diff options
26 files changed, 150 insertions, 68 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 2ed5607f..c96b1472 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -246,12 +246,12 @@ let remote_smtp: driver = smtp - ${optionalString (cfg.dkim != []) '' + ${optionalString (cfg.dkim != []) (indent '' dkim_canon = relaxed dkim_domain = $sender_address_domain dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} - ''} + '')} helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ {$acl_m_special_dom} } diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix index a86f444d..218ac922 100644 --- a/krebs/3modules/go.nix +++ b/krebs/3modules/go.nix @@ -44,7 +44,7 @@ let wantedBy = [ "multi-user.target" ]; path = with pkgs; [ - go + go-shortener ]; environment = { @@ -57,7 +57,7 @@ let serviceConfig = { User = "go"; Restart = "always"; - ExecStart = "${pkgs.go}/bin/go"; + ExecStart = "${pkgs.go-shortener}/bin/go"; }; }; }; diff --git a/krebs/5pkgs/go/default.nix b/krebs/5pkgs/go-shortener/default.nix index 2871e5a9..996f7072 100644 --- a/krebs/5pkgs/go/default.nix +++ b/krebs/5pkgs/go-shortener/default.nix @@ -19,7 +19,7 @@ let }; in np.buildNodePackage { - name = "go"; + name = "go-shortener"; src = fetchgit { url = "http://cgit.lassul.us/go/"; diff --git a/krebs/5pkgs/go/packages.nix b/krebs/5pkgs/go-shortener/packages.nix index 9acfd765..9acfd765 100644 --- a/krebs/5pkgs/go/packages.nix +++ b/krebs/5pkgs/go-shortener/packages.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index c3d027ed..742d42bf 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -54,7 +54,7 @@ with import <stockholm/lib>; enable = true; package = pkgs.postgresql; }; - #virtualisation.docker.enable = true; + virtualisation.docker.enable = true; #users.users.mainUser.extraGroups = [ "docker" ]; } { diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 76710ac9..555e7fe1 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -224,6 +224,14 @@ in { OnCalendar = "*:0/5"; }; } + { + lass.usershadow = { + enable = true; + }; + } + { + virtualisation.libvirtd.enable = true; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index 9d1df1d7..09589838 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -75,6 +75,10 @@ with import <stockholm/lib>; fsType = "tmpfs"; options = ["nosuid" "nodev" "noatime"]; }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; }; services.udev.extraRules = '' diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 43c4d5b0..a7d2a6ce 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -46,6 +46,13 @@ with import <stockholm/lib>; NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; }; } + (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { + environment.variables = { + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; + }; + }) ]; networking.hostName = config.krebs.build.host.name; diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix index 7d694c17..f6ddbe96 100644 --- a/lass/2configs/go.nix +++ b/lass/2configs/go.nix @@ -3,7 +3,7 @@ with import <stockholm/lib>; { environment.systemPackages = [ - pkgs.go + pkgs.go-shortener ]; krebs.go = { enable = true; diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 4ef4c6ce..e665b6c6 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d"; + ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731"; }; } diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index f8814973..f2e4de6a 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -93,6 +93,7 @@ in { (sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") + (sync-remote "painload" "https://github.com/krebscode/painload") (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-retiolum "go") (sync-retiolum "much") diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 18c771fa..2a6df06f 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -103,27 +103,6 @@ in { "o_ubikmedia_de" ]; - krebs.backup.plans = { - prism-sql-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; }; - startAt = "00:01"; - }; - prism-http-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; }; - startAt = "00:10"; - }; - prism-o-ubikmedia-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/srv/o.ubikmedia.de-data"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; }; - startAt = "00:30"; - }; - }; - services.phpfpm.phpOptions = '' sendmail_path = ${sendmail} -t upload_max_filesize = 100M @@ -142,28 +121,26 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } ]; krebs.exim-smarthost = { authenticators.PLAIN = '' driver = plaintext - server_prompts = : - server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" - server_set_id = $auth2 + public_name = PLAIN + server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} ''; authenticators.LOGIN = '' driver = plaintext + public_name = LOGIN server_prompts = "Username:: : Password::" - server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" - server_set_id = $auth1 + server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } - { from = "testuser@lassul.us"; to = "testuser"; } ]; - system-aliases = [ + sender_domains = [ + "jla-trading.com" ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index d93d310d..52914f44 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -88,13 +88,7 @@ in { ]; }; - services.phpfpm.phpIni = pkgs.runCommand "php.ini" { - options = '' - extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - sendmail_path = "${sendmail} -t -i" - ''; - } '' - cat ${pkgs.php}/etc/php-recommended.ini > $out - echo "$options" >> $out + services.phpfpm.phpOptions = '' + sendmail_path = ${sendmail} -t ''; } diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index 1ee01e8d..a8ab1c52 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -13,22 +13,27 @@ type = types.str; default = "/home/%/.shadow"; }; + path = mkOption { + type = types.str; + }; }; imp = { environment.systemPackages = [ usershadow ]; + lass.usershadow.path = "${usershadow}"; security.pam.services.sshd.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} auth required pam_permit.so account required pam_permit.so session required pam_permit.so ''; - security.pam.services.exim.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + security.pam.services.dovecot2.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} auth required pam_permit.so account required pam_permit.so session required pam_permit.so + session required pam_env.so envfile=${config.system.build.pamEnvironment} ''; }; @@ -38,7 +43,7 @@ "bytestring" ]; body = pkgs.writeHaskell "passwords" { - executables.verify = { + executables.verify_pam = { extra-depends = deps; text = '' import Data.Monoid @@ -61,18 +66,42 @@ if res then exitSuccess else exitFailure ''; }; + executables.verify_arg = { + extra-depends = deps; + text = '' + import Data.Monoid + import System.IO + import Data.Char (chr) + import System.Environment (getEnv, getArgs) + import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.Exit (exitFailure, exitSuccess) + + main :: IO () + main = do + argsList <- getArgs + let shadowFilePattern = argsList !! 0 + let user = argsList !! 1 + let password = argsList !! 2 + let shadowFile = lhs <> user <> tail rhs + (lhs, rhs) = span (/= '%') shadowFilePattern + hash <- readFile shadowFile + let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) + if res then do (putStr "yes") else exitFailure + ''; + }; executables.passwd = { extra-depends = deps; text = '' import System.Environment (getEnv) import Crypto.PasswordStore (makePasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 - import System.IO (stdin, hSetEcho, putStr) + import System.IO (stdin, hSetEcho, putStrLn) main :: IO () main = do home <- getEnv "HOME" - putStr "password:" + putStrLn "password:" hSetEcho stdin False password <- BS8.hGetLine stdin hash <- makePasswordWith pbkdf2 password 10 diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 96b12b9d..0b05d514 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -112,14 +112,13 @@ displaySomeException = displayException myKeyMap :: [([Char], X ())] myKeyMap = [ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f") + , ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png") , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type") , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%") , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%") , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute 0 toggle") , ("<XF86AudioMicMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-source-mute 1 toggle") , ("<XF86Launch1>", gridselectWorkspace gridConfig W.view) - , ("<XF86MonBrightnessUp>", spawn "xbacklight -steps 1 -time 1 -inc 10") - , ("<XF86MonBrightnessDown>", spawn "xbacklight -steps 1 -time 1 -dec 10") , ("M4-a", focusUrgent) , ("M4-S-r", renameWorkspace def) @@ -129,6 +128,7 @@ myKeyMap = , ("M4-<Esc>", toggleWS) , ("M4-S-<Enter>", spawn urxvtcPath) , ("M4-x", floatNext True >> spawn urxvtcPath) + , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite") , ("M4-f", floatNext True) , ("M4-b", sendMessage ToggleStruts) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index bfd880b8..8a43d25f 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,6 +24,7 @@ in { ../2configs/torrent.nix ../2configs/graphite-standalone.nix ../2configs/sabnzbd.nix + ../2configs/gum-share.nix ../2configs/opentracker.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index e7f5d0da..e1aec360 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -32,7 +32,7 @@ # ../2configs/buildbot-standalone.nix # hardware specifics are in here - ../2configs/hw/tp-x220.nix + ../2configs/hw/tp-x230.nix ../2configs/hw/rtl8812au.nix ../2configs/hw/bcm4352.nix # mount points @@ -46,7 +46,7 @@ # temporary modules ../2configs/temp/share-samba.nix ../2configs/laptop-backup.nix - ../2configs/temp/elkstack.nix + #../2configs/temp/elkstack.nix # ../2configs/temp/sabnzbd.nix ../2configs/tinc/siem.nix #../2configs/torrent.nix @@ -62,7 +62,7 @@ environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; - # virtualisation.docker.enable = true; + virtualisation.docker.enable = true; # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cb6fe55b..db69be2f 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -10,7 +10,6 @@ with import <stockholm/lib>; } ./vim.nix ./binary-cache/nixos.nix - ./binary-cache/lass.nix ]; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); @@ -90,9 +89,14 @@ with import <stockholm/lib>; "d /tmp 1777 root root - -" ]; nix.nixPath = [ "/var/src" ]; - environment.variables = { + environment.variables = let + ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + in { NIX_PATH = mkForce "/var/src"; EDITOR = mkForce "vim"; + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; }; environment.systemPackages = with pkgs; [ diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 2877d222..091b7f21 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -6,7 +6,11 @@ let external-ip = config.krebs.build.host.nets.internet.ip4.addr; wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock"; in { - services.redis.enable = true; + services.redis = { + enable = true; + }; + systemd.services.redis.serviceConfig.LimitNOFILE=10032; + services.uwsgi = { enable = true; user = "nginx"; diff --git a/makefu/2configs/gum-share.nix b/makefu/2configs/gum-share.nix new file mode 100644 index 00000000..e578f43d --- /dev/null +++ b/makefu/2configs/gum-share.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + hostname = config.krebs.build.host.name; +in { + # users.users.smbguest = { + # name = "smbguest"; + # uid = config.ids.uids.smbguest; + # description = "smb guest user"; + # home = "/var/empty"; + # }; + + users.users.download = { }; + services.samba = { + enable = true; + shares = { + download = { + path = "/var/download"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "no"; + "valid users" = "download"; + }; + }; + extraConfig = '' + # guest account = smbguest + # map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p tcp --dport 445 -j ACCEPT + ''; +} diff --git a/makefu/2configs/hw/bcm4352.nix b/makefu/2configs/hw/bcm4352.nix index 516637eb..5dc8a144 100644 --- a/makefu/2configs/hw/bcm4352.nix +++ b/makefu/2configs/hw/bcm4352.nix @@ -1,6 +1,7 @@ {config, ...}: { networking.enableB43Firmware = true; + boot.kernelModules = [ "wl" ]; boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ]; } diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x230.nix index ce3e34ad..99563a77 100644 --- a/makefu/2configs/hw/tp-x220.nix +++ b/makefu/2configs/hw/tp-x230.nix @@ -5,9 +5,19 @@ with import <stockholm/lib>; imports = [ ./tp-x2x0.nix ]; boot = { - kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ]; - extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; + # tp-smapi is not supported bt x230 anymore + kernelModules = [ + "kvm-intel" + "thinkpad_ec" + # "acpi_call" + # "thinkpad_acpi" + # "tpm-rng" + ]; + extraModulePackages = [ + # config.boot.kernelPackages.acpi_call + ]; }; + services.acpid.enable = true; hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; services.xserver = { videoDriver = "intel"; @@ -15,8 +25,8 @@ with import <stockholm/lib>; Option "AccelMethod" "sna" ''; }; - - security.rngd.enable = true; + # no entropy source working + # security.rngd.enable = true; services.xserver.displayManager.sessionCommands ='' xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 2b615ecf..02bd8bb0 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -28,8 +28,9 @@ with import <stockholm/lib>; services.tlp.enable = true; services.tlp.extraConfig = '' # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery - #START_CHARGE_THRESH_BAT0=80 - STOP_CHARGE_THRESH_BAT0=95 + START_CHARGE_THRESH_BAT0=67 + STOP_CHARGE_THRESH_BAT0=100 + CPU_SCALING_GOVERNOR_ON_AC=performance CPU_SCALING_GOVERNOR_ON_BAT=ondemand @@ -40,6 +41,6 @@ with import <stockholm/lib>; ''; powerManagement.resumeCommands = '' - {pkgs.rfkill}/bin/rfkill unblock all + ${pkgs.rfkill}/bin/rfkill unblock all ''; } diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 22cf9c9b..9d0b7487 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -44,7 +44,6 @@ in { pm.min_spare_servers = 1 pm.max_spare_servers = 3 chdir = / - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix index dcb07246..c55b9446 100644 --- a/makefu/2configs/tinc/retiolum.nix +++ b/makefu/2configs/tinc/retiolum.nix @@ -1,4 +1,7 @@ _: { + imports = [ + ../binary-cache/lass.nix + ]; krebs.tinc.retiolum.enable = true; } diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix index 0d8f888f..d575d18b 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch.nix @@ -15,7 +15,7 @@ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ https://github.com/amadvance/snapraid/releases.atom - https://erdgeist.org/gitweb/opentracker/commit/ + https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack ]; }; } |