From db2158f35ede127bedbe465887b15f4d55ffacd4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 12 Jan 2022 19:53:05 +0100 Subject: l prism.r: add ipv6 --- lass/1systems/prism/physical.nix | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lass') diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 26ecd1cda..151cfbf41 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -79,9 +79,11 @@ boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; boot.kernelParams = [ "net.ifnames=0" ]; + networking.dhcpcd.enable = false; networking = { hostId = "2283aaae"; defaultGateway = "95.216.1.129"; + defaultGateway6 = { address = "fe80::1"; interface = "eth0"; }; # Use google's public DNS server nameservers = [ "8.8.8.8" ]; interfaces.eth0.ipv4.addresses = [ @@ -94,5 +96,11 @@ prefixLength = 26; } ]; + interfaces.eth0.ipv6.addresses = [ + { + address = "2a01:4f9:2a:1e9::1"; + prefixLength = 64; + } + ]; }; } -- cgit v1.2.3 From 712ee76c04de0f4c2f04da5a17d9330fb1952324 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Jan 2022 12:22:15 +0100 Subject: l yubikey: use scdaemon via pcscd --- lass/2configs/yubikey.nix | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) (limited to 'lass') diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index 9ab6b6ccb..a53f55016 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix 
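Review bot: The new global IPv6 address `2a01:4f9:2a:1e9::1/64` exposes every listening service on a second address family, but nothing in the hunk (or the `defaultGateway6` line) shows the host firewall being extended to IPv6; the `krebs.iptables` rules used elsewhere in this tree look family-agnostic in syntax, so I cannot tell from here whether they are rendered for ip6tables as well — please confirm before this lands, since an IPv4-only filter is the classic way IPv6 enablement silently opens ports. Also `nameservers = [ "8.8.8.8" ]` stays IPv4-only, which is fine but worth a note, e.g. `# v6 gateway is Hetzner's link-local fe80::1; DNS intentionally stays v4` next to `defaultGateway6`. The `networking.dhcpcd.enable = false;` line sits outside the `networking = { … }` set; it merges correctly in Nix but would read more clearly inside it.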
@@ -9,12 +9,39 @@ services.pcscd.enable = true; systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ]; - ##restart pcscd if yubikey is plugged in - #services.udev.extraRules = '' - # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" '' - # ${pkgs.systemd}/bin/systemctl restart pcscd.service - # ''}" - #''; + services.pcscd.enable = true; + systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" '' + set -x + ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" '' + disable-ccid + pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1 + card-timeout 1 + + # Always try to use yubikey as the first reader + # even when other smart card readers are connected + # Name of the reader can be found using the pcsc_scan command + # If you have problems with gpg not recognizing the Yubikey + # then make sure that the string here matches exacly pcsc_scan + # command output. Also check journalctl -f for errors. + reader-port Yubico YubiKey + ''} $HOME/.gnupg/scdaemon.conf + ''; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if ( + ( + action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.debian.pcsc-lite.access_card" + ) && subject.user == "lass" + ) { + return polkit.Result.YES; + } + }); + polkit.addRule(function(action, subject) { + polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); + }); + ''; environment.shellInit = '' if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then -- cgit v1.2.3 From 346164ba1d8fcec0ee986bed91ee9b6b473292cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Jan 2022 12:22:35 +0100 Subject: l yubikey: access remote builders via yubikey --- lass/2configs/yubikey.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass') diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index a53f55016..4ac21caac 100644 
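Review bot: The `ExecStartPre` script symlinks into `$HOME/.gnupg/` without creating the directory, so on a fresh account `ln -sf` fails and, because ExecStartPre failure aborts the unit, `gpg-agent` never starts; add `${pkgs.coreutils}/bin/mkdir -p -m 700 "$HOME/.gnupg"` before the `ln`. The `-f` also silently overwrites a hand-edited `scdaemon.conf`, which deserves a comment such as `# scdaemon.conf is managed here; local edits are clobbered on agent start`. `set -x` and the second `polkit.addRule` that logs every polkit action on the system for every user look like debugging leftovers and will be noisy in the journal. Note this hunk also re-adds `services.pcscd.enable = true;` although the same line is already present in the context a few lines above.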
--- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -55,6 +55,9 @@ fi ''; + # allow nix to acces remote builders via yubikey + systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh"; + programs = { ssh.startAgent = false; gnupg.agent = { -- cgit v1.2.3 From 8d67a33709db13fade3460cc01f385f5bcffd794 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Jan 2022 20:14:50 +0100 Subject: l yubikey: remove duplicate definition --- lass/2configs/yubikey.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index 4ac21caac..d92b18f81 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -6,7 +6,6 @@ ]; services.udev.packages = with pkgs; [ yubikey-personalization ]; - services.pcscd.enable = true; systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ]; services.pcscd.enable = true; -- cgit v1.2.3 From 39d808829c185db7f3393a86b12cb04a8ba24050 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 24 Jan 2022 14:34:18 +0100 Subject: l xjails: switch from sudo to machinectl --- lass/3modules/xjail.nix | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) (limited to 'lass') diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix index f94e7ebbf..08a28b8e3 100644 --- a/lass/3modules/xjail.nix +++ b/lass/3modules/xjail.nix @@ -41,10 +41,6 @@ with import ; type = types.path; default = pkgs.writeScript "echo_lol" "echo lol"; }; - vglrun = mkOption { - type = types.bool; - default = false; - }; wm = mkOption { #TODO find type type = types.str; 
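Review bot: Pointing the root-owned `nix-daemon` at `/run/user/1337/gnupg/S.gpg-agent.ssh` means the daemon, which serves build requests from every local user, authenticates to the remote builders with the YubiKey identity; unless the key is configured to require touch, any daemon-initiated remote build is signed without the owner noticing. That is probably acceptable on a single-user laptop, but it should be stated, e.g. replace the comment with `# nix-daemon (root) uses the yubikey ssh identity of uid 1337 for remote builders; any local build request can trigger a signature`. The uid is hard-coded in the path here and in the `$UID -eq 1337` check visible in the context; the enclosing attribute set continues outside the hunk. Typo: `acces`.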
@@ -122,21 +118,14 @@ with import ; ${pkgs.coreutils}/bin/kill $XEPHYR_PID ''; # TODO fix xephyr which doesn't honor resizes anymore - sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then '' - /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@" - '' else '' + sudo_ = pkgs.writeDash "${cfg.name}-sudo" '' #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@" - /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@" - - ''); - vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" '' - DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@" + ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@" ''; in nameValuePair name { existing = newOrExisting; xephyr = xephyr_; sudo = sudo_; - vglrun = vglrun_; } ) config.lass.xjail; in { @@ -161,10 +150,19 @@ with import ; } ) config.lass.xjail; - security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: - # TODO allow just the right script with sudo - "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL" - ) config.lass.xjail)); + security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: '' + polkit.addRule(function(action, subject) { + if ( + subject.user == "${cfg.from}" && + action.id == "org.freedesktop.machine1.host-shell" && + action.lookup("user") == "${cfg.user}" && + action.lookup("program") == "${cfg.script}" && + true + ) { + return polkit.Result.YES; + } + }); + '') config.lass.xjail)); lass.xjail-bins = mapAttrs' (name: cfg: nameValuePair name (pkgs.writeScriptBin cfg.name '' -- cgit v1.2.3 From 77440ee9a7f040f735bce6e5c06ba15c62451742 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 24 Jan 2022 14:34:48 +0100 Subject: l pipewire: use systemWide mode --- lass/2configs/pipewire.nix | 51 +--------------------------------------------- 1 file changed, 1 insertion(+), 50 deletions(-) (limited to 'lass') 
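Review bot: The new `machinectl shell` line hard-codes `-E DISPLAY=:0`, whereas the replaced code (and the commented-out line kept just above it) pointed the jailed program at `:${cfg.display}`, which is presumably the Xephyr display this module creates; if so, the jail now runs its X client on the host display, where it can see and inject input for every other client, which undoes the isolation the Xephyr wrapper exists for. Suggested: `${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:${cfg.display} --uid=${cfg.name} .host ${cfg.script} "$@"`. The `let … in` that defines `sudo_` starts outside the hunk, so I cannot confirm from here how `cfg.display` is wired into the Xephyr launch.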
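Review bot: The polkit rule compares `action.lookup("user")` against `${cfg.user}`, but every other use in this module refers to the jail user as `cfg.name` (`--uid=${cfg.name}` in the machinectl line, `(${cfg.name})` in the removed sudoers entry, and the `name` option visible in the earlier hunk); I cannot see a `user` option declared, so this either fails at evaluation or never matches and every `machinectl shell` is denied. Suggested: `action.lookup("user") == "${cfg.name}" &&`. Otherwise this is a real tightening over `NOPASSWD: ALL`, since the `program` detail is now pinned to `cfg.script`; it would be worth a comment that `"$@"` arguments are still unconstrained, and the trailing `&& true` can go.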
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix index c21ab5d9c..24de0e9ed 100644 --- a/lass/2configs/pipewire.nix +++ b/lass/2configs/pipewire.nix @@ -8,67 +8,18 @@ powerOnBoot = true; }; - # autostart with login - systemd.user.services.pipewire-pulse = { - wantedBy = [ "graphical-session.target" ]; - }; - environment.systemPackages = with pkgs; [ alsaUtils pulseaudioLight ponymix ]; - environment.variables.PULSE_SERVER = "localhost:4713"; services.pipewire = { enable = true; - socketActivation = false; + systemWide = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; jack.enable = true; - - # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp - config.pipewire-pulse = { - "context.properties" = { - "log.level" = 2; - }; - "context.modules" = [ - { - name = "libpipewire-module-rtkit"; - # args = { - # "nice.level" = -15; - # "rt.prio" = 88; - # "rt.time.soft" = 200000; - # "rt.time.hard" = 200000; - # }; - flags = [ "ifexists" "nofail" ]; - } - { name = "libpipewire-module-protocol-native"; } - { name = "libpipewire-module-client-node"; } - { name = "libpipewire-module-adapter"; } - { name = "libpipewire-module-metadata"; } - { - name = "libpipewire-module-protocol-pulse"; - args = { - "vm.overrides" = { - # "pulse.min.req" = "32/48000"; - # "pulse.default.req" = "32/48000"; - # "pulse.max.req" = "32/48000"; - "pulse.min.quantum" = "1024/48000"; - # "pulse.max.quantum" = "32/48000"; - }; - "server.address" = [ - "unix:native" - "tcp:4713" - ]; - }; - } - ]; - "stream.properties" = { - # "node.latency" = "32/48000"; - # "resample.quality" = 1; - }; - }; }; } -- cgit v1.2.3 From 1c519aa143be66dc41575b1e646ccfa2eb8ef4ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 24 Jan 2022 15:13:59 +0100 Subject: l: fix gnome-keyring alias --- lass/2configs/network-manager.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') 
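Review bot: `systemWide = true` replaces the per-session PipeWire instance with one system service whose socket is shared by everyone in the `pipewire` group, so any account added to that group (presumably the xjail users, given the neighbouring commit) can capture from the microphone and other devices while another user is logged in; the session boundary that kept a jailed app from recording is gone. Please document that trade-off next to the option, e.g. `# system-wide: all members of the pipewire group share one daemon, including capture devices`, and note that no users are added to the group in this hunk, so clients will need `users.groups.pipewire.members` or `extraGroups` elsewhere. On the plus side, the removed `tcp:4713` listener and `PULSE_SERVER=localhost:4713` close the unauthenticated local TCP path.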
diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix index b41cc7ac8..3cdda198f 100644 --- a/lass/2configs/network-manager.nix +++ b/lass/2configs/network-manager.nix @@ -14,7 +14,7 @@ users.users.mainUser = { extraGroups = [ "networkmanager" ]; packages = with pkgs; [ - gnome3.gnome_keyring + gnome3.gnome-keyring gnome3.dconf ]; }; -- cgit v1.2.3 From 62431bd8b934a83e476ac0c364362cd755c8242e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 24 Jan 2022 15:23:51 +0100 Subject: l: use new dconf pkgname --- lass/2configs/baseX.nix | 2 +- lass/2configs/network-manager.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'lass') diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 124eef2cf..59d1e0182 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -65,7 +65,7 @@ in { gitAndTools.hub git-crypt git-preview - gnome3.dconf + dconf iodine libarchive lm_sensors diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix index 3cdda198f..0c59b9592 100644 --- a/lass/2configs/network-manager.nix +++ b/lass/2configs/network-manager.nix @@ -15,7 +15,7 @@ extraGroups = [ "networkmanager" ]; packages = with pkgs; [ gnome3.gnome-keyring - gnome3.dconf + dconf ]; }; environment.systemPackages = [ -- cgit v1.2.3 From 1d3c4e6355afaa4c8b2f694dbc44df5d8b80d25e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 24 Jan 2022 17:08:09 +0100 Subject: l retiolum: never connect via gum --- lass/2configs/retiolum.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lass') diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index f900bc28e..2ddfbcf8f 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix 
@@ -17,14 +17,17 @@ enable = true; connectTo = [ "prism" - "gum" "ni" + "eve" ]; extraConfig = '' - LocalDiscovery = yes + StrictSubnets = yes ''; }; + # never connect via gum (he eats our packets!) + krebs.hosts.gum.nets.retiolum.tinc.weight = 9000; + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; -- cgit v1.2.3 From b749315dc7db653d1f077e775eab28d206a029a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 26 Jan 2022 12:17:04 +0100 Subject: l: workaround for CVE-2021-4034 --- lass/2configs/security-workarounds.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix index 537c8a59b..4b0d48671 100644 --- a/lass/2configs/security-workarounds.nix +++ b/lass/2configs/security-workarounds.nix @@ -1,8 +1,10 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: with import ; { # http://seclists.org/oss-sec/2017/q1/471 boot.extraModprobeConfig = '' install dccp /run/current-system/sw/bin/false ''; + + security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" ""); } -- cgit v1.2.3 From 76668334958011b69747d5e09691cf21703938cc Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 26 Jan 2022 13:11:06 +0100 Subject: move security-workarounds to krebs and cleanup --- lass/2configs/default.nix | 2 +- lass/2configs/security-workarounds.nix | 10 ---------- 2 files changed, 1 insertion(+), 11 deletions(-) delete mode 100644 lass/2configs/security-workarounds.nix (limited to 'lass') diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index dc97719ad..e2163b688 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -8,7 +8,7 @@ with import ; ./vim.nix ./zsh.nix ./htop.nix - ./security-workarounds.nix + ./wiregrill.nix { users.extraUsers = diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix deleted file mode 100644 index 4b0d48671..000000000 
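Review bot: The comment `# never connect via gum (he eats our packets!)` overstates what `tinc.weight = 9000` does: tinc's `Weight` only raises the cost of that edge in path selection, so traffic still goes through gum if it is the only route, and the setting only affects this host's view of the graph. Suggest `# deprioritize gum in tinc's path selection (Weight is a cost, not a block; gum is still used if it is the only route)`. The switch from `LocalDiscovery = yes` to `StrictSubnets = yes` is a hardening change worth its own line, e.g. `# StrictSubnets: only accept subnets from the host files, not ones announced by peers at runtime`.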
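Review bot: The pkexec stub has no comment explaining what it is for or when to remove it, while the neighbouring `dccp` line cites its advisory; add `# CVE-2021-4034 (PwnKit): neuter the setuid pkexec wrapper until this nixpkgs ships a patched polkit` above it. `pkgs.writeText` yields a non-executable file, so the setuid wrapper stays installed but every legitimate pkexec caller now fails with an exec error; if the wrappers submodule on this nixpkgs exposes `setuid`, `security.wrappers.pkexec.setuid = lib.mkForce false;` would disable the privilege escalation without leaving a setuid binary that points at an empty file. Either way this is a temporary mitigation and should carry a removal condition.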
--- a/lass/2configs/security-workarounds.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -{ - # http://seclists.org/oss-sec/2017/q1/471 - boot.extraModprobeConfig = '' - install dccp /run/current-system/sw/bin/false - ''; - - security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" ""); -} -- cgit v1.2.3 From 31fc5a95c735ab3b9b832d407195e422c07cd4c0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 26 Jan 2022 16:41:59 +0100 Subject: l prism.r: add fysiirc github bridge --- lass/1systems/prism/config.nix | 1 + lass/2configs/fysiirc.nix | 51 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 lass/2configs/fysiirc.nix (limited to 'lass') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c92a239f9..a082ea623 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -123,6 +123,7 @@ with import ; + { services.tor = { enable = true; diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix new file mode 100644 index 000000000..d2aaa73c5 --- /dev/null +++ b/lass/2configs/fysiirc.nix 
@@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: +{ + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; } + ]; + krebs.reaktor2.fysiweb-github = { + hostname = "irc.libera.chat"; + port = "6697"; + useTLS = true; + nick = "fysiweb-github"; + API.listen = "inet://127.0.0.1:44001"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#fysi" + ]; + }; + } + ]; + }; + krebs.htgen.fysiweb-github = { + port = 44002; + user = { + name = "reaktor2-fysiweb-github"; + }; + script = ''. ${pkgs.writeDash "github-irc" '' + case "$Method $Request_URI" in + "POST /") + payload=$(head -c "$req_content_length" \ + | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ + | xargs -0 echo -e \ + ) + ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \ + -H content-type:application/json \ + -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \ + '{ + command:"PRIVMSG", + params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"] + }' + )" + printf 'HTTP/1.1 200 OK\r\n' + printf 'Connection: close\r\n' + printf '\r\n' + exit + ;; + esac + ''}''; + }; +} -- cgit v1.2.3
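Review bot: Port 44002 is opened to the internet by the iptables rule at the top of the file, but the `POST /` handler relays whatever body it receives to `#fysi` without checking GitHub's `X-Hub-Signature-256`, so anyone who finds the port can post arbitrary JSON and have `.action` plus a URL of their choosing announced on Libera; the `.action` string also reaches reaktor2 unfiltered, so whether CR/LF in it could become an IRC command injection depends on reaktor2's escaping, which I cannot see. Verify the HMAC against a webhook secret (or at minimum restrict the rule to GitHub's published hook ranges) and reply 403 otherwise. Separately, the `sed … | xargs -0 echo -e` decode pipeline is only right for form-encoded hooks and corrupts `application/json` bodies, which GitHub sends by default: `echo -e` interprets JSON escapes such as `\"`, `\n` and `\uXXXX`, `+` becomes a space, and `xargs` fails once the body exceeds the single-argument limit. If the hook is configured as JSON, feed the raw body to `jq` directly. The header variable name below follows the `req_content_length` convention htgen uses and should be confirmed; the secret file path is a placeholder.

```shell
"POST /")
  body=$(${pkgs.coreutils}/bin/mktemp)
  head -c "$req_content_length" > "$body"
  # GitHub signs the raw body with the webhook secret; reject anything that does not verify.
  # $WEBHOOK_SECRET_FILE: placeholder, supply via the htgen service environment.
  expected="sha256=$(${pkgs.openssl}/bin/openssl dgst -sha256 -hmac "$(cat "$WEBHOOK_SECRET_FILE")" < "$body" | cut -d' ' -f2)"
  if [ "$req_x_hub_signature_256" != "$expected" ]; then
    printf 'HTTP/1.1 403 Forbidden\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
    exit
  fi
  ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
    -H content-type:application/json \
    -d "$(${pkgs.jq}/bin/jq '{ command:"PRIVMSG", params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"] }' "$body")"
  # … unchanged: 200 OK response and exit …
```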