From e15b9e5a44b69c7b2c81ab6d3d6c91edc6d69712 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 26 Oct 2016 15:12:52 +0200 Subject: Revert "l 2 websites domsen: remove obsolete code" This reverts commit 0398342657a9548b9ada4524335b3ca864fd9c2e. --- lass/2configs/websites/domsen.nix | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 18c771fa..0a53bc93 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -22,6 +22,25 @@ let exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" ''; + check-password = pkgs.writeDash "check-password" '' + read pw + + file="/home/$PAM_USER/.shadow" + + #check if shadow file exists + test -e "$file" || exit 123 + + hash="$(${pkgs.coreutils}/bin/head -1 $file)" + salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')" + + calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)" + if [ "$calc_hash" == $hash ]; then + exit 0 + else + exit 1 + fi + ''; + in { imports = [ ./sqlBackup.nix @@ -145,6 +164,19 @@ in { { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } ]; + security.pam.services.exim.text = '' + auth required pam_env.so + auth sufficient pam_exec.so debug expose_authtok ${check-password} + auth sufficient pam_unix.so likeauth nullok + auth required pam_deny.so + account required pam_unix.so + password required pam_cracklib.so retry=3 type= + password sufficient pam_unix.so nullok use_authtok md5shadow + password required pam_deny.so + session required pam_limits.so + session required pam_unix.so + ''; + krebs.exim-smarthost = { authenticators.PLAIN = '' driver = plaintext -- cgit v1.2.3 From 7e809cfc8b6112068b872b85c400794b5b102cc5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 12:50:03 +0200 Subject: l 2: globally set CA/SSL stuff --- lass/2configs/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 43c4d5b0..a7d2a6ce 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -46,6 +46,13 @@ with import ; NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; }; } + (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { + environment.variables = { + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; + }; + }) ]; networking.hostName = config.krebs.build.host.name; -- cgit v1.2.3 From d06da3496447d369bef0c9f52d3eb0ebdef8a801 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 12:50:28 +0200 Subject: l 2 nixpkgs: 686bc9c -> 0195ab8 --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 4ef4c6ce..e665b6c6 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d"; + ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731"; }; } -- cgit v1.2.3 From 809a42339d2fa3e52d69a5d6966e60ae45968be5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 13:16:51 +0200 Subject: l 2 repo-sync: sync painload --- lass/2configs/repo-sync.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index f8814973..f2e4de6a 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -93,6 +93,7 @@ in { (sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") + (sync-remote "painload" "https://github.com/krebscode/painload") (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-retiolum "go") (sync-retiolum "much") -- cgit v1.2.3 From b97145eedd566925d6c94fb2039f6de86cfec9c8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 13:30:16 +0200 Subject: l 2 websites fritz: update phpConfig --- lass/2configs/websites/fritz.nix | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index d93d310d..52914f44 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -88,13 +88,7 @@ in { ]; }; - services.phpfpm.phpIni = pkgs.runCommand "php.ini" { - options = '' - extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - sendmail_path = "${sendmail} -t -i" - ''; - } '' - cat ${pkgs.php}/etc/php-recommended.ini > $out - echo "$options" >> $out + services.phpfpm.phpOptions = '' + sendmail_path = ${sendmail} -t ''; } -- cgit v1.2.3 From c091949a151e0a613ad31fd390b1c19bfddfde3a Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 14:19:26 +0200 Subject: l 2 websites domsen: make smtp/imap finally work --- lass/2configs/websites/domsen.nix | 46 +++++---------------------------------- 1 file changed, 6 insertions(+), 40 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 0a53bc93..fa56d0e1 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -22,25 +22,6 @@ let exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" ''; - check-password = pkgs.writeDash "check-password" '' - read pw - - file="/home/$PAM_USER/.shadow" - - #check if shadow file exists - test -e "$file" || exit 123 - - hash="$(${pkgs.coreutils}/bin/head -1 $file)" - salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')" - - calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)" - if [ "$calc_hash" == $hash ]; then - exit 0 - else - exit 1 - fi - ''; - in { imports = [ ./sqlBackup.nix @@ -161,41 +142,26 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } ]; - security.pam.services.exim.text = '' - auth required pam_env.so - auth sufficient pam_exec.so debug expose_authtok ${check-password} - auth sufficient pam_unix.so likeauth nullok - auth required pam_deny.so - account required pam_unix.so - password required pam_cracklib.so retry=3 type= - password sufficient pam_unix.so nullok use_authtok md5shadow - password required pam_deny.so - session required pam_limits.so - session required pam_unix.so - ''; - krebs.exim-smarthost = { authenticators.PLAIN = '' driver = plaintext - server_prompts = : - server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" - server_set_id = $auth2 + public_name = PLAIN + server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} ''; authenticators.LOGIN = '' driver = plaintext + public_name = LOGIN server_prompts = "Username:: : Password::" - server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" - server_set_id = $auth1 + server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } - { from = "testuser@lassul.us"; to = "testuser"; } ]; - system-aliases = [ + sender_domains = [ + "jla-trading.com" ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; -- cgit v1.2.3 From 38a6281fbd8d34c0404c8f2bfffe55be431ba73d Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 27 Oct 2016 14:47:21 +0200 Subject: pkgs.go -> pkgs.go-shortener --- lass/2configs/go.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix index 7d694c17..f6ddbe96 100644 --- a/lass/2configs/go.nix +++ b/lass/2configs/go.nix @@ -3,7 +3,7 @@ with import ; { environment.systemPackages = [ - pkgs.go + pkgs.go-shortener ]; krebs.go = { enable = true; -- cgit v1.2.3 From 2ebd0a1fdd2c8e82f3a960ba7fb09bb66ace89ca Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 28 Oct 2016 15:02:46 +0200 Subject: l 2 websites domsen: disable backups until fixed --- lass/2configs/websites/domsen.nix | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index fa56d0e1..2a6df06f 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -103,27 +103,6 @@ in { "o_ubikmedia_de" ]; - krebs.backup.plans = { - prism-sql-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; }; - startAt = "00:01"; - }; - prism-http-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; }; - startAt = "00:10"; - }; - prism-o-ubikmedia-domsen = { - method = "push"; - src = { host = config.krebs.hosts.prism; path = "/srv/o.ubikmedia.de-data"; }; - dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; }; - startAt = "00:30"; - }; - }; - services.phpfpm.phpOptions = '' sendmail_path = ${sendmail} -t upload_max_filesize = 100M -- cgit v1.2.3 From d02cebe5cef7ac6c12d8971f2a49a43a9a51e6bb Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 10 Nov 2016 22:34:15 +0100 Subject: l 2 websites lass: add some experimental stuff --- lass/2configs/websites/lassulus.nix | 47 +++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index b8342e14..29374e97 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -37,6 +37,31 @@ in { }; }; + krebs.tinc_graphs.enable = true; + + users.users.lass-stuff = { + uid = genid "lass-stuff"; + description = "lassul.us blog cgi stuff"; + home = "/var/empty"; + }; + + services.phpfpm.poolConfigs."lass-stuff" = '' + listen = /var/run/lass-stuff.socket + user = lass-stuff + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 1 + pm.min_spare_servers = 1 + pm.max_spare_servers = 1 + listen.owner = lass-stuff + listen.group = nginx + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + security.limit_extensions = + ''; + users.groups.lasscert.members = [ "dovecot2" "ejabberd" @@ -53,6 +78,28 @@ in { (nameValuePair "/.well-known/acme-challenge" '' root /var/lib/acme/challenges/lassul.us/; '') + (nameValuePair "= /retiolum-hosts.tar.bz2" '' + alias ${config.krebs.tinc.retiolum.hostsArchive}; + '') + (nameValuePair "/tinc" '' + alias ${config.krebs.tinc_graphs.workingDir}/external; + '') + (let + script = pkgs.writeBash "test" '' + echo "hello world" + ''; + #script = pkgs.execve "ddate-wrapper" { + # filename = "${pkgs.ddate}/bin/ddate"; + # argv = []; + #}; + in nameValuePair "= /ddate" '' + gzip off; + fastcgi_pass unix:/var/run/lass-stuff.socket; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param DOCUMENT_ROOT /var/empty; + fastcgi_param SCRIPT_FILENAME ${script}; + fastcgi_param SCRIPT_NAME ${script}; + '') ]; ssl = { enable = true; -- cgit v1.2.3 From dd67d49ea87d4248e7ad12844564302025d603c4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 10 Nov 2016 22:34:34 +0100 Subject: l 2 websites util: add ownloud headers --- lass/2configs/websites/util.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 23f41719..55be8a8d 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -79,6 +79,8 @@ rec { add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; # Path to the root of your installation root /srv/http/${domain}/; -- cgit v1.2.3 From 46a27e5aa0b6c23f3be70484db0a390a2a0dbe10 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 10 Nov 2016 22:40:39 +0100 Subject: l 2 buildbot: disable fast-tests (broken anyway)t --- lass/2configs/buildbot-standalone.nix | 51 ----------------------------------- 1 file changed, 51 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index df01a84c..d453479d 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -25,20 +25,6 @@ in { pollinterval=120)) ''; scheduler = { - force-scheduler = '' - sched.append(schedulers.ForceScheduler( - name="force", - builderNames=["fast-tests"])) - ''; - fast-tests-scheduler = '' - # test everything real quick - sched.append(schedulers.SingleBranchScheduler( - ## all branches - change_filter=util.ChangeFilter(branch_re=".*"), - treeStableTimer=10, - name="fast-all-branches", - builderNames=["fast-tests"])) - ''; build-scheduler = '' # build all hosts sched.append(schedulers.SingleBranchScheduler( @@ -113,43 +99,6 @@ in { ''; - fast-tests = '' - f = util.BuildFactory() - f.addStep(grab_repo) - for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]: - addShell(f,name="build-{}".format(i),env=env_lass, - command=nixshell + \ - ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ - make \ - test \ - target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ - method=eval \ - system={}".format(i)]) - - for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: - addShell(f,name="build-{}".format(i),env=env_makefu, - command=nixshell + \ - ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ - make \ - test \ - target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ - method=eval \ - system={}".format(i)]) - - for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf" ]: - addShell(f,name="build-{}".format(i),env=env_shared, - command=nixshell + \ - ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ - make \ - test \ - target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ - method=eval \ - system={}".format(i)]) - - bu.append(util.BuilderConfig(name="fast-tests", - slavenames=slavenames, - factory=f)) - ''; build-pkgs = '' f = util.BuildFactory() f.addStep(grab_repo) -- cgit v1.2.3 From e6c7b13f5990d96e269ee12b9bf6b15bfa7d5b82 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 10 Nov 2016 23:20:05 +0100 Subject: l 2 repo-sync: fetch from ni (was cd) --- lass/2configs/repo-sync.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index f2e4de6a..f5879a82 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -41,7 +41,7 @@ let mirror.url = "${mirror}${name}"; }; tv = { - origin.url = "http://cgit.cd/${name}"; + origin.url = "http://cgit.ni.i/${name}"; mirror.url = "${mirror}${name}"; }; lassulus = { -- cgit v1.2.3