author | makefu <github@syntax-fehler.de> | 2016-11-28 23:29:18 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2016-11-28 23:29:18 +0100 |
commit | ab5b81b0b4a6396ca3b53fbe414a7aad2845d8bc (patch) | |
tree | d5493e9f9e9dff67107e6c62943dbbae24af92d6 | |
parent | 70dd1341b37e70866e811ab787031e4e74e98b09 (diff) | |
parent | d8da51621e44f6577e6d725b6263837cfa70f2bd (diff) |
Merge remote-tracking branch 'lass/master'
-rw-r--r-- | krebs/3modules/iptables.nix | 30 | ||||
-rw-r--r-- | lass/1systems/mors.nix | 1 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 1 | ||||
-rw-r--r-- | lass/2configs/buildbot-standalone.nix | 2 | ||||
-rw-r--r-- | lass/2configs/chromium-patched.nix | 48 | ||||
-rw-r--r-- | lass/2configs/downloading.nix | 2 | ||||
-rw-r--r-- | lass/2configs/nixpkgs.nix | 2 | ||||
-rw-r--r-- | lass/2configs/vim.nix | 4 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 8 |
9 files changed, 16 insertions, 82 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index a4a4de6f9..09b493c20 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -29,9 +29,10 @@ let tables = mkOption { type = with types; attrsOf (attrsOf (submodule ({ options = { + #TODO: find out good defaults. policy = mkOption { type = str; - default = "-"; + default = "ACCEPT"; }; rules = mkOption { type = nullOr (listOf (submodule ({ @@ -133,30 +134,9 @@ let #===== rules = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - pkgs.writeText "krebs-iptables-rules${iptables-version}" '' - ${buildTables iptables-version tables} - ''; + pkgs.writeText "krebs-iptables-rules${iptables-version}" '' + ${buildTables iptables-version cfg.tables} + ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 742d42bf8..99705cbf1 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -17,7 +17,6 @@ with import <stockholm/lib>; ../2configs/elster.nix ../2configs/steam.nix ../2configs/wine.nix - ../2configs/chromium-patched.nix ../2configs/git.nix ../2configs/skype.nix ../2configs/teamviewer.nix diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 4b05e3296..fbab23500 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix 
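Review bot: Changing the per-chain `policy` default from `"-"` to `"ACCEPT"` in the `tables` submodule applies to every chain a host declares under `cfg.tables`, not only the built-in chains whose explicit defaults the second hunk removes, so a user-defined chain now gets a policy unless the host writes `policy = "-";` itself. If `buildTables` (outside the hunk) emits that value into the `:CHAIN POLICY [0:0]` header consumed by iptables-restore, this matters, because iptables-restore accepts a policy only on built-in chains and a silent default would turn into a failed firewall reload. Either keep `"-"` as the default and apply `ACCEPT` only to the built-in chains, or state the constraint on the option, for example by replacing the added `#TODO: find out good defaults.` with `# ACCEPT is valid only for built-in chains; user-defined chains must set policy = "-".`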
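Review bot: Dropping `tables-defaults` also drops the implicit `filter.INPUT` rule `-m conntrack --ctstate RELATED,ESTABLISHED` → `ACCEPT`, and nothing in the new `rules` body or in the option defaults of the first hunk replaces it, so a host that relied on the module for return traffic now keeps established connections open only if its own `cfg.tables` declares that rule. The removed comment already flagged this default as fragile, but removing it without a word is a behaviour change that affects every host importing the module and should be called out in the commit or the module. If hosts are meant to own this rule, say so where `cfg.tables` is consumed, e.g. `# no implicit rules: hosts must add the conntrack RELATED,ESTABLISHED accept themselves` above the `pkgs.writeText` call. The enclosing `let` binding set continues outside the hunk.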
@@ -31,6 +31,7 @@ in { environment.systemPackages = with pkgs; [ acpi + dic dmenu gitAndTools.qgit lm_sensors diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 7422abdc8..e7fbccb77 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -36,7 +36,7 @@ in { }; builder_pre = '' # prepare grab_repo step for stockholm - grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True) + grab_repo = steps.Git(repourl=stockholm_repo, mode='full') # TODO: get nixpkgs/stockholm paths from krebs env_lass = { diff --git a/lass/2configs/chromium-patched.nix b/lass/2configs/chromium-patched.nix deleted file mode 100644 index d9d7760dd..000000000 --- a/lass/2configs/chromium-patched.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -#settings to test: -# - #"ForceEphemeralProfiles": true, -let - masterPolicy = pkgs.writeText "master.json" '' - { - "PasswordManagerEnabled": false, - "DefaultGeolocationSetting": 2, - "RestoreOnStartup": 1, - "AutoFillEnabled": false, - "BackgroundModeEnabled": false, - "DefaultBrowserSettingEnabled": false, - "SafeBrowsingEnabled": false, - "ExtensionInstallForcelist": [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", - "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" - ] - } - ''; - - master_preferences = pkgs.writeText "master_preferences" '' - { - "browser": { - "custom_chrome_frame": true - }, - - "extensions": { - "theme": { - "id": "", - "use_system": true - } - } - } - ''; -in { - environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; - - #environment.systemPackages = [ - # #pkgs.chromium - # (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { - # buildCommand = attrs.buildCommand + '' - # touch $out/TEST123 - # ''; - # })) - #]; -} 
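Review bot: Replacing `mode='incremental', alwaysUseLatest=True` with `mode='full'` in `grab_repo` changes two things at once and the commit records neither: the checkout is rebuilt each build with the step's default `method` for full mode, which the line does not spell out, and without `alwaysUseLatest` the step now checks out the revision carried by the build's sourcestamp instead of the current branch head. If the second change is intended, a one-line comment would save the next reader a trip to the Buildbot docs, e.g. `# full checkout: no stale files from earlier builds; revision now comes from the sourcestamp, not branch head`; if it is not, `alwaysUseLatest=True` should be kept alongside `mode='full'`. The `builder_pre` string this line belongs to continues outside the hunk.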
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 79a609e2b..ca0aded78 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -14,8 +14,8 @@ with import <stockholm/lib>; ]; openssh.authorizedKeys.keys = with config.krebs.users; [ lass.pubkey - lass-uriel.pubkey lass-shodan.pubkey + lass-helios.pubkey makefu.pubkey ]; }; diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index caca98746..be54d120a 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e"; + ref = "ece0cea127f0a8799a6bd3b12c368193491f9058"; }; } diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index aac2b96d4..bfaae24c8 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -175,8 +175,8 @@ let "Syntastic config let g:syntastic_python_checkers=['flake8'] - nmap <esc>q :buffer - nmap <M-q> :buffer + nmap <esc>q :buffer + nmap <M-q> :buffer cnoremap <C-A> <Home> diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 3356fe9a8..0b2a6faac 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -88,6 +88,7 @@ rec { # set max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; + fastcgi_read_timeout 120; # Disable gzip to avoid the removal of the ETag header gzip off; @@ -164,10 +165,11 @@ rec { user = nginx group = nginx pm = dynamic - pm.max_children = 5 + pm.max_children = 32 + pm.max_requests = 500 pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 + pm.min_spare_servers = 2 + pm.max_spare_servers = 5 listen.owner = nginx listen.group = nginx php_admin_value[error_log] = 'stderr' |
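Review bot: `pm.max_children = 32` raises the php-fpm pool's worker ceiling more than sixfold and `pm.max_requests = 500` is new, but neither value records the sizing it was derived from, and since this pool text lives in the shared `util.nix` helpers it presumably applies to every site built from it, so a memory-hungry PHP application can now claim roughly six times the RAM it could before on the same host. Record the bound next to the value so the next person tuning it knows what it encodes, e.g. `; 32 workers * PHP memory_limit must fit the host's RAM; revisit when memory_limit changes`. The `rec { ... }` attribute set holding both hunks continues outside them.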