summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/exim-smarthost.nix4
-rw-r--r--krebs/3modules/go.nix4
-rw-r--r--krebs/5pkgs/go-shortener/default.nix (renamed from krebs/5pkgs/go/default.nix)2
-rw-r--r--krebs/5pkgs/go-shortener/packages.nix (renamed from krebs/5pkgs/go/packages.nix)0
-rw-r--r--lass/1systems/mors.nix2
-rw-r--r--lass/1systems/prism.nix5
-rw-r--r--lass/2configs/default.nix7
-rw-r--r--lass/2configs/go.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/repo-sync.nix1
-rw-r--r--lass/2configs/websites/domsen.nix14
-rw-r--r--lass/2configs/websites/fritz.nix10
-rw-r--r--lass/3modules/usershadow.nix41
-rw-r--r--lass/5pkgs/xmonad-lass.nix1
-rw-r--r--makefu/1systems/x.nix6
-rw-r--r--makefu/2configs/deployment/mycube.connector.one.nix6
-rw-r--r--makefu/2configs/hw/tp-x230.nix (renamed from makefu/2configs/hw/tp-x220.nix)18
17 files changed, 87 insertions, 38 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 2ed5607f1..c96b14723 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -246,12 +246,12 @@ let
remote_smtp:
driver = smtp
- ${optionalString (cfg.dkim != []) ''
+ ${optionalString (cfg.dkim != []) (indent ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
- ''}
+ '')}
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
{$acl_m_special_dom} }
diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix
index a86f444dc..218ac9221 100644
--- a/krebs/3modules/go.nix
+++ b/krebs/3modules/go.nix
@@ -44,7 +44,7 @@ let
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
- go
+ go-shortener
];
environment = {
@@ -57,7 +57,7 @@ let
serviceConfig = {
User = "go";
Restart = "always";
- ExecStart = "${pkgs.go}/bin/go";
+ ExecStart = "${pkgs.go-shortener}/bin/go";
};
};
};
diff --git a/krebs/5pkgs/go/default.nix b/krebs/5pkgs/go-shortener/default.nix
index 2871e5a99..996f7072a 100644
--- a/krebs/5pkgs/go/default.nix
+++ b/krebs/5pkgs/go-shortener/default.nix
@@ -19,7 +19,7 @@ let
};
in np.buildNodePackage {
- name = "go";
+ name = "go-shortener";
src = fetchgit {
url = "http://cgit.lassul.us/go/";
diff --git a/krebs/5pkgs/go/packages.nix b/krebs/5pkgs/go-shortener/packages.nix
index 9acfd7658..9acfd7658 100644
--- a/krebs/5pkgs/go/packages.nix
+++ b/krebs/5pkgs/go-shortener/packages.nix
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c3d027edc..742d42bf8 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -54,7 +54,7 @@ with import <stockholm/lib>;
enable = true;
package = pkgs.postgresql;
};
- #virtualisation.docker.enable = true;
+ virtualisation.docker.enable = true;
#users.users.mainUser.extraGroups = [ "docker" ];
}
{
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 76710ac9d..5da66d265 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -224,6 +224,11 @@ in {
OnCalendar = "*:0/5";
};
}
+ {
+ lass.usershadow = {
+ enable = true;
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 43c4d5b0d..a7d2a6cef 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -46,6 +46,13 @@ with import <stockholm/lib>;
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
}
+ (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+ environment.variables = {
+ CURL_CA_BUNDLE = ca-bundle;
+ GIT_SSL_CAINFO = ca-bundle;
+ SSL_CERT_FILE = ca-bundle;
+ };
+ })
];
networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index 7d694c173..f6ddbe96d 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -3,7 +3,7 @@
with import <stockholm/lib>;
{
environment.systemPackages = [
- pkgs.go
+ pkgs.go-shortener
];
krebs.go = {
enable = true;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 4ef4c6ce7..e665b6c6f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
+ ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
};
}
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index f88149730..f2e4de6a7 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -93,6 +93,7 @@ in {
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
(sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
+ (sync-remote "painload" "https://github.com/krebscode/painload")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go")
(sync-retiolum "much")
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 18c771fad..fa56d0e12 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -142,28 +142,26 @@ in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
];
krebs.exim-smarthost = {
authenticators.PLAIN = ''
driver = plaintext
- server_prompts = :
- server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
- server_set_id = $auth2
+ public_name = PLAIN
+ server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
'';
authenticators.LOGIN = ''
driver = plaintext
+ public_name = LOGIN
server_prompts = "Username:: : Password::"
- server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
- server_set_id = $auth1
+ server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
'';
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
- { from = "testuser@lassul.us"; to = "testuser"; }
];
- system-aliases = [
+ sender_domains = [
+ "jla-trading.com"
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index d93d310da..52914f444 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -88,13 +88,7 @@ in {
];
};
- services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
- options = ''
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- sendmail_path = "${sendmail} -t -i"
- '';
- } ''
- cat ${pkgs.php}/etc/php-recommended.ini > $out
- echo "$options" >> $out
+ services.phpfpm.phpOptions = ''
+ sendmail_path = ${sendmail} -t
'';
}
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index 1ee01e8d9..a8ab1c52a 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -13,22 +13,27 @@
type = types.str;
default = "/home/%/.shadow";
};
+ path = mkOption {
+ type = types.str;
+ };
};
imp = {
environment.systemPackages = [ usershadow ];
+ lass.usershadow.path = "${usershadow}";
security.pam.services.sshd.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
'';
- security.pam.services.exim.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ security.pam.services.dovecot2.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
'';
};
@@ -38,7 +43,7 @@
"bytestring"
];
body = pkgs.writeHaskell "passwords" {
- executables.verify = {
+ executables.verify_pam = {
extra-depends = deps;
text = ''
import Data.Monoid
@@ -61,18 +66,42 @@
if res then exitSuccess else exitFailure
'';
};
+ executables.verify_arg = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ argsList <- getArgs
+ let shadowFilePattern = argsList !! 0
+ let user = argsList !! 1
+ let password = argsList !! 2
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then do (putStr "yes") else exitFailure
+ '';
+ };
executables.passwd = {
extra-depends = deps;
text = ''
import System.Environment (getEnv)
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
- import System.IO (stdin, hSetEcho, putStr)
+ import System.IO (stdin, hSetEcho, putStrLn)
main :: IO ()
main = do
home <- getEnv "HOME"
- putStr "password:"
+ putStrLn "password:"
hSetEcho stdin False
password <- BS8.hGetLine stdin
hash <- makePasswordWith pbkdf2 password 10
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 96b12b9d4..70be61022 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -129,6 +129,7 @@ myKeyMap =
, ("M4-<Esc>", toggleWS)
, ("M4-S-<Enter>", spawn urxvtcPath)
, ("M4-x", floatNext True >> spawn urxvtcPath)
+ , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
, ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts)
diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index e7f5d0dae..e1aec360d 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -32,7 +32,7 @@
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here
- ../2configs/hw/tp-x220.nix
+ ../2configs/hw/tp-x230.nix
../2configs/hw/rtl8812au.nix
../2configs/hw/bcm4352.nix
# mount points
@@ -46,7 +46,7 @@
# temporary modules
../2configs/temp/share-samba.nix
../2configs/laptop-backup.nix
- ../2configs/temp/elkstack.nix
+ #../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix
../2configs/tinc/siem.nix
#../2configs/torrent.nix
@@ -62,7 +62,7 @@
environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
- # virtualisation.docker.enable = true;
+ virtualisation.docker.enable = true;
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix
index 2877d2227..091b7f21b 100644
--- a/makefu/2configs/deployment/mycube.connector.one.nix
+++ b/makefu/2configs/deployment/mycube.connector.one.nix
@@ -6,7 +6,11 @@ let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock";
in {
- services.redis.enable = true;
+ services.redis = {
+ enable = true;
+ };
+ systemd.services.redis.serviceConfig.LimitNOFILE=10032;
+
services.uwsgi = {
enable = true;
user = "nginx";
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x230.nix
index ce3e34ad3..99563a771 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x230.nix
@@ -5,9 +5,19 @@ with import <stockholm/lib>;
imports = [ ./tp-x2x0.nix ];
boot = {
- kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
- extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+ # tp-smapi is not supported bt x230 anymore
+ kernelModules = [
+ "kvm-intel"
+ "thinkpad_ec"
+ # "acpi_call"
+ # "thinkpad_acpi"
+ # "tpm-rng"
+ ];
+ extraModulePackages = [
+ # config.boot.kernelPackages.acpi_call
+ ];
};
+ services.acpid.enable = true;
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
services.xserver = {
videoDriver = "intel";
@@ -15,8 +25,8 @@ with import <stockholm/lib>;
Option "AccelMethod" "sna"
'';
};
-
- security.rngd.enable = true;
+ # no entropy source working
+ # security.rngd.enable = true;
services.xserver.displayManager.sessionCommands =''
xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1