summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/lass/default.nix71
-rw-r--r--krebs/3modules/realwallpaper.nix185
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix24
-rw-r--r--lass/1systems/cabal/config.nix16
-rw-r--r--lass/1systems/cabal/physical.nix12
-rw-r--r--lass/1systems/icarus/config.nix4
-rw-r--r--lass/1systems/mors/config.nix5
-rw-r--r--lass/1systems/prism/config.nix56
-rw-r--r--lass/1systems/prism/physical.nix5
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/yellow/config.nix140
-rw-r--r--lass/1systems/yellow/physical.nix8
-rw-r--r--lass/2configs/baseX.nix6
-rw-r--r--lass/2configs/binary-cache/server.nix1
-rw-r--r--lass/2configs/downloading.nix65
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/mail.nix10
-rw-r--r--lass/2configs/tests/dummy-secrets/nordvpn.txt0
-rw-r--r--lass/2configs/websites/fritz.nix70
-rw-r--r--lass/2configs/websites/lassulus.nix16
-rw-r--r--lass/5pkgs/custom/xmonad-lass/default.nix21
-rw-r--r--lass/5pkgs/emot-menu/default.nix31
-rw-r--r--lass/5pkgs/fzfmenu/default.nix45
23 files changed, 530 insertions, 263 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 836ecb3f6..09c8ba675 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -644,47 +644,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
};
- cabal = {
- cores = 2;
- nets = rec {
- retiolum = {
- ip4.addr = "10.243.1.4";
- ip6.addr = "42::1:4";
- aliases = [
- "cabal.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIECgKCBAEAukXm8xPpC6/F+wssYqQbqt1QDwsPrF3TJ9ToLFcN1WgDlhDhjM3A
- SuRDMNjRT1fvVTuXyplH5g16eokW/yLOpNnznMS3/VR372pLPEOqfuRf7wAy18jj
- rZkW3EO7nyZ8KMb+SXA8Q0KIpHY50Ezh+tqGoTZDICwoK6N5dKLgAZShS55JXwwK
- qRG3vyzV3mDjgVyT0FNfyL1/BN1qvJ+tQQ40lEbkcQauMunMzNbH058kAd6H2/0e
- LK4JkxI9XpZHE6Pf1epXyClHW7vT7APFRp9gL9tZS/XMC18+aEMFfQrNW9jb3FIq
- rU5MfJ7aubboe7dT6CRaRSWpduiKLVzY/JCoGvUziyvmR7qHsQWTEjtNuQX9joc3
- 6iq1o+gmLV0G8Xwq8cEcg5USlLxNsGBQPwYnTG6iTPPHqOv7BKucekE/opnVZseE
- fSNCGl1+tGwa3soSMI97LkpQTZxdeqf+jWZve0RbSa2Ihyod91ldFCqi1+PZx68v
- yBI0PJamlt+dBx6WQKbPngWYeD8hXo7tg0XVRVa3ZQyX+Mq6uCCb2GM8ewMUPl+A
- kcY1osFt6+sdkFGdiv3FMyijAiZumPoPprXC/4SGIsMnkoI4JfSAbTpHi2QuesqR
- KMeairdB7XGUYlMvWpDLKN2dbMdRc+l3kDUKT7hALjKeyWS/27WYeK/STxvZXEXi
- TZGHopvOFv6wcrb6nI49vIJo5mDLFamAPN3ZjeR20wP95UP7cUUSaTYX49M4lX6U
- oL5BaFrcLn2PTvS84pUxcXKAp70FgTpvGJbaWwETgDjW+H+qlGmI/BTejpL7flVs
- TOtaP/uCMxhVZSFv9bzo0ih10o+4gtU8lqxfJsVxlf2K7LVZ++LQba/u+XxRY+xw
- 3IFBfg34tnO6zYlV8XgAiJ6IUOHUZANsuBD4iMoFSVOig6t5eIOkgXR6GEkP8FBD
- rkroRMmxcu4lTCOzWIuAVOxCd4XXguoGQ4HAzpGd5ccdcb8Ev4RYEvNJY7B5tIQZ
- 4J0F9ECzJuSu1HvWTL+T6a36d2MDTkXU2IJ2tSHciXqiP+QMMF7p9Ux0tiAq4mtf
- luA94uKWg3cSyTyEM/jF66CgO6Ts3AivNE0MRNupV6AbUdr+TjzotGn9rxi168py
- w/49OVbpR9EIGC2wxx7qcSEk5chFOcgvNQMRqgIx51bbOL7JYb0f4XuA38GUqLkG
- 09PXmPeyqGzR9HsV2XZDprZdD3Dy4ojdexw0+YILg9bHaAxLHYs6WFZvzfaLLsf1
- K2I39vvrEEOy8tHi4jvMk7oVX6RWG+DOZMeXTvyUCaBHyYkA0eDlC6NeKOHxnW/g
- ZtN1W93UdklEqc5okM0/ZIke1HDRt3ZLdQIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- secure = true;
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
- };
red = {
monitoring = false;
cores = 1;
@@ -716,6 +675,36 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
+ yellow = {
+ cores = 1;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.14";
+ ip6.addr = "42:0:0:0:0:0:0:14";
+ aliases = [
+ "yellow.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
+ MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY
+ b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU
+ Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd
+ OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP
+ vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6
+ C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp
+ Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU
+ 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg
+ zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p
+ DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ
+ Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
+ };
blue = {
cores = 1;
nets = {
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 044811c7d..cb940efef 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -77,7 +77,190 @@ let
serviceConfig = {
Type = "simple";
- ExecStart = "${pkgs.realwallpaper}/realwallpaper.sh";
+ ExecStart = pkgs.writeDash "generate-wallpaper" ''
+ set -xeuf
+
+ # usage: getimg FILENAME URL
+ fetch() {
+ echo "fetch $1"
+ curl -LsS -z "$1" -o "$1" "$2"
+ }
+
+ # usage: check_type FILENAME TYPE
+ check_type() {
+ if ! file -ib "$1" | grep -q "^$2/"; then
+ echo "$1 is not of type $2" >&2
+ rm "$1"
+ return 1
+ fi
+ }
+
+ # usage: image_size FILENAME
+ image_size() {
+ identify "$1" | awk '{print$3}'
+ }
+
+ # usage: make_mask DST SRC MASK
+ make_layer() {
+ if needs_rebuild "$@"; then
+ echo "make $1 (apply mask)" >&2
+ convert "$2" "$3" -alpha off -compose copy_opacity -composite "$1"
+ fi
+ }
+
+ # usage: flatten DST HILAYER LOLAYER
+ flatten() {
+ if needs_rebuild "$@"; then
+ echo "make $1 (flatten)" >&2
+ composite "$2" "$3" "$1"
+ fi
+ }
+
+ # usage: needs_rebuild DST SRC...
+ needs_rebuild() {
+ a="$1"
+ shift
+ if ! test -e "$a"; then
+ #echo " $a does not exist" >&2
+ result=0
+ else
+ result=1
+ for b; do
+ if test "$b" -nt "$a"; then
+ #echo " $b is newer than $a" >&2
+ result=0
+ fi
+ done
+ fi
+ #case $result in
+ # 0) echo "$a needs rebuild" >&2;;
+ #esac
+ return $result
+ }
+
+ main() {
+ cd ${cfg.workingDir}
+
+ # fetch source images in parallel
+ fetch nightmap-raw.jpg \
+ ${cfg.nightmap} &
+ fetch daymap-raw.png \
+ ${cfg.daymap} &
+ fetch clouds-raw.jpg \
+ ${cfg.cloudmap} &
+ fetch marker.json \
+ ${cfg.marker} &
+ wait
+
+ check_type nightmap-raw.jpg image
+ check_type daymap-raw.png image
+ check_type clouds-raw.jpg image
+
+ in_size=2048x1024
+ xplanet_out_size=1466x1200
+ out_geometry=1366x768+100+160
+
+ nightsnow_color='#0c1a49' # nightmap
+
+ for raw in \
+ nightmap-raw.jpg \
+ daymap-raw.png \
+ clouds-raw.jpg \
+ ;
+ do
+ normal=''${raw%-raw.*}.png
+ if needs_rebuild $normal $raw; then
+ echo "make $normal; normalize $raw" >&2
+ convert $raw -scale $in_size $normal
+ fi
+ done
+
+ # create nightmap-fullsnow
+ if needs_rebuild nightmap-fullsnow.png; then
+ convert -size $in_size xc:$nightsnow_color nightmap-fullsnow.png
+ fi
+
+ # extract daymap-snowmask from daymap-final
+ if needs_rebuild daymap-snowmask.png daymap.png; then
+ convert daymap.png -threshold 95% daymap-snowmask.png
+ fi
+
+ # extract nightmap-lightmask from nightmap
+ if needs_rebuild nightmap-lightmask.png nightmap.png; then
+ convert nightmap.png -threshold 25% nightmap-lightmask.png
+ fi
+
+ # create layers
+ make_layer nightmap-snowlayer.png nightmap-fullsnow.png daymap-snowmask.png
+ make_layer nightmap-lightlayer.png nightmap.png nightmap-lightmask.png
+
+ # apply layers
+ flatten nightmap-lightsnowlayer.png \
+ nightmap-lightlayer.png \
+ nightmap-snowlayer.png
+
+ flatten nightmap-final.png \
+ nightmap-lightsnowlayer.png \
+ nightmap.png
+
+ # create marker file from json
+ if [ -s marker.json ]; then
+ jq -r 'to_entries[] | @json "\(.value.latitude) \(.value.longitude)"' marker.json > marker_file
+ fi
+
+ # make all unmodified files as final
+ for normal in \
+ daymap.png \
+ clouds.png \
+ ;
+ do
+ final=''${normal%.png}-final.png
+ needs_rebuild $final &&
+ ln $normal $final
+ done
+
+ # rebuild every time to update shadow
+ xplanet --num_times 1 --geometry $xplanet_out_size \
+ --output xplanet-output.png --projection merc \
+ -config ${pkgs.writeText "xplanet.config" ''
+ [earth]
+ "Earth"
+ map=daymap-final.png
+ night_map=nightmap-final.png
+ cloud_map=clouds-final.png
+ cloud_threshold=10
+ shade=15
+ ''}
+
+ xplanet --num_times 1 --geometry $xplanet_out_size \
+ --output xplanet-krebs-output.png --projection merc \
+ -config ${pkgs.writeText "xplanet-krebs.config" ''
+ [earth]
+ "Earth"
+ map=daymap-final.png
+ night_map=nightmap-final.png
+ cloud_map=clouds-final.png
+ cloud_threshold=10
+ marker_file=marker_file
+ shade=15
+ ''}
+
+ # trim xplanet output
+ if needs_rebuild realwallpaper.png xplanet-output.png; then
+ convert xplanet-output.png -crop $out_geometry \
+ realwallpaper-tmp.png
+ mv realwallpaper-tmp.png realwallpaper.png
+ fi
+
+ if needs_rebuild realwallpaper-krebs.png xplanet-krebs-output.png; then
+ convert xplanet-krebs-output.png -crop $out_geometry \
+ realwallpaper-krebs-tmp.png
+ mv realwallpaper-krebs-tmp.png realwallpaper-krebs.png
+ fi
+ }
+
+ main "$@"
+ '';
User = "realwallpaper";
};
};
diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
deleted file mode 100644
index 7c9812117..000000000
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, fetchgit, xplanet, imagemagick, curl, file }:
-
-stdenv.mkDerivation {
- name = "realwallpaper";
-
- src = fetchgit {
- url = https://github.com/Lassulus/realwallpaper;
- rev = "847faebc9b7e87e4bea078e3a2304ec00b4cdfc0";
- sha256 = "10zihkwj9vpshlxw2jk67zbsy8g4i8b1y4jzna9fdcsgn7s12jrr";
- };
-
- phases = [
- "unpackPhase"
- "installPhase"
- ];
-
- buildInputs = [
- ];
-
- installPhase = ''
- mkdir -p $out
- cp realwallpaper.sh $out/realwallpaper.sh
- '';
-}
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix
deleted file mode 100644
index 6a8040c9d..000000000
--- a/lass/1systems/cabal/config.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- <stockholm/lass>
-
- <stockholm/lass/2configs/mouse.nix>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- <stockholm/lass/2configs/baseX.nix>
- <stockholm/lass/2configs/AP.nix>
- <stockholm/lass/2configs/blue-host.nix>
- ];
-
- krebs.build.host = config.krebs.hosts.cabal;
-}
diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix
deleted file mode 100644
index 3cc4af03b..000000000
--- a/lass/1systems/cabal/physical.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- imports = [
- ./config.nix
- <stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
- ];
-
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0"
- '';
-}
diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 1957c8ba4..d2d4bd3eb 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -25,9 +25,5 @@
macchanger
dpass
];
- services.redshift = {
- enable = true;
- provider = "geoclue2";
- };
programs.adb.enable = true;
}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index cac13be2b..207c7c640 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -102,6 +102,7 @@ with import <stockholm/lib>;
urban
mk_sql_pair
remmina
+ transmission
iodine
@@ -148,10 +149,6 @@ with import <stockholm/lib>;
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true;
- services.redshift = {
- enable = true;
- provider = "geoclue2";
- };
lass.restic = genAttrs [
"daedalus"
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index a9fbae695..0ca39447d 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -207,7 +207,6 @@ with import <stockholm/lib>;
RandomizedDelaySec = "2min";
};
}
- <stockholm/lass/2configs/downloading.nix>
<stockholm/lass/2configs/minecraft.nix>
{
services.taskserver = {
@@ -338,6 +337,61 @@ with import <stockholm/lib>;
];
}
+ {
+ systemd.services."container@yellow".reloadIfChanged = mkForce false;
+ containers.yellow = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.13";
+ localAddress = "10.233.2.14";
+ };
+
+ services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = ''
+ if ($scheme != "https") {
+ rewrite ^ https://$host$uri permanent;
+ }
+ auth_basic "Restricted Content";
+ auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
+ krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
+ ''};
+ proxy_pass http://10.233.2.14:9091;
+ '';
+
+ users.groups.download = {};
+ users.users = {
+ download = {
+ createHome = true;
+ group = "download";
+ name = "download";
+ home = "/var/download";
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ lass-shodan.pubkey
+ lass-icarus.pubkey
+ lass-daedalus.pubkey
+ lass-helios.pubkey
+ makefu.pubkey
+ wine-mors.pubkey
+ ];
+ };
+ };
+
+ system.activationScripts.downloadFolder = ''
+ mkdir -p /var/download
+ chmod 775 /var/download
+ ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
+ chown download: /var/download/finished
+ '';
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 4388c13fa..116bdb92f 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -25,6 +25,11 @@
fsType = "zfs";
};
+ fileSystems."/var/download" = {
+ device = "tank/download";
+ fsType = "zfs";
+ };
+
fileSystems."/var/lib/containers" = {
device = "tank/containers";
fsType = "zfs";
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 14aca598e..13a8b3e41 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -7,6 +7,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
+ <stockholm/lass/2configs/power-action.nix>
{
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
new file mode 100644
index 000000000..48d405111
--- /dev/null
+++ b/lass/1systems/yellow/config.nix
@@ -0,0 +1,140 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs>
+ <stockholm/lass/2configs/retiolum.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.yellow;
+
+ system.activationScripts.downloadFolder = ''
+ mkdir -p /var/download
+ chown download:download /var/download
+ chmod 775 /var/download
+ '';
+
+ users.users.download = { uid = genid "download"; };
+ users.groups.download.members = [ "transmission" ];
+ users.users.transmission.group = mkForce "download";
+
+ systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
+ services.transmission = {
+ enable = true;
+ settings = {
+ download-dir = "/var/download/finished";
+ incomplete-dir = "/var/download/incoming";
+ incomplete-dir-enable = true;
+ umask = "002";
+ rpc-whitelist-enabled = false;
+ rpc-host-whitelist-enabled = false;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."yellow.r".locations."/dl".extraConfig = ''
+ autoindex on;
+ alias /var/download/finished;
+ '';
+ };
+
+ krebs.iptables = {
+ enable = true;
+ tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
+ ];
+ };
+
+ services.openvpn.servers.nordvpn.config = ''
+ client
+ dev tun
+ proto udp
+ remote 82.102.16.229 1194
+ resolv-retry infinite
+ remote-random
+ nobind
+ tun-mtu 1500
+ tun-mtu-extra 32
+ mssfix 1450
+ persist-key
+ persist-tun
+ ping 15
+ ping-restart 0
+ ping-timer-rem
+ reneg-sec 0
+ comp-lzo no
+
+ explicit-exit-notify 3
+
+ remote-cert-tls server
+
+ #mute 10000
+ auth-user-pass ${toString <secrets/nordvpn.txt>}
+
+ verb 3
+ pull
+ fast-io
+ cipher AES-256-CBC
+ auth SHA512
+
+ <ca>
+ -----BEGIN CERTIFICATE-----
+ MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+ VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
+ Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw
+ bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
+ ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG
+ A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
+ B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2
+ cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
+ cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG
+ UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny
+ mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X
+ +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT
+ ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI
+ 583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA
+ VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT
+ Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh
+ MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
+ MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy
+ Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
+ EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG
+ SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ
+ e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW
+ //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB
+ wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB
+ KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p
+ lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9
+ -----END CERTIFICATE-----
+ </ca>
+ key-direction 1
+ <tls-auth>
+ #
+ # 2048 bit OpenVPN static key
+ #
+ -----BEGIN OpenVPN Static key V1-----
+ 49b2f54c6ee58d2d97331681bb577d55
+ 054f56d92b743c31e80b684de0388702
+ ad3bf51088cd88f3fac7eb0729f2263c
+ 51d82a6eb7e2ed4ae6dfa65b1ac764d0
+ b9dedf1379c1b29b36396d64cb6fd6b2
+ e61f869f9a13001dadc02db171f04c4d
+ c46d1132c1f31709e7b54a6eabae3ea8
+ fbd2681363c185f4cb1be5aa42a27c31
+ 21db7b2187fd11c1acf224a0d5a44466
+ b4b5a3cc34ec0227fe40007e8b379654
+ f1e8e2b63c6b46ee7ab6f1bd82f57837
+ 92c209e8f25bc9ed493cb5c1d891ae72
+ 7f54f4693c5b20f136ca23e639fd8ea0
+ 865b4e22dd2af43e13e6b075f12427b2
+ 08af9ffd09c56baa694165f57fe2697a
+ 3377fa34aebcba587c79941d83deaf45
+ -----END OpenVPN Static key V1-----
+ </tls-auth>
+ '';
+}
diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix
new file mode 100644
index 000000000..7499ff723
--- /dev/null
+++ b/lass/1systems/yellow/physical.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./config.nix
+ ];
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ environment.variables.NIX_REMOTE = "daemon";
+}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 9b44e8f0e..d781f8c71 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -126,6 +126,12 @@ in {
restartIfChanged = false;
};
+ nixpkgs.config.packageOverrides = super: {
+ dmenu = pkgs.writeDashBin "dmenu" ''
+ ${pkgs.fzfmenu}/bin/fzfmenu "$@"
+ '';
+ };
+
krebs.xresources.enable = true;
lass.screenlock.enable = true;
}
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 86158c468..d3775b5df 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -26,6 +26,7 @@
'';
};
virtualHosts."cache.krebsco.de" = {
+ forceSSL = true;
serverAliases = [ "cache.lassul.us" ];
enableACME = true;
locations."/".extraConfig = ''
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
deleted file mode 100644
index 8d0fb0d02..000000000
--- a/lass/2configs/downloading.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-{
- users.extraUsers = {
- download = {
- name = "download";
- home = "/var/download";
- createHome = true;
- useDefaultShell = true;
- extraGroups = [
- "download"
- ];
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-shodan.pubkey
- lass-icarus.pubkey
- lass-daedalus.pubkey
- lass-helios.pubkey
- makefu.pubkey
- wine-mors.pubkey
- ];
- };
-
- transmission = {
- extraGroups = [
- "download"
- ];
- };
- };
-
- users.extraGroups = {
- download = {
- members = [
- "download"
- "transmission"
- ];
- };
- };
-
- krebs.rtorrent = {
- enable = true;
- web = {
- enable = true;
- port = 9091;
- basicAuth = import <secrets/torrent-auth>;
- };
- rutorrent.enable = true;
- enableXMLRPC = true;
- listenPort = 51413;
- downloadDir = "/var/download/finished";
- # dump old torrents into watch folder to have them re-added
- watchDir = "/var/download/watch";
- };
-
- krebs.iptables = {
- enable = true;
- tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
- ];
- };
-}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 9bb70d1c2..1ee45bb41 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -93,6 +93,7 @@ with import <stockholm/lib>;
{ from = "neocron@lassul.us"; to = lass.mail; }
{ from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; }
+ { from = "nordvpn@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9ea91ae19..36e797a96 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -174,6 +174,16 @@ let
macro pager a "<modify-labels>-archive\n" # tag as Archived
+ bind index U noop
+ bind index u noop
+ bind pager U noop
+ bind pager u noop
+ macro index U "<modify-labels>+unread\n"
+ macro index u "<modify-labels>-unread\n"
+ macro pager U "<modify-labels>+unread\n"
+ macro pager u "<modify-labels>-unread\n"
+
+
bind index t noop
bind pager t noop
macro index t "<modify-labels>" # tag as Archived
diff --git a/lass/2configs/tests/dummy-secrets/nordvpn.txt b/lass/2configs/tests/dummy-secrets/nordvpn.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/nordvpn.txt
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
deleted file mode 100644
index 14d6ce9ec..000000000
--- a/lass/2configs/websites/fritz.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
- inherit (import <stockholm/lib>)
- genid
- head
- ;
- inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- servePage
- serveWordpress
- ;
-
- msmtprc = pkgs.writeText "msmtprc" ''
- account default
- host localhost
- '';
-
- sendmail = pkgs.writeDash "msmtp" ''
- exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
- '';
-
-in {
-
- services.nginx.enable = true;
-
- imports = [
- ./default.nix
- ./sqlBackup.nix
-
- (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
-
- (serveWordpress [ "gs-maubach.de" "www.gs-maubach.de" ])
-
- (serveWordpress [ "spielwaren-kern.de" "www.spielwaren-kern.de" ])
-
- (servePage [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ])
-
- (serveWordpress [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ])
-
- (serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ])
-
- (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
- ];
-
- lass.mysqlBackup.config.all.databases = [
- "eastuttgart_de"
- "radical_dreamers_de"
- "spielwaren_kern_de"
- "ttf_kleinaspach_de"
- ];
-
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.fritz.pubkey
- ];
-
- users.users.goldbarrendiebstahl = {
- home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";