From c3319b88bdf17d956ff4d80d3f2747fc6c47c176 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Jul 2016 23:49:03 +0200 Subject: l 2 websites fritz: add golbarrendiebstahl --- lass/2configs/websites/fritz.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 39f0cce0..48d96b1b 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -7,6 +7,7 @@ let head ; inherit (import {inherit lib pkgs;}) + manageCerts ssl servePage serveWordpress @@ -48,6 +49,9 @@ in { (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) + + (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ]) + (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ]) ]; lass.mysqlBackup.config.all.databases = [ @@ -74,6 +78,16 @@ in { config.krebs.users.fritz.pubkey ]; + users.users.goldbarrendiebstahl = { + home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de"; + uid = genid "goldbarrendiebstahl"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.fritz.pubkey + ]; + }; + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { options = '' extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so -- cgit v1.2.3 From 169e5e6c4e9dfc14b5929262531141d6d3337767 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 14 Jul 2016 18:33:56 +0200 Subject: l 2 nixpkgs: 446d4c1 -> 11a7899 --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 0f940a36..bfbd187f 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs = { url = https://github.com/lassulus/nixpkgs; - rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded"; + rev = "11a7899222929b6eb0951f7a1c0182f65b3b4637"; }; } -- cgit v1.2.3 
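Review bot: The new `goldbarrendiebstahl` account gets an interactive login (`useDefaultShell = true`) whose home is exactly the directory `serveWordpress` publishes, so anything the shell writes into `$HOME` (shell history, editor backups, temp files) lands inside the served tree unless the nginx side denies dotfiles, which is not visible in this hunk. If the account only needs to push site content, consider dropping the shell, or document why a full login is required, e.g. `# full shell needed for deploys; nginx must deny dotfiles under this webroot`. No `group` is set either, so the ownership php-fpm sees on uploaded files depends on the module default — worth stating explicitly next to `createHome = true;`. The `users.users` block is complete within the hunk; the surrounding module continues outside it.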
From 38a50ffaeb10812eaa9530d8df0381f2d13e360c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 14 Jul 2016 21:18:02 +0200 Subject: l 2 buildbot: add vbob wbob & shoney --- lass/2configs/buildbot-standalone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 04bdcf9d..12e37866 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -90,7 +90,7 @@ in { method=build \ system={}".format(i)]) - for i in [ "pornocauster", "wry" ]: + for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]: addShell(f,name="build-{}".format(i),env=env_makefu, command=nixshell + \ ["make \ -- cgit v1.2.3 From a71a9ed33a92ba901f7c605506bb2c3ee506e6c7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 14 Jul 2016 22:59:34 +0200 Subject: s 2 repo-sync: change lassulus origin.url to prism --- shared/2configs/repo-sync.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/2configs/repo-sync.nix b/shared/2configs/repo-sync.nix index d1d9ab3f..753b0f47 100644 --- a/shared/2configs/repo-sync.nix +++ b/shared/2configs/repo-sync.nix @@ -17,7 +17,7 @@ with lib; mirror.url = mirror; }; lassulus = { - origin.url = http://cgit.cloudkrebs/stockholm ; + origin.url = http://cgit.prism/stockholm ; mirror.url = mirror; }; "@latest" = { -- cgit v1.2.3 From 01ee8749acb258431eee769e3993fa12bf716e24 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:13:22 +0200 Subject: k 3 retiolum-bootstrap: use secrets path as default, not /root/secrets --- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 40382d09..9d393c90 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix 
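Review bot: `origin.url = http://cgit.prism/stockholm` fetches the system-configuration repository over plain HTTP, so the mirror's integrity rests entirely on `cgit.prism` resolving only inside the retiolum overlay and on that overlay being trusted; nothing in the hunk pins a commit or checks signatures. If that is the intended trust model, a comment such as `# plain http is acceptable only because cgit.prism is reachable solely via retiolum` next to the URL would keep the next person from pointing it at a public host. The enclosing `repos` attribute set starts and ends outside the hunk.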
@@ -27,12 +27,12 @@ let ssl_certificate_key = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "/root/secrets/tinc.krebsco.de.key"; + default = "${toString }/tinc.krebsco.de.key"; }; ssl_certificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "/root/secrets/tinc.krebsco.de.crt" ; + default = "${toString }/tinc.krebsco.de.crt" ; }; # in use: # -- cgit v1.2.3 From 34e628453dda4e7aec9f715703eb6c21b05a8a82 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:34:46 +0200 Subject: k 2 bepasty-dual: use krebs.nginx.ssl + acme --- makefu/2configs/bepasty-dual.nix | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index 5682f5eb..f675c4ac 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -15,6 +15,9 @@ let sec = toString ; # secKey is nothing worth protecting on a local machine secKey = import ; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "paste.krebsco.de" ; in { krebs.nginx.enable = mkDefault true; @@ -25,7 +28,7 @@ in { servers = { internal = { nginx = { - server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; 
@@ -33,17 +36,25 @@ in { external = { nginx = { - server-names = [ "paste.krebsco.de" ]; + server-names = [ ext-dom ]; + ssl = { + enable = true; + certificate = "${acmepath}/${ext-dom}/fullchain.pem"; + certificate_key = "${acmepath}/${ext-dom}/key.pem"; + # these certs will be needed if acme has not yet created certificates: + #certificate = "${sec}/wildcard.krebsco.de.crt"; + #certificate_key = "${sec}/wildcard.krebsco.de.key"; + ciphers = "RC4:HIGH:!aNULL:!MD5" ; + }; + locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + ''); extraConfig = '' ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_certificate ${sec}/wildcard.krebsco.de.crt; - ssl_certificate_key ${sec}/wildcard.krebsco.de.key; ssl_verify_client off; proxy_ssl_session_reuse off; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers RC4:HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + if ($scheme = http){ return 301 https://$server_name$request_uri; }''; @@ -53,4 +64,12 @@ in { }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } -- cgit v1.2.3 From a6a0cddeaabe2e30e314cdb3d7106180660c43cf Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:35:36 +0200 Subject: k 3 m: filepimp,omo expose lan net --- krebs/3modules/makefu/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index d5537cf5..52db3de8 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
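Review bot: `ciphers = "RC4:HIGH:!aNULL:!MD5"` puts RC4 first in the server preference list for the public `paste.krebsco.de` endpoint; RC4 is prohibited for TLS by RFC 7465 and any client still offering it will be handed a broken stream cipher. Replace the string with `ciphers = "HIGH:!aNULL:!MD5:!RC4";` or an explicit ECDHE/AES-GCM list. The hunk also drops the explicit `ssl_protocols` and `ssl_prefer_server_ciphers on` lines; whether the `krebs.nginx` ssl helper re-adds them is not visible here, so it is worth confirming that SSLv3 stays disabled and the server's order is honoured. The commented-out wildcard fallback suggests nginx will fail to start until the first ACME run succeeds; a note on how the bootstrap is meant to work would help the next operator.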
@@ -259,8 +259,13 @@ with config.krebs.lib; }; filepimp = rec { cores = 1; - nets = { + lan = { + ip4.addr = "192.168.1.12"; + aliases = [ + "filepimp.lan" + ]; + }; retiolum = { ip4.addr = "10.243.153.102"; ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; @@ -286,6 +291,12 @@ with config.krebs.lib; cores = 2; nets = { + lan = { + ip4.addr = "192.168.1.11"; + aliases = [ + "omo.lan" + ]; + }; retiolum = { ip4.addr = "10.243.0.89"; ip6.addr = "42:f9f0::10"; -- cgit v1.2.3 From 835ddb0de049850c113de4f9870edb49fff05494 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 18:57:36 +0200 Subject: m 1 vbob: document forticlientsslvpn mess --- krebs/5pkgs/fortclientsslvpn/default.nix | 5 +++-- makefu/1systems/vbob.nix | 11 +++++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix index 11d56740..07420c4d 100644 --- a/krebs/5pkgs/fortclientsslvpn/default.nix +++ b/krebs/5pkgs/fortclientsslvpn/default.nix @@ -5,9 +5,10 @@ stdenv.mkDerivation rec { # forticlient will be copied into /tmp before execution. this is necessary as # the software demands $base to be writeable + # TODO: chroot and create the following files instead of copying files manually # mkdir /etc/ppp ; touch /etc/ppp/options - ## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc # ln -s /run/current-system/sw/bin/tail /usr/bin/tail + # ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd src = fetchurl { # archive.org mirror: @@ -62,7 +63,7 @@ stdenv.mkDerivation rec { cp -r 64bit/. "$out/opt/fortinet" wrapProgram $out/opt/fortinet/forticlientsslvpn \ --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \ - --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp + --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd mkdir -p "$out/bin/" 
diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 3fcb173c..4818cea2 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,7 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui - # (toString )/extra-hosts.nix + # environment @@ -28,8 +28,15 @@ openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ]; }; }; + + environment.shellAliases = { + forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn"; + }; + # TODO: for forticleintsslpn + # ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd + # ln -s /r/current-system/sw/bin/tail /usr/bin/tail environment.systemPackages = with pkgs;[ - fortclientsslvpn + fortclientsslvpn ppp xclip get logstash docker -- cgit v1.2.3 From ef71793d2507bbee8a5c85842fb90a1f5d00ab3b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Jul 2016 00:01:17 +0200 Subject: l 1 prism: inherit home from krebs.users.tv --- lass/1systems/prism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 77d72a5a..1bc8d574 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -226,7 +226,7 @@ in { { users.users.tv = { uid = genid "tv"; - home = "/home/tv"; + inherit (config.krebs.users.tv) home; group = "users"; createHome = true; useDefaultShell = true; -- cgit v1.2.3 From 6ba6f28a5361a62ecb495bb10a7bfb820760dbdb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Jul 2016 00:02:34 +0200 Subject: l 2: add audit.nix --- lass/2configs/audit.nix | 9 +++++++++ lass/2configs/default.nix | 11 ++++++----- 2 files changed, 15 insertions(+), 5 deletions(-) create mode 100644 lass/2configs/audit.nix diff --git a/lass/2configs/audit.nix b/lass/2configs/audit.nix new file mode 100644 index 00000000..644741a5 --- /dev/null +++ b/lass/2configs/audit.nix @@ -0,0 +1,9 @@ +{ ... }: + +{ + security.audit = { + rules = [ + "-a task,never" + ]; + }; +} 
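Review bot: The alias `forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn"` copies a plaintext VPN password into the X primary selection, which every client attached to the display can read, and it leaves the secret in a plain file in the home directory. If the client really needs the password pasted interactively, at least keep `~/vpn/pw.txt` mode 0600, clear the selection after login, and say so in a comment, e.g. `# pw.txt must be 0600; the X selection is readable by all clients, clear it after login`. A password manager that prints to stdout would avoid the on-disk copy entirely; which one is available on vbob cannot be seen from the hunk. The `makefu` user block above the alias starts outside the hunk.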
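Review bot: `"-a task,never"` tells the kernel to stop generating audit records for every task created after the rule loads, which silences the audit subsystem on each host that imports `lass/2configs/default.nix`, and the new file carries no comment saying this is deliberate. Add one above the rule, e.g. `# Suppress kernel audit records for all new tasks (no auditd here); drop per host if audit trails are required`. Whether the rule is actually loaded depends on `security.audit.enable` on those hosts, which this file does not set, so it may be a no-op on some of them — worth confirming.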
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 81abff3e..622ef118 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -3,13 +3,14 @@ with config.krebs.lib; { imports = [ - ../2configs/vim.nix - ../2configs/zsh.nix - ../2configs/mc.nix - ../2configs/retiolum.nix - ../2configs/nixpkgs.nix + ../2configs/audit.nix ../2configs/binary-cache/client.nix ../2configs/gc.nix + ../2configs/mc.nix + ../2configs/nixpkgs.nix + ../2configs/retiolum.nix + ../2configs/vim.nix + ../2configs/zsh.nix ./backups.nix { users.extraUsers = -- cgit v1.2.3 From 12223227b9bb87bd963913d829f0e80b5785b5d4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Jul 2016 20:25:42 +0200 Subject: l 2 nixpkgs: adapt to new populate --- lass/2configs/nixpkgs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index bfbd187f..931aabf0 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -1,8 +1,8 @@ { ... }: { - krebs.build.source.nixpkgs = { + krebs.build.source.nixpkgs.git = { url = https://github.com/lassulus/nixpkgs; - rev = "11a7899222929b6eb0951f7a1c0182f65b3b4637"; + ref = "11a7899222929b6eb0951f7a1c0182f65b3b4637"; }; } -- cgit v1.2.3 From 53d0ca2ddff537495ca96fb134663431a7b4cee3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Jul 2016 21:05:05 +0200 Subject: l 2 buildbot: fix target string --- lass/2configs/buildbot-standalone.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 46a4157e..ea6e38dd 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -86,7 +86,7 @@ in { ["make \ test \ ssh=${sshWrapper} \ - target=build@localhost:${config.users.users.build.home}/testbuild \ + target=build@localhost${config.users.users.build.home}/testbuild \ method=build \ system={}".format(i)]) 
@@ -96,7 +96,7 @@ in { ["make \ test \ ssh=${sshWrapper} \ - target=build@localhost:${config.users.users.build.home}/testbuild \ + target=build@localhost${config.users.users.build.home}/testbuild \ method=build \ system={}".format(i)]) -- cgit v1.2.3 From 461637c92851b2f57a5814ff4b2988bcf9a184a5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Jul 2016 21:05:24 +0200 Subject: l 2 buildbot: set NIX_PATH to /var/src --- lass/2configs/buildbot-standalone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index ea6e38dd..5afb2368 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -147,7 +147,7 @@ in { password = "lasspass"; packages = with pkgs; [ gnumake jq nix populate ]; extraEnviron = { - NIX_PATH="nixpkgs=/var/src/nixpkgs"; + NIX_PATH="/var/src"; }; }; config.krebs.iptables = { -- cgit v1.2.3 From 24db6439c4bc64d39b991a677a8dac4a6581ed74 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 10:06:04 +0200 Subject: retiolum: config which is working but not functioning (see TODO in retiolum.nix) --- krebs/3modules/exim-retiolum.nix | 2 +- krebs/3modules/retiolum.nix | 299 ++++++++++++++++++++------------------- 2 files changed, 152 insertions(+), 149 deletions(-) diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index d6b7ab75..fc127a41 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -37,7 +37,7 @@ let config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.krebs.retiolum.enable; + assert (lib.hasAttr "retiolum" config.krebs.tinc); '' keep_environment = diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 22991f09..1107e857 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix 
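Review bot: The slave credential `password = "lasspass";` two lines above the changed `extraEnviron` is a static secret committed to the repository and written into the generated buildbot config in the world-readable Nix store; it predates this hunk, but it is the line worth fixing while touching the slave definition. Read it from the secrets tree the rest of the configuration already uses instead of a literal, and keep the value out of git. `NIX_PATH="/var/src"` itself looks fine as long as every `<…>` lookup the builds need lives under `/var/src` on the slave. The slave attribute set this belongs to starts above the hunk.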
@@ -1,130 +1,164 @@ { config, pkgs, lib, ... }: with config.krebs.lib; let - cfg = config.krebs.retiolum; - out = { - options.krebs.retiolum = api; - config = lib.mkIf cfg.enable imp; + options.krebs.tinc = api; + config = imp; }; - api = { - enable = mkEnableOption "krebs.retiolum"; - - host = mkOption { - type = types.host; - default = config.krebs.build.host; - }; - - netname = mkOption { - type = types.enum (attrNames cfg.host.nets); - default = "retiolum"; - description = '' - The tinc network name. - It is used to name the TUN device and to generate the default value for - config.krebs.retiolum.hosts. - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Extra Configuration to be appended to tinc.conf - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - type = with types; attrsOf host; - default = - filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts; - description = '' - Hosts to generate config.krebs.retiolum.hostsPackage. - Note that these hosts must have a network named - config.krebs.retiolum.netname. - ''; - }; - - hostsPackage = mkOption { - type = types.package; - default = pkgs.stdenv.mkDerivation { - name = "${cfg.netname}-tinc-hosts"; - phases = [ "installPhase" ]; - installPhase = '' - mkdir $out - ${concatStrings (mapAttrsToList (_: host: '' - echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \ - > $out/${shell.escape host.name} - '') cfg.hosts)} - ''; + api = mkOption { + default = {}; + description = '' + define a tinc network + ''; + type = with types; attrsOf (submodule (tinc: { + options = { + host = mkOption { + type = types.host; + default = config.krebs.build.host; + }; + + netname = mkOption { + type = types.enum (attrNames tinc.config.host.nets); + default = tinc.config._module.args.name; + description = '' + The tinc network name. 
+ It is used to name the TUN device and to generate the default value for + config.krebs.tinc.retiolum.hosts. + ''; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Extra Configuration to be appended to tinc.conf + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + type = with types; attrsOf host; + default = + filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts; + description = '' + Hosts to generate config.krebs.retiolum.hostsPackage. + Note that these hosts must have a network named + config.krebs.retiolum.netname. + ''; + }; + + hostsPackage = mkOption { + type = types.package; + default = pkgs.stdenv.mkDerivation { + name = "${tinc.config.netname}-tinc-hosts"; + phases = [ "installPhase" ]; + installPhase = '' + mkdir $out + ${concatStrings (lib.mapAttrsToList (_: host: '' + echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \ + > $out/${shell.escape host.name} + '') tinc.config.hosts)} + ''; + }; + description = '' + Package of tinc host configuration files. By default, a package will + be generated from config.krebs.${tinc.config.netname}.hosts. This + option's main purpose is to expose the generated hosts package to other + modules, like config.krebs.tinc_graphs. But it can + also be used to provide a custom hosts directory. + ''; + example = literalExample '' + (pkgs.stdenv.mkDerivation { + name = "my-tinc-hosts"; + src = /home/tv/my-tinc-hosts; + installPhase = "cp -R . 
$out"; + }) + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + privkey = mkOption { + type = types.secret-file; + default = { + path = "${tinc.config.user.home}/tinc.rsa_key.priv"; + owner = tinc.config.user; + source-path = toString + "/${tinc.config.netname}.rsa_key.priv"; + }; + }; + + connectTo = mkOption { + type = types.listOf types.str; + default = [ "fastpoke" "cd" "prism" "gum" ]; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + + In stockholm this can be done by configuring: + krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 = + [ "${external-ip} ${external-port}" ] + ''; + }; + + user = mkOption { + type = types.user; + default = { + name = tinc.config.netname; + home = "/var/lib/${tinc.config.user.name}"; + }; + }; }; - description = '' - Package of tinc host configuration files. By default, a package will - be generated from config.krebs.retiolum.hosts. This - option's main purpose is to expose the generated hosts package to other - modules, like config.krebs.tinc_graphs. But it can - also be used to provide a custom hosts directory. 
+ })); + }; + imp = lib.mkMerge ( lib.mapAttrsToList (netname: cfg: + let + net = cfg.host.nets.${netname}; + + tinc = cfg.tincPackage; + + iproute = cfg.iproutePackage; + + confDir = let + namePathPair = name: path: { inherit name path; }; + in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} ''; - example = literalExample '' - (pkgs.stdenv.mkDerivation { - name = "my-tinc-hosts"; - src = /home/tv/my-tinc-hosts; - installPhase = "cp -R . $out"; - }) + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + ${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - privkey = mkOption { - type = types.secret-file; - default = { - path = "${cfg.user.home}/tinc.rsa_key.priv"; - owner = cfg.user; - source-path = toString + "/${cfg.netname}.rsa_key.priv"; - }; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "cd" "prism" "gum" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. 
- - In stockholm this can be done by configuring: - krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 = - [ "${external-ip} ${external-port}" ] - ''; - }; - - user = mkOption { - type = types.user; - default = { - name = cfg.netname; - home = "/var/lib/${cfg.user.name}"; - }; - }; - }; - - imp = { - krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey; + }); + in { + krebs.secret.files."${netname}.rsa_key.priv" = cfg.privkey; environment.systemPackages = [ tinc iproute ]; - systemd.services.${cfg.netname} = { - description = "Tinc daemon for Retiolum"; + systemd.services.${netname} = { + description = "Tinc daemon for ${netname}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; requires = [ "secret.service" ]; @@ -132,7 +166,7 @@ let serviceConfig = rec { Restart = "always"; ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = cfg.netname; + SyslogIdentifier = netname; }; }; 
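Review bot: `connectTo` keeps the retiolum-specific default `[ "fastpoke" "cd" "prism" "gum" ]` for every network declared under `krebs.tinc`, now that the module is keyed by netname; for any other network those names are unlikely to exist in its `hostsPackage`, so tincd would be handed `ConnectTo` entries it cannot resolve, and the description only documents the retiolum case. Consider `default = if tinc.config.netname == "retiolum" then [ "fastpoke" "cd" "prism" "gum" ] else [];` or leaving the option without a default for non-retiolum networks. The `hosts` and `hostsPackage` descriptions still refer to `config.krebs.retiolum.hostsPackage` and `config.krebs.retiolum.netname`; they should now read `config.krebs.tinc.<netname>.hostsPackage` and `…netname`. The submodule option set is complete within this hunk; the `imp` that consumes it continues below.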
@@ -140,36 +174,5 @@ let inherit (cfg.user) home name uid; createHome = true; }; - }; - - net = cfg.host.nets.${cfg.netname}; - - tinc = cfg.tincPackage; - - iproute = cfg.iproutePackage; - - confDir = let - namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${cfg.netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${cfg.netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname} - ''} - ''; - }); - + }) {} ); # TODO <<<< replace with the "config.krebs.tinc" and avoid infinite recursion in out -- cgit v1.2.3 From d35fc9f6d2fac0f9a4b1c26f78860ce9d9afbe6e Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:15:47 +0200 Subject: k 3 retiolum: explicitly build users, secrets and services --- krebs/3modules/retiolum.nix | 107 +++++++++++++++++++++++--------------------- 1 file changed, 55 insertions(+), 52 deletions(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 1107e857..7bf710dc 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -13,6 +13,9 @@ let ''; type = with types; attrsOf (submodule (tinc: { options = { + + enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; + host = mkOption { type = types.host; default = config.krebs.build.host; 
@@ -121,58 +124,58 @@ let }; })); }; - imp = lib.mkMerge ( lib.mapAttrsToList (netname: cfg: - let - net = cfg.host.nets.${netname}; - - tinc = cfg.tincPackage; - - iproute = cfg.iproutePackage; - - confDir = let - namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} - ''} - ''; - }); - in { - krebs.secret.files."${netname}.rsa_key.priv" = cfg.privkey; - - environment.systemPackages = [ tinc iproute ]; - - systemd.services.${netname} = { - description = "Tinc daemon for ${netname}"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; - path = [ tinc iproute ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = netname; - }; - }; - - users.users.${cfg.user.name} = { + imp = { + # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts + krebs.secret.files = lib.mapAttrs' (netname: cfg: + nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + users.users = lib.mapAttrs' (netname: cfg: + nameValuePair "${netname}" { inherit (cfg.user) home name 
uid; createHome = true; - }; - }) {} ); # TODO <<<< replace with the "config.krebs.tinc" and avoid infinite recursion + } ) config.krebs.tinc; + + systemd.services = lib.mapAttrs (netname: cfg: + let + net = cfg.host.nets.${netname}; + + tinc = cfg.tincPackage; + + iproute = cfg.iproutePackage; + + confDir = let + namePathPair = name: path: { inherit name path; }; + in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} + ''; + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + ${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} + ''; + }); + in { + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; + path = [ tinc iproute ]; + serviceConfig = rec { + Restart = "always"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + SyslogIdentifier = netname; + }; + } ) config.krebs.tinc; + }; in out -- cgit v1.2.3 From 2d4b0dc227b2dc10fa6fe4aa9659391ac1c8c2b4 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:24:58 +0200 Subject: k 3 retiolum: remove lib. for imp part --- krebs/3modules/retiolum.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
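Review bot: The `enable` option added in this commit's first hunk (`mkEnableOption … // { default = true; }`) is never consulted here: `krebs.secret.files`, `users.users` and `systemd.services` all map over the full `config.krebs.tinc`, so setting `krebs.tinc.<net>.enable = false` still installs the private key, creates the user and starts the daemon. Filter once in the `let`, e.g. `enabledNets = filterAttrs (_: cfg: cfg.enable) config.krebs.tinc;`, and map over `enabledNets` in all three places. The `imp` attribute set begins and ends within this hunk; the enclosing `let` starts above it.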
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 7bf710dc..326dfa7f 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -126,15 +126,15 @@ let }; imp = { # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts - krebs.secret.files = lib.mapAttrs' (netname: cfg: + krebs.secret.files = mapAttrs' (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; - users.users = lib.mapAttrs' (netname: cfg: + users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { inherit (cfg.user) home name uid; createHome = true; } ) config.krebs.tinc; - systemd.services = lib.mapAttrs (netname: cfg: + systemd.services = mapAttrs (netname: cfg: let net = cfg.host.nets.${netname}; @@ -144,7 +144,7 @@ let confDir = let namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair { "hosts" = cfg.hostsPackage; "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' Name = ${cfg.host.name} -- cgit v1.2.3 From 4e0eb7d9c07fde00bff4b4b2875bf3a49a5bd7b8 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:38:59 +0200 Subject: k 3 retiolum: formatting --- krebs/3modules/retiolum.nix | 80 ++++++++++++++++++++++++--------------------- 1 file changed, 42 insertions(+), 38 deletions(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 326dfa7f..a80c510a 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -14,7 +14,7 @@ let type = with types; attrsOf (submodule (tinc: { options = { - enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; + enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; host = mkOption { type = types.host; 
@@ -124,58 +124,62 @@ let }; })); }; + imp = { - # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts + # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, + # avoid conflicts in environment if the packages differ + krebs.secret.files = mapAttrs' (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { - inherit (cfg.user) home name uid; - createHome = true; - } ) config.krebs.tinc; + inherit (cfg.user) home name uid; + createHome = true; + } + ) config.krebs.tinc; systemd.services = mapAttrs (netname: cfg: let net = cfg.host.nets.${netname}; - tinc = cfg.tincPackage; - iproute = cfg.iproutePackage; confDir = let namePathPair = name: path: { inherit name path; }; in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} - ''} - ''; - }); + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} + ''; + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + 
${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} + ''; + } + ); in { - description = "Tinc daemon for ${netname}"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; - path = [ tinc iproute ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = netname; - }; - } ) config.krebs.tinc; + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; + path = [ tinc iproute ]; + serviceConfig = rec { + Restart = "always"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + SyslogIdentifier = netname; + }; + } + ) config.krebs.tinc; }; in out -- cgit v1.2.3 From d04b0b4ebeffb347e998abd72fccfe718063c973 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:50:32 +0200 Subject: k 3 retiolum: prepare fallback to krebs.retiolum --- krebs/3modules/retiolum.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index a80c510a..d0dbd266 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -2,6 +2,7 @@ with config.krebs.lib; let out = { + options.krebs.retiolum = trace "krebs.retiolum is obsolete, use krebs.tinc.retiolum instead" config.krebs.tinc.retiolum; options.krebs.tinc = api; config = imp; }; -- cgit v1.2.3 
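Review bot: `options.krebs.retiolum = trace "…" config.krebs.tinc.retiolum;` puts a config value under `options`, where the module system expects option declarations; the module system walks `options` on every evaluation, so the trace will presumably fire whether or not anyone still uses `krebs.retiolum`, and reading `config` from inside `options` risks infinite recursion. If the pinned nixpkgs has it, `imports = [ (mkRenamedOptionModule [ "krebs" "retiolum" ] [ "krebs" "tinc" "retiolum" ]) ];` gives the same fallback with a warning only on actual use. The `out` attrset continues outside the hunk.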
From c5d7e14e9087097e55b809b33cd39de079c09bf1 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:51:25 +0200 Subject: k 3 exim-retiolum: assert to krebs.tinc.retiolum.enable again --- krebs/3modules/exim-retiolum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index fc127a41..a18f1c97 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -37,7 +37,7 @@ let config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert (lib.hasAttr "retiolum" config.krebs.tinc); + assert config.krebs.tinc.retiolum.enable; '' keep_environment = -- cgit v1.2.3 From 13a5662feb58b91287ac00c19925c70156612755 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:55:22 +0200 Subject: k 3 retiolum: krebs.retiolum is now officially obsolete --- krebs/3modules/retiolum.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index d0dbd266..a80c510a 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -2,7 +2,6 @@ with config.krebs.lib; let out = { - options.krebs.retiolum = trace "krebs.retiolum is obsolete, use krebs.tinc.retiolum instead" config.krebs.tinc.retiolum; options.krebs.tinc = api; config = imp; }; -- cgit v1.2.3 From 46232b30beba336ccc6a1a75e1cc9d66646b5dcc Mon Sep 17 00:00:00 2001 
From: makefu Date: Wed, 20 Jul 2016 17:18:57 +0200 Subject: makefu: s/krebs\.retiolum/krebs.tinc.retiolum/g --- makefu/1systems/darth.nix | 2 +- makefu/1systems/filepimp.nix | 2 +- makefu/1systems/gum.nix | 4 ++-- makefu/1systems/omo.nix | 2 +- makefu/1systems/pnp.nix | 5 +++-- makefu/1systems/pornocauster.nix | 10 +++++----- makefu/1systems/repunit.nix | 9 +-------- makefu/1systems/shoney.nix | 2 +- makefu/1systems/tsp.nix | 2 +- makefu/1systems/vbob.nix | 8 +------- makefu/1systems/wry.nix | 3 ++- 11 files changed, 19 insertions(+), 30 deletions(-) diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix index 87029a69..c63dcb49 100644 --- a/makefu/1systems/darth.nix +++ b/makefu/1systems/darth.nix @@ -17,6 +17,7 @@ in { ../2configs/exim-retiolum.nix ../2configs/virtualization.nix + ../2configs/tinc/retiolum.nix ../2configs/temp-share-samba.nix ]; services.samba.shares = { @@ -39,7 +40,6 @@ in { }; #networking.firewall.enable = false; - krebs.retiolum.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; hardware.enableAllFirmware = true; diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index 593f7737..c6966c99 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -22,8 +22,8 @@ in { ../. ../2configs/fs/single-partition-ext4.nix ../2configs/smart-monitor.nix + ../2configs/tinc/retiolum.nix ]; - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.filepimp; # AMD N54L boot = { diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 17b2b509..a4e2d176 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -19,6 +19,7 @@ in { ../2configs/deployment/mycube.connector.one.nix ../2configs/exim-retiolum.nix + ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ]; 
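Review bot: `../2configs/tinc/retiolum.nix`, added to darth's imports here and in the filepimp, gum, omo, pnp, pornocauster, repunit, shoney, tsp, vbob and wry hunks of this commit, does not exist in the tree until the later commit df7416d ("m 2 tinc: add missing retiolum config"), so every one of these systems fails to evaluate at this revision. Either fold that file creation into this commit or keep `krebs.tinc.retiolum.enable = true;` inline in each system until the shared module lands.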
@@ -27,8 +28,7 @@ in { ###### stable krebs.build.host = config.krebs.hosts.gum; - krebs.retiolum = { - enable = true; + krebs.tinc.retiolum = { extraConfig = '' ListenAddress = ${external-ip} 53 ListenAddress = ${external-ip} 655 diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 8c24e0ff..e11abd40 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -47,12 +47,12 @@ in { #../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix ../2configs/omo-share.nix + ../2configs/tinc/retiolum.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; - krebs.retiolum.enable = true; networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index 4b8d39c8..a460a87e 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -15,11 +15,12 @@ ../2configs/fs/vm-single-partition.nix + ../2configs/tinc/retiolum.nix + # config.system.build.vm - + (toString ) ]; - krebs.retiolum.enable = true; virtualisation.graphics = false; # also export secrets, see Usage above fileSystems = pkgs.lib.mkVMOverride { diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 2ab03091..b683e563 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -38,8 +38,9 @@ #../2configs/wordpress.nix ../2configs/nginx/public_html.nix + ../2configs/tinc/retiolum.nix # temporary modules - # ../2configs/temp/share-samba.nix + ../2configs/temp/share-samba.nix # ../2configs/temp/elkstack.nix # ../2configs/temp/sabnzbd.nix ]; 
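Review bot: The pornocauster hunk uncomments `../2configs/temp/share-samba.nix`, which is unrelated to the `krebs.retiolum` rename in the commit subject, and that file is only created in the later commit e03ae6d, so this import also breaks evaluation until then. Enabling a guest-accessible file share on a host is worth its own commit with a message that says so; here it is easy to miss inside a mechanical search-and-replace.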
@@ -69,10 +70,9 @@ krebs.build.host = config.krebs.hosts.pornocauster; krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; - krebs.retiolum = { - enable = true; - connectTo = [ "omo" "gum" "prism" ]; - }; + + krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; + networking.extraHosts = '' 192.168.1.11 omo.local ''; diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix index bf6ff9fb..7102b8f8 100644 --- a/makefu/1systems/repunit.nix +++ b/makefu/1systems/repunit.nix @@ -10,6 +10,7 @@ ../. ../2configs/git/cgit-retiolum.nix + ../2configs/tinc/retiolum.nix ]; krebs.build.host = config.krebs.hosts.repunit; @@ -31,14 +32,6 @@ { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - "fastpoke" - ]; - }; # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 3a3ac9c7..0e6ae6e1 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -13,6 +13,7 @@ in { ../2configs/save-diskspace.nix ../2configs/hw/CAC.nix ../2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/tinc/retiolum.nix ]; @@ -21,7 +22,6 @@ in { krebs = { enable = true; - retiolum.enable = true; build.host = config.krebs.hosts.shoney; nginx.enable = true; tinc_graphs = { diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 302ba6f9..9809abf4 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix @@ -17,9 +17,9 @@ ../2configs/zsh-user.nix ../2configs/exim-retiolum.nix + ../2configs/tinc/retiolum.nix ]; # not working in vm - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.tsp; networking.firewall.allowedTCPPorts = [ diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 4818cea2..129a0602 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix 
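Review bot: The repunit hunk drops the whole `krebs.retiolum` block including `connectTo = [ "gum" "pigstarter" "fastpoke" ];` without carrying the list over, and the vbob hunk does the same for `connectTo = [ "omo" "gum" ];`, whereas pornocauster keeps its list as `krebs.tinc.retiolum.connectTo`. Unless the new shared module sets ConnectTo peers (the version added later in this series only sets `enable`), these two hosts will no longer initiate any tinc connections. If that is intended, a one-line comment saying so would help; otherwise add `krebs.tinc.retiolum.connectTo = [ "gum" "pigstarter" "fastpoke" ];` here and the vbob equivalent.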
@@ -11,6 +11,7 @@ # environment + ../2configs/tinc/retiolum.nix ]; # workaround for https://github.com/NixOS/nixpkgs/issues/16641 @@ -52,13 +53,6 @@ 8010 ]; - krebs.retiolum = { - enable = true; - connectTo = [ - "omo" - "gum" - ]; - }; virtualisation.docker.enable = false; fileSystems."/media/share" = { diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 5788cb65..3764ab4b 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -25,8 +25,9 @@ in { # collectd ../2configs/collectd/collectd-base.nix + + ../2configs/tinc/retiolum.nix ]; - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.wry; -- cgit v1.2.3 From 0c40af375f26788bd098b7594ae5425fedd68fb4 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 17:20:47 +0200 Subject: / : s/krebs\.retiolum/krebs.tinc.retiolum/g --- krebs/3modules/retiolum.nix | 4 ++-- krebs/3modules/tinc_graphs.nix | 2 +- lass/2configs/retiolum.nix | 2 +- shared/1systems/wolf.nix | 4 ++-- shared/2configs/base.nix | 2 +- tv/2configs/retiolum.nix | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index a80c510a..0bd81521 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -50,9 +50,9 @@ let default = filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts; description = '' - Hosts to generate config.krebs.retiolum.hostsPackage. + Hosts to generate config.krebs.tinc.retiolum.hostsPackage. Note that these hosts must have a network named - config.krebs.retiolum.netname. + config.krebs.tinc.retiolum.netname. ''; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 0f1bae09..d783ba03 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix 
@@ -23,7 +23,7 @@ let hostsPath = mkOption { type = types.str; description = "Path to Hosts directory"; - default = "${config.krebs.retiolum.hostsPackage}"; + default = "${config.krebs.tinc.retiolum.hostsPackage}"; }; network = mkOption { diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index 89e0f217..eba40532 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -12,7 +12,7 @@ }; }; - krebs.retiolum = { + krebs.tinc.retiolum = { enable = true; connectTo = [ "prism" diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 18051006..3818cf2c 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -15,14 +15,14 @@ in ../2configs/shared-buildbot.nix ../2configs/cgit-mirror.nix ../2configs/repo-sync.nix - # ../2configs/graphite.nix + ../2configs/graphite.nix ]; # use your own binary cache, fallback use cache.nixos.org (which is used by # apt-cacher-ng in first place) # local discovery in shackspace nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; - krebs.retiolum.extraConfig = "TCPOnly = yes"; + krebs.tinc.retiolum.extraConfig = "TCPOnly = yes"; services.grafana = { enable = true; addr = "0.0.0.0"; diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix index a92a0df3..5aa5897d 100644 --- a/shared/2configs/base.nix +++ b/shared/2configs/base.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { krebs.enable = true; - krebs.retiolum.enable = true; + krebs.tinc.retiolum.enable = true; # TODO rename shared user to "krebs" krebs.build.user = mkDefault config.krebs.users.shared; diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index f7945415..7179be57 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - krebs.retiolum = { + krebs.tinc.retiolum = { enable = true; connectTo = filter (ne config.krebs.build.host.name) [ "gum" -- cgit v1.2.3 From 18f0221313c75d129fc49ffd402e10102659abd7 Mon Sep 17 00:00:00 2001 
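Review bot: The wolf.nix hunk turns `# ../2configs/graphite.nix` into an active import, which has nothing to do with the `krebs.retiolum` to `krebs.tinc.retiolum` rename this commit is about. Enabling a service module on a host is a behavioural change that deserves its own commit and message rather than riding along in a search-and-replace.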
From: makefu Date: Wed, 20 Jul 2016 18:52:40 +0200 Subject: s 1 test-all-krebs-modules: fix retiolum --- shared/1systems/test-all-krebs-modules.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix index 2034071f..60d5f325 100644 --- a/shared/1systems/test-all-krebs-modules.nix +++ b/shared/1systems/test-all-krebs-modules.nix @@ -38,7 +38,7 @@ in { }; nginx.enable = true; realwallpaper.enable = true; - retiolum.enable = true; + tinc.retiolum.enable = true; retiolum-bootstrap.enable = true; tinc_graphs.enable = true; urlwatch.enable = true; -- cgit v1.2.3 From df7416dc319e6815e32fa5fb32ba00d41481d368 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 20:09:47 +0200 Subject: m 2 tinc: add missing retiolum config --- makefu/2configs/tinc/retiolum.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 makefu/2configs/tinc/retiolum.nix diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix new file mode 100644 index 00000000..dcb07246 --- /dev/null +++ b/makefu/2configs/tinc/retiolum.nix @@ -0,0 +1,4 @@ +_: +{ + krebs.tinc.retiolum.enable = true; +} -- cgit v1.2.3 From e03ae6d79d77e654bb586475b52c7e6aa24ac06f Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 20:35:30 +0200 Subject: m 1 wbob: add missing --- makefu/1systems/wbob.nix | 14 ++++++++------ makefu/2configs/temp/share-samba.nix | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 6 deletions(-) create mode 100644 makefu/2configs/temp/share-samba.nix diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index 45b935af..e8e0b091 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -1,5 +1,7 @@ { config, pkgs, ... }: -{ +let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; +in { + makefu.awesome = { modkey = "Mod1"; #TODO: integrate kiosk config into full config by templating the autostart 
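Review bot: The new makefu/2configs/tinc/retiolum.nix sets `krebs.tinc.retiolum.enable = true;`, but the `enable` option already defaults to true in the retiolum module (`mkEnableOption … // { default = true; }`), so the line's real effect is to define the `retiolum` attribute inside the `attrsOf` so that the network exists at all. A comment in the file such as `# defining the attribute is what creates the network; enable already defaults to true` would stop a reader from "simplifying" it away. This file is also what the imports added in 46232b3 depend on, so it belongs before that commit in the series.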
@@ -9,19 +11,19 @@ [ # Include the results of the hardware scan. ../. ../2configs/main-laptop.nix + ../2configs/virtualization.nix + ../2configs/tinc/retiolum.nix ]; krebs = { enable = true; - retiolum.enable = true; build.host = config.krebs.hosts.wbob; }; networking.firewall.allowedUDPPorts = [ 1655 ]; - networking.firewall.allowedTCPPorts = [ 1655 ]; + networking.firewall.allowedTCPPorts = [ 1655 49152 ]; services.tinc.networks.siem = { name = "display"; extraConfig = '' ConnectTo = sjump - Port = 1655 ''; }; @@ -35,12 +37,12 @@ # nuc hardware - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.device = rootdisk; hardware.cpu.intel.updateMicrocode = true; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; fileSystems."/" = { - device = "/dev/sda1"; + device = rootdisk + "-part1"; fsType = "ext4"; }; diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix new file mode 100644 index 00000000..c021e66c --- /dev/null +++ b/makefu/2configs/temp/share-samba.nix @@ -0,0 +1,36 @@ +{config, ... }:{ + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + + networking.firewall.allowedTCPPorts = [ + 139 445 # samba + ]; + + networking.firewall.allowedUDPPorts = [ + 137 138 + ]; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} -- cgit v1.2.3 From 2b862262f2878c9f4ef35894a8343d94f6d636be Mon Sep 17 00:00:00 2001 
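Review bot: The wbob hunk changes to `networking.firewall.allowedTCPPorts = [ 1655 49152 ];` without saying what listens on 49152, and at the same time removes `Port = 1655` from the siem tinc network while keeping 1655 open on TCP and UDP. If tinc now falls back to its default port, the 1655 rules are stale holes; if 49152 belongs to a specific service, name it, e.g. `networking.firewall.allowedTCPPorts = [ 1655 49152 ]; # 1655 siem tinc, 49152 <service-name-placeholder>`.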
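Review bot: The new share-samba.nix exports `/home/share/` with `"read only" = "no"`, `"guest ok" = "yes"` and `map to guest = bad user`, and opens 139/445 and 137/138 via `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` with no interface restriction, so every network the host is attached to gets an unauthenticated writable SMB share. Even for a "temp" module, bind samba to the intended interface and restrict peers in `extraConfig`, e.g. `interfaces = <lan-iface-placeholder>`, `bind interfaces only = yes` and `hosts allow = <lan-cidr-placeholder>`, and note in the file which network the share is meant for. The dedicated `smbguest` user with `/var/empty` as home is the right shape for the guest account.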
From: makefu Date: Wed, 20 Jul 2016 20:36:16 +0200 Subject: m 1 vbob: comment out extra-hosts --- makefu/1systems/vbob.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 129a0602..27a21631 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,7 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui - + # # environment ../2configs/tinc/retiolum.nix -- cgit v1.2.3 From 3c628cd4a29938ecf14e0e891f621a742987ddab Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 22:55:19 +0200 Subject: m 2 default: bump ref to 125ffff --- makefu/2configs/default.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 4562a123..cba7462f 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -17,7 +17,6 @@ with config.krebs.lib; krebs = { enable = true; - dns.providers.siem = "hosts"; dns.providers.lan = "hosts"; search-domain = "retiolum"; build = { @@ -25,7 +24,7 @@ with config.krebs.lib; source = let inherit (config.krebs.build) host user; in { nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "0546a4a"; # stable @ 2016-06-11 + ref = "125ffff"; # stable @ 2016-07-20 }; secrets.file = if getEnv "dummy_secrets" == "true" @@ -171,4 +170,10 @@ with config.krebs.lib; consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; }; + # suppress chrome autit event messages + security.audit = { + rules = [ + "-a task,never" + ]; + }; } -- cgit v1.2.3 From db4d4b8890b87064bf721c312f9e2229f489c2c2 Mon Sep 17 00:00:00 2001 
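Review bot: `security.audit.rules = [ "-a task,never" ];` in the default.nix hunk is not Chrome-specific: as far as I know the `task` list is consulted at fork/clone time, so `never` stops audit contexts being created for every process started afterwards, which silences syscall auditing host-wide rather than just the Chrome sandbox messages the comment mentions. If that trade-off is intended, say so and fix the typo: `# suppress chrome audit event messages (note: -a task,never disables syscall auditing for all new tasks)`. The removal of `dns.providers.siem = "hosts";` and this audit rule are also unrelated to the "bump ref" subject and would be clearer as separate commits.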
From: makefu Date: Thu, 21 Jul 2016 00:11:24 +0200 Subject: m 5 honeyd: remove --- makefu/5pkgs/default.nix | 1 - makefu/5pkgs/honeyd/default.nix | 62 ----------------------------------- makefu/5pkgs/honeyd/fix-autogen.patch | 42 ------------------------ 3 files changed, 105 deletions(-) delete mode 100644 makefu/5pkgs/honeyd/default.nix delete mode 100644 makefu/5pkgs/honeyd/fix-autogen.patch diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index f94136c0..718b23c9 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -19,7 +19,6 @@ in skytraq-logger = callPackage ./skytraq-logger {}; taskserver = callPackage ./taskserver {}; ps3netsrv = callPackage ./ps3netsrv {}; - honeyd = callPackage ./honeyd {}; farpd = callPackage ./farpd {}; }; } diff --git a/makefu/5pkgs/honeyd/default.nix b/makefu/5pkgs/honeyd/default.nix deleted file mode 100644 index 5dca35f3..00000000 --- a/makefu/5pkgs/honeyd/default.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, - libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre, - ... }: -stdenv.mkDerivation rec { - name = "honeyd-${version}"; - - #version = "1.5c"; #original, does not compile due to libc errors - #src = fetchurl { - # url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz"; - # sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii"; - #}; - - #version = "64d087c"; # honeyd-1.6.7 - # sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31"; - - version = "c135fea08"; #nova-13.09 - src = fetchFromGitHub { - owner = "DataSoft"; - repo = "honeyd"; - rev = version; - sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44"; - }; - - buildInputs = with pkgs;[ - automake - gnugrep - libpcap - libdnet - pcre - libevent - readline - autoconf - libtool - zlib - coreutils - python - pythonPackages.sqlite3 - ]; - patches = [ ./fix-autogen.patch ]; - - # removes user install script from Makefile before automake - preConfigure = '' - sed -i '/init.py$/d' Makefile.am - sh ./autogen.sh - ''; - - makeFlags = [ "LIBS=-lz" ]; - configureFlags = [ - "--with-libpcap=${libpcap}" - "--with-libevent=${libevent}" - "--with-zlib=${zlib}" - "--with-python" - "--with-libpcre=${pcre}" - "--with-libreadline=${readline}" - ]; - - meta = { - homepage = http://www.honeyd.org/; - description = "virtual Honeypots"; - license = lib.licenses.gpl2; - }; -} diff --git a/makefu/5pkgs/honeyd/fix-autogen.patch b/makefu/5pkgs/honeyd/fix-autogen.patch deleted file mode 100644 index 9fccafa8..00000000 --- a/makefu/5pkgs/honeyd/fix-autogen.patch +++ /dev/null 
@@ -1,42 +0,0 @@ ---- ./configure.in 2016-06-27 18:36:06.640779048 +0200 -+++ ./configure.in 2016-06-27 18:34:53.968803854 +0200 -@@ -119,11 +119,11 @@ - ;; - *) - AC_MSG_RESULT($withval) -- if test -f $withval/pcap.h -a -f $withval/libpcap.a; then -+ if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi -- PCAPINC="-I$withval -I$withval/bpf" -- PCAPLIB="-L$withval -lpcap" -+ PCAPINC="-I$withval/include -I$withval/include/bpf" -+ PCAPLIB="-L$withval/lib -lpcap" - else - AC_ERROR(pcap.h or libpcap.a not found in $withval) - fi -@@ -230,7 +230,7 @@ - if cd $withval; then withval=`pwd`; cd $owd; fi - EVENTINC="-I$withval" - EVENTLIB="-L$withval -levent" -- elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then -+ elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi - EVENTINC="-I$withval/include" -@@ -354,12 +354,12 @@ - ;; - *) - AC_MSG_RESULT($withval) -- if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then -+ if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi - AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline]) -- EDITINC="-I$withval" -- EDITLIB="-L$withval -lreadline" -+ EDITINC="-I$withval/include" -+ EDITLIB="-L$withval/lib -lreadline" - else - AC_ERROR(readline/readline.h or libreadline.a not found in $withval) - fi -- cgit v1.2.3 From fbe1fcdd8e145493602da65f0a22b1907c2b3a95 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 21 Jul 2016 00:13:01 +0200 Subject: m : update legacy options ,remove honeyd usage in shoney --- makefu/1systems/shoney.nix | 3 --- makefu/2configs/default.nix | 2 +- makefu/2configs/hw/tp-x220.nix | 3 +-- makefu/2configs/virtualization-virtualbox.nix | 12 +++++++----- 4 files changed, 9 insertions(+), 11 deletions(-) 
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 0e6ae6e1..7081f6a9 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -17,9 +17,6 @@ in { ]; - environment.systemPackages = [ pkgs.honeyd ]; - services.tinc.networks.siem.name = "sjump"; - krebs = {