-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | krebs/4lib/types.nix | 1 | ||||
-rw-r--r-- | lass/1systems/mors.nix | 3 | ||||
-rw-r--r-- | lass/1systems/prism.nix | 6 | ||||
-rw-r--r-- | lass/1systems/uriel.nix | 39 | ||||
-rw-r--r-- | lass/2configs/backups.nix | 34 | ||||
-rw-r--r-- | lass/2configs/default.nix | 2 | ||||
-rw-r--r-- | lass/2configs/iodined.nix | 20 | ||||
-rw-r--r-- | lass/2configs/nixpkgs.nix | 2 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/iodinepw.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 74 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 1 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/umts.nix | 4 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 85 | ||||
-rw-r--r-- | lass/5pkgs/xmonad-lass.nix | 3 |
16 files changed, 233 insertions, 49 deletions
@@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user)) $(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_path),,$(error unbound variable: target_path)) -target ?= $(target_user)@$(target_host):$(target_port)$(target_path) - build = \ nix-build \ --no-out-link \ @@ -88,6 +86,8 @@ deploy: nixos-rebuild $(rebuild-command) --show-trace -I $(target_path) # usage: make populate system=foo +populate: populate-target = \ + $(target_user)@$(target_host):$(target_port)$(target_path) ifeq ($(debug),true) populate: populate-flags += --debug endif @@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh) endif populate: $(call evaluate,config.krebs.build.source) --json --strict | \ - populate $(target) $(populate-flags) + populate $(populate-target) $(populate-flags) # usage: make pkgs.populate pkgs:;@$(error no package selected) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 37d44606b..02ca2b8db 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -284,6 +284,7 @@ types // rec { }; mail = mkOption { type = str; # TODO retiolum mail address + default = "${config._module.args.name}@${config.networking.hostName}.r"; }; name = mkOption { type = username; diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1aa4d9b23..21e992a3e 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -194,6 +194,9 @@ with config.krebs.lib; remmina logf + iodine + + macchanger ]; #TODO: fix this shit diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index c7c765302..b508103c5 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -23,6 +23,7 @@ in { ../2configs/buildbot-standalone.nix ../2configs/repo-sync.nix ../2configs/binary-cache/server.nix + ../2configs/iodined.nix { imports = [ ../2configs/git.nix 
@@ -260,6 +261,11 @@ in { { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; } ]; } + { + krebs.repo-sync.timerConfig = { + OnCalendar = "*:0/5"; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 16c39280d..c6d4dbd89 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -1,25 +1,40 @@ { config, pkgs, ... }: with builtins; +with config.krebs.lib; { imports = [ ../. ../2configs/retiolum.nix - ../2configs/baseX.nix ../2configs/exim-retiolum.nix - ../2configs/browsers.nix - ../2configs/games.nix - ../2configs/pass.nix - ../2configs/bird.nix - ../2configs/git.nix - ../2configs/chromium-patched.nix - ../2configs/bitlbee.nix - ../2configs/weechat.nix - ../2configs/skype.nix { - lass.umts = { + # locke config + time.timeZone = "Europe/Berlin"; + services.xserver.enable = true; + users.users.locke = { + uid = genid "locke"; + home = "/home/locke"; + group = "users"; + createHome = true; + extraGroups = [ + "audio" + "networkmanager" + ]; + useDefaultShell = true; + }; + networking.networkmanager.enable = true; + networking.wireless.enable = mkForce false; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + environment.systemPackages = with pkgs; [ + firefox + hexchat + networkmanagerapplet + ]; + services.xserver.desktopManager.xfce = { enable = true; - modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; }; } ]; diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index 7d3046d43..916e08219 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix 
@@ -23,10 +23,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; startAt = "03:05"; }; - dishfire-http-uriel = { + dishfire-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; startAt = "03:10"; }; dishfire-sql-prism = { @@ -41,10 +41,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; startAt = "03:20"; }; - dishfire-sql-uriel = { + dishfire-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; startAt = "03:25"; }; prism-bitlbee-mors = { @@ -53,10 +53,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; - prism-bitlbee-uriel = { + prism-bitlbee-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; prism-chat-mors = { @@ -65,10 +65,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; startAt = "03:30"; }; - prism-chat-uriel = { + prism-chat-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; startAt = "03:35"; }; prism-sql-mors = { 
@@ -77,10 +77,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; startAt = "03:40"; }; - prism-sql-uriel = { + prism-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; startAt = "03:45"; }; prism-http-mors = { @@ -89,22 +89,22 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; startAt = "03:50"; }; - prism-http-uriel = { + prism-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; startAt = "03:55"; }; - uriel-home-mors = { + shodan-home-mors = { method = "pull"; - src = { host = config.krebs.hosts.uriel; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + src = { host = config.krebs.hosts.shodan; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; startAt = "04:00"; }; - mors-home-uriel = { + mors-home-shodan = { method = "push"; src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; startAt = "05:00"; }; dishfire-http-helios = { diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 5575b7e7b..af3ed1d36 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -21,7 +21,6 @@ with config.krebs.lib; root = { openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey config.krebs.users.lass-shodan.pubkey ]; }; 
@@ -37,7 +36,6 @@ with config.krebs.lib; ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey config.krebs.users.lass-shodan.pubkey ]; }; diff --git a/lass/2configs/iodined.nix b/lass/2configs/iodined.nix new file mode 100644 index 000000000..ff254f39d --- /dev/null +++ b/lass/2configs/iodined.nix @@ -0,0 +1,20 @@ +{ pkgs, config, ... }: + +let + # TODO: make this a parameter + domain = "io.lassul.us"; + pw = import <secrets/iodinepw.nix>; +in { + + services.iodined = { + enable = true; + domain = domain; + ip = "172.16.10.1/24"; + extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}"; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 53"; target = "ACCEPT";} + ]; + +} diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 9e3fe888c..879da19bb 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/lassulus/nixpkgs; - ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74"; + ref = "8a8948167324f67d26a1c7ddc8e387128332b622"; }; } diff --git a/lass/2configs/tests/dummy-secrets/iodinepw.nix b/lass/2configs/tests/dummy-secrets/iodinepw.nix new file mode 100644 index 000000000..f5e704702 --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/iodinepw.nix @@ -0,0 +1 @@ +"derp" diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index d5ad38c07..2f93c1f9c 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -1,9 +1,11 @@ { config, pkgs, lib, ... }: let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) genid - ; + genid_signed + ; inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) ssl servePage 
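Review bot: In the new lass/2configs/iodined.nix the tunnel password is spliced into `extraConfig = "-c -P ${pw} -l …"`, so it presumably ends up in the ExecStart of the generated unit in the world-readable Nix store and is visible to every local user in the process list while iodined runs. Importing it from `<secrets/iodinepw.nix>` keeps it out of the repository but not out of the store, which is the usual reason to have the daemon read such a value from a root-only file at runtime. If the iodined module in the pinned nixpkgs offers a file-based password option, prefer it; otherwise at least record the trade-off with a comment above `extraConfig`, e.g. `# NOTE: -P puts the password into the store path and the process cmdline`. The `-p udp --dport 53` rule matches the daemon's DNS transport and looks fine.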
@@ -20,6 +22,25 @@ let exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" ''; + check-password = pkgs.writeDash "check-password" '' + read pw + + file="/home/$PAM_USER/.shadow" + + #check if shadow file exists + test -e "$file" || exit 123 + + hash="$(${pkgs.coreutils}/bin/head -1 $file)" + salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')" + + calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)" + if [ "$calc_hash" == $hash ]; then + exit 0 + else + exit 1 + fi + ''; + in { imports = [ ./sqlBackup.nix @@ -132,6 +153,9 @@ in { extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so sendmail_path = "${sendmail} -t -i" always_populate_raw_post_data = -1 + upload_max_filesize = 100M + post_max_size = 100M + file_uploads = on ''; } '' cat ${pkgs.php}/etc/php-recommended.ini > $out 
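Review bot: The `check-password` script in domsen.nix is run by dash (`pkgs.writeDash`), whose `[` builtin does not accept `==`, so `if [ "$calc_hash" == $hash ]` aborts with "unexpected operator" and the exec exits non-zero for every password; the POSIX form is `if [ "$calc_hash" = "$hash" ]; then`. `$file`, `$hash` and `$salt` are also expanded unquoted (`head -1 "$file"`, `"$salt"`), and dash's `echo` interprets backslashes, so `printf '%s\n' "$pw"` and `printf '%s\n' "$hash"` are the safer way to feed mkpasswd and sed. `$PAM_USER` is whatever name the mail client supplied and is used verbatim in `file="/home/$PAM_USER/.shadow"`; reject names containing `/` or starting with `.` before touching the filesystem, e.g. `case $PAM_USER in */*|.*) exit 1;; esac`, and the same check is missing around `lhs <> user <> tail rhs` in the `verify` binary of lass/3modules/usershadow.nix. Since the next hunk wires this script in as `pam_exec.so debug expose_authtok`, the cleartext password arrives on its stdin; confirm that `debug` only adds call/exit logging and does not copy the token into syslog before leaving it enabled.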
@@ -140,21 +164,53 @@ in { # MAIL STUFF # TODO: make into its own module - services.dovecot2 = { - enable = true; - mailLocation = "maildir:~/Mail"; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; } - { predicate = "-p tcp --dport imap"; target = "ACCEPT"; } - ]; + services.dovecot2 = { + enable = true; + mailLocation = "maildir:~/Mail"; + sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem"; + sslServerKey = "/var/lib/acme/lassul.us/key.pem"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } + { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } + ]; + + security.pam.services.exim.text = '' + auth required pam_env.so + auth sufficient pam_exec.so debug expose_authtok ${check-password} + auth sufficient pam_unix.so likeauth nullok + auth required pam_deny.so + account required pam_unix.so + password required pam_cracklib.so retry=3 type= + password sufficient pam_unix.so nullok use_authtok md5shadow + password required pam_deny.so + session required pam_limits.so + session required pam_unix.so + ''; + krebs.exim-smarthost = { + authenticators.PLAIN = '' + driver = plaintext + server_prompts = : + server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" + server_set_id = $auth2 + ''; + authenticators.LOGIN = '' + driver = plaintext + server_prompts = "Username:: : Password::" + server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" + server_set_id = $auth1 + ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } + { from = "testuser@lassul.us"; to = "testuser"; } ]; system-aliases = [ ]; + ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/lassul.us/key.pem"; }; users.users.domsen = { 
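Review bot: Both `auth sufficient pam_unix.so likeauth nullok` and `password sufficient pam_unix.so nullok use_authtok md5shadow` in the new exim PAM stack carry `nullok`, which lets an account with an empty password field pass SMTP AUTH on the internet-facing ports opened in the same hunk (465, pop3s, imaps); drop `nullok` unless empty passwords are intended, and the `password` lines are not consulted by exim at all and could go. Exim's `pam` condition splits its argument on colons and, as its documentation notes, colons inside the password have to be doubled, so `server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"` should pass `''${sg{$auth3}{:}{::}}` (and the LOGIN authenticator `''${sg{$auth2}{:}{::}}`), otherwise any password containing `:` is rejected. A one-line comment on `security.pam.services.exim.text` saying that `check-password` is tried first and `pam_unix` is the fallback would help the next reader, since the `# TODO: make into its own module` above it is still open and the stack is now duplicated with lass/3modules/usershadow.nix.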
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 330d8ba86..467229c0c 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -188,6 +188,7 @@ rec { error_log /tmp/nginx_err.log; error_page 404 /404.html; error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; ''; locations = [ (nameValuePair "/" '' diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 60370b230..6e1e20dd3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -6,6 +6,7 @@ _: ./mysql-backup.nix ./umts.nix ./urxvtd.nix + ./usershadow.nix ./wordpress_nginx.nix ./xresources.nix ]; diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix index 01adc0409..7daaba89e 100644 --- a/lass/3modules/umts.nix +++ b/lass/3modules/umts.nix @@ -41,10 +41,6 @@ let wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113 - #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09"; - modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; - - # TODO: currently it is only netzclub umts-bin = pkgs.writeScriptBin "umts" '' #!/bin/sh set -euf diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix new file mode 100644 index 000000000..0e7e718a4 --- /dev/null +++ b/lass/3modules/usershadow.nix 
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + + cfg = config.lass.usershadow; + + out = { + options.lass.usershadow = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "usershadow"; + pattern = mkOption { + type = types.str; + default = "/home/%/.shadow"; + }; + }; + + imp = { + environment.systemPackages = [ usershadow ]; + security.pam.services.sshd.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + + security.pam.services.exim.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + }; + + usershadow = let { + deps = [ + "pwstore-fast" + "bytestring" + ]; + body = pkgs.writeHaskell "passwords" { + executables.verify = { + extra-depends = deps; + text = '' + import Data.Monoid + import System.IO + import Data.Char (chr) + import System.Environment (getEnv, getArgs) + import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.Exit (exitFailure, exitSuccess) + + main :: IO () + main = do + user <- getEnv "PAM_USER" + shadowFilePattern <- head <$> getArgs + let shadowFile = lhs <> user <> tail rhs + (lhs, rhs) = span (/= '%') shadowFilePattern + hash <- readFile shadowFile + password <- takeWhile (/= (chr 0)) <$> hGetLine stdin + let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) + if res then exitSuccess else exitFailure + ''; + }; + executables.passwd = { + extra-depends = deps; + text = '' + import System.Environment (getEnv) + import Crypto.PasswordStore (makePasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.IO (stdin, hSetEcho, putStr) + + main :: IO () + main = do + home <- getEnv "HOME" + 
putStr "password:" + hSetEcho stdin False + password <- BS8.hGetLine stdin + hash <- makePasswordWith pbkdf2 password 10 + BS8.writeFile (home ++ "/.shadow") hash + ''; + }; + }; + }; + +in out diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 3bb88a1a2..86e69b10c 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -43,6 +43,7 @@ import XMonad.Prompt (autoComplete, searchPredicate, XPConfig) import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy) import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent) import XMonad.Util.EZConfig (additionalKeysP) +import XMonad.Layout.SimpleFloat (simpleFloat) myTerm :: String @@ -75,7 +76,7 @@ mainNoArgs = do myLayoutHook = defLayout where - defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) + defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO () |
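Review bot: `security.pam.services.sshd.text` in lass/3modules/usershadow.nix replaces the whole sshd stack NixOS would otherwise generate, and it uses `pam_permit.so` for the account and session phases, so locked or expired accounts are no longer checked and the usual session modules (loginuid/systemd) no longer run for SSH logins; either say in a comment that this is deliberate or use `account required pam_unix.so` instead of the permit line. The same module also sets `security.pam.services.exim.text`, which will collide with the definition in lass/2configs/websites/domsen.nix on any host that enables `lass.usershadow` and imports that file. The `passwd` executable writes the hash with `BS8.writeFile (home ++ "/.shadow") hash`, whose mode follows the user's umask, so a default umask leaves the PBKDF2 hash readable by other local users; create the file with mode 0600 before writing (`setFileMode` from the `unix` package, which would need adding to `deps`) or enforce the mode from the module. `makePasswordWith pbkdf2 password 10` pairs with `verifyPasswordWith pbkdf2 (2^)`, i.e. only 2^10 iterations, which is low for a login path exposed to the network and costs users little to raise. In `verify`, `head <$> getArgs` and `tail rhs` are partial and raise when no argument is given or the pattern lacks `%`; they fail closed here, but `args <- getArgs; pattern <- case args of [p] -> pure p; _ -> exitFailure` states the intent without relying on an exception.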