diff options
Diffstat (limited to 'lass')
38 files changed, 598 insertions, 359 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix index 0a286c6f..bed8961b 100644 --- a/lass/1systems/archprism/config.nix +++ b/lass/1systems/archprism/config.nix @@ -36,10 +36,10 @@ with import <stockholm/lib>; # TODO write function for proxy_pass (ssl/nonssl) krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; } ]; } { @@ -57,13 +57,6 @@ with import <stockholm/lib>; config.krebs.users.makefu.pubkey ]; }; - users.users.nin = { - uid = genid "nin"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - ]; - }; users.extraUsers.dritter = { uid = genid "dritter"; isNormalUser = true; @@ -109,26 +102,6 @@ with import <stockholm/lib>; localAddress = "10.233.2.2"; }; } - { - #onondaga - systemd.services."container@onondaga".reloadIfChanged = mkForce false; - containers.onondaga = { - config = { ... }: { - imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.nin.pubkey - ]; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.5"; - localAddress = "10.233.2.6"; - }; - } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/ts3.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> @@ -137,7 +110,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/monitoring/prometheus-server.nix> diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix index 56348d0a..36de7dc1 100644 --- a/lass/1systems/archprism/physical.nix +++ b/lass/1systems/archprism/physical.nix @@ -14,16 +14,16 @@ }; }; # TODO use this network config - #networking.interfaces.et0.ipv4.addresses = [ - # { - # address = config.krebs.build.host.nets.internet.ip4.addr; - # prefixLength = 27; - # } - # { - # address = "46.4.114.243"; - # prefixLength = 27; - # } - #]; + networking.interfaces.eth0.ipv4.addresses = [ + { + address = config.krebs.build.host.nets.internet.ip4.addr; + prefixLength = 27; + } + { + address = "46.4.114.243"; + prefixLength = 27; + } + ]; #networking.defaultGateway = "46.4.114.225"; #networking.nameservers = [ # "8.8.8.8" diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix new file mode 100644 index 00000000..8f748ab8 --- /dev/null +++ b/lass/1systems/blue/source.nix @@ -0,0 +1,11 @@ +{ lib, pkgs, ... }: +{ + nixpkgs = lib.mkForce { + file = toString (pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs"; + rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev; + sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256; + }); + }; +} diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix deleted file mode 100644 index 6a8040c9..00000000 --- a/lass/1systems/cabal/config.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - <stockholm/lass> - - <stockholm/lass/2configs/mouse.nix> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/AP.nix> - <stockholm/lass/2configs/blue-host.nix> - ]; - - krebs.build.host = config.krebs.hosts.cabal; -} diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix deleted file mode 100644 index 3cc4af03..00000000 --- a/lass/1systems/cabal/physical.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - imports = [ - ./config.nix - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> - ]; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0" - ''; -} diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 1957c8ba..d2d4bd3e 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -25,9 +25,5 @@ macchanger dpass ]; - services.redshift = { - enable = true; - provider = "geoclue2"; - }; programs.adb.enable = true; } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 6d65b58c..207c7c64 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -33,6 +33,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/print.nix> + <stockholm/lass/2configs/blue-host.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain @@ -101,6 +102,7 @@ with import <stockholm/lib>; urban mk_sql_pair remmina + transmission iodine @@ -147,10 +149,6 @@ with import <stockholm/lib>; programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; virtualisation.docker.enable = true; - services.redshift = { - enable = true; - provider = "geoclue2"; - }; lass.restic = genAttrs [ "daedalus" diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index bf7de6fc..0ca39447 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -57,13 +57,6 @@ with import <stockholm/lib>; config.krebs.users.makefu.pubkey ]; }; - users.users.nin = { - uid = genid "nin"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - ]; - }; users.extraUsers.dritter = { uid = genid "dritter"; isNormalUser = true; @@ -119,7 +112,6 @@ with import <stockholm/lib>; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.nin.pubkey ]; }; autoStart = true; @@ -215,7 +207,6 @@ with import <stockholm/lib>; RandomizedDelaySec = "2min"; }; } - <stockholm/lass/2configs/downloading.nix> <stockholm/lass/2configs/minecraft.nix> { services.taskserver = { @@ -346,11 +337,64 @@ with import <stockholm/lib>; ]; } + { + systemd.services."container@yellow".reloadIfChanged = mkForce false; + containers.yellow = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.13"; + localAddress = "10.233.2.14"; + }; + + services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = '' + if ($scheme != "https") { + rewrite ^ https://$host$uri permanent; + } + auth_basic "Restricted Content"; + auth_basic_user_file ${pkgs.writeText "transmission-user-pass" '' + krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 + ''}; + proxy_pass http://10.233.2.14:9091; + ''; + + users.groups.download = {}; + users.users = { + download = { + createHome = true; + group = "download"; + name = "download"; + home = "/var/download"; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + lass-shodan.pubkey + lass-icarus.pubkey + lass-daedalus.pubkey + lass-helios.pubkey + makefu.pubkey + wine-mors.pubkey + ]; + }; + }; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chmod 775 /var/download + ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || : + chown download: /var/download/finished + ''; + } ]; krebs.build.host = config.krebs.hosts.prism; - # workaround because grub store paths are broken - boot.copyKernels = true; services.earlyoom = { enable = true; freeMemThreshold = 5; diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 56348d0a..116bdb92 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -1,77 +1,61 @@ { config, lib, pkgs, ... }: + { + imports = [ ./config.nix - { - boot.kernelParams = [ "net.ifnames=0" ]; - networking = { - defaultGateway = "46.4.114.225"; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.eth0 = { - ipAddress = "46.4.114.247"; - prefixLength = 27; - }; - }; - # TODO use this network config - #networking.interfaces.et0.ipv4.addresses = [ - # { - # address = config.krebs.build.host.nets.internet.ip4.addr; - # prefixLength = 27; - # } - # { - # address = "46.4.114.243"; - # prefixLength = 27; - # } - #]; - #networking.defaultGateway = "46.4.114.225"; - #networking.nameservers = [ - # "8.8.8.8" - #]; - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - #''; - } - { - imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; - - networking.hostId = "fb4173ea"; - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "rpool/home"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; - fsType = "ext4"; - }; - - } + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "tank/srv-http"; + fsType = "zfs"; + }; + + fileSystems."/var/download" = { + device = "tank/download"; + fsType = "zfs"; + }; + + fileSystems."/var/lib/containers" = { + device = "tank/containers"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "tank/home"; + fsType = "zfs"; + }; + + nix.maxJobs = lib.mkDefault 8; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; + + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + hostId = "2283aaae"; + defaultGateway = "95.216.1.129"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "95.216.1.150"; + prefixLength = 26; + }; + }; } diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 8405b0f1..87a733d6 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -16,6 +16,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/backup.nix> + <stockholm/lass/2configs/blue-host.nix> ]; krebs.build.host = config.krebs.hosts.shodan; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index b6c08f79..13a8b3e4 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -5,42 +5,36 @@ with import <stockholm/lib>; <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - #<stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/fetchWallpaper.nix> + <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/power-action.nix> { - # discordius config services.xserver.enable = true; + services.xserver.desktopManager.xfce.enable = true; + users.users.discordius = { - uid = genid "discordius"; - home = "/home/discordius"; - group = "users"; - createHome = true; + uid = genid "diskordius"; + isNormalUser = true; extraGroups = [ "audio" "networkmanager" ]; - useDefaultShell = true; - }; - networking.networkmanager.enable = true; - networking.wireless.enable = mkForce false; - hardware.pulseaudio = { - enable = true; - systemWide = true; }; environment.systemPackages = with pkgs; [ - pavucontrol - firefox - hexchat - networkmanagerapplet + google-chrome ]; - services.xserver.desktopManager.gnome3 = { + hardware.pulseaudio = { enable = true; + systemWide = true; }; } ]; krebs.build.host = config.krebs.hosts.skynet; + networking.wireless.enable = false; + networking.networkmanager.enable = true; + services.logind.extraConfig = '' HandleLidSwitch=ignore ''; diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix index 358e1f51..e3451293 100644 --- a/lass/1systems/skynet/physical.nix +++ b/lass/1systems/skynet/physical.nix @@ -1,10 +1,27 @@ { imports = [ ./config.nix - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> + <stockholm/krebs/2configs/hw/x220.nix> ]; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = true; + boot.loader.grub.device = "nodev"; + + networking.hostId = "06442b9a"; + + fileSystems."/" = + { device = "rpool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0876-B308"; + fsType = "vfat"; + }; + services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix new file mode 100644 index 00000000..48d40511 --- /dev/null +++ b/lass/1systems/yellow/config.nix @@ -0,0 +1,140 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.yellow; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chown download:download /var/download + chmod 775 /var/download + ''; + + users.users.download = { uid = genid "download"; }; + users.groups.download.members = [ "transmission" ]; + users.users.transmission.group = mkForce "download"; + + systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; + services.transmission = { + enable = true; + settings = { + download-dir = "/var/download/finished"; + incomplete-dir = "/var/download/incoming"; + incomplete-dir-enable = true; + umask = "002"; + rpc-whitelist-enabled = false; + rpc-host-whitelist-enabled = false; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."yellow.r".locations."/dl".extraConfig = '' + autoindex on; + alias /var/download/finished; + ''; + }; + + krebs.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } + ]; + }; + + services.openvpn.servers.nordvpn.config = '' + client + dev tun + proto udp + remote 82.102.16.229 1194 + resolv-retry infinite + remote-random + nobind + tun-mtu 1500 + tun-mtu-extra 32 + mssfix 1450 + persist-key + persist-tun + ping 15 + ping-restart 0 + ping-timer-rem + reneg-sec 0 + comp-lzo no + + explicit-exit-notify 3 + + remote-cert-tls server + + #mute 10000 + auth-user-pass ${toString <secrets/nordvpn.txt>} + + verb 3 + pull + fast-io + cipher AES-256-CBC + auth SHA512 + + <ca> + -----BEGIN CERTIFICATE----- + MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD + VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH + Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw + bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y + ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG + A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT + B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2 + cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v + cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG + UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny + mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X + +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT + ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI + 583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA + VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT + Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh + MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ + MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy + Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW + EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG + SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ + e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW + //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB + wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB + KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p + lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9 + -----END CERTIFICATE----- + </ca> + key-direction 1 + <tls-auth> + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 49b2f54c6ee58d2d97331681bb577d55 + 054f56d92b743c31e80b684de0388702 + ad3bf51088cd88f3fac7eb0729f2263c + 51d82a6eb7e2ed4ae6dfa65b1ac764d0 + b9dedf1379c1b29b36396d64cb6fd6b2 + e61f869f9a13001dadc02db171f04c4d + c46d1132c1f31709e7b54a6eabae3ea8 + fbd2681363c185f4cb1be5aa42a27c31 + 21db7b2187fd11c1acf224a0d5a44466 + b4b5a3cc34ec0227fe40007e8b379654 + f1e8e2b63c6b46ee7ab6f1bd82f57837 + 92c209e8f25bc9ed493cb5c1d891ae72 + 7f54f4693c5b20f136ca23e639fd8ea0 + 865b4e22dd2af43e13e6b075f12427b2 + 08af9ffd09c56baa694165f57fe2697a + 3377fa34aebcba587c79941d83deaf45 + -----END OpenVPN Static key V1----- + </tls-auth> + ''; +} diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix new file mode 100644 index 00000000..7499ff72 --- /dev/null +++ b/lass/1systems/yellow/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 9b44e8f0..d781f8c7 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -126,6 +126,12 @@ in { restartIfChanged = false; }; + nixpkgs.config.packageOverrides = super: { + dmenu = pkgs.writeDashBin "dmenu" '' + ${pkgs.fzfmenu}/bin/fzfmenu "$@" + ''; + }; + krebs.xresources.enable = true; lass.screenlock.enable = true; } diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index 991bbeb5..d3775b5d 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -25,6 +25,14 @@ proxy_pass http://localhost:${toString config.services.nix-serve.port}; ''; }; + virtualHosts."cache.krebsco.de" = { + forceSSL = true; + serverAliases = [ "cache.lassul.us" ]; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:${toString config.services.nix-serve.port}; + ''; + }; }; } diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 83c235f3..9cf294af 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix @@ -1,23 +1,115 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; +let + all_hosts = [ + "icarus" + "shodan" + "daedalus" + "skynet" + "prism" + ]; + remote_hosts = filter (h: h != config.networking.hostName) all_hosts; -{ +in { imports = [ <stockholm/lass/2configs/container-networking.nix> + { #hack for already defined + systemd.services."container@blue".reloadIfChanged = mkForce false; + systemd.services."container@blue".preStart = '' + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' + ''; + systemd.services."container@blue".preStop = '' + /run/wrappers/bin/fusermount -u /var/lib/containers/blue + ''; + } ]; - systemd.services."container@blue".reloadIfChanged = mkForce false; + + system.activationScripts.containerPermissions = '' + mkdir -p /var/lib/con |