summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/baseX.nix6
-rw-r--r--lass/2configs/binary-cache/server.nix8
-rw-r--r--lass/2configs/blue-host.nix100
-rw-r--r--lass/2configs/blue.nix1
-rw-r--r--lass/2configs/ciko.nix4
-rw-r--r--lass/2configs/downloading.nix65
-rw-r--r--lass/2configs/exim-smarthost.nix4
-rw-r--r--lass/2configs/fetchWallpaper.nix3
-rw-r--r--lass/2configs/games.nix2
-rw-r--r--lass/2configs/git.nix4
-rw-r--r--lass/2configs/mail.nix16
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix3
-rw-r--r--lass/2configs/radio.nix17
-rw-r--r--lass/2configs/realwallpaper.nix10
-rw-r--r--lass/2configs/tests/dummy-secrets/nordvpn.txt0
-rw-r--r--lass/2configs/websites/domsen.nix7
-rw-r--r--lass/2configs/websites/fritz.nix70
-rw-r--r--lass/2configs/websites/lassulus.nix16
-rw-r--r--lass/2configs/websites/sqlBackup.nix1
19 files changed, 171 insertions, 166 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 9b44e8f0..d781f8c7 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -126,6 +126,12 @@ in {
restartIfChanged = false;
};
+ nixpkgs.config.packageOverrides = super: {
+ dmenu = pkgs.writeDashBin "dmenu" ''
+ ${pkgs.fzfmenu}/bin/fzfmenu "$@"
+ '';
+ };
+
krebs.xresources.enable = true;
lass.screenlock.enable = true;
}
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 991bbeb5..d3775b5d 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -25,6 +25,14 @@
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
};
+ virtualHosts."cache.krebsco.de" = {
+ forceSSL = true;
+ serverAliases = [ "cache.lassul.us" ];
+ enableACME = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '';
+ };
};
}
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 83c235f3..9cf294af 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -1,23 +1,115 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
+let
+ all_hosts = [
+ "icarus"
+ "shodan"
+ "daedalus"
+ "skynet"
+ "prism"
+ ];
+ remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
-{
+in {
imports = [
<stockholm/lass/2configs/container-networking.nix>
+ { #hack for already defined
+ systemd.services."container@blue".reloadIfChanged = mkForce false;
+ systemd.services."container@blue".preStart = ''
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+ '';
+ systemd.services."container@blue".preStop = ''
+ /run/wrappers/bin/fusermount -u /var/lib/containers/blue
+ '';
+ }
];
- systemd.services."container@blue".reloadIfChanged = mkForce false;
+
+ system.activationScripts.containerPermissions = ''
+ mkdir -p /var/lib/containers
+ chmod 711 /var/lib/containers
+ '';
+
containers.blue = {
config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt_unicode.terminfo
+ ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
- autoStart = true;
+ autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.9";
localAddress = "10.233.2.10";
};
+
+
+ systemd.services = builtins.listToAttrs (map (host:
+ let
+ in nameValuePair "sync-blue-${host}" {
+ bindsTo = [ "container@blue.service" ];
+ wantedBy = [ "container@blue.service" ];
+ # ssh needed for rsync
+ path = [ pkgs.openssh ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 10;
+ ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+ set -efu
+ #make sure blue is running
+ /run/wrappers/bin/ping -c1 blue.r > /dev/null
+
+ #make sure the container is unlocked
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+
+ #make sure our target is reachable
+ ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+
+ #start sync
+ ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+ settings {
+ nodaemon = true,
+ inotifyMode = "CloseWrite or Modify",
+ }
+ sync {
+ default.rsyncssh,
+ source = "/var/lib/containers/.blue",
+ host = "${host}.r",
+ targetdir = "/var/lib/containers/.blue",
+ rsync = {
+ archive = true,
+ owner = true,
+ group = true,
+ };
+ ssh = {
+ binary = "${pkgs.openssh}/bin/ssh";
+ identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+ },
+ }
+ ''}
+ '';
+ };
+ unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+ }
+ ) remote_hosts);
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-blue" ''
+ set -ef
+ if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
+ ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
+ fi
+ nixos-container start blue
+ nixos-container run blue -- nixos-rebuild -I /var/src dry-build
+ if ping -c1 blue.r >/dev/null; then
+ echo 'blue is already running. bailing out'
+ exit 23
+ fi
+ nixos-container run blue -- nixos-rebuild -I /var/src switch
+ '')
+ ];
}
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index 68f2256c..4d4a92eb 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -15,6 +15,7 @@ with (import <stockholm/lib>);
dic
nmap
git-preview
+ l-gen-secrets
];
services.tor.enable = true;
diff --git a/lass/2configs/ciko.nix b/lass/2configs/ciko.nix
index b08cf930..6818db46 100644
--- a/lass/2configs/ciko.nix
+++ b/lass/2configs/ciko.nix
@@ -19,5 +19,9 @@ with import <stockholm/lib>;
"slash16.net"
];
};
+
+ system.activationScripts.user-shadow = ''
+ ${pkgs.coreutils}/bin/chmod +x /home/ciko
+ '';
}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
deleted file mode 100644
index 8d0fb0d0..00000000
--- a/lass/2configs/downloading.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-{
- users.extraUsers = {
- download = {
- name = "download";
- home = "/var/download";
- createHome = true;
- useDefaultShell = true;
- extraGroups = [
- "download"
- ];
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-shodan.pubkey
- lass-icarus.pubkey
- lass-daedalus.pubkey
- lass-helios.pubkey
- makefu.pubkey
- wine-mors.pubkey
- ];
- };
-
- transmission = {
- extraGroups = [
- "download"
- ];
- };
- };
-
- users.extraGroups = {
- download = {
- members = [
- "download"
- "transmission"
- ];
- };
- };
-
- krebs.rtorrent = {
- enable = true;
- web = {
- enable = true;
- port = 9091;
- basicAuth = import <secrets/torrent-auth>;
- };
- rutorrent.enable = true;
- enableXMLRPC = true;
- listenPort = 51413;
- downloadDir = "/var/download/finished";
- # dump old torrents into watch folder to have them re-added
- watchDir = "/var/download/watch";
- };
-
- krebs.iptables = {
- enable = true;
- tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
- ];
- };
-}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 6ef3c859..1ee45bb4 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -90,6 +90,10 @@ with import <stockholm/lib>;
{ from = "afra@lassul.us"; to = lass.mail; }
{ from = "ksp@lassul.us"; to = lass.mail; }
{ from = "ccc@lassul.us"; to = lass.mail; }
+ { from = "neocron@lassul.us"; to = lass.mail; }
+ { from = "osmocom@lassul.us"; to = lass.mail; }
+ { from = "lesswrong@lassul.us"; to = lass.mail; }
+ { from = "nordvpn@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 31a01c75..065ee9c4 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -6,8 +6,7 @@ in {
krebs.fetchWallpaper = {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
- url = "prism/realwallpaper-sat-krebs.png";
- maxTime = 10;
+ url = "prism/realwallpaper-krebs.png";
};
}
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 17c3cf3b..49602898 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -75,6 +75,8 @@ in {
packages = with pkgs; [
ftb
minecraft
+ steam-run
+ dolphinEmu
];
};
};
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index c5b5c01f..62173e33 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -21,6 +21,10 @@ let
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
+
+ system.activationScripts.spool-chmod = ''
+ ${pkgs.coreutils}/bin/chmod +x /var/spool
+ '';
};
cgit-clear-cache = pkgs.cgit-clear-cache.override {
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index e5068925..36e797a9 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -31,6 +31,7 @@ let
'';
mailboxes = {
+ afra = [ "to:afra@afra-berlin.de" ];
c-base = [ "to:c-base.org" ];
coins = [
"to:btce@lassul.us"
@@ -46,12 +47,15 @@ let
];
dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ];
+ dn42 = [ "to:dn42@lists.nox.tf" ];
eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
+ india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
lugs = [ "to:lugs@lug-s.org" ];
- nix-devel = [ "to:nix-devel@googlegroups.com" ];
+ meetup = [ "to:meetup@lassul.us" ];
+ nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ];
ptl = [ "to:ptl@posttenebraslab.ch" ];
@@ -170,6 +174,16 @@ let
macro pager a "<modify-labels>-archive\n" # tag as Archived
+ bind index U noop
+ bind index u noop
+ bind pager U noop
+ bind pager u noop
+ macro index U "<modify-labels>+unread\n"
+ macro index u "<modify-labels>-unread\n"
+ macro pager U "<modify-labels>+unread\n"
+ macro pager u "<modify-labels>-unread\n"
+
+
bind index t noop
bind pager t noop
macro index t "<modify-labels>" # tag as Archived
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index aef67163..b7083c77 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -177,7 +177,8 @@
addr = "0.0.0.0";
domain = "grafana.example.com";
rootUrl = "https://grafana.example.com/";
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ auth.anonymous.enable = true;
+ auth.anonymous.org_role = "Admin";
};
};
services.logstash = {
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index bf685580..85faded1 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -62,8 +62,23 @@ in {
extraConfig = ''
audio_output {
type "shout"
+ encoding "lame"
+ name "the_playlist_mp3"
+ host "localhost"
+ port "8000"
+ mount "/radio.mp3"
+ password "${source-password}"
+ bitrate "128"
+
+ format "44100:16:2"
+
+ user "source"
+ genre "good music"
+ }
+ audio_output {
+ type "shout"
encoding "ogg"
- name "the_playlist"
+ name "the_playlist_ogg"
host "localhost"
port "8000"
mount "/radio.ogg"
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 116d6627..e0cb37f6 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
let
hostname = config.krebs.build.host.name;
@@ -9,6 +9,9 @@ let
in {
krebs.realwallpaper.enable = true;
+ system.activationScripts.user-shadow = ''
+ ${pkgs.coreutils}/bin/chmod +x /var/realwallpaper
+ '';
services.nginx.virtualHosts.wallpaper = {
extraConfig = ''
if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
@@ -22,10 +25,7 @@ in {
locations."/realwallpaper.png".extraConfig = ''
root /var/realwallpaper/;
'';
- locations."/realwallpaper-sat.png".extraConfig = ''
- root /var/realwallpaper/;
- '';
- locations."/realwallpaper-sat-krebs.png".extraConfig = ''
+ locations."/realwallpaper-krebs.png".extraConfig = ''
root /var/realwallpaper/;
'';
};
diff --git a/lass/2configs/tests/dummy-secrets/nordvpn.txt b/lass/2configs/tests/dummy-secrets/nordvpn.txt
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/nordvpn.txt
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 828cab95..4935268a 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -139,6 +139,13 @@ in {
ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
+ users.users.xanf = {
+ uid = genid_uint31 "xanf";
+ home = "/home/xanf";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
users.users.domsen = {
uid = genid_uint31 "domsen";
description = "maintenance acc for domsen";
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
deleted file mode 100644
index 14d6ce9e..00000000
--- a/lass/2configs/websites/fritz.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
- inherit (import <stockholm/lib>)
- genid
- head
- ;
- inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- servePage
- serveWordpress
- ;
-
- msmtprc = pkgs.writeText "msmtprc" ''
- account default
- host localhost
- '';
-
- sendmail = pkgs.writeDash "msmtp" ''
- exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
- '';
-
-in {
-
- services.nginx.enable = true;
-
- imports = [
- ./default.nix
- ./sqlBackup.nix
-
- (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
-
- (serveWordpress [ "gs-maubach.de" "www.gs-maubach.de" ])
-
- (serveWordpress [ "spielwaren-kern.de" "www.spielwaren-kern.de" ])
-
- (servePage [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ])
-
- (serveWordpress [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ])
-
- (serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ])
-
- (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
- ];
-
- lass.mysqlBackup.config.all.databases = [
- "eastuttgart_de"
- "radical_dreamers_de"
- "spielwaren_kern_de"
- "ttf_kleinaspach_de"
- ];
-
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.fritz.pubkey
- ];
-
- users.users.goldbarrendiebstahl = {
- home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
- uid = genid "goldbarrendiebstahl";
- createHome = true;
- useDefaultShell = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.fritz.pubkey
- ];
- };
-
- services.phpfpm.phpOptions = ''
- sendmail_path = ${sendmail} -t
- '';
-}
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index b72b2092..6470d86f 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -66,22 +66,6 @@ in {
locations."/tinc".extraConfig = ''
alias ${config.krebs.tinc_graphs.workingDir}/external;
'';
- locations."/urlaubyay2018".extraConfig = ''
- autoindex on;
- alias /srv/http/lassul.us-media/india2018;
- auth_basic "Restricted Content";
- auth_basic_user_file ${pkgs.writeText "pics-user-pass" ''
- paolo:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0
- ''};
- '';
- locations."/heilstadt".extraConfig = ''
- autoindex on;
- alias /srv/http/lassul.us-media/grabowsee2018;
- auth_basic "Restricted Content";
- auth_basic_user_file ${pkgs.writeText "pics-user-pass" ''
- c-base:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0
- ''};
- '';
locations."/krebspage".extraConfig = ''
default_type "text/html";
alias ${pkgs.krebspage}/index.html;
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 2fffa6cc..897e35e6 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -11,7 +11,6 @@
enable = true;
dataDir = "/var/mysql";
package = pkgs.mariadb;
- rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
};
systemd.services.mysql = {
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-16 09:49:59 +0000