summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2015-12-20 19:37:46 +0100
committertv <tv@krebsco.de>2015-12-20 19:37:46 +0100
commitc89907175546aa0c39bc6b2c4960f0ea6e6db8c9 (patch)
tree158bf1a5938fc37efc466b00b3f0906ac2a50d9f /krebs
parentc09bc6a29f21f1c6bd21575e385b8b3bc5c89b8a (diff)
parent5821d8438578db623a3e248c52fefa424fad0b51 (diff)
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/apt-cacher-ng.nix157
-rw-r--r--krebs/3modules/default.nix4
-rw-r--r--krebs/3modules/fetchWallpaper.nix89
-rw-r--r--krebs/3modules/go.nix66
-rw-r--r--krebs/3modules/lass/default.nix34
-rw-r--r--krebs/3modules/makefu/default.nix74
-rw-r--r--krebs/3modules/retiolum.nix9
-rw-r--r--krebs/3modules/shared/default.nix47
-rw-r--r--krebs/3modules/tinc_graphs.nix4
-rw-r--r--krebs/4lib/infest/prepare.sh1
-rw-r--r--krebs/5pkgs/Reaktor/default.nix4
-rw-r--r--krebs/5pkgs/apt-cacher-ng/default.nix21
-rw-r--r--krebs/5pkgs/cac/default.nix6
-rw-r--r--krebs/5pkgs/cacpanel/default.nix18
-rw-r--r--krebs/5pkgs/drivedroid-gen-repo/default.nix22
-rw-r--r--krebs/5pkgs/fortclientsslvpn/default.nix87
-rw-r--r--krebs/5pkgs/go/default.nix57
-rw-r--r--krebs/5pkgs/go/packages.nix44
-rw-r--r--krebs/5pkgs/snapraid/default.nix33
-rw-r--r--krebs/Zhosts/gum2
-rw-r--r--krebs/Zhosts/vbob9
-rw-r--r--krebs/Zpubkeys/makefu_arch.ssh.pub1
-rw-r--r--krebs/Zpubkeys/makefu_omo.ssh.pub1
-rw-r--r--krebs/Zpubkeys/makefu_tsp.ssh.pub1
-rw-r--r--krebs/default.nix1
25 files changed, 742 insertions, 50 deletions
diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix
new file mode 100644
index 000000000..75296bafb
--- /dev/null
+++ b/krebs/3modules/apt-cacher-ng.nix
@@ -0,0 +1,157 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ acng-config = pkgs.writeTextFile {
+ name = "acng-configuration";
+ destination = "/acng.conf";
+ text = ''
+ ForeGround: 1
+ CacheDir: ${cfg.cacheDir}
+ LogDir: ${cfg.logDir}
+ PidFile: /var/run/apt-cacher-ng.pid
+ ExTreshold: ${toString cfg.cacheExpiration}
+ CAfile: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+
+ Port: ${toString cfg.port}
+ BindAddress: ${cfg.bindAddress}
+
+ # defaults:
+ Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian
+ Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu
+ Remap-debvol: file:debvol_mirror*.gz /debian-volatile ; file:backends_debvol
+ Remap-cygwin: file:cygwin_mirrors /cygwin
+ Remap-sfnet: file:sfnet_mirrors
+ Remap-alxrep: file:archlx_mirrors /archlinux
+ Remap-fedora: file:fedora_mirrors
+ Remap-epel: file:epel_mirrors
+ Remap-slrep: file:sl_mirrors # Scientific Linux
+ Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo
+
+ ReportPage: acng-report.html
+ SupportDir: ${pkgs.apt-cacher-ng}/lib/apt-cacher-ng
+ LocalDirs: acng-doc ${pkgs.apt-cacher-ng}/share/doc/apt-cacher-ng
+
+ # Nix cache
+ ${optionalString cfg.enableNixCache ''
+ Remap-nix: http://cache.nixos.org /nixos ; https://cache.nixos.org
+ PfilePatternEx: (^|.*?/).*\.nar(info)?(|\.gz|\.xz|\.bz2)$
+ VfilePatternEx: (^|.*?/)nix-cache-info$
+ ''}
+
+ ${cfg.extraConfig}
+ '';
+ };
+
+ acng-home = "/var/cache/acng";
+ cfg = config.krebs.apt-cacher-ng;
+
+ api = {
+ enable = mkEnableOption "apt-cacher-ng";
+
+ cacheDir = mkOption {
+ default = acng-home + "/cache";
+ type = types.str;
+ description = ''
+ Path to apt-cacher-ng cache directory.
+ Will be created and chowned to acng-user
+ '';
+ };
+
+ logDir = mkOption {
+ default = acng-home + "/log";
+ type = types.str;
+ description = ''
+ Path to apt-cacher-ng log directory.
+ Will be created and chowned to acng-user
+ '';
+ };
+
+ port = mkOption {
+ default = 3142;
+ type = types.int;
+ description = ''
+ port of apt-cacher-ng
+ '';
+ };
+
+ bindAddress = mkOption {
+ default = "";
+ type = types.str;
+ example = "localhost 192.168.7.254 publicNameOnMainInterface";
+ description = ''
+ listen address of apt-cacher-ng. Defaults to every interface.
+ '';
+ };
+
+ cacheExpiration = mkOption {
+ default = 4;
+ type = types.int;
+ description = ''
+ number of days before packages expire in the cache without being
+ requested.
+ '';
+ };
+
+ enableNixCache = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ enable cache.nixos.org caching via PfilePatternEx and VfilePatternEx.
+
+ to use the apt-cacher-ng in your nixos configuration:
+ nix.binary-cache = [ http://acng-host:port/nixos ];
+
+ These options cannot be used in extraConfig, use SVfilePattern and
+ SPfilePattern or disable this option.
+ '';
+ };
+
+ extraConfig = mkOption {
+ default = "";
+ type = types.lines;
+ description = ''
+ extra config appended to the generated acng.conf
+ '';
+ };
+ };
+
+ imp = {
+
+ users.extraUsers.acng = {
+ # uid = config.ids.uids.acng;
+ uid = 897955083; #genid Reaktor
+ description = "apt-cacher-ng";
+ home = acng-home;
+ createHome = false;
+ };
+
+ users.extraGroups.acng = {
+ gid = 897955083; #genid Reaktor
+ # gid = config.ids.gids.Reaktor;
+ };
+
+ systemd.services.apt-cacher-ng = {
+ description = "apt-cacher-ng";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ PermissionsStartOnly = true;
+ ExecStartPre = pkgs.writeScript "acng-init" ''
+ #!/bin/sh
+ mkdir -p ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir}
+ chown acng:acng ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir}
+ '';
+ ExecStart = "${pkgs.apt-cacher-ng}/bin/apt-cacher-ng -c ${acng-config}";
+ PrivateTmp = "true";
+ User = "acng";
+ Restart = "always";
+ RestartSec = "10";
+ };
+ };
+ };
+in
+{
+ options.krebs.apt-cacher-ng = api;
+ config = mkIf cfg.enable imp;
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index a908d437b..740ba67b8 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,13 +6,16 @@ let
out = {
imports = [
+ ./apt-cacher-ng.nix
./bepasty-server.nix
./build.nix
./current.nix
./exim-retiolum.nix
./exim-smarthost.nix
+ ./fetchWallpaper.nix
./github-hosts-sync.nix
./git.nix
+ ./go.nix
./iptables.nix
./nginx.nix
./per-user.nix
@@ -85,6 +88,7 @@ let
krebs.dns.providers = {
de.krebsco = "zones";
gg23 = "hosts";
+ shack = "hosts";
internet = "hosts";
retiolum = "hosts";
};
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
new file mode 100644
index 000000000..83ecf4177
--- /dev/null
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.krebs.fetchWallpaper;
+
+ out = {
+ options.krebs.fetchWallpaper = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "fetch wallpaper";
+ predicate = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ };
+ url = mkOption {
+ type = types.str;
+ };
+ timerConfig = mkOption {
+ type = types.unspecified;
+ default = {
+ OnCalendar = "*:00,10,20,30,40,50";
+ };
+ };
+ stateDir = mkOption {
+ type = types.str;
+ default = "/var/lib/wallpaper";
+ };
+ display = mkOption {
+ type = types.str;
+ default = ":11";
+ };
+ };
+
+ fetchWallpaperScript = pkgs.writeScript "fetchWallpaper" ''
+ #! ${pkgs.bash}/bin/bash
+ ${optionalString (cfg.predicate != null) ''
+ if ! ${cfg.predicate}; then
+ echo "predicate failed - will not fetch from remote"
+ exit 0
+ fi
+ ''}
+ mkdir -p ${shell.escape cfg.stateDir}
+ curl -s -o ${shell.escape cfg.stateDir}/wallpaper -z ${shell.escape cfg.stateDir}/wallpaper ${shell.escape cfg.url}
+ feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ '';
+
+ imp = {
+ users.users.fetchWallpaper = {
+ name = "fetchWallpaper";
+ uid = 3332383611; #genid fetchWallpaper
+ description = "fetchWallpaper user";
+ home = cfg.stateDir;
+ createHome = true;
+ };
+
+ systemd.timers.fetchWallpaper = {
+ description = "fetch wallpaper timer";
+ wantedBy = [ "timers.target" ];
+
+ timerConfig = cfg.timerConfig;
+ };
+ systemd.services.fetchWallpaper = {
+ description = "fetch wallpaper";
+ after = [ "network.target" ];
+
+ path = with pkgs; [
+ curl
+ feh
+ ];
+
+ environment = {
+ URL = cfg.url;
+ DISPLAY = cfg.display;
+ };
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = fetchWallpaperScript;
+ User = "fetchWallpaper";
+ };
+ };
+ };
+in out
diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix
new file mode 100644
index 000000000..793d1f60d
--- /dev/null
+++ b/krebs/3modules/go.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+
+let
+ cfg = config.krebs.go;
+
+ out = {
+ options.krebs.go = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "Enable go url shortener";
+ port = mkOption {
+ type = types.str;
+ default = "1337";
+ description = "on which port go should run on";
+ };
+ redisKeyPrefix = mkOption {
+ type = types.str;
+ default = "go:";
+ description = "change the Redis key prefix which defaults to `go:`";
+ };
+ };
+
+ imp = {
+ services.redis = {
+ enable = mkDefault true;
+ bind = mkDefault "127.0.0.1";
+ };
+
+ users.extraUsers.go = {
+ name = "go";
+ uid = 42774411; #genid go
+ description = "go url shortener user";
+ home = "/var/lib/go";
+ createHome = true;
+ };
+
+ systemd.services.go = {
+ description = "go url shortener";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [
+ go
+ ];
+
+ environment = {
+ PORT = cfg.port;
+ REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
+ };
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ User = "go";
+ Restart = "always";
+ ExecStart = "${pkgs.go}/bin/go";
+ };
+ };
+ };
+
+in out
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 2ad4353bd..26b0947bb 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -2,42 +2,14 @@
with lib;
-let
- testHosts = lib.genAttrs [
- "test-arch"
- "test-centos6"
- "test-centos7"
- ] (name: {
- inherit name;
- cores = 1;
- nets = {
- retiolum = {
- addrs4 = ["10.243.111.111"];
- addrs6 = ["42:0:0:0:0:0:0:7357"];
- aliases = [
- "test.retiolum"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
- mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5
- TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1
- K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8
- QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY
- VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- });
-in {
+{
hosts = addNames {
echelon = {
cores = 2;
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
- addrs4 = ["167.88.34.158"];
+ addrs4 = ["162.252.241.33"];
aliases = [
"echelon.internet"
];
@@ -241,7 +213,7 @@ in {
};
};
- } // testHosts;
+ };
users = addNames {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 652527da2..1970a0777 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -84,6 +84,31 @@ with lib;
};
};
};
+
+ vbob = {
+ cores = 2;
+ dc = "makefu"; #vm local
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.1.91"];
+ addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"];
+ aliases = [
+ "vbob.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA+0TIo0dS9LtSdrmH0ClPHLO7dHtV9Dj7gaBAsbyuwxAI5cQgYKwr
+ 4G6t7IcJW+Gu2bh+LKtPP91+zYXq4Qr1nAaKw4ajsify6kpxsCBzknmwi6ibIJMI
+ AK114dr/XSk/Pc6hOSA8kqDP4c0MZXwitRBiNjrWbTrQh6GJ3CXhmpZ2lJkoAyNP
+ hjdPerbTUrhQlNW8FanyQQzOgN5I7/PXsZShmb3iNKz1Ban5yWKFCVpn8fjWQs5o
+ Un2AKowH4Y+/g8faGemL8uy/k5xrHSrn05L92TPDUpAXrcZXzo6ao1OBiwJJVl7s
+ AVduOY18FU82GUw7edR0e/b2UC6hUONflwIDAQAB
+ -----END RSA PUBLIC KEY-----
+
+ '';
+ };
+ };
+ };
flap = rec {
cores = 1;
dc = "cac"; #vps
@@ -238,6 +263,31 @@ with lib;
};
};
};
+
+ omo = rec {
+ cores = 2;
+ dc = "makefu"; #AMD E350
+
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.0.89"];
+ addrs6 = ["42:f9f0::10"];
+ aliases = [
+ "omo.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAuHQEeowvxRkoHJUw6cUp431pnoIy4MVv7kTLgWEK46nzgZtld9LM
+ ZdNMJB9CuOVVMHEaiY6Q5YchUmapGxwEObc0y+8zQxTPw3I4q0GkSJqKLPrsTpkn
+ sgEkHPfs2GVdtIBXDn9I8i5JsY2+U8QF8fbIQSOO08/Vpa3nknDAMege9yEa3NFm
+ s/+x+2pS+xV6uzf/H21XNv0oufInXwZH1NCNXAy5I2V6pz7BmAHilVOGCT7g2zn6
+ GasmofiYEnro4V5s8gDlQkb7bCZEIA9EgX/HP6fZJQezSUHcDCQFI0vg26xywbr6
+ 5+9tTn8fN2mWS5+Pdmx3haX1qFcBP5HglwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
gum = rec {
cores = 1;
dc = "online.net"; #root-server
@@ -245,7 +295,10 @@ with lib;
extraZones = {
"krebsco.de" = ''
share.euer IN A ${head nets.internet.addrs4}
+ mattermost.euer IN A ${head nets.internet.addrs4}
+ git.euer IN A ${head nets.internet.addrs4}
gum IN A ${head nets.internet.addrs4}
+ cgit.euer IN A ${head nets.internet.addrs4}
'';
};
nets = {
@@ -260,6 +313,7 @@ with lib;
addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"];
aliases = [
"gum.retiolum"
+ "cgit.gum.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -275,10 +329,26 @@ with lib;
};
};
};
- users = addNames {
+ users = addNames rec {
makefu = {
mail = "makefu@pornocauster.retiolum";
- pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster";
+ };
+ makefu-omo = {
+ inherit (makefu) mail;
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtDhAxjiCH0SmTGNDqmlKPug9qTf+IFOVjdXfk01lAV2KMVW00CgNo2d5kl5+6pM99K7zZO7Uo7pmSFLSCAg8J6cMRI3v5OxFsnQfcJ9TeGLZt/ua7F8YsyIIr5wtqKtFbujqve31q9xJMypEpiX4np3nLiHfYwcWu7AFAUY8UHcCNl4JXm6hsmPe+9f6Mg2jICOdkfMMn0LtW+iq1KZpw1Nka2YUSiE2YuUtV+V+YaVMzdcjknkVkZNqcVk6tbJ1ZyZKM+bFEnE4VkHJYDABZfELpcgBAszfWrVG0QpEFjVCUq5atpIVHJcWWDx072r0zgdTPcBuzsHHC5PRfVBLEw== makefu@servarch";
+ };
+ makefu-tsp = {
+ inherit (makefu) mail;
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp";
+ };
+ makefu-vbob = {
+ inherit (makefu) mail;
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
+ };
+ exco = {
+ mail = "dickbutt@excogitation.de";
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== dickbutt@excogitation.de";
};
};
}
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
index 633642537..28ac67306 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/retiolum.nix
@@ -50,6 +50,14 @@ let
'';
};
+ extraConfig = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Extra Configuration to be appended to tinc.conf
+ '';
+ };
+
tincPackage = mkOption {
type = types.package;
default = pkgs.tinc;
@@ -203,6 +211,7 @@ let
Interface = ${cfg.network}
${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
PrivateKeyFile = /tmp/retiolum-rsa_key.priv
+ ${cfg.extraConfig}
EOF
# source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
index 24dd7b782..b332676c6 100644
--- a/krebs/3modules/shared/default.nix
+++ b/krebs/3modules/shared/default.nix
@@ -2,15 +2,48 @@
with lib;
-{
+let
+ testHosts = lib.genAttrs [
+ "test-arch"
+ "test-centos6"
+ "test-centos7"
+ ] (name: {
+ inherit name;
+ cores = 1;
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.111.111"];
+ addrs6 = ["42:0:0:0:0:0:0:7357"];
+ aliases = [
+ "test.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
+ mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5
+ TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1
+ K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8
+ QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY
+ VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ });
+in {
hosts = addNames {
wolf = {
- #dc = "shack";
+ dc = "shack";
nets = {
- #shack = {
- # addrs4 = [ TODO ];
- # aliases = ["wolf.shack"];
- #};
+ shack = {
+ addrs4 = [ "10.42.2.150" ];
+ aliases = [
+ "wolf.shack"
+ "graphite.shack"
+ "acng.shack"
+ "drivedroid.shack"
+ ];
+ };
retiolum = {
addrs4 = ["10.243.77.1"];
addrs6 = ["42:0:0:0:0:0:77:1"];
@@ -32,7 +65,7 @@ with lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR";
};
- };
+ } // testHosts;
users = addNames {
shared = {
mail = "spam@krebsco.de";
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index e415d20ab..ba81dd416 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -89,9 +89,10 @@ let
};
restartIfChanged = true;
-
serviceConfig = {
Type = "simple";
+ TimeoutSec = 300; # we will wait 5 minutes, kill otherwise
+ restart = "always";
ExecStartPre = pkgs.writeScript "tinc_graphs-init" ''
#!/bin/sh
@@ -103,7 +104,6 @@ let
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}"
fi
'';
-
ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs";
ExecStartPost = pkgs.writeScript "tinc_graphs-post" ''
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index 182a068ef..0bfc49380 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -66,6 +66,7 @@ prepare_debian() {
type bzip2 2>/dev/null || apt-get install bzip2
type git 2>/dev/null || apt-get install git
type rsync 2>/dev/null || apt-get install rsync
+ type curl 2>/dev/null || apt-get install curl
prepare_common
}
diff --git a/krebs/5pkgs/Reaktor/default.nix b/krebs/5pkgs/Reaktor/default.nix
index c38aa6423..c4a362757 100644
--- a/krebs/5pkgs/Reaktor/default.nix
+++ b/krebs/5pkgs/Reaktor/default.nix
@@ -2,14 +2,14 @@
python3Packages.buildPythonPackage rec {
name = "Reaktor-${version}";
- version = "0.5.0";
+ version = "0.5.1";
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
python3Packages.requests2
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
- sha256 = "1npag52xmnyqv56z0anyf6xf00q0smfzsippal0xdbxrfj7s8qim";
+ sha256 = "0dn9r0cyxi1sji2pnybsrc4hhaaq7hmf235nlgkrxqlsdb7y6n6n";
};
meta = {
homepage = http://krebsco.de/;
diff --git a/krebs/5pkgs/apt-cacher-ng/default.nix b/krebs/5pkgs/apt-cacher-ng/default.nix
new file mode 100644
index 000000000..f253cdba0
--- /dev/null
+++ b/krebs/5pkgs/apt-cacher-ng/default.nix
@@ -0,0 +1,21 @@
+{ stdenv, fetchurl, cmake, doxygen, zlib, openssl, bzip2, pkgconfig, libpthreadstubs }:
+
+stdenv.mkDerivation rec {
+ name = "apt-cacher-ng-${version}";
+ version = "0.8.6";
+
+ src = fetchurl {
+ url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz";
+ sha256 = "0044dfks8djl11fs28jj8894i4rq424xix3d3fkvzz2i6lnp8nr5";
+ };
+
+ NIX_LDFLAGS = "-lpthread";
+ buildInputs = [ doxygen cmake zlib openssl bzip2 pkgconfig libpthreadstubs ];
+
+ meta = {
+ description = "A caching proxy specialized for linux distribution files";
+ homepage = http://www.unix-ag.uni-kl.de/~bloch/acng/;
+ license = stdenv.lib.licenses.gpl2;
+ maintainers = [ stdenv.lib.maintainers.makefu ];
+ };
+}
diff --git a/krebs/5pkgs/cac/default.nix b/krebs/5pkgs/cac/default.nix
index e29f091e4..40dd56412 100644
--- a/krebs/5pkgs/cac/default.nix
+++ b/krebs/5pkgs/cac/default.nix
@@ -4,9 +4,9 @@ stdenv.mkDerivation {
name = "cac-1.0.0";
src = fetchgit {
- url = http://cgit.cd.retiolum/cac;
- rev = "14de1d3c78385e3f8b6d694f5d799eb1b613159e";
- sha256 = "9b2a3d47345d6f8f27d9764c4f2f2acff17d3dde145dd0e674e4183e9312fec3";
+ url = http://cgit.gum/cac;
+ rev = "fe3b2ecb0aaf7d863842b896e18cd2b829f2297b";
+ sha256 = "05bnd7wyjhqy8srmpnc8d234rv3jxdjgb4z0hlfb9kg7mb12w1ya";
};
phases = [
diff --git a/krebs/5pkgs/cacpanel/default.nix b/krebs/5pkgs/cacpanel/default.nix
new file mode 100644
index 000000000..3e3e2e1fc
--- /dev/null
+++ b/krebs/5pkgs/cacpanel/default.nix
@@ -0,0 +1,18 @@
+{pkgs, python3Packages, ...}:
+
+python3Packages.buildPythonPackage rec {
+ name = "cacpanel-${version}";
+ version = "0.2.1";
+
+ src = pkgs.fetchurl {
+ url = "https://pypi.python.org/packages/source/c/cacpanel/cacpanel-${version}.tar.gz";
+ sha256 = "1zaazg5r10kgva32zh4fhpw6l6h51ijkwpa322na0kh4x6f6aqj3";
+ };
+
+ propagatedBuildInputs = with python3Packages; [
+ docopt
+ requests2
+ beautifulsoup4
+ ];
+}
+
diff --git a/krebs/5pkgs/drivedroid-gen-repo/default.nix b/krebs/5pkgs/drivedroid-gen-repo/default.nix
new file mode 100644
index 000000000..de8046c4a
--- /dev/null
+++ b/krebs/5pkgs/drivedroid-gen-repo/default.nix
@@ -0,0 +1,22 @@
+{stdenv,fetchurl,pkgs,python3Packages, ... }:
+
+python3Packages.buildPythonPackage rec {
+ name = "drivedroid-gen-repo-${version}";
+ version = "0.4.4";
+
+ propagatedBuildInputs = with pkgs;[
+ python3Packages.docopt
+ ];
+
+ src = fetchurl {
+ url = "https://pypi.python.org/packages/source/d/drivedroid-gen-repo/drivedroid-gen-repo-${version}.tar.gz";
+ sha256 = "09p58hzp61r5fp025lak9z52y0aakmaqpi59p9w5xq42dvy2hnvl";
+ };
+
+ meta = {
+ homepage = http://krebsco.de/;
+ description = "Generate Drivedroid repos";
+ license = stdenv.lib.licenses.wtfpl;
+ };
+}
+
diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix
new file mode 100644
index 000000000..720d4004f
--- /dev/null
+++ b/krebs/5pkgs/fortclientsslvpn/default.nix
@@ -0,0 +1,87 @@
+{ stdenv, lib, fetchurl, gtk, glib, libSM, gdk_pixbuf, libX11, libXinerama, iproute,
+ makeWrapper, libredirect, ppp, coreutils, gawk, pango }:
+stdenv.mkDerivation rec {
+ name = "forticlientsslvpn";
+ # forticlient will be copied into /tmp before execution. this is necessary as
+ # the software demands $base to be writeable
+
+ src = fetchurl {
+ # archive.org mirror:
+ # https://archive.org/download/ForticlientsslvpnLinux4.4.23171.tar/forticlientsslvpn_linux_4.4.2317.tar.gz
+ url = http://www.zen.co.uk/userfiles/knowledgebase/FortigateSSLVPNClient/forticlientsslvpn_linux_4.4.2317.tar.gz;
+ sha256 = "19clnf9rgrnwazlpah8zz5kvz6kc8lxawrgmksx25k5ywflmbcrr";
+ };
+ phases = [ "unpackPhase" "buildPhase" "installPhase" "fixupPhase" ];
+
+ buildInputs = [ makeWrapper ];
+
+ binPath = lib.makeSearchPath "bin" [
+ coreutils
+ gawk
+ ];
+
+
+ libPath = lib.makeLibraryPath [
+ stdenv.cc.cc
+ ];
+
+ guiLibPath = lib.makeLibraryPath [
+ gtk
+ glib
+ libSM
+ gdk_pixbuf
+ libX11
+ libXinerama
+ pango
+ ];
+
+ buildPhase = ''
+ # TODO: 32bit, use the 32bit folder
+ patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+ --set-rpath "$libPath" \
+ 64bit/forticlientsslvpn_cli
+
+ patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+ --set-rpath "$libPath:$guiLibPath" \
+ 64bit/forticlientsslvpn
+
+ patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+ --set-rpath "$libPath" \
+ 64bit/helper/subproc
+
+ sed -i 's#\(export PATH=\).*#\1"${binPath}"#' 64bit/helper/waitppp.sh
+ '';
+
+ installPhase = ''
+ mkdir -p "$out/opt/fortinet"
+
+ cp -r 64bit/. "$out/opt/fortinet"
+ wrapProgram $out/opt/fortinet/forticlientsslvpn \
+ --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
+ --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp
+
+ mkdir -p "$out/bin/"
+
+ cat > $out/bin/forticlientsslvpn <<EOF
+ #!/bin/sh
+ # prepare suid bit in tmp
+ # TODO maybe tmp does not support suid
+ set -euf
+ tmpforti=\$(${coreutils}/bin/mktemp -d)
+ trap "rm -rf \$tmpforti;" INT TERM EXIT
+ cp -r $out/opt/fortinet/. \$tmpforti
+ chmod +s \$tmpforti/helper/subproc
+ cd \$tmpforti
+ "./forticlientsslvpn" "\$@"
+ EOF
+
+ chmod +x $out/bin/forticlientsslvpn
+ chmod -x $out/opt/fortinet/helper/showlicense
+ '';
+ meta = {
+ homepage = http://www.fortinet.com;
+ description = "Forticlient SSL-VPN client";
+ license = lib.lice