Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/backups.nix34
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/iodined.nix20
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/tests/dummy-secrets/iodinepw.nix1
-rw-r--r--lass/2configs/websites/domsen.nix74
-rw-r--r--lass/2configs/websites/util.nix1
7 files changed, 105 insertions, 29 deletions
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
index 7d3046d4..916e0821 100644
--- a/lass/2configs/backups.nix
+++ b/lass/2configs/backups.nix
@@ -23,10 +23,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
- dishfire-http-uriel = {
+ dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
@@ -41,10 +41,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
- dishfire-sql-uriel = {
+ dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
@@ -53,10 +53,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
- prism-bitlbee-uriel = {
+ prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-mors = {
@@ -65,10 +65,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
- prism-chat-uriel = {
+ prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-mors = {
@@ -77,10 +77,10 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
- prism-sql-uriel = {
+ prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-mors = {
@@ -89,22 +89,22 @@ with config.krebs.lib;
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
- prism-http-uriel = {
+ prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
- uriel-home-mors = {
+ shodan-home-mors = {
method = "pull";
- src = { host = config.krebs.hosts.uriel; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
+ src = { host = config.krebs.hosts.shodan; path = "/home"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
- mors-home-uriel = {
+ mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+ dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
dishfire-http-helios = {
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 5575b7e7..af3ed1d3 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -21,7 +21,6 @@ with config.krebs.lib;
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
];
};
@@ -37,7 +36,6 @@ with config.krebs.lib;
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
];
};
diff --git a/lass/2configs/iodined.nix b/lass/2configs/iodined.nix
new file mode 100644
index 00000000..ff254f39
--- /dev/null
+++ b/lass/2configs/iodined.nix
@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+
+let
+ # TODO: make this a parameter
+ domain = "io.lassul.us";
+ pw = import <secrets/iodinepw.nix>;
+in {
+
+ services.iodined = {
+ enable = true;
+ domain = domain;
+ ip = "172.16.10.1/24";
+ extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 53"; target = "ACCEPT";}
+ ];
+
+}
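Review bot: The iodine password is interpolated straight into `extraConfig` on line 13 (`-P ${pw}`), so it is part of the evaluated system configuration and, as far as I can tell from the NixOS iodined module, is spliced into the unit's ExecStart — i.e. it lands in the world-readable Nix store and in the daemon's argv, where any local user can read it with `ps`. The `<secrets/iodinepw.nix>` indirection only keeps it out of the git repo, not off the machine. If iodined offers no file/env alternative to `-P`, at least record that trade-off next to the line, e.g. `# NOTE: -P puts the password into the unit (nix store) and the process argv; iodine also sends it as MD5 only`, and keep the password unique to this tunnel. `-c` also disables the client source-IP check; a one-line comment saying this is deliberate (roaming/NAT clients) would save the next reader a trip to the man page.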
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 9e3fe888..879da19b 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/lassulus/nixpkgs;
- ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74";
+ ref = "8a8948167324f67d26a1c7ddc8e387128332b622";
};
}
diff --git a/lass/2configs/tests/dummy-secrets/iodinepw.nix b/lass/2configs/tests/dummy-secrets/iodinepw.nix
new file mode 100644
index 00000000..f5e70470
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/iodinepw.nix
@@ -0,0 +1 @@
+"derp"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index d5ad38c0..2f93c1f9 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,9 +1,11 @@
{ config, pkgs, lib, ... }:
let
+
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid
- ;
+ genid_signed
+ ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl
servePage
@@ -20,6 +22,25 @@ let
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
+ check-password = pkgs.writeDash "check-password" ''
+ read pw
+
+ file="/home/$PAM_USER/.shadow"
+
+ #check if shadow file exists
+ test -e "$file" || exit 123
+
+ hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+ salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+ calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+ if [ "$calc_hash" == $hash ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ '';
+
in {
imports = [
./sqlBackup.nix
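Review bot: `file="/home/$PAM_USER/.shadow"` uses the PAM user name unvalidated, and with the exim authenticators added in this same commit that name is whatever the SMTP client sent as `$auth1`/`$auth2`; a name containing `/` or `..` makes the script read its reference hash from a path of the client's choosing (e.g. `x/../../tmp/y` resolves to `/tmp/y/.shadow`), so anyone who can drop a file under a writable directory can log in as that string. Reject anything that is not a plain account name before building the path. Separately, `[ "$calc_hash" == $hash ]` is not POSIX and I believe dash's builtin `test` rejects `==` as an unexpected operator, which would make the script always fall through to `exit 1`; `read` without `-r` and dash's `echo` also mangle passwords containing backslashes, and `$hash`/`$salt` are unquoted. The enclosing `let` starts outside this hunk.
```nix
  check-password = pkgs.writeDash "check-password" ''
    # PAM_USER is the SMTP AUTH username verbatim; refuse anything that is
    # not a plain local account name before it is used to build a path.
    case "$PAM_USER" in
      ""|*[!a-zA-Z0-9_-]*) exit 1 ;;
    esac

    IFS= read -r pw

    file="/home/$PAM_USER/.shadow"

    #check if shadow file exists
    test -e "$file" || exit 123

    hash="$(${pkgs.coreutils}/bin/head -1 "$file")"
    salt="$(printf '%s\n' "$hash" | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"

    calc_hash="$(printf '%s\n' "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S "$salt")"
    if [ "$calc_hash" = "$hash" ]; then
      exit 0
    else
      exit 1
    fi
  '';
```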
@@ -132,6 +153,9 @@ in {
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = "${sendmail} -t -i"
always_populate_raw_post_data = -1
+ upload_max_filesize = 100M
+ post_max_size = 100M
+ file_uploads = on
'';
} ''
cat ${pkgs.php}/etc/php-recommended.ini > $out
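Review bot: `post_max_size = 100M` is set equal to `upload_max_filesize`, but the multipart body carrying a 100M file is larger than the file itself, so uploads near the advertised limit are silently discarded by PHP rather than accepted; the usual arrangement is `post_max_size` a little above `upload_max_filesize`, e.g. `post_max_size = 110M`. `memory_limit` is not visible in this hunk — it needs to be at least as large as `post_max_size` for these settings to take effect, so worth confirming. The enclosing php.ini derivation starts outside this hunk.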
@@ -140,21 +164,53 @@ in {
# MAIL STUFF
# TODO: make into its own module
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Mail";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
- ];
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+ ];
+
+ security.pam.services.exim.text = ''
+ auth required pam_env.so
+ auth sufficient pam_exec.so debug expose_authtok ${check-password}
+ auth sufficient pam_unix.so likeauth nullok
+ auth required pam_deny.so
+ account required pam_unix.so
+ password required pam_cracklib.so retry=3 type=
+ password sufficient pam_unix.so nullok use_authtok md5shadow
+ password required pam_deny.so
+ session required pam_limits.so
+ session required pam_unix.so
+ '';
+
krebs.exim-smarthost = {
+ authenticators.PLAIN = ''
+ driver = plaintext
+ server_prompts = :
+ server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+ server_set_id = $auth2
+ '';
+ authenticators.LOGIN = ''
+ driver = plaintext
+ server_prompts = "Username:: : Password::"
+ server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+ server_set_id = $auth1
+ '';
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
+ { from = "testuser@lassul.us"; to = "testuser"; }
];
system-aliases = [
];
+ ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
users.users.domsen = {
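Review bot: The new PLAIN and LOGIN authenticators carry no `server_advertise_condition`, so Exim offers AUTH on every listener, not just the SMTPS port this hunk opens, and a client that talks to port 25 (or 587, if enabled elsewhere) sends the password in the clear; add `server_advertise_condition = "''${if def:tls_in_cipher}"` to both authenticator blocks so AUTH is only advertised once TLS is up. In the PAM stack, `auth sufficient pam_unix.so likeauth nullok` lets any account with an empty password field authenticate with an empty password, which is not appropriate for a network-facing SMTP service — drop `nullok` there. On the dovecot side only the cert and the firewall ports changed; it is not visible here whether plaintext logins on the non-TLS ports are disabled, so confirm `disable_plaintext_auth`/`ssl = required` end up in the generated config.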
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 330d8ba8..467229c0 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -188,6 +188,7 @@ rec {
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
+ client_max_body_size 100m;
'';
locations = [
(nameValuePair "/" ''