Merge remote-tracking branch 'lass/master'

author: makefu <github@syntax-fehler.de> 2017-10-07 11:08:13 +0200
committer: makefu <github@syntax-fehler.de> 2017-10-07 11:08:13 +0200
commit: 8290c6507e500c1899f4a7d1184ef5b24c8132cb (patch)
tree: 91d64e1cc20647acce06f7f28da46b58e5dd2571 /lass/2configs
parent: 52f9105027a7c2d70145d7d2db69452e148b2158 (diff)
parent: a8db051451d2827d7c7ad38f005284013e63c039 (diff)
13 files changed, 63 insertions, 39 deletions
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
index b2d40d4f..43647892 100644
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@@ -31,7 +31,6 @@ in {
     } //
     genAttrs ext-doms (ext-dom: {
       nginx = {
-        enableSSL = true;
         forceSSL = true;
         enableACME = true;
       };
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
index b255254f..fa01a99c 100644
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@@ -25,12 +25,15 @@ in {
     environment = {
       DISPLAY = ":0";
     };
+    path = with pkgs; [
+      qt5.full
+    ];
     serviceConfig = {
       SyslogIdentifier = "copyq";
       ExecStart = "${pkgs.copyq}/bin/copyq";
       ExecStartPost = copyqConfig;
       Restart = "always";
-      RestartSec = "2s";
+      RestartSec = "15s";
       StartLimitBurst = 0;
       User = "lass";
     };
diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix
new file mode 100644
index 00000000..0a5623bf
--- /dev/null
+++ b/lass/2configs/dcso-vpn.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ ... }:
+
+{
+
+  users.extraUsers = {
+    dcsovpn = rec {
+      name = "dcsovpn";
+      uid = genid "dcsovpn";
+      description = "user for running dcso openvpn";
+      home = "/home/${name}";
+    };
+  };
+
+  users.extraGroups.dcsovpn.gid = genid "dcsovpn";
+
+  services.openvpn.servers = {
+    dcso = {
+      config = ''
+        client
+        dev tun
+        tun-mtu 1356
+        mssfix
+        proto udp
+        float
+        remote 217.111.55.41 1194
+        nobind
+        user dcsovpn
+        group dcsovpn
+        persist-key
+        persist-tun
+        ca ${toString <secrets/dcsovpn/ca.pem>}
+        cert ${toString <secrets/dcsovpn/cert.pem>}
+        key ${toString <secrets/dcsovpn/cert.key>}
+        verb 3
+        mute 20
+        auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
+        route-method exe
+        route-delay 2
+      '';
+      updateResolvConf = true;
+    };
+  };
+}
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index 00f318e5..ad015180 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,6 +3,6 @@
 with import <stockholm/lib>;
 {
   nix.gc = {
-    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
   };
 }
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 5bd2f2f7..1c253a6c 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -3,7 +3,8 @@
 {
   krebs.per-user.lass.packages = with pkgs; [
     pass
-    gnupg1
+    gnupg
   ];
 
+  programs.gnupg.agent.enable = true;
 }
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 17c39a5f..6e185a4d 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -73,17 +73,6 @@ in {
       allowKeysForGroup = true;
       group = "lasscert";
     };
-    certs."cgit.lassul.us" = {
-      email = "lassulus@gmail.com";
-      webroot = "/var/lib/acme/acme-challenges";
-      plugins = [
-        "account_key.json"
-        "key.pem"
-        "fullchain.pem"
-      ];
-      group = "nginx";
-      allowKeysForGroup = true;
-    };
   };
 
   krebs.tinc_graphs.enable = true;
@@ -119,8 +108,8 @@ in {
   ];
 
   services.nginx.virtualHosts."lassul.us" = {
+    addSSL = true;
     enableACME = true;
-    serverAliases = [ "lassul.us" ];
     locations."/".extraConfig = ''
       root /srv/http/lassul.us;
     '';
@@ -158,30 +147,12 @@ in {
     in ''
       alias ${initscript};
     '';
-
-    enableSSL = true;
-    extraConfig = ''
-      listen 80;
-      listen [::]:80;
-    '';
-    sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
-    sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
   };
 
   services.nginx.virtualHosts.cgit = {
-    serverAliases = [
-      "cgit.lassul.us"
-    ];
-    locations."/.well-known/acme-challenge".extraConfig = ''
-      root /var/lib/acme/acme-challenges;
-    '';
-    enableSSL = true;
-    extraConfig = ''
-      listen 80;
-      listen [::]:80;
-    '';
-    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
-    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+    serverName = "cgit.lassul.us";
+    addSSL = true;
+    enableACME = true;
   };
 
   users.users.blog = {
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 7cb4b320..2fffa6cc 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -3,12 +3,13 @@
 {
   krebs.secret.files.mysql_rootPassword = {
     path = "${config.services.mysql.dataDir}/mysql_rootPassword";
-    owner.name = "root";
+    owner.name = "mysql";
     source-path = toString <secrets> + "/mysql_rootPassword";
   };
 
   services.mysql = {
     enable = true;
+    dataDir = "/var/mysql";
     package = pkgs.mariadb;
     rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
   };
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
index 4b644561..d5496ac0 100644
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@@ -21,6 +21,11 @@ in {
     ];
   };
 
+  # mosh
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+  ];
+
   #systemd.services.chat = {
   #  description = "chat environment setup";
   #  after = [ "network.target" ];
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index 2444d32d..0d2b731c 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,7 @@ let
 
 in {
   krebs.per-user.wine.packages = with pkgs; [
-    wineFull
+    wine
     #(wineFull.override { wineBuild = "wine64"; })
   ];
   users.users= {
author	makefu <github@syntax-fehler.de>	2017-10-07 11:08:13 +0200
committer	makefu <github@syntax-fehler.de>	2017-10-07 11:08:13 +0200
commit	8290c6507e500c1899f4a7d1184ef5b24c8132cb (patch)
tree	91d64e1cc20647acce06f7f28da46b58e5dd2571 /lass/2configs
parent	52f9105027a7c2d70145d7d2db69452e148b2158 (diff)
parent	a8db051451d2827d7c7ad38f005284013e63c039 (diff)