Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/1systems/prism/physical.nix8
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/fysiirc.nix51
-rw-r--r--lass/2configs/network-manager.nix4
-rw-r--r--lass/2configs/pipewire.nix51
-rw-r--r--lass/2configs/retiolum.nix7
-rw-r--r--lass/2configs/security-workarounds.nix8
-rw-r--r--lass/2configs/yubikey.nix43
-rw-r--r--lass/3modules/xjail.nix32
11 files changed, 121 insertions, 88 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index c92a239f..a082ea62 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -123,6 +123,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix>
+ <stockholm/lass/2configs/fysiirc.nix>
{
services.tor = {
enable = true;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 26ecd1cd..151cfbf4 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -79,9 +79,11 @@
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
boot.kernelParams = [ "net.ifnames=0" ];
+ networking.dhcpcd.enable = false;
networking = {
hostId = "2283aaae";
defaultGateway = "95.216.1.129";
+ defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.eth0.ipv4.addresses = [
@@ -94,5 +96,11 @@
prefixLength = 26;
}
];
+ interfaces.eth0.ipv6.addresses = [
+ {
+ address = "2a01:4f9:2a:1e9::1";
+ prefixLength = 64;
+ }
+ ];
};
}
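Review bot: prism gains a globally routable IPv6 address here (`2a01:4f9:2a:1e9::1/64`, with the `fe80::1` gateway from the previous hunk), so every service that binds a wildcard address is now reachable over IPv6 as well as IPv4. The firewall rules in this tree are written against `krebs.iptables.tables.filter.INPUT` (see `fysiirc.nix` in this same commit); whether that module also renders an ip6tables filter table is not visible on this page, so please confirm the v6 path gets the same default policy and ACCEPT set rather than the kernel default of accept-all. A one-line comment such as `# v6 is now live; firewall rules must cover ip6tables too` above `interfaces.eth0.ipv6.addresses` would keep that in view. Minor: `nameservers` stays IPv4-only (`8.8.8.8`) now that dhcpcd is disabled, which works but leaves no v6 resolver.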
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 124eef2c..59d1e018 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -65,7 +65,7 @@ in {
gitAndTools.hub
git-crypt
git-preview
- gnome3.dconf
+ dconf
iodine
libarchive
lm_sensors
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index dc97719a..e2163b68 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -8,7 +8,7 @@ with import <stockholm/lib>;
./vim.nix
./zsh.nix
./htop.nix
- ./security-workarounds.nix
+ <stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix
{
users.extraUsers =
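Review bot: The replacement import `<stockholm/krebs/2configs/security-workarounds.nix>` is not part of this diff, so the page cannot confirm it still carries what the deleted `lass/2configs/security-workarounds.nix` provided, namely the dccp module block (`install dccp /run/current-system/sw/bin/false`) with its oss-sec reference. If the krebs file is a verbatim move, a comment on this line such as `# moved to krebs; still blocks the dccp module` makes that traceable; if it is not, this commit silently drops the mitigation and it should be re-added there.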
diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix
new file mode 100644
index 00000000..d2aaa73c
--- /dev/null
+++ b/lass/2configs/fysiirc.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; }
+ ];
+ krebs.reaktor2.fysiweb-github = {
+ hostname = "irc.libera.chat";
+ port = "6697";
+ useTLS = true;
+ nick = "fysiweb-github";
+ API.listen = "inet://127.0.0.1:44001";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ "#fysi"
+ ];
+ };
+ }
+ ];
+ };
+ krebs.htgen.fysiweb-github = {
+ port = 44002;
+ user = {
+ name = "reaktor2-fysiweb-github";
+ };
+ script = ''. ${pkgs.writeDash "github-irc" ''
+ case "$Method $Request_URI" in
+ "POST /")
+ payload=$(head -c "$req_content_length" \
+ | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
+ | xargs -0 echo -e \
+ )
+ ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
+ -H content-type:application/json \
+ -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \
+ '{
+ command:"PRIVMSG",
+ params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"]
+ }'
+ )"
+ printf 'HTTP/1.1 200 OK\r\n'
+ printf 'Connection: close\r\n'
+ printf '\r\n'
+ exit
+ ;;
+ esac
+ ''}'';
+ };
+}
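Review bot: The webhook endpoint is unauthenticated: the INPUT rule on the `--dport 44002` line accepts from any source, and the `"POST /")` handler relays whatever JSON arrives to the reaktor2 API as a `PRIVMSG`, so anyone who can reach prism can make `fysiweb-github` post arbitrary `action: url` lines into `#fysi`. GitHub signs deliveries with an HMAC in the `X-Hub-Signature-256` header when the hook has a secret configured; verifying it before the curl call (or, failing that, restricting the ACCEPT rule to the hook source addresses) closes this. `head -c "$req_content_length"` trusts a client-supplied length with no cap, so a single request can make the pipeline buffer an arbitrarily large body; applying a fixed maximum to the `head -c` count is a cheap limit. `curl -fsSv` emits verbose transfer output to stderr (presumably the service journal) on every delivery and looks like leftover debugging. A short comment above the `sed`/`xargs -0 echo -e` chain stating that it form-decodes the body (and therefore also interprets backslash escapes from the request) would help, since it is not obvious that the result is only ever fed to jq.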
diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix
index b41cc7ac..0c59b959 100644
--- a/lass/2configs/network-manager.nix
+++ b/lass/2configs/network-manager.nix
@@ -14,8 +14,8 @@
users.users.mainUser = {
extraGroups = [ "networkmanager" ];
packages = with pkgs; [
- gnome3.gnome_keyring
- gnome3.dconf
+ gnome3.gnome-keyring
+ dconf
];
};
environment.systemPackages = [
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
index c21ab5d9..24de0e9e 100644
--- a/lass/2configs/pipewire.nix
+++ b/lass/2configs/pipewire.nix
@@ -8,67 +8,18 @@
powerOnBoot = true;
};
- # autostart with login
- systemd.user.services.pipewire-pulse = {
- wantedBy = [ "graphical-session.target" ];
- };
-
environment.systemPackages = with pkgs; [
alsaUtils
pulseaudioLight
ponymix
];
- environment.variables.PULSE_SERVER = "localhost:4713";
services.pipewire = {
enable = true;
- socketActivation = false;
+ systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
-
- # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
- config.pipewire-pulse = {
- "context.properties" = {
- "log.level" = 2;
- };
- "context.modules" = [
- {
- name = "libpipewire-module-rtkit";
- # args = {
- # "nice.level" = -15;
- # "rt.prio" = 88;
- # "rt.time.soft" = 200000;
- # "rt.time.hard" = 200000;
- # };
- flags = [ "ifexists" "nofail" ];
- }
- { name = "libpipewire-module-protocol-native"; }
- { name = "libpipewire-module-client-node"; }
- { name = "libpipewire-module-adapter"; }
- { name = "libpipewire-module-metadata"; }
- {
- name = "libpipewire-module-protocol-pulse";
- args = {
- "vm.overrides" = {
- # "pulse.min.req" = "32/48000";
- # "pulse.default.req" = "32/48000";
- # "pulse.max.req" = "32/48000";
- "pulse.min.quantum" = "1024/48000";
- # "pulse.max.quantum" = "32/48000";
- };
- "server.address" = [
- "unix:native"
- "tcp:4713"
- ];
- };
- }
- ];
- "stream.properties" = {
- # "node.latency" = "32/48000";
- # "resample.quality" = 1;
- };
- };
};
}
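Review bot: `systemWide = true` turns PipeWire into a single system-wide daemon shared by every user instead of a per-session one, which changes the trust boundary: in the NixOS module access to the system socket is gated by group membership (the `pipewire` group, if I recall the module correctly), and this hunk does not add `mainUser` to it, so check that happens elsewhere or audio will be unavailable to the user. On the positive side the hunk drops the `tcp:4713` listener and `PULSE_SERVER = "localhost:4713"`, removing the unauthenticated TCP pulse endpoint; that is worth stating so it is not restored by accident. A comment above `systemWide = true;` giving the reason (e.g. `# one daemon for all users; socket access is via the pipewire group`) would help the next reader.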
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index f900bc28..2ddfbcf8 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -17,14 +17,17 @@
enable = true;
connectTo = [
"prism"
- "gum"
"ni"
+ "eve"
];
extraConfig = ''
- LocalDiscovery = yes
+ StrictSubnets = yes
'';
};
+ # never connect via gum (he eats our packets!)
+ krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
+
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
};
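Review bot: The comment `# never connect via gum (he eats our packets!)` overstates what the line below it does: a tinc `weight` of 9000 only makes the edge to gum the least preferred in path selection, it neither prevents gum from being used when it is the only route nor stops gum from connecting to us. Consider `# make gum the least preferred hop (he eats our packets!)`, or, if a hard exclusion is intended, say so and use a tinc setting that actually refuses the edge. `StrictSubnets = yes` is a good hardening step (only Subnet statements present in the local host files are honoured) but deserves a short comment, since it silently drops traffic from any host whose Subnet lines are stale.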
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
deleted file mode 100644
index 537c8a59..00000000
--- a/lass/2configs/security-workarounds.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- # http://seclists.org/oss-sec/2017/q1/471
- boot.extraModprobeConfig = ''
- install dccp /run/current-system/sw/bin/false
- '';
-}
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
index 9ab6b6cc..d92b18f8 100644
--- a/lass/2configs/yubikey.nix
+++ b/lass/2configs/yubikey.nix
@@ -6,15 +6,41 @@
];
services.udev.packages = with pkgs; [ yubikey-personalization ];
- services.pcscd.enable = true;
systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
- ##restart pcscd if yubikey is plugged in
- #services.udev.extraRules = ''
- # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" ''
- # ${pkgs.systemd}/bin/systemctl restart pcscd.service
- # ''}"
- #'';
+ services.pcscd.enable = true;
+ systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
+ set -x
+ ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
+ disable-ccid
+ pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
+ card-timeout 1
+
+ # Always try to use yubikey as the first reader
+ # even when other smart card readers are connected
+ # Name of the reader can be found using the pcsc_scan command
+ # If you have problems with gpg not recognizing the Yubikey
+ # then make sure that the string here matches exacly pcsc_scan
+ # command output. Also check journalctl -f for errors.
+ reader-port Yubico YubiKey
+ ''} $HOME/.gnupg/scdaemon.conf
+ '';
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ (
+ action.id == "org.debian.pcsc-lite.access_pcsc" ||
+ action.id == "org.debian.pcsc-lite.access_card"
+ ) && subject.user == "lass"
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
environment.shellInit = ''
if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
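Review bot: The second `polkit.addRule` (the one after the pcsc-lite rule) has no filter and calls `polkit.log(...)` for every authorization request by every user, which is a debugging aid rather than policy and will be noisy in the journal; either drop it or narrow it to `action.id.indexOf("org.debian.pcsc-lite.") == 0` with a comment saying it is for troubleshooting card access. The `ExecStartPre` script unconditionally `ln -sf`s a store path over `$HOME/.gnupg/scdaemon.conf`, so any local edits to that file are clobbered on every gpg-agent start; a comment at the `ln -sf` line stating that the file is managed by this config would avoid surprises. `set -x` in the same script echoes the full command lines into the user journal on each start and looks like leftover debugging. Minor: this script uses `pkgs.writers.writeDash` while the rest of the tree on this page uses `pkgs.writeDash`.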
@@ -28,6 +54,9 @@
fi
'';
+ # allow nix to acces remote builders via yubikey
+ systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
+
programs = {
ssh.startAgent = false;
gnupg.agent = {
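Review bot: Pointing the root `nix-daemon` at `/run/user/1337/gnupg/S.gpg-agent.ssh` means every remote-builder SSH connection the daemon makes, regardless of which local user triggered the build, authenticates with the key held by uid 1337's gpg-agent (the YubiKey), so the agent's touch/PIN policy becomes the only control between any local build and that key. That is a reasonable trade on a single-user machine but should be stated in the comment, e.g. `# nix-daemon (root) uses uid 1337's gpg-agent ssh socket for remote builders; any local build can use the yubikey key`. Also `acces` should read `access`, and `/run/user/1337` only exists while that user has a session, so builds started without one will fail to authenticate rather than fall back.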
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index f94e7ebb..08a28b8e 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -41,10 +41,6 @@ with import <stockholm/lib>;
type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol";
};
- vglrun = mkOption {
- type = types.bool;
- default = false;
- };
wm = mkOption {
#TODO find type
type = types.str;
@@ -122,21 +118,14 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $XEPHYR_PID
'';
# TODO fix xephyr which doesn't honor resizes anymore
- sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
- '' else ''
+ sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
- '');
- vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
- DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+ ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'';
in nameValuePair name {
existing = newOrExisting;
xephyr = xephyr_;
sudo = sudo_;
- vglrun = vglrun_;
}
) config.lass.xjail;
in {
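Review bot: The new `sudo_` wrapper hardcodes `-E DISPLAY=:0`, i.e. the host X server, whereas the commented line directly above it and the removed vglrun path used `DISPLAY=:${cfg.display}`, the Xephyr display this module starts; if that is deliberate because of the `# TODO fix xephyr` note, say so in a comment, because running the jailed user's program on `:0` gives it the same X access as any host client (X11 does not isolate clients from one another) and removes the display isolation xjail was built around. Separately, this hunk identifies the target account as `--uid=${cfg.name}` while the polkit rule in the next hunk matches `action.lookup("user") == "${cfg.user}"`; unless `cfg.user` is an option that always equals `cfg.name` (not visible on this page), one of the two should be aligned so the rule authorizes the shell it is meant to. `sudo_` is now a misnomer for a `machinectl shell` wrapper and could be renamed in a follow-up.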
@@ -161,10 +150,19 @@ with import <stockholm/lib>;
}
) config.lass.xjail;
- security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
- # TODO allow just the right script with sudo
- "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
- ) config.lass.xjail));
+ security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.user == "${cfg.from}" &&
+ action.id == "org.freedesktop.machine1.host-shell" &&
+ action.lookup("user") == "${cfg.user}" &&
+ action.lookup("program") == "${cfg.script}" &&
+ true
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name ''
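Review bot: The polkit rule checks `action.lookup("program") == "${cfg.script}"` but nothing about the arguments, so `machinectl shell ... ${cfg.script} "$@"` lets the `from` user run the script with arbitrary parameters as the jail user; that is still a large improvement over the removed `NOPASSWD: ALL` sudoers entry and should be recorded above the rule, e.g. `# authorize only machinectl shell into .host as the jail user running cfg.script; arguments are not constrained`. The stray `true` operand on the line before the closing parenthesis is a leftover and should go, together with the trailing `&&` on the `action.lookup("program")` line. Whether `cfg.user` is a defined option equal to the `cfg.name` used for `--uid=` in the previous hunk cannot be confirmed from this page; if it is not, this rule never matches and the shell is denied.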