diff options
Diffstat (limited to 'lass/2configs')
40 files changed, 658 insertions, 456 deletions
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix index d23cf9a43..94272fdb0 100644 --- a/lass/2configs/backup.nix +++ b/lass/2configs/backup.nix @@ -2,19 +2,11 @@ with import <stockholm/lib>; { - fileSystems = { - "/backups" = { - device = "/dev/pool/backup"; - fsType = "ext4"; - }; - }; users.users.backup = { useDefaultShell = true; home = "/backups"; createHome = true; openssh.authorizedKeys.keys = with config.krebs.hosts; [ - mors.ssh.pubkey - prism.ssh.pubkey blue.ssh.pubkey ]; }; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 53d90ed7d..5003d2279 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,7 @@ in { ./power-action.nix ./copyq.nix ./urxvt.nix - ./network-manager.nix + ./xdg-open.nix { hardware.pulseaudio = { enable = true; @@ -65,6 +65,7 @@ in { dic dmenu font-size + fzfmenu gitAndTools.qgit git-preview gnome3.dconf @@ -74,7 +75,7 @@ in { nmap pavucontrol powertop - rxvt_unicode_with-plugins + rxvt_unicode-with-plugins sxiv taskwarrior termite diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 9cf294afd..718a92e9c 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix @@ -7,6 +7,7 @@ let "daedalus" "skynet" "prism" + "littleT" ]; remote_hosts = filter (h: h != config.networking.hostName) all_hosts; diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 4d4a92eb9..aad8411b1 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -22,7 +22,9 @@ with (import <stockholm/lib>); krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";} ]; systemd.services.chat = let diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 425e0ee13..c0085995d 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -45,7 +45,7 @@ let createFirefoxUser = name: groups: precedence: createUser (pkgs.writeDash name '' - ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@" + ${pkgs.firefox}/bin/firefox "$@" '') name groups precedence 80; createQuteUser = name: groups: precedence: @@ -66,7 +66,6 @@ in { extensions = [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium - "liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold ]; }; @@ -89,8 +88,8 @@ in { })); }; } - ( createQuteUser "qb" [ "audio" ] 20 ) - ( createFirefoxUser "ff" [ "audio" ] 10 ) + ( createFirefoxUser "ff" [ "audio" ] 11 ) + ( createQuteUser "qb" [ "audio" ] 10 ) ( createChromiumUser "cr" [ "audio" "video" ] 9 ) ( createChromiumUser "gm" [ "video" "audio" ] 8 ) ( createChromiumUser "wk" [ "audio" ] 0 ) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix new file mode 100644 index 000000000..5f802148b --- /dev/null +++ b/lass/2configs/codimd.nix @@ -0,0 +1,28 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; + +{ + services.nginx.virtualHosts.codimd = { + enableACME = true; + addSSL = true; + serverName = "codi.lassul.us"; + locations."/".extraConfig = '' + client_max_body_size 4G; + proxy_set_header Host $host; + proxy_pass http://localhost:3091; + ''; + }; + + services.codimd = { + enable = true; + configuration = { + db = { + dialect = "sqlite"; + storage = "/var/lib/codimd/db.codimd.sqlite"; + useCDN = false; + }; + port = 3091; + }; + }; +} + diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index dea32d4d4..972b4760a 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -2,15 +2,16 @@ with import <stockholm/lib>; { config, pkgs, ... }: { imports = [ + <stockholm/krebs/2configs/nscd-fix.nix> ./binary-cache/client.nix + ./backup.nix ./gc.nix ./mc.nix ./vim.nix - ./monitoring/node-exporter.nix ./zsh.nix ./htop.nix ./security-workarounds.nix - ./wirelum.nix + ./wiregrill.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) @@ -41,8 +42,6 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey - config.krebs.users.lass-shodan.pubkey - config.krebs.users.lass-icarus.pubkey ]; }; }; @@ -72,7 +71,6 @@ with import <stockholm/lib>; krebs = { enable = true; - search-domain = "r"; build.user = config.krebs.users.lass; }; @@ -82,9 +80,6 @@ with import <stockholm/lib>; services.timesyncd.enable = mkForce true; - #why is this on in the first place? - services.nscd.enable = false; - systemd.tmpfiles.rules = [ "d /tmp 1777 root root - -" ]; @@ -116,6 +111,7 @@ with import <stockholm/lib>; #network iptables iftop + tcpdump #stuff for dl aria2 @@ -213,6 +209,7 @@ with import <stockholm/lib>; { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } ]; }; }; @@ -220,4 +217,7 @@ with import <stockholm/lib>; networking.dhcpcd.extraConfig = '' noipv4ll ''; + services.netdata = { + enable = true; + }; } diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 1acfe5056..d1e6b195b 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -95,6 +95,17 @@ with import <stockholm/lib>; { from = "lesswrong@lassul.us"; to = lass.mail; } { from = "nordvpn@lassul.us"; to = lass.mail; } { from = "csv-direct@lassul.us"; to = lass.mail; } + { from = "nintendo@lassul.us"; to = lass.mail; } + { from = "overleaf@lassul.us"; to = lass.mail; } + { from = "box@lassul.us"; to = lass.mail; } + { from = "paloalto@lassul.us"; to = lass.mail; } + { from = "subtitles@lassul.us"; to = lass.mail; } + { from = "lobsters@lassul.us"; to = lass.mail; } + { from = "fysitech@lassul.us"; to = lass.mail; } + { from = "threema@lassul.us"; to = lass.mail; } + { from = "ubisoft@lassul.us"; to = lass.mail; } + { from = "kottezeller@lassul.us"; to = lass.mail; } + { from = "pie@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 62e3f6d52..a3acb82bb 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -74,7 +74,6 @@ in { createHome = true; useDefaultShell = true; packages = with pkgs; [ - ftb minecraft steam-run dolphinEmu diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index c5073e384..a1bb26049 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer); + automatic = ! (elem config.krebs.build.host.name [ "mors" "helios" ] || config.boot.isContainer); }; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 62173e33f..7650f4294 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -154,7 +154,7 @@ let public = true; }; - make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: { + make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... }: { inherit admins collaborators name; public = false; hooks = { diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix new file mode 100644 index 000000000..1421eede7 --- /dev/null +++ b/lass/2configs/green-host.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + { #hack for already defined + systemd.services."container@green".reloadIfChanged = mkForce false; + systemd.services."container@green".preStart = '' + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green ' + ''; + systemd.services."container@green".postStop = '' + set -x + ${pkgs.umount}/bin/umount /var/lib/containers/green + ls -la /dev/mapper/control + ${pkgs.devicemapper}/bin/dmsetup ls + ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img + ''; + } + ]; + + krebs.syncthing.folders."/var/lib/sync-containers".peers = [ "icarus" "skynet" "littleT" "shodan" ]; + krebs.permown."/var/lib/sync-containers" = { + owner = "root"; + group = "syncthing"; + umask = "0007"; + }; + + system.activationScripts.containerPermissions = '' + mkdir -p /var/lib/containers + chmod 711 /var/lib/containers + ''; + + containers.green = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt_unicode.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; + localAddress = "10.233.2.16"; + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-green" '' + set -fu + CONTAINER='green' + IMAGE='/var/lib/sync-containers/green.img' + + ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null + if [ "$?" -ne 0 ]; then + ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER" + fi + + mkdir -p /var/lib/containers/"$CONTAINER" + + ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" " + if [ "$?" -ne 0 ]; then + ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER" + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER") + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER" + fi + ping -c1 green.r + if [ "$?" -ne 0 ]; then + ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch + fi + + '') + ]; +} diff --git a/lass/2configs/hardening.nix b/lass/2configs/hardening.nix new file mode 100644 index 000000000..aee4bf06f --- /dev/null +++ b/lass/2configs/hardening.nix @@ -0,0 +1,11 @@ +{ pkgs, lib, ... }: +with lib; +{ + security.chromiumSuidSandbox.enable = true; + security.lockKernelModules = false; + boot.kernel.sysctl."user.max_user_namespaces" = 63414; + + imports = [ + <nixpkgs/nixos/modules/profiles/hardened.nix> + ]; +} diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix index f5651da13..5649041f9 100644 --- a/lass/2configs/hw/x220.nix +++ b/lass/2configs/hw/x220.nix @@ -30,8 +30,7 @@ }; }; - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; + services.logind.lidSwitch = "ignore"; + services.logind.lidSwitchDocked = "ignore"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 36e797a96..6de111ba8 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -51,7 +51,7 @@ let eloop = [ "to:eloop.org" ]; github = [ "to:github@lassul.us" ]; gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ]; - india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ]; + india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" "to:hackbeach@mail.hackbeach.in" ]; kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ]; lugs = [ "to:lugs@lug-s.org" ]; meetup = [ "to:meetup@lassul.us" ]; @@ -60,7 +60,10 @@ let paypal = [ "to:paypal@lassul.us" ]; ptl = [ "to:ptl@posttenebraslab.ch" ]; retiolum = [ "to:lass@mors.r" ]; - security = [ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" ]; + security = [ + "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" + "to:security-announce@lists.apple.com" + ]; shack = [ "to:shackspace.de" ]; steam = [ "to:steam@lassul.us" ]; tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ]; @@ -82,7 +85,7 @@ let source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc set pgp_use_gpg_agent = yes set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D - set crypt_autosign = yes + set crypt_autosign = no set crypt_replyencrypt = yes set crypt_verify_sig = yes set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" @@ -225,12 +228,9 @@ in { msmtp mutt pkgs.notmuch - pkgs.much + pkgs.muchsync + pkgs.haskellPackages.much tag-new-mails tag-old-mails ]; - - nixpkgs.config.packageOverrides = opkgs: { - notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); - }; } diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix deleted file mode 100644 index 561e3a25c..000000000 --- a/lass/2configs/monitoring/node-exporter.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; } - { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; } - ]; - services.prometheus.exporters = { - node = { - enable = true; - enabledCollectors = [ - "systemd" - ]; - }; - }; -} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix deleted file mode 100644 index b7083c776..000000000 --- a/lass/2configs/monitoring/prometheus-server.nix +++ /dev/null @@ -1,217 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - #networking = { - # firewall.allowedTCPPorts = [ - # 3000 # grafana - # 9090 # prometheus - # 9093 # alertmanager - # ]; - # useDHCP = true; - #}; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } - ]; - - services = { - prometheus = { - enable = true; - extraFlags = [ - "-storage.local.retention 8760h" - "-storage.local.series-file-shrink-ratio 0.3" - "-storage.local.memory-chunks 2097152" - "-storage.local.max-chunks-to-persist 1048576" - "-storage.local.index-cache-size.fingerprint-to-metric 2097152" - "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" - "-storage.local.index-cache-size.label-name-to-label-values 2097152" - "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" - ]; - alertmanagerURL = [ "http://localhost:9093" ]; - rules = [ - '' - ALERT node_down - IF up == 0 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Node is down.", - description = "{{$labels.alias}} has been down for more than 5 minutes." - } - ALERT node_systemd_service_failed - IF node_systemd_unit_state{state="failed"} == 1 - FOR 4m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", - description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." - } - ALERT node_filesystem_full_90percent - IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Filesystem is running out of space soon.", - description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." - } - ALERT node_filesystem_full_in_4h - IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 - FOR 5m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", - description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" - } - ALERT node_filedescriptors_full_in_3h - IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum - FOR 20m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", - description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" - } - ALERT node_load1_90percent - IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Running on high load.", - description = "{{$labels.alias}} is running with > 90% total load for at least 1h." - } - ALERT node_cpu_util_90percent - IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: High CPU utilization.", - description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." - } - ALERT node_ram_using_90percent - IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 - FOR 30m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Using lots of RAM.", - description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", - } - ALERT node_swap_using_80percent - IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 - FOR 10m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Running out of swap soon.", - description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." - } - '' - ]; - scrapeConfigs = [ - { - job_name = "node"; - scrape_interval = "10s"; - static_configs = [ - { - targets = [ - ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts)); - #labels = { - # alias = "prometheus.example.com"; - #}; - } - ]; - } - ]; - alertmanager = { - enable = true; - listenAddress = "0.0.0.0"; - configuration = { - "global" = { - "smtp_smarthost" = "smtp.example.com:587"; - "smtp_from" = "alertmanager@example.com"; - }; - "route" = { - "group_by" = [ "alertname" "alias" ]; - "group_wait" = "30s"; - "group_interval" = "2m"; - "repeat_interval" = "4h"; - "receiver" = "team-admins"; - }; - "receivers" = [ - { - "name" = "team-admins"; - "email_configs" = [ - { - "to" = "devnull@example.com"; - } - ]; - "webhook_configs" = [ - { - "url" = "http://127.0.0.1:14813/prometheus-alerts"; - "send_resolved" = true; - } - ]; - } - ]; - }; - }; - }; - grafana = { - enable = true; - addr = "0.0.0.0"; - domain = "grafana.example.com"; - rootUrl = "https://grafana.example.com/"; - auth.anonymous.enable = true; - auth.anonymous.org_role = "Admin"; - }; - }; - services.logstash = { - enable = true; - inputConfig = '' - http { - port => 14813 - host => "127.0.0.1" - } - ''; - filterConfig = '' - if ([alerts]) { - ruby { - code => ' - lines = [] - event["alerts"].each {|p| - lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}" - } - event["output"] = lines.join("\n") - ' - } - } - ''; - outputConfig = '' - file { path => "/tmp/logs.json" codec => "json_lines" } - irc { - channels => [ "#noise" ] - host => "irc.r" - nick => "alarm" - codec => "json_lines" - format => "%{output}" - } - ''; - #plugins = [ ]; - }; -} diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix index 5b890b591..ab27eb841 100644 --- a/lass/2configs/network-manager.nix +++ b/lass/2configs/network-manager.nix @@ -15,6 +15,8 @@ }; }; networking.networkmanager = { + ethernet.macAddress = "random"; + wifi.macAddress = "random"; enable = true; unmanaged = [ "docker*" diff --git a/lass/2configs/nfs-dl.nix b/lass/2configs/nfs-dl.nix new file mode 100644 index 000000000..abbcc1d42 --- /dev/null +++ b/lass/2configs/nfs-dl.nix @@ -0,0 +1,7 @@ +{ + fileSystems."/mnt/prism" = { + device = "prism.w:/export"; + fsType = "nfs"; + }; +} + diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 293691c0f..3c3d8e636 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -10,6 +10,16 @@ with import <stockholm/lib>; proxy_pass http://localhost:9081; ''; }; + services.nginx.virtualHosts.paste-readonly = { + serverAliases = [ "p.krebsco.de" ]; + locations."/".extraConfig = '' + if ($request_method != GET) { + return 403; + } + proxy_set_header Host $host; + proxy_pas |