summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2018-12-07 13:20:49 +0100
committertv <tv@krebsco.de>2018-12-07 13:20:49 +0100
commit1d3a3c8104eac3e9a4ee7cdd961fcd61f706d173 (patch)
tree53ad5d4d3ecc88eeabba682fd1741bf3d1d96aa8 /lass
parentbfcf6ad0adaedf0d069850824fbbb55e4af20c5e (diff)
parent43be8e6bb38ea99ed489a8b6633ebb33b96b6282 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/archprism/config.nix276
-rw-r--r--lass/1systems/cabal/config.nix16
-rw-r--r--lass/1systems/cabal/physical.nix12
-rw-r--r--lass/1systems/icarus/config.nix4
-rw-r--r--lass/1systems/mors/config.nix5
-rw-r--r--lass/1systems/prism/config.nix77
-rw-r--r--lass/1systems/prism/physical.nix5
-rw-r--r--lass/1systems/shodan/config.nix3
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/yellow/config.nix167
-rw-r--r--lass/1systems/yellow/physical.nix8
-rw-r--r--lass/2configs/baseX.nix6
-rw-r--r--lass/2configs/binary-cache/server.nix1
-rw-r--r--lass/2configs/blue-host.nix1
-rw-r--r--lass/2configs/downloading.nix65
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/mail.nix10
-rw-r--r--lass/2configs/radio.nix3
-rw-r--r--lass/2configs/tests/dummy-secrets/nordvpn.txt0
-rw-r--r--lass/2configs/websites/fritz.nix70
-rw-r--r--lass/2configs/websites/lassulus.nix22
-rw-r--r--lass/3modules/xjail.nix2
-rw-r--r--lass/5pkgs/custom/xmonad-lass/default.nix21
-rw-r--r--lass/5pkgs/emot-menu/default.nix31
-rw-r--r--lass/5pkgs/fzfmenu/default.nix45
25 files changed, 366 insertions, 486 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
index bed8961b8..0a2ab1611 100644
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@@ -6,26 +6,10 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
- {
- services.nginx.enable = true;
- imports = [
- <stockholm/lass/2configs/websites/domsen.nix>
- <stockholm/lass/2configs/websites/lassulus.nix>
- ];
- # needed by domsen.nix ^^
- lass.usershadow = {
- enable = true;
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
- ];
- }
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
- uid = genid "riot";
+ uid = genid_uint31 "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
@@ -42,153 +26,7 @@ with import <stockholm/lib>;
{ v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; }
];
}
- {
- users.users.tv = {
- uid = genid "tv";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.tv.pubkey
- ];
- };
- users.users.makefu = {
- uid = genid "makefu";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.makefu.pubkey
- ];
- };
- users.extraUsers.dritter = {
- uid = genid "dritter";
- isNormalUser = true;
- extraGroups = [
- "download"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
- ];
- };
- users.extraUsers.juhulian = {
- uid = 1339;
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
- ];
- };
- users.users.hellrazor = {
- uid = genid "hellrazor";
- isNormalUser = true;
- extraGroups = [
- "download"
- ];
- openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
- };
- }
- {
- #hotdog
- systemd.services."container@hotdog".reloadIfChanged = mkForce false;
- containers.hotdog = {
- config = { ... }: {
- imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = true;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.1";
- localAddress = "10.233.2.2";
- };
- }
- <stockholm/lass/2configs/exim-smarthost.nix>
- <stockholm/lass/2configs/ts3.nix>
- <stockholm/lass/2configs/privoxy-retiolum.nix>
- <stockholm/lass/2configs/radio.nix>
- <stockholm/lass/2configs/binary-cache/server.nix>
- <stockholm/lass/2configs/iodined.nix>
- <stockholm/lass/2configs/paste.nix>
- <stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
- <stockholm/lass/2configs/monitoring/prometheus-server.nix>
- { # quasi bepasty.nix
- imports = [
- <stockholm/lass/2configs/bepasty.nix>
- ];
- krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
- if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
- return 403;
- }
- '';
- }
- {
- services.tor = {
- enable = true;
- };
- }
- {
- lass.ejabberd = {
- enable = true;
- hosts = [ "lassul.us" ];
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
- ];
- }
- {
- imports = [
- <stockholm/lass/2configs/realwallpaper.nix>
- ];
- services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
- alias /var/realwallpaper/realwallpaper.png;
- '';
- }
- {
- users.users.jeschli = {
- uid = genid "jeschli";
- isNormalUser = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- jeschli.pubkey
- jeschli-bln.pubkey
- jeschli-bolide.pubkey
- jeschli-brauerei.pubkey
- ];
- };
- krebs.git.rules = [
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.xmonad-stockholm ];
- perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.stockholm ];
- perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- ];
- }
- {
- krebs.repo-sync.repos.stockholm.timerConfig = {
- OnBootSec = "5min";
- OnUnitInactiveSec = "2min";
- RandomizedDelaySec = "2min";
- };
- }
- <stockholm/lass/2configs/downloading.nix>
- <stockholm/lass/2configs/minecraft.nix>
{
services.taskserver = {
enable = true;
@@ -201,123 +39,11 @@ with import <stockholm/lib>;
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
- #<stockholm/lass/2configs/go.nix>
- {
- environment.systemPackages = [ pkgs.cryptsetup ];
- systemd.services."container@red".reloadIfChanged = mkForce false;
- containers.red = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.3";
- localAddress = "10.233.2.4";
- };
- services.nginx.virtualHosts."rote-allez-fraktion.de" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- extraConfig = ''
- proxy_set_header Host rote-allez-fraktion.de;
- proxy_pass http://10.233.2.4;
- '';
- };
- };
- }
- #{
- # imports = [ <stockholm/lass/2configs/backup.nix> ];
- # lass.restic = genAttrs [
- # "daedalus"
- # "icarus"
- # "littleT"
- # "mors"
- # "shodan"
- # "skynet"
- # ] (dest: {
- # dirs = [
- # "/home/chat/.weechat"
- # "/bku/sql_dumps"
- # ];
- # passwordFile = (toString <secrets>) + "/restic/${dest}";
- # repo = "sftp:backup@${dest}.r:/backups/prism";
- # extraArguments = [
- # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
- # ];
- # timerConfig = {
- # OnCalendar = "00:05";
- # RandomizedDelaySec = "5h";
- # };
- # });
- #}
- {
- users.users.download.openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
- ];
- }
- {
- }
- {
- lass.nichtparasoup.enable = true;
- services.nginx = {
- enable = true;
- virtualHosts."lol.lassul.us" = {
- forceSSL = true;
- enableACME = true;
- locations."/".extraConfig = ''
- proxy_pass http://localhost:5001;
- '';
- };
- };
- }
- {
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.POSTROUTING.rules = [
- { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
- ];
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.244.1.1/24" ];
- listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wireguard.key";
- allowedIPsAsRoutes = true;
- peers = [
- {
- # lass-android
- allowedIPs = [ "10.244.1.2/32" ];
- publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
- }
- ];
- };
- }
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
];
}
- {
- services.murmur.enable = true;
- services.murmur.registerName = "lassul.us";
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
- ];
-
- }
];
krebs.build.host = config.krebs.hosts.archprism;
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix
deleted file mode 100644
index 6a8040c9d..000000000
--- a/lass/1systems/cabal/config.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- <stockholm/lass>
-
- <stockholm/lass/2configs/mouse.nix>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- <stockholm/lass/2configs/baseX.nix>
- <stockholm/lass/2configs/AP.nix>
- <stockholm/lass/2configs/blue-host.nix>
- ];
-
- krebs.build.host = config.krebs.hosts.cabal;
-}
diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix
deleted file mode 100644
index 3cc4af03b..000000000
--- a/lass/1systems/cabal/physical.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- imports = [
- ./config.nix
- <stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
- ];
-
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0"
- '';
-}
diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 1957c8ba4..d2d4bd3eb 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -25,9 +25,5 @@
macchanger
dpass
];
- services.redshift = {
- enable = true;
- provider = "geoclue2";
- };
programs.adb.enable = true;
}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index cac13be2b..207c7c640 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -102,6 +102,7 @@ with import <stockholm/lib>;
urban
mk_sql_pair
remmina
+ transmission
iodine
@@ -148,10 +149,6 @@ with import <stockholm/lib>;
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true;
- services.redshift = {
- enable = true;
- provider = "geoclue2";
- };
lass.restic = genAttrs [
"daedalus"
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index a9fbae695..83cc96771 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -25,7 +25,7 @@ with import <stockholm/lib>;
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
- uid = genid "riot";
+ uid = genid_uint31 "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
@@ -44,21 +44,21 @@ with import <stockholm/lib>;
}
{
users.users.tv = {
- uid = genid "tv";
+ uid = genid_uint31 "tv";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
users.users.makefu = {
- uid = genid "makefu";
+ uid = genid_uint31 "makefu";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
];
};
users.extraUsers.dritter = {
- uid = genid "dritter";
+ uid = genid_uint31 "dritter";
isNormalUser = true;
extraGroups = [
"download"
@@ -75,7 +75,7 @@ with import <stockholm/lib>;
];
};
users.users.hellrazor = {
- uid = genid "hellrazor";
+ uid = genid_uint31 "hellrazor";
isNormalUser = true;
extraGroups = [
"download"
@@ -168,7 +168,7 @@ with import <stockholm/lib>;
}
{
users.users.jeschli = {
- uid = genid "jeschli";
+ uid = genid_uint31 "jeschli";
isNormalUser = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
jeschli.pubkey
@@ -207,7 +207,6 @@ with import <stockholm/lib>;
RandomizedDelaySec = "2min";
};
}
- <stockholm/lass/2configs/downloading.nix>
<stockholm/lass/2configs/minecraft.nix>
{
services.taskserver = {
@@ -324,6 +323,15 @@ with import <stockholm/lib>;
}
];
};
+ services.dnsmasq = {
+ enable = true;
+ resolveLocalQueries = false;
+
+ extraConfig= ''
+ except-interface=lo
+ interface=wg0
+ '';
+ };
}
{
krebs.iptables.tables.filter.INPUT.rules = [
@@ -338,6 +346,61 @@ with import <stockholm/lib>;
];
}
+ {
+ systemd.services."container@yellow".reloadIfChanged = mkForce false;
+ containers.yellow = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.13";
+ localAddress = "10.233.2.14";
+ };
+
+ services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = ''
+ if ($scheme != "https") {
+ rewrite ^ https://$host$uri permanent;
+ }
+ auth_basic "Restricted Content";
+ auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
+ krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
+ ''};
+ proxy_pass http://10.233.2.14:9091;
+ '';
+
+ users.groups.download = {};
+ users.users = {
+ download = {
+ createHome = true;
+ group = "download";
+ name = "download";
+ home = "/var/download";
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ lass-shodan.pubkey
+ lass-icarus.pubkey
+ lass-daedalus.pubkey
+ lass-helios.pubkey
+ makefu.pubkey
+ wine-mors.pubkey
+ ];
+ };
+ };
+
+ system.activationScripts.downloadFolder = ''
+ mkdir -p /var/download
+ chmod 775 /var/download
+ ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
+ chown download: /var/download/finished
+ '';
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 4388c13fa..116bdb92f 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -25,6 +25,11 @@
fsType = "zfs";
};
+ fileSystems."/var/download" = {
+ device = "tank/download";
+ fsType = "zfs";
+ };
+
fileSystems."/var/lib/containers" = {
device = "tank/containers";
fsType = "zfs";
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 8405b0f1f..39c0791fc 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -8,14 +8,13 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
- <stockholm/lass/2configs/git.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
- <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
+ <stockholm/lass/2configs/blue-host.nix>
];
krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 14aca598e..13a8b3e41 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -7,6 +7,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
+ <stockholm/lass/2configs/power-action.nix>
{
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
new file mode 100644
index 000000000..ff7b23687
--- /dev/null
+++ b/lass/1systems/yellow/config.nix
@@ -0,0 +1,167 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs>
+ <stockholm/lass/2configs/retiolum.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.yellow;
+
+ system.activationScripts.downloadFolder = ''
+ mkdir -p /var/download
+ chown download:download /var/download
+ chmod 775 /var/download
+ '';
+
+ users.users.download = { uid = genid "download"; };
+ users.groups.download.members = [ "transmission" ];
+ users.users.transmission.group = mkForce "download";
+
+ systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
+ services.transmission = {
+ enable = true;
+ settings = {
+ download-dir = "/var/download/finished";
+ incomplete-dir = "/var/download/incoming";
+ incomplete-dir-enable = true;
+ umask = "002";
+ rpc-whitelist-enabled = false;
+ rpc-host-whitelist-enabled = false;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginx.override {
+ modules = with pkgs.nginxModules; [
+ fancyindex
+ ];
+ };
+ virtualHosts."dl" = {
+ default = true;
+ locations."/Nginx-Fancyindex-Theme-dark" = {
+ extraConfig = ''
+ alias ${pkgs.fetchFromGitHub {
+ owner = "Naereen";
+ repo = "Nginx-Fancyindex-Theme";
+ rev = "e84f7d6a32085c2b6238f85f5fdebe9ceb710fc4";
+ sha256 = "0wzl4ws2w8f0749vxfd1c8c21p3jw463wishgfcmaljbh4dwplg6";
+ }}/Nginx-Fancyindex-Theme-dark;
+ autoindex on;
+ '';
+ };
+ locations."/" = {
+ root = "/var/download/finished";
+ extraConfig = ''
+ fancyindex on;
+ fancyindex_header "/Nginx-Fancyindex-Theme-dark/header.html";
+ fancyindex_footer "/Nginx-Fancyindex-Theme-dark/footer.html";
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+
+ create_full_put_path on;
+ dav_access all:r;
+ '';
+ };
+ };
+ };
+
+ krebs.iptables = {
+ enable = true;
+ tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
+ ];
+ };
+
+ services.openvpn.servers.nordvpn.config = ''
+ client
+ dev tun
+ proto udp
+ remote 82.102.16.229 1194
+ resolv-retry infinite
+ remote-random
+ nobind
+ tun-mtu 1500
+ tun-mtu-extra 32
+ mssfix 1450
+ persist-key
+ persist-tun
+ ping 15
+ ping-restart 0
+ ping-timer-rem
+ reneg-sec 0
+ comp-lzo no
+
+ explicit-exit-notify 3
+
+ remote-cert-tls server
+
+ #mute 10000
+ auth-user-pass ${toString <secrets/nordvpn.txt>}
+
+ verb 3
+ pull
+ fast-io
+ cipher AES-256-CBC
+ auth SHA512
+
+ <ca>
+ -----BEGIN CERTIFICATE-----
+ MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+ VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
+ Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw
+ bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
+ ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG
+ A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
+ B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2
+ cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
+ cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG
+ UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny
+ mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X
+ +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT
+ ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI
+ 583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA
+ VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT
+ Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh
+ MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
+ MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy
+ Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
+ EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG
+ SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ
+ e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW
+ //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB
+ wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB
+ KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p
+ lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9
+ -----END CERTIFICATE-----
+ </ca>
+ key-direction 1
+ <tls-auth>
+ #
+ # 2048 bit OpenVPN static key
+ #
+ -----BEGIN OpenVPN Static key V1-----
+ 49b2f54c6ee58d2d97331681bb577d55
+ 054f56d92b743c31e80b684de0388702
+ ad3bf51088cd88f3fac7eb0729f2263c
+ 51d82a6eb7e2ed4ae6dfa65b1ac764d0
+ b9dedf1379c1b29b36396d64cb6fd6b2
+ e61f869f9a13001dadc02db171f04c4d
+ c46d1132c1f31709e7b54a6eabae3ea8
+ fbd2681363c185f4cb1be5aa42a27c31
+ 21db7b2187fd11c1acf224a0d5a44466
+ b4b5a3cc34ec0227fe40007e8b379654
+ f1e8e2b63c6b46ee7ab6f1bd82f57837
+ 92c209e8f25bc9ed493cb5c1d891ae72
+ 7f54f4693c5b20f136ca23e639fd8ea0
+ 865b4e22dd2af43e13e6b075f12427b2
+ 08af9ffd09c56baa694165f57fe2697a
+ 3377fa34aebcba587c79941d83deaf45
+ -----END OpenVPN Static key V1-----
+ </tls-auth>
+ '';
+}
diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix
new file mode 100644
index 000000000..7499ff723
--- /dev/null
+++ b/lass/1systems/yellow/physical.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ environment.variables.NIX_REMOTE = "daemon";
+}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 9b44e8f0e..d781f8c71 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix