diff options
Diffstat (limited to 'makefu')
36 files changed, 1109 insertions, 159 deletions
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 934bfa685..e1357ff01 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -44,6 +44,7 @@ in { <stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/vpn/openvpn-server.nix> <stockholm/makefu/2configs/dnscrypt/server.nix> + <stockholm/makefu/2configs/remote-build/slave.nix> ## Web <stockholm/makefu/2configs/nginx/share-download.nix> @@ -74,6 +75,9 @@ in { <stockholm/makefu/2configs/stats/client.nix> # <stockholm/makefu/2configs/logging/client.nix> + # Temporary: + <stockholm/makefu/2configs/temp/rst-issue.nix> + ]; makefu.dl-dir = "/var/download"; @@ -143,6 +147,8 @@ in { 53589 # temp vnc 18001 + # temp reverseshell + 31337 ]; allowedUDPPorts = [ # tinc diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix new file mode 100644 index 000000000..d532f216f --- /dev/null +++ b/makefu/1systems/latte/config.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: +let + + # external-ip = config.krebs.build.host.nets.internet.ip4.addr; + # internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; + # default-gw = "185.215.224.1"; + # prefixLength = 24; + # external-mac = "46:5b:fc:f4:44:c9"; + # ext-if = "et0"; +in { + + imports = [ + <stockholm/makefu> + # configure your hw: + <stockholm/makefu/2configs/hw/CAC.nix> + <stockholm/makefu/2configs/tinc/retiolum.nix> + <stockholm/makefu/2configs/save-diskspace.nix> + + # Security + <stockholm/makefu/2configs/sshd-totp.nix> + <stockholm/makefu/2configs/stats/client.nix> + + # Tools + <stockholm/makefu/2configs/tools/core.nix> + <stockholm/makefu/2configs/vim.nix> + <stockholm/makefu/2configs/zsh-user.nix> + # Services + <stockholm/makefu/2configs/remote-build/slave.nix> + + ]; + krebs = { + enable = true; + build.host = config.krebs.hosts.latte; + }; + boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ]; + + boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.copyKernels = true; + fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + networking = { + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ 655 ]; + }; + # network interface receives dhcp address + nameservers = [ "8.8.8.8" ]; + }; +} diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix new file mode 100644 index 000000000..d997fb3f0 --- /dev/null +++ b/makefu/1systems/latte/source.nix @@ -0,0 +1,3 @@ +import <stockholm/makefu/source.nix> { + name="latte"; +} diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 4c93a7a3e..a22ff10bd 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -60,10 +60,13 @@ in { <stockholm/makefu/2configs/stats/nodisk-client.nix> # logs to influx <stockholm/makefu/2configs/stats/external/aralast.nix> + <stockholm/makefu/2configs/stats/telegraf> # services <stockholm/makefu/2configs/syncthing.nix> <stockholm/makefu/2configs/mqtt.nix> + <stockholm/makefu/2configs/remote-build/slave.nix> + # security <stockholm/makefu/2configs/sshd-totp.nix> @@ -77,6 +80,9 @@ in { ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload + + # Temporary: + <stockholm/makefu/2configs/temp/rst-issue.nix> ]; makefu.full-populate = true; makefu.server.primary-itf = primaryInterface; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index b776b49d6..3a53b70cb 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -25,7 +25,9 @@ in { # <stockholm/makefu/2configs/audio/realtime-audio.nix> # <stockholm/makefu/2configs/vncserver.nix> <stockholm/makefu/2configs/temp/rst-issue.nix> - ]; + # Services + <stockholm/makefu/2configs/remote-build/slave.nix> + ]; krebs = { enable = true; @@ -33,10 +35,48 @@ in { }; swapDevices = [ { device = "/var/swap"; } ]; + services.collectd.extraConfig = lib.mkAfter '' + #LoadPlugin ping + # does not work because it requires privileges + #<Plugin "ping"> + # Host "google.de" + # Host "heise.de" + #</Plugin> + + LoadPlugin curl + <Plugin curl> + TotalTime true + NamelookupTime true + ConnectTime true + + <Page "google"> + MeasureResponseTime true + MeasureResponseCode true + URL "https://google.de" + </Page> + + <Page "webde"> + MeasureResponseTime true + MeasureResponseCode true + URL "http://web.de" + </Page> + + </Plugin> + #LoadPlugin netlink + #<Plugin "netlink"> + # Interface "enp0s25" + # Interface "wlp2s0" + # IgnoreSelected false + #</Plugin> + ''; networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 655 49152 ]; + networking.firewall.allowedTCPPorts = [ + 655 + 8081 #smokeping + 49152 + ]; networking.firewall.trustedInterfaces = [ "enp0s25" ]; #services.tinc.networks.siem = { # name = "display"; @@ -90,4 +130,66 @@ in { serverAddress = "x.r"; }; }; + security.wrappers.fping = { + source = "${pkgs.fping}/bin/fping"; + setuid = true; + }; + services.smokeping = { + enable = true; + targetConfig = '' + probe = FPing + menu = Top + title = Network Latency Grapher + remark = Welcome to this SmokePing website. + + + network + menu = Net latency + title = Network latency (ICMP pings) + + ++ google + probe = FPing + host = google.de + ++ webde + probe = FPing + host = web.de + + + services + menu = Service latency + title = Service latency (DNS, HTTP) + + ++ HTTP + menu = HTTP latency + title = Service latency (HTTP) + + +++ webdeping + probe = EchoPingHttp + host = web.de + + +++ googwebping + probe = EchoPingHttp + host = google.de + + #+++ webwww + #probe = Curl + #host = web.de + + #+++ googwebwww + #probe = Curl + #host = google.de + ''; + probeConfig = '' + + FPing + binary = /run/wrappers/bin/fping + + EchoPingHttp + pings = 5 + url = / + + #+ Curl + ## probe-specific variables + #binary = ${pkgs.curl}/bin/curl + #step = 60 + ## a default for this target-specific variable + #urlformat = http://%host%/ + ''; + }; } diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index faa29f3db..443f912d8 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -56,8 +56,8 @@ with import <stockholm/lib>; <stockholm/makefu/2configs/git/brain-retiolum.nix> <stockholm/makefu/2configs/tor.nix> <stockholm/makefu/2configs/vpn/vpngate.nix> - <stockholm/makefu/2configs/steam.nix> # <stockholm/makefu/2configs/buildbot-standalone.nix> + <stockholm/makefu/2configs/remote-build/master.nix> # Hardware <stockholm/makefu/2configs/hw/tp-x230.nix> diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix index 678370c69..4c17a1d50 100644 --- a/makefu/2configs/deployment/led-fader.nix +++ b/makefu/2configs/deployment/led-fader.nix @@ -29,11 +29,11 @@ in { environment = { NIX_PATH = "/var/src"; }; - # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ]; + after = [ "network-online.target" ] ++ (lib.optional config.services.mosquitto.enable "mosquitto.service"); wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; serviceConfig = { # User = "nobody"; # need a user with permissions to run nix-shell + ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2"; ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; PrivateTmp = true; }; diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 30c0b0b87..5604383e7 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -24,6 +24,7 @@ let cac-api = { }; euer_blog = { }; ampel = { }; + europastats = { }; init-stockholm = { cgit.desc = "Init stuff for stockholm"; }; diff --git a/makefu/2configs/gui/base.nix b/makefu/2configs/gui/base.nix index 0247010b1..daa0282b8 100644 --- a/makefu/2configs/gui/base.nix +++ b/makefu/2configs/gui/base.nix @@ -58,7 +58,7 @@ in hardware.pulseaudio = { enable = true; - systemWide = true; + # systemWide = true; }; services.xserver.displayManager.sessionCommands = let xdefaultsfile = pkgs.writeText "Xdefaults" '' diff --git a/makefu/2configs/printer.nix b/makefu/2configs/printer.nix index 0865a0841..51e69d8b7 100644 --- a/makefu/2configs/printer.nix +++ b/makefu/2configs/printer.nix @@ -14,17 +14,20 @@ in { # scanners are printers just in reverse anyway services.saned.enable = true; - users.users."${mainUser}".extraGroups = [ "scanner" ]; + users.users."${mainUser}".extraGroups = [ "scanner" "lp" ]; hardware.sane = { enable = true; - extraBackends = [ pkgs.samsungUnifiedLinuxDriver ]; + extraBackends = [ ]; # $ scanimage -p --format=jpg --mode=Gray --source="Automatic Document Feeder" -v --batch="lol%d.jpg" --resolution=150 # requires 'sane-extra', scan via: - extraConfig."magicolor" = '' - net 10.42.20.30 0x2098 - ''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf + #extraConfig."magicolor" = '' + # net 10.42.20.30 0x2098 + #''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf + extraConfig."xerox_mfp" = '' + tcp 192.168.1.5 + ''; #home printer SCX-3205W }; } diff --git a/makefu/2configs/remote-build/master.nix b/makefu/2configs/remote-build/master.nix new file mode 100644 index 000000000..4ad2c5ed8 --- /dev/null +++ b/makefu/2configs/remote-build/master.nix @@ -0,0 +1,14 @@ +{ pkgs, ...}: +let + sshKey = (toString <secrets>) + "/id_nixBuild"; +in { + nix.distributedBuilds = true; + # TODO: iterate over krebs.hosts + nix.buildMachines = map ( hostName: + { inherit hostName sshKey; + sshUser = "nixBuild"; + system = "x86_64-linux"; + maxJobs = 1; + }) [ "omo.r" "gum.r" "latte.r" ]; + # puyak.r "wbob.r" +} diff --git a/makefu/2configs/remote-build/slave.nix b/makefu/2configs/remote-build/slave.nix new file mode 100644 index 000000000..b6e000a34 --- /dev/null +++ b/makefu/2configs/remote-build/slave.nix @@ -0,0 +1,11 @@ +{ + nix.trustedUsers = [ "nixBuild" ]; + users.users.nixBuild = { + name = "nixBuild"; + useDefaultShell = true; + # TODO: put this somewhere else + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild" + ]; + }; +} diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix index 8f9935658..bb91b4478 100644 --- a/makefu/2configs/stats/server.nix +++ b/makefu/2configs/stats/server.nix @@ -2,6 +2,8 @@ with import <stockholm/lib>; let + irc-server = "ni.r"; + irc-nick = "m-alarm"; collectd-port = 25826; influx-port = 8086; grafana-port = 3000; # TODO nginx forward @@ -37,9 +39,9 @@ in { echoToIrc = pkgs.writeDash "echo_irc" '' set -euf data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=malarm + export LOGNAME=${irc-nick} ${pkgs.irc-announce}/bin/irc-announce \ - irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null + ${irc-server} 6667 ${irc-nick} \#noise "$data" >/dev/null ''; in { enable = true; diff --git a/makefu/2configs/stats/telegraf/default.nix b/makefu/2configs/stats/telegraf/default.nix new file mode 100644 index 000000000..4da6561d6 --- /dev/null +++ b/makefu/2configs/stats/telegraf/default.nix @@ -0,0 +1,20 @@ +{...}: +let + url = "http://localhost:8086"; +in { + imports = [ + ./europastats.nix + ]; + services.telegraf = { + enable = true; + extraConfig = { + agent.debug = true; + outputs = { + influxdb = [{ + urls = [ url ]; + database = "telegraf"; + }]; + }; + }; + }; +} diff --git a/makefu/2configs/stats/telegraf/europastats.nix b/makefu/2configs/stats/telegraf/europastats.nix new file mode 100644 index 000000000..9249280c5 --- /dev/null +++ b/makefu/2configs/stats/telegraf/europastats.nix @@ -0,0 +1,43 @@ +{ pkgs, ...}: +let + pkg = with pkgs.python3Packages;buildPythonPackage rec { + rev = "be31da7"; + name = "europastats-${rev}"; + propagatedBuildInputs = [ + requests2 + docopt + ]; + src = pkgs.fetchgit { + url = "http://cgit.euer.krebsco.de/europastats"; + inherit rev; + sha256 = "0qj18vgj9nm6aisyqhk3iz3rf8xp7mn5jc6sfylcaw588a9sjfvc"; + }; + }; +in { + services.telegraf.extraConfig.inputs.exec = [ + { + commands = [ "${pkg}/bin/europa-attractions"]; + timeout = "1m"; + data_format = "json"; + name_override = "europawaiting"; + interval = "1m"; + tag_keys = [ + "status" + "type" + "name" + ]; + } + { + commands = [ "${pkg}/bin/europa-weather"]; + timeout = "20s"; + data_format = "json"; + name_override = "europaweather"; + interval = "10m"; + tag_keys = [ + "type" + "name" + "offset" + ]; + } + ]; +} diff --git a/makefu/2configs/tools/all.nix b/makefu/2configs/tools/all.nix index c7a116918..7755e2872 100644 --- a/makefu/2configs/tools/all.nix +++ b/makefu/2configs/tools/all.nix @@ -7,6 +7,7 @@ ./extra-gui.nix ./games.nix ./media.nix + ./scanner-tools.nix ./sec.nix ./sec-gui.nix ./studio.nix diff --git a/makefu/2configs/tools/games.nix b/makefu/2configs/tools/games.nix index 47f06287b..8e815da5e 100644 --- a/makefu/2configs/tools/games.nix +++ b/makefu/2configs/tools/games.nix @@ -1,8 +1,10 @@ { pkgs, ... }: { - krebs.per-user.makefu.packages = with pkgs; [ - steam + imports = [ + ./steam.nix + ]; + users.users.makefu.packages = with pkgs; [ games-user-env ]; } diff --git a/makefu/2configs/tools/scanner-tools.nix b/makefu/2configs/tools/scanner-tools.nix new file mode 100644 index 000000000..ef2e913e4 --- /dev/null +++ b/makefu/2configs/tools/scanner-tools.nix @@ -0,0 +1,7 @@ +{ + # ln -s /run/current-system/sw/bin/xsane ~/.gimp-2.8/plug-ins/xsane + nixpkgs.config.packageOverrides = pkgs: { + xsaneGimp = pkgs.xsane.override { gimpSupport = true; }; + }; +} + diff --git a/makefu/2configs/steam.nix b/makefu/2configs/tools/steam.nix index d4ec84abf..200ea4719 100644 --- a/makefu/2configs/steam.nix +++ b/makefu/2configs/tools/steam.nix @@ -1,6 +1,10 @@ {pkgs, ...}: { - environment.systemPackages = [ pkgs.steam ]; + users.users.makefu.packages = [ + (pkgs.steam.override { + newStdcpp = true; + }) + ]; hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.support32Bit = true; } diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix index 47b5d7fc3..2eecd6428 100644 --- a/makefu/2configs/urlwatch/default.nix +++ b/makefu/2configs/urlwatch/default.nix @@ -24,8 +24,12 @@ in { # pypi https://pypi.python.org/simple/bepasty/ - https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/devpi-client/ + https://pypi.python.org/simple/oslo.config/ + https://pypi.python.org/simple/sqlalchemy_migrate/ + https://pypi.python.org/simple/xstatic/ + https://pypi.python.org/simple/pyserial/ + https://pypi.python.org/simple/semantic_version/ # weird shit http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ diff --git a/makefu/2configs/vim.nix b/makefu/2configs/vim.nix index 9f3a59717..43d362ed9 100644 --- a/makefu/2configs/vim.nix +++ b/makefu/2configs/vim.nix @@ -127,6 +127,7 @@ in { { names = [ "undotree" # "YouCompleteMe" "vim-better-whitespace" ]; } + # vim-nix handles indentation better but does not perform sanity { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } ]; diff --git a/makefu/2configs/virtualisation/docker.nix b/makefu/2configs/virtualisation/docker.nix index ddef9e371..951bdbf26 100644 --- a/makefu/2configs/virtualisation/docker.nix +++ b/makefu/2configs/virtualisation/docker.nix @@ -1,8 +1,9 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { virtualisation.docker.enable = true; environment.systemPackages = with pkgs;[ docker docker_compose ]; + users.extraUsers.${config.krebs.build.user.name}.extraGroups = [ "docker" ]; } diff --git a/makefu/2configs/vncserver.nix b/makefu/2configs/vncserver.nix index 3d1d9fe75..e62a3f748 100644 --- a/makefu/2configs/vncserver.nix +++ b/makefu/2configs/vncserver.nix @@ -33,7 +33,7 @@ in { serviceConfig = { User = "nobody"; ExecStart = "${pkgs.novnc}/bin/launch-novnc.sh --listen ${toString web_port} --vnc localhost:${toString vnc_port}"; - PrivateTmp = true; + PrivateTmp = true; }; }; }; diff --git a/makefu/2configs/vpn/openvpn-server.nix b/makefu/2configs/vpn/openvpn-server.nix index 1e7edbf78..79754264f 100644 --- a/makefu/2configs/vpn/openvpn-server.nix +++ b/makefu/2configs/vpn/openvpn-server.nix @@ -1,13 +1,13 @@ { config, pkgs, ... }: let - out-itf = config.makefu.server.primary-itf; - # generate via openvpn --genkey --secret static.key - client-key = (toString <secrets>) + "/openvpn-laptop.key"; + out-itf = config.makefu.server.primary-itf; + # generate via openvpn --genkey --secret static.key + client-key = (toString <secrets>) + "/openvpn-laptop.key"; # domain = "vpn.euer.krebsco.de"; domain = "gum.krebsco.de"; dev = "tun0"; port = 1194; - tcp-port = 3306; + tcp-port = 3306; in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking.nat = { diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index af0e81df5..00df56bee 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -15,7 +15,6 @@ _: ./torrent.nix ./udpt.nix ./umts.nix - ./wvdial.nix ]; } diff --git a/makefu/3modules/wvdial.nix b/makefu/3modules/wvdial.nix deleted file mode 100644 index 982f4a7db..000000000 --- a/makefu/3modules/wvdial.nix +++ /dev/null @@ -1,70 +0,0 @@ -{ config, lib, pkgs, ... }: -# from 17.03/nixos/modules/programs/wvdial.nix - -with lib; - -let - - configFile = '' - [Dialer Defaults] - PPPD PATH = ${pkgs.ppp}/sbin/pppd - ${config.environment.wvdial.dialerDefaults} - ''; - - cfg = config.environment.wvdial; - -in -{ - ###### interface - - options = { - - environment.wvdial = { - - dialerDefaults = mkOption { - default = ""; - type = types.str; - example = ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"''; - description = '' - Contents of the "Dialer Defaults" section of - <filename>/etc/wvdial.conf</filename>. - ''; - }; - - pppDefaults = mkOption { - default = '' - noipdefault - usepeerdns - defaultroute - persist - noauth - ''; - type = types.str; - description = "Default ppp settings for wvdial."; - }; - - }; - - }; - - ###### implementation - - config = mkIf (cfg.dialerDefaults != "") { - - environment = { - - etc = - [ - { source = pkgs.writeText "wvdial.conf" configFile; - target = "wvdial.conf"; - } - { source = pkgs.writeText "wvdial" cfg.pppDefaults; - target = "ppp/peers/wvdial"; - } - ]; - - }; - - }; - -} diff --git a/makefu/5pkgs/beef/Gemfile b/makefu/5pkgs/beef/Gemfile new file mode 100644 index 000000000..1420feffd --- /dev/null +++ b/makefu/5pkgs/beef/Gemfile @@ -0,0 +1,97 @@ +# BeEF's Gemfile + +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# + +gem 'eventmachine' +gem 'thin' +gem 'sinatra' +gem 'rack', '~> 1.6.5' +gem 'em-websocket' # WebSocket support +gem 'uglifier' +gem 'mime-types' +gem 'execjs' +gem 'ansi' +gem 'term-ansicolor', :require => 'term/ |