Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/backups.nix | 99 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 3 | ||||
-rw-r--r-- | lass/2configs/default.nix (renamed from lass/2configs/base.nix) | 26 | ||||
-rw-r--r-- | lass/2configs/downloading.nix | 1 | ||||
-rw-r--r-- | lass/2configs/exim-retiolum.nix | 14 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 50 | ||||
-rw-r--r-- | lass/2configs/fastpoke-pages.nix | 101 | ||||
-rw-r--r-- | lass/2configs/games.nix | 2 | ||||
-rw-r--r-- | lass/2configs/newsbot-js.nix | 1 | ||||
-rw-r--r-- | lass/2configs/pass.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 75 | ||||
-rw-r--r-- | lass/2configs/websites/fritz.nix | 61 | ||||
-rw-r--r-- | lass/2configs/websites/wohnprojekt-rhh.de.nix | 17 |
13 files changed, 296 insertions, 155 deletions
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
new file mode 100644
index 000000000..ca9ff20a1
--- /dev/null
+++ b/lass/2configs/backups.nix
@@ -0,0 +1,99 @@ +{ config, lib, ... }: +with config.krebs.lib; +{ + + krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { + dishfire-http-prism = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; + startAt = "03:00"; + }; + dishfire-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; + startAt = "03:05"; + }; + dishfire-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + startAt = "03:10"; + }; + dishfire-sql-prism = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; + startAt = "03:15"; + }; + dishfire-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; + startAt = "03:20"; + }; + dishfire-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + startAt = "03:25"; + }; + prism-chat-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; + startAt = "03:30"; + }; + prism-chat-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.uriel; path = 
"/bku/prism-chat"; }; + startAt = "03:35"; + }; + prism-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; + startAt = "03:40"; + }; + prism-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + startAt = "03:45"; + }; + prism-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; + startAt = "03:50"; + }; + prism-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + startAt = "03:55"; + }; + uriel-home-mors = { + method = "pull"; + src = { host = config.krebs.hosts.uriel; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + startAt = "04:00"; + }; + mors-home-uriel = { + method = "push"; + src = { host = config.krebs.hosts.mors; path = "/home"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; + startAt = "05:00"; + }; + }; +} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6c52240af..79fc4744f 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -4,7 +4,7 @@ let mainUser = config.users.extraUsers.mainUser; in { imports = [ - ./base.nix + ./default.nix #./urxvt.nix ./xserver ]; @@ -39,6 +39,7 @@ in { push slock sxiv + xclip xorg.xbacklight xsel zathura diff --git a/lass/2configs/base.nix b/lass/2configs/default.nix index 8017d4270..8c6078ba5 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/default.nix 
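Review bot: The `dishfire-sql-*` and `prism-sql-*` plans replicate `/bku/sql_dumps` — full database dumps — to up to three further hosts, and the shared snapshot schedule sets `retain` for daily/weekly/monthly but none for `yearly`, so each destination presumably keeps a yearly dump forever; confirm that is intended and that `/bku` on prism, mors and uriel is not group- or world-readable. Every `pull` plan also implies the destination host holds a credential that can read `/home`, `/srv/http` or `/bku/sql_dumps` on the source as root; the krebs.backup module is not in this diff, so check which key that is and whether it is confined to the source path. A header comment would make the trust direction explicit, e.g. `# pull: the dst host connects to src and needs root-level read access to src.path`.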
@@ -7,10 +7,11 @@ with config.krebs.lib;
 ../2configs/zsh.nix
 ../2configs/mc.nix
 ../2configs/retiolum.nix
+ ./backups.nix
 {
 users.extraUsers =
 mapAttrs (_: h: { hashedPassword = h; })
- (import /root/secrets/hashedPasswords.nix);
+ (import <secrets/hashedPasswords.nix>);
 }
 {
 users.extraUsers = {
@@ -18,7 +19,6 @@ with config.krebs.lib;
 openssh.authorizedKeys.keys = [
 config.krebs.users.lass.pubkey
 config.krebs.users.lass-uriel.pubkey
- config.krebs.users.lass-helios.pubkey
 ];
 };
 mainUser = {
@@ -45,7 +45,6 @@ with config.krebs.lib;
 krebs = {
 enable = true;
 search-domain = "retiolum";
- exim-retiolum.enable = true;
 build = {
 user = config.krebs.users.lass;
 source = mapAttrs (_: mkDefault) ({
@@ -55,7 +54,7 @@ with config.krebs.lib;
 stockholm = "/home/lass/stockholm";
 nixpkgs = {
 url = https://github.com/NixOS/nixpkgs;
- rev = "40c586b7ce2c559374df435f46d673baf711c543";
+ rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819";
 dev = "/home/lass/src/nixpkgs";
 };
 } // optionalAttrs config.krebs.build.host.secure {
@@ -85,9 +84,12 @@ with config.krebs.lib;
 MANPAGER=most
 '';
 
+ nixpkgs.config.allowUnfree = true;
+
 environment.systemPackages = with pkgs; [
 #stockholm
 git
+ gnumake
 jq
 parallel
 proot
@@ -108,6 +110,11 @@ with config.krebs.lib;
 
 #neat utils
 krebspaste
+
+ #unpack stuff
+ p7zip
+ unzip
+ unrar
 ];
 
 programs.bash = {
@@ -145,10 +152,6 @@ with config.krebs.lib;
 '';
 };
 
- security.setuidPrograms = [
- "sendmail"
- ];
-
 services.openssh = {
 enable = true;
 hostKeys = [
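Review bot: `import <secrets/hashedPasswords.nix>` now resolves the password-hash file through `NIX_PATH` at evaluation time, so the `secrets=` entry becomes a build input every deploy must supply, and a wrong entry silently selects a different hash set, while a missing one at least fails evaluation closed. As with the `/root/secrets` path it replaces, the hashes become plain strings in the evaluated configuration, and on some NixOS revisions `hashedPassword` values end up in a world-readable file in the nix store — confirm against the nixpkgs rev pinned a few hunks below before treating these hashes as host-private. Document the lookup next to the import, e.g. `# resolved via NIX_PATH (secrets=...); keep that directory root-only on the build host`. The enclosing `imports` list starts before this hunk.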
@@ -165,6 +168,13 @@ with config.krebs.lib;
 krebs.iptables = {
 enable = true;
 tables = {
+ nat.PREROUTING.rules = [
+ { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+ { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+ ];
+ nat.OUTPUT.rules = [
+ { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+ ];
 filter.INPUT.policy = "DROP";
 filter.FORWARD.policy = "DROP";
 filter.INPUT.rules = [
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 115cb8b61..ccd751413 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -20,6 +20,7 @@ in {
 ];
 openssh.authorizedKeys.keys = [
 config.krebs.users.lass.pubkey
+ config.krebs.users.lass-uriel.pubkey
 ];
 };
 
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..ea2f553b8
--- /dev/null
+++ b/lass/2configs/exim-retiolum.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.exim-retiolum.enable = true;
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..e1aa29c49
--- /dev/null
+++ b/lass/2configs/exim-smarthost.nix
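Review bot: Redirecting non-retiolum port 22 to port 0 in `nat.PREROUTING` hides sshd rather than controlling access to it: the `filter.INPUT` chain sees the post-NAT destination, so whatever ACCEPT for `--dport 22` exists beyond this hunk also admits the 45621 connections from every interface, and key-only authentication stays the real control. `REDIRECT --to-ports 0` presumably lands on a port with no listener so the client gets a reset; that is the behaviour being relied on and deserves a comment, e.g. `# 22 from outside retiolum -> port 0 (no listener); public ssh is 45621, rewritten to 22 here`. If `krebs.iptables` renders only IPv4 rules, port 22 remains directly reachable over IPv6 — confirm how the module handles ip6tables. The `precedence` ordering is module-defined and not visible in this diff; the `tables` attribute set continues past the hunk.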
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.exim-smarthost = {
+ enable = true;
+ dkim = [
+ { domain = "lassul.us"; }
+ ];
+ sender_domains = [
+ "lassul.us"
+ ];
+ relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+ config.krebs.hosts.mors
+ config.krebs.hosts.uriel
+ config.krebs.hosts.helios
+ ];
+ internet-aliases = with config.krebs.users; [
+ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
+ { from = "lass@lassul.us"; to = lass.mail; }
+ { from = "lassulus@lassul.us"; to = lass.mail; }
+ { from = "test@lassul.us"; to = lass.mail; }
+ { from = "outlook@lassul.us"; to = lass.mail; }
+ ];
+ system-aliases = [
+ { from = "mailer-daemon"; to = "postmaster"; }
+ { from = "postmaster"; to = "root"; }
+ { from = "nobody"; to = "root"; }
+ { from = "hostmaster"; to = "root"; }
+ { from = "usenet"; to = "root"; }
+ { from = "news"; to = "root"; }
+ { from = "webmaster"; to = "root"; }
+ { from = "www"; to = "root"; }
+ { from = "ftp"; to = "root"; }
+ { from = "abuse"; to = "root"; }
+ { from = "noc"; to = "root"; }
+ { from = "security"; to = "root"; }
+ { from = "root"; to = "lass"; }
+ ];
+ };
+
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
deleted file mode 100644
index bf6ea8952..000000000
--- a/lass/2configs/fastpoke-pages.nix
+++ /dev/null
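Review bot: `relay_from_hosts` still trusts helios's retiolum address while default.nix in this same commit removes `lass-helios.pubkey` from root's authorized keys; relaying here is granted purely by source IP on the VPN, so if helios is being retired or is no longer trusted it should be dropped from this list as well. The INPUT rule `-p tcp --dport smtp` accepts port 25 on every interface, which is expected for the MX of lassul.us but means relay control rests entirely on `sender_domains`/`relay_from_hosts` inside the krebs.exim-smarthost module (not in this diff) — confirm that unauthenticated submissions for other domains are rejected. `internet-aliases` accepts only five addresses; `abuse@lassul.us` and `security@lassul.us` are not among them, so mail to those RFC 2142 role addresses presumably bounces even though local `abuse` and `security` aliases exist — add them, or note why not, e.g. `# only these addresses are accepted from the internet; everything else bounces`.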
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 6043a8759..0eec97922 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix 
@@ -13,7 +13,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; + extraGroups = [ "audio" "video" "input" "loot" ]; createHome = true; useDefaultShell = true; }; diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index d7c68bd7d..636b44395 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -154,7 +154,6 @@ let telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news tigsource|http://www.tigsource.com/feed/|#news - times|http://www.thetimes.co.uk/tto/news/rss|#news tinc|http://tinc-vpn.org/news/index.rss|#news topix_b|http://www.topix.com/rss/wire/de/berlin|#news torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 33eca0a17..610887621 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -6,5 +6,4 @@ gnupg1 ]; - services.xserver.startGnuPGAgent = true; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 109c216c0..caaee96bb 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -1,24 +1,36 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + manageCerts + activateACME + ssl + servePage + serveOwncloud + serveWordpress; + +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( ssl [ "reich-gebaeudereinigung.de" ]) + ( servePage [ "reich-gebaeudereinigung.de" ]) - lass.staticPage = { - "karlaskop.de" = {}; - "makeup.apanowicz.de" = {}; - "pixelpocket.de" = {}; - "reich-gebaeudereinigung.de" = {}; - }; + ( manageCerts [ "karlaskop.de" ]) + ( servePage [ "karlaskop.de" ]) - lass.owncloud = { - "o.ubikmedia.de" = { - instanceid = "oc8n8ddbftgh"; - }; - }; + ( ssl [ "makeup.apanowicz.de" ]) + ( servePage [ "makeup.apanowicz.de" ]) + + ( manageCerts [ "pixelpocket.de" ]) + ( servePage [ "pixelpocket.de" ]) + + ( ssl [ "o.ubikmedia.de" ]) + ( serveOwncloud [ "o.ubikmedia.de" ]) + + ( ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ]; services.mysql = { enable = true; 
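Review bot: `serveWordpress` is given `*.ubikmedia.de` while the preceding `ssl` call lists only `ubikmedia.de` and `aldona.ubikmedia.de`, so any other subdomain pointed at this host is presumably served by the WordPress vhost with a certificate that does not name it — either restrict the server name to the certified hosts or extend the certificate list, whichever matches the intent. `manageCert` and `activateACME` are inherited from 4lib but never used in this file; drop them. A one-line comment on why karlaskop.de and pixelpocket.de use `manageCerts` while the rest use `ssl` would save the next reader a trip into 4lib, e.g. `# manageCerts: certificate only, no TLS vhost yet; ssl: certificate + https server`, adjusted to what those helpers actually do. The `services.mysql` block continues past the hunk.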
@@ -26,10 +38,31 @@ rootPassword = toString (<secrets/mysql_rootPassword>); }; - #lass.wordpress = { - # "ubikmedia.de" = { - # }; - #}; + services.mysqlBackup = { + enable = true; + databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + location = "/bku/sql_dumps"; + }; + + users.users.domsen = { + uid = genid "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "nginx" ]; + createHome = true; + }; + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { + options = '' + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + ''; + } '' + cat ${pkgs.php}/etc/php-recommended.ini > $out + echo "$options" >> $out + ''; } diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 073f3de14..c022dfbe2 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
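Review bot: `users.users.domsen` is added to the `nginx` group, which gives this maintenance account group-level access to everything nginx group-owns on the host — web roots, but also any socket or key material that happens to be group-readable — and no authorized key or password is set in this hunk, so how domsen logs in is defined elsewhere. Consider whether ownership of the specific web roots is the narrower grant, and record the intent either way, e.g. `# nginx group: lets domsen edit the sites nginx serves`. `services.mysqlBackup` writes dumps of `ubikmedia_de` and `o_ubikmedia_de` (presumably the WordPress and ownCloud databases served above, user password hashes included) to `/bku/sql_dumps`, which backups.nix in this commit replicates to other hosts; nothing here sets the directory mode, so check what the mysqlBackup module creates it with.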
@@ -1,22 +1,55 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import ../../4lib { inherit lib pkgs; }) + manageCerts + activateACME + ssl + servePage + serveWordpress; +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix + #( manageCerts [ "biostase.de" ]) + #( servePage [ "biostase.de" ]) + + #( manageCerts [ "gs-maubach.de" ]) + #( servePage [ "gs-maubach.de" ]) + + #( manageCerts [ "spielwaren-kern.de" ]) + #( servePage [ "spielwaren-kern.de" ]) + + #( manageCerts [ "societyofsimtech.de" ]) + #( servePage [ "societyofsimtech.de" ]) + + #( manageCerts [ "ttf-kleinaspach.de" ]) + #( servePage [ "ttf-kleinaspach.de" ]) + + #( manageCerts [ "edsn.de" ]) + #( servePage [ "edsn.de" ]) + + #( manageCerts [ "eab.berkeley.edu" ]) + #( servePage [ "eab.berkeley.edu" ]) + + ( manageCerts [ "eastuttgart.de" ]) + ( serveWordpress [ "eastuttgart.de" ]) + + ( manageCerts [ "habsys.de" ]) + ( servePage [ "habsys.de" ]) ]; - lass.staticPage = { - "biostase.de" = {}; - "gs-maubach.de" = {}; - "spielwaren-kern.de" = {}; - "societyofsimtech.de" = {}; - "ttf-kleinaspach.de" = {}; - "edsn.de" = {}; - "eab.berkeley.edu" = {}; - "habsys.de" = {}; + services.mysql = { + enable = true; + package = pkgs.mariadb; + rootPassword = toString (<secrets/mysql_rootPassword>); + }; + + services.mysqlBackup = { + enable = true; + databases = [ + "eastuttgart_de" + ]; + location = "/bku/sql_dumps"; }; #lass.owncloud = { diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index ac784d4c7..858054531 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix 
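Review bot: Seven domains are left as commented-out `manageCerts`/`servePage` pairs instead of being removed; git keeps the history, and the dead list hides that this host now serves only eastuttgart.de and habsys.de. `activateACME` and `ssl` are inherited here but never used. `services.mysql` with identical `package` and `rootPassword` is now declared in both domsen.nix and fritz.nix; if one host ever imports both, the two `package` definitions presumably conflict at module merge — confirm, or move the shared block to a common file. `toString (<secrets/mysql_rootPassword>)` passes the secret file's path rather than its contents, which keeps the password out of the nix store as long as the pinned module treats `rootPassword` as a file path; a comment such as `# path to the password file, not the password — do not readFile this` would stop someone "fixing" it.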
@@ -1,14 +1,17 @@ -{ config, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + ssl + servePage; + +in { imports = [ - ../../3modules/static_nginx.nix + ( ssl [ "wohnprojekt-rhh.de" ]) + ( servePage [ "wohnprojekt-rhh.de" ]) ]; - lass.staticPage = { - "wohnprojekt-rhh.de" = {}; - }; - users.users.laura = { home = "/srv/http/wohnprojekt-rhh.de"; createHome = true; |