-rw-r--r-- | krebs/1systems/puyak/config.nix | 58 | ||||
-rw-r--r-- | krebs/1systems/puyak/source.nix | 3 | ||||
-rw-r--r-- | krebs/1systems/wolf/config.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/cgit-mirror.nix | 45 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/repo-sync.nix | 91 | ||||
-rw-r--r-- | krebs/2configs/secret-passwords.nix | 6 | ||||
-rw-r--r-- | krebs/2configs/shared-buildbot.nix | 34 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/krebs/default.nix | 36 | ||||
-rw-r--r-- | krebs/6tests/data/secrets/hashedPasswords.nix | 1 | ||||
-rw-r--r-- | lass/2configs/backups.nix | 88 | ||||
-rw-r--r-- | lass/2configs/buildbot-standalone.nix | 2 | ||||
-rw-r--r-- | makefu/1systems/gum/config.nix | 9 | ||||
-rw-r--r-- | makefu/1systems/omo/config.nix | 35 | ||||
-rw-r--r-- | makefu/1systems/studio/source.nix | 5 | ||||
-rw-r--r-- | shell.nix | 4 | ||||
-rw-r--r-- | tv/3modules/ejabberd/config.nix | 218 | ||||
-rw-r--r-- | tv/3modules/ejabberd/default.nix | 42 | ||||
-rw-r--r-- | tv/5pkgs/default.nix | 4 | ||||
-rw-r--r-- | tv/5pkgs/ejabberd/default.nix | 28 |
21 files changed, 474 insertions, 242 deletions
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
new file mode 100644
index 000000000..f55da019a
--- /dev/null
+++ b/krebs/1systems/puyak/config.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/secret-passwords.nix>
+
+ <stockholm/krebs/2configs/repo-sync.nix>
+ <stockholm/krebs/2configs/shared-buildbot.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.puyak;
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+
+ initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+ initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+ initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/pool-root";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/boot" = {
+ device = "/dev/sda2";
+ };
+ "/home" = {
+ device = "/dev/mapper/pool-home";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
+ };
+ };
+
+ hardware.enableAllFirmware = true;
+ networking.wireless.enable = true;
+ nixpkgs.config.allowUnfree = true;
+
+ services.logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ '';
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+ SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+ '';
+
+}
diff --git a/krebs/1systems/puyak/source.nix b/krebs/1systems/puyak/source.nix
new file mode 100644
index 000000000..a21651899
--- /dev/null
+++ b/krebs/1systems/puyak/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "puyak";
+}
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index b8cc1b4a1..32e7bd49d 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix @@ -11,7 +11,6 @@ in <stockholm/krebs/2configs/central-stats-client.nix> <stockholm/krebs/2configs/save-diskspace.nix> - <stockholm/krebs/2configs/cgit-mirror.nix> <stockholm/krebs/2configs/graphite.nix> <stockholm/krebs/2configs/repo-sync.nix> <stockholm/krebs/2configs/shared-buildbot.nix> @@ -101,6 +100,7 @@ in users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.ulrich.pubkey + config.krebs.users.makefu-omo.pubkey ]; time.timeZone = "Europe/Berlin"; diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix deleted file mode 100644 index c2326a5cc..000000000 --- a/krebs/2configs/cgit-mirror.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; -let - rules = with git; singleton { - user = [ wolf-repo-sync ]; - repo = [ stockholm-mirror ]; - perm = push ''refs/*'' [ non-fast-forward create delete merge ]; - }; - - stockholm-mirror = { - public = true; - name = "stockholm-mirror"; - cgit.desc = "mirror for all stockholm branches"; - hooks = { - post-receive = pkgs.git-hooks.irc-announce { - nick = config.networking.hostName; - verbose = false; - channel = "#retiolum"; - server = "ni.r"; - }; - }; - }; - - wolf-repo-sync = { - name = "wolf-repo-sync"; - mail = "spam@krebsco.de"; - # TODO put git-sync pubkey somewhere more appropriate - pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf''; - }; - -in { - krebs.users.wolf-repo-sync = wolf-repo-sync; - krebs.git = { - enable = true; - cgit = { - settings = { - root-title = "Shared Repos"; - root-desc = "keep on krebsing"; - }; - }; - inherit rules; - repos.stockholm-mirror = stockholm-mirror; - }; -} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 53ad56d65..901516e50 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -46,6 +46,6 @@ with import <stockholm/lib>; # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "15.09"; + system.stateVersion = "17.03"; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 637a26e3c..157a30e69 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix 
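Review bot: Raising `system.stateVersion` from "15.09" to "17.03" in the shared krebs/2configs/default.nix hunk changes the stateful defaults (for example the default version chosen for stateful services) for every host that imports this file, not only the new puyak. If an already-deployed host such as wolf imports it, that host's on-disk state may no longer match what the new defaults expect; stateVersion is normally pinned once per host at install time and left alone. Consider setting `system.stateVersion = "17.03";` in krebs/1systems/puyak/config.nix and leaving the shared default at "15.09", or add a comment in the shared file recording that every krebs host was checked against 17.03 before the bump.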
@@ -1,31 +1,80 @@ { config, lib, pkgs, ... }: -with lib; -{ - krebs.repo-sync = let - # TODO addMirrorURL function - mirror = "git@wolf:stockholm-mirror"; - in { - enable = true; - repos.stockholm = { - branches = { - makefu = { - origin.url = http://cgit.gum/stockholm ; - mirror.url = mirror; +with import <stockholm/lib>; + +let + mirror = "git@${config.networking.hostName}:"; + + defineRepo = name: announce: let + repo = { + public = true; + name = mkDefault "${name}"; + cgit.desc = mkDefault "mirror for ${name}"; + cgit.section = mkDefault "mirror"; + hooks = mkIf announce (mkDefault { + post-receive = pkgs.git-hooks.irc-announce { + nick = config.networking.hostName; + verbose = false; + channel = "#retiolum"; + server = "ni.r"; + branches = [ "newest" ]; }; - tv = { - origin.url = http://cgit.ni.r/stockholm; - mirror.url = mirror; + }); + }; + in { + rules = with git; singleton { + user = with config.krebs.users; [ + config.krebs.users."${config.networking.hostName}-repo-sync" + ]; + repo = [ repo ]; + perm = push ''refs/*'' [ non-fast-forward create delete merge ]; + }; + repos."${name}" = repo; + }; + + sync-retiolum = name: + { + krebs.repo-sync.repos.${name} = { + branches = { + makefu = { + origin.url = "http://cgit.gum/${name}"; + mirror.url = "${mirror}${name}"; + }; + tv = { + origin.url = "http://cgit.ni.r/${name}"; + mirror.url = "${mirror}${name}"; + }; + nin = { + origin.url = "http://cgit.onondaga.r/${name}"; + mirror.url = "${mirror}${name}"; + }; + lassulus = { + origin.url = "http://cgit.lassul.us/${name}"; + mirror.url = "${mirror}${name}"; + }; }; - lassulus = { - origin.url = http://cgit.prism/stockholm ; - mirror.url = mirror; + latest = { + url = "${mirror}${name}"; + ref = "heads/newest"; }; }; - latest = { - url = mirror; - ref = "heads/master"; + krebs.git = defineRepo name true; + }; + +in { + krebs.repo-sync = { + enable = true; + }; + krebs.git = { + enable = mkDefault true; + cgit = { + settings = { + root-title = "Shared Repos"; + 
root-desc = "keep on krebsing"; }; }; };
+ imports = [
+ (sync-retiolum "stockholm")
+ ];
}
diff --git a/krebs/2configs/secret-passwords.nix b/krebs/2configs/secret-passwords.nix
new file mode 100644
index 000000000..5d265eba6
--- /dev/null
+++ b/krebs/2configs/secret-passwords.nix
@@ -0,0 +1,6 @@
+{ ... }: with import <stockholm/lib>;
+{
+ users.extraUsers =
+ mapAttrs (_: h: { hashedPassword = h; })
+ (import <secrets/hashedPasswords.nix>);
+}
diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix
index efb41cc3e..a9e5afc75 100644
--- a/krebs/2configs/shared-buildbot.nix
+++ b/krebs/2configs/shared-buildbot.nix
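Review bot: The `with config.krebs.users;` wrapped around the new `user` list in repo-sync.nix is unused, because the single element is still spelled out as `config.krebs.users."${config.networking.hostName}-repo-sync"`; the line reads more clearly as `user = [ config.krebs.users."${config.networking.hostName}-repo-sync" ];`. In the same spirit, `name = mkDefault "${name}";` in defineRepo interpolates a string into itself and can be `name = mkDefault name;`. A short comment above `defineRepo` stating that it grants the host's repo-sync user full push rights (`non-fast-forward create delete merge` on `refs/*`) to a public mirror would help, since that permission set is the part of this file with security consequences and is currently undocumented.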
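Review bot: The new krebs/2configs/secret-passwords.nix feeds the hashes from `<secrets/hashedPasswords.nix>` into `users.extraUsers.<name>.hashedPassword`, and NixOS writes `hashedPassword` values into the generated user database that lives in the Nix store, which is world-readable, so every local user on the deployed host (and anyone who can read a binary cache the system closure is pushed to) can read the password hashes. If the nixpkgs in use provides `users.users.<name>.passwordFile`, pointing it at a file deployed outside the store is the usual way to keep the hash off the world-readable path; otherwise the exposure should at least be recorded next to the mapAttrs call, e.g. `# NOTE: hashedPassword lands in the world-readable Nix store; only use hashes you accept being readable by local users`. The `{}` stub in krebs/6tests/data/secrets/hashedPasswords.nix is fine for evaluation.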
@@ -1,30 +1,34 @@ { lib, config, pkgs, ... }: -# The buildbot config is self-contained and currently provides a way +# The buildbot config is self-contained and currently provides a way # to test "krebs" configuration (infrastructure to be used by every krebsminister). # You can add your own test, test steps as required. Deploy the config on a # krebs host like wolf and everything should be fine. # TODO for all users schedule a build for fast tests -{ +let + hostname = config.networking.hostName; +in { # due to the fact that we actually build stuff on the box via the daemon, # /nix/store should be cleaned up automatically as well - services.nginx.virtualHosts.build = { - serverAliases = [ "build.wolf.r" ]; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port}; - ''; + services.nginx = { + enable = true; + virtualHosts.build = { + serverAliases = [ "build.${hostname}.r" ]; + locations."/".extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; + ''; + }; }; nix.gc.automatic = true; nix.gc.dates = "05:23"; - networking.firewall.allowedTCPPorts = [ 8010 9989 ]; + networking.firewall.allowedTCPPorts = [ 80 8010 9989 ]; krebs.buildbot.master = let - stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ; + stockholm-mirror-url = "http://cgit.${hostname}.r/stockholm" ; in { - secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ]; workers = { testworker = "krebspass"; }; @@ -155,13 +159,13 @@ }; irc = { enable = true; - nick = "wolfbot"; + nick = "${hostname}bot"; server = "ni.r"; channels = [ { channel = "retiolum"; } ]; allowForce = true; }; extraConfig = '' - c['buildbotURL'] = "http://build.wolf.r/" + c['buildbotURL'] = "http://build.${hostname}.r/" ''; }; 
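Review bot: The new firewall line `networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];` keeps 8010 open even though the same hunk puts nginx in front of buildbot and moves the proxy target to `127.0.0.1`; an open 8010 lets clients bypass the proxy entirely, so unless something else needs direct access the line should be `networking.firewall.allowedTCPPorts = [ 80 9989 ];`. The worker port 9989 stays reachable with the pre-existing static `testworker = "krebspass"` credential visible in the context lines; that is not introduced here, but a comment stating which network (retiolum, presumably) the port is expected to be reachable from would document the assumption now that the file is hostname-generic. The enclosing `krebs.buildbot.master` attribute set continues outside this hunk.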
@@ -173,6 +177,6 @@ packages = with pkgs; [ gnumake jq nix populate ]; # all nix commands will need a working nixpkgs installation extraEnviron = { - NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./krebs/1systems/wolf.nix"; }; + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./krebs/1systems/${hostname}/config.nix:stockholm=./"; }; }; } diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 884108ebb..93211d9d4 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -569,7 +569,8 @@ let if ! test -d "$repodir"; then mkdir -m "$mode" "$repodir" git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" + # TODO fix correctly with stringAfter + chown -R ${toString config.users.users.git.uid}:nogroup "$repodir" fi ln -s ${hooks} "$repodir/hooks" '' diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 0aa0cac9d..f751b4f9f 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -30,6 +30,32 @@ let }); in { hosts = { + puyak = { + owner = config.krebs.users.krebs; + nets = { + retiolum = { + ip4.addr = "10.243.77.2"; + ip6.addr = "42:0:0:0:0:0:77:2"; + aliases = [ + "puyak.r" + "build.puyak.r" + "cgit.puyak.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955 + SwotAPBrOT5P3pZ52Pu326SR5nj9XWfN6GD0CkcDQddtRG5OOtUWlvkYzZraNh33 + p9l8TBgHJKogGe6umbs+4v7pWfbS0k708L2ttwY0ceju6RL6UqShIYB6qhDzwalU + p8s7pypl7BwrsTwYkUGleIptiN78cYv/NHvXhvXBuVGz4J0tCH4GMvdTHCah1l1r + zwEpKlAq0FD6bgYTJL94Tvxe2xzyr8c+xn1+XbJtMudGmrRjIHS6YupzO/Y2MO7w + UkbMKDhYVhSPFEyk6PMm0SU9uAh4I1+8BQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY"; + }; wolf = { owner = config.krebs.users.krebs; nets = { 
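Review bot: `chown -R ${toString config.users.users.git.uid}:nogroup "$repodir"` in the git.nix hunk degrades silently if the git user has no static uid: `toString null` evaluates to the empty string in Nix, so the command becomes `chown -R :nogroup "$repodir"`, which only changes the group and leaves the freshly initialised repo owned by whoever ran the script. Whether `users.users.git.uid` is pinned is not visible here; if it is not, fail at evaluation time instead, e.g. `chown -R ${toString (assert config.users.users.git.uid != null; config.users.users.git.uid)}:nogroup "$repodir"`, or keep the `git:` name and fix the ordering with `stringAfter` as the TODO already suggests. The surrounding shell snippet starts and ends outside the hunk.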
@@ -70,5 +96,15 @@ in { krebs = { pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary }; + puyak-repo-sync = { + name = "puyak-repo-sync"; + mail = "spam@krebsco.de"; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+18mG/cV1YbR9PXzuu3ScyV9kENy08OXUntpmgh9H2"; + }; + wolf-repo-sync = { + name = "wolf-repo-sync"; + mail = "spam@krebsco.de"; + pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf''; + }; }; } diff --git a/krebs/6tests/data/secrets/hashedPasswords.nix b/krebs/6tests/data/secrets/hashedPasswords.nix new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/krebs/6tests/data/secrets/hashedPasswords.nix @@ -0,0 +1 @@ +{} diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index b20e15dd9..abc55a0e1 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix @@ -2,6 +2,8 @@ with import <stockholm/lib>; { + # TODO add timerConfig to krebs.backup and randomize startup + # TODO define plans more abstract krebs.backup.plans = { } // mapAttrs (_: recursiveUpdate { snapshots = { @@ -17,6 +19,12 @@ with import <stockholm/lib>; dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; startAt = "03:00"; }; + dishfire-http-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; }; + startAt = "03:10"; + }; dishfire-http-mors = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; 
@@ -26,7 +34,7 @@ with import <stockholm/lib>; dishfire-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; startAt = "03:10"; }; dishfire-sql-prism = { @@ -35,6 +43,12 @@ with import <stockholm/lib>; dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; startAt = "03:15"; }; + dishfire-sql-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; }; + startAt = "03:25"; + }; dishfire-sql-mors = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; 
@@ -44,21 +58,33 @@ with import <stockholm/lib>; dishfire-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; + startAt = "03:25"; + }; + prism-bitlbee-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; prism-bitlbee-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; prism-bitlbee-shodan = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; + src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; + prism-chat-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; }; + startAt = "03:35"; + }; prism-chat-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; 
@@ -67,10 +93,16 @@ with import <stockholm/lib>; }; prism-chat-shodan = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; startAt = "03:35"; }; + prism-sql-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; }; + startAt = "03:45"; + }; prism-sql-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; @@ -79,10 +111,16 @@ with import <stockholm/lib>; }; prism-sql-shodan = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; startAt = "03:45"; }; + prism-http-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; }; + startAt = "03:55"; + }; prism-http-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; 
@@ -91,21 +129,45 @@ with import <stockholm/lib>; }; prism-http-shodan = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; startAt = "03:55"; }; - shodan-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; - startAt = "04:00"; + icarus-home-mors = { + method = "push"; + src = { host = config.krebs.hosts.icarus; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; }; + startAt = "05:00"; + }; + icarus-home-shodan = { + method = "push"; + src = { host = config.krebs.hosts.icarus; path = "/home"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; }; + startAt = "05:00"; + }; + mors-home-icarus = { + method = "push"; + src = { host = config.krebs.hosts.mors; path = "/home"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; }; + startAt = "05:00"; }; mors-home-shodan = { method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; + src = { host = config.krebs.hosts.mors; path = "/home"; }; dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; startAt = "05:00"; }; + shodan-home-icarus = { + method = "pull"; + src = { host = config.krebs.hosts.shodan; path = "/home"; }; + dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; }; + startAt = "04:00"; + }; + shodan-home-mors = { + method = "pull"; + src = { host = config.krebs.hosts.shodan; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; + startAt = "04:00"; + }; }; } diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 86e7880db..e1fe9fd23 100644 --- a/lass/2configs/buildbot-standalone.nix 
+++ b/lass/2configs/buildbot-standalone.nix @@ -80,7 +80,7 @@ in { ] ) - for i in [ "test-all-krebs-modules", "test-centos7", "test-minimal-deploy", "wolf" ]: + for i in [ "puyak", "test-all-krebs-modules", "test-centos7", "test-minimal-deploy", "wolf" ]: build_host("krebs", i) for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]: diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index aaddd8a68..bbb8cfe11 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -14,7 +14,7 @@ let in { imports = [ <stockholm/makefu> - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> + <nixpkgs/nixos/modules/profiles/qemu-guest.nix> <stockholm/makefu/2configs/headless.nix> <stockholm/makefu/2configs/fs/single-partition-ext4.nix> # <stockholm/makefu/2configs/smart-monitor.nix> @@ -33,6 +33,8 @@ in { <stockholm/makefu/2configs/tools/core.nix> <stockholm/makefu/2configs/tools/dev.nix> <stockholm/makefu/2configs/tools/sec.nix> + <stockholm/makefu/2configs/vim.nix> + <stockholm/makefu/2configs/zsh-user.nix> # services <stockholm/makefu/2configs/share/gum.nix> @@ -106,7 +108,10 @@ in { bepasty-client-cli get ]; - services.bitlbee.enable = true; + services.bitlbee = { + enable = true; + libpurple_plugins = [ pkgs.telegram-purple ]; + }; # Hardware boot.loader.grub.device = main-disk; diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 732f1d860..e43b203b4 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix 
@@ -53,14 +53,20 @@ in { <stockholm/makefu/2configs/share/omo.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> + # Logging - <stockholm/makefu/2configs/stats/server.nix #influx + grafana> + #influx + grafana + <stockholm/makefu/2configs/stats/server.nix> <stockholm/makefu/2configs/stats/client.nix> - <stockholm/makefu/2configs/stats/external/aralast.nix # logs to influx> + # logs to influx + <stockholm/makefu/2configs/stats/external/aralast.nix> # services <stockholm/makefu/2configs/syncthing.nix> <stockholm/makefu/2configs/mqtt.nix> + + # security + <stockholm/makefu/2configs/sshd-totp.nix> # <stockholm/makefu/2configs/logging/central-logging-client.nix> # <stockholm/makefu/2configs/torrent.nix> @@ -189,8 +195,29 @@ in { zramSwap.enable = true; krebs.Reaktor.reaktor = { - nickname = "Reaktor|bot"; - channels = [ "#krebs" "#shackspace" "#binaergewitter" ]; + nickname = "Reaktor|krebs"; + workdir = "/var/lib/Reaktor/krebs"; + channels = [ "#krebs" ]; + plugins = with pkgs.ReaktorPlugins;[ + stockholm-issue + nixos-version + sed-plugin + random-emoji ]; + }; + krebs.Reaktor.reaktor-shack = { + nickname = "Reaktor|shack"; + workdir = "/var/lib/Reaktor/shack"; + channels = [ "#shackspace" ]; + plugins = with pkgs.ReaktorPlugins;[ + shack-correct + # stockholm-issue + sed-plugin + random-emoji ]; + }; + krebs.Reaktor.reaktor-bgt = { + nickname = "Reaktor|bgt"; + workdir = "/var/lib/Reaktor/bgt"; + channels = [ "#binaergewitter" ]; plugins = with pkgs.ReaktorPlugins;[ titlebot # stockholm-issue diff --git a/makefu/1systems/studio/source.nix b/makefu/1systems/studio/source.nix index af0f37809..f662653e7 100644 --- a/makefu/1systems/studio/source.nix +++ b/makefu/1systems/studio/source.nix @@ -1,7 +1,4 @@ import <stockholm/makefu/source.nix> { name="studio"; - override.musnix.git = { - url = https://github.com/musnix/musnix.git; - ref = "d8b989f"; - }; + musnix = true; } 
@@ -47,10 +47,8 @@ let ''; init.env = pkgs.writeText "init.env" /* sh */ '' - config=''${config-$user/1systems/$system/config.nix} source=''${source-$user/1systems/$system/source.nix} - export config export source export system export target @@ -98,7 +96,6 @@ let --readonly-mode \ --show-trace \ --strict \ - -I nixos-config="$config" \ "$source") echo $_source | ${pkgs.populate}/bin/populate \ @@ -118,7 +115,6 @@ let STOCKHOLM_VERSION=$STOCKHOLM_VERSION \ nix-shell \ --run $(q \ - config=$config \ system=$system \ target=$target \ using_proxy=true \ diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix index 29c38fbe4..68bcfa340 100644 --- a/tv/3modules/ejabberd/config.nix +++ b/tv/3modules/ejabberd/config.nix 
@@ -1,93 +1,129 @@ -{ config, ... }: with import <stockholm/lib>; let - cfg = config.tv.ejabberd; +with import <stockholm/lib>; +{ config, ... }: let - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; -in toFile "ejabberd.conf" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, all}]}. - {language, "en"}. 
- {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", |