summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2018-05-31 10:39:49 +0200
committermakefu <github@syntax-fehler.de>2018-05-31 10:39:49 +0200
commit10deb114affc296224df59a5e4a3161101548613 (patch)
treecdb0aec231ee0d5354003e6d0d2d4df38db22f82 /lass/2configs
parent319bb6fa89e24d0da9eca1b9d69c685b95f329f0 (diff)
parent4277c251906100bc103808af7a674fe2fbb3851b (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/AP.nix22
-rw-r--r--lass/2configs/IM.nix73
-rw-r--r--lass/2configs/backup.nix1
-rw-r--r--lass/2configs/baseX.nix11
-rw-r--r--lass/2configs/bitlbee.nix15
-rw-r--r--lass/2configs/blue-host.nix22
-rw-r--r--lass/2configs/blue.nix55
-rw-r--r--lass/2configs/container-networking.nix15
-rw-r--r--lass/2configs/default.nix6
-rw-r--r--lass/2configs/exim-smarthost.nix5
-rw-r--r--lass/2configs/games.nix1
-rw-r--r--lass/2configs/git.nix12
-rw-r--r--lass/2configs/libvirt.nix3
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix1
-rw-r--r--lass/2configs/steam.nix2
-rw-r--r--lass/2configs/websites/domsen.nix15
-rw-r--r--lass/2configs/websites/util.nix16
17 files changed, 148 insertions, 127 deletions
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
index 5ce7cfff8..dfffbfdf9 100644
--- a/lass/2configs/AP.nix
+++ b/lass/2configs/AP.nix
@@ -6,7 +6,7 @@ in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
- networking.networkmanager.unmanaged = [ wifi ];
+ networking.networkmanager.unmanaged = [ wifi "et0" ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
@@ -38,12 +38,17 @@ in {
};
};
- networking.interfaces.${wifi}.ipv4.addresses = [
+ networking.bridges.br0.interfaces = [
+ wifi
+ "et0"
+ ];
+
+ networking.interfaces.br0.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
- interfaces = [ wifi ];
+ interfaces = [ "br0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
@@ -56,11 +61,12 @@ in {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
- { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
deleted file mode 100644
index 7d3dfd428..000000000
--- a/lass/2configs/IM.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-with (import <stockholm/lib>);
-{ config, lib, pkgs, ... }:
-
-let
- tmux = pkgs.writeDash "tmux" ''
- exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
- set-option -g prefix `
- unbind-key C-b
- bind ` send-prefix
-
- set-option -g status off
- set-option -g default-terminal screen-256color
-
- #use session instead of windows
- bind-key c new-session
- bind-key p switch-client -p
- bind-key n switch-client -n
- bind-key C-s switch-client -l
- ''} "$@"
- '';
-in {
-
- services.bitlbee = {
- enable = true;
- portNumber = 6666;
- plugins = [
- pkgs.bitlbee-facebook
- pkgs.bitlbee-steam
- pkgs.bitlbee-discord
- ];
- libpurple_plugins = [ pkgs.telegram-purple ];
- };
-
- users.extraUsers.chat = {
- home = "/home/chat";
- uid = genid "chat";
- useDefaultShell = true;
- createHome = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-shodan.pubkey
- lass-icarus.pubkey
- lass-android.pubkey
- lass-helios.pubkey
- ];
- };
-
- # mosh
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-p tcp --dport 9999"; target = "ACCEPT";}
- ];
-
- systemd.services.chat = {
- description = "chat environment setup";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- restartIfChanged = false;
-
- path = [
- pkgs.rxvt_unicode.terminfo
- ];
-
- serviceConfig = {
- User = "chat";
- RemainAfterExit = true;
- Type = "oneshot";
- ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
- ExecStop = "${tmux} kill-session -t IM";
- };
- };
-}
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
index 27adf6d2a..d23cf9a43 100644
--- a/lass/2configs/backup.nix
+++ b/lass/2configs/backup.nix
@@ -15,6 +15,7 @@ with import <stockholm/lib>;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
+ blue.ssh.pubkey
];
};
}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e2e44b6fc..a387f2c5d 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -69,11 +69,13 @@ in {
environment.systemPackages = with pkgs; [
acpi
bank
+ cabal2nix
dic
dmenu
gi
- git-preview
gitAndTools.qgit
+ git-preview
+ gnome3.dconf
lm_sensors
mpv-poll
much
@@ -86,19 +88,18 @@ in {
rxvt_unicode_with-plugins
slock
sxiv
- timewarrior
taskwarrior
termite
+ thesauron
+ timewarrior
xclip
+ xephyrify
xorg.xbacklight
xorg.xhost
xsel
youtube-tools
yt-next
zathura
-
- cabal2nix
- xephyrify
];
fonts.fonts = with pkgs; [
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
new file mode 100644
index 000000000..1220fa0cd
--- /dev/null
+++ b/lass/2configs/bitlbee.nix
@@ -0,0 +1,15 @@
+with (import <stockholm/lib>);
+{ config, lib, pkgs, ... }:
+
+{
+ services.bitlbee = {
+ enable = true;
+ portNumber = 6666;
+ plugins = [
+ pkgs.bitlbee-facebook
+ pkgs.bitlbee-steam
+ pkgs.bitlbee-discord
+ ];
+ libpurple_plugins = [ pkgs.telegram-purple ];
+ };
+}
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
new file mode 100644
index 000000000..657234bc1
--- /dev/null
+++ b/lass/2configs/blue-host.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ ];
+ containers.blue = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = true;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.9";
+ localAddress = "10.233.2.10";
+ };
+}
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
new file mode 100644
index 000000000..c0417b865
--- /dev/null
+++ b/lass/2configs/blue.nix
@@ -0,0 +1,55 @@
+with (import <stockholm/lib>);
+{ config, lib, pkgs, ... }:
+
+{
+
+ imports = [
+ ./bitlbee.nix
+ ./mail.nix
+ ./pass.nix
+ ];
+
+ services.tor.enable = true;
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
+ { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
+ ];
+
+ systemd.services.chat = let
+ tmux = pkgs.writeDash "tmux" ''
+ exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
+ set-option -g prefix `
+ unbind-key C-b
+ bind ` send-prefix
+
+ set-option -g status off
+ set-option -g default-terminal screen-256color
+
+ #use session instead of windows
+ bind-key c new-session
+ bind-key p switch-client -p
+ bind-key n switch-client -n
+ bind-key C-s switch-client -l
+ ''} "$@"
+ '';
+ in {
+ description = "chat environment setup";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ restartIfChanged = false;
+
+ path = [
+ pkgs.rxvt_unicode.terminfo
+ ];
+
+ serviceConfig = {
+ User = "lass";
+ RemainAfterExit = true;
+ Type = "oneshot";
+ ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
+ ExecStop = "${tmux} kill-session -t IM";
+ };
+ };
+}
diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix
index 3dae3420d..f04e4342d 100644
--- a/lass/2configs/container-networking.nix
+++ b/lass/2configs/container-networking.nix
@@ -1,12 +1,6 @@
-{ ... }:
+{ lib, ... }:
{
- #krebs.iptables.tables.filter.INPUT.rules = [
- # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
- #];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; }
@@ -14,9 +8,9 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
- #krebs.iptables.tables.filter.OUTPUT.rules = [
- # { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; }
- #];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; }
@@ -24,4 +18,5 @@
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 12a814605..ed97b4897 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -19,7 +19,8 @@ with import <stockholm/lib>;
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-shodan.pubkey
config.krebs.users.lass-icarus.pubkey
config.krebs.users.lass-xerxes.pubkey
@@ -38,7 +39,8 @@ with import <stockholm/lib>;
"wheel"
];
openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-shodan.pubkey
config.krebs.users.lass-icarus.pubkey
];
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index e05ed2427..371f20885 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
];
relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
config.krebs.hosts.mors
- config.krebs.hosts.uriel
+ config.krebs.hosts.blue
];
internet-aliases = with config.krebs.users; [
{ from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
@@ -80,6 +80,9 @@ with import <stockholm/lib>;
{ from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; }
{ from = "immoscout@lassul.us"; to = lass.mail; }
+ { from = "elitedangerous@lassul.us"; to = lass.mail; }
+ { from = "boardgamegeek@lassul.us"; to = lass.mail; }
+ { from = "qwertee@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 3ee3a98a5..81f53bf69 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -80,6 +80,7 @@ in {
};
};
+ hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true;
security.sudo.extraConfig = ''
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 43085ba5e..e41ff606f 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -57,17 +57,17 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software";
};
+ krops = {
+ cgit.desc = "krebs deployment";
+ cgit.section = "software";
+ };
+ } // mapAttrs make-public-repo-silent {
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
} ];
};
- krops = {
- cgit.desc = "krebs deployment";
- cgit.section = "software";
- };
- } // mapAttrs make-public-repo-silent {
};
restricted-repos = mapAttrs make-restricted-repo (
@@ -121,7 +121,7 @@ let
with git // config.krebs.users;
repo:
singleton {
- user = [ lass lass-shodan ];
+ user = [ lass-mors lass-shodan lass-icarus lass-blue ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index a71638323..78d5ae0e9 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -20,6 +20,9 @@
krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index e16d421a0..aef671636 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -159,7 +159,6 @@
"email_configs" = [
{
"to" = "devnull@example.com";
- "send_resolved" = true;
}
];
"webhook_configs" = [
diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix
index 225ddd308..e1b523e3a 100644
--- a/lass/2configs/steam.nix
+++ b/lass/2configs/steam.nix
@@ -10,8 +10,6 @@
# source: https://nixos.org/wiki/Talk:Steam
#
##TODO: make steam module
- hardware.opengl.driSupport32Bit = true;
-
nixpkgs.config.steam.java = true;
environment.systemPackages = with pkgs; [
steam
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 7a72499c9..4e8361a17 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -26,12 +26,7 @@ in {
./default.nix
./sqlBackup.nix
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
- (servePage [
- "habsys.de"
- "habsys.eu"
- "www.habsys.de"
- "www.habsys.eu"
- ])
+ (servePage [ "freemonkey.art" ])
(serveOwncloud [ "o.ubikmedia.de" ])
(serveWordpress [
"ubikmedia.de"
@@ -120,6 +115,7 @@ in {
{ from = "jms@ubikmedia.eu"; to = "jms"; }
{ from = "ms@ubikmedia.eu"; to = "ms"; }
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
+ { from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@@ -177,5 +173,12 @@ in {
createHome = true;
};
+ users.users.akayguen = {
+ uid = genid_signed "akayguen";
+ home = "/home/akayguen";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
}
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 61b5543ce..816449c14 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -16,11 +16,7 @@ rec {
in {
services.nginx.virtualHosts.${domain} = {
enableACME = true;
- onlySSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
+ addSSL = true;
serverAliases = domains;
locations."/".extraConfig = ''
root /srv/http/${domain};
@@ -87,12 +83,9 @@ rec {
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
- onlySSL = true;
+ addSSL = true;
serverAliases = domains;
extraConfig = ''
- listen 80;
- listen [::]:80;
-
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -201,12 +194,9 @@ rec {
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
- onlySSL = true;
+ addSSL = true;
serverAliases = domains;
extraConfig = ''
- listen 80;
- listen [::]:80;
-
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;