diff options
author | makefu <github@syntax-fehler.de> | 2019-04-12 19:28:17 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2019-04-12 19:28:17 +0200 |
commit | 8bea69348ae0f286b395e9087db7d70e6f1a375a (patch) | |
tree | 956a2dfb39f0ca1bb00ba40bd21e18037f1093fb /lass/2configs | |
parent | 179e95d0bfc985940d4970d6c1365c2c8e000d0d (diff) | |
parent | 72cd01d104bb61b5a5e28c2c10e0bd2bd55ce681 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/backup.nix | 8 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 1 | ||||
-rw-r--r-- | lass/2configs/blue.nix | 4 | ||||
-rw-r--r-- | lass/2configs/default.nix | 8 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 3 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 6 | ||||
-rw-r--r-- | lass/2configs/monitoring/node-exporter.nix | 15 | ||||
-rw-r--r-- | lass/2configs/monitoring/prometheus-server.nix | 217 | ||||
-rw-r--r-- | lass/2configs/prism-share.nix | 39 | ||||
-rw-r--r-- | lass/2configs/reaktor-coders.nix | 4 | ||||
-rw-r--r-- | lass/2configs/syncthing.nix | 18 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/syncthing.cert | 0 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/syncthing.key | 0 | ||||
-rw-r--r-- | lass/2configs/virtualbox.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 8 | ||||
-rw-r--r-- | lass/2configs/wine.nix | 2 | ||||
-rw-r--r-- | lass/2configs/zsh.nix | 4 |
17 files changed, 82 insertions, 256 deletions
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix index d23cf9a43..94272fdb0 100644 --- a/lass/2configs/backup.nix +++ b/lass/2configs/backup.nix @@ -2,19 +2,11 @@ with import <stockholm/lib>; { - fileSystems = { - "/backups" = { - device = "/dev/pool/backup"; - fsType = "ext4"; - }; - }; users.users.backup = { useDefaultShell = true; home = "/backups"; createHome = true; openssh.authorizedKeys.keys = with config.krebs.hosts; [ - mors.ssh.pubkey - prism.ssh.pubkey blue.ssh.pubkey ]; }; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 1d2d1173d..26d6622ae 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -79,6 +79,7 @@ in { taskwarrior termite xclip + xephyrify xorg.xbacklight xorg.xhost xsel diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index cdd77e847..aad8411b1 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -23,8 +23,8 @@ with (import <stockholm/lib>); krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} - { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";} + { predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";} ]; systemd.services.chat = let diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 2547e8bac..972b4760a 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -4,10 +4,10 @@ with import <stockholm/lib>; imports = [ <stockholm/krebs/2configs/nscd-fix.nix> ./binary-cache/client.nix + ./backup.nix ./gc.nix ./mc.nix ./vim.nix - ./monitoring/node-exporter.nix ./zsh.nix ./htop.nix ./security-workarounds.nix @@ -42,8 +42,6 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey - config.krebs.users.lass-shodan.pubkey - config.krebs.users.lass-icarus.pubkey ]; }; }; @@ -211,6 +209,7 @@ with import <stockholm/lib>; { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } ]; }; }; @@ -218,4 +217,7 @@ with import <stockholm/lib>; networking.dhcpcd.extraConfig = '' noipv4ll ''; + services.netdata = { + enable = true; + }; } diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 555295422..aec59261c 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -97,6 +97,9 @@ with import <stockholm/lib>; { from = "csv-direct@lassul.us"; to = lass.mail; } { from = "nintendo@lassul.us"; to = lass.mail; } { from = "overleaf@lassul.us"; to = lass.mail; } + { from = "box@lassul.us"; to = lass.mail; } + { from = "paloalto@lassul.us"; to = lass.mail; } + { from = "subtitles@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 52d380b7c..0803846aa 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -60,7 +60,10 @@ let paypal = [ "to:paypal@lassul.us" ]; ptl = [ "to:ptl@posttenebraslab.ch" ]; retiolum = [ "to:lass@mors.r" ]; - security = [ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" ]; + security = [ + "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" + "to:security-announce@lists.apple.com" + ]; shack = [ "to:shackspace.de" ]; steam = [ "to:steam@lassul.us" ]; tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ]; @@ -225,6 +228,7 @@ in { msmtp mutt pkgs.notmuch + pkgs.muchsync pkgs.haskellPackages.much tag-new-mails tag-old-mails diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix deleted file mode 100644 index 561e3a25c..000000000 --- a/lass/2configs/monitoring/node-exporter.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; } - { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; } - ]; - services.prometheus.exporters = { - node = { - enable = true; - enabledCollectors = [ - "systemd" - ]; - }; - }; -} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix deleted file mode 100644 index b7083c776..000000000 --- a/lass/2configs/monitoring/prometheus-server.nix +++ /dev/null @@ -1,217 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - #networking = { - # firewall.allowedTCPPorts = [ - # 3000 # grafana - # 9090 # prometheus - # 9093 # alertmanager - # ]; - # useDHCP = true; - #}; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } - ]; - - services = { - prometheus = { - enable = true; - extraFlags = [ - "-storage.local.retention 8760h" - "-storage.local.series-file-shrink-ratio 0.3" - "-storage.local.memory-chunks 2097152" - "-storage.local.max-chunks-to-persist 1048576" - "-storage.local.index-cache-size.fingerprint-to-metric 2097152" - "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" - "-storage.local.index-cache-size.label-name-to-label-values 2097152" - "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" - ]; - alertmanagerURL = [ "http://localhost:9093" ]; - rules = [ - '' - ALERT node_down - IF up == 0 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Node is down.", - description = "{{$labels.alias}} has been down for more than 5 minutes." - } - ALERT node_systemd_service_failed - IF node_systemd_unit_state{state="failed"} == 1 - FOR 4m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", - description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." - } - ALERT node_filesystem_full_90percent - IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Filesystem is running out of space soon.", - description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." - } - ALERT node_filesystem_full_in_4h - IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", - description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" - } - ALERT node_filedescriptors_full_in_3h - IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum - FOR 20m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", - description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" - } - ALERT node_load1_90percent - IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Running on high load.", - description = "{{$labels.alias}} is running with > 90% total load for at least 1h." - } - ALERT node_cpu_util_90percent - IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: High CPU utilization.", - description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." - } - ALERT node_ram_using_90percent - IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 - FOR 30m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Using lots of RAM.", - description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", - } - ALERT node_swap_using_80percent - IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 - FOR 10m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Running out of swap soon.", - description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." - } - '' - ]; - scrapeConfigs = [ - { - job_name = "node"; - scrape_interval = "10s"; - static_configs = [ - { - targets = [ - ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts)); - #labels = { - # alias = "prometheus.example.com"; - #}; - } - ]; - } - ]; - alertmanager = { - enable = true; - listenAddress = "0.0.0.0"; - configuration = { - "global" = { - "smtp_smarthost" = "smtp.example.com:587"; - "smtp_from" = "alertmanager@example.com"; - }; - "route" = { - "group_by" = [ "alertname" "alias" ]; - "group_wait" = "30s"; - "group_interval" = "2m"; - "repeat_interval" = "4h"; - "receiver" = "team-admins"; - }; - "receivers" = [ - { - "name" = "team-admins"; - "email_configs" = [ - { - "to" = "devnull@example.com"; - } - ]; - "webhook_configs" = [ - { - "url" = "http://127.0.0.1:14813/prometheus-alerts"; - "send_resolved" = true; - } - ]; - } - ]; - }; - }; - }; - grafana = { - enable = true; - addr = "0.0.0.0"; - domain = "grafana.example.com"; - rootUrl = "https://grafana.example.com/"; - auth.anonymous.enable = true; - auth.anonymous.org_role = "Admin"; - }; - }; - services.logstash = { - enable = true; - inputConfig = '' - http { - port => 14813 - host => "127.0.0.1" - } - ''; - filterConfig = '' - if ([alerts]) { - ruby { - code => ' - lines = [] - event["alerts"].each {|p| - lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}" - } - event["output"] = lines.join("\n") - ' - } - } - ''; - outputConfig = '' - file { path => "/tmp/logs.json" codec => "json_lines" } - irc { - channels => [ "#noise" ] - host => "irc.r" - nick => "alarm" - codec => "json_lines" - format => "%{output}" - } - ''; - #plugins = [ ]; - }; -} diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix new file mode 100644 index 000000000..70e616ec6 --- /dev/null +++ b/lass/2configs/prism-share.nix @@ -0,0 +1,39 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: + +{ + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 139"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-p udp --dport 137"; target = "ACCEPT"; } + { predicate = "-p udp --dport 138"; target = "ACCEPT"; } + ]; + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/home/share"; + createHome = true; + }; + services.samba = { + enable = true; + enableNmbd = true; + shares = { + incoming = { + path = "/mnt/prism"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 4baec1976..7fd6a2a29 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -29,7 +29,7 @@ in { hooks.url-title { activate = "match"; - pattern = ''@([^ ]+) (.*)$''; + pattern = ''^@([^ ]+) (.*)$''; command = 1; arguments = [2]; env.HOME = config.krebs.reaktor2.coders.stateDir; @@ -66,7 +66,7 @@ in { } { activate = "match"; - pattern = ''!([^ ]+)(?:\s*(.*))?''; + pattern = ''^!([^ ]+)(?:\s*(.*))?''; command = 1; arguments = [2]; commands = { diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index 17debf822..842abc195 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,9 +3,27 @@ with import <stockholm/lib>; { services.syncthing = { enable = true; + group = "syncthing"; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} { predicate = "-p udp --dport 21027"; target = "ACCEPT";} ]; + krebs.syncthing = { + enable = true; + cert = toString <secrets/syncthing.cert>; + key = toString <secrets/syncthing.key>; + peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts); + folders = [ + { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; } + ]; + }; + + system.activationScripts.syncthing-home = '' + ${pkgs.coreutils}/bin/chmod a+x /home/lass + ''; + + lass.ensure-permissions = [ + { folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; } + ]; } diff --git a/lass/2configs/tests/dummy-secrets/syncthing.cert b/lass/2configs/tests/dummy-secrets/syncthing.cert new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/syncthing.cert diff --git a/lass/2configs/tests/dummy-secrets/syncthing.key b/lass/2configs/tests/dummy-secrets/syncthing.key new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/syncthing.key diff --git a/lass/2configs/virtualbox.nix b/lass/2configs/virtualbox.nix index cfb835d78..cd270bdf8 100644 --- a/lass/2configs/virtualbox.nix +++ b/lass/2configs/virtualbox.nix @@ -6,7 +6,6 @@ let in { #services.virtualboxHost.enable = true; virtualisation.virtualbox.host.enable = true; - nixpkgs.config.virtualbox.enableExtensionPack = true; virtualisation.virtualbox.host.enableHardening = false; users.extraUsers = { diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 7fb248139..5bd5a7cac 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -94,7 +94,7 @@ in { config = { adminpassFile = toString <secrets> + "/nextcloud_pw"; }; - #https = true; + https = true; nginx.enable = true; }; services.nginx.virtualHosts."o.xanf.org" = { @@ -234,11 +234,13 @@ in { createHome = true; }; + krebs.on-failure.plans.restic-backups-domsen = {}; services.restic.backups.domsen = { initialize = true; - extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ]; - repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES"; + extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ]; + repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES"; passwordFile = toString <secrets> + "/domsen_backup_pw"; + timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; }; paths = [ "/srv/http" "/home/domsen/Mail" diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix index 71a5cdda9..02d7ffc8c 100644 --- a/lass/2configs/wine.nix +++ b/lass/2configs/wine.nix @@ -6,8 +6,6 @@ let in { users.users= { wine = { - name = "wine"; - description = "user for running wine"; home = "/home/wine"; useDefaultShell = true; extraGroups = [ diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index 76cac9f56..53106b03b 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -28,8 +28,8 @@ } zle -N down-line-or-local-history - setopt share_history - setopt hist_ignore_dups + setopt SHARE_HISTORY + setopt HIST_IGNORE_ALL_DUPS # setopt inc_append_history bindkey '^R' history-incremental-search-backward |