summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile6
-rw-r--r--krebs/4lib/types.nix1
-rw-r--r--lass/1systems/mors.nix3
-rw-r--r--lass/1systems/prism.nix6
-rw-r--r--lass/1systems/uriel.nix39
-rw-r--r--lass/2configs/backups.nix34
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/iodined.nix20
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/tests/dummy-secrets/iodinepw.nix1
-rw-r--r--lass/2configs/websites/domsen.nix74
-rw-r--r--lass/2configs/websites/util.nix1
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/umts.nix4
-rw-r--r--lass/3modules/usershadow.nix85
-rw-r--r--lass/5pkgs/xmonad-lass.nix3
16 files changed, 233 insertions, 49 deletions
diff --git a/Makefile b/Makefile
index 4fa5bc885..09f6eafd7 100644
--- a/Makefile
+++ b/Makefile
@@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user))
$(if $(target_port),,$(error unbound variable: target_port))
$(if $(target_path),,$(error unbound variable: target_path))
-target ?= $(target_user)@$(target_host):$(target_port)$(target_path)
-
build = \
nix-build \
--no-out-link \
@@ -88,6 +86,8 @@ deploy:
nixos-rebuild $(rebuild-command) --show-trace -I $(target_path)
# usage: make populate system=foo
+populate: populate-target = \
+ $(target_user)@$(target_host):$(target_port)$(target_path)
ifeq ($(debug),true)
populate: populate-flags += --debug
endif
@@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh)
endif
populate:
$(call evaluate,config.krebs.build.source) --json --strict | \
- populate $(target) $(populate-flags)
+ populate $(populate-target) $(populate-flags)
# usage: make pkgs.populate
pkgs:;@$(error no package selected)
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 37d44606b..02ca2b8db 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -284,6 +284,7 @@ types // rec {
};
mail = mkOption {
type = str; # TODO retiolum mail address
+ default = "${config._module.args.name}@${config.networking.hostName}.r";
};
name = mkOption {
type = username;
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 1aa4d9b23..21e992a3e 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -194,6 +194,9 @@ with config.krebs.lib;
remmina
logf
+ iodine
+
+ macchanger
];
#TODO: fix this shit
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index c7c765302..b508103c5 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -23,6 +23,7 @@ in {
../2configs/buildbot-standalone.nix
../2configs/repo-sync.nix
../2configs/binary-cache/server.nix
+ ../2configs/iodined.nix
{
imports = [
../2configs/git.nix
@@ -260,6 +261,11 @@ in {
{ predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
];
}
+ {
+ krebs.repo-sync.timerConfig = {
+ OnCalendar = "*:0/5";
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 16c39280d..c6d4dbd89 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -1,25 +1,40 @@
{ config, pkgs, ... }:
with builtins;
+with config.krebs.lib;
{
imports = [
../.
../2configs/retiolum.nix
- ../2configs/baseX.nix
../2configs/exim-retiolum.nix
- ../2configs/browsers.nix
- ../2configs/games.nix
- ../2configs/pass.nix
- ../2configs/bird.nix
- ../2configs/git.nix
- ../2configs/chromium-patched.nix
- ../2configs/bitlbee.nix
- ../2configs/weechat.nix
- ../2configs/skype.nix
{
- lass.umts = {
+ # locke config
+ time.timeZone = "Europe/Berlin";
+ services.xserver.enable = true;
+ users.users.locke = {
+ uid = genid "locke";
+ home = "/home/locke";
+ group = "users";
+ createHome = true;
+ extraGroups = [
+ "audio"
+ "networkmanager"
+ ];
+ useDefaultShell = true;
+ };
+ networking.networkmanager.enable = true;
+ networking.wireless.enable = mkForce false;
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ };
+ environment.systemPackages = with pkgs; [
+ firefox
+ hexchat
+ networkmanagerapplet
+ ];
+ services.xserver.desktopManager.xfce = {
enable = true;
- modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
};
}
];
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
index 7d3046d43..916e08219 100644
--- a/lass/2configs/backups.nix
+++ b/lass/2configs/backups.nix
@@ -23,10 +23,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
- dishfire-http-uriel = {
+ dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
@@ -41,10 +41,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
- dishfire-sql-uriel = {
+ dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
@@ -53,10 +53,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
- prism-bitlbee-uriel = {
+ prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-mors = {
@@ -65,10 +65,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
- prism-chat-uriel = {
+ prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-mors = {
@@ -77,10 +77,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
- prism-sql-uriel = {
+ prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-mors = {
@@ -89,22 +89,22 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
- prism-http-uriel = {
+ prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
- uriel-home-mors = {
+ shodan-home-mors = {
method = "pull";
- src = { host = config.krebs.hosts.uriel; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
+ src = { host = config.krebs.hosts.shodan; path = "/home"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
- mors-home-uriel = {
+ mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
dishfire-http-helios = {
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 5575b7e7b..af3ed1d36 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -21,7 +21,6 @@ with config.krebs.lib;
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
];
};
@@ -37,7 +36,6 @@ with config.krebs.lib;
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
];
};
diff --git a/lass/2configs/iodined.nix b/lass/2configs/iodined.nix
new file mode 100644
index 000000000..ff254f39d
--- /dev/null
+++ b/lass/2configs/iodined.nix
@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+
+let
+ # TODO: make this a parameter
+ domain = "io.lassul.us";
+ pw = import <secrets/iodinepw.nix>;
+in {
+
+ services.iodined = {
+ enable = true;
+ domain = domain;
+ ip = "172.16.10.1/24";
+ extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 53"; target = "ACCEPT";}
+ ];
+
+}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 9e3fe888c..879da19bb 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/lassulus/nixpkgs;
- ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74";
+ ref = "8a8948167324f67d26a1c7ddc8e387128332b622";
};
}
diff --git a/lass/2configs/tests/dummy-secrets/iodinepw.nix b/lass/2configs/tests/dummy-secrets/iodinepw.nix
new file mode 100644
index 000000000..f5e704702
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/iodinepw.nix
@@ -0,0 +1 @@
+"derp"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index d5ad38c07..2f93c1f9c 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,9 +1,11 @@
{ config, pkgs, lib, ... }:
let
+
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid
- ;
+ genid_signed
+ ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl
servePage
@@ -20,6 +22,25 @@ let
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
+ check-password = pkgs.writeDash "check-password" ''
+ read pw
+
+ file="/home/$PAM_USER/.shadow"
+
+ #check if shadow file exists
+ test -e "$file" || exit 123
+
+ hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+ salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+ calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+ if [ "$calc_hash" == $hash ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ '';
+
in {
imports = [
./sqlBackup.nix
@@ -132,6 +153,9 @@ in {
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = "${sendmail} -t -i"
always_populate_raw_post_data = -1
+ upload_max_filesize = 100M
+ post_max_size = 100M
+ file_uploads = on
'';
} ''
cat ${pkgs.php}/etc/php-recommended.ini > $out
@@ -140,21 +164,53 @@ in {
# MAIL STUFF
# TODO: make into its own module
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Mail";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
- ];
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+ ];
+
+ security.pam.services.exim.text = ''
+ auth required pam_env.so
+ auth sufficient pam_exec.so debug expose_authtok ${check-password}
+ auth sufficient pam_unix.so likeauth nullok
+ auth required pam_deny.so
+ account required pam_unix.so
+ password required pam_cracklib.so retry=3 type=
+ password sufficient pam_unix.so nullok use_authtok md5shadow
+ password required pam_deny.so
+ session required pam_limits.so
+ session required pam_unix.so
+ '';
+
krebs.exim-smarthost = {
+ authenticators.PLAIN = ''
+ driver = plaintext
+ server_prompts = :
+ server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+ server_set_id = $auth2
+ '';
+ authenticators.LOGIN = ''
+ driver = plaintext
+ server_prompts = "Username:: : Password::"
+ server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+ server_set_id = $auth1
+ '';
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
+ { from = "testuser@lassul.us"; to = "testuser"; }
];
system-aliases = [
];
+ ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
users.users.domsen = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 330d8ba86..467229c0c 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -188,6 +188,7 @@ rec {
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
+ client_max_body_size 100m;
'';
locations = [
(nameValuePair "/" ''
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 60370b230..6e1e20dd3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -6,6 +6,7 @@ _:
./mysql-backup.nix
./umts.nix
./urxvtd.nix
+ ./usershadow.nix
./wordpress_nginx.nix
./xresources.nix
];
diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix
index 01adc0409..7daaba89e 100644
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@@ -41,10 +41,6 @@ let
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
- #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
- modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
-
- # TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+ cfg = config.lass.usershadow;
+
+ out = {
+ options.lass.usershadow = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "usershadow";
+ pattern = mkOption {
+ type = types.str;
+ default = "/home/%/.shadow";
+ };
+ };
+
+ imp = {
+ environment.systemPackages = [ usershadow ];
+ security.pam.services.sshd.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+
+ security.pam.services.exim.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+ };
+
+ usershadow = let {
+ deps = [
+ "pwstore-fast"
+ "bytestring"
+ ];
+ body = pkgs.writeHaskell "passwords" {
+ executables.verify = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ user <- getEnv "PAM_USER"
+ shadowFilePattern <- head <$> getArgs
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then exitSuccess else exitFailure
+ '';
+ };
+ executables.passwd = {
+ extra-depends = deps;
+ text = ''
+ import System.Environment (getEnv)
+ import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.IO (stdin, hSetEcho, putStr)
+
+ main :: IO ()
+ main = do
+ home <- getEnv "HOME"
+ putStr "password:"
+ hSetEcho stdin False
+ password <- BS8.hGetLine stdin
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ '';
+ };
+ };
+ };
+
+in out
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 3bb88a1a2..86e69b10c 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -43,6 +43,7 @@ import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent)
import XMonad.Util.EZConfig (additionalKeysP)
+import XMonad.Layout.SimpleFloat (simpleFloat)
myTerm :: String
@@ -75,7 +76,7 @@ mainNoArgs = do
myLayoutHook = defLayout
where
- defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1)
+ defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()