diff options
Diffstat (limited to 'krebs')
35 files changed, 425 insertions, 455 deletions
diff --git a/krebs/0tests/data/test-config.nix b/krebs/0tests/data/test-config.nix index f0927ddd9..33cb01245 100644 --- a/krebs/0tests/data/test-config.nix +++ b/krebs/0tests/data/test-config.nix @@ -8,7 +8,6 @@ ]; krebs.hosts.minimal = { - cores = 1; secure = false; }; diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 02749dafe..9849937d5 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -14,6 +14,7 @@ <stockholm/krebs/2configs/mud.nix> <stockholm/krebs/2configs/cal.nix> + <stockholm/krebs/2configs/mastodon.nix> ## shackie irc bot <stockholm/krebs/2configs/shack/reaktor.nix> @@ -21,6 +22,7 @@ krebs.build.host = config.krebs.hosts.hotdog; krebs.github-hosts-sync.enable = true; + krebs.pages.enable = true; boot.isContainer = true; networking.useDHCP = false; diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 8250ebad9..2f55995cf 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -7,5 +7,31 @@ <stockholm/krebs/2configs/matterbridge.nix> ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.logRefusedConnections = false; + networking.firewall.logRefusedUnicastsOnly = false; + + # Move Internet-facing SSH port to reduce logspam. + networking.firewall.extraCommands = let + host = config.krebs.build.host; + in /* sh */ '' + iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 + iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22 + iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT + iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0 + + ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 + ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22 + ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT + ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0 + ''; + krebs.build.host = config.krebs.hosts.ponte; + + krebs.pages.enable = true; + krebs.pages.nginx.addSSL = true; + krebs.pages.nginx.enableACME = true; + + security.acme.acceptTerms = true; + security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de"; } diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index f4bd472a4..033cb94d1 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -110,7 +110,8 @@ <stockholm/krebs/2configs/shack/prometheus/server.nix> <stockholm/krebs/2configs/shack/prometheus/blackbox.nix> #<stockholm/krebs/2configs/shack/prometheus/unifi.nix> - <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix> + # TODO: alertmanager 0.24+ supports telegram + # <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix> ]; krebs.build.host = config.krebs.hosts.puyak; diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 38d770316..fffe128e6 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -27,9 +27,6 @@ with import <stockholm/lib>; ]; console.keyMap = "us"; - i18n = { - defaultLocale = lib.mkForce "C"; - }; programs.ssh.startAgent = false; @@ -60,4 +57,7 @@ with import <stockholm/lib>; # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; + + # maybe fix Error: unsupported locales detected: + i18n.defaultLocale = mkDefault "C.UTF-8"; } diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index c6c91e074..5435ea166 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -5,9 +5,10 @@ 6667 ]; - krebs.ergo = { + services.ergochat = { enable = true; - config = { + settings = { + server.name = "irc.r"; server.secure-nets = [ "42::0/16" "10.240.0.0/12" diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix new file mode 100644 index 000000000..4d359c3fe --- /dev/null +++ b/krebs/2configs/mastodon-proxy.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."social.krebsco.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + # TODO use this in 22.11 + # recommendedProxySettings = true; + proxyPass = "http://hotdog.r"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + ''; + }; + }; + }; +} diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix new file mode 100644 index 000000000..145b383ed --- /dev/null +++ b/krebs/2configs/mastodon.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresql = { + enable = true; + dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"; + package = pkgs.postgresql_11; + }; + systemd.tmpfiles.rules = [ + "d /var/state/postgresql 0700 postgres postgres -" + ]; + + services.mastodon = { + enable = true; + localDomain = "social.krebsco.de"; + configureNginx = true; + trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr; + smtp.createLocally = false; + smtp.fromAddress = "derp"; + }; + + services.nginx.virtualHosts.${config.services.mastodon.localDomain} = { + forceSSL = lib.mkForce false; + enableACME = lib.mkForce false; + locations."@proxy".extraConfig = '' + proxy_redirect off; + proxy_pass_header Server; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + ''; + }; + + networking.firewall.allowedTCPPorts = [ + 80 + ]; + + environment.systemPackages = [ + (pkgs.writers.writeDashBin "tootctl" '' + sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + '') + (pkgs.writers.writeDashBin "create-mastodon-user" '' + set -efu + nick=$1 + /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed + /run/current-system/sw/bin/tootctl accounts approve "$nick" + '') + ]; +} diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 3649aeeea..d6c6371da 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -68,8 +68,8 @@ wantedBy = [ "multi-user.target" ]; }; - krebs.ergo.openFilesLimit = 16384; - krebs.ergo.config = { + services.ergochat.openFilesLimit = 16384; + services.ergochat.settings = { limits.nicklen = 100; limits.identlen = 100; history.enabled = false; diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 13b59fa82..11aaf876a 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -64,8 +64,7 @@ let pkgs.curl pkgs.stable-generate ]} - stable_url=$(stable-generate "$@") - paste_url=$(curl -Ss "$stable_url" | + paste_url=$(stable-generate "$@" | curl -Ss http://p.r --data-binary @- | tail -1 ) @@ -73,6 +72,22 @@ let ''; }; }; + interrogate = { + pattern = "^!interrogate (.*)$"; + activate = "match"; + arguments = [1]; + command = { + filename = pkgs.writeDash "interrogate" '' + set -efux + + export PATH=${makeBinPath [ + pkgs.stable-interrogate + ]} + caption=$(stable-interrogate "$@") + echo "$_from: $caption" + ''; + }; + }; confuse_hackint = { pattern = "^!confuse (.*)$"; @@ -87,8 +102,7 @@ let pkgs.stable-generate ]} case $_msgtarget in \#*) - stable_url=$(stable-generate "$@") - paste_url=$(curl -Ss "$stable_url" | + paste_url=$(stable-generate "$@" | curl -Ss https://p.krebsco.de --data-binary @- | tail -1 ) @@ -132,7 +146,7 @@ let command = 1; arguments = [2]; env.TASKDATA = "${stateDir}/${name}"; - commands = { + commands = rec { add.filename = pkgs.writeDash "${name}-task-add" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" ''; @@ -145,6 +159,7 @@ let delete.filename = pkgs.writeDash "${name}-task-delete" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" ''; + del = delete; done.filename = pkgs.writeDash "${name}-task-done" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" ''; @@ -289,7 +304,18 @@ let longitude=$(echo "$poi" | jq -r .longitude) fi - restaurant=$(osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude") + for api_endpoint in \ + https://lz4.overpass-api.de/api/interpreter \ + https://z.overpass-api.de/api/interpreter \ + https://maps.mail.ru/osm/tools/overpass/api/interpreter \ + https://overpass.openstreetmap.ru/api/interpreter \ + https://overpass.kumi.systems/api/interpreter + do + restaurant=$(osm-restaurants --endpoint "$api_endpoint" --radius "$2" --latitude "$latitude" --longitude "$longitude") + if [ "$?" -eq 0 ]; then + break + fi + done printf '%s' "$restaurant" | tail -1 | jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"' ''; }; @@ -297,6 +323,7 @@ let bedger-add bedger-balance hooks.sed + interrogate say (generators.command_hook { inherit (commands) dance random-emoji nixos-version; diff --git a/krebs/2configs/shack/prometheus/alertmanager-telegram.nix b/krebs/2configs/shack/prometheus/alertmanager-telegram.nix deleted file mode 100644 index 8527001cb..000000000 --- a/krebs/2configs/shack/prometheus/alertmanager-telegram.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, ...}: -{ - systemd.services.alertmanager-bot-telegram = { - wantedBy = [ "multi-user.target" ]; - after = [ "ip-up.target" ]; - serviceConfig = { - EnvironmentFile = toString <secrets/shack/telegram_bot.env>; - DynamicUser = true; - StateDirectory = "alertbot"; - ExecStart = ''${pkgs.alertmanager-bot-telegram}/bin/alertmanager-bot \ - --alertmanager.url=http://alert.prometheus.shack --log.level=info \ - --store=bolt --bolt.path=/var/lib/alertbot/bot.db \ - --listen.addr="0.0.0.0:16320" \ - --template.paths=${./templates}/shack.tmpl''; - }; - }; -} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 70fc05813..bff7e135f 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -7,6 +7,7 @@ let out = { imports = [ ../../kartei + ../../submodules/disko/module.nix ./acl.nix ./airdcpp.nix ./announce-activation.nix @@ -20,7 +21,6 @@ let ./ci ./current.nix ./dns.nix - ./ergo.nix ./exim-retiolum.nix ./exim-smarthost.nix ./exim.nix @@ -35,6 +35,7 @@ let ./iptables.nix ./kapacitor.nix ./konsens.nix + ./krebs-pages.nix ./monit.nix ./nixpkgs.nix ./on-failure.nix @@ -49,6 +50,7 @@ let ./secret.nix ./setuid.nix ./shadow.nix + ./sitemap.nix ./ssl.nix ./sync-containers.nix ./systemd.nix @@ -56,6 +58,7 @@ let ./tinc_graphs.nix ./upstream ./urlwatch.nix + ./users.nix ./xresources.nix ./zones.nix ]; @@ -66,15 +69,6 @@ let api = { enable = mkEnableOption "krebs"; - users = mkOption { - type = with types; attrsOf user; - }; - - sitemap = mkOption { - default = {}; - type = types.attrsOf types.sitemap.entry; - }; - zone-head-config = mkOption { type = with types; attrsOf str; description = '' @@ -91,10 +85,6 @@ let @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) IN NS ns19.ovh.net. IN NS dns19.ovh.net. - IN A 185.199.108.153 - IN A 185.199.109.153 - IN A 185.199.110.153 - IN A 185.199.111.153 ''; }; }; @@ -102,28 +92,6 @@ let imp = lib.mkMerge [ { - krebs.dns.providers = { - "krebsco.de" = "zones"; - shack = "hosts"; - i = "hosts"; - r = "hosts"; - w = "hosts"; - }; - - krebs.dns.search-domain = mkDefault "r"; - - krebs.users = { - krebs = { - home = "/krebs"; - mail = "spam@krebsco.de"; - }; - root = { - home = "/root"; - pubkey = config.krebs.build.host.ssh.pubkey; - uid = 0; - }; - }; - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) [privkey]; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix index 8acc4ccd8..8a74d3067 100644 --- a/krebs/3modules/dns.nix +++ b/krebs/3modules/dns.nix @@ -1,12 +1,21 @@ with import <stockholm/lib>; -{ +{ config, ... }: { options = { krebs.dns.providers = mkOption { type = types.attrsOf types.str; }; - krebs.dns.search-domain = mkOption { type = types.nullOr types.hostname; }; }; + config = mkIf config.krebs.enable { + krebs.dns.providers = { + "krebsco.de" = "zones"; + shack = "hosts"; + i = "hosts"; + r = "hosts"; + w = "hosts"; + }; + krebs.dns.search-domain = mkDefault "r"; + }; } diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix deleted file mode 100644 index d5f167e79..000000000 --- a/krebs/3modules/ergo.nix +++ /dev/null @@ -1,133 +0,0 @@ -{ config, lib, options, pkgs, ... }: { - options = { - krebs.ergo = { - enable = lib.mkEnableOption "Ergo IRC daemon"; - openFilesLimit = lib.mkOption { - type = lib.types.int; - default = 1024; - description = '' - Maximum number of open files. Limits the clients and server connections. - ''; - }; - config = lib.mkOption { - type = (pkgs.formats.json {}).type; - description = '' - Ergo IRC daemon configuration file. - https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml - ''; - default = { - network = { - name = "krebstest"; - }; - server = { - name = "${config.networking.hostName}.r"; - listeners = { - ":6667" = {}; - }; - casemapping = "permissive"; - enforce-utf = true; - lookup-hostnames = false; - ip-cloaking = { - enabled = false; - }; - forward-confirm-hostnames = false; - check-ident = false; - relaymsg = { - enabled = false; - }; - max-sendq = "1M"; - ip-limits = { - count = false; - throttle = false; - }; - }; - datastore = { - autoupgrade = true; - path = "/var/lib/ergo/ircd.db"; - }; - accounts = { - authentication-enabled = true; - registration = { - enabled = true; - allow-before-connect = true; - throttling = { - enabled = true; - duration = "10m"; - max-attempts = 30; - }; - bcrypt-cost = 4; - email-verification.enabled = false; - }; - multiclient = { - enabled = true; - allowed-by-default = true; - always-on = "opt-out"; - auto-away = "opt-out"; - }; - }; - channels = { - default-modes = "+ntC"; - registration = { - enabled = true; - }; - }; - limits = { - nicklen = 32; - identlen = 20; - channellen = 64; - awaylen = 390; - kicklen = 390; - topiclen = 390; - }; - history = { - enabled = true; - channel-length = 2048; - client-length = 256; - autoresize-window = "3d"; - autoreplay-on-join = 0; - chathistory-maxmessages = 100; - znc-maxmessages = 2048; - restrictions = { - expire-time = "1w"; - query-cutoff = "none"; - grace-period = "1h"; - }; - retention = { - allow-individual-delete = false; - enable-account-indexing = false; - }; - tagmsg-storage = { - default = false; - whitelist = [ - "+draft/react" - "+react" - ]; - }; - }; - }; - }; - }; - }; - config = let - cfg = config.krebs.ergo; - configFile = pkgs.writeJSON "ergo.conf" cfg.config; - in lib.mkIf cfg.enable ({ - environment.etc."ergo.yaml".source = configFile; - krebs.ergo.config = - lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default; - systemd.services.ergo = { - description = "Ergo IRC daemon"; - wantedBy = [ "multi-user.target" ]; - # reload currently not working as expected - # reloadIfChanged = true; - restartTriggers = [ configFile ]; - serviceConfig = { - ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml"; - ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; - DynamicUser = true; - StateDirectory = "ergo"; - LimitNOFILE = "${toString cfg.openFilesLimit}"; - }; - }; - }); -} diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index fe149448b..7c176d224 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -12,6 +12,8 @@ let api = { enable = mkEnableOption "krebs.exim-smarthost"; + enableSPFVerification = mkEnableOption "SPF verification"; + authenticators = mkOption { type = types.attrsOf types.str; default = {}; @@ -123,10 +125,12 @@ let # XXX We abuse local_domains to mean "domains, we're the gateway for". domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains} hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts} - acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data + acl_smtp_mail = acl_check_mail + acl_smtp_rcpt = acl_check_rcpt never_users = root @@ -173,11 +177,46 @@ let acl_check_data: warn - sender_domains = ${concatStringsSep ":" cfg.sender_domains} + sender_domains = +sender_domains set acl_m_special_dom = $sender_address_domain accept + acl_check_mail: + ${if cfg.enableSPFVerification then indent /* exim */ '' + accept + authenticated = * + accept + hosts = +relay_from_hosts + deny + spf = fail : softfail + log_message = spf=$spf_result + message = SPF validation failed: \ + $sender_host_address is not allowed to send mail from \ + ''${if def:sender_address_domain\ + {$sender_address_domain}\ + {$sender_helo_name}} + deny + spf = permerror + log_message = spf=$spf_result + message = SPF validation failed: \ + syntax error in SPF record(s) for \ + ''${if def:sender_address_domain\ + {$sender_address_domain}\ + {$sender_helo_name}} + defer + spf = temperror + log_message = spf=$spf_result; deferred + message = temporary error during SPF validation; \ + please try again later + warn + spf = none : neutral + log_message = spf=$spf_result + accept + add_header = $spf_received + '' else indent /* exim */ '' + accept + ''} begin routers diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index ae0136303..bd1bb1652 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -11,7 +11,7 @@ in { }; }; - config = { + config = mkIf config.krebs.enable { networking.hosts = filterAttrs (_name: value: value != []) diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 375e26974..b760ea671 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -2,6 +2,12 @@ with import <stockholm/lib>; let + optionalAttr = name: value: + if name != null then + { ${name} = value; } + else + {}; + cfg = config.krebs.htgen; out = { @@ -30,8 +36,15 @@ let }; script = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; + }; + + scriptFile = mkOption { + type = types.nullOr (types.either types.package types.pathname); + default = null; }; + user = mkOption { type = types.user; default = { @@ -54,8 +67,10 @@ let after = [ "network.target" ]; environment = { HTGEN_PORT = toString htgen.port; - HTGEN_SCRIPT = htgen.script; - }; + } + // optionalAttr "HTGEN_SCRIPT" htgen.script + // optionalAttr "HTGEN_SCRIPT_FILE" htgen.scriptFile + ; serviceConfig = { SyslogIdentifier = "htgen"; User = htgen.user.name; diff --git a/krebs/3modules/krebs-pages.nix b/krebs/3modules/krebs-pages.nix new file mode 100644 index 000000000..6dd046a8b --- /dev/null +++ b/krebs/3modules/krebs-pages.nix |