Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/copyq.nix | 3 | ||||
-rw-r--r-- | lass/2configs/dcso-vpn.nix | 44 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/2configs/green-host.nix | 99 | ||||
-rw-r--r-- | lass/2configs/minecraft.nix | 22 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem | 0 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/dcsovpn/cert.key | 0 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem | 0 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/dcsovpn/login.txt | 0 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 14 | ||||
-rw-r--r-- | lass/2configs/websites/lassulus.nix | 2 |
11 files changed, 20 insertions, 165 deletions
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
index 56c091a6e..ed78699b0 100644
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@@ -25,9 +25,6 @@ in { environment = { DISPLAY = ":${toString config.services.xserver.display}"; }; - path = with pkgs; [ - qt5.full - ]; serviceConfig = { SyslogIdentifier = "copyq"; ExecStart = "${pkgs.copyq}/bin/copyq";
diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix
deleted file mode 100644
index 0a5623bf0..000000000
--- a/lass/2configs/dcso-vpn.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-with import <stockholm/lib>; -{ ... }: - -{ - - users.extraUsers = { - dcsovpn = rec { - name = "dcsovpn"; - uid = genid "dcsovpn"; - description = "user for running dcso openvpn"; - home = "/home/${name}"; - }; - }; - - users.extraGroups.dcsovpn.gid = genid "dcsovpn"; - - services.openvpn.servers = { - dcso = { - config = '' - client - dev tun - tun-mtu 1356 - mssfix - proto udp - float - remote 217.111.55.41 1194 - nobind - user dcsovpn - group dcsovpn - persist-key - persist-tun - ca ${toString <secrets/dcsovpn/ca.pem>} - cert ${toString <secrets/dcsovpn/cert.pem>} - key ${toString <secrets/dcsovpn/cert.key>} - verb 3 - mute 20 - auth-user-pass ${toString <secrets/dcsovpn/login.txt>} - route-method exe - route-delay 2 - ''; - updateResolvConf = true; - }; - }; -}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index f59988b75..babcb51de 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -2,7 +2,6 @@ with import <stockholm/lib>; { config, pkgs, ... }: { imports = [ - <stockholm/krebs/2configs/nscd-fix.nix> ./binary-cache/client.nix ./backup.nix ./gc.nix
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
deleted file mode 100644
index 6cccab4b3..000000000
--- a/lass/2configs/green-host.nix
+++ /dev/null
@@ -1,99 +0,0 @@ -{ config, lib, pkgs, ... }: -with import <stockholm/lib>; - -let - - cname = "green"; - cryfs = pkgs.cryfs.overrideAttrs (old: { - patches = [ - (pkgs.writeText "file_mode.patch" '' - --- a/src/cryfs/filesystem/CryNode.cpp - +++ b/src/cryfs/filesystem/CryNode.cpp - 
@@ -171,7 +171,7 @@ CryNode::stat_info CryNode::stat() const { - result.uid = fspp::uid_t(getuid()); - result.gid = fspp::gid_t(getgid()); - #endif - - result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag(); - + result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag().addGroupReadFlag().addGroupExecFlag().addOtherReadFlag().addOtherExecFlag();; - result.size = fsblobstore::DirBlob::DIR_LSTAT_SIZE; - //TODO If possible without performance loss, then for a directory, st_nlink should return number of dir entries (including "." and "..") - result.nlink = 1; - '') - ] ++ old.patches; - }); - -in { - imports = [ - <stockholm/lass/2configs/container-networking.nix> - <stockholm/lass/2configs/syncthing.nix> - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}".devices = [ "icarus" "skynet" "littleT" "shodan" ]; - # krebs.permown."/var/lib/sync-containers/${cname}" = { - # owner = "root"; - # group = "syncthing"; - # umask = "0007"; - # }; - - systemd.services."container@green".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... 
}: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt_unicode.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - - mkdir -p /var/lib/containers/${cname}/var/state - chown ${config.services.syncthing.user}: /var/lib/containers/${cname}/var/state - if ! ${pkgs.mount}/bin/mount | grep -q '^cryfs@/var/lib/sync-containers/${cname} on /var/lib/containers/${cname}/var/state '; then - /run/wrappers/bin/sudo -u "${config.services.syncthing.user}" \ - ${cryfs}/bin/cryfs /var/lib/sync-containers/${cname} /var/lib/containers/${cname}/var/state -o allow_other -o default_permissions - fi - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - if ! ping -c1 -q -w5 ${cname}.r && [ -d /var/lib/containers/${cname}/var/src ]; then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - mkdir -p /var/state/var_src - ln -sf state/var_Src /var/src - nixos-rebuild -I /var/src switch - ''} - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - ${cryfs}/bin/cryfs-unmount /var/lib/containers/${cname}/var/state - '') - ]; -} diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix index 6f8ceb358..d2a3672c5 100644 --- a/lass/2configs/minecraft.nix 
+++ b/lass/2configs/minecraft.nix
@@ -1,19 +1,13 @@
-{ pkgs, ... }: +{ pkgs, ... }: let -{ - users.users = { - mc = { - name = "mc"; - description = "user playing mc"; - home = "/home/mc"; - createHome = true; - useDefaultShell = true; - packages = with pkgs; [ - tmux - ]; - }; + unstable = import <nixpkgs-unstable> { config.allowUnfree = true; }; + +in { + services.minecraft-server = { + enable = true; + eula = true; + package = unstable.minecraft-server; }; - krebs.per-user.mc.packages = [ pkgs.jdk ]; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; } { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
deleted file mode 100644
index e69de29bb..000000000
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
+++ /dev/null
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
deleted file mode 100644
index e69de29bb..000000000
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
+++ /dev/null
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
deleted file mode 100644
index e69de29bb..000000000
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
+++ /dev/null
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
deleted file mode 100644
index e69de29bb..000000000
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
+++ /dev/null
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index a177a0228..ac7db10f5 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
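Review bot: `package = unstable.minecraft-server;` takes the server from `import <nixpkgs-unstable>`, an unpinned NIX_PATH lookup, so the version that actually listens on 25565 is whatever that channel resolves to on the deploying machine and is recorded nowhere in the repository. Pinning that import (a `fetchTarball` with a `sha256`, or whatever pinning the rest of the repository already uses) would make the deployed version reproducible and auditable; failing that, a line above the `let` such as `# TODO(review): <nixpkgs-unstable> is unpinned; record the expected minecraft-server version here` at least tells the next reader what was intended. The `mc` user and its `/home/mc` are dropped, but nothing moves a world that may have lived there into the module's `dataDir` (default `/var/lib/minecraft`, if I recall the module correctly) — confirm before deploying. The enclosing attribute set continues past the hunk.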
@@ -91,13 +91,12 @@ in { services.nextcloud = { enable = true; hostName = "o.xanf.org"; - package = pkgs.nextcloud18; + package = pkgs.nextcloud19; config = { adminpassFile = toString <secrets> + "/nextcloud_pw"; overwriteProtocol = "https"; }; https = true; - nginx.enable = true; }; services.nginx.virtualHosts."o.xanf.org" = { enableACME = true;
@@ -175,6 +174,7 @@ in { users.users.xanf = { uid = genid_uint31 "xanf"; + group = "xanf"; home = "/home/xanf"; useDefaultShell = true; createHome = true;
@@ -252,6 +252,16 @@ in { createHome = true; }; + users.users.XANF_TEAM = { + uid = genid_uint31 "XANF_TEAM"; + group = "xanf"; + home = "/home/XANF_TEAM"; + useDefaultShell = true; + createHome = true; + }; + + users.groups.xanf = {}; + krebs.on-failure.plans.restic-backups-domsen = { journalctl = { lines = 1000;
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 74585a6f8..17df71310 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -16,7 +16,6 @@ in { email = "acme@lassul.us"; acceptTerms = true; certs."lassul.us" = { - allowKeysForGroup = true; group = "lasscert"; }; };
@@ -78,7 +77,6 @@ in { email = "lassulus@lassul.us"; webroot = "/var/lib/acme/acme-challenge"; group = "nginx"; - user = "nginx"; }; |
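Review bot: `users.groups.xanf = {};` in the third domsen.nix hunk declares the group without a gid, so it is allocated dynamically on each host, whereas the uids beside it use `genid_uint31` and the repository derives gids the same way elsewhere (the `users.extraGroups.dcsovpn.gid = genid "dcsovpn"` line in dcso-vpn.nix, deleted in this same commit); `users.groups.xanf.gid = genid_uint31 "xanf";` keeps the number stable across hosts and restores, which matters now that the group is shared by `xanf` (second hunk) and the new `XANF_TEAM`. The shared primary group is presumably meant to let the two accounts reach each other's files, but that intent is not stated anywhere; a comment on the `users.groups.xanf` line would save the next reader from guessing whether `group = "xanf"` on `users.users.xanf` was deliberate. The enclosing `in { ... }` set starts and ends outside the hunk.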