diff options
34 files changed, 379 insertions, 257 deletions
diff --git a/default.nix b/default.nix index c6a635c29..f14329d40 100644 --- a/default.nix +++ b/default.nix @@ -11,7 +11,21 @@ let user-modules-path = ./. + "/${current-user-name}/3modules"; user-pkgs-path = ./. + "/${current-user-name}/5pkgs"; + # XXX This is only used interactively, e.g. using get. + pkgs = + let + pkgs = import <nixpkgs> {}; + args = { + inherit pkgs; + lib = pkgs.lib; + }; + in + pkgs // + import krebs-pkgs-path args // + import user-pkgs-path args; + out = + { inherit pkgs; } // lib.mapAttrs (_: builtins.getAttr "main") (lib.filterAttrs (_: builtins.hasAttr "main") (lib.mapAttrs diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 8e9a42fd0..9ec9d0a8a 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -11,6 +11,7 @@ let ./exim-smarthost.nix ./github-hosts-sync.nix ./git.nix + ./iptables.nix ./nginx.nix ./Reaktor.nix ./retiolum.nix diff --git a/lass/3modules/iptables.nix b/krebs/3modules/iptables.nix index 8c6ad3fa1..9596229de 100644 --- a/lass/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -3,6 +3,10 @@ arg@{ config, lib, pkgs, ... }: let inherit (pkgs) writeScript writeText; + inherit (builtins) + elem + ; + inherit (lib) concatMapStringsSep concatStringsSep @@ -20,15 +24,13 @@ let mkOption mkIf types - sort; - - elemIsIn = a: as: - any (x: x == a) as; + sort + ; - cfg = config.lass.iptables; + cfg = config.krebs.iptables; out = { - options.lass.iptables = api; + options.krebs.iptables = api; config = mkIf cfg.enable imp; }; @@ -74,8 +76,8 @@ let imp = { networking.firewall.enable = false; - systemd.services.lass-iptables = { - description = "lass-iptables"; + systemd.services.krebs-iptables = { + description = "krebs-iptables"; wantedBy = [ "network-pre.target" ]; before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; @@ -90,7 +92,7 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} lass-iptables_start"; + ExecStart = "@${startScript} krebs-iptables_start"; }; }; }; @@ -110,13 +112,10 @@ let in #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules - ) + if ts.${tn}.${cn}.rules or null != null then + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map (buildRule tn cn) sortedRules + ) else "" ; @@ -124,7 +123,7 @@ let buildRule = tn: cn: rule: #target validation test: - assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); + assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); #predicate validation test: #maybe use iptables-test @@ -171,11 +170,11 @@ let tables = tables-defaults // cfg.tables; in - writeText "lass-iptables-rules${toString iptables-version}" '' + writeText "krebs-iptables-rules${toString iptables-version}" '' ${buildTables iptables-version tables} ''; - startScript = writeScript "lass-iptables_start" '' + startScript = writeScript "krebs-iptables_start" '' #! /bin/sh set -euf iptables-restore < ${rules4 4} diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 32b366b91..0065f7692 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -9,7 +9,7 @@ with import ../../4lib { inherit lib; }; dc = "lass"; #dc = "cac"; nets = rec { internet = { - addrs4 = ["104.233.84.57"]; + addrs4 = ["162.248.162.105"]; aliases = [ "echelon.internet" ]; diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 52b5dc78c..7e136d96f 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -15,6 +15,7 @@ rec { github-hosts-sync = callPackage ./github-hosts-sync {}; github-known_hosts = callPackage ./github-known_hosts {}; hashPassword = callPackage ./hashPassword {}; + jq = callPackage ./jq {}; krebszones = callPackage ./krebszones {}; lentil = callPackage ./lentil {}; much = callPackage ./much {}; diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/get/default.nix index 20bbfd014..d4f5f6b46 100644 --- a/krebs/5pkgs/get/default.nix +++ b/krebs/5pkgs/get/default.nix @@ -1,12 +1,12 @@ { coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }: stdenv.mkDerivation { - name = "get-1.3.0"; + name = "get-1.3.1"; src = fetchgit { url = http://cgit.cd.retiolum/get; - rev = "fbe8f8d12ede9762fceb15b9944b69a4ee6331eb"; - sha256 = "bcdf036f8b5d1467285d0998aeac7e48280adfb9e1278f9f424c9c8b5e6ed8fa"; + rev = "64c97edd3f9952cd5e703208c46748a035a515bf"; + sha256 = "32ca83f4fd86fd3285bef9dcfd0917308086d239189858daceca175de49ff97c"; }; phases = [ diff --git a/krebs/5pkgs/jq/default.nix b/krebs/5pkgs/jq/default.nix new file mode 100644 index 000000000..41db0f284 --- /dev/null +++ b/krebs/5pkgs/jq/default.nix @@ -0,0 +1,33 @@ +{stdenv, fetchurl}: +let + s = # Generated upstream information + rec { + baseName="jq"; + version="1.5"; + name="${baseName}-${version}"; + url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz; + sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4"; + }; + buildInputs = [ + ]; +in +stdenv.mkDerivation { + inherit (s) name version; + inherit buildInputs; + src = fetchurl { + inherit (s) url sha256; + }; + + # jq is linked to libjq: + configureFlags = [ + "LDFLAGS=-Wl,-rpath,\\\${libdir}" + ]; + meta = { + inherit (s) version; + description = ''A lightweight and flexible command-line JSON processor''; + license = stdenv.lib.licenses.mit ; + maintainers = [stdenv.lib.maintainers.raskin]; + platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + }; +} + diff --git a/krebs/default.nix b/krebs/default.nix index 0ec4c6079..b98fad558 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -85,6 +85,7 @@ # s:^nix-env:chroot $mountPoint '"$nix_env"': #' nixos-install + unset SSL_CERT_FILE ./nixos-install ${builtins.readFile ./4lib/infest/finalize.sh} diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 5235c25e5..2a6a70ffd 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -1,6 +1,12 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: -{ +let + inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; + inherit (lib) head; + + ip = (head config.krebs.build.host.nets.internet.addrs4); + r_ip = (head config.krebs.build.host.nets.retiolum.addrs4); +in { imports = [ ../../tv/2configs/CAC-Developer-2.nix ../../tv/2configs/CAC-CentOS-7-64bit.nix @@ -8,14 +14,15 @@ ../2configs/retiolum.nix ../2configs/fastpoke-pages.nix ../2configs/new-repos.nix + ../2configs/realwallpaper.nix { networking.interfaces.enp2s1.ip4 = [ { - address = "104.167.113.104"; + address = ip; prefixLength = 24; } ]; - networking.defaultGateway = "104.167.113.1"; + networking.defaultGateway = getDefaultGateway ip; networking.nameservers = [ "8.8.8.8" ]; @@ -40,4 +47,8 @@ networking.hostName = "cloudkrebs"; + environment.systemPackages = [ + pkgs.dic + ]; + } diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index d1a3f34f7..782674cb0 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -11,6 +11,7 @@ in { ../../tv/2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/retiolum.nix + ../2configs/realwallpaper.nix { networking.interfaces.enp2s1.ip4 = [ { diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index b7291a8f2..414afcbba 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -23,6 +23,7 @@ ../2configs/wordpress.nix ../2configs/bitlbee.nix ../2configs/firefoxPatched.nix + ../2configs/realwallpaper.nix ]; krebs.build = { @@ -174,7 +175,9 @@ environment.systemPackages = with pkgs; [ cac + sshpass get + genid ]; #TODO: fix this shit @@ -195,21 +198,11 @@ }; }; - networking.firewall = { - allowPing = true; - allowedTCPPorts = [ - 8000 - ]; - allowedUDPPorts = [ - 67 - ]; - }; - services.mongodb = { enable = true; }; - lass.iptables = { + krebs.iptables = { tables = { filter.INPUT.rules = [ { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 9d96e7814..bd3770b43 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -12,6 +12,8 @@ with builtins; ../2configs/new-repos.nix ../2configs/chromium-patched.nix ../2configs/retiolum.nix + ../2configs/bitlbee.nix + ../2configs/weechat.nix { users.extraUsers = { root = { @@ -82,9 +84,6 @@ with builtins; SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" ''; - #services.xserver = { - #}; - services.xserver.synaptics = { enable = true; twoFingerScroll = true; @@ -101,80 +100,4 @@ with builtins; #for google hangout users.extraUsers.google.extraGroups = [ "audio" "video" ]; - - - #users.extraGroups = { - # loot = { - # members = [ - # "lass" - # "firefox" - # "chromium" - # "google" - # ]; - # }; - #}; - # - # iptables - # - #networking.firewall.enable = false; - #system.activationScripts.iptables = - # let - # log = false; - # when = c: f: if c then f else ""; - # in - # '' - # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - # ipXtables() { ip4tables "$@"; ip6tables "$@"; } - - # # - # # nat - # # - - # # reset tables - # ipXtables -t nat -F - # ipXtables -t nat -X - - # # - # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # # - # # filter - # # - - # # reset tables - # ipXtables -P INPUT DROP - # ipXtables -P FORWARD DROP - # ipXtables -F - # ipXtables -X - - # # create custom chains - # ipXtables -N Retiolum - - # # INPUT - # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # ipXtables -A INPUT -j ACCEPT -i lo - # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - # ipXtables -A INPUT -j Retiolum -i retiolum - # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # # FORWARD - # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # # Retiolum - # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - # ip6tables -A Retiolum -j REJECT - - # ''; } diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 46435649b..43c4f4e34 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -3,14 +3,13 @@ with lib; { imports = [ - ../3modules/iptables.nix ../2configs/vim.nix ../2configs/zsh.nix ../2configs/mc.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import /root/src/secrets/hashedPasswords.nix); + (import /root/secrets/hashedPasswords.nix); } { users.extraUsers = { @@ -45,7 +44,7 @@ with lib; build.source = { git.nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "68bd8e4a9dc247726ae89cc8739574261718e328"; + rev = "e916273209560b302ab231606babf5ce1c481f08"; }; }; }; @@ -71,7 +70,12 @@ with lib; ''; environment.systemPackages = with pkgs; [ + #stockholm git + jq + parallel + + #style most rxvt_unicode.terminfo @@ -137,7 +141,7 @@ with lib; RuntimeMaxUse=128M ''; - lass.iptables = { + krebs.iptables = { enable = true; tables = { filter.INPUT.policy = "DROP"; diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index f37dace2c..5a1857973 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -6,14 +6,12 @@ let mainUser = config.users.extraUsers.mainUser; createChromiumUser = name: extraGroups: packages: { - users.extraUsers = { - ${name} = { - inherit name; - inherit extraGroups; - home = "/home/${name}"; - useDefaultShell = true; - createHome = true; - }; + users.extraUsers.${name} = { + inherit name; + inherit extraGroups; + home = "/home/${name}"; + useDefaultShell = true; + createHome = true; }; lass.per-user.${name}.packages = packages; security.sudo.extraConfig = '' @@ -28,14 +26,12 @@ let createFirefoxUser = name: extraGroups: packages: { - users.extraUsers = { - ${name} = { - inherit name; - inherit extraGroups; - home = "/home/${name}"; - useDefaultShell = true; - createHome = true; - }; + users.extraUsers.${name} = { + inherit name; + inherit extraGroups; + home = "/home/${name}"; + useDefaultShell = true; + createHome = true; }; lass.per-user.${name}.packages = packages; security.sudo.extraConfig = '' @@ -66,16 +62,16 @@ in { ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] ) ( createChromiumUser "fb" [ ] [ pkgs.chromium ] ) ( createChromiumUser "gm" [ ] [ pkgs.chromium ] ) - ( createChromiumUser "flash" [ ] [ pkgs.flash ] ) + # ( createChromiumUser "flash" [ ] [ pkgs.flash ] ) ]; nixpkgs.config.packageOverrides = pkgs : { flash = pkgs.chromium.override { - pulseSupport = true; + # pulseSupport = true; enablePepperFlash = true; }; - chromium = pkgs.chromium.override { - pulseSupport = true; - }; + #chromium = pkgs.chromium.override { + # pulseSupport = true; + #}; }; } diff --git a/lass/2configs/desktop-base.nix b/lass/2configs/desktop-base.nix index 8ae768ca9..ed84edefa 100644 --- a/lass/2configs/desktop-base.nix +++ b/lass/2configs/desktop-base.nix @@ -34,6 +34,8 @@ in { haskellPackages.yeganesh dmenu2 xlibs.fontschumachermisc + + sxiv ]; fonts.fonts = [ diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index e6d31a6c4..5052da5c8 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -2,7 +2,6 @@ { imports = [ - ../3modules/iptables.nix ../3modules/folderPerms.nix ]; @@ -47,7 +46,7 @@ }; }; - lass.iptables = { + krebs.iptables = { enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix index 1c8106a88..0470865b6 100644 --- a/lass/2configs/fastpoke-pages.nix +++ b/lass/2configs/fastpoke-pages.nix @@ -29,9 +29,7 @@ let }; in { - imports = [ - ../3modules/iptables.nix - ] ++ map createStaticPage [ + imports = map createStaticPage [ "habsys.de" "pixelpocket.de" "karlaskop.de" @@ -39,7 +37,7 @@ in { "apanowicz.de" ]; - lass.iptables = { + krebs.iptables = { tables = { filter.INPUT.rules = [ { predicate = "-p tcp --dport http"; target = "ACCEPT"; } diff --git a/lass/2configs/mors/repos.nix b/lass/2configs/mors/repos.nix deleted file mode 100644 index 1f7f33456..000000000 --- a/lass/2configs/mors/repos.nix +++ /dev/null @@ -1,87 +0,0 @@ -{ ... }: - -{ - imports = [ - ../lass/gitolite-base.nix - ../common/krebs-keys.nix - ../common/krebs-repos.nix - ]; - - services.gitolite = { - repos = { - - config = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - pass = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - load-env = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-drywall = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-hsdb = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - brain = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - #hooks.post-receive = irc-announce; - }; - - painload = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - services = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - xmonad-config = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - }; - }; -} diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix index 026f9a665..3d293d654 100644 --- a/lass/2configs/new-repos.nix +++ b/lass/2configs/new-repos.nix @@ -47,6 +47,7 @@ let nick = config.krebs.build.host.name; channel = "#retiolum"; server = "cd.retiolum"; + verbose = config.krebs.build.host.name == "cloudkrebs"; }; }; }; diff --git a/lass/2configs/privoxy-retiolum.nix b/lass/2configs/privoxy-retiolum.nix new file mode 100644 index 000000000..3a3641ad8 --- /dev/null +++ b/lass/2configs/privoxy-retiolum.nix @@ -0,0 +1,21 @@ +{ config, lib, ... }: + +let + r_ip = (head config.krebs.build.host.nets.retiolum.addrs4); + inherit (lib) head; + +in { + imports = [ + ./privoxy.nix + ]; + + services.privoxy.listenAddress = "${r_ip}:8118"; + + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 8118"; target = "ACCEPT"; } + ]; + }; + }; +} diff --git a/lass/2configs/privoxy.nix b/lass/2configs/privoxy.nix new file mode 100644 index 000000000..bf5f6e206 --- /dev/null +++ b/lass/2configs/privoxy.nix @@ -0,0 +1,15 @@ +{ config, ... }: + +{ + services.privoxy = { + enable = true; + extraConfig = '' + #use polipo + forward / localhost:8123 + + #route .onion through tor + forward-socks4a .onion localhost:9050 + ''; + }; + services.polipo.enable = true; +} diff --git a/lass/2configs/realwallpaper-server.nix b/lass/2configs/realwallpaper-server.nix new file mode 100644 index 000000000..7340fc7ca --- /dev/null +++ b/lass/2configs/realwallpaper-server.nix @@ -0,0 +1,32 @@ +{ config, lib, ... }: + +let + hostname = config.krebs.build.host.name; + inherit (lib) + nameValuePair + ; + +in { + imports = [ + ./realwallpaper.nix + ]; + + krebs.nginx.servers.wallpaper = { + server-names = [ + hostname + ]; + locations = [ + (nameValuePair "/wallpaper.png" '' + root /tmp/; + '') + ]; + }; + + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } + ]; + }; + }; +} diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix new file mode 100644 index 000000000..f1c8861e1 --- /dev/null +++ b/lass/2configs/realwallpaper.nix @@ -0,0 +1,9 @@ +{ config, ... }: + +{ + imports = [ + ../3modules/realwallpaper.nix + ]; + + lass.realwallpaper.enable = true; +} diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index d7df15027..7f0bcc5e8 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -1,11 +1,8 @@ { ... }: { - imports = [ - ../3modules/iptables.nix - ]; - lass.iptables = { + krebs.iptables = { tables = { filter.INPUT.rules = [ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index bd895e156..225ddd308 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -16,7 +16,9 @@ environment.systemPackages = with pkgs; [ steam ]; - lass.iptables = { + + #ports for inhome streaming + krebs.iptables = { tables = { filter.INPUT.rules = [ |