diff options
40 files changed, 756 insertions, 124 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 498282b0..0be16625 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -33,7 +33,7 @@ let in { hosts = addNames { echelon = { - cores = 4; + cores = 2; dc = "lass"; #dc = "cac"; nets = rec { internet = { @@ -66,6 +66,39 @@ in { ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK"; }; + prism = { + cores = 4; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["213.239.205.240"]; + aliases = [ + "prism.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.0.103"]; + addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; + aliases = [ + "prism.retiolum" + "cgit.prism.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl + kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl + JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I + AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5 + jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j + anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKVjJrM7fHfHpvZXEA3hmX4JliHl6h6Q8AGOPcu+9fF"; + }; fastpoke = { dc = "lass"; nets = rec { diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 94c9b0fb..182a068e 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -11,12 +11,28 @@ prepare() {( ;; centos) case $VERSION_ID in + 6) + prepare_centos "$@" + exit + ;; 7) prepare_centos "$@" exit ;; esac ;; + debian) + case $VERSION_ID in + 7) + prepare_debian "$@" + exit + ;; + 8) + prepare_debian "$@" + exit + ;; + esac + ;; esac elif test -e /etc/centos-release; then case $(cat /etc/centos-release) in @@ -31,6 +47,7 @@ prepare() {( )} prepare_arch() { + pacman -Sy type bzip2 2>/dev/null || pacman -S --noconfirm bzip2 type git 2>/dev/null || pacman -S --noconfirm git type rsync 2>/dev/null || pacman -S --noconfirm rsync @@ -44,6 +61,14 @@ prepare_centos() { prepare_common } +prepare_debian() { + apt-get update + type bzip2 2>/dev/null || apt-get install bzip2 + type git 2>/dev/null || apt-get install git + type rsync 2>/dev/null || apt-get install rsync + prepare_common +} + prepare_common() { if ! getent group nixbld >/dev/null; then diff --git a/krebs/Zhosts/prism b/krebs/Zhosts/prism new file mode 100644 index 00000000..4c875631 --- /dev/null +++ b/krebs/Zhosts/prism @@ -0,0 +1,12 @@ +Address = 213.239.205.240 +Subnet = 10.243.0.103 +Subnet = 42:0000:0000:0000:0000:0000:0000:15ab + +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl +kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl +JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I +AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5 +jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j +anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 94c793b0..dc0ca027 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -47,6 +47,23 @@ in { { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; } ]; } + { + users.extraUsers = { + satan = { + name = "satan"; + uid = 1338; + home = "/home/satan"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com" + ]; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.echelon; diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix new file mode 100644 index 00000000..570cdfb7 --- /dev/null +++ b/lass/1systems/prism.nix @@ -0,0 +1,88 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) head; + + ip = (head config.krebs.build.host.nets.internet.addrs4); +in { + imports = [ + ../2configs/base.nix + ../2configs/downloading.nix + { + users.extraGroups = { + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + }; + } + { + networking.interfaces.et0.ip4 = [ + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = "213.239.205.225"; + networking.nameservers = [ + "8.8.8.8" + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0" + ''; + + } + { + #boot.loader.gummiboot.enable = true; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/pool/nix"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36"; + }; + + fileSystems."/var/download" = { + device = "/dev/pool/download"; + }; + + } + { + sound.enable = false; + } + { + #workaround for server dying after 6-7h + boot.kernelPackages = pkgs.linuxPackages_4_2; + } + ]; + + krebs.build.host = config.krebs.hosts.prism; +} diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 6fa9c5b2..057af7bc 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -27,8 +27,6 @@ with lib; createHome = true; useDefaultShell = true; extraGroups = [ - "audio" - "wheel" ]; openssh.authorizedKeys.keys = map readFile [ ../../krebs/Zpubkeys/lass.ssh.pub @@ -50,7 +48,7 @@ with lib; source = { git.nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "33bdc011f5360288cd10b9fda90da2950442b2ab"; + rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80"; }; dir.secrets = { host = config.krebs.hosts.mors; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 1f5c3de5..3be3676a 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -8,6 +8,8 @@ in { ./urxvt.nix ]; + users.extraUsers.mainUser.extraGroups = [ "audio" ]; + time.timeZone = "Europe/Berlin"; virtualisation.libvirtd.enable = true; diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 5052da5c..553a3a55 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -1,5 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: +with lib; { imports = [ ../3modules/folderPerms.nix @@ -10,9 +11,13 @@ name = "download"; home = "/var/download"; createHome = true; + useDefaultShell = true; extraGroups = [ "download" ]; + openssh.authorizedKeys.keys = map readFile [ + ../../krebs/Zpubkeys/lass.ssh.pub + ]; }; transmission = { @@ -43,6 +48,7 @@ rpc-username = "download"; #add rpc-password in secrets rpc-password = "test123"; + peer-port = 51413; }; }; @@ -50,6 +56,8 @@ enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } ]; }; diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 2164b2e3..7e8fc03c 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -33,6 +33,8 @@ let web-routes-wai-custom = {}; go = {}; newsbot-js = {}; + kimsufi-check = {}; + realwallpaper = {}; }; restricted-repos = mapAttrs make-restricted-repo ( diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index 7f0bcc5e..d26a2f4c 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -16,7 +16,7 @@ enable = true; hosts = ../../krebs/Zhosts; connectTo = [ - "fastpoke" + "prism" "cloudkrebs" "echelon" "pigstarter" diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index d2b08bef..69f1300b 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -24,8 +24,8 @@ with lib; }; imports = [ - ../2configs/CAC-Developer-2.nix - ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/hw/CAC-Developer-2.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/base.nix #../2configs/consul-server.nix ../2configs/exim-smarthost.nix diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index f0c7dc2a..305ea726 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -37,8 +37,8 @@ in }; imports = [ - ../2configs/CAC-Developer-1.nix - ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/hw/CAC-Developer-1.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/consul-server.nix ../2configs/exim-smarthost.nix diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 21084621..61f833d4 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -24,7 +24,7 @@ with lib; }; imports = [ - ../2configs/AO753.nix + ../2configs/hw/AO753.nix ../2configs/base.nix #../2configs/consul-server.nix ../2configs/git.nix @@ -87,13 +87,6 @@ with lib; swapDevices = [ ]; - nix = { - buildCores = 2; - maxJobs = 2; - daemonIONiceLevel = 1; - daemonNiceLevel = 1; - }; - # TODO base boot.tmpOnTmpfs = true; diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index c52222cd..f77268b5 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -37,8 +37,8 @@ in }; imports = [ - ../2configs/CAC-Developer-1.nix - ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/hw/CAC-Developer-1.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/consul-server.nix ../2configs/exim-smarthost.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 586ad172..65389b66 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -24,7 +24,7 @@ with lib; }; imports = [ - ../2configs/w110er.nix + ../2configs/hw/w110er.nix ../2configs/base.nix #../2configs/consul-client.nix ../2configs/git.nix @@ -389,6 +389,4 @@ with lib; services.tor.enable = true; services.virtualboxHost.enable = true; - # TODO w110er if xserver is enabled - services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; } diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix new file mode 100644 index 00000000..82f5abf7 --- /dev/null +++ b/tv/1systems/xu.nix @@ -0,0 +1,390 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.build.host = config.krebs.hosts.xu; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@xu"; + + krebs.build.source = { + git.nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "e57024f821c94caf5684964474073649b8b6356b"; + }; + dir.secrets = { + host = config.krebs.hosts.wu; + path = "/home/tv/secrets/xu"; + }; + dir.stockholm = { + host = config.krebs.hosts.wu; + path = "/home/tv/stockholm"; + }; + }; + + imports = [ + ../2configs/hw/x220.nix + ../2configs/base.nix + #../2configs/consul-client.nix + ../2configs/git.nix + ../2configs/mail-client.nix + ../2configs/xserver + { + environment.systemPackages = with pkgs; [ + + # stockholm + genid + gnumake + hashPassword + lentil + parallel + (pkgs.writeScriptBin "im" '' + #! ${pkgs.bash}/bin/bash + export PATH=${makeSearchPath "bin" (with pkgs; [ + tmux + gnugrep + weechat + ])} + if tmux list-sessions -F\#S | grep -q '^im''$'; then + exec tmux attach -t im + else + exec tmux new -s im weechat + fi + '') + + # root + cryptsetup + ntp # ntpate + + # tv + bc + bind # dig + #cac + dic + ff + file + gitAndTools.qgit #xserver + gnupg21 + haskellPackages.hledger + htop + jq + manpages + mkpasswd + mpv #xserver + netcat + nix-repl + nmap + nq + p7zip + pavucontrol #xserver + posix_man_pages + #pssh + qrencode + sxiv #xserver + texLive + tmux + zathura #xserver + + #ack + #apache-httpd + #ascii + #emacs + #es + #esniper + #gcc + #gptfdisk + #graphviz + #haskellPackages.cabal2nix + #haskellPackages.ghc + #haskellPackages.shake + #hdparm + #i7z + #iftop + #imagemagick + #inotifyTools + #iodine + #iotop + #lshw + #lsof + #minicom + #mtools + #ncmpc + #neovim + #nethogs + #nix-prefetch-scripts #cvs bug + #openssl + #openswan + #parted + #perl + #powertop + #ppp + #proot + #pythonPackages.arandr + #pythonPackages.youtube-dl + #racket + #rxvt_unicode-with-plugins + #scrot + #sec + #silver-searcher + #sloccount + #smartmontools + #socat + #sshpass + #strongswan + #sysdig + #sysstat + #tcpdump + #tlsdate + #unetbootin + #utillinuxCurses + #wvdial + #xdotool + #xkill + #xl2tpd + #xsel + ]; + } + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + krebs.exim-retiolum.enable = true; + } + { + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "cd" + "gum" + "pigstarter" + ]; + }; + } + { + users.extraGroups = { + tv.gid = 1337; + slaves.gid = 3799582008; # genid slaves + }; + + users.extraUsers = + mapAttrs (name: user@{ extraGroups ? [], ... }: user // { + inherit name; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + group = "tv"; + extraGroups = ["slaves"] ++ extraGroups; + }) { + ff = { + uid = 13378001; + extraGroups = [ + "audio" + "video" + ]; + }; + + cr = { + uid = 13378002; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + fa = { + uid = 2300001; + }; + + rl = { + uid = 2300002; + }; + + tief = { + uid = 2300702; + }; + + btc-bitcoind = { + uid = 2301001; + }; + + btc-electrum = { + uid = 2301002; + }; + + ltc-litecoind = { + uid = 2301101; + }; + + eth = { + uid = 2302001; + }; + + emse-hsdb = { + uid = 4200101; + }; + + wine = { + uid = 13370400; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + df = { + uid = 13370401; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + xr = { + uid = 13370061; + extraGroups = [ + "audio" + "video" + ]; + }; + + "23" = { + uid = 13370023; + }; + + electrum = { + uid = 13370102; + }; + + skype = { + uid = 6660001; + extraGroups = [ + "audio" + ]; + }; + + onion = { + uid = 6660010; + }; + + zalora = { + uid = 1000301; + extraGroups = [ + "audio" + # TODO remove vboxusers when hardening is active + "vboxusers" + "video" + ]; + }; + }; + + security.sudo.extraConfig = + let + isSlave = u: elem "slaves" u.extraGroups; + masterOf = u: u.group; + slaves = filterAttrs (_: isSlave) config.users.extraUsers; + toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL"; + in + concatMapStringsSep "\n" toSudoers (attrValues slaves); + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { name = "xuca"; device = "/dev/sda2"; } + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/xuvga-r |