summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2019-04-12 19:28:17 +0200
committermakefu <github@syntax-fehler.de>2019-04-12 19:28:17 +0200
commit8bea69348ae0f286b395e9087db7d70e6f1a375a (patch)
tree956a2dfb39f0ca1bb00ba40bd21e18037f1093fb /lass/2configs
parent179e95d0bfc985940d4970d6c1365c2c8e000d0d (diff)
parent72cd01d104bb61b5a5e28c2c10e0bd2bd55ce681 (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/backup.nix8
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/blue.nix4
-rw-r--r--lass/2configs/default.nix8
-rw-r--r--lass/2configs/exim-smarthost.nix3
-rw-r--r--lass/2configs/mail.nix6
-rw-r--r--lass/2configs/monitoring/node-exporter.nix15
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix217
-rw-r--r--lass/2configs/prism-share.nix39
-rw-r--r--lass/2configs/reaktor-coders.nix4
-rw-r--r--lass/2configs/syncthing.nix18
-rw-r--r--lass/2configs/tests/dummy-secrets/syncthing.cert0
-rw-r--r--lass/2configs/tests/dummy-secrets/syncthing.key0
-rw-r--r--lass/2configs/virtualbox.nix1
-rw-r--r--lass/2configs/websites/domsen.nix8
-rw-r--r--lass/2configs/wine.nix2
-rw-r--r--lass/2configs/zsh.nix4
17 files changed, 82 insertions, 256 deletions
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
index d23cf9a43..94272fdb0 100644
--- a/lass/2configs/backup.nix
+++ b/lass/2configs/backup.nix
@@ -2,19 +2,11 @@
with import <stockholm/lib>;
{
- fileSystems = {
- "/backups" = {
- device = "/dev/pool/backup";
- fsType = "ext4";
- };
- };
users.users.backup = {
useDefaultShell = true;
home = "/backups";
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
- mors.ssh.pubkey
- prism.ssh.pubkey
blue.ssh.pubkey
];
};
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 1d2d1173d..26d6622ae 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -79,6 +79,7 @@ in {
taskwarrior
termite
xclip
+ xephyrify
xorg.xbacklight
xorg.xhost
xsel
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index cdd77e847..aad8411b1 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -23,8 +23,8 @@ with (import <stockholm/lib>);
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
- { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";}
+ { predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";}
+ { predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";}
];
systemd.services.chat = let
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 2547e8bac..972b4760a 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -4,10 +4,10 @@ with import <stockholm/lib>;
imports = [
<stockholm/krebs/2configs/nscd-fix.nix>
./binary-cache/client.nix
+ ./backup.nix
./gc.nix
./mc.nix
./vim.nix
- ./monitoring/node-exporter.nix
./zsh.nix
./htop.nix
./security-workarounds.nix
@@ -42,8 +42,6 @@ with import <stockholm/lib>;
openssh.authorizedKeys.keys = [
config.krebs.users.lass-mors.pubkey
config.krebs.users.lass-blue.pubkey
- config.krebs.users.lass-shodan.pubkey
- config.krebs.users.lass-icarus.pubkey
];
};
};
@@ -211,6 +209,7 @@ with import <stockholm/lib>;
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
];
};
};
@@ -218,4 +217,7 @@ with import <stockholm/lib>;
networking.dhcpcd.extraConfig = ''
noipv4ll
'';
+ services.netdata = {
+ enable = true;
+ };
}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 555295422..aec59261c 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -97,6 +97,9 @@ with import <stockholm/lib>;
{ from = "csv-direct@lassul.us"; to = lass.mail; }
{ from = "nintendo@lassul.us"; to = lass.mail; }
{ from = "overleaf@lassul.us"; to = lass.mail; }
+ { from = "box@lassul.us"; to = lass.mail; }
+ { from = "paloalto@lassul.us"; to = lass.mail; }
+ { from = "subtitles@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 52d380b7c..0803846aa 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -60,7 +60,10 @@ let
paypal = [ "to:paypal@lassul.us" ];
ptl = [ "to:ptl@posttenebraslab.ch" ];
retiolum = [ "to:lass@mors.r" ];
- security = [ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" ];
+ security = [
+ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us"
+ "to:security-announce@lists.apple.com"
+ ];
shack = [ "to:shackspace.de" ];
steam = [ "to:steam@lassul.us" ];
tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ];
@@ -225,6 +228,7 @@ in {
msmtp
mutt
pkgs.notmuch
+ pkgs.muchsync
pkgs.haskellPackages.much
tag-new-mails
tag-old-mails
diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix
deleted file mode 100644
index 561e3a25c..000000000
--- a/lass/2configs/monitoring/node-exporter.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
- { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
- ];
- services.prometheus.exporters = {
- node = {
- enable = true;
- enabledCollectors = [
- "systemd"
- ];
- };
- };
-}
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
deleted file mode 100644
index b7083c776..000000000
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ /dev/null
@@ -1,217 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- #networking = {
- # firewall.allowedTCPPorts = [
- # 3000 # grafana
- # 9090 # prometheus
- # 9093 # alertmanager
- # ];
- # useDHCP = true;
- #};
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
- ];
-
- services = {
- prometheus = {
- enable = true;
- extraFlags = [
- "-storage.local.retention 8760h"
- "-storage.local.series-file-shrink-ratio 0.3"
- "-storage.local.memory-chunks 2097152"
- "-storage.local.max-chunks-to-persist 1048576"
- "-storage.local.index-cache-size.fingerprint-to-metric 2097152"
- "-storage.local.index-cache-size.fingerprint-to-timerange 1048576"
- "-storage.local.index-cache-size.label-name-to-label-values 2097152"
- "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040"
- ];
- alertmanagerURL = [ "http://localhost:9093" ];
- rules = [
- ''
- ALERT node_down
- IF up == 0
- FOR 5m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: Node is down.",
- description = "{{$labels.alias}} has been down for more than 5 minutes."
- }
- ALERT node_systemd_service_failed
- IF node_systemd_unit_state{state="failed"} == 1
- FOR 4m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
- description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
- }
- ALERT node_filesystem_full_90percent
- IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
- FOR 5m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
- description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
- }
- ALERT node_filesystem_full_in_4h
- IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
- FOR 5m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
- description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
- }
- ALERT node_filedescriptors_full_in_3h
- IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
- FOR 20m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.",
- description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours"
- }
- ALERT node_load1_90percent
- IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9
- FOR 1h
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: Running on high load.",
- description = "{{$labels.alias}} is running with > 90% total load for at least 1h."
- }
- ALERT node_cpu_util_90percent
- IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90
- FOR 1h
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary = "{{$labels.alias}}: High CPU utilization.",
- description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h."
- }
- ALERT node_ram_using_90percent
- IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1
- FOR 30m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary="{{$labels.alias}}: Using lots of RAM.",
- description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.",
- }
- ALERT node_swap_using_80percent
- IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8
- FOR 10m
- LABELS {
- severity="page"
- }
- ANNOTATIONS {
- summary="{{$labels.alias}}: Running out of swap soon.",
- description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now."
- }
- ''
- ];
- scrapeConfigs = [
- {
- job_name = "node";
- scrape_interval = "10s";
- static_configs = [
- {
- targets = [
- ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts));
- #labels = {
- # alias = "prometheus.example.com";
- #};
- }
- ];
- }
- ];
- alertmanager = {
- enable = true;
- listenAddress = "0.0.0.0";
- configuration = {
- "global" = {
- "smtp_smarthost" = "smtp.example.com:587";
- "smtp_from" = "alertmanager@example.com";
- };
- "route" = {
- "group_by" = [ "alertname" "alias" ];
- "group_wait" = "30s";
- "group_interval" = "2m";
- "repeat_interval" = "4h";
- "receiver" = "team-admins";
- };
- "receivers" = [
- {
- "name" = "team-admins";
- "email_configs" = [
- {
- "to" = "devnull@example.com";
- }
- ];
- "webhook_configs" = [
- {
- "url" = "http://127.0.0.1:14813/prometheus-alerts";
- "send_resolved" = true;
- }
- ];
- }
- ];
- };
- };
- };
- grafana = {
- enable = true;
- addr = "0.0.0.0";
- domain = "grafana.example.com";
- rootUrl = "https://grafana.example.com/";
- auth.anonymous.enable = true;
- auth.anonymous.org_role = "Admin";
- };
- };
- services.logstash = {
- enable = true;
- inputConfig = ''
- http {
- port => 14813
- host => "127.0.0.1"
- }
- '';
- filterConfig = ''
- if ([alerts]) {
- ruby {
- code => '
- lines = []
- event["alerts"].each {|p|
- lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}"
- }
- event["output"] = lines.join("\n")
- '
- }
- }
- '';
- outputConfig = ''
- file { path => "/tmp/logs.json" codec => "json_lines" }
- irc {
- channels => [ "#noise" ]
- host => "irc.r"
- nick => "alarm"
- codec => "json_lines"
- format => "%{output}"
- }
- '';
- #plugins = [ ];
- };
-}
diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix
new file mode 100644
index 000000000..70e616ec6
--- /dev/null
+++ b/lass/2configs/prism-share.nix
@@ -0,0 +1,39 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+
+{
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 139"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 445"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 137"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 138"; target = "ACCEPT"; }
+ ];
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/home/share";
+ createHome = true;
+ };
+ services.samba = {
+ enable = true;
+ enableNmbd = true;
+ shares = {
+ incoming = {
+ path = "/mnt/prism";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix
index 4baec1976..7fd6a2a29 100644
--- a/lass/2configs/reaktor-coders.nix
+++ b/lass/2configs/reaktor-coders.nix
@@ -29,7 +29,7 @@ in {
hooks.url-title
{
activate = "match";
- pattern = ''@([^ ]+) (.*)$'';
+ pattern = ''^@([^ ]+) (.*)$'';
command = 1;
arguments = [2];
env.HOME = config.krebs.reaktor2.coders.stateDir;
@@ -66,7 +66,7 @@ in {
}
{
activate = "match";
- pattern = ''!([^ ]+)(?:\s*(.*))?'';
+ pattern = ''^!([^ ]+)(?:\s*(.*))?'';
command = 1;
arguments = [2];
commands = {
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index 17debf822..842abc195 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -3,9 +3,27 @@ with import <stockholm/lib>;
{
services.syncthing = {
enable = true;
+ group = "syncthing";
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
{ predicate = "-p udp --dport 21027"; target = "ACCEPT";}
];
+ krebs.syncthing = {
+ enable = true;
+ cert = toString <secrets/syncthing.cert>;
+ key = toString <secrets/syncthing.key>;
+ peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
+ folders = [
+ { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
+ ];
+ };
+
+ system.activationScripts.syncthing-home = ''
+ ${pkgs.coreutils}/bin/chmod a+x /home/lass
+ '';
+
+ lass.ensure-permissions = [
+ { folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; }
+ ];
}
diff --git a/lass/2configs/tests/dummy-secrets/syncthing.cert b/lass/2configs/tests/dummy-secrets/syncthing.cert
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/syncthing.cert
diff --git a/lass/2configs/tests/dummy-secrets/syncthing.key b/lass/2configs/tests/dummy-secrets/syncthing.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/syncthing.key
diff --git a/lass/2configs/virtualbox.nix b/lass/2configs/virtualbox.nix
index cfb835d78..cd270bdf8 100644
--- a/lass/2configs/virtualbox.nix
+++ b/lass/2configs/virtualbox.nix
@@ -6,7 +6,6 @@ let
in {
#services.virtualboxHost.enable = true;
virtualisation.virtualbox.host.enable = true;
- nixpkgs.config.virtualbox.enableExtensionPack = true;
virtualisation.virtualbox.host.enableHardening = false;
users.extraUsers = {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 7fb248139..5bd5a7cac 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -94,7 +94,7 @@ in {
config = {
adminpassFile = toString <secrets> + "/nextcloud_pw";
};
- #https = true;
+ https = true;
nginx.enable = true;
};
services.nginx.virtualHosts."o.xanf.org" = {
@@ -234,11 +234,13 @@ in {
createHome = true;
};
+ krebs.on-failure.plans.restic-backups-domsen = {};
services.restic.backups.domsen = {
initialize = true;
- extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
- repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
+ extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
+ repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
passwordFile = toString <secrets> + "/domsen_backup_pw";
+ timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
paths = [
"/srv/http"
"/home/domsen/Mail"
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index 71a5cdda9..02d7ffc8c 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -6,8 +6,6 @@ let
in {
users.users= {
wine = {
- name = "wine";
- description = "user for running wine";
home = "/home/wine";
useDefaultShell = true;
extraGroups = [
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 76cac9f56..53106b03b 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -28,8 +28,8 @@
}
zle -N down-line-or-local-history
- setopt share_history
- setopt hist_ignore_dups
+ setopt SHARE_HISTORY
+ setopt HIST_IGNORE_ALL_DUPS
# setopt inc_append_history
bindkey '^R' history-incremental-search-backward