diff options
author | tv <tv@krebsco.de> | 2017-08-24 17:39:53 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2017-08-24 17:39:53 +0200 |
commit | fd69096a27575b9d4d87a10af1492b273dad167c (patch) | |
tree | aa3e7dc121d3188a16a37a6751ec774abcc0df81 | |
parent | b9a4e834c06bc32fa38389e13c0ec42467c0fc46 (diff) | |
parent | fd6b42355907de5313ea3576e5d1bfa549433099 (diff) |
Merge remote-tracking branch 'prism/master'
55 files changed, 709 insertions, 126 deletions
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index daf9bd9d0..e7ece87b6 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -22,6 +22,7 @@ with import <stockholm/lib>; environment.systemPackages = with pkgs; [ git + vim rxvt_unicode.terminfo ]; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index cae0d1f37..7aeeb1f21 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -43,7 +43,7 @@ with import <stockholm/lib>; cores = 2; nets = rec { internet = { - ip4.addr = "104.233.79.118"; + ip4.addr = "45.62.226.163"; aliases = [ "echelon.i" ]; diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 81db2d411..68cba633b 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -113,14 +113,6 @@ with import <stockholm/lib>; }; kaepsele = { nets = { - internet = { - ip4.addr = "92.222.10.169"; - aliases = [ - "kaepsele.i" - "kaepsele.internet" - # TODO "kaepsele.org" - ]; - }; retiolum = { ip4.addr = "10.243.166.2"; ip6.addr = "42:b9d:6660:d07c:2bb7:4e91:1a01:2e7d"; @@ -129,17 +121,18 @@ with import <stockholm/lib>; ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAxj7kaye4pGLou7mVRTVgtcWFjuEosJlxVg24gM7nU1EaoRnBD93/ - Y3Je7BSUbz5xMXr5SFTPSkitInL7vU+jDOf2bEpqv+uUJAJIz85494oPS9xocdWo - rQsrQRAtOg4MLD+YIoAxQm2Mc4nt2CSE1+UP4uXGxpuh0c051b+9Kmwv1bTyHB9y - y01VSkDvNyHk5eA+RGDiujBAzhi35hzTlQgCJ3REOBiq4YmE1d3qpk3oNiYUcrcu - yFzQrSRIfhXjuzIR+wxqS95HDUsewSwt9HgkjJzYF5sQZSea0/XsroFqZyTJ8iB5 - FQx2emBqB525cWKOt0f5jgyjklhozhJyiwIDAQAB + MIIBCgKCAQEA4+kDaKhCBNlpHqRCA2R6c4UEFk0OaiPwHvjmBBjpihTJVyffIEYm + QFZ5ZNkaVumSOAgKk9ygppO9WsNasl1ag+IRWik9oupdzEkNjgvOMBVJGhcwGZGF + 6UEY5sdA1n0qg74og5BGSiXUBiaahVM0rAfCNk8gV3qrot5kWJMQLb9BKabJ56eb + JrgWepxuVaw3BoEhz6uusuvw5i1IF382L8R11hlvyefifXONFOAUjCrCr0bCb4uK + ZZcRUU35pbHLDXXTOrOarOO1tuVGu85VXo3S1sLaaouHYjhTVT8bxqbwcNhxBXYf + ONLv0f7G5XwecgUNbE6ZTfjV5PQKaww3lwIDAQAB -----END RSA PUBLIC KEY----- ''; }; }; - ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA9cDUg7qm37uOhQpdKSgpnJPWao9VZR6LFNphVcJQ++gYvVgWu6WMhigiy7DcGQSStUlXkZc4HZBBugwwNWcf7aAF6ijBuG5rVwb9AFQmSexpTOfWap33iA5f+LXYFHe7iv4Pt9TYO1ga1Ryl4EGKb7ol2h5vbKC+JiGaDejB0WqhBAyrTg4tTWO8k2JT11CrlTjNVctqV0IVAMtTc/hcJcNusnoGD4ic0QGSzEMYxcIGRNvIgWmxhI6GHeaHxXWH5fv4b0OpLlDfVUsIvEo9KVozoLGm/wgLBG/tQXKaF9qVMVgOYi9sX/hDLwhRrcD2cyAlq9djo2pMARYiriXF"; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wr36T0MmB8pnSO5/pw9/Dfe5+IMgVHOhm6EUa55jj"; }; mu = { cores = 2; diff --git a/krebs/source.nix b/krebs/source.nix index db30e1e35..400826351 100644 --- a/krebs/source.nix +++ b/krebs/source.nix @@ -14,6 +14,6 @@ in stockholm.file = toString <stockholm>; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "0590ecbe9e6b9a076065be29370701da758c61f1"; # nixos-17.03 @ 2017-07-30 + ref = "51a83266d164195698f04468d90d2c6238ed3491"; # nixos-17.03 @ 2017-07-30 }; } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 290d8a780..36daea1d5 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -1,23 +1,75 @@ +with import <stockholm/lib>; { config, pkgs, ... }: { imports = [ <stockholm/lass> <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> + <stockholm/lass/2configs/boot/coreboot.nix> - <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/git.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/browsers.nix> - <stockholm/lass/2configs/programs.nix> - <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/backups.nix> - <stockholm/lass/2configs/games.nix> + { + # bubsy config + users.users.bubsy = { + uid = genid "bubsy"; + home = "/home/bubsy"; + group = "users"; + createHome = true; + extraGroups = [ + "audio" + "networkmanager" + ]; + useDefaultShell = true; + }; + networking.networkmanager.enable = true; + networking.wireless.enable = mkForce false; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + environment.systemPackages = with pkgs; [ + pavucontrol + firefox + hexchat + networkmanagerapplet + ]; + services.xserver.enable = true; + services.xserver.displayManager.lightdm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + } + { + krebs.per-user.bitcoin.packages = [ + pkgs.electrum + ]; + users.extraUsers = { + bitcoin = { + name = "bitcoin"; + description = "user for bitcoin stuff"; + home = "/home/bitcoin"; + useDefaultShell = true; + createHome = true; + }; + }; + security.sudo.extraConfig = '' + bubsy ALL=(bitcoin) NOPASSWD: ALL + ''; + } ]; + time.timeZone = "Europe/Berlin"; + + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 0; + emulateWheel = true; + }; + + services.logind.extraConfig = '' + HandleLidSwitch=ignore + ''; + krebs.build.host = config.krebs.hosts.daedalus; fileSystems = { @@ -29,7 +81,7 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" ''; } diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index 0b048a2b1..be064bed2 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -37,6 +37,7 @@ with import <stockholm/lib>; }; }; boot.kernelParams = [ "copytoram" ]; + networking.hostName = "lass-iso"; } { krebs.enable = true; diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 2cb6a7519..bb6f84c7b 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -5,7 +5,7 @@ with import <stockholm/lib>; imports = [ <stockholm/lass> <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/coreboot.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> @@ -104,8 +104,8 @@ with import <stockholm/lib>; }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" ''; #TODO activationScripts seem broken, fix them! @@ -139,7 +139,6 @@ with import <stockholm/lib>; urban mk_sql_pair remmina - thunderbird iodine diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 5d05ae399..744bae551 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -298,6 +298,22 @@ in { localAddress = "10.233.2.2"; }; } + { + #kaepsele + containers.kaepsele = { + config = { ... }: { + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + tv.pubkey + ]; + }; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index b707f4388..0b9499982 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -44,6 +44,10 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.skynet; + services.logind.extraConfig = '' + HandleLidSwitch=ignore + ''; + #fileSystems = { # "/bku" = { # device = "/dev/mapper/pool-bku"; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 86d0ac7c1..3a99e65a0 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -48,6 +48,7 @@ in { acpi dic dmenu + gi gitAndTools.qgit lm_sensors haskellPackages.hledger diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 728e265f6..611e1b9da 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -40,6 +40,7 @@ with import <stockholm/lib>; { from = "patreon@lassul.us"; to = lass.mail; } { from = "steam@lassul.us"; to = lass.mail; } { from = "securityfocus@lassul.us"; to = lass.mail; } + { from = "radio@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index d3f5d1f39..eb606037e 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -80,7 +80,7 @@ let public = true; }; - make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: { + make-restricted-repo = name: { collaborators ? [], announce ? false, hooks ? {}, ... }: { inherit collaborators name; public = false; hooks = optionalAttrs announce { @@ -93,7 +93,7 @@ let # TODO define branches in some kind of option per repo branches = [ "master" "staging*" ]; }; - }; + } // hooks; }; make-rules = diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix index b72e2b087..ee4c0216c 100644 --- a/lass/2configs/ircd.nix +++ b/lass/2configs/ircd.nix @@ -13,7 +13,6 @@ sid = "1as"; description = "miep!"; network_name = "irc.retiolum"; - network_desc = "Retiolum IRC Network"; hub = yes; vhost = "0.0.0.0"; diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index ee0c3f938..9f9bb24fa 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -72,13 +72,13 @@ let ''} %r |" virtual-mailboxes \ + "Unread" "notmuch://?query=tag:unread"\ "INBOX" "notmuch://?query=tag:inbox \ and NOT tag:killed \ and NOT to:shackspace \ and NOT to:c-base \ and NOT from:security-alert@hpe.com \ and NOT to:nix-devel"\ - "Unread" "notmuch://?query=tag:unread"\ "shack" "notmuch://?query=to:shackspace"\ "c-base" "notmuch://?query=to:c-base"\ "security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\ diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index 9983fd567..5e028a3fb 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -15,7 +15,6 @@ let bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#news #bundestag bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#news bitcoinpakistan|https://bitcoinspakistan.com/feed/|#news #financial - c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#news cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#news carta|http://feeds2.feedburner.com/carta-standard-rss|#news catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#news @@ -27,7 +26,11 @@ let ccc|http://www.ccc.de/rss/updates.rdf|#news chan_b|https://boards.4chan.org/b/index.rss|#brainfuck chan_biz|https://boards.4chan.org/biz/index.rss|#news #brainfuck + chan_g|https://boards.4chan.org/g/index.rss|#news chan_int|https://boards.4chan.org/int/index.rss|#news #brainfuck + chan_sci|https://boards.4chan.org/sci/index.rss|#news + chan_x|https://boards.4chan.org/x/index.rss|#news + c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#news cryptogon|http://www.cryptogon.com/?feed=rss2|#news csm|http://rss.csmonitor.com/feeds/csm|#news csm_world|http://rss.csmonitor.com/feeds/world|#news @@ -61,6 +64,7 @@ let greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#news guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#news gulli|http://ticker.gulli.com/rss/|#news + hackernews|https://news.ycombinator.com/rss|#news handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#news #financial heise|https://www.heise.de/newsticker/heise-atom.xml|#news hindu_business|http://www.thehindubusinessline.com/?service=rss|#news #financial @@ -100,7 +104,12 @@ let reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#news #brainfuck reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#news reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#news #financial + reddit_consp|http://reddit.com/r/conspiracy/.rss|#news + reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news + reddit_nix|http://www.reddit.com/r/nixos/.rss|#news reddit_prog|http://www.reddit.com/r/programming/new/.rss|#news + reddit_sci|http://www.reddit.com/r/science/.rss|#news + reddit_tech|http://www.reddit.com/r/technology/.rss|#news reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#news #tpp reddit_world|http://www.reddit.com/r/worldnews/.rss|#news r-ethereum|http://www.reddit.com/r/ethereum/.rss|#news @@ -156,16 +165,6 @@ let wp_world|http://feeds.washingtonpost.com/rss/rss_blogpost|#news xkcd|https://xkcd.com/rss.xml|#news zdnet|http://www.zdnet.com/news/rss.xml|#news - - chan_g|https://boards.4chan.org/g/index.rss|#news - chan_x|https://boards.4chan.org/x/index.rss|#news - chan_sci|https://boards.4chan.org/sci/index.rss|#news - reddit_consp|http://reddit.com/r/conspiracy/.rss|#news - reddit_sci|http://www.reddit.com/r/science/.rss|#news - reddit_tech|http://www.reddit.com/r/technology/.rss|#news - reddit_nix|http://www.reddit.com/r/nixos/.rss|#news - reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news - hackernews|https://news.ycombinator.com/rss|#news ''; in { environment.systemPackages = [ diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 22ec7efa9..38a9550df 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -98,6 +98,7 @@ myKeyMap = [ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f") , ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png") , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type") + , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type") , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%") , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%") , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%") diff --git a/makefu/1systems/darth/config.nix b/makefu/1systems/darth/config.nix index 9dbe67429..7accb13d3 100644 --- a/makefu/1systems/darth/config.nix +++ b/makefu/1systems/darth/config.nix @@ -3,44 +3,62 @@ with import <stockholm/lib>; let byid = dev: "/dev/disk/by-id/" + dev; - rootDisk = byid "ata-ADATA_SSD_S599_64GB_10460000000000000039"; - auxDisk = byid "ata-HGST_HTS721010A9E630_JR10006PH3A02F"; - dataPartition = auxDisk + "-part1"; + rootDisk = byid "ata-INTEL_SSDSC2BW480H6_CVTR53120385480EGN"; + bootPart = rootDisk + "-part1"; + rootPart = rootDisk + "-part2"; allDisks = [ rootDisk ]; # auxDisk in { imports = [ <stockholm/makefu> - <stockholm/makefu/2configs/fs/single-partition-ext4.nix> + <stockholm/makefu/2configs/fs/sda-crypto-root.nix> + <stockholm/makefu/2configs/sshd-totp.nix> <stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/smart-monitor.nix> <stockholm/makefu/2configs/exim-retiolum.nix> - <stockholm/makefu/2configs/virtualisation/libvirt.nix> + # <stockholm/makefu/2configs/virtualisation/libvirt.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> - <stockholm/makefu/2configs/share/temp-share-samba.nix> + <stockholm/makefu/2configs/tools/core.nix> + <stockholm/makefu/2configs/stats/client.nix> + <stockholm/makefu/2configs/nsupdate-data.nix> + + # SIEM + #<stockholm/makefu/2configs/tinc/siem.nix> + # {services.tinc.networks.siem = { + # name = "sdarth"; + # extraConfig = "ConnectTo = sjump"; + # }; + # } + + # { + # makefu.forward-journal = { + # enable = true; + # src = "10.8.10.2"; + # dst = "10.8.10.6"; + # }; + # } + + ## Sharing + # <stockholm/makefu/2configs/share/temp-share-samba.nix> + #{ + # services.samba.shares = { + # isos = { + # path = "/data/isos/"; + # "read only" = "yes"; + # browseable = "yes"; + # "guest ok" = "yes"; + # }; + # }; + #} + <stockholm/makefu/2configs/share/anon-ftp.nix> ]; - services.samba.shares = { - isos = { - path = "/data/isos/"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - }; - services.tinc.networks.siem = { - name = "sdarth"; - extraConfig = "ConnectTo = sjump"; - }; - makefu.forward-journal = { - enable = true; - src = "10.8.10.2"; - dst = "10.8.10.6"; - }; - #networking.firewall.enable = false; + #networking.firewall.enable = false; + makefu.server.primary-itf = "enp0s25"; + krebs.hidden-ssh.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -49,31 +67,28 @@ in { firewall = { allowPing = true; logRefusedConnections = false; - trustedInterfaces = [ "eno1" ]; + # trustedInterfaces = [ "eno1" ]; allowedUDPPorts = [ 80 655 1655 67 ]; allowedTCPPorts = [ 80 655 1655 ]; }; # fallback connection to the internal virtual network - interfaces.virbr3.ip4 = [{ - |