Diffstat (limited to 'makefu/2configs')
-rw-r--r--makefu/2configs/audio/jack-on-pulse.nix2
-rw-r--r--makefu/2configs/backup.nix1
-rw-r--r--makefu/2configs/deployment/gitlab.nix39
-rw-r--r--makefu/2configs/elchos/search.nix17
-rw-r--r--makefu/2configs/fs/sda-crypto-root.nix6
-rw-r--r--makefu/2configs/git/gitlab-runner-shackspace.nix32
-rw-r--r--makefu/2configs/hw/tp-x230.nix4
-rw-r--r--makefu/2configs/lanparty/samba.nix31
-rw-r--r--makefu/2configs/nsupdate-data.nix55
-rw-r--r--makefu/2configs/share/anon-ftp.nix2
-rw-r--r--makefu/2configs/share/gum.nix4
-rw-r--r--makefu/2configs/tools/android-pentest.nix3
-rw-r--r--makefu/2configs/tools/dev.nix3
-rw-r--r--makefu/2configs/tools/extra-gui.nix1
-rw-r--r--makefu/2configs/urlwatch/default.nix25
-rw-r--r--makefu/2configs/vim.nix3
-rw-r--r--makefu/2configs/virtualisation/docker.nix6
17 files changed, 214 insertions, 20 deletions
diff --git a/makefu/2configs/audio/jack-on-pulse.nix b/makefu/2configs/audio/jack-on-pulse.nix
index a8ee05c7d..e18b2192a 100644
--- a/makefu/2configs/audio/jack-on-pulse.nix
+++ b/makefu/2configs/audio/jack-on-pulse.nix
@@ -45,7 +45,7 @@ in
Restart = "always";
RestartSec = "5";
};
- # after = [ "display-manager.service" "sound.target" ];
+ after = [ "display-manager.service" "sound.target" ];
wantedBy = [ "default.target" ];
};
};
diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix
index 1cc78bfc1..166365ba0 100644
--- a/makefu/2configs/backup.nix
+++ b/makefu/2configs/backup.nix
@@ -31,6 +31,7 @@ in {
krebs.backup.plans = {
# wry-to-omo_root = defaultPull config.krebs.hosts.wry "/";
gum-to-omo_root = defaultPull config.krebs.hosts.gum "/";
+ # wolf-to-omo_root = defaultPull config.krebs.hosts.wolf "/";
};
environment.systemPackages = [
pkgs.borgbackup
diff --git a/makefu/2configs/deployment/gitlab.nix b/makefu/2configs/deployment/gitlab.nix
new file mode 100644
index 000000000..d61f50c1d
--- /dev/null
+++ b/makefu/2configs/deployment/gitlab.nix
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+ web-port = 19453;
+ hostn = "gitlab.makefu.r";
+ internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+in {
+
+ services.gitlab = {
+ enable = true;
+ https = false;
+ port = web-port;
+ secrets = import <secrets/gitlab/secrets.nix>;
+ databasePassword = import <secrets/gitlab/dbpw.nix>;
+ initialRootEmail = "makefu@x.r";
+ initialRootPassword = import <secrets/gitlab/rootpw.nix>;
+ host = hostn;
+ smtp = {
+ enable = true;
+ domain = "r";
+ enableStartTLSAuto = false;
+ port = 25;
+ };
+ };
+
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts."${hostn}".locations."/" = {
+ proxyPass = "http://localhost:${toString web-port}/";
+ extraConfig = ''
+ if ( $server_addr != "${internal-ip}" ) {
+ return 403;
+ }
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+}
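Review bot: The three `import <secrets/gitlab/...>` expressions on the `secrets`, `databasePassword` and `initialRootPassword` lines are evaluated into plain Nix values, so unless the module treats them specially they are likely to be rendered into configuration under the world-readable /nix/store. The same pattern is used for `token` in git/gitlab-runner-shackspace.nix, and in nsupdate-data.nix `pkgs.writeText "ddclient-config" (gen-cfg nsupdate)` places the nsupdate passwords in a store path. Prefer handing the service a path to a root-owned file outside the store where the module offers one (the runner file already carries a commented `configFile = "/var/src/secrets/runner.toml";`). Where that is not possible, add a comment such as `# NOTE: this value is copied into the Nix store and is readable by every local user`.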
diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix
index 5777be373..521bfc80a 100644
--- a/makefu/2configs/elchos/search.nix
+++ b/makefu/2configs/elchos/search.nix
@@ -23,10 +23,21 @@ let
pid=${ddclientPIDFile}
${concatStringsSep "\n" (mapAttrsToList (user: pass: ''
+ protocol=dyndns2
use=if, if=${primary-itf}
- protocol=dyndns2, server=ipv4.nsupdate.info, login=${user}, password='${pass}' ${user}
- #usev6=if, if=${primary-itf}
- #protocol=dyndns2, server=ipv6.nsupdate.info, login=${user}, password='${pass}' ${user}
+ ssl=yes
+ server=ipv4.nsupdate.info
+ login=${user}
+ password='${pass}'
+ ${user}
+
+ protocol=dyndns2
+ usev5=if, if=${primary-itf}
+ ssl=yes
+ server=ipv6.nsupdate.info
+ login=${user}
+ password='${pass}'
+ ${user}
'') dict)}
'';
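Review bot: `usev5=if, if=${primary-itf}` in the second added stanza looks like a typo for `usev6`. The commented line this hunk removes used `usev6=if`, and nsupdate-data.nix in the same commit uses `usev6=if` for its ipv6.nsupdate.info entry. With an unrecognised key the IPv6 record would presumably not be updated from the interface address. Suggested line: `usev6=if, if=${primary-itf}`. The enclosing `let` binding starts outside the hunk.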
diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix
index cfa703aaf..55cfd74f5 100644
--- a/makefu/2configs/fs/sda-crypto-root.nix
+++ b/makefu/2configs/fs/sda-crypto-root.nix
@@ -4,6 +4,12 @@
# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required:
# boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
# sda2: cryptoluks -> ext4
+
+# fdisk /dev/sda
+ # boot 500M
+ # rest rest
+# cryptsetup luksFormat /dev/sda2
+#
with import <stockholm/lib>;
{
boot = {
diff --git a/makefu/2configs/git/gitlab-runner-shackspace.nix b/makefu/2configs/git/gitlab-runner-shackspace.nix
new file mode 100644
index 000000000..a5a1247ba
--- /dev/null
+++ b/makefu/2configs/git/gitlab-runner-shackspace.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+ url = "https://git.shackspace.de/";
+ # generate token from CI-token via:
+ ## gitlab-runner register
+ token = import <secrets/shackspace-gitlab-ci-token.nix> ;
+in {
+ virtualisation.docker.enable = true;
+ services.gitlab-runner = {
+ enable = true;
+ gracefulTimeout = "120min";
+ # configFile = "/var/src/secrets/runner.toml";
+ configOptions = {
+ concurrent = 2;
+ runners = [{
+ name = "nix-krebs-1.11";
+ inherit token url;
+ executor = "docker";
+ builds_dir = "";
+ docker = {
+ host = "";
+ image = "nixos/nix:1.11";
+ privileged = false;
+ disable_cache = false;
+ volumes = ["/cache"];
+ shm_size = 0;
+ };
+ cache = {};
+ }];
+ };
+ };
+}
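Review bot: `image = "nixos/nix:1.11";` selects the CI build image by a mutable registry tag, so whatever is published under that tag at pull time runs the jobs on this host's Docker daemon. Pinning by digest, e.g. `image = "nixos/nix@sha256:<digest>";` (placeholder), makes the runner's base image reproducible. A one-line comment above `privileged = false;` would also help, saying it must stay false because jobs arrive from the external GitLab at `url`.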
diff --git a/makefu/2configs/hw/tp-x230.nix b/makefu/2configs/hw/tp-x230.nix
index c705b52a7..14572b35c 100644
--- a/makefu/2configs/hw/tp-x230.nix
+++ b/makefu/2configs/hw/tp-x230.nix
@@ -33,8 +33,8 @@ with import <stockholm/lib>;
Option "Backlight" "intel_backlight"
'';
};
- # no entropy source working
- # security.rngd.enable = true;
+
+ security.rngd.enable = true;
services.xserver.displayManager.sessionCommands =''
xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1
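Review bot: The removed comment said no entropy source was working on this machine, and the new `security.rngd.enable = true;` line does not record what changed. If rngd still finds no usable hardware source, the service may fail or contribute nothing. A short comment would help, for example `# rngd: hardware RNG now available via <source>; confirm in the rngd unit log` (placeholder). The enclosing attribute set continues outside the hunk.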
diff --git a/makefu/2configs/lanparty/samba.nix b/makefu/2configs/lanparty/samba.nix
new file mode 100644
index 000000000..de834ab16
--- /dev/null
+++ b/makefu/2configs/lanparty/samba.nix
@@ -0,0 +1,31 @@
+{config, ... }:{
+ networking.firewall.allowedUDPPorts = [ 137 138 ];
+ networking.firewall.allowedTCPPorts = [ 139 445 ];
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/data/lanparty";
+ createHome = true;
+ };
+ services.samba = {
+ enable = true;
+ shares = {
+ share-home = {
+ path = "/data/lanparty/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
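Review bot: The `share-home` share is writable without authentication (`"read only" = "no"`, `"guest ok" = "yes"`, `map to guest = bad user`), and the firewall lines at the top open 137/138/139/445 on every interface rather than only the LAN-party network. Limiting exposure in the Samba config keeps anonymous write access to the intended segment, e.g. `hosts allow = <lan-subnet>` (placeholder) in `extraConfig`, or `interfaces = <lan-itf>` with `bind interfaces only = yes`. `smbguest` also has `/data/lanparty` as its home directory, so guest uploads land in that account's home; a comment saying this is intentional would help.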
diff --git a/makefu/2configs/nsupdate-data.nix b/makefu/2configs/nsupdate-data.nix
new file mode 100644
index 000000000..cfa6193c6
--- /dev/null
+++ b/makefu/2configs/nsupdate-data.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+# search also generates ddclient entries for all other logs
+
+with import <stockholm/lib>;
+let
+ #primary-itf = "eth0";
+ #primary-itf = "wlp2s0";
+ primary-itf = config.makefu.server.primary-itf;
+ ddclientUser = "ddclient";
+ sec = toString <secrets>;
+ nsupdate = import "${sec}/nsupdate-data.nix";
+ stateDir = "/var/spool/ddclient";
+ cfg = "${stateDir}/cfg";
+ ddclientPIDFile = "${stateDir}/ddclient.pid";
+
+ # TODO: correct cert generation requires a `real` internet ip address
+
+ gen-cfg = dict: ''
+ ssl=yes
+ cache=${stateDir}/ddclient.cache
+ pid=${ddclientPIDFile}
+ ${concatStringsSep "\n" (mapAttrsToList (user: pass: ''
+
+ use=if, if=${primary-itf} protocol=dyndns2, server=ipv4.nsupdate.info, login=${user}, password='${pass}' ${user}
+ usev6=if, if=${primary-itf} protocol=dyndns2, server=ipv6.nsupdate.info, login=${user}, password='${pass}' ${user}
+ '') dict)}
+ '';
+
+in {
+ users.extraUsers = singleton {
+ name = ddclientUser;
+ uid = genid "ddclient";
+ description = "ddclient daemon user";
+ home = stateDir;
+ createHome = true;
+ };
+
+ systemd.services = {
+ ddclient-nsupdate-elchos = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ip-up.target" ];
+ serviceConfig = {
+ Type = "forking";
+ User = ddclientUser;
+ PIDFile = ddclientPIDFile;
+ ExecStartPre = pkgs.writeDash "init-nsupdate" ''
+ cp -vf ${pkgs.writeText "ddclient-config" (gen-cfg nsupdate)} ${cfg}
+ chmod 700 ${cfg}
+ '';
+ ExecStart = "${pkgs.ddclient}/bin/ddclient -verbose -daemon 1 -noquiet -file ${cfg}";
+ };
+ };
+ };
+}
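Review bot: `chmod 700 ${cfg}` in `ExecStartPre` sets the execute bit on a credentials file that ddclient only reads; `chmod 600 ${cfg}` is the mode that fits. The header comment `# search also generates ddclient entries for all other logs` and the unit name `ddclient-nsupdate-elchos` appear to be carried over from elchos/search.nix and do not describe this module. A comment such as `# ddclient updater for the nsupdate.info hosts listed in <secrets/nsupdate-data.nix>` would be clearer.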
diff --git a/makefu/2configs/share/anon-ftp.nix b/makefu/2configs/share/anon-ftp.nix
index 471f22cba..d2a535f97 100644
--- a/makefu/2configs/share/anon-ftp.nix
+++ b/makefu/2configs/share/anon-ftp.nix
@@ -1,6 +1,6 @@
{ config, lib, ... }:
let
- ftpdir = "/home/ftp";
+ ftpdir = "/data";
in {
networking.firewall = {
allowedTCPPorts = [ 20 21 ];
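Review bot: Changing `ftpdir` to `"/data"` makes the whole of `/data` the anonymous FTP root, which on a host that also imports lanparty/samba.nix includes the guest-writable `/data/lanparty`. Whether uploads are enabled is decided further down in the file, outside this hunk, so the exposure depends on what else lives under `/data`. A dedicated subdirectory, e.g. `ftpdir = "/data/ftp";`, or a comment stating that everything under `/data` is meant to be public, would make the intent explicit.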
diff --git a/makefu/2configs/share/gum.nix b/makefu/2configs/share/gum.nix
index e578f43d3..f5942a0f7 100644
--- a/makefu/2configs/share/gum.nix
+++ b/makefu/2configs/share/gum.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
-with config.krebs.lib;
+with import <stockholm/lib>;
let
hostname = config.krebs.build.host.name;
in {
@@ -11,7 +11,7 @@ in {
# home = "/var/empty";
# };
- users.users.download = { };
+ users.users.download.uid = genid "download";
services.samba = {
enable = true;
shares = {
diff --git a/makefu/2configs/tools/android-pentest.nix b/makefu/2configs/tools/android-pentest.nix
index 3f65424cc..da8a357ae 100644
--- a/makefu/2configs/tools/android-pentest.nix
+++ b/makefu/2configs/tools/android-pentest.nix
@@ -10,5 +10,8 @@
apktool
jd-gui
android-studio
+ jdk
+ jre
+ openssl
];
}
diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix
index 42006eb22..6681484fd 100644
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@@ -1,9 +1,10 @@
{ pkgs, ... }:
{
- krebs.per-user.makefu.packages = with pkgs;[
+ users.users.makefu.packages = with pkgs;[
python35Packages.virtualenv
# embedded
+ gi
flashrom
mosquitto
libcoap
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 1e68e935c..b2d616764 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -13,5 +13,6 @@
# Dev
saleae-logic
arduino-user-env
+ gitAndTools.gitFull
];
}
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix
index f17bcdc3a..47b5d7fc3 100644
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@@ -1,6 +1,11 @@
{ config, lib, ... }:
-{
+let
+ grss = name: { #github rss feed
+ url = "https://github.com/${name}/releases.atom";
+ filter = "grepi:(<updated|<media.thumbnail)";
+ };
+in {
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
@@ -10,14 +15,7 @@
## nixpkgs maintenance
# github
## No rate limit
- https://github.com/amadvance/snapraid/releases.atom
- https://github.com/radare/radare2/releases.atom
- https://github.com/ovh/python-ovh/releases.atom
- https://github.com/embray/d2to1/releases.atom
- https://github.com/Mic92/vicious/releases.atom
- https://github.com/embray/d2to1/releases.atom
- https://github.com/dorimanx/exfat-nofuse/releases.atom
- https://github.com/rapid7/metasploit-framework/releases.atom
+
## rate limited
# https://api.github.com/repos/dorimanx/exfat-nofuse/commits
# https://api.github.com/repos/mcepl/gen-oath-safe/commits
@@ -39,6 +37,15 @@
filter = "grep:Software/Linux/dymo-cups-drivers";
}
# TODO: dymo cups
+ ] ++ map grss [
+ "amadvance/snapraid"
+ "radare/radare2"
+ "ovh/python-ovh"
+ "embray/d2to1"
+ "Mic92/vicious"
+ "embray/d2to1"
+ "dorimanx/exfat-nofuse"
+ "rapid7/metasploit-framework"
];
};
}
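Review bot: `"embray/d2to1"` appears twice in the list passed to `map grss`, a duplicate carried over from the URL list removed in the previous hunk, so the same feed is presumably fetched and reported twice. Dropping the second entry is enough. The `grss` helper in the first hunk could also carry a comment noting that `name` is an `owner/repo` string, e.g. `# name: "owner/repo" on github.com`.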
diff --git a/makefu/2configs/vim.nix b/makefu/2configs/vim.nix
index 227d73c81..524caf8f5 100644
--- a/makefu/2configs/vim.nix
+++ b/makefu/2configs/vim.nix
@@ -21,6 +21,9 @@ in {
vimrcConfig.customRC = ''
set nocompatible
syntax on
+ set list
+ set listchars=tab:▸
+ "set list listchars=tab:>-,trail:.,extends:>
filetype off
filetype plugin indent on
diff --git a/makefu/2configs/virtualisation/docker.nix b/makefu/2configs/virtualisation/docker.nix
index 98fd980cc..ddef9e371 100644
--- a/makefu/2configs/virtualisation/docker.nix
+++ b/makefu/2configs/virtualisation/docker.nix
@@ -1,4 +1,8 @@
-{...}:
+{ pkgs, ... }:
{
virtualisation.docker.enable = true;
+ environment.systemPackages = with pkgs;[
+ docker
+ docker_compose
+ ];
}