diff options
author | makefu <github@syntax-fehler.de> | 2018-05-31 10:39:49 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2018-05-31 10:39:49 +0200 |
commit | 10deb114affc296224df59a5e4a3161101548613 (patch) | |
tree | cdb0aec231ee0d5354003e6d0d2d4df38db22f82 /lass/2configs | |
parent | 319bb6fa89e24d0da9eca1b9d69c685b95f329f0 (diff) | |
parent | 4277c251906100bc103808af7a674fe2fbb3851b (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/AP.nix | 22 | ||||
-rw-r--r-- | lass/2configs/IM.nix | 73 | ||||
-rw-r--r-- | lass/2configs/backup.nix | 1 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 11 | ||||
-rw-r--r-- | lass/2configs/bitlbee.nix | 15 | ||||
-rw-r--r-- | lass/2configs/blue-host.nix | 22 | ||||
-rw-r--r-- | lass/2configs/blue.nix | 55 | ||||
-rw-r--r-- | lass/2configs/container-networking.nix | 15 | ||||
-rw-r--r-- | lass/2configs/default.nix | 6 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 5 | ||||
-rw-r--r-- | lass/2configs/games.nix | 1 | ||||
-rw-r--r-- | lass/2configs/git.nix | 12 | ||||
-rw-r--r-- | lass/2configs/libvirt.nix | 3 | ||||
-rw-r--r-- | lass/2configs/monitoring/prometheus-server.nix | 1 | ||||
-rw-r--r-- | lass/2configs/steam.nix | 2 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 15 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 16 |
17 files changed, 148 insertions, 127 deletions
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix index 5ce7cfff8..dfffbfdf9 100644 --- a/lass/2configs/AP.nix +++ b/lass/2configs/AP.nix @@ -6,7 +6,7 @@ in { boot.extraModulePackages = [ pkgs.linuxPackages.rtl8814au ]; - networking.networkmanager.unmanaged = [ wifi ]; + networking.networkmanager.unmanaged = [ wifi "et0" ]; systemd.services.hostapd = { description = "hostapd wireless AP"; @@ -38,12 +38,17 @@ in { }; }; - networking.interfaces.${wifi}.ipv4.addresses = [ + networking.bridges.br0.interfaces = [ + wifi + "et0" + ]; + + networking.interfaces.br0.ipv4.addresses = [ { address = "10.99.0.1"; prefixLength = 24; } ]; services.dhcpd4 = { enable = true; - interfaces = [ wifi ]; + interfaces = [ "br0" ]; extraConfig = '' option subnet-mask 255.255.255.0; option routers 10.99.0.1; @@ -56,11 +61,12 @@ in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; } - { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; } - { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } - { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix deleted file mode 100644 index 7d3dfd428..000000000 --- a/lass/2configs/IM.nix +++ /dev/null @@ -1,73 +0,0 @@ -with (import <stockholm/lib>); -{ config, lib, pkgs, ... }: - -let - tmux = pkgs.writeDash "tmux" '' - exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g status off - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" - ''; -in { - - services.bitlbee = { - enable = true; - portNumber = 6666; - plugins = [ - pkgs.bitlbee-facebook - pkgs.bitlbee-steam - pkgs.bitlbee-discord - ]; - libpurple_plugins = [ pkgs.telegram-purple ]; - }; - - users.extraUsers.chat = { - home = "/home/chat"; - uid = genid "chat"; - useDefaultShell = true; - createHome = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-shodan.pubkey - lass-icarus.pubkey - lass-android.pubkey - lass-helios.pubkey - ]; - }; - - # mosh - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-p tcp --dport 9999"; target = "ACCEPT";} - ]; - - systemd.services.chat = { - description = "chat environment setup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = false; - - path = [ - pkgs.rxvt_unicode.terminfo - ]; - - serviceConfig = { - User = "chat"; - RemainAfterExit = true; - Type = "oneshot"; - ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; - ExecStop = "${tmux} kill-session -t IM"; - }; - }; -} diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix index 27adf6d2a..d23cf9a43 100644 --- a/lass/2configs/backup.nix +++ b/lass/2configs/backup.nix @@ -15,6 +15,7 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = with config.krebs.hosts; [ mors.ssh.pubkey prism.ssh.pubkey + blue.ssh.pubkey ]; }; } diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e2e44b6fc..a387f2c5d 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -69,11 +69,13 @@ in { environment.systemPackages = with pkgs; [ acpi bank + cabal2nix dic dmenu gi - git-preview gitAndTools.qgit + git-preview + gnome3.dconf lm_sensors mpv-poll much @@ -86,19 +88,18 @@ in { rxvt_unicode_with-plugins slock sxiv - timewarrior taskwarrior termite + thesauron + timewarrior xclip + xephyrify xorg.xbacklight xorg.xhost xsel youtube-tools yt-next zathura - - cabal2nix - xephyrify ]; fonts.fonts = with pkgs; [ diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix new file mode 100644 index 000000000..1220fa0cd --- /dev/null +++ b/lass/2configs/bitlbee.nix @@ -0,0 +1,15 @@ +with (import <stockholm/lib>); +{ config, lib, pkgs, ... }: + +{ + services.bitlbee = { + enable = true; + portNumber = 6666; + plugins = [ + pkgs.bitlbee-facebook + pkgs.bitlbee-steam + pkgs.bitlbee-discord + ]; + libpurple_plugins = [ pkgs.telegram-purple ]; + }; +} diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix new file mode 100644 index 000000000..657234bc1 --- /dev/null +++ b/lass/2configs/blue-host.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + ]; + containers.blue = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.9"; + localAddress = "10.233.2.10"; + }; +} diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix new file mode 100644 index 000000000..c0417b865 --- /dev/null +++ b/lass/2configs/blue.nix @@ -0,0 +1,55 @@ +with (import <stockholm/lib>); +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./bitlbee.nix + ./mail.nix + ./pass.nix + ]; + + services.tor.enable = true; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + ]; + + systemd.services.chat = let + tmux = pkgs.writeDash "tmux" '' + exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' + set-option -g prefix ` + unbind-key C-b + bind ` send-prefix + + set-option -g status off + set-option -g default-terminal screen-256color + + #use session instead of windows + bind-key c new-session + bind-key p switch-client -p + bind-key n switch-client -n + bind-key C-s switch-client -l + ''} "$@" + ''; + in { + description = "chat environment setup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = false; + + path = [ + pkgs.rxvt_unicode.terminfo + ]; + + serviceConfig = { + User = "lass"; + RemainAfterExit = true; + Type = "oneshot"; + ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; + ExecStop = "${tmux} kill-session -t IM"; + }; + }; +} diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index 3dae3420d..f04e4342d 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -1,12 +1,6 @@ -{ ... }: +{ lib, ... }: { - #krebs.iptables.tables.filter.INPUT.rules = [ - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; } - #]; krebs.iptables.tables.filter.FORWARD.rules = [ { v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } { v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; } @@ -14,9 +8,9 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - #krebs.iptables.tables.filter.OUTPUT.rules = [ - # { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; } - #]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; } @@ -24,4 +18,5 @@ { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 12a814605..ed97b4897 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -19,7 +19,8 @@ with import <stockholm/lib>; users.extraUsers = { root = { openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey config.krebs.users.lass-xerxes.pubkey @@ -38,7 +39,8 @@ with import <stockholm/lib>; "wheel" ]; openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey ]; diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index e05ed2427..371f20885 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -14,7 +14,7 @@ with import <stockholm/lib>; ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ config.krebs.hosts.mors - config.krebs.hosts.uriel + config.krebs.hosts.blue ]; internet-aliases = with config.krebs.users; [ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 @@ -80,6 +80,9 @@ with import <stockholm/lib>; { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } { from = "immoscout@lassul.us"; to = lass.mail; } + { from = "elitedangerous@lassul.us"; to = lass.mail; } + { from = "boardgamegeek@lassul.us"; to = lass.mail; } + { from = "qwertee@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 3ee3a98a5..81f53bf69 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -80,6 +80,7 @@ in { }; }; + hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.support32Bit = true; security.sudo.extraConfig = '' diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 43085ba5e..e41ff606f 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,17 +57,17 @@ let cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.section = "software"; }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; + } // mapAttrs make-public-repo-silent { nixos-aws = { collaborators = [ { name = "fabio"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada"; } ]; }; - krops = { - cgit.desc = "krebs deployment"; - cgit.section = "software"; - }; - } // mapAttrs make-public-repo-silent { }; restricted-repos = mapAttrs make-restricted-repo ( @@ -121,7 +121,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-shodan ]; + user = [ lass-mors lass-shodan lass-icarus lass-blue ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index a71638323..78d5ae0e9 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,6 +20,9 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; } diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index e16d421a0..aef671636 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -159,7 +159,6 @@ "email_configs" = [ { "to" = "devnull@example.com"; - "send_resolved" = true; } ]; "webhook_configs" = [ diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index 225ddd308..e1b523e3a 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -10,8 +10,6 @@ # source: https://nixos.org/wiki/Talk:Steam # ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - nixpkgs.config.steam.java = true; environment.systemPackages = with pkgs; [ steam diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 7a72499c9..4e8361a17 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -26,12 +26,7 @@ in { ./default.nix ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (servePage [ - "habsys.de" - "habsys.eu" - "www.habsys.de" - "www.habsys.eu" - ]) + (servePage [ "freemonkey.art" ]) (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ "ubikmedia.de" @@ -120,6 +115,7 @@ in { { from = "jms@ubikmedia.eu"; to = "jms"; } { from = "ms@ubikmedia.eu"; to = "ms"; } { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } + { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -177,5 +173,12 @@ in { createHome = true; }; + users.users.akayguen = { + uid = genid_signed "akayguen"; + home = "/home/akayguen"; + useDefaultShell = true; + createHome = true; + }; + } diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 61b5543ce..816449c14 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,11 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - onlySSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; + addSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -87,12 +83,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; @@ -201,12 +194,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - root /srv/http/${domain}/; index index.php; access_log /tmp/nginx_acc.log; |