-rw-r--r-- | krebs/3modules/makefu/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/urlwatch.nix | 17 | ||||
-rw-r--r-- | lass/1systems/icarus.nix | 17 | ||||
-rw-r--r-- | lass/1systems/mors.nix | 47 | ||||
-rw-r--r-- | lass/2configs/buildbot-standalone.nix | 6 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 2 | ||||
-rw-r--r-- | lass/5pkgs/init/default.nix | 30 | ||||
-rw-r--r-- | makefu/1systems/gum.nix | 5 | ||||
-rw-r--r-- | makefu/1systems/vbob.nix | 1 | ||||
-rw-r--r-- | makefu/1systems/x.nix | 5 | ||||
-rw-r--r-- | makefu/2configs/lanparty/lancache.nix | 59 | ||||
-rw-r--r-- | makefu/2configs/sshd-totp.nix | 18 | ||||
-rw-r--r-- | makefu/2configs/tools/dev.nix | 1 | ||||
-rw-r--r-- | makefu/2configs/urlwatch.nix | 27 | ||||
-rw-r--r-- | makefu/2configs/urlwatch/default.nix | 45 | ||||
-rw-r--r-- | makefu/2configs/urlwatch/hook.py | 16 | ||||
-rw-r--r-- | makefu/5pkgs/gen-oath-safe/default.nix | 37 |
17 files changed, 208 insertions, 127 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 4c0ce0fe3..c517ac1d8 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -308,7 +308,6 @@ with import <stockholm/lib>; extraZones = { "krebsco.de" = '' wry IN A ${nets.internet.ip4.addr} - io IN NS wry.krebsco.de. tinc IN A ${nets.internet.ip4.addr} ''; }; @@ -470,6 +469,7 @@ with import <stockholm/lib>; wiki.euer IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. ''; }; nets = rec { diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index c06e5ddb1..463fa26ba 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -60,6 +60,7 @@ let description = "URL to watch."; example = [ https://nixos.org/channels/nixos-unstable/git-revision + { url = http://localhost ; filter = "grep:important.*stuff"; } ]; apply = map (x: getAttr (typeOf x) { set = x; @@ -79,7 +80,8 @@ let }; urlsFile = pkgs.writeText "urls" - (concatMapStringsSep "\n---\n" toJSON cfg.urls); + (concatMapStringsSep "\n---\n" + (x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls); hooksFile = cfg.hooksFile; @@ -142,17 +144,6 @@ let PrivateTmp = "true"; SyslogIdentifier = "urlwatch"; Type = "oneshot"; - ExecStartPre = - pkgs.writeDash "urlwatch-prestart" '' - set -euf - - dataDir=$HOME - - if ! test -e "$dataDir"; then - mkdir -m 0700 -p "$dataDir" - chown ${user.name}: "$dataDir" - fi - ''; ExecStart = pkgs.writeDash "urlwatch" '' set -euf @@ -185,6 +176,8 @@ let }; users.extraUsers = singleton { inherit (user) name uid; + home = cfg.dataDir; + createHome = true; }; }; diff --git a/lass/1systems/icarus.nix b/lass/1systems/icarus.nix index b869a67a7..13c517e3b 100644 --- a/lass/1systems/icarus.nix +++ b/lass/1systems/icarus.nix 
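Review bot: Dropping the `urlwatch-prestart` step in the @@ -142 hunk of krebs/3modules/urlwatch.nix hands creation of the state directory to `createHome = true;` in the users.extraUsers hunk, which runs at activation rather than at each service start; unlike the removed script it does not re-apply mode 0700 and ownership to a directory that already exists, so a pre-existing `cfg.dataDir` with looser permissions stays as it was. If that is acceptable, a comment next to `createHome = true;` such as `# state dir is created at activation; an existing dir is not re-permissioned` records the reasoning for the next reader. I believe NixOS creates the home directory 0700 in this case, but confirm against the NixOS release in use, since the removed script enforced that mode explicitly.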
@@ -6,9 +6,9 @@ with import <stockholm/lib>; ../. ../2configs/retiolum.nix ../2configs/hw/tp-x220.nix - ../2configs/baseX.nix ../2configs/git.nix ../2configs/exim-retiolum.nix + ../2configs/baseX.nix ../2configs/browsers.nix ../2configs/programs.nix ../2configs/fetchWallpaper.nix @@ -22,9 +22,9 @@ with import <stockholm/lib>; loader.grub.enable = true; loader.grub.version = 2; loader.grub.device = "/dev/sda"; - loader.grub.enableCryptodisk = true; + loader.grub.efiSupport = true; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; @@ -34,11 +34,14 @@ with import <stockholm/lib>; fsType = "btrfs"; options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; + "/boot" = { + device = "/dev/sda2"; }; + #"/bku" = { + # device = "/dev/mapper/pool-bku"; + # fsType = "btrfs"; + # options = ["defaults" "noatime" "ssd" "compress=lzo"]; + #}; "/home" = { device = "/dev/mapper/pool-home"; fsType = "btrfs"; diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index b9ab54503..0bfd54515 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
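Review bot: The new `"/boot" = { device = "/dev/sda2"; };` entry in the @@ -34 hunk gives no `fsType`, so the mount falls back to auto-detection even though lass/5pkgs/init in this same commit formats that partition with `mkfs.vfat`; adding `fsType = "vfat";` pins it and fails early if the wrong partition is named. The same entry appears in the lass/1systems/mors.nix hunk. Note also that with `enableCryptodisk` removed and `/boot` on its own partition, the kernel and initrd now live outside the LUKS volume while `/` and `/home` stay encrypted; that is the usual EFI layout, but it changes what the disk encryption covers and deserves a line in the commit message.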
@@ -96,49 +96,30 @@ with import <stockholm/lib>; loader.grub.enable = true; loader.grub.version = 2; loader.grub.device = "/dev/sda"; + loader.grub.efiSupport = true; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; fileSystems = { "/" = { - device = "/dev/big/nix"; - fsType = "ext4"; + device = "/dev/mapper/pool-root"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; - "/boot" = { - device = "/dev/sda1"; - }; - - "/mnt/loot" = { - device = "/dev/big/loot"; - fsType = "ext4"; + device = "/dev/sda2"; }; - + #"/bku" = { + # device = "/dev/mapper/pool-bku"; + # fsType = "btrfs"; + # options = ["defaults" "noatime" "ssd" "compress=lzo"]; + #}; "/home" = { - device = "/dev/big/home"; - fsType = "ext4"; - }; - - "/home/lass" = { - device = "/dev/big/home-lass"; - fsType = "ext4"; - }; - - "/home/games/.local/share/Steam" = { - device = "/dev/big/steam"; - fsType = "ext4"; - }; - - "/home/virtual/virtual" = { - device = "/dev/big/virtual"; - fsType = "ext4"; - }; - - "/mnt/conf" = { - device = "/dev/big/conf"; - fsType = "ext4"; + device = "/dev/mapper/pool-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; "/tmp" = { device = "tmpfs"; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index e765ddbb4..449feb382 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -120,9 +120,6 @@ in { system={}".format(host)] ) - for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]: - build_host(env_tv, i) - for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]: build_host(env_lass, i) 
@@ -135,6 +132,9 @@ in { for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]: build_host(env_shared, i) + for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]: + build_host(env_tv, i) + bu.append( util.BuilderConfig( name="build-hosts", diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index b8d00e7d4..fd2f1f765 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -32,6 +32,8 @@ with import <stockholm/lib>; { from = "feed@lassul.us"; to = lass.mail; } { from = "art@lassul.us"; to = lass.mail; } { from = "irgendwas@lassul.us"; to = lass.mail; } + { from = "polo@lassul.us"; to = lass.mail; } + { from = "shack@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/5pkgs/init/default.nix b/lass/5pkgs/init/default.nix index b484d2c38..679187531 100644 --- a/lass/5pkgs/init/default.nix +++ b/lass/5pkgs/init/default.nix @@ -19,14 +19,15 @@ pkgs.writeText "init" '' disk=${disk} - luksdev=${disk}2 + luksdev=${disk}3 luksmap=/dev/mapper/${luksmap} vgname=${vgname} + bootdev=/dev/sda2 + rootdev=/dev/mapper/${vgname}-root homedev=/dev/mapper/${vgname}-home - bkudev=/dev/mapper/${vgname}-bku # #generate keyfile @@ -49,7 +50,8 @@ pkgs.writeText "init" '' mklabel gpt \ mkpart no-fs 0 1024KiB \ set 1 bios_grub on \ - mkpart primary 1025KiB 100% + mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \ + mkpart primary 1025MiB 100% fi if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then 
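Review bot: `bootdev=/dev/sda2` in the @@ -19 hunk of lass/5pkgs/init/default.nix hardcodes the disk while the neighbouring `disk=${disk}` and `luksdev=${disk}3` derive it from the script's `disk` argument, so running the script against any other device would format and mount the ESP of /dev/sda; `bootdev=${disk}2` keeps the three consistent. In the @@ -49 hunk the new `mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \` line bundles two parted commands on one continuation line where the surrounding lines use one command per line; splitting it into `mkpart ESP fat32 1025KiB 1024MiB \` and `set 2 boot on \` matches the existing style. The generated script continues outside these hunks.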
@@ -78,9 +80,8 @@ pkgs.writeText "init" '' lvchange -a y /dev/mapper/"$vgname" - if ! test -e "$rootdev"; then lvcreate -L 100G -n root "$vgname"; fi - if ! test -e "$homedev"; then lvcreate -L 100G -n home "$vgname"; fi - if ! test -e "$bkudev"; then lvcreate -L 200G -n bku "$vgname"; fi + if ! test -e "$rootdev"; then lvcreate -L 7G -n root "$vgname"; fi + if ! test -e "$homedev"; then lvcreate -L 100M -n home "$vgname"; fi # lvchange -a n "$vgname" @@ -89,6 +90,10 @@ pkgs.writeText "init" '' # formatting # + if ! test "$(blkid -o value -s TYPE "$bootdev")" = vfat; then + mkfs.vfat "$bootdev" + fi + if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then mkfs.btrfs "$rootdev" fi @@ -97,22 +102,18 @@ pkgs.writeText "init" '' mkfs.btrfs "$homedev" fi - if ! test "$(blkid -o value -s TYPE "$bkudev")" = btrfs; then - mkfs.btrfs "$bkudev" - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then mount "$rootdev" /mnt fi + if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then + mkdir -m 0000 -p /mnt/boot + mount "$bootdev" /mnt/boot + fi if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then mkdir -m 0000 -p /mnt/home mount "$homedev" /mnt/home fi - if ! test "$(lsblk -n -o MOUNTPOINT "$bkudev")" = /mnt/bku; then - mkdir -m 0000 -p /mnt/bku - mount "$bkudev" /mnt/bku - fi # umount -R /mnt @@ -122,6 +123,7 @@ pkgs.writeText "init" '' nix-env -iA nixos.git + # TODO: get sentinal file from target_path mkdir -p /mnt/var/src touch /mnt/var/src/.populate diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..51761d3fd 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,7 +24,10 @@ in { # ../2configs/disable_v6.nix ../2configs/exim-retiolum.nix ../2configs/tinc/retiolum.nix - ../2configs/urlwatch.nix + ../2configs/urlwatch + + # Security + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix 
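Review bot: The new sizes `lvcreate -L 7G -n root` and `lvcreate -L 100M -n home` in the @@ -78 hunk look like test-VM values (the removed lines allocated 100G each), and a 100M volume is close to the smallest size `mkfs.btrfs` in the @@ -97 hunk will accept; if this script is meant to remain the general installer, either restore realistic defaults or lift the sizes into variables next to `bootdev`/`rootdev` so they are visible at the top of the script. I cannot tell from the hunks alone whether the script is only used for the icarus/mors rebuild in this commit, so treat this as a question rather than a defect. The `# TODO: get sentinal file from target_path` comment in the @@ -122 hunk has a typo: `sentinel`.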
diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index b79ec64c0..d8e275bf6 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,6 +8,7 @@ (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) ../2configs/main-laptop.nix #< base-gui + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index b37c32944..235862e85 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -19,6 +19,8 @@ with import <stockholm/lib>; # ../2configs/disable_v6.nix # Testing + # ../2configs/lanparty/lancache.nix + # ../2configs/lanparty/lancache-dns.nix # ../2configs/deployment/dirctator.nix # ../2configs/vncserver.nix # ../2configs/deployment/led-fader @@ -58,6 +60,9 @@ with import <stockholm/lib>; # Filesystem ../2configs/fs/sda-crypto-root-home.nix + # Security + ../2configs/sshd-totp.nix + ]; makefu.server.primary-itf = "wlp3s0"; diff --git a/makefu/2configs/lanparty/lancache.nix b/makefu/2configs/lanparty/lancache.nix index ff5b0d788..3df2e3f59 100644 --- a/makefu/2configs/lanparty/lancache.nix +++ b/makefu/2configs/lanparty/lancache.nix 
@@ -36,38 +36,39 @@ let }; in { systemd.services.nginx-lancache = { - description = "Nginx lancache Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; + description = "Nginx lancache Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; - preStart = '' - mkdir -p ${cfg.statedir} && cd ${cfg.statedir} - PATH_CACHE=$PATH_BASE/cache - PATH_LOGS=$PATH_BASE/logs + preStart = '' + mkdir -p ${cfg.statedir} && cd ${cfg.statedir} + PATH_CACHE=$PATH_BASE/cache + PATH_LOGS=$PATH_BASE/logs - mkdir -p cache/{installers,tmp} logs - rm -f conf; ln -s ${lancache} conf - chown -R ${cfg.user}:${cfg.group} . - ''; - serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; - RestartSec = "10s"; - StartLimitInterval = "1min"; - }; + mkdir -p cache/{installers,tmp} logs + rm -f conf; ln -s ${lancache} conf + chown -R ${cfg.user}:${cfg.group} . + ''; + serviceConfig = { + ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "10s"; + StartLimitInterval = "1min"; }; - environment.etc.nginx.source = lancache; - users.extraUsers = (singleton - { name = cfg.user; - group = cfg.group; - uid = genid cfg.group; - }); + }; - users.extraGroups = (singleton - { name = "${cfg.group}"; - gid = genid cfg.group; - }); + environment.etc.nginx.source = lancache; + users.extraUsers = (singleton + { name = cfg.user; + group = cfg.group; + uid = genid cfg.group; + }); + users.extraGroups = (singleton + { name = "${cfg.group}"; + gid = genid cfg.group; + }); + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/makefu/2configs/sshd-totp.nix 
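Review bot: The only substantive change in this hunk is `networking.firewall.allowedTCPPorts = [ 80 443 ];`, which exposes the lancache nginx on every interface of the host rather than only the LAN-party network; the rest of the hunk is re-indentation that hides that one line, so consider landing the reindent separately and scoping the ports to the LAN interface, or stating the assumption with a comment such as `# cache is reachable on all interfaces; only import this on LAN-party hosts`. makefu/1systems/x.nix in this commit imports the module only as a commented-out line, so the exposure is currently latent.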
@@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe <username> totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets/<host>/users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString <secrets>) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix index e40f5b36f..42006eb22 100644 --- a/makefu/2configs/tools/dev.nix +++ b/makefu/2configs/tools/dev.nix @@ -14,5 +14,6 @@ ovh-zone whatsupnix brain + gen-oath-safe ]; } diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix deleted file mode 100644 index 9493b2b7b..000000000 --- a/makefu/2configs/urlwatch.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, lib, ... }: - -{ - krebs.urlwatch = { - enable = true; - mailto = config.krebs.users.makefu.mail; - onCalendar = "*-*-* 05:00:00"; - urls = [ - ## nixpkgs maintenance - https://api.github.com/repos/ovh/python-ovh/tags - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/Mic92/vicious/tags - https://pypi.python.org/simple/bepasty/ - https://pypi.python.org/simple/xstatic/ - http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ - http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ - https://github.com/amadvance/snapraid/releases.atom - https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/dorimanx/exfat-nofuse/commits - https://api.github.com/repos/dorimanx/exfat-nofuse/tags - https://api.github.com/repos/radare/radare2/tags - https://api.github.com/repos/rapid7/metasploit-framework/tags - ]; - }; -} - 
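Review bot: The usage comment in makefu/2configs/sshd-totp.nix recommends `chmod 700` for `users.oath`, but that is a regular file, so `## copy last line into secrets/<host>/users.oath (chmod 600)` expresses the intent without an execute bit. As far as I know pam_oath rewrites the users file to record the last accepted code, so it must stay writable by root and must not be a read-only store path; building the path with `toString <secrets>` correctly keeps it out of the store, and a comment such as `# toString keeps the file out of /nix/store; pam_oath writes to it` would make that deliberate. The `# TODO assert existing` matters because a missing or unreadable users file makes the requisite module fail and locks out password logins on every host importing this file (gum, vbob and x in this commit); that is fail-closed, which is the safe direction, but it should be stated in the header comment.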
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix new file mode 100644 index 000000000..f17bcdc3a --- /dev/null +++ b/makefu/2configs/urlwatch/default.nix @@ -0,0 +1,45 @@ +{ config, lib, ... }: + +{ + krebs.urlwatch = { + enable = true; + mailto = config.krebs.users.makefu.mail; + onCalendar = "*-*-* 05:00:00"; + hooksFile = ./hook.py; + urls = [ + ## nixpkgs maintenance + # github + ## No rate limit + https://github.com/amadvance/snapraid/releases.atom + https://github.com/radare/radare2/releases.atom + https://github.com/ovh/python-ovh/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/Mic92/vicious/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/dorimanx/exfat-nofuse/releases.atom + https://github.com/rapid7/metasploit-framework/releases.atom + ## rate limited + # https://api.github.com/repos/dorimanx/exfat-nofuse/commits + # https://api.github.com/repos/mcepl/gen-oath-safe/commits + https://api.github.com/repos/naim94a/udpt/commits + https://api.github.com/repos/dirkvdb/ps3netsrv--/commits + + # pypi + https://pypi.python.org/simple/bepasty/ + https://pypi.python.org/simple/xstatic/ + https://pypi.python.org/simple/devpi-client/ + # weird shit + http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ + http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ + https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack + https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack + + { + url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ; + filter = "grep:Software/Linux/dymo-cups-drivers"; + } + # TODO: dymo cups + ]; + }; +} + diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py new file mode 100644 index 000000000..7d9282c7e --- /dev/null +++ b/makefu/2configs/urlwatch/hook.py 
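Review bot: The entry `http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/` carries a credential in the URL, and krebs/3modules/urlwatch.nix in this same commit serializes `cfg.urls` with `pkgs.writeText "urls"`, so the credential lands in a world-readable `/nix/store` path on every host importing this file; if the guest login is genuinely public, a comment such as `# public guest login, intentionally kept in the store` next to it records that, otherwise move it out of the Nix expression. `https://github.com/embray/d2to1/releases.atom` is listed twice in the github block, so it will be fetched and reported twice.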
@@ -0,0 +1,16 @@ +import logging +logging.basicConfig(level=logging.INFO) +log = logging.getLogger() +log.setLevel(level=logging.INFO) + +import re +import json + +from urlwatch import filters + + +class JsonFilter(filters.RegexMatchFilter): + MATCH = {'url': re.compile('https?://api.github.com/.*')} + + def filter(self, data): + return json.dumps(json.loads(data),indent=2,sort_keys=True) diff --git a/makefu/5pkgs/gen-oath-safe/default.nix b/makefu/5pkgs/gen-oath-safe/default.nix new file mode 100644 index 000000000..245e65174 --- /dev/null +++ b/makefu/5pkgs/gen-oath-safe/default.nix @@ -0,0 +1,37 @@ +{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }: + +stdenv.mkDerivation { + name = "geno-oath-safe-2017-06-30"; + src = fetchFromGitHub { + owner = "mcepl"; + repo = "gen-oath-safe"; + rev = "fb53841"; + sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m"; + }; + + phases = [ + "unpackPhase" + "installPhase" + "fixupPhase" + ]; + + buildInputs = [ makeWrapper ]; + + installPhase = + let + path = stdenv.lib.makeBinPath [ + coreutils + openssl + qrencode + yubikey-manager + libcaca + python + ]; + in + '' + mkdir -p $out/bin + cp gen-oath-safe $out/bin/ + wrapProgram $out/bin/gen-oath-safe \ + --prefix PATH : ${path} + ''; +} |
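Review bot: The `MATCH` regex in `JsonFilter` leaves the dots in `api.github.com` unescaped, so it also matches hosts such as `api-github.com`; `MATCH = {'url': re.compile(r'https?://api\.github\.com/')}` is tighter, and the trailing `.*` is redundant if `RegexMatchFilter` applies `.match` as I believe it does (confirm against the urlwatch version in use). The module-level `logging.basicConfig(level=logging.INFO)` and `log` setup reconfigure the root logger of the urlwatch process on import and `log` is never used in the filter; dropping those four lines leaves the hook with only what it needs.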
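Review bot: `name = "geno-oath-safe-2017-06-30";` misspells the package; `name = "gen-oath-safe-2017-06-30";` matches the installed binary and the `gen-oath-safe` attribute referenced from makefu/2configs/tools/dev.nix. `rev = "fb53841"` is an abbreviated commit id; the `sha256` pins the content, but a full 40-character rev (placeholder: `<full commit hash>`) keeps the fetch stable if the prefix ever becomes ambiguous. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs = [ makeWrapper ];` rather than `buildInputs`.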