summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2018-11-27 11:47:54 +0100
committertv <tv@krebsco.de>2018-11-27 11:47:54 +0100
commitc4fabb0bc40e270f7d34a06115b121ef879fc2d1 (patch)
treed745b162ca3fed36057a1d6aa7d4b4b591d76107 /lass
parent09144f173677ed33850e484cf46876d13bb37c9e (diff)
parenteef1d7877defd7c310dc20f62bf96c7b8f408044 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/archprism/config.nix1
-rw-r--r--lass/1systems/blue/source.nix11
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/1systems/skynet/config.nix29
-rw-r--r--lass/1systems/skynet/physical.nix21
-rw-r--r--lass/2configs/binary-cache/server.nix9
-rw-r--r--lass/2configs/blue-host.nix99
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/fetchWallpaper.nix1
-rw-r--r--lass/2configs/mail.nix4
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix3
-rw-r--r--lass/2configs/radio.nix17
-rw-r--r--lass/2configs/websites/domsen.nix7
-rw-r--r--lass/krops.nix15
14 files changed, 190 insertions, 29 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
index 6706914b5..bed8961b8 100644
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@@ -110,7 +110,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix
new file mode 100644
index 000000000..8f748ab8f
--- /dev/null
+++ b/lass/1systems/blue/source.nix
@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+{
+ nixpkgs = lib.mkForce {
+ file = toString (pkgs.fetchFromGitHub {
+ owner = "nixos";
+ repo = "nixpkgs";
+ rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
+ sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
+ });
+ };
+}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 6d65b58c2..cac13be2b 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix>
+ <stockholm/lass/2configs/blue-host.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index b6c08f797..14aca598e 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -5,42 +5,35 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
- #<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
+ <stockholm/lass/2configs/blue-host.nix>
{
- # discordius config
services.xserver.enable = true;
+ services.xserver.desktopManager.xfce.enable = true;
+
users.users.discordius = {
- uid = genid "discordius";
- home = "/home/discordius";
- group = "users";
- createHome = true;
+ uid = genid "diskordius";
+ isNormalUser = true;
extraGroups = [
"audio"
"networkmanager"
];
- useDefaultShell = true;
- };
- networking.networkmanager.enable = true;
- networking.wireless.enable = mkForce false;
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
};
environment.systemPackages = with pkgs; [
- pavucontrol
- firefox
- hexchat
- networkmanagerapplet
+ google-chrome
];
- services.xserver.desktopManager.gnome3 = {
+ hardware.pulseaudio = {
enable = true;
+ systemWide = true;
};
}
];
krebs.build.host = config.krebs.hosts.skynet;
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = true;
+
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix
index 358e1f511..e3451293f 100644
--- a/lass/1systems/skynet/physical.nix
+++ b/lass/1systems/skynet/physical.nix
@@ -1,10 +1,27 @@
{
imports = [
./config.nix
- <stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
+ <stockholm/krebs/2configs/hw/x220.nix>
];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+
+ networking.hostId = "06442b9a";
+
+ fileSystems."/" =
+ { device = "rpool/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0876-B308";
+ fsType = "vfat";
+ };
+
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 220e41d0a..86158c468 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -20,7 +20,14 @@
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
- serverAliases = [ "cache.prism.r" "cache.krebsco.de" "cache.lassul.us" ];
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '';
+ };
+ virtualHosts."cache.krebsco.de" = {
+ serverAliases = [ "cache.lassul.us" ];
+ enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 83c235f3e..fba996743 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -1,23 +1,114 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
+let
+ all_hosts = [
+ "icarus"
+ "shodan"
+ "daedalus"
+ "skynet"
+ "prism"
+ ];
+ remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
-{
+in {
imports = [
<stockholm/lass/2configs/container-networking.nix>
+ { #hack for already defined
+ systemd.services."container@blue".reloadIfChanged = mkForce false;
+ systemd.services."container@blue".preStart = ''
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+ '';
+ systemd.services."container@blue".preStop = ''
+ /run/wrappers/bin/fusermount -u /var/lib/containers/blue
+ '';
+ }
];
- systemd.services."container@blue".reloadIfChanged = mkForce false;
+
+ system.activationScripts.containerPermissions = ''
+ mkdir -p /var/lib/containers
+ chmod 711 /var/lib/containers
+ '';
+
containers.blue = {
config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt_unicode.terminfo
+ ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
- autoStart = true;
+ autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.9";
localAddress = "10.233.2.10";
};
+
+
+ systemd.services = builtins.listToAttrs (map (host:
+ let
+ in nameValuePair "sync-blue-${host}" {
+ bindsTo = [ "container@blue.service" ];
+ wantedBy = [ "container@blue.service" ];
+ # ssh needed for rsync
+ path = [ pkgs.openssh ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 10;
+ ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+ set -efu
+ #make sure blue is running
+ /run/wrappers/bin/ping -c1 blue.r > /dev/null
+
+ #make sure the container is unlocked
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+
+ #make sure our target is reachable
+ ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+
+ #start sync
+ ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+ settings {
+ nodaemon = true,
+ inotifyMode = "CloseWrite or Modify",
+ }
+ sync {
+ default.rsyncssh,
+ source = "/var/lib/containers/.blue",
+ host = "${host}.r",
+ targetdir = "/var/lib/containers/.blue",
+ rsync = {
+ owner = true,
+ group = true,
+ };
+ ssh = {
+ binary = "${pkgs.openssh}/bin/ssh";
+ identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+ },
+ }
+ ''}
+ '';
+ };
+ unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+ }
+ ) remote_hosts);
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-blue" ''
+ set -ef
+ if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
+ ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
+ fi
+ nixos-container start blue
+ nixos-container run blue -- nixos-rebuild -I /var/src dry-build
+ if ping -c1 blue.r >/dev/null; then
+ echo 'blue is already running. bailing out'
+ exit 23
+ fi
+ nixos-container run blue -- nixos-rebuild -I /var/src switch
+ '')
+ ];
}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index bf43ee7d1..9bb70d1c2 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -92,6 +92,7 @@ with import <stockholm/lib>;
{ from = "ccc@lassul.us"; to = lass.mail; }
{ from = "neocron@lassul.us"; to = lass.mail; }
{ from = "osmocom@lassul.us"; to = lass.mail; }
+ { from = "lesswrong@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index e756c3424..065ee9c42 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -7,7 +7,6 @@ in {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/realwallpaper-krebs.png";
- maxTime = 10;
};
}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 46939c97e..9ea91ae19 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -31,6 +31,7 @@ let
'';
mailboxes = {
+ afra = [ "to:afra@afra-berlin.de" ];
c-base = [ "to:c-base.org" ];
coins = [
"to:btce@lassul.us"
@@ -46,11 +47,14 @@ let
];
dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ];
+ dn42 = [ "to:dn42@lists.nox.tf" ];
eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
+ india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
lugs = [ "to:lugs@lug-s.org" ];
+ meetup = [ "to:meetup@lassul.us" ];
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ];
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index aef671636..b7083c776 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -177,7 +177,8 @@
addr = "0.0.0.0";
domain = "grafana.example.com";
rootUrl = "https://grafana.example.com/";
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ auth.anonymous.enable = true;
+ auth.anonymous.org_role = "Admin";
};
};
services.logstash = {
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index bf6855804..85faded14 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -62,8 +62,23 @@ in {
extraConfig = ''
audio_output {
type "shout"
+ encoding "lame"
+ name "the_playlist_mp3"
+ host "localhost"
+ port "8000"
+ mount "/radio.mp3"
+ password "${source-password}"
+ bitrate "128"
+
+ format "44100:16:2"
+
+ user "source"
+ genre "good music"
+ }
+ audio_output {
+ type "shout"
encoding "ogg"
- name "the_playlist"
+ name "the_playlist_ogg"
host "localhost"
port "8000"
mount "/radio.ogg"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 828cab95f..4935268a4 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -139,6 +139,13 @@ in {
ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
+ users.users.xanf = {
+ uid = genid_uint31 "xanf";
+ home = "/home/xanf";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
users.users.domsen = {
uid = genid_uint31 "domsen";
description = "maintenance acc for domsen";
diff --git a/lass/krops.nix b/lass/krops.nix
index a898164c3..c2669c8f2 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -5,6 +5,12 @@
pkgs
;
+ host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
+ import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
+ else
+ {}
+ ;
+
source = { test }: lib.evalSource [
krebs-source
{
@@ -18,15 +24,24 @@
};
};
}
+ host-source
];
in {
+
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; };
inherit target;
};
+ # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
+ populate = { target, force ? false }: pkgs.populate {
+ inherit force;
+ source = source { test = false; };
+ target = lib.mkTarget target;
+ };
+
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" {
force = true;