diff options
author | makefu <github@syntax-fehler.de> | 2018-11-30 23:19:32 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2018-11-30 23:19:32 +0100 |
commit | b8db7293383772b936b6937cc05b5588021ca693 (patch) | |
tree | 74cd0a8da1fd703080697bed04ffc1a8279a60ae /lass | |
parent | 861d4481f710d60d0d84aa8b1f8997f7fc18890d (diff) | |
parent | 7f5431a4999fea9626df300f707aa8c62de894e3 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/cabal/config.nix | 16 | ||||
-rw-r--r-- | lass/1systems/cabal/physical.nix | 12 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 56 | ||||
-rw-r--r-- | lass/1systems/prism/physical.nix | 5 | ||||
-rw-r--r-- | lass/1systems/skynet/config.nix | 1 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 132 | ||||
-rw-r--r-- | lass/1systems/yellow/physical.nix | 8 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 6 | ||||
-rw-r--r-- | lass/2configs/downloading.nix | 65 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 1 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/nordvpn.txt | 0 | ||||
-rw-r--r-- | lass/2configs/websites/lassulus.nix | 16 | ||||
-rw-r--r-- | lass/5pkgs/custom/xmonad-lass/default.nix | 30 | ||||
-rw-r--r-- | lass/5pkgs/fzfmenu/default.nix | 33 |
14 files changed, 259 insertions, 122 deletions
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix deleted file mode 100644 index 6a8040c9d..000000000 --- a/lass/1systems/cabal/config.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - <stockholm/lass> - - <stockholm/lass/2configs/mouse.nix> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/AP.nix> - <stockholm/lass/2configs/blue-host.nix> - ]; - - krebs.build.host = config.krebs.hosts.cabal; -} diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix deleted file mode 100644 index 3cc4af03b..000000000 --- a/lass/1systems/cabal/physical.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - imports = [ - ./config.nix - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> - ]; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0" - ''; -} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index a9fbae695..24fa3fd7a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -207,7 +207,6 @@ with import <stockholm/lib>; RandomizedDelaySec = "2min"; }; } - <stockholm/lass/2configs/downloading.nix> <stockholm/lass/2configs/minecraft.nix> { services.taskserver = { @@ -338,6 +337,61 @@ with import <stockholm/lib>; ]; } + { + systemd.services."container@yellow".reloadIfChanged = mkForce false; + containers.yellow = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.13"; + localAddress = "10.233.2.14"; + }; + + services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = '' + if ($scheme != "https") { + rewrite ^ https://$host$uri permanent; + } + auth_basic "Restricted Content"; + auth_basic_user_file ${pkgs.writeText "transmission-user-pass" '' + krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 + ''}; + proxy_pass http://10.233.2.14:9091; + ''; + + users.groups.download = {}; + users.users = { + download = { + createHome = true; + group = "download"; + name = "download"; + home = "/var/download"; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + lass-shodan.pubkey + lass-icarus.pubkey + lass-daedalus.pubkey + lass-helios.pubkey + makefu.pubkey + wine-mors.pubkey + ]; + }; + }; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chmod 775 /var/download + ln -fs /var/lib/containers/yellow/var/download/finished /var/download/finished || : + chown download: /var/download/finished + ''; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 4388c13fa..116bdb92f 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -25,6 +25,11 @@ fsType = "zfs"; }; + fileSystems."/var/download" = { + device = "tank/download"; + fsType = "zfs"; + }; + fileSystems."/var/lib/containers" = { device = "tank/containers"; fsType = "zfs"; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 14aca598e..13a8b3e41 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -7,6 +7,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/power-action.nix> { services.xserver.enable = true; services.xserver.desktopManager.xfce.enable = true; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix new file mode 100644 index 000000000..ee14986ac --- /dev/null +++ b/lass/1systems/yellow/config.nix @@ -0,0 +1,132 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.yellow; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chown download:download /var/download + chmod 775 /var/download + ''; + + users.users.download = { uid = genid "download"; }; + users.groups.download.members = [ "transmission" ]; + users.users.transmission.group = mkForce "download"; + + systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; + services.transmission = { + enable = true; + settings = { + download-dir = "/var/download/finished"; + incomplete-dir = "/var/download/incoming"; + incomplete-dir-enable = true; + umask = "002"; + rpc-whitelist-enabled = false; + rpc-host-whitelist-enabled = false; + }; + }; + + krebs.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } + ]; + }; + + services.nginx.enable = true; + services.openvpn.servers.nordvpn.config = '' + client + dev tun + proto udp + remote 82.102.16.229 1194 + resolv-retry infinite + remote-random + nobind + tun-mtu 1500 + tun-mtu-extra 32 + mssfix 1450 + persist-key + persist-tun + ping 15 + ping-restart 0 + ping-timer-rem + reneg-sec 0 + comp-lzo no + + explicit-exit-notify 3 + + remote-cert-tls server + + #mute 10000 + auth-user-pass ${toString <secrets/nordvpn.txt>} + + verb 3 + pull + fast-io + cipher AES-256-CBC + auth SHA512 + + <ca> + -----BEGIN CERTIFICATE----- + MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD + VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH + Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw + bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y + ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG + A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT + B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2 + cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v + cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG + UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny + mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X + +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT + ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI + 583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA + VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT + Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh + MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ + MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy + Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW + EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG + SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ + e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW + //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB + wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB + KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p + lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9 + -----END CERTIFICATE----- + </ca> + key-direction 1 + <tls-auth> + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 49b2f54c6ee58d2d97331681bb577d55 + 054f56d92b743c31e80b684de0388702 + ad3bf51088cd88f3fac7eb0729f2263c + 51d82a6eb7e2ed4ae6dfa65b1ac764d0 + b9dedf1379c1b29b36396d64cb6fd6b2 + e61f869f9a13001dadc02db171f04c4d + c46d1132c1f31709e7b54a6eabae3ea8 + fbd2681363c185f4cb1be5aa42a27c31 + 21db7b2187fd11c1acf224a0d5a44466 + b4b5a3cc34ec0227fe40007e8b379654 + f1e8e2b63c6b46ee7ab6f1bd82f57837 + 92c209e8f25bc9ed493cb5c1d891ae72 + 7f54f4693c5b20f136ca23e639fd8ea0 + 865b4e22dd2af43e13e6b075f12427b2 + 08af9ffd09c56baa694165f57fe2697a + 3377fa34aebcba587c79941d83deaf45 + -----END OpenVPN Static key V1----- + </tls-auth> + ''; +} diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix new file mode 100644 index 000000000..7499ff723 --- /dev/null +++ b/lass/1systems/yellow/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 9b44e8f0e..d781f8c71 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -126,6 +126,12 @@ in { restartIfChanged = false; }; + nixpkgs.config.packageOverrides = super: { + dmenu = pkgs.writeDashBin "dmenu" '' + ${pkgs.fzfmenu}/bin/fzfmenu "$@" + ''; + }; + krebs.xresources.enable = true; lass.screenlock.enable = true; } diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix deleted file mode 100644 index 8d0fb0d02..000000000 --- a/lass/2configs/downloading.nix +++ /dev/null @@ -1,65 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; - -{ - users.extraUsers = { - download = { - name = "download"; - home = "/var/download"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "download" - ]; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-shodan.pubkey - lass-icarus.pubkey - lass-daedalus.pubkey - lass-helios.pubkey - makefu.pubkey - wine-mors.pubkey - ]; - }; - - transmission = { - extraGroups = [ - "download" - ]; - }; - }; - - users.extraGroups = { - download = { - members = [ - "download" - "transmission" - ]; - }; - }; - - krebs.rtorrent = { - enable = true; - web = { - enable = true; - port = 9091; - basicAuth = import <secrets/torrent-auth>; - }; - rutorrent.enable = true; - enableXMLRPC = true; - listenPort = 51413; - downloadDir = "/var/download/finished"; - # dump old torrents into watch folder to have them re-added - watchDir = "/var/download/watch"; - }; - - krebs.iptables = { - enable = true; - tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } - { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } - ]; - }; -} diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 9bb70d1c2..1ee45bb41 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -93,6 +93,7 @@ with import <stockholm/lib>; { from = "neocron@lassul.us"; to = lass.mail; } { from = "osmocom@lassul.us"; to = lass.mail; } { from = "lesswrong@lassul.us"; to = lass.mail; } + { from = "nordvpn@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/tests/dummy-secrets/nordvpn.txt b/lass/2configs/tests/dummy-secrets/nordvpn.txt new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/nordvpn.txt diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index b72b20928..6470d86f7 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -66,22 +66,6 @@ in { locations."/tinc".extraConfig = '' alias ${config.krebs.tinc_graphs.workingDir}/external; ''; - locations."/urlaubyay2018".extraConfig = '' - autoindex on; - alias /srv/http/lassul.us-media/india2018; - auth_basic "Restricted Content"; - auth_basic_user_file ${pkgs.writeText "pics-user-pass" '' - paolo:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0 - ''}; - ''; - locations."/heilstadt".extraConfig = '' - autoindex on; - alias /srv/http/lassul.us-media/grabowsee2018; - auth_basic "Restricted Content"; - auth_basic_user_file ${pkgs.writeText "pics-user-pass" '' - c-base:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0 - ''}; - ''; locations."/krebspage".extraConfig = '' default_type "text/html"; alias ${pkgs.krebspage}/index.html; diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix index 087d54eca..c020f975c 100644 --- a/lass/5pkgs/custom/xmonad-lass/default.nix +++ b/lass/5pkgs/custom/xmonad-lass/default.nix @@ -25,6 +25,8 @@ import Control.Monad.Extra (whenJustM) import Data.List (isInfixOf) import Data.Monoid (Endo) import System.Environment (getArgs, lookupEnv) +import System.Exit (exitFailure) +import System.IO (hPutStrLn, stderr) import System.Posix.Process (executeFile) import XMonad.Actions.CopyWindow (copy, kill1) import XMonad.Actions.CycleWS (toggleWS) @@ -36,7 +38,7 @@ import XMonad.Hooks.EwmhDesktops (ewmh) import XMonad.Hooks.FloatNext (floatNext) import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts)) -import XMonad.Hooks.Place (placeHook, smart) +import XMonad.Hooks.ManageHelpers (composeOne, doCenterFloat, (-?>)) import XMonad.Hooks.UrgencyHook (focusUrgent) import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..)) import XMonad.Layout.FixedColumn (FixedColumn(..)) @@ -49,7 +51,7 @@ import XMonad.Util.EZConfig (additionalKeysP) import XMonad.Util.NamedWindows (getName) import XMonad.Util.Run (safeSpawn) -import XMonad.Stockholm.Shutdown (handleShutdownEvent, sendShutdownEvent) +import XMonad.Stockholm.Shutdown (newShutdownEventHandler, shutdown) import XMonad.Stockholm.Pager (defaultWindowColors, pager, MatchMethod(MatchPrefix), PagerConfig(..)) data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) @@ -69,18 +71,20 @@ myFont = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1" main :: IO () main = getArgs >>= \case - ["--shutdown"] -> sendShutdownEvent - _ -> main' + [] -> main' + ["--shutdown"] -> shutdown + args -> hPutStrLn stderr ("bad arguments: " <> show args) >> exitFailure main' :: IO () main' = do + handleShutdownEvent <- newShutdownEventHandler xmonad $ ewmh $ withUrgencyHook LibNotifyUrgencyHook $ def { terminal = myTerm , modMask = mod4Mask , layoutHook = smartBorders $ myLayoutHook - , manageHook = placeHook (smart (1,0)) <+> floatNextHook <+> floatHooks + , manageHook = floatHooks <+> floatNextHook , startupHook = whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) (\path -> forkFile path [] Nothing) @@ -95,13 +99,12 @@ myLayoutHook = defLayout defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat) floatHooks :: Query (Endo WindowSet) -floatHooks = composeAll . concat $ - [ [ title =? t --> doFloat | t <- myTitleFloats] - , [ className =? c --> doFloat | c <- myClassFloats ] ] - where - myTitleFloats = [] - myClassFloats = ["Pinentry"] -- for gpg passphrase entry - +floatHooks = composeOne + [ className =? "Pinentry" -?> doCenterFloat + , title =? "fzfmenu" -?> doCenterFloat + , title =? "glxgears" -?> doCenterFloat + , resource =? "Dialog" -?> doFloat + ] myKeyMap :: [([Char], X ())] myKeyMap = @@ -159,6 +162,9 @@ myKeyMap = , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") + , ("M4-<F9>", spawn "${pkgs.redshift}/bin/redshift -O 4000 -g 0.9:0.8:0.8") + , ("M4-<F10>", spawn "${pkgs.redshift}/bin/redshift -x") + , ("<Pause>", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("M4-s", spawn "${pkgs.knav}/bin/knav") diff --git a/lass/5pkgs/fzfmenu/default.nix b/lass/5pkgs/fzfmenu/default.nix new file mode 100644 index 000000000..6b5899359 --- /dev/null +++ b/lass/5pkgs/fzfmenu/default.nix @@ -0,0 +1,33 @@ +{ pkgs, ... }: + +pkgs.writeDashBin "fzfmenu" '' + set -efu + PROMPT=">" + for i in "$@" + do + case $i in + -p) + PROMPT="$2" + shift + shift + break + ;; + *) + echo "Unknown option $1" + shift + ;; + esac + done + INPUT=$(${pkgs.coreutils}/bin/cat) + OUTPUT="$(${pkgs.coreutils}/bin/mktemp)" + ${pkgs.rxvt_unicode}/bin/urxvt \ + -name fzfmenu -title fzfmenu \ + -e ${pkgs.dash}/bin/dash -c \ + "echo \"$INPUT\" | ${pkgs.fzf}/bin/fzf \ + --history=/dev/null \ + --no-sort \ + --prompt=\"$PROMPT\" \ + > \"$OUTPUT\"" 2>/dev/null + ${pkgs.coreutils}/bin/cat "$OUTPUT" + ${pkgs.coreutils}/bin/rm "$OUTPUT" +'' |