-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/go.nix | 4 | ||||
-rw-r--r-- | krebs/5pkgs/go-shortener/default.nix (renamed from krebs/5pkgs/go/default.nix) | 2 | ||||
-rw-r--r-- | krebs/5pkgs/go-shortener/packages.nix (renamed from krebs/5pkgs/go/packages.nix) | 0 | ||||
-rw-r--r-- | lass/1systems/mors.nix | 2 | ||||
-rw-r--r-- | lass/1systems/prism.nix | 5 | ||||
-rw-r--r-- | lass/2configs/default.nix | 7 | ||||
-rw-r--r-- | lass/2configs/go.nix | 2 | ||||
-rw-r--r-- | lass/2configs/nixpkgs.nix | 2 | ||||
-rw-r--r-- | lass/2configs/repo-sync.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 14 | ||||
-rw-r--r-- | lass/2configs/websites/fritz.nix | 10 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 41 | ||||
-rw-r--r-- | lass/5pkgs/xmonad-lass.nix | 1 | ||||
-rw-r--r-- | makefu/1systems/x.nix | 6 | ||||
-rw-r--r-- | makefu/2configs/deployment/mycube.connector.one.nix | 6 | ||||
-rw-r--r-- | makefu/2configs/hw/tp-x230.nix (renamed from makefu/2configs/hw/tp-x220.nix) | 18 |
17 files changed, 87 insertions, 38 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 2ed5607f1..c96b14723 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -246,12 +246,12 @@ let remote_smtp: driver = smtp
- ${optionalString (cfg.dkim != []) ''
+ ${optionalString (cfg.dkim != []) (indent ''
 dkim_canon = relaxed dkim_domain = $sender_address_domain dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
- ''}
+ '')}
 helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ {$acl_m_special_dom} }
diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix
index a86f444dc..218ac9221 100644
--- a/krebs/3modules/go.nix
+++ b/krebs/3modules/go.nix
@@ -44,7 +44,7 @@ let wantedBy = [ "multi-user.target" ]; path = with pkgs; [
- go
+ go-shortener
 ]; environment = {
@@ -57,7 +57,7 @@ let serviceConfig = { User = "go"; Restart = "always";
- ExecStart = "${pkgs.go}/bin/go";
+ ExecStart = "${pkgs.go-shortener}/bin/go";
 }; }; };
diff --git a/krebs/5pkgs/go/default.nix b/krebs/5pkgs/go-shortener/default.nix
index 2871e5a99..996f7072a 100644
--- a/krebs/5pkgs/go/default.nix
+++ b/krebs/5pkgs/go-shortener/default.nix
@@ -19,7 +19,7 @@ let }; in np.buildNodePackage {
- name = "go";
+ name = "go-shortener";
 src = fetchgit { url = "http://cgit.lassul.us/go/";
diff --git a/krebs/5pkgs/go/packages.nix b/krebs/5pkgs/go-shortener/packages.nix
index 9acfd7658..9acfd7658 100644
--- a/krebs/5pkgs/go/packages.nix
+++ b/krebs/5pkgs/go-shortener/packages.nix
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c3d027edc..742d42bf8 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -54,7 +54,7 @@ with import <stockholm/lib>; enable = true; package = pkgs.postgresql; };
- #virtualisation.docker.enable = true;
+ virtualisation.docker.enable = true;
 #users.users.mainUser.extraGroups = [ "docker" ]; } {
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 76710ac9d..5da66d265 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -224,6 +224,11 @@ in { OnCalendar = "*:0/5"; }; }
+ {
+ lass.usershadow = {
+ enable = true;
+ };
+ }
 ]; krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 43c4d5b0d..a7d2a6cef 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -46,6 +46,13 @@ with import <stockholm/lib>; NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; }; }
+ (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+ environment.variables = {
+ CURL_CA_BUNDLE = ca-bundle;
+ GIT_SSL_CAINFO = ca-bundle;
+ SSL_CERT_FILE = ca-bundle;
+ };
+ })
 ]; networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index 7d694c173..f6ddbe96d 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -3,7 +3,7 @@ with import <stockholm/lib>; { environment.systemPackages = [
- pkgs.go
+ pkgs.go-shortener
 ]; krebs.go = { enable = true;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 4ef4c6ce7..e665b6c6f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs;
- ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
+ ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
 }; }
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index f88149730..f2e4de6a7 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
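Review bot: The three variables added in `lass/2configs/default.nix` go through `environment.variables`, which as far as I know is exported into login/interactive sessions only, so systemd units on the same host (for instance the repo-sync units touched later in this diff, if they fetch over HTTPS) will not see `SSL_CERT_FILE`, `CURL_CA_BUNDLE` or `GIT_SSL_CAINFO` unless the unit sets them as well; confirm that is the intended scope. Since this pins every TLS client in a session to the `pkgs.cacert` bundle from the nixpkgs revision bumped in this same commit, a one-line comment above the `let ca-bundle = …` such as `# point curl, git and openssl-based tools at the nixpkgs CA bundle` would document why it is set here rather than per tool. The enclosing list continues outside the hunk.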
@@ -93,6 +93,7 @@ in { (sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
+ (sync-remote "painload" "https://github.com/krebscode/painload")
 (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-retiolum "go") (sync-retiolum "much")
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 18c771fad..fa56d0e12 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -142,28 +142,26 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
 ]; krebs.exim-smarthost = { authenticators.PLAIN = '' driver = plaintext
- server_prompts = :
- server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
- server_set_id = $auth2
+ public_name = PLAIN
+ server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
 ''; authenticators.LOGIN = '' driver = plaintext
+ public_name = LOGIN
 server_prompts = "Username:: : Password::"
- server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
- server_set_id = $auth1
+ server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
 ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; } { from = "mail@jla-trading.com"; to = "jla-trading"; }
- { from = "testuser@lassul.us"; to = "testuser"; }
 ];
- system-aliases = [
+ sender_domains = [
+ "jla-trading.com"
 ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem";
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index d93d310da..52914f444 100644
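Review bot: In both new `server_condition` lines the cleartext password (`$auth3` for PLAIN, `$auth2` for LOGIN) is handed to `verify_arg` as a command-line argument, so for the lifetime of each check it is readable by every local user through the process list; the PAM path this replaces delivered it over stdin via `expose_authtok`, and the same stdin hand-off is the usual fix, with `verify_arg` in `lass/3modules/usershadow.nix` (hunk `@@ -61,18 +66,42 @@`) changed to read the secret from stdin instead of `argsList !! 2`. Exim's `${run{…}}` also splits the expanded string on whitespace, so a password containing a space can never authenticate and an empty one shifts the remaining arguments; quoting the variables keeps the argument count stable. Both authenticators additionally lost `server_set_id`, so `$authenticated_id` is no longer logged or available to later ACLs — keep `server_set_id = $auth2` (PLAIN) and `server_set_id = $auth1` (LOGIN). Finally, the `--dport 465` rule is removed while neither authenticator carries a `server_advertise_condition = ''${if def:tls_in_cipher}`-style guard, so unless the exim-smarthost module adds one outside this hunk, PLAIN and LOGIN can be offered on a session that has not negotiated TLS.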
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -88,13 +88,7 @@ in { ]; };
- services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
- options = ''
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- sendmail_path = "${sendmail} -t -i"
- '';
- } ''
- cat ${pkgs.php}/etc/php-recommended.ini > $out
- echo "$options" >> $out
+ services.phpfpm.phpOptions = ''
+ sendmail_path = ${sendmail} -t
 ''; }
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index 1ee01e8d9..a8ab1c52a 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -13,22 +13,27 @@ type = types.str; default = "/home/%/.shadow"; };
+ path = mkOption {
+ type = types.str;
+ };
 }; imp = { environment.systemPackages = [ usershadow ];
+ lass.usershadow.path = "${usershadow}";
 security.pam.services.sshd.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
 auth required pam_permit.so account required pam_permit.so session required pam_permit.so '';
- security.pam.services.exim.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ security.pam.services.dovecot2.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
 auth required pam_permit.so account required pam_permit.so session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
 ''; };
@@ -38,7 +43,7 @@ "bytestring" ]; body = pkgs.writeHaskell "passwords" {
- executables.verify = {
+ executables.verify_pam = {
 extra-depends = deps; text = '' import Data.Monoid
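Review bot: The replacement `sendmail_path = ${sendmail} -t` drops the `-i` flag that the removed `phpIni` line carried; for a sendmail-compatible interface (Exim's, if `sendmail` here is the wrapper used elsewhere in this diff) a body line consisting of a single `.` then terminates input, so mail sent from PHP can be cut short — if that is not intended, restore `sendmail_path = ${sendmail} -t -i`. The `apcu.so` extension line is also gone from the new options without being mentioned; a one-line comment above `services.phpfpm.phpOptions` saying whether apcu was dropped on purpose would save the next reader a bisect.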
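Review bot: The new `path` option in `lass/3modules/usershadow.nix` is assigned by the module itself (`lass.usershadow.path = "${usershadow}";`) and is consumed by `lass/2configs/websites/domsen.nix` to build the `verify_arg` command line, yet it is declared as an ordinary settable `types.str` with no default and no description; declaring it with `readOnly = true;` and a `description` stating it is the store path of the usershadow package would stop a stray user definition from pointing the authenticator at a different binary and would document the contract. Because the assignment sits inside `imp`, which presumably is only merged under `cfg.enable` (the wrapper is outside the hunk), `config.lass.usershadow.path` is undefined on any host that imports domsen.nix without enabling the module and evaluation fails there rather than at the option — probably acceptable, but worth stating in the option description.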
@@ -61,18 +66,42 @@ if res then exitSuccess else exitFailure ''; };
+ executables.verify_arg = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+ 
+ main :: IO ()
+ main = do
+ argsList <- getArgs
+ let shadowFilePattern = argsList !! 0
+ let user = argsList !! 1
+ let password = argsList !! 2
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then do (putStr "yes") else exitFailure
+ '';
+ };
 executables.passwd = { extra-depends = deps; text = '' import System.Environment (getEnv) import Crypto.PasswordStore (makePasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8
- import System.IO (stdin, hSetEcho, putStr)
+ import System.IO (stdin, hSetEcho, putStrLn)
 main :: IO () main = do home <- getEnv "HOME"
- putStr "password:"
+ putStrLn "password:"
 hSetEcho stdin False password <- BS8.hGetLine stdin hash <- makePasswordWith pbkdf2 password 10
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 96b12b9d4..70be61022 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -129,6 +129,7 @@ myKeyMap = , ("M4-<Esc>", toggleWS) , ("M4-S-<Enter>", spawn urxvtcPath) , ("M4-x", floatNext True >> spawn urxvtcPath)
+ , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
 , ("M4-f", floatNext True) , ("M4-b", sendMessage ToggleStruts)
diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index e7f5d0dae..e1aec360d 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
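Review bot: `verify_arg` splices the caller-supplied user name straight into the shadow file path (`let shadowFile = lhs <> user <> tail rhs`) with no validation, so a name containing `/` or `..` selects a file other than the intended `/home/<user>/.shadow` and the password is then checked against whatever that file contains; reject names containing a path separator or `..` (or look the user up in the system user database first) before touching the filesystem. `argsList !! 0`, `!! 1` and `!! 2` are partial and throw on a short argument list, which the caller turns into a failed check but with a Haskell exception in the mail log; `[shadowFilePattern, user, password] <- getArgs` via a pattern match with an explicit `exitFailure` fallback is the cleaner shape, and `do (putStr "yes")` can simply be `putStr "yes"`. `hash <- readFile shadowFile` keeps any trailing newline, so unless `passwd` (outside this hunk) writes the hash without one, `BS8.pack hash` will not verify — confirm against `passwd`'s output. `Data.Char (chr)` and `getEnv` are imported but unused in this executable.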
@@ -32,7 +32,7 @@ # ../2configs/buildbot-standalone.nix # hardware specifics are in here
- ../2configs/hw/tp-x220.nix
+ ../2configs/hw/tp-x230.nix
 ../2configs/hw/rtl8812au.nix ../2configs/hw/bcm4352.nix # mount points
@@ -46,7 +46,7 @@ # temporary modules ../2configs/temp/share-samba.nix ../2configs/laptop-backup.nix
- ../2configs/temp/elkstack.nix
+ #../2configs/temp/elkstack.nix
 # ../2configs/temp/sabnzbd.nix ../2configs/tinc/siem.nix #../2configs/torrent.nix
@@ -62,7 +62,7 @@ environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
- # virtualisation.docker.enable = true;
+ virtualisation.docker.enable = true;
 # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true;
diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix
index 2877d2227..091b7f21b 100644
--- a/makefu/2configs/deployment/mycube.connector.one.nix
+++ b/makefu/2configs/deployment/mycube.connector.one.nix
@@ -6,7 +6,11 @@ let external-ip = config.krebs.build.host.nets.internet.ip4.addr; wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock"; in {
- services.redis.enable = true;
+ services.redis = {
+ enable = true;
+ };
+ systemd.services.redis.serviceConfig.LimitNOFILE=10032;
+ 
 services.uwsgi = { enable = true; user = "nginx";
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x230.nix
index ce3e34ad3..99563a771 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x230.nix
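Review bot: `systemd.services.redis.serviceConfig.LimitNOFILE=10032;` in `makefu/2configs/deployment/mycube.connector.one.nix` is the only binding in the hunk without spaces around `=`; write it `systemd.services.redis.serviceConfig.LimitNOFILE = 10032;` to match the surrounding style. The number itself is unexplained — presumably the default `maxclients` of 10000 plus the 32 descriptors redis reserves for itself — so a comment such as `# redis wants maxclients + 32 file descriptors` would record the derivation, if that is indeed where the value comes from. Turning `services.redis.enable = true;` into an attribute set with a single `enable` is fine but adds nothing yet; either leave the one-liner or add the settings that motivated the change.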
@@ -5,9 +5,19 @@ with import <stockholm/lib>; imports = [ ./tp-x2x0.nix ]; boot = {
- kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
- extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+ # tp-smapi is not supported bt x230 anymore
+ kernelModules = [
+ "kvm-intel"
+ "thinkpad_ec"
+ # "acpi_call"
+ # "thinkpad_acpi"
+ # "tpm-rng"
+ ];
+ extraModulePackages = [
+ # config.boot.kernelPackages.acpi_call
+ ];
 };
+ services.acpid.enable = true;
 hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; services.xserver = { videoDriver = "intel";
@@ -15,8 +25,8 @@ with import <stockholm/lib>; Option "AccelMethod" "sna" ''; };
- 
- security.rngd.enable = true;
+ # no entropy source working
+ # security.rngd.enable = true;
 services.xserver.displayManager.sessionCommands ='' xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 |
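Review bot: The new comment `# tp-smapi is not supported bt x230 anymore` in the first hunk of `makefu/2configs/hw/tp-x230.nix` has a typo (`bt` for `by`) and names the module differently from the `tp_smapi` it removes; `# tp_smapi is not supported by the x230 anymore` reads better and matches the identifier. The commented-out `"acpi_call"`, `"thinkpad_acpi"` and `"tpm-rng"` entries, and the commented `acpi_call` package, are kept without saying whether they are broken on this hardware or merely untested, so a word each (or dropping them) would keep the list from accumulating dead entries. The second hunk of this file continues past the end of the page and is not reviewed here.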