authortv <tv@krebsco.de>2018-01-16 20:19:27 +0100
committertv <tv@krebsco.de>2018-01-16 20:19:27 +0100
commitcc4e5322aeca08d121b7769517136b05d7e391ca (patch)
tree8d8757d91cd631c58d30cb98589973a4983e9d4a
parent1c06f938b3d4e4e036184639ecdcadec27b5d8f8 (diff)
parent74d1531be988057ccadd3de5184d915dcf84c92d (diff)
Merge remote-tracking branch 'prism/master'
-rw-r--r--jeschli/1systems/bln/config.nix2
-rw-r--r--jeschli/1systems/enklave/config.nix45
-rw-r--r--jeschli/1systems/enklave/source.nix3
-rw-r--r--jeschli/1systems/reagenzglas/config.nix1
-rw-r--r--jeschli/2configs/default.nix2
-rw-r--r--jeschli/2configs/os-templates/CentOS-7-64bit.nix16
-rw-r--r--jeschli/2configs/retiolum.nix4
-rw-r--r--jeschli/source.nix2
-rw-r--r--krebs/2configs/repo-sync.nix2
-rw-r--r--krebs/3modules/jeschli/default.nix46
-rw-r--r--krebs/3modules/lass/default.nix15
-rw-r--r--krebs/3modules/makefu/default.nix1
-rw-r--r--krebs/4lib/infest/prepare.sh87
-rw-r--r--krebs/5pkgs/simple/internetarchive/default.nix2
-rw-r--r--lass/1systems/daedalus/config.nix3
-rw-r--r--lass/1systems/prism/config.nix11
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/browsers.nix20
-rw-r--r--lass/2configs/default.nix11
-rw-r--r--lass/2configs/exim-smarthost.nix5
-rw-r--r--lass/2configs/minecraft.nix21
-rw-r--r--lass/2configs/zsh.nix34
-rw-r--r--lass/source.nix2
-rw-r--r--makefu/1systems/gum/config.nix2
-rw-r--r--makefu/2configs/deployment/photostore.krebsco.de.nix40
-rw-r--r--makefu/5pkgs/cameraupload-server/default.nix23
26 files changed, 339 insertions, 63 deletions
diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix
index 873c0fa3d..9e5f8c52e 100644
--- a/jeschli/1systems/bln/config.nix
+++ b/jeschli/1systems/bln/config.nix
@@ -36,7 +36,7 @@
}
];
- networking.hostName = "BLN02NB0154"; # Define your hostname.
+ networking.hostName = lib.mkForce "BLN02NB0154"; # Define your hostname.
networking.networkmanager.enable = true;
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
diff --git a/jeschli/1systems/enklave/config.nix b/jeschli/1systems/enklave/config.nix
new file mode 100644
index 000000000..010089017
--- /dev/null
+++ b/jeschli/1systems/enklave/config.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/jeschli>
+ <stockholm/jeschli/2configs/retiolum.nix>
+ <stockholm/jeschli/2configs/os-templates/CentOS-7-64bit.nix>
+ {
+ networking.dhcpcd.allowInterfaces = [
+ "enp*"
+ "eth*"
+ "ens*"
+ ];
+ }
+ {
+ services.openssh.enable = true;
+ }
+ {
+ sound.enable = false;
+ }
+ {
+ users.extraUsers = {
+ root.initialPassword = "pfeife123";
+ root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
+ ];
+ jeschli = {
+ name = "jeschli";
+ uid = 1000;
+ home = "/home/jeschli";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ ];
+ openssh.authorizedKeys.keys = [
+"ssh-rsa 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 jeschli@nixos"
+ ];
+ };
+ };
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.enklave;
+}
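Review bot: `root.initialPassword = "pfeife123"` in the `users.extraUsers` block commits a cleartext root password to the repository while the same module turns on `services.openssh.enable = true`. initialPassword is applied only when the account is first created, but the literal still lands in the repository history and, presumably, in the generated user database of the built system; a hashed value read from the host's secrets directory (jeschli/source.nix already wires `secrets.file`), or no password at all with the authorized key on the same block as the only root login path, avoids that. It is also worth confirming that `services.openssh.permitRootLogin` is limited to key authentication on this host, since the module does not set it.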
diff --git a/jeschli/1systems/enklave/source.nix b/jeschli/1systems/enklave/source.nix
new file mode 100644
index 000000000..4f9f37be7
--- /dev/null
+++ b/jeschli/1systems/enklave/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/jeschli/source.nix> {
+ name = "enklave";
+}
diff --git a/jeschli/1systems/reagenzglas/config.nix b/jeschli/1systems/reagenzglas/config.nix
index d65e897ae..eb2ba179e 100644
--- a/jeschli/1systems/reagenzglas/config.nix
+++ b/jeschli/1systems/reagenzglas/config.nix
@@ -29,7 +29,6 @@
allowDiscards = true;
}
];
- networking.hostName = "reaganzglas"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true;
# Select internationalisation properties.
diff --git a/jeschli/2configs/default.nix b/jeschli/2configs/default.nix
index 7fb240951..6d788d283 100644
--- a/jeschli/2configs/default.nix
+++ b/jeschli/2configs/default.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
imports = [
./vim.nix
./retiolum.nix
+ <stockholm/lass/2configs/security-workarounds.nix>
{
environment.variables = {
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
@@ -63,4 +64,5 @@ with import <stockholm/lib>;
];
krebs.enable = true;
+ networking.hostName = config.krebs.build.host.name;
}
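Review bot: `networking.hostName = config.krebs.build.host.name;` on the last added line is set at default priority, which is why bln/config.nix in this same commit has to wrap its own hostName in `lib.mkForce`. Writing `networking.hostName = mkDefault config.krebs.build.host.name;` here (mkDefault is in scope through `with import <stockholm/lib>;`, as the existing mkForce on the NIX_PATH line shows) lets a per-system config override it without forcing. The first hunk also pulls `security-workarounds.nix` in from lass's tree; a one-line comment naming what it works around would help readers of jeschli's tree, since that file is outside this diff.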
diff --git a/jeschli/2configs/os-templates/CentOS-7-64bit.nix b/jeschli/2configs/os-templates/CentOS-7-64bit.nix
new file mode 100644
index 000000000..fb34e94e2
--- /dev/null
+++ b/jeschli/2configs/os-templates/CentOS-7-64bit.nix
@@ -0,0 +1,16 @@
+_:
+
+{
+ imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
+
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+}
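Review bot: The new template carries no header comment, and its name CentOS-7-64bit does not describe what it configures (the qemu-guest profile, grub on /dev/sda, ext4 on /dev/sda1); the name presumably refers to the provider's stock image the machine is infested from, but nothing in the file says so. A comment such as `# disk/boot layout of a VM installed over the provider's "CentOS 7 64bit" image; nothing CentOS-specific remains after infest` above the attribute set would make that explicit; confirm the wording against the actual provisioning flow, which is not visible here. The hard-coded `/dev/sda` and `/dev/sda1` are also worth a note saying they are expected to be stable for this image.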
diff --git a/jeschli/2configs/retiolum.nix b/jeschli/2configs/retiolum.nix
index 403300b30..b611cbe7d 100644
--- a/jeschli/2configs/retiolum.nix
+++ b/jeschli/2configs/retiolum.nix
@@ -9,6 +9,7 @@
"gum"
"ni"
"dishfire"
+ "enklave"
];
};
@@ -16,6 +17,9 @@
tinc = pkgs.tinc_pre;
};
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+
environment.systemPackages = [
pkgs.tinc
];
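Review bot: The two new `networking.firewall.allowed*Ports = [ 655 ]` lines open tinc's port on every host that imports jeschli/2configs (its default.nix imports ./retiolum.nix), so bln and reagenzglas get it as well as the new server enklave. If only hosts that must accept inbound retiolum connections need it, the rules belong in that host's config; otherwise a comment such as `# tinc (retiolum) listens on 655/tcp+udp; opened so peers can connect inbound` would record the intent. The port number is duplicated from the tinc configuration rather than taken from it; whether the krebs tinc module exposes it as an option is outside this diff.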
diff --git a/jeschli/source.nix b/jeschli/source.nix
index ae9e1e72e..382dd61bc 100644
--- a/jeschli/source.nix
+++ b/jeschli/source.nix
@@ -10,7 +10,7 @@ in
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "d83c808";
+ ref = "0653b73";
};
secrets.file = getAttr builder {
buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index 84b7d9c0e..48da88a8d 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -58,7 +58,7 @@ let
ref = "heads/master";
};
};
- krebs.git = defineRepo name true;
+ krebs.git = defineRepo name false;
};
in {
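Review bot: `krebs.git = defineRepo name false;` flips a positional boolean whose meaning cannot be read at the call site, and defineRepo's definition is outside the hunk, so the effect of the change is not reviewable from the diff alone. The merge commit message does not say what the flag controls either. A trailing comment on the call naming the parameter it maps to in defineRepo, or a named attribute argument instead of a positional boolean, would make this self-explaining.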
diff --git a/krebs/3modules/jeschli/default.nix b/krebs/3modules/jeschli/default.nix
index 0d161e1c8..c7e882742 100644
--- a/krebs/3modules/jeschli/default.nix
+++ b/krebs/3modules/jeschli/default.nix
@@ -118,6 +118,52 @@ with import <stockholm/lib>;
};
};
};
+ enklave = {
+ nets = rec {
+ internet = {
+ ip4.addr = "88.198.164.182";
+ aliases = [
+ "enklave.i"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.27.30";
+ ip6.addr = "42::30";
+ aliases = [
+ "enklave.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIID8gKCA+kAt8zRg/g0jRmqXn6rVul/tdjWtLPcu0aTjNJ5OYZh50i7WqWllGVz
+ +FfJicuq/Xd1l5qrgUN7MD+Wrfeov+G9lzSgacfPhXMujutXxX3JwW/9f7UN+yoN
+ Sw29Zj+NWb45HyI5WVwMQ332KbKjNcWdTRe+O39oE6bZWg54oEeZOad2UJ7/83sB
+ yNEV/B7bJ0+X9HR8XCKrHI/RkjixNauMDlquGzoVyqLKIWwUnBl9CwtNBCYHbvYD
+ G1rWeCewd9Z6KsqcKSePfa4mn5eOluWcXmbrD/sx8oII40oNUs3kI7a2HExB2Yle
+ P9Q5MQrXRZfI3bdrh1aHieBodZLtosHPNuJIpo8ZaCX88WLhGR3nhJa1vvM1vNwd
+ TSSAdobdZUcuIQJKnVxwP4rXQAKPkN2+ddy+tXCGvfFAsdGKDbgPy4FgT+Ed28vg
+ 3W0fef/3sDNGPY1VAa58/pLz9Un3kNJKUjt00tWamo8daU/3mxZs83nIqDHLq86l
+ 1+wCl37l+KHe7pUVZ3smoezPRCMoUThmc7VzupbQG+piiSSyiYQi0CuBusa44t76
+ 1lMr3pOdRBBAoetZ745ZZVx8s+eYk+C1BmQbLJAfzQ9sbH3LAwXpuAH70mtrFqWl
+ C3LF89/5mZRbFxALZv9cVx3LqIZDjwpKlwPWorZwo14L+eAagdPCcnVNo6ZcVow2
+ mAdNnf7C33fvRsU+rUEIZVPsBHZfAv+f0jqQ65TMvl32VZ0FlxxahSZSj64n8iwr
+ Z+DOxKA9OcAaTrHQReYLpWUfNceVDLfOmQLeih8hNgClgqPgYJP/OtN+ox3NP6ZX
+ +Gkx9HO7a+agtyJxjh3NYbT/NkRW8HcjW8KgRN7jlE9sQi5/FoxKQOUdHmLTvjdk
+ YJXqdPWMYHj2xt4A8x2nzl/si6lwDsod+zdY5RGSdYhoybEOs4wZZIuArmm8GP+C
+ IbtgutknAuqvm2FOxyWCbLFTimgqC5BgrNUsXFJJLsHQ3bWFJtVpJlSa5Y0iypCP
+ Yr/cefbDrGfs3eCy7FlYDIkCcH06FPm1LTs6USisrtKFObRQN+zPSPln9FysNmpH
+ h0YUhrWdTO+wN78K5gc4ALPNUlyqmH61h8jS2qSdrRZLcZWIi4K4banG6EJcWRvV
+ kaVxghY1i/Z9x43bZRpBPvpM462IDx08vYX9AcFmF7JfjAXPwJO/EqZVsY1YPDzO
+ vdXWrtTORO8R8Pjq3X952yNqgHBcJQh7Q9TBcj+XBtkidOSnTt3Sp/RumsucUW19
+ 0wMempDPiCOAadLmR4cW5XL1ednXurkd+5gHCmB1Sl7FueP5dgLB/mhXjmITE3zH
+ aQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+
+
};
users = {
jeschli = {
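Review bot: The two empty lines after enklave's closing `};` and before the `};` that closes hosts are stray whitespace inside the attribute set; the neighbouring host entries in the context lines have none. The entry otherwise follows the pattern of the surrounding hosts, and the `enklave` name matches the peer added to jeschli/2configs/retiolum.nix in this commit.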
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 0567d58ba..37bb31563 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -3,6 +3,9 @@
with import <stockholm/lib>;
{
+ dns.providers = {
+ "lassul.us" = "zones";
+ };
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
ci = true;
@@ -80,6 +83,18 @@ with import <stockholm/lib>;
prism IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
'';
+ "lassul.us" = ''
+ $TTL 3600
+ @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
+ 60 IN NS ns16.ovh.net.
+ 60 IN NS dns16.ovh.net.
+ 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ 60 IN TXT v=spf1 mx -all
+ cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ io 60 IN NS ions.lassul.us.
+ ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ '';
};
nets = rec {
internet = {
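Review bot: `60 IN TXT v=spf1 mx -all` is unquoted, so a zone parser that accepts it stores the three whitespace-separated words as separate character-strings, and an SPF client concatenates those without spaces into `v=spf1mx-all`, which is not a valid record; write it as `60 IN TXT "v=spf1 mx -all"`. Separately, no MX record appears in the added zone, so if none exists elsewhere the `mx` mechanism matches no host and `-all` rejects every sender for lassul.us, including the @lassul.us mail the exim-smarthost config in this same commit relays; either add the MX for the smarthost or name the sending host with an `a` or `ip4:` mechanism. The SOA serial 2017093001 predates the commit date; harmless for a fresh zone, but bump it on the next edit.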
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 9f1842b88..56e5c6b82 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -541,6 +541,7 @@ with import <stockholm/lib>;
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}
+ photostore IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index ccfc4f49b..78c1c6ec1 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -21,6 +21,10 @@ prepare() {(
esac
;;
debian)
+ if grep -Fq Hetzner /etc/motd; then
+ prepare_hetzner_rescue "$@"
+ exit
+ fi
case $VERSION_ID in
7)
prepare_debian "$@"
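Review bot: The new rescue-system branch keys on `grep -Fq Hetzner /etc/motd`, a banner heuristic with no comment saying why it is needed before the `$VERSION_ID` dispatch that follows. A comment such as `# Hetzner's rescue system identifies as Debian in os-release; tell it apart by its motd banner` would make the branch self-explaining. The `exit` after the call leaves the `prepare() {(` subshell rather than the script, which works because `prepare "$@"` is the script's last statement; the enclosing case statement continues outside the hunk.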
@@ -72,7 +76,7 @@ prepare_debian() {
type bzip2 2>/dev/null || apt-get install bzip2
type git 2>/dev/null || apt-get install git
type rsync 2>/dev/null || apt-get install rsync
- type curl 2>/dev/null || apt-get install curl
+ type curl 2>/dev/null || apt-get install curl
prepare_common
}
@@ -90,10 +94,33 @@ prepare_nixos_iso() {
mkdir -p bin
rm -f bin/nixos-install
- cp "$(type -p nixos-install)" bin/nixos-install
+ cp "$(_which nixos-install)" bin/nixos-install
sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
}
+prepare_hetzner_rescue() {
+ _which() (
+ which "$1"
+ )
+ mountpoint /mnt
+
+ type bzip2 2>/dev/null || apt-get install bzip2
+ type git 2>/dev/null || apt-get install git
+ type rsync 2>/dev/null || apt-get install rsync
+ type curl 2>/dev/null || apt-get install curl
+
+ mkdir -p /mnt/"$target_path"
+ mkdir -p "$target_path"
+
+ if ! mountpoint "$target_path"; then
+ mount --rbind /mnt/"$target_path" "$target_path"
+ fi
+
+ _prepare_nix_users
+ _prepare_nix
+ _prepare_nixos_install
+}
+
get_nixos_install() {
echo "installing nixos-install" 2>&1
c=$(mktemp)
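Review bot: `cp "$(_which nixos-install)" bin/nixos-install` in prepare_nixos_iso now calls `_which`, but the only definitions of `_which` in this diff are the ones inside prepare_hetzner_rescue and the `prepare_common() {(` subshell, so unless prepare_nixos_iso defines it above the hunk the NixOS-ISO path now runs `cp` with an empty source. In prepare_hetzner_rescue, `mountpoint /mnt` acts as a guard only if the script runs under `set -e`, which is not visible here; otherwise a missing mount is merely printed and the function goes on to bind-mount into /mnt, so `mountpoint -q /mnt || { echo '/mnt not mounted' >&2; exit 1; }` makes the check explicit. The `apt-get install` calls mirror prepare_debian in running without `-y`, which stalls on a prompt in an unattended rescue session. The head of prepare_nixos_iso is outside the hunk.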
@@ -107,24 +134,13 @@ EOF
nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"
rm -v $c
}
+
prepare_common() {(
+ _which() (
+ type -p "$1"
+ )
- if ! getent group nixbld >/dev/null; then
- groupadd -g 30000 -r nixbld
- fi
- for i in `seq 1 10`; do
- if ! getent passwd nixbld$i 2>/dev/null; then
- useradd \
- -d /var/empty \
- -g 30000 \
- -G 30000 \
- -l \
- -M \
- -s /sbin/nologin \
- -u $(expr 30000 + $i) \
- nixbld$i
- fi
- done
+ _prepare_nix_users
#
# mount install directory
@@ -173,10 +189,12 @@ prepare_common() {(
mount --bind /nix /mnt/nix
fi
- #
- # install nix
- #
+ _prepare_nix
+ _prepare_nixos_install
+)}
+
+_prepare_nix() {
# install nix on host (cf. https://nixos.org/nix/install)
if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
(
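Review bot: `_prepare_nix() {` is introduced without a header comment while the `# install nix` banner that preceded this code in prepare_common is removed in the same hunk, so the function's purpose is now stated only by the inline `# install nix on host` comment inside it. A header such as `# _prepare_nix: install nix on the host and bind $target_path into /mnt; expects /mnt to be mounted and $target_path set` above the function restores that; the `$target_path` expectation comes from the mountpoint/--rbind lines at the end of the function, which lie in the next hunk. Note that `_prepare_nix` is now called both from the `prepare_common() {(` subshell and from the plain function prepare_hetzner_rescue, so any environment changes it makes persist only in the second caller.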
@@ -201,17 +219,40 @@ prepare_common() {(
if ! mountpoint "$target_path"; then
mount --rbind /mnt/"$target_path" "$target_path"
fi
+}
+_prepare_nix_users() {
+ if ! getent group nixbld >/dev/null; then
+ groupadd -g 30000 -r nixbld
+ fi
+ for i in `seq 1 10`; do
+ if ! getent passwd nixbld$i 2>/dev/null; then
+ useradd \
+ -d /var/empty \
+ -g 30000 \
+ -G 30000 \
+ -l \
+ -M \
+ -s /sbin/nologin \
+ -u $(expr 30000 + $i) \
+ nixbld$i
+ fi
+ done
+}
+
+
+_prepare_nixos_install() {
get_nixos_install
+
mkdir -p bin
rm -f bin/nixos-install
- cp "$(type -p nixos-install)" bin/nixos-install
+ cp "$(_which nixos-install)" bin/nixos-install
sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
if ! grep -q '^PATH.*#krebs' .bashrc; then
echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc
echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc
fi
-)}
+}
prepare "$@"
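Review bot: `_prepare_nixos_install` depends on a `_which` it does not define (each caller defines its own, one with `type -p`, one with `which`) and on the current directory being root's home for `bin/` and `.bashrc`, and neither expectation is stated. A header comment `# requires: _which defined by caller; cwd is root's home (writes bin/ and .bashrc)` makes both visible, or a fallback `type _which >/dev/null 2>&1 || _which() { type -p "$1"; }` at the top removes the first dependency. In `_prepare_nix_users` the loop keeps the backtick form of `seq 1 10` while `$(expr 30000 + $i)` two lines later uses `$(...)`; `$(seq 1 10)` is consistent. The two blank lines between `_prepare_nix_users` and `_prepare_nixos_install` are stray whitespace.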
diff --git a/krebs/5pkgs/simple/internetarchive/default.nix b/krebs/5pkgs/simple/internetarchive/default.nix
index 2f55e6f42..3c83093be 100644
--- a/krebs/5pkgs/simple/internetarchive/default.nix
+++ b/krebs/5pkgs/simple/internetarchive/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, pkgs, fetchPypi, ... }:
+{ stdenv, pkgs, ... }:
with pkgs.python3Packages;
buildPythonPackage rec {
pname = "internetarchive";
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 8ec744584..609fae3c8 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -40,6 +40,9 @@ with import <stockholm/lib>;
zathura
skype
wine
+ geeqie
+ vlc
+ minecraft
];
nixpkgs.config.firefox.enableAdobeFlash = true;
services.xserver.enable = true;
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 03e9f6eeb..087aaab06 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -289,13 +289,6 @@ in {
alias /var/realwallpaper/realwallpaper.png;
'';
}
- {
- services.minecraft-server.enable = true;
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
- ];
- }
<stockholm/krebs/2configs/reaktor-krebs.nix>
<stockholm/lass/2configs/dcso-dev.nix>
{
@@ -307,7 +300,7 @@ in {
jeschli-brauerei
];
repo = [ config.krebs.git.repos.stockholm ];
- perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ];
+ perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
}
];
}
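Review bot: `push "refs/heads/staging/jeschli*"` widens the ref pattern from one branch to everything whose name starts with `staging/jeschli`; if the krebs git module matches this as a glob it also covers refs such as `staging/jeschliX`, and if jeschli's own sub-branches are the intent, `refs/heads/staging/jeschli/*` (plus the bare `refs/heads/staging/jeschli` if still used) is the tighter pattern. The permission list keeps `non-fast-forward` and `delete` across the whole pattern, so a comment stating that these staging refs are disposable would document why that is acceptable. Whether the pattern is matched as a glob or a prefix is decided by the git module outside this diff.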
@@ -318,6 +311,8 @@ in {
RandomizedDelaySec = "2min";
};
}
+ <stockholm/lass/2configs/downloading.nix>
+ <stockholm/lass/2configs/minecraft.nix>
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 59ea0ecb7..65e8f15a4 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -85,6 +85,8 @@ in {
screengrab
slock
sxiv
+ timewarrior
+ taskwarrior
termite
xclip
xorg.xbacklight
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index 9459cfd6f..cbbd54b6b 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -35,7 +35,10 @@ let
useDefaultShell = true;
createHome = true;
};
- lass.browser.paths.${name}.path = bin;
+ lass.browser.paths.${name} = {
+ path = bin;
+ inherit precedence;
+ };
security.sudo.extraConfig = ''
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
'';
@@ -80,6 +83,14 @@ in {
browser-select
];
+ programs.chromium = {
+ enable = true;
+ extensions = [
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+ "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
+ ];
+ };
+
imports = [
{
options.lass.browser.select = mkOption {
@@ -102,8 +113,9 @@ in {
( createFirefoxUser "ff" [ "audio" ] 10 )
( createChromiumUser "cr" [ "video" "audio" ] 9 )
( createChromiumUser "gm" [ "video" "audio" ] 8 )
- ( createChromiumUser "wk" [ "video" "audio" ] )
- ( createChromiumUser "fb" [ "video" "audio" ] )
- ( createChromiumUser "com" [ "video" "audio" ] )
+ ( createChromiumUser "wk" [ "video" "audio" ] 0 )
+ ( createChromiumUser "fb" [ "video" "audio" ] 0 )
+ ( createChromiumUser "com" [ "video" "audio" ] 0 )
+ ( createChromiumUser "fin" [] (-1) )
];
}
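Review bot: `createChromiumUser "fin" [] (-1)` introduces a negative precedence with no comment, and with the other users now given explicit values from 10 down to 0 the scale's meaning — presumably higher wins in browser-select, with -1 keeping `fin` out of the default pick — is inferred rather than stated; the createChromiumUser definition that consumes it is outside this hunk. A comment on the new line such as `# -1: never picked by default, only by explicit selection — confirm against lass.browser.select` would make the choice reviewable. The empty extra-groups list (no audio or video) looks deliberate if `fin` is a profile for sensitive sites, as the name suggests, and belongs in the same comment.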
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index c68aee330..5a5f1b347 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -2,11 +2,12 @@ with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
- ../2configs/binary-cache/client.nix
- ../2configs/gc.nix
- ../2configs/mc.nix
- ../2configs/vim.nix
- ../2configs/monitoring/client.nix
+ ./binary-cache/client.nix
+ ./gc.nix
+ ./mc.nix
+ ./vim.nix
+ ./monitoring/client.nix
+ ./zsh.nix
./htop.nix
./backups.nix
./security-workarounds.nix
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 94191fcb7..0219f5216 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -54,6 +54,11 @@ with import <stockholm/lib>;
{ from = "bitstamp@lassul.us"; to = lass.mail; }
{ from = "bitcoin.de@lassul.us"; to = lass.mail; }
{ from = "ableton@lassul.us"; to = lass.mail; }
+ { from = "dhl@lassul.us"; to = lass.mail; }
+ { from = "sipgate@lassul.us"; to = lass.mail; }
+ { from = "coinexchange@lassul.us"; to = lass.mail; }
+ { from = "verwaltung@lassul.us"; to = lass.mail; }
+ { from = "gearbest@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix
new file mode 100644
index 000000000..aa33dcccc
--- /dev/null
+++ b/lass/2configs/minecraft.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+{
+ users.users = {
+ mc = {
+ name = "mc";
+ description = "user playing mc";
+ home = "/home/mc";
+ createHome = true;
+ useDefaultShell = true;
+ packages = with pkgs; [
+ tmux
+ ];
+ };
+ };
+ krebs.per-user.mc.packages = [ pkgs.jdk ];
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
+ ];
+}
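Review bot: The new module opens 25565/tcp and 25565/udp in `krebs.iptables.tables.filter.INPUT.rules` but, unlike the block it replaces in prism/config.nix in this same commit, does not set `services.minecraft-server.enable = true`, so prism now accepts the port with nothing started by the system unless the `mc` user runs a server by hand (the `tmux` and `pkgs.jdk` packages suggest that). If that is the intent, a header comment such as `# unprivileged user "mc" runs a minecraft server manually (tmux + jdk); 25565 opened for it` should say so; if not, the enable line was lost in the move.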
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 4d33aa79d..728c0cc0d 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -7,10 +7,8 @@
zsh-newuser-install() { :; }
'';
interactiveShellInit = ''
- #unsetopt nomatch
setopt autocd extendedglob
bindkey -e
- zstyle :compinstall filename '/home/lass/.zshrc'
#history magic
bindkey "" up-line-or-local-history
@@ -40,7 +38,6 @@
bindkey "^X^E" edit-command-line
#completion magic
- fpath=(~/.zsh/completions $fpath)
autoload -Uz compinit
compinit
zstyle ':completion:*' menu select
@@ -48,14 +45,18 @@
#enable automatic rehashing of $PATH
zstyle ':completion:*' rehash true
-
- #eval $( dircolors -b ~/.LS_COLORS )
+ eval $(dircolors -b ${pkgs.fetchFromGitHub {
+ owner = "trapd00r";
+ repo = "LS_COLORS";
+ rev = "master";
+ sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
+ }}/LS_COLORS)
# export MANPAGER='sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | vim -R -c "set ft=man nonu nomod nolist" -'
#beautiful colors
alias ls='ls --color'
- zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
+ # zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
#emacs bindings
bindkey "[7~" beginning-of-line
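Review bot: `rev = "master"` together with a fixed `sha256` in the `pkgs.fetchFromGitHub` call is a fixed-output fetch of a moving ref: it builds only while GitHub's master tarball matches the recorded hash, and the first upstream push breaks every fresh build with a hash mismatch while machines that already have the store path keep working silently. Pin `rev` to the commit the sha256 was computed from so the derivation is reproducible. The hunk also drops the commented-out `eval $( dircolors -b ~/.LS_COLORS )`, so a user-local file is no longer consulted; a short comment saying the colours now come from the pinned upstream copy would help.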
@@ -66,24 +67,24 @@
#aliases
alias ll='ls -l'
alias la='ls -la'
- alias pinginet='ping 8.8.8.8'
- alias du='du -hd1'
- alias qiv="qiv -f -m"
- alias zshres="source ~/.zshrc"
#fancy window title magic
case $TERM in
(*xterm* | *rxvt*)
-
- # Write some info to terminal title.
- # This is seen when the shell prompts for input.
function precmd {
- print -Pn "\e]0;%(1j,%j job%(2j|s|); ,)%~\a"
+ if test -n "$SSH_CLIENT"; then
+ echo -ne "\033]0;$$ $USER@$HOST $PWD\007"
+ else
+ echo -ne "\033]0;$$ $USER@$PWD\007"
+ fi
}
- # Write command and args to terminal title.
# This is seen while the shell waits for a command to complete.
function preexec {
- printf "\033]0;%s\a" "$1"
+ if test -n "$SSH_CLIENT"; then
+ echo -ne "\033]0;$$ $USER@$HOST $PWD $1\007"
+ else
+ echo -ne "\033]0;$$ $USER@$PWD $1\007"
+ fi
}
;;
esac
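Review bot: The new `preexec` writes the typed command into the terminal title with `echo -ne "\033]0;... $1\007"`; with `-e`, backslash sequences inside `$1` (a command line that itself contains `\033` or `\a`, for example) are interpreted, whereas the replaced `printf "\033]0;%s\a" "$1"` passed the command through `%s` unchanged. `$PWD` and `$HOST` are interpolated the same way and can carry arbitrary characters too. Keeping the data out of the format string restores the old behaviour for all of them; the rewritten bodies of both functions are below.
```nix
function precmd {
  if test -n "$SSH_CLIENT"; then
    printf '\033]0;%s %s@%s %s\a' "$$" "$USER" "$HOST" "$PWD"
  else
    printf '\033]0;%s %s@%s\a' "$$" "$USER" "$PWD"
  fi
}
# This is seen while the shell waits for a command to complete.
function preexec {
  if test -n "$SSH_CLIENT"; then
    printf '\033]0;%s %s@%s %s %s\a' "$$" "$USER" "$HOST" "$PWD" "$1"
  else
    printf '\033]0;%s %s@%s %s\a' "$$" "$USER" "$PWD" "$1"
  fi
}
```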
@@ -119,4 +120,5 @@
'';
};
users.users.mainUser.shell = "/run/current-system/sw/bin/zsh";
+ users.users.root.shell = "/run/current-system/sw/bin/zsh";
}
diff --git a/lass/source.nix b/lass/source.nix
index 46c6d31dc..8ca3fe3c0 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -10,7 +10,7 @@ in
nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "d202e30";
+ ref = "92d088e";
};
secrets = getAttr builder {
buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 6e5f3c2d4..f473d9e4c 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -67,7 +67,7 @@ in {
<stockholm/makefu/2configs/nginx/public_html.nix>
<stockholm/makefu/2configs/nginx/update.connector.one.nix>
- <stockholm/makefu/2configs/deployment/mycube.connector.one.nix>
+ <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
<stockholm/makefu/2configs/deployment/graphs.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix>
<stockholm/makefu/2configs/deployment/boot-euer.nix>
diff --git a/makefu/2configs/deployment/photostore.krebsco.de.nix b/makefu/2configs/deployment/photostore.krebsco.de.nix
new file mode 100644
index 000000000..9e16a384a
--- /dev/null
+++ b/makefu/2configs/deployment/photostore.krebsco.de.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+# more than just nginx config but not enough to become a module
+with import <stockholm/lib>;
+let
+ wsgi-sock = "${workdir}/uwsgi-photostore.sock";
+ workdir = config.services.uwsgi.runDir;
+in {
+
+ services.uwsgi = {
+ enable = true;
+ user = "nginx";
+ runDir = "/var/lib/photostore";
+ plugins = [ "python3" ];
+ instance = {
+ type = "emperor";
+ vassals = {
+ cameraupload-server = {
+ type = "normal";
+ pythonPackages = self: with self; [ pkgs.cameraupload-server ];
+ socket = wsgi-sock;
+ };
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts."photostore.krebsco.de" = {
+ locations = {
+ "/".extraConfig = ''
+ uwsgi_pass unix://${wsgi-sock};
+ uwsgi_param UWSGI_CHDIR ${workdir};
+ uwsgi_param UWSGI_MODULE cuserver.main;
+