From 34e628453dda4e7aec9f715703eb6c21b05a8a82 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:34:46 +0200 Subject: k 2 bepasty-dual: use krebs.nginx.ssl + acme --- makefu/2configs/bepasty-dual.nix | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) (limited to 'makefu/2configs') diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index 5682f5eb..f675c4ac 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -15,6 +15,9 @@ let sec = toString ; # secKey is nothing worth protecting on a local machine secKey = import ; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "paste.krebsco.de" ; in { krebs.nginx.enable = mkDefault true; @@ -25,7 +28,7 @@ in { servers = { internal = { nginx = { - server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; 
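Review bot: The two new path bindings double the separator: `acmepath = "/var/lib/acme/";` already ends in `/` and `acmechall = acmepath + "/challenges/";` adds another, and every later use (`"${acmepath}/${ext-dom}/fullchain.pem"`, `${acmechall}/${ext-dom}/`) prepends one more, so the resulting paths are `/var/lib/acme//challenges//paste.krebsco.de/`. That is harmless on Linux but shows up in nginx logs and makes the acme `webroot` harder to compare against the nginx `root` by eye. Suggest `acmepath = "/var/lib/acme";` and `acmechall = "${acmepath}/challenges";` and keep the single `/` at the use sites. The `let` block these bindings belong to starts before this hunk.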
@@ -33,17 +36,25 @@ in { external = { nginx = { - server-names = [ "paste.krebsco.de" ]; + server-names = [ ext-dom ]; + ssl = { + enable = true; + certificate = "${acmepath}/${ext-dom}/fullchain.pem"; + certificate_key = "${acmepath}/${ext-dom}/key.pem"; + # these certs will be needed if acme has not yet created certificates: + #certificate = "${sec}/wildcard.krebsco.de.crt"; + #certificate_key = "${sec}/wildcard.krebsco.de.key"; + ciphers = "RC4:HIGH:!aNULL:!MD5" ; + }; + locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + ''); extraConfig = '' ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_certificate ${sec}/wildcard.krebsco.de.crt; - ssl_certificate_key ${sec}/wildcard.krebsco.de.key; ssl_verify_client off; proxy_ssl_session_reuse off; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers RC4:HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + if ($scheme = http){ return 301 https://$server_name$request_uri; }''; @@ -53,4 +64,12 @@ in { }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } -- cgit v1.2.3 From df7416dc319e6815e32fa5fb32ba00d41481d368 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 20:09:47 +0200 Subject: m 2 tinc: add missing retiolum config --- makefu/2configs/tinc/retiolum.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 makefu/2configs/tinc/retiolum.nix (limited to 'makefu/2configs') diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix new file mode 100644 index 00000000..dcb07246 --- /dev/null +++ b/makefu/2configs/tinc/retiolum.nix @@ -0,0 +1,4 @@ +_: +{ + krebs.tinc.retiolum.enable = true; +} -- cgit v1.2.3 From e03ae6d79d77e654bb586475b52c7e6aa24ac06f Mon Sep 17 00:00:00 2001 
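Review bot: The new `ciphers = "RC4:HIGH:!aNULL:!MD5" ;` leads with RC4, a broken stream cipher that RFC 7465 prohibits for TLS; since the rewrite re-states the cipher list as a module option anyway, this is the moment to drop it, e.g. `ciphers = "HIGH:!aNULL:!MD5:!RC4";`. The hunk also removes the explicit `ssl_protocols` and `ssl_prefer_server_ciphers on` lines, so whether the server still enforces its own ordering now depends on what `krebs.nginx.ssl` emits, which is not visible here. The commented-out wildcard fallback hints at a bootstrap-order problem: nginx will not start while `${acmepath}/${ext-dom}/fullchain.pem` does not exist yet, so the `/.well-known/acme-challenge` location cannot be served on a fresh host; a comment stating the required first-run sequence (start with the wildcard pair, obtain the cert, switch back) would spare the next deployer that surprise. The `external` server block begins before and ends after this hunk.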
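Review bot: `extraDomains."${ext-dom}" = null ;` lists the certificate's own primary domain again as an extra name; the option is meant for additional SANs, so this entry is redundant and can be dropped unless the acme module at the pinned nixpkgs revision needs it, which cannot be checked from here. The rest of the attribute set lines up with the nginx side of the change: `webroot = "${acmechall}/${ext-dom}/"` matches the `root` of the challenge location, and `group = "nginx"` with `allowKeysForGroup = true` is what lets the nginx worker read `key.pem`, which is worth stating in a short comment so nobody later "tightens" it and breaks TLS.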
From: makefu Date: Wed, 20 Jul 2016 20:35:30 +0200 Subject: m 1 wbob: add missing --- makefu/2configs/temp/share-samba.nix | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 makefu/2configs/temp/share-samba.nix (limited to 'makefu/2configs') diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix new file mode 100644 index 00000000..c021e66c --- /dev/null +++ b/makefu/2configs/temp/share-samba.nix @@ -0,0 +1,36 @@ +{config, ... }:{ + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + + networking.firewall.allowedTCPPorts = [ + 139 445 # samba + ]; + + networking.firewall.allowedUDPPorts = [ + 137 138 + ]; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} -- cgit v1.2.3 From 3c628cd4a29938ecf14e0e891f621a742987ddab Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 22:55:19 +0200 Subject: m 2 default: bump ref to 125ffff --- makefu/2configs/default.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'makefu/2configs') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 4562a123..cba7462f 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -17,7 +17,6 @@ with config.krebs.lib; krebs = { enable = true; - dns.providers.siem = "hosts"; dns.providers.lan = "hosts"; search-domain = "retiolum"; build = { 
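Review bot: The share is anonymous and writable (`"guest ok" = "yes"` together with `"read only" = "no"`, and `map to guest = bad user` maps any unknown username to the guest account), while `networking.firewall.allowedTCPPorts = [ 139 445 ]` and the UDP 137/138 entries open those ports on every interface, so write access to `/home/share/` is reachable from any network the host is attached to, including any overlay it participates in. If this is only meant for the local LAN, constrain samba itself in `extraConfig` with `interfaces = <LAN-IFACE>` plus `bind interfaces only = yes`, or at least `hosts allow = <LAN-CIDR>` (placeholders). The `temp/` path suggests the share is short-lived; a header comment naming who it is for and when it should be removed would make that explicit.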
@@ -25,7 +24,7 @@ with config.krebs.lib; source = let inherit (config.krebs.build) host user; in { nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "0546a4a"; # stable @ 2016-06-11 + ref = "125ffff"; # stable @ 2016-07-20 }; secrets.file = if getEnv "dummy_secrets" == "true" @@ -171,4 +170,10 @@ with config.krebs.lib; consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; }; + # suppress chrome autit event messages + security.audit = { + rules = [ + "-a task,never" + ]; + }; } -- cgit v1.2.3 From fbe1fcdd8e145493602da65f0a22b1907c2b3a95 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 21 Jul 2016 00:13:01 +0200 Subject: m : update legacy options ,remove honeyd usage in shoney --- makefu/2configs/default.nix | 2 +- makefu/2configs/hw/tp-x220.nix | 3 +-- makefu/2configs/virtualization-virtualbox.nix | 12 +++++++----- 3 files changed, 9 insertions(+), 8 deletions(-) (limited to 'makefu/2configs') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cba7462f..c94f1be7 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -66,7 +66,7 @@ with config.krebs.lib; startAgent = false; }; services.openssh.enable = true; - nix.useChroot = true; + nix.useSandbox = true; users.mutableUsers = false; diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix index 1c9a3496..58390e48 100644 --- a/makefu/2configs/hw/tp-x220.nix +++ b/makefu/2configs/hw/tp-x220.nix @@ -8,10 +8,9 @@ with config.krebs.lib; kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; }; - + hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; services.xserver = { videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; deviceSection = '' Option "AccelMethod" "sna" ''; diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix index 2b4e2477..7a14dea7 100644 
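Review bot: The added audit rule `"-a task,never"` suppresses the `task` audit list for every process on the host, not only chrome, so the comment `# suppress chrome autit event messages` both understates the effect and has a typo. Suggest `# silence audit "task" records (chrome is the noisy source); this disables task-creation auditing for all processes`. If the goal is only to quiet the journal, that is a detection-visibility trade-off worth recording next to the rule so it is not mistaken for a chrome-specific setting later.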
--- a/makefu/2configs/virtualization-virtualbox.nix +++ b/makefu/2configs/virtualization-virtualbox.nix @@ -2,20 +2,22 @@ let mainUser = config.krebs.build.user; - version = "5.0.20"; - rev = "106931"; - vboxguestpkg = pkgs.fetchurl { + vboxguestpkg = lib.stdenv.mkDerivation rec { + name = "Virtualbox-Extensions-${version}-${rev}"; + version = "5.0.20"; + rev = "106931"; + src = pkgs.fetchurl { url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; }; + }; in { - #inherit vboxguestpkg; virtualisation.virtualbox.host.enable = true; nixpkgs.config.virtualbox.enableExtensionPack = true; users.extraGroups.vboxusers.members = [ "${mainUser.name}" ]; nixpkgs.config.packageOverrides = super: { - boot.kernelPackages = super.boot.kernelPackages.virtualbox.override { + boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override { buildInputs = super.boot.kernelPackages.virtualBox.buildInputs ++ [ vboxguestpkg ]; }; -- cgit v1.2.3 From 964062c8071b7b069ec6a2661a3530629a95a1c2 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 21 Jul 2016 02:04:45 +0200 Subject: m 2 zsh-user: use gpg-agent 2.1 style daemon --- makefu/2configs/zsh-user.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'makefu/2configs') diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix index 9527ead1..99c1315e 100644 --- a/makefu/2configs/zsh-user.nix +++ b/makefu/2configs/zsh-user.nix 
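Review bot: `vboxguestpkg = lib.stdenv.mkDerivation rec {` reaches `stdenv` through `lib`, but the nixpkgs library has no `stdenv` attribute (the surrounding code already uses `pkgs.fetchurl`), so evaluation should fail with an undefined-attribute error unless `lib` is bound to something other than the nixpkgs library here; `pkgs.stdenv.mkDerivation rec {` is presumably what was meant. The derivation also declares no phases, so the generic builder would try to unpack the `.vbox-extpack` and run the default build/install steps, which is unlikely to be the intended packaging of an extension pack; a comment saying how the resulting derivation is consumed would help. Separately, the new `boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {` spells the attribute `virtualbox` while the unchanged line that follows reads `super.boot.kernelPackages.virtualBox.buildInputs`; one of the two spellings is presumably wrong. Both the `let` binding and the `packageOverrides` block extend outside this hunk.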
@@ -22,15 +22,11 @@ in bindkey "\e[3~" delete-char zstyle ':completion:*' menu select - # load gpg-agent - envfile="$HOME/.gnupg/gpg-agent.env" - if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then - eval "$(cat "$envfile")" - else - eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")" - fi - export GPG_AGENT_INFO - export SSH_AUTH_SOCK + gpg-connect-agent updatestartuptty /bye >/dev/null + GPG_TTY=$(tty) + export GPG_TTY + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" ''; promptInit = '' -- cgit v1.2.3
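Review bot: `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"` hardcodes the socket location, which only holds for gnupg builds that place sockets under `/run/user`; `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` asks gnupg itself (available from 2.1.13 on, so check the pinned nixpkgs) and keeps working when the socket falls back to `~/.gnupg`. `GPG_TTY` is exported only after `gpg-connect-agent updatestartuptty /bye` has already run; moving the `GPG_TTY=$(tty)` and `export GPG_TTY` lines above that call should make the agent pick up the tty you intend rather than whatever it infers. The shell-init string this snippet lives in starts before this hunk.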