-rw-r--r--0make/lass/cloudkrebs.makefile4
-rw-r--r--1systems/lass/cloudkrebs.nix33
-rw-r--r--1systems/lass/mors.nix30
-rw-r--r--1systems/lass/uriel.nix46
-rw-r--r--2configs/lass/base.nix70
-rw-r--r--2configs/lass/desktop-base.nix6
-rw-r--r--2configs/lass/fastpoke-pages.nix103
-rw-r--r--2configs/lass/git-repos.nix4
-rw-r--r--2configs/lass/retiolum.nix29
-rw-r--r--3modules/lass/iptables.nix2
10 files changed, 221 insertions, 106 deletions
diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile
new file mode 100644
index 000000000..baf7660b4
--- /dev/null
+++ b/0make/lass/cloudkrebs.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@cloudkrebs
+nixpkgs_url := https://github.com/Lassulus/nixpkgs
+nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
+secrets_dir := /home/lass/secrets/cloudkrebs
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix
new file mode 100644
index 000000000..8b3e41584
--- /dev/null
+++ b/1systems/lass/cloudkrebs.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../2configs/tv/CAC-Developer-2.nix
+ ../../2configs/tv/CAC-CentOS-7-64bit.nix
+ ../../2configs/lass/base.nix
+ ../../2configs/lass/retiolum.nix
+ ../../2configs/lass/fastpoke-pages.nix
+ {
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "104.167.113.104";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "104.167.113.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ }
+ {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
+ enable = true;
+ };
+ }
+ ];
+
+ networking.hostName = "cloudkrebs";
+
+}
diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix
index 940dc4fdb..300738089 100644
--- a/1systems/lass/mors.nix
+++ b/1systems/lass/mors.nix
@@ -8,7 +8,6 @@
../../2configs/lass/browsers.nix
../../2configs/lass/games.nix
../../2configs/lass/pass.nix
- ../../2configs/lass/vim.nix
../../2configs/lass/virtualbox.nix
../../2configs/lass/elster.nix
../../2configs/lass/urxvt.nix
@@ -20,19 +19,7 @@
../../2configs/lass/chromium-patched.nix
../../2configs/lass/git-repos.nix
../../2configs/tv/synaptics.nix
- ../../2configs/tv/exim-retiolum.nix
- {
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
- enable = true;
- hosts = ../../Zhosts;
- connectTo = [
- "fastpoke"
- "gum"
- "pigstarter"
- ];
- };
- }
+ ../../2configs/lass/retiolum.nix
{
imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
@@ -168,21 +155,6 @@
'';
};
- users.extraUsers = {
- #main user
- mainUser = {
- uid = 1337;
- name = "lass";
- #isNormalUser = true;
- group = "users";
- createHome = true;
- home = "/home/lass";
- useDefaultShell = true;
- isSystemUser = false;
- extraGroups = [ "wheel" "audio" ];
- };
- };
-
environment.systemPackages = with pkgs; [
];
diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix
index 25745d055..a6f5a82d6 100644
--- a/1systems/lass/uriel.nix
+++ b/1systems/lass/uriel.nix
@@ -1,33 +1,30 @@
{ config, pkgs, ... }:
+with builtins;
{
imports = [
../../2configs/lass/desktop-base.nix
../../2configs/lass/browsers.nix
../../2configs/lass/games.nix
../../2configs/lass/pass.nix
- ../../2configs/lass/vim.nix
../../2configs/lass/urxvt.nix
../../2configs/lass/bird.nix
../../2configs/lass/git-repos.nix
../../2configs/lass/chromium-patched.nix
- ../../2configs/tv/exim-retiolum.nix
+ ../../2configs/lass/retiolum.nix
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
enable = true;
- hosts = ../../Zhosts;
- connectTo = [
- "fastpoke"
- "gum"
- "pigstarter"
- ];
};
}
{
- imports = [ ../../3modules/tv/identity.nix ];
- tv.identity = {
- enable = true;
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = map readFile [
+ ../../Zpubkeys/uriel.ssh.pub
+ ];
+ };
};
}
];
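Review bot: The new `users.extraUsers.root.openssh.authorizedKeys.keys` entry installs `../../Zpubkeys/uriel.ssh.pub` as a root login key on uriel, in addition to the `lass.ssh.pub` key that base.nix now installs for root on every host. If that file is the public half of a key pair kept on uriel itself, anyone who can read the private half on that machine can become root over SSH without the password from hashedPasswords.nix; where the private key lives and which user owns it is not visible in this diff. A one-line comment stating whose key it is and why root needs it, e.g. `# <key owner/purpose>: needed so <reason> can reach root@uriel`, would make the intent checkable by the next reader. The file's `imports` list continues past this hunk.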
@@ -87,29 +84,6 @@
'';
};
- users.extraUsers = {
- root = {
- openssh.authorizedKeys.keys = [
- config.sshKeys.lass.pub
- ];
- };
- mainUser = {
- uid = 1337;
- name = "lass";
- #isNormalUser = true;
- group = "users";
- createHome = true;
- home = "/home/lass";
- useDefaultShell = true;
- isSystemUser = false;
- description = "lassulus";
- extraGroups = [ "wheel" "audio" ];
- openssh.authorizedKeys.keys = [
- config.sshKeys.lass.pub
- ];
- };
- };
-
environment.systemPackages = with pkgs; [
];
diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix
index 5e5b8a7b1..494cafa95 100644
--- a/2configs/lass/base.nix
+++ b/2configs/lass/base.nix
@@ -3,14 +3,37 @@
with lib;
{
imports = [
- ./sshkeys.nix
../../3modules/lass/iptables.nix
+ ../../2configs/lass/vim.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import /root/src/secrets/hashedPasswords.nix);
}
-
+ {
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = map readFile [
+ ../../Zpubkeys/lass.ssh.pub
+ ];
+ };
+ mainUser = {
+ name = "lass";
+ uid = 1337;
+ home = "/home/lass";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "audio"
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = map readFile [
+ ../../Zpubkeys/lass.ssh.pub
+ ];
+ };
+ };
+ }
];
nix.useChroot = true;
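Review bot: The list `map readFile [ ../../Zpubkeys/lass.ssh.pub ]` is written out twice in the new `users.extraUsers` block, once for `root` and once for `mainUser`, so a key rotation has to be applied in two places and can silently diverge. Binding it once, e.g. `let lassKeys = map readFile [ ../../Zpubkeys/lass.ssh.pub ]; in` ahead of the attribute set and using `openssh.authorizedKeys.keys = lassKeys;` in both users, removes that risk. The old per-host definitions also set `isSystemUser = false` and a `description`; dropping them looks intentional since the defaults match, but a short comment on the block saying it replaces the copies formerly in mors.nix and uriel.nix would help. The `imports` list this block sits in starts before the hunk.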
@@ -30,6 +53,8 @@ with lib;
'';
environment.systemPackages = with pkgs; [
+ nmap
+
git
most
rxvt_unicode.terminfo
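Review bot: `nmap` is added to the package set of base.nix, which every host in this tree imports, including the internet-facing cloudkrebs created in this commit. A network scanner belongs in desktop-base.nix or a per-host config rather than on a public server, where it only adds ready-made tooling for anyone who obtains a shell. If it really is wanted everywhere, a comment above the entry saying why, e.g. `# nmap: needed on all hosts for <reason>`, would stop the next reader from moving it. The systemPackages list continues past the hunk.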
@@ -77,11 +102,11 @@ with lib;
"sendmail"
];
- services.gitolite = {
- enable = true;
- dataDir = "/home/gitolite";
- adminPubkey = config.sshKeys.lass.pub;
- };
+ #services.gitolite = {
+ # enable = true;
+ # dataDir = "/home/gitolite";
+ # adminPubkey = config.sshKeys.lass.pub;
+ #};
services.openssh = {
enable = true;
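Review bot: The commented-out gitolite block keeps the line `# adminPubkey = config.sshKeys.lass.pub;`, but the `./sshkeys.nix` import that provides that option is removed from base.nix in the first hunk of this file, so uncommenting the block as written would no longer evaluate. Either delete the dead block outright (history keeps it) or update it to the new key source, `# adminPubkey = readFile ../../Zpubkeys/lass.ssh.pub;`, so it can be re-enabled by uncommenting. The `services.openssh` block that follows continues past the hunk.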
@@ -102,35 +127,12 @@ with lib;
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
- { predicate = "-i lo"; target = "ACCEPT"; }
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { predicate = "-p icmp"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+ { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+ { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
];
};
};
- #Networking.firewall = {
- # enable = true;
-
- # allowedTCPPorts = [
- # 22
- # ];
-
- # extraCommands = ''
- # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # iptables -A INPUT -j ACCEPT -i lo
- # #http://serverfault.com/questions/84963/why-not-block-icmp
- # iptables -A INPUT -j ACCEPT -p icmp
-
- # #TODO: fix Retiolum firewall
- # #iptables -N RETIOLUM
- # #iptables -A INPUT -j RETIOLUM -i retiolum
- # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
- # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
- # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
- # #iptables -A RETIOLUM -j REJECT
- # '';
- #};
}
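Review bot: The four new `precedence` values (10001 down to 9998) are bare numbers whose meaning comes entirely from the `buildChain` sort in 3modules/lass/iptables.nix, which this commit flips to descending, so nothing in base.nix tells a reader that a larger number is emitted earlier or how these relate to the rules that retiolum.nix and fastpoke-pages.nix add without any precedence (their default is not visible on this page). A comment above the list such as `# higher precedence is emitted earlier in the chain (see 3modules/lass/iptables.nix buildChain); these must stay ahead of rules that rely on the module default` would capture that, and it is worth confirming that the default does sort below 9998 so conntrack, icmp, lo and ssh keep running first. The enclosing `lass.iptables` attribute set begins before this hunk.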
diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix
index ee7a94bc9..9b98e4a8b 100644
--- a/2configs/lass/desktop-base.nix
+++ b/2configs/lass/desktop-base.nix
@@ -55,11 +55,9 @@ in {
displayManager.auto.enable = true;
displayManager.auto.user = mainUser.name;
- layout = "us,de";
+ layout = "us";
xkbModel = "evdev";
- xkbVariant = "altgr-intl,nodeadkeys";
- xkbOptions = "grp:caps_toggle";
-
+ xkbVariant = "altgr-intl";
};
}
diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix
new file mode 100644
index 000000000..2fd9a863a
--- /dev/null
+++ b/2configs/lass/fastpoke-pages.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ imports = [
+ ../../3modules/tv/nginx.nix
+ ../../3modules/lass/iptables.nix
+ ];
+
+ lass.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+ ];
+ };
+ };
+
+ #createStaticPage = domain:
+ # {
+ # irc.nginx.servers."${domain}" = {
+ # server-names = [
+ # "${domain}"
+ # "www.${domain}"
+ # ];
+ # locations = [
+ # (nameValuePair "/" ''
+ # root /var/lib/http/${domain};
+ # '')
+ # ];
+ # };
+ # networking.extraHosts = ''
+ # 10.243.206.102 ${domain}
+ # '';
+ # };
+
+ #map createStaticPage [
+ # "habsys.de"
+ # "pixelpocket.de"
+ # "karlaskop.de"
+ # "ubikmedia.de"
+ # "apanowicz.de"
+ # "aidsballs.de"
+ #];
+
+ tv.nginx = {
+ enable = true;
+ servers = {
+
+ "habsys.de" = {
+ server-names = [
+ "habsys.de"
+ "www.habsys.de"
+ ];
+ locations = [
+ (nameValuePair "/" ''
+ root /var/lib/http/habsys.de;
+ '')
+ ];
+ };
+
+ "karlaskop.de" = {
+ server-names = [
+ "karlaskop.de"
+ "www.karlaskop.de"
+ ];
+ locations = [
+ (nameValuePair "/" ''
+ root /var/lib/http/karlaskop.de;
+ '')
+ ];
+ };
+
+ "pixelpocket.de" = {
+ server-names = [
+ "pixelpocket.de"
+ "www.karlaskop.de"
+ ];
+ locations = [
+ (nameValuePair "/" ''
+ root /var/lib/http/karlaskop.de;
+ '')
+ ];
+ };
+
+ };
+ };
+
+ networking.extraHosts = ''
+ 10.243.206.102 habsys.de karlaskop.de pixelpocket.de ubikmedia.de apanowicz.de
+ 10.243.206.102 aidsballs.de
+ '';
+
+ #services.postgresql = {
+ # enable = true;
+ #};
+
+ #config.services.vsftpd = {
+ # enable = true;
+ # userlistEnable = true;
+ # userlistFile = pkgs.writeFile "vsftpd-userlist" ''
+ # '';
+ #};
+}
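Review bot: The `"pixelpocket.de"` server block is a copy of the karlaskop.de one with only the attribute name changed: its second server name is `"www.karlaskop.de"` and its root is `/var/lib/http/karlaskop.de`, so www.karlaskop.de is claimed by two server blocks (nginx normally keeps the first and warns about the duplicate) and pixelpocket.de serves karlaskop.de's files. The two lines should read `"www.pixelpocket.de"` and `root /var/lib/http/pixelpocket.de;`. The commented-out `createStaticPage` generator above would have avoided exactly this kind of drift, and the `networking.extraHosts` block lists ubikmedia.de, apanowicz.de and aidsballs.de for which no server is defined, which is worth a comment if that is deliberate. The `-p tcp --dport http` rule carries no `precedence`, unlike the rules base.nix now sets explicitly, so its position in INPUT depends on a module default not shown here.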
diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix
index c0c305b85..b4f446aef 100644
--- a/2configs/lass/git-repos.nix
+++ b/2configs/lass/git-repos.nix
@@ -39,7 +39,7 @@ let
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
- server = "ire.retiolum";
+ server = "cd.retiolum";
};
};
};
@@ -63,7 +63,7 @@ let
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
- server = "ire.retiolum";
+ server = "cd.retiolum";
};
};
public = true;
diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix
new file mode 100644
index 000000000..d1389ad2a
--- /dev/null
+++ b/2configs/lass/retiolum.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ imports = [
+ ../../3modules/lass/iptables.nix
+ ../../3modules/tv/retiolum.nix
+ ../../2configs/tv/exim-retiolum.nix
+ ];
+
+ lass.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+ ];
+ };
+ };
+
+ tv.retiolum = {
+ enable = true;
+ hosts = ../../Zhosts;
+ connectTo = [
+ "fastpoke"
+ "cloudkrebs"
+ "pigstarter"
+ ];
+ };
+}
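Review bot: The `{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }` rule accepts SMTP on every interface, not just the retiolum tunnel, and this file is now imported by mors, uriel and the new internet-facing cloudkrebs, so the exim instance from exim-retiolum.nix becomes reachable from the public side unless exim itself binds only to the retiolum address (that configuration is not on this page). Restricting the rule to the tunnel, `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }`, matches the intent the file name expresses; the tinc rules must stay interface-wide because they carry the tunnel itself. A short header comment naming which hosts import this file and why the three ports are opened would also help, as would noting that these rules have no explicit `precedence` while base.nix's now do.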
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index c97b9f730..8c6ad3fa1 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -106,7 +106,7 @@ let
buildChain = tn: cn:
let
- sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
in
#TODO: double check should be unneccessary, refactor!