summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/cabal/config.nix2
-rw-r--r--lass/1systems/daedalus/config.nix2
-rw-r--r--lass/1systems/echelon/config.nix50
-rw-r--r--lass/1systems/helios/config.nix38
-rw-r--r--lass/1systems/icarus/config.nix2
-rw-r--r--lass/1systems/littleT/config.nix2
-rw-r--r--lass/1systems/mors/config.nix46
-rw-r--r--lass/1systems/prism/config.nix114
-rw-r--r--lass/1systems/red/config.nix31
-rw-r--r--lass/1systems/red/source.nix (renamed from lass/1systems/echelon/source.nix)3
-rw-r--r--lass/1systems/shodan/config.nix2
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/xerxes/source.nix6
-rw-r--r--lass/2configs/AP.nix77
-rw-r--r--lass/2configs/backup.nix20
-rw-r--r--lass/2configs/backups.nix173
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/bitcoin.nix10
-rw-r--r--lass/2configs/dcso-dev.nix1
-rw-r--r--lass/2configs/default.nix3
-rw-r--r--lass/2configs/dns-stuff.nix16
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/git.nix14
-rw-r--r--lass/2configs/go.nix19
-rw-r--r--lass/2configs/mail.nix5
-rw-r--r--lass/2configs/monitoring/client.nix26
-rw-r--r--lass/2configs/monitoring/monit-alarms.nix44
-rw-r--r--lass/2configs/monitoring/node-exporter.nix15
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix217
-rw-r--r--lass/2configs/monitoring/server.nix87
-rw-r--r--lass/2configs/reaktor-coders.nix15
-rw-r--r--lass/2configs/repo-sync.nix1
-rw-r--r--lass/2configs/syncthing.nix1
-rw-r--r--lass/2configs/websites/lassulus.nix56
-rw-r--r--lass/2configs/websites/util.nix59
-rw-r--r--lass/2configs/zsh.nix4
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/restic.nix119
-rw-r--r--lass/5pkgs/l-gen-secrets/default.nix (renamed from lass/5pkgs/generate-secrets/default.nix)6
40 files changed, 724 insertions, 568 deletions
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix
index 7eba86c52..9ac3cb681 100644
--- a/lass/1systems/cabal/config.nix
+++ b/lass/1systems/cabal/config.nix
@@ -13,9 +13,9 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- <stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
+ <stockholm/lass/2configs/AP.nix>
];
krebs.build.host = config.krebs.hosts.cabal;
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 609fae3c8..c15fcdc21 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -8,9 +8,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
+ <stockholm/lass/2configs/backup.nix>
{
# bubsy config
users.users.bubsy = {
diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix
deleted file mode 100644
index 6f96883bf..000000000
--- a/lass/1systems/echelon/config.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway;
- ip = config.krebs.build.host.nets.internet.ip4.addr;
-in {
- imports = [
- <stockholm/lass>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- <stockholm/lass/2configs/privoxy-retiolum.nix>
- <stockholm/lass/2configs/git.nix>
- {
- networking.interfaces.enp2s1.ip4 = [
- {
- address = ip;
- prefixLength = 24;
- }
- ];
- networking.defaultGateway = getDefaultGateway ip;
- networking.nameservers = [
- "8.8.8.8"
- ];
-
- }
- {
- sound.enable = false;
- }
- {
- users.extraUsers = {
- satan = {
- name = "satan";
- uid = 1338;
- home = "/home/satan";
- group = "users";
- createHome = true;
- useDefaultShell = true;
- extraGroups = [
- ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
- ];
- };
- };
- }
- ];
-
- krebs.build.host = config.krebs.hosts.echelon;
-}
diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix
index e64cfbe79..759bb6d06 100644
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@@ -17,6 +17,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/dcso-dev.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
+ <stockholm/lass/2configs/backup.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
@@ -137,35 +138,14 @@ with import <stockholm/lib>;
networking.hostName = lib.mkForce "BLN02NB0162";
security.pki.certificateFiles = [
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
-
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
- (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
- (pkgs.writeText "minio.cert" ''
- -----BEGIN CERTIFICATE-----
- MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
- MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
- OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
- AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
- 8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
- YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
- ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
- CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
- hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
- MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
- I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
- CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
- hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
- jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
- EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
- zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
- qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
- -----END CERTIFICATE-----
- '')
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
+
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
];
programs.adb.enable = true;
diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 46dc5e873..b6a0822b9 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -14,9 +14,9 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- <stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
+ <stockholm/lass/2configs/backup.nix>
];
krebs.build.host = config.krebs.hosts.icarus;
diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix
index 7211c78eb..ef19e8d16 100644
--- a/lass/1systems/littleT/config.nix
+++ b/lass/1systems/littleT/config.nix
@@ -8,7 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/backups.nix>
+ <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix>
{
users.users.blacky = {
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index cd259d0fe..f8a16ad2e 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
+ <stockholm/lass/2configs/backup.nix>
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@@ -140,7 +141,18 @@ with import <stockholm/lib>;
dpass
dnsutils
+ woeusb
+ l-gen-secrets
generate-secrets
+ (pkgs.writeDashBin "btc-coinbase" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
+ '')
+ (pkgs.writeDashBin "btc-wex" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
+ '')
+ (pkgs.writeDashBin "btc-kraken" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
+ '')
];
#TODO: fix this shit
@@ -177,4 +189,38 @@ with import <stockholm/lib>;
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true;
+ services.redshift = {
+ enable = true;
+ provider = "geoclue2";
+ };
+
+ lass.restic = genAttrs [
+ "daedalus"
+ "icarus"
+ "littleT"
+ "prism"
+ "shodan"
+ "skynet"
+ ] (dest: {
+ dirs = [
+ "/home/lass/src"
+ "/home/lass/work"
+ "/home/lass/.gnupg"
+ "/home/lass/Maildir"
+ "/home/lass/stockholm"
+ "/home/lass/.password-store"
+ "/home/bitcoin"
+ "/home/bch"
+ ];
+ passwordFile = (toString <secrets>) + "/restic/${dest}";
+ repo = "sftp:backup@${dest}.r:/backups/mors";
+ #sshPrivateKey = config.krebs.build.host.ssh.privkey.path;
+ extraArguments = [
+ "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+ ];
+ timerConfig = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ };
+ });
}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index c0e4620cc..564315e8f 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -8,11 +8,15 @@ in {
imports = [
<stockholm/lass>
{
- networking.interfaces.et0.ip4 = [
+ networking.interfaces.et0.ipv4.addresses = [
{
address = ip;
prefixLength = 27;
}
+ {
+ address = "46.4.114.243";
+ prefixLength = 27;
+ }
];
networking.defaultGateway = "46.4.114.225";
networking.nameservers = [
@@ -100,6 +104,7 @@ in {
];
}
{ # TODO make new hfos.nix out of this vv
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
isNormalUser = true;
@@ -110,29 +115,13 @@ in {
};
# TODO write function for proxy_pass (ssl/nonssl)
- services.nginx.virtualHosts."hackerfleet.de" = {
- serverAliases = [
- "*.hackerfleet.de"
- ];
- locations."/".extraConfig = ''
- proxy_pass http://192.168.122.92:80;
- '';
- };
- services.nginx.virtualHosts."hackerfleet.de-s" = {
- serverName = "hackerfleet.de";
- listen = [
- {
- addr = "0.0.0.0";
- port = 443;
- }
- ];
- serverAliases = [
- "*.hackerfleet.de"
- ];
- locations."/".extraConfig = ''
- proxy_pass http://192.168.122.92:443;
- '';
- };
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+ ];
}
{
users.users.tv = {
@@ -202,26 +191,6 @@ in {
};
}
{
- #kaepsele
- systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
- containers.kaepsele = {
- config = { ... }: {
- imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- tv.pubkey
- ];
- };
- autoStart = true;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.3";
- localAddress = "10.233.2.4";
- };
- }
- {
#onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false;
containers.onondaga = {
@@ -249,13 +218,12 @@ in {
<stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix>
- <stockholm/lass/2configs/monitoring/server.nix>
- <stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
@@ -336,6 +304,60 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
+ <stockholm/lass/2configs/go.nix>
+ {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ systemd.services."container@red".reloadIfChanged = mkForce false;
+ containers.red = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.3";
+ localAddress = "10.233.2.4";
+ };
+ services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ extraConfig = ''
+ proxy_set_header Host rote-allez-fraktion.de;
+ proxy_pass http://10.233.2.4;
+ '';
+ };
+ };
+ }
+ {
+ imports = [ <stockholm/lass/2configs/backup.nix> ];
+ lass.restic = genAttrs [
+ "daedalus"
+ "icarus"
+ "littleT"
+ "mors"
+ "shodan"
+ "skynet"
+ ] (dest: {
+ dirs = [
+ "/home/chat/.weechat"
+ "/bku/sql_dumps"
+ ];
+ passwordFile = (toString <secrets>) + "/restic/${dest}";
+ repo = "sftp:backup@${dest}.r:/backups/prism";
+ extraArguments = [
+ "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+ ];
+ timerConfig = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ };
+ });
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix
new file mode 100644
index 000000000..31e2de966
--- /dev/null
+++ b/lass/1systems/red/config.nix
@@ -0,0 +1,31 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+let
+ inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
+ servephpBB
+ ;
+in
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs>
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/websites>
+ <stockholm/lass/2configs/websites/sqlBackup.nix>
+ (servephpBB [ "rote-allez-fraktion.de" ])
+ ];
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+
+ krebs.build.host = config.krebs.hosts.red;
+ boot.isContainer = true;
+ networking.useDHCP = false;
+
+ services.nginx.enable = true;
+ environment.variables.NIX_REMOTE = "daemon";
+ environment.systemPackages = [
+ pkgs.mk_sql_pair
+ ];
+}
diff --git a/lass/1systems/echelon/source.nix b/lass/1systems/red/source.nix
index 96888d5a8..f2bad743c 100644
--- a/lass/1systems/echelon/source.nix
+++ b/lass/1systems/red/source.nix
@@ -1,3 +1,4 @@
import <stockholm/lass/source.nix> {
- name = "echelon";
+ name = "red";
+ secure = true;
}
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 7fb57544f..42a46c5f5 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -15,9 +15,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- <stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
+ <stockholm/lass/2configs/backup.nix>
];
krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 0b9499982..b2210282f 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -9,7 +9,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- <stockholm/lass/2configs/backups.nix>
{
# discordius config
services.xserver.enable = true;
diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix
index 11f5bf796..d256b885b 100644
--- a/lass/1systems/xerxes/source.nix
+++ b/lass/1systems/xerxes/source.nix
@@ -2,10 +2,4 @@ with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "xerxes";
secure = true;
- override = {
- nixpkgs.git = mkForce {
- url = https://github.com/lassulus/nixpkgs;
- ref = "3eccd0b";
- };
- };
}
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
new file mode 100644
index 000000000..5ce7cfff8
--- /dev/null
+++ b/lass/2configs/AP.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ wifi = "wlp0s29u1u2";
+in {
+ boot.extraModulePackages = [
+ pkgs.linuxPackages.rtl8814au
+ ];
+ networking.networkmanager.unmanaged = [ wifi ];
+
+ systemd.services.hostapd = {
+ description = "hostapd wireless AP";
+ path = [ pkgs.hostapd ];
+ wantedBy = [ "network.target" ];
+
+ after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
+ interface=${wifi}
+ hw_mode=a
+ channel=36
+ ieee80211d=1
+ country_code=DE
+ ieee80211n=1
+ ieee80211ac=1
+ wmm_enabled=1
+
+ # 5ghz
+ ssid=krebsing
+ auth_algs=1
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ rsn_pairwise=CCMP
+ wpa_passphrase=aidsballz
+ ''}";
+ Restart = "always";
+ };
+ };
+
+ networking.interfaces.${wifi}.ipv4.addresses = [
+ { address = "10.99.0.1"; prefixLength = 24; }
+ ];
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ wifi ];
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers 10.99.0.1;
+ option domain-name-servers 1.1.1.1, 8.8.8.8;
+ subnet 10.99.0.0 netmask 255.255.255.0 {
+ range 10.99.0.100 10.99.0.200;
+ }
+ '';
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ #TODO find out what this is about?
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
+
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
+}
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
new file mode 100644
index 000000000..27adf6d2a
--- /dev/null
+++ b/lass/2configs/backup.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+with import <stockholm/lib>;
+
+{
+ fileSystems = {
+ "/backups" = {
+ device = "/dev/pool/backup";
+ fsType = "ext4";
+ };
+ };
+ users.users.backup = {
+ useDefaultShell = true;
+ home = "/backups";
+ createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.hosts; [
+ mors.ssh.pubkey
+ prism.ssh.pubkey
+ ];
+ };
+}
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
deleted file mode 100644
index c4fb85420..000000000
--- a/lass/2configs/backups.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, lib, ... }:
-with import <stockholm/lib>;
-{
-
- # TODO add timerConfig to krebs.backup and randomize startup
- # TODO define plans more abstract
- krebs.backup.plans = {
- } // mapAttrs (_: recursiveUpdate {
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
- }) {
- dishfire-http-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
- startAt = "03:00";
- };
- dishfire-http-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-http-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
- startAt = "03:05";
- };
- dishfire-http-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-sql-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
- startAt = "03:15";
- };
- dishfire-sql-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- dishfire-sql-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
- startAt = "03:20";
- };
- dishfire-sql-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- prism-bitlbee-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-bitlbee-mors = {
-