authortv <tv@krebsco.de>2016-07-22 13:22:13 +0200
committertv <tv@krebsco.de>2016-07-22 13:22:13 +0200
commit45c62ec4d3ec61ba593657676f5a09d47622564e (patch)
tree7937fbefaddc5e0168e44ab1d6e355c42192d7e8 /makefu/2configs
parent8b58e6e6e25e38586f3cc8879aa0444d4fdf6f0d (diff)
parent0bd78c3b0de0fa79322e9031f45dcc62abd094d1 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs')
-rw-r--r--makefu/2configs/bepasty-dual.nix33
-rw-r--r--makefu/2configs/default.nix11
-rw-r--r--makefu/2configs/hw/tp-x220.nix3
-rw-r--r--makefu/2configs/temp/share-samba.nix36
-rw-r--r--makefu/2configs/tinc/retiolum.nix4
-rw-r--r--makefu/2configs/virtualization-virtualbox.nix12
-rw-r--r--makefu/2configs/zsh-user.nix14
7 files changed, 87 insertions, 26 deletions
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index 5682f5eb6..f675c4ac8 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -15,6 +15,9 @@ let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ ext-dom = "paste.krebsco.de" ;
in {
krebs.nginx.enable = mkDefault true;
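Review bot: The new `acmepath` ends in a slash and every later use prepends another one (`acmepath + "/challenges/"`, `"${acmepath}/${ext-dom}/fullchain.pem"`), so the generated paths carry a doubled separator (`/var/lib/acme//...`). Linux tolerates it, but it makes the nginx and acme config harder to grep and compare against the real directory; `acmepath = "/var/lib/acme";` and `acmechall = acmepath + "/challenges";` keep the later interpolations unchanged and produce clean paths. The enclosing `let` starts above the hunk.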
@@ -25,7 +28,7 @@ in {
servers = {
internal = {
nginx = {
- server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey;
@@ -33,17 +36,25 @@ in {
external = {
nginx = {
- server-names = [ "paste.krebsco.de" ];
+ server-names = [ ext-dom ];
+ ssl = {
+ enable = true;
+ certificate = "${acmepath}/${ext-dom}/fullchain.pem";
+ certificate_key = "${acmepath}/${ext-dom}/key.pem";
+ # these certs will be needed if acme has not yet created certificates:
+ #certificate = "${sec}/wildcard.krebsco.de.crt";
+ #certificate_key = "${sec}/wildcard.krebsco.de.key";
+ ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+ };
+ locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${ext-dom}/;
+ '');
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
- ssl_certificate ${sec}/wildcard.krebsco.de.crt;
- ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
+
if ($scheme = http){
return 301 https://$server_name$request_uri;
}'';
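Review bot: The new `ciphers = "RC4:HIGH:!aNULL:!MD5"` puts RC4 at the head of the server's preference list; RC4 is prohibited for TLS by RFC 7465 and current clients refuse it, so at best it is dead weight and at worst it is negotiated by a legacy client. `ciphers = "HIGH:!aNULL:!MD5:!RC4";` keeps the rest of the policy intact. The hunk also drops `ssl_protocols` and `ssl_prefer_server_ciphers on` from `extraConfig`; if the krebs.nginx `ssl` block does not emit equivalents, the server falls back to nginx's defaults and client-preferred cipher order, which is worth confirming before the wildcard-cert fallback comments are removed. The surrounding `external` attrset continues outside the hunk.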
@@ -53,4 +64,12 @@ in {
};
};
};
+ security.acme.certs."${ext-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${ext-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains."${ext-dom}" = null ;
+ };
}
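Review bot: `extraDomains."${ext-dom}" = null` lists the certificate's own primary name as an extra domain, which looks like a leftover rather than intent; if the module treats the attribute name as the primary domain, the entry is redundant and can be dropped, otherwise a comment saying why the name is repeated would help the next reader. `allowKeysForGroup = true` with `group = "nginx"` is what lets the worker read `key.pem`, so a one-line comment such as `# nginx workers need read access to key.pem` would document why the key is shared with the group.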
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 4562a123f..c94f1be7d 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -17,7 +17,6 @@ with config.krebs.lib;
krebs = {
enable = true;
- dns.providers.siem = "hosts";
dns.providers.lan = "hosts";
search-domain = "retiolum";
build = {
@@ -25,7 +24,7 @@ with config.krebs.lib;
source = let inherit (config.krebs.build) host user; in {
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "0546a4a"; # stable @ 2016-06-11
+ ref = "125ffff"; # stable @ 2016-07-20
};
secrets.file =
if getEnv "dummy_secrets" == "true"
@@ -67,7 +66,7 @@ with config.krebs.lib;
startAgent = false;
};
services.openssh.enable = true;
- nix.useChroot = true;
+ nix.useSandbox = true;
users.mutableUsers = false;
@@ -171,4 +170,10 @@ with config.krebs.lib;
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
+ # suppress chrome autit event messages
+ security.audit = {
+ rules = [
+ "-a task,never"
+ ];
+ };
}
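Review bot: The comment on the new `security.audit` block understates what the rule does and has a typo ("autit"): as far as auditctl semantics go, `-a task,never` stops the kernel from attaching an audit context to every newly created task, which silences syscall audit records for all processes, not only the chrome sandbox messages. Since that removes a detection source host-wide, the comment should say so explicitly, e.g. `# disable syscall auditing for all new tasks; silences chrome sandbox audit noise but also drops every other audit record`.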
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index 1c9a34965..58390e48d 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -8,10 +8,9 @@ with config.krebs.lib;
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
-
+ hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
services.xserver = {
videoDriver = "intel";
- vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
deviceSection = ''
Option "AccelMethod" "sna"
'';
diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix
new file mode 100644
index 000000000..c021e66c6
--- /dev/null
+++ b/makefu/2configs/temp/share-samba.nix
@@ -0,0 +1,36 @@
+{config, ... }:{
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/var/empty";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 139 445 # samba
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 137 138
+ ];
+ services.samba = {
+ enable = true;
+ shares = {
+ share-home = {
+ path = "/home/share/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
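Review bot: The new share is writable by anonymous guests (`"read only" = "no"`, `"guest ok" = "yes"`, `map to guest = bad user`) and the firewall opens 137/138/139/445 without any interface or source restriction, so any host that can reach the machine can write into `/home/share/`. Even for a `temp/` config, a `hosts allow = <LAN-CIDR placeholder>` line in `extraConfig` bounds the exposure to the intended network at no cost to the use case. The `smbguest` account is declared without a primary group, which may be fine for a guest mapping but is worth stating in a comment.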
diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix
new file mode 100644
index 000000000..dcb072461
--- /dev/null
+++ b/makefu/2configs/tinc/retiolum.nix
@@ -0,0 +1,4 @@
+_:
+{
+ krebs.tinc.retiolum.enable = true;
+}
diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix
index 2b4e24774..7a14dea7f 100644
--- a/makefu/2configs/virtualization-virtualbox.nix
+++ b/makefu/2configs/virtualization-virtualbox.nix
@@ -2,20 +2,22 @@
let
mainUser = config.krebs.build.user;
- version = "5.0.20";
- rev = "106931";
- vboxguestpkg = pkgs.fetchurl {
+ vboxguestpkg = lib.stdenv.mkDerivation rec {
+ name = "Virtualbox-Extensions-${version}-${rev}";
+ version = "5.0.20";
+ rev = "106931";
+ src = pkgs.fetchurl {
url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
};
+ };
in {
- #inherit vboxguestpkg;
virtualisation.virtualbox.host.enable = true;
nixpkgs.config.virtualbox.enableExtensionPack = true;
users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
nixpkgs.config.packageOverrides = super: {
- boot.kernelPackages = super.boot.kernelPackages.virtualbox.override {
+ boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
++ [ vboxguestpkg ];
};
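Review bot: `lib.stdenv.mkDerivation` on the new `vboxguestpkg` line will not evaluate: `stdenv` lives in `pkgs`, not in the nixpkgs `lib` function set, so forcing the override should fail with a missing-attribute error; the fix is `vboxguestpkg = pkgs.stdenv.mkDerivation rec {`. The module's argument list is outside the hunk, so this assumes `lib` is the usual nixpkgs lib. While here, the unchanged `super.boot.kernelPackages.virtualBox.buildInputs` line uses a capital `B` where the line above uses `virtualbox`; if that attribute is really lowercase the override is also broken, which is worth checking since the commit reworks this expression.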
diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix
index 9527ead1a..99c1315e1 100644
--- a/makefu/2configs/zsh-user.nix
+++ b/makefu/2configs/zsh-user.nix
@@ -22,15 +22,11 @@ in
bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select
- # load gpg-agent
- envfile="$HOME/.gnupg/gpg-agent.env"
- if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
- eval "$(cat "$envfile")"
- else
- eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
- fi
- export GPG_AGENT_INFO
- export SSH_AUTH_SOCK
+ gpg-connect-agent updatestartuptty /bye >/dev/null
+ GPG_TTY=$(tty)
+ export GPG_TTY
+ unset SSH_AGENT_PID
+ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
promptInit = ''