authormakefu <github@syntax-fehler.de>2016-11-28 23:29:18 +0100
committermakefu <github@syntax-fehler.de>2016-11-28 23:29:18 +0100
commitab5b81b0b4a6396ca3b53fbe414a7aad2845d8bc (patch)
treed5493e9f9e9dff67107e6c62943dbbae24af92d6
parent70dd1341b37e70866e811ab787031e4e74e98b09 (diff)
parentd8da51621e44f6577e6d725b6263837cfa70f2bd (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--krebs/3modules/iptables.nix30
-rw-r--r--lass/1systems/mors.nix1
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/buildbot-standalone.nix2
-rw-r--r--lass/2configs/chromium-patched.nix48
-rw-r--r--lass/2configs/downloading.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/vim.nix4
-rw-r--r--lass/2configs/websites/util.nix8
9 files changed, 16 insertions, 82 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index a4a4de6f9..09b493c20 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -29,9 +29,10 @@ let
tables = mkOption {
type = with types; attrsOf (attrsOf (submodule ({
options = {
+ #TODO: find out good defaults.
policy = mkOption {
type = str;
- default = "-";
+ default = "ACCEPT";
};
rules = mkOption {
type = nullOr (listOf (submodule ({
@@ -133,30 +134,9 @@ let
#=====
rules = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
+ ${buildTables iptables-version cfg.tables}
+ '';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
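Review bot: After this hunk nothing seeds `filter.INPUT` with the `-m conntrack --ctstate RELATED,ESTABLISHED` ACCEPT rule any more, so a host that never declared a `filter` table in `cfg.tables` now depends entirely on its own declarations for return traffic, and with the `"ACCEPT"` policy default introduced in the first hunk an undeclared chain is simply left open. What `buildTables` receives for such a host also changes from seven chains with explicit policies to an empty attrset; whether that still emits complete `*filter`/`*nat` blocks is not visible here. Suggest stating the new contract on `rules`, e.g. `# no implicit chains or rules: every table, chain policy and the conntrack accept for return traffic must come from cfg.tables`, and checking each host that relied on the former implicit defaults before merging. `startScript` continues outside the hunk.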
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 742d42bf8..99705cbf1 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -17,7 +17,6 @@ with import <stockholm/lib>;
../2configs/elster.nix
../2configs/steam.nix
../2configs/wine.nix
- ../2configs/chromium-patched.nix
../2configs/git.nix
../2configs/skype.nix
../2configs/teamviewer.nix
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 4b05e3296..fbab23500 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -31,6 +31,7 @@ in {
environment.systemPackages = with pkgs; [
acpi
+ dic
dmenu
gitAndTools.qgit
lm_sensors
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 7422abdc8..e7fbccb77 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -36,7 +36,7 @@ in {
};
builder_pre = ''
# prepare grab_repo step for stockholm
- grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True)
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='full')
# TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
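Review bot: Dropping `alwaysUseLatest=True` changes which revision the step checks out, not only how: without it the Git step honours the revision carried by the build's sourcestamp, so a build triggered for an older change now builds that change rather than the branch head, if the scheduler supplies one. If the intent was only a clean working copy, `grab_repo = steps.Git(repourl=stockholm_repo, mode='full', method='clobber', alwaysUseLatest=True)` keeps the previous revision selection; if building the sourcestamp revision is intended, say so on the line, e.g. `# full checkout of the sourcestamp revision (no alwaysUseLatest)`. The `builder_pre` string continues outside the hunk.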
diff --git a/lass/2configs/chromium-patched.nix b/lass/2configs/chromium-patched.nix
deleted file mode 100644
index d9d7760dd..000000000
--- a/lass/2configs/chromium-patched.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-
-#settings to test:
-#
- #"ForceEphemeralProfiles": true,
-let
- masterPolicy = pkgs.writeText "master.json" ''
- {
- "PasswordManagerEnabled": false,
- "DefaultGeolocationSetting": 2,
- "RestoreOnStartup": 1,
- "AutoFillEnabled": false,
- "BackgroundModeEnabled": false,
- "DefaultBrowserSettingEnabled": false,
- "SafeBrowsingEnabled": false,
- "ExtensionInstallForcelist": [
- "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx",
- "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx"
- ]
- }
- '';
-
- master_preferences = pkgs.writeText "master_preferences" ''
- {
- "browser": {
- "custom_chrome_frame": true
- },
-
- "extensions": {
- "theme": {
- "id": "",
- "use_system": true
- }
- }
- }
- '';
-in {
- environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy;
-
- #environment.systemPackages = [
- # #pkgs.chromium
- # (pkgs.lib.overrideDerivation pkgs.chromium (attrs: {
- # buildCommand = attrs.buildCommand + ''
- # touch $out/TEST123
- # '';
- # }))
- #];
-}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 79a609e2b..ca0aded78 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -14,8 +14,8 @@ with import <stockholm/lib>;
];
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
- lass-uriel.pubkey
lass-shodan.pubkey
+ lass-helios.pubkey
makefu.pubkey
];
};
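Review bot: Replacing `lass-uriel.pubkey` with `lass-helios.pubkey` is an access-control change whose reason is not recorded; a comment next to the list, e.g. `# uriel key retired, helios added`, would tell a reader whether uriel is being revoked or only moved. Removing a key from authorized_keys takes effect at the next activation and does not end sessions already open, so if this is a retirement the same key should be checked for in any other user lists that reference it. The enclosing user definition continues outside the hunk.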
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index caca98746..be54d120a 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
+ ref = "ece0cea127f0a8799a6bd3b12c368193491f9058";
};
}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index aac2b96d4..bfaae24c8 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -175,8 +175,8 @@ let
"Syntastic config
let g:syntastic_python_checkers=['flake8']
- nmap <esc>q :buffer
- nmap <M-q> :buffer
+ nmap <esc>q :buffer
+ nmap <M-q> :buffer
cnoremap <C-A> <Home>
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 3356fe9a8..0b2a6faac 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -88,6 +88,7 @@ rec {
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
+ fastcgi_read_timeout 120;
# Disable gzip to avoid the removal of the ETag header
gzip off;
@@ -164,10 +165,11 @@ rec {
user = nginx
group = nginx
pm = dynamic
- pm.max_children = 5
+ pm.max_children = 32
+ pm.max_requests = 500
pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
+ pm.min_spare_servers = 2
+ pm.max_spare_servers = 5
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
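Review bot: `pm.max_children = 32` raises the worker ceiling six-fold in a helper that, judging by the `rec {` context and the file name, every site built through util.nix inherits, so the per-host ceiling becomes 32 times the number of pools with no visible `memory_limit` bounding it; a comment giving the sizing assumption, e.g. `# sized for one pool per host; multiply by pool count when several sites share a machine`, or a parameter in place of the constant would make that explicit. The same applies to `fastcgi_read_timeout 120` in the first hunk, which should be aligned with the pool's `max_execution_time` (not visible here) so nginx does not give up before PHP does. The pool configuration string continues outside the hunk.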