diff options
Diffstat (limited to 'lass')
55 files changed, 1119 insertions, 453 deletions
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix index 21f3a8bd..1a98fc05 100644 --- a/lass/1systems/blue/source.nix +++ b/lass/1systems/blue/source.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, ... }: +{ lib, pkgs, test, ... }: { - nixpkgs = lib.mkForce { + nixpkgs = lib.mkIf (! test) (lib.mkForce { file = { path = toString (pkgs.fetchFromGitHub { owner = "nixos"; @@ -10,5 +10,5 @@ }); useChecksum = true; }; - }; + }); } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 6e3df12f..bd559944 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -34,6 +34,7 @@ with import <stockholm/lib>; ]; }; environment.systemPackages = with pkgs; [ + ark pavucontrol #firefox chromium @@ -57,6 +58,8 @@ with import <stockholm/lib>; { krebs.per-user.bitcoin.packages = [ pkgs.electrum + pkgs.electron-cash + pkgs.litecoin ]; users.extraUsers = { bitcoin = { diff --git a/lass/1systems/hilum/config.nix b/lass/1systems/hilum/config.nix new file mode 100644 index 00000000..f57d275d --- /dev/null +++ b/lass/1systems/hilum/config.nix @@ -0,0 +1,32 @@ +{ config, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/browsers.nix> + <stockholm/lass/2configs/programs.nix> + <stockholm/lass/2configs/network-manager.nix> + <stockholm/lass/2configs/mail.nix> + <stockholm/lass/2configs/syncthing.nix> + ]; + + krebs.build.host = config.krebs.hosts.hilum; + + boot.loader.grub = { + extraEntries = '' + submenu isos { + source /grub/autoiso.cfg + } + ''; + extraFiles."/grub/autoiso.cfg" = (pkgs.stdenv.mkDerivation { + name = "autoiso.cfg"; + src = pkgs.grub2.src; + phases = [ "unpackPhase" "installPhase" ]; + installPhase = '' + cp docs/autoiso.cfg $out + ''; + }); + }; +} diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix new file mode 100644 index 00000000..f8bab57d --- /dev/null +++ b/lass/1systems/hilum/physical.nix @@ -0,0 +1,35 @@ +{ lib, pkgs, ... }: + +{ + imports = [ + ./config.nix + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub.enable = true; + boot.loader.grub.efiSupport = true; + boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0"; + boot.loader.grub.efiInstallAsRemovable = true; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2B9E-5131"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index d8c8699a..86727700 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: { imports = [ @@ -14,20 +14,13 @@ <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/bitcoin.nix> - <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/wine.nix> - <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/nfs-dl.nix> - <stockholm/lass/2configs/prism-share.nix> + #<stockholm/lass/2configs/prism-share.nix> <stockholm/lass/2configs/ssh-cryptsetup.nix> ]; krebs.build.host = config.krebs.hosts.icarus; - - environment.systemPackages = with pkgs; [ - macchanger - dpass - ]; programs.adb.enable = true; } diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index a814cc6b..a7b9f21b 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -52,8 +52,6 @@ with import <stockholm/lib>; root = { openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.lass-shodan.pubkey - config.krebs.users.lass-icarus.pubkey ]; }; }; diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix deleted file mode 100644 index cab267d5..00000000 --- a/lass/1systems/morpheus/config.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -{ - imports = [ - <stockholm/lass> - - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/power-action.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/games.nix> - <stockholm/lass/2configs/steam.nix> - ]; - - krebs.build.host = config.krebs.hosts.morpheus; - - networking.wireless.enable = false; - networking.networkmanager.enable = true; - - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; - - nixpkgs.config.packageOverrides = super: { - steam = super.steam.override { - withPrimus = true; - extraPkgs = p: with p; [ - glxinfo - nettools - bumblebee - ]; - }; - }; - - - services.xserver.desktopManager.default = "none"; - services.xserver.displayManager.lightdm.autoLogin = { - enable = true; - user = "lass"; - timeout = 5; - }; -} diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix deleted file mode 100644 index 0f08acb2..00000000 --- a/lass/1systems/morpheus/physical.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ lib, ... }: -{ - imports = [ - <nixpkgs/nixos/modules/installer/scan/not-detected.nix> - ./config.nix - ]; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.hostId = "60ce7e88"; - - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ]; - - hardware.bumblebee.enable = true; - hardware.bumblebee.group = "video"; - - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/DF3B-4528"; - fsType = "vfat"; - }; - - nix.maxJobs = lib.mkDefault 8; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; -} diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index f911b79d..03ff4213 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -49,14 +49,31 @@ with import <stockholm/lib>; ]; } { - krebs.syncthing.folders."the_playlist" = { - path = "/home/lass/tmp/the_playlist"; - peers = [ "mors" "phone" "prism" ]; + krebs.syncthing = { + peers.schasch.addresses = [ "schasch.r:22000" ]; + folders = { + the_playlist = { + path = "/home/lass/tmp/the_playlist"; + peers = [ "mors" "phone" "prism" "xerxes" ]; + }; + free_music = { + id = "mu9mn-zgvsw"; + path = "/home/lass/tmp/free_music"; + peers = [ "mors" "schasch" ]; + }; + }; }; - krebs.permown."/home/lass/tmp/the_playlist" = { - owner = "lass"; - group = "syncthing"; - umask = "0007"; + krebs.permown = { + "/home/lass/tmp/free_music" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; + "/home/lass/tmp/the_playlist" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; }; } { @@ -112,7 +129,6 @@ with import <stockholm/lib>; cac-api sshpass get - teamspeak_client hashPassword urban mk_sql_pair diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix index 25425f14..6828d70d 100644 --- a/lass/1systems/mors/physical.nix +++ b/lass/1systems/mors/physical.nix @@ -22,7 +22,7 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0" + SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" ''; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d7b0b701..f4c011dc 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -31,7 +31,15 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" ]; + packages = [ + (pkgs.writeDashBin "kick-routing" '' + /run/wrappers/bin/sudo ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service + '') + ]; }; + security.sudo.extraConfig = '' + riot ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service + ''; # TODO write function for proxy_pass (ssl/nonssl) @@ -57,6 +65,13 @@ with import <stockholm/lib>; config.krebs.users.makefu.pubkey ]; }; + users.users.nin = { + uid = genid "nin"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; users.extraUsers.dritter = { uid = genid_uint31 "dritter"; isNormalUser = true; @@ -109,6 +124,26 @@ with import <stockholm/lib>; localAddress = "10.233.2.2"; }; } + { + #onondaga + systemd.services."container@onondaga".reloadIfChanged = mkForce false; + containers.onondaga = { + config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.nin.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.5"; + localAddress = "10.233.2.6"; + }; + } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/ts3.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> @@ -149,7 +184,7 @@ with import <stockholm/lib>; imports = [ <stockholm/lass/2configs/realwallpaper.nix> ]; - services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' + services.nginx.virtualHosts."lassul.us".locations."= /wallpaper.png".extraConfig = '' alias /var/realwallpaper/realwallpaper.png; ''; } @@ -195,6 +230,7 @@ with import <stockholm/lib>; }; } <stockholm/lass/2configs/minecraft.nix> + <stockholm/lass/2configs/codimd.nix> { services.taskserver = { enable = true; @@ -225,41 +261,6 @@ with import <stockholm/lib>; hostAddress = "10.233.2.3"; localAddress = "10.233.2.4"; }; - services.nginx.virtualHosts."rote-allez-fraktion.de" = { - enableACME = true; - forceSSL = true; - locations."/" = { - extraConfig = '' - proxy_set_header Host rote-allez-fraktion.de; - proxy_pass http://10.233.2.4; - ''; - }; - }; - } - { - imports = [ <stockholm/lass/2configs/backup.nix> ]; - lass.restic = genAttrs [ - "daedalus" - "icarus" - "littleT" - "mors" - "shodan" - "skynet" - ] (dest: { - dirs = [ - "/home/chat/.weechat" - "/bku/sql_dumps" - ]; - passwordFile = (toString <secrets>) + "/restic/${dest}"; - repo = "sftp:backup@${dest}.r:/backups/prism"; - extraArguments = [ - "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" - ]; - timerConfig = { - OnCalendar = "00:05"; - RandomizedDelaySec = "5h"; - }; - }); } { users.users.download.openssh.authorizedKeys.keys = [ @@ -343,7 +344,7 @@ with import <stockholm/lib>; services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = '' if ($scheme != "https") { - rewrite ^ https://$host$uri permanent; + rewrite ^ https://$host$request_uri permanent; } auth_basic "Restricted Content"; auth_basic_user_file ${pkgs.writeText "transmission-user-pass" '' @@ -363,13 +364,8 @@ with import <stockholm/lib>; uid = genid "download"; openssh.authorizedKeys.keys = with config.krebs.users; [ lass.pubkey - lass-shodan.pubkey - lass-icarus.pubkey - lass-daedalus.pubkey - lass-helios.pubkey lass-android.pubkey makefu.pubkey - wine-mors.pubkey ]; }; }; @@ -382,7 +378,7 @@ with import <stockholm/lib>; ''; fileSystems."/export/download" = { - device = "/var/lib/containers/yellow/var/download"; + device = "/var/lib/containers/yellow/var/download/finished"; options = [ "bind" ]; }; services.nfs.server = { @@ -395,6 +391,12 @@ with import <stockholm/lib>; statdPort = 4000; }; krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } @@ -456,4 +458,10 @@ with import <stockholm/lib>; enable = true; freeMemThreshold = 5; }; + + # prism rsa hack + services.openssh.hostKeys = [{ + path = toString <secrets> + "ssh.id_rsa"; + type = "rsa"; + }]; } diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 9a84e9d6..7458f5ff 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -20,6 +20,11 @@ fsType = "ext4"; }; + fileSystems."/backups" = { + device = "tank/backups"; + fsType = "zfs"; + }; + fileSystems."/srv/http" = { device = "tank/srv-http"; fsType = "zfs"; diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 5de87d79..ad510283 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -17,6 +17,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/ssh-cryptsetup.nix> + <stockholm/lass/2configs/nfs-dl.nix> ]; krebs.build.host = config.krebs.hosts.shodan; @@ -24,4 +25,90 @@ with import <stockholm/lib>; services.logind.extraConfig = '' HandleLidSwitch=ignore ''; + + #media center + users.users.media = { + isNormalUser = true; + uid = genid_uint31 "media"; + extraGroups = [ "video" "audio" ]; + }; + + services.xserver.displayManager.lightdm.autoLogin = { + enable = true; + user = "media"; + }; + + #hass + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 1883"; target = "ACCEPT"; } + # zerotierone + { predicate = "-p udp --dport 9993"; target = "ACCEPT"; } + ]; + + services.home-assistant = let + tasmota_s20 = name: topic: { + platform = "mqtt"; + inherit name; + state_topic = "stat/${topic}/POWER"; + command_topic = "cmnd/${topic}/POWER"; + payload_on = "ON"; + payload_off = "OFF"; + }; + in { + enable = true; + package = pkgs.home-assistant.override { + python3 = pkgs.python36; + #extraComponents = [ + # (pkgs.fetchgit { + # url = "https://github.com/marcschumacher/dwd_pollen"; + # rev = "0.1"; + # sha256 = "12vldwsds27c9l15ffc6svk9mj17jhypcz736pvpmpqbsymllz2p"; + # }) + #]; + }; + config = { + homeassistant = { + name = "Home"; time_zone = "Europe/Berlin"; + latitude = "48.7687"; + longitude = "9.2478"; + elevation = 247; + }; + sun.elevation = 66; + discovery = {}; + frontend = { }; + mqtt = { + broker = "localhost"; + port = 1883; + client_id = "home-assistant"; + username = "gg23"; + password = "gg23-mqtt"; + keepalive = 60; + protocol = 3.1; + }; + sensor = [ + ]; + switch = [ + (tasmota_s20 "Drucker Strom" "drucker") + (tasmota_s20 "Bett Licht" "bett") + ]; + device_tracker = [ + { + platform = "luci"; + } + ]; + }; + }; + + services.mosquitto = { + enable = true; + host = "0.0.0.0"; + allowAnonymous = false; + checkPasswords = true; + users.gg23 = { + password = "gg23-mqtt"; + acl = [ "topic readwrite #" ]; + }; + }; + environment.systemPackages = [ pkgs.mosquitto ]; } diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix index 41508127..7cfeba93 100644 --- a/lass/1systems/shodan/physical.nix +++ b/lass/1systems/shodan/physical.nix @@ -13,7 +13,6 @@ initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; }; fileSystems = { "/" = { diff --git a/lass/1systems/uriel/physical.nix b/lass/1systems/uriel/physical.nix index 9ac3468a..2d21f00d 100644 --- a/lass/1systems/uriel/physical.nix +++ b/lass/1systems/uriel/physical.nix @@ -3,7 +3,7 @@ ./config.nix ]; - hardware.enableAllFirmware = true; + hardware.enableRedistributableFirmware = true; boot = { #kernelParams = [ # "acpi.brightness_switch_enabled=0" diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix new file mode 100644 index 00000000..8630d0f4 --- /dev/null +++ b/ |