author | makefu <github@syntax-fehler.de> | 2016-02-11 21:31:15 +0100 |
committer | makefu <github@syntax-fehler.de> | 2016-02-11 21:31:15 +0100 |
commit | 107115dd1a126558c7befccf1dbe31b970324bed (patch) | |
tree | 75449913737104b382b3e71ef0340a7af4eba402 | |
parent | 02efcd83eac9907b8d29145b53840868615d1543 (diff) | |
parent | 75302b57df117828664a591ca672820deb216e41 (diff) |
Merge remote-tracking branch 'cd/master'
-rw-r--r-- | Makefile | 12 | ||||
-rw-r--r-- | miefda/1systems/bobby.nix | 102 | ||||
-rw-r--r-- | miefda/2configs/git.nix | 87 | ||||
-rw-r--r-- | miefda/2configs/hardware-configuration.nix | 23 | ||||
-rw-r--r-- | miefda/2configs/miefda.nix | 8 | ||||
-rw-r--r-- | miefda/2configs/tinc-basic-retiolum.nix | 14 | ||||
-rw-r--r-- | miefda/2configs/tlp.nix | 25 | ||||
-rw-r--r-- | miefda/2configs/x220t.nix | 27 | ||||
-rw-r--r-- | mv/1systems/stro.nix | 2 | ||||
-rw-r--r-- | mv/2configs/git.nix | 2 | ||||
-rw-r--r-- | mv/5pkgs/default.nix | 39 | ||||
l--------- | nixpkgs/default.nix | 2 | ||||
l--------- | nixpkgs/lib | 2 | ||||
l--------- | nixpkgs/pkgs | 2 | ||||
-rw-r--r-- | shared/1systems/wolf.nix | 1 | ||||
-rw-r--r-- | shared/5pkgs/default.nix | 5 | ||||
-rw-r--r-- | tv/1systems/cd.nix | 6 | ||||
-rw-r--r-- | tv/1systems/mkdir.nix | 1 | ||||
-rw-r--r-- | tv/1systems/rmdir.nix | 2 | ||||
-rw-r--r-- | tv/1systems/wu.nix | 2 | ||||
-rw-r--r-- | tv/2configs/backup.nix | 14 | ||||
-rw-r--r-- | tv/2configs/default.nix | 2 | ||||
-rw-r--r-- | tv/2configs/git.nix | 14 | ||||
-rw-r--r-- | tv/2configs/hw/AO753.nix | 2 | ||||
-rw-r--r-- | tv/2configs/hw/x220.nix | 16 | ||||
-rw-r--r-- | tv/2configs/vim.nix | 27 | ||||
-rw-r--r-- | tv/3modules/iptables.nix | 58 | ||||
-rw-r--r-- | tv/5pkgs/default.nix | 37 |
28 files changed, 406 insertions, 128 deletions
@@ -1,6 +1,3 @@ -.ONESHELL: -.SHELLFLAGS := -eufc - ifndef system $(error unbound variable: system) endif @@ -17,12 +14,15 @@ evaluate = \ --show-trace \ $(1) -execute = $(call evaluate,-A config.krebs.build.$(1) --json) | jq -r . | sh +execute = \ + result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \ + script=$$(echo "$$result" | jq -r .) && \ + echo "$$script" | sh # usage: make deploy system=foo [target_host=bar] deploy: $(call execute,populate) - ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path" + @set -x; ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path" # usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name eval eval.:;@$(call evaluate) @@ -33,7 +33,7 @@ eval.%:;@$(call evaluate,-A $*) #install: ssh = ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null #install:;@set -x # $(ssh) "$$target_user@$$target_host" \ -# env target_path=/var/src \ +# env target_path="$target_path" \ # sh -s prepare < krebs/4lib/infest/prepare.sh # make -s populate target_path=/mnt"$$target_path" # $(ssh) "$$target_user@$$target_host" \ diff --git a/miefda/1systems/bobby.nix b/miefda/1systems/bobby.nix new file mode 100644 index 0000000..d245952 --- /dev/null +++ b/miefda/1systems/bobby.nix 
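Review bot: With `.SHELLFLAGS := -eufc` removed in the first hunk, recipe lines no longer run under `set -u`, so in `deploy` an unset `target_user` or `target_host` expands to an empty string and `ssh "@"` is attempted instead of the recipe aborting (whether these variables get defaults elsewhere in the Makefile is not visible here). A check next to the existing `ifndef system` guard, or `@set -eux; : "$${target_user:?}" "$${target_host:?}"; ssh ...` in the recipe, keeps the old failure mode. In the new `execute`, `echo "$$script" | sh` mishandles a script whose first line looks like an echo option such as `-n`; `printf '%s\n' "$$script" | sh` is the safe form. In the commented `#install` recipe, `env target_path="$target_path"` is a single-`$` reference that make would expand as `$t` followed by `arget_path` if the line is ever uncommented; the surrounding lines use `$$target_path`.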
@@ -0,0 +1,102 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + + ../2configs/miefda.nix + ../2configs/tlp.nix + ../2configs/x220t.nix + ../2configs/hardware-configuration.nix + ../2configs/tinc-basic-retiolum.nix + ../2configs/git.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/sda"; + + networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Select internationalisation properties. + i18n = { + # consoleFont = "Lat2-Terminus16"; + consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + }; + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search by name, run: + # $ nix-env -qaP | grep wget + environment.systemPackages = with pkgs; [ + wget chromium + ]; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable the X11 windowing system. + services.xserver.enable = true; + services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + # Enable the KDE Desktop Environment. + #services.xserver.displayManager.kdm.enable = true; + services.xserver.desktopManager = { + xfce.enable = true; + xterm.enable= false; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.extraUsers.miefda = { + isNormalUser = true; + initialPassword= "welcome"; + uid = 1000; + extraGroups= [ + "wheel" + ]; + }; + + # The NixOS release to be compatible with for stateful data such as databases. 
+ system.stateVersion = "15.09"; + + + networking.hostName = config.krebs.build.host.name; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + host = config.krebs.hosts.bobby; + user = config.krebs.users.miefda; + source = { + git.nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251"; + target-path = "/var/src/nixpkgs"; + }; + dir.secrets = { + host = config.krebs.hosts.bobby; + path = "/home/miefda/secrets/${config.krebs.build.host.name}"; + }; + dir.stockholm = { + host = config.krebs.hosts.bobby; + path = "/home/miefda/gits/stockholm"; + }; + }; + }; + }; +} diff --git a/miefda/2configs/git.nix b/miefda/2configs/git.nix new file mode 100644 index 0000000..fec828f --- /dev/null +++ b/miefda/2configs/git.nix 
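Review bot: `users.extraUsers.miefda` is created with `initialPassword = "welcome"` and membership in `wheel`, and `services.openssh.enable = true` leaves password authentication at its default, so until someone runs `passwd` this host accepts SSH logins for a sudo-capable account with a password that is committed to the repository. `initialPassword` is only applied when the account is first created, so the window closes only if that step is remembered; prefer `services.openssh.passwordAuthentication = false;` together with the user's key in `users.extraUsers.miefda.openssh.authorizedKeys.keys`, or at least a `hashedPassword` instead of the literal. The installer-template comments (`# Edit this configuration file ...`, `# $ nix-env -qaP | grep wget`) could be trimmed now that the file is under version control and imports the real configuration from `../2configs`.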
@@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos; + rules = rules; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } + ]; + }; + + repos = + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos; + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + #wai-middleware-time = {}; + #web-routes-wai-custom = {}; + #go = {}; + #newsbot-js = {}; + #kimsufi-check = {}; + #realwallpaper = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import <secrets/repos.nix> { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = pkgs.git-hooks.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + verbose = config.krebs.build.host.name == "bobby"; + }; + }; + }; + + make-restricted-repo = name: { collaborators ? [], desc ? null, ... 
}: { + inherit name collaborators desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = miefda; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ lass tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out diff --git a/miefda/2configs/hardware-configuration.nix b/miefda/2configs/hardware-configuration.nix new file mode 100644 index 0000000..3eb1f43 --- /dev/null +++ b/miefda/2configs/hardware-configuration.nix @@ -0,0 +1,23 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "usb_storage" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4db70ae3-1ff9-43d7-8fcc-83264761a0bb"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = 4; +} diff --git a/miefda/2configs/miefda.nix b/miefda/2configs/miefda.nix new file mode 100644 index 0000000..545987a --- /dev/null +++ b/miefda/2configs/miefda.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + + #networking.wicd.enable = true; + +} diff --git a/miefda/2configs/tinc-basic-retiolum.nix b/miefda/2configs/tinc-basic-retiolum.nix new file mode 100644 index 0000000..b31fe15 --- /dev/null +++ b/miefda/2configs/tinc-basic-retiolum.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + krebs.retiolum = { + enable = true; + connectTo = [ + "gum" + "pigstarter" + "prism" + "ire" + ]; + }; +} 
diff --git a/miefda/2configs/tlp.nix b/miefda/2configs/tlp.nix new file mode 100644 index 0000000..0e1bb0d --- /dev/null +++ b/miefda/2configs/tlp.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + hardware.cpu.intel.updateMicrocode = true; + + zramSwap.enable = true; + zramSwap.numDevices = 2; + + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 220; + emulateWheel = true; + }; + + + services.tlp.enable = true; + services.tlp.extraConfig = '' + START_CHARGE_THRESH_BAT0=80 + ''; +} diff --git a/miefda/2configs/x220t.nix b/miefda/2configs/x220t.nix new file mode 100644 index 0000000..bea84f7 --- /dev/null +++ b/miefda/2configs/x220t.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + + services.xserver = { + xkbVariant = "altgr-intl"; + videoDriver = "intel"; + # vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; + deviceSection = '' + Option "AccelMethod" "sna" + ''; + }; + + + + services.xserver.displayManager.sessionCommands ='' + xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 + xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2 + xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5 + # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 8 200 + ''; + + hardware.bluetooth.enable = true; + + +} diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix index 38d4b4b..3915219 100644 --- a/mv/1systems/stro.nix +++ b/mv/1systems/stro.nix @@ -8,8 +8,6 @@ with lib; krebs.build.source.git.nixpkgs.rev = "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; - krebs.build.target = "lolwat"; - imports = [ ../2configs/hw/x220.nix ../2configs/git.nix diff --git a/mv/2configs/git.nix b/mv/2configs/git.nix index 991d0c4..c182d0d 100644 --- a/mv/2configs/git.nix +++ b/mv/2configs/git.nix 
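Review bot: `nixpkgs.config.allowUnfree = true;` in tlp.nix lifts the unfree restriction for every package on the host, while the tv/ hunks in this same merge narrow the same setting to a name predicate (`allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name`); if this is only needed for firmware pulled in by `hardware.enableAllFirmware`, a predicate naming those packages keeps the policy visible and reviewable. The tv/ hunks also move the option to `krebs.nixpkgs.allowUnfreePredicate`, which suggests plain `nixpkgs.config` set from a module may not take effect in this repository's build — confirm against the krebs module. Apart from `services.tlp`, this file also sets zramSwap, microcode updates and the trackpoint; a name like `laptop.nix`, or splitting those out, would make the `imports` list in bobby.nix self-explanatory.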
@@ -45,7 +45,7 @@ let perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ optional repo.public { - user = [ lass makefu uriel tv tv_xu ]; + user = [ lass makefu uriel tv tv-xu ]; repo = [ repo ]; perm = fetch; } ++ diff --git a/mv/5pkgs/default.nix b/mv/5pkgs/default.nix index 0c72c45..882ac04 100644 --- a/mv/5pkgs/default.nix +++ b/mv/5pkgs/default.nix @@ -1,23 +1,24 @@ { pkgs, ... }: { - # TODO use XDG_RUNTIME_DIR? - cr = pkgs.writeScriptBin "cr" '' - #! /bin/sh - set -efu - export LC_TIME=de_DE.utf8 - exec ${pkgs.chromium}/bin/chromium \ - --ssl-version-min=tls1 \ - --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ - --disk-cache-size=50000000 \ - "%@" - ''; - ff = pkgs.writeScriptBin "ff" '' - #! /bin/sh - set -efu - exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") - ''; - xmonad-tv = - let src = pkgs.writeNixFromCabal "xmonad-tv.nix" ./xmonad-tv; in - pkgs.haskellPackages.callPackage src {}; + nixpkgs.config.packageOverrides = rec { + cr = pkgs.writeScriptBin "cr" '' + #! /bin/sh + set -efu + export LC_TIME=de_DE.utf8 + exec ${pkgs.chromium}/bin/chromium \ + --ssl-version-min=tls1 \ + --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ + --disk-cache-size=50000000 \ + "%@" + ''; + ff = pkgs.writeScriptBin "ff" '' + #! /bin/sh + set -efu + exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") + ''; + xmonad-tv = + let src = pkgs.writeNixFromCabal "xmonad-tv.nix" ./xmonad-tv; in + pkgs.haskellPackages.callPackage src {}; + }; } diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix index 74e9d76..6e5223c 120000 --- a/nixpkgs/default.nix +++ b/nixpkgs/default.nix @@ -1 +1 @@ -../upstream-nixpkgs/default.nix
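Review bot: The `cr` wrapper in mv/5pkgs/default.nix still ends with the literal `"%@"` instead of `"$@"`, so any arguments given to `cr` are dropped and chromium receives a `%@` argument; the same line is carried over into tv/5pkgs/default.nix in this merge and should be fixed in both. The cache directory `/tmp/chromium-disk-cache_"$LOGNAME"` is a predictable path in a shared, world-writable directory that another local user could create first; the tv copy already carries `# TODO use XDG_RUNTIME_DIR?`, and `--disk-cache-dir="$XDG_RUNTIME_DIR/chromium-disk-cache"` (with a fallback, since the script runs under `set -u`) would resolve it. The `rec` on `nixpkgs.config.packageOverrides` is not needed here because no attribute refers to a sibling, and the tv version of the same block omits it.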
\ No newline at end of file
+../../upstream-nixpkgs/default.nix
\ No newline at end of file
diff --git a/nixpkgs/lib b/nixpkgs/lib
index 2284ef4..7b13c80 120000
--- a/nixpkgs/lib
+++ b/nixpkgs/lib
@@ -1 +1 @@
-../upstream-nixpkgs/lib
\ No newline at end of file
+../../upstream-nixpkgs/lib
\ No newline at end of file
diff --git a/nixpkgs/pkgs b/nixpkgs/pkgs
index ce5f544..9833849 120000
--- a/nixpkgs/pkgs
+++ b/nixpkgs/pkgs
@@ -1 +1 @@
-../upstream-nixpkgs/pkgs
\ No newline at end of file
+../../upstream-nixpkgs/pkgs
\ No newline at end of file diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index bcfbd68..9a51442 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -45,7 +45,6 @@ in # uninteresting stuff ##################### krebs.build.host = config.krebs.hosts.wolf; - krebs.build.target = "wolf"; boot.kernel.sysctl = { # Enable IPv6 Privacy Extensions diff --git a/shared/5pkgs/default.nix b/shared/5pkgs/default.nix deleted file mode 100644 index fdcfbb2..0000000 --- a/shared/5pkgs/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -# TODO don't require 5pkgs -_: - -{ -} diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index e42d575..b96548d 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -4,12 +4,6 @@ with lib; { krebs.build.host = config.krebs.hosts.cd; - krebs.build.target = "root@cd.internet"; - - krebs.build.source.upstream-nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "b7ff030"; - }; imports = [ ../2configs/hw/CAC-Developer-2.nix diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 79e5f73..2010dcd 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -17,7 +17,6 @@ in { krebs.build.host = config.krebs.hosts.mkdir; - krebs.build.target = "root@${primary-addr4}"; imports = [ ../2configs/hw/CAC-Developer-1.nix diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 6fd79c5..4005b5e 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -18,8 +18,6 @@ in { krebs.build.host = config.krebs.hosts.rmdir; - krebs.build.target = "root@rmdir.internet"; - imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 29e6de0..4ed13a0 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix 
@@ -157,7 +157,7 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name; + krebs.nixpkgs.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name; hardware.bumblebee.enable = true; hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index ce937a7..6c90709 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -1,7 +1,7 @@ { config, lib, ... }: with lib; { - krebs.backup.plans = addNames { + krebs.backup.plans = { wu-home-xu = { method = "push"; src = { host = config.krebs.hosts.wu; path = "/home"; }; @@ -14,5 +14,17 @@ with lib; yearly = { format = "%Y"; }; }; }; + xu-home-wu = { + method = "push"; + src = { host = config.krebs.hosts.xu; path = "/home"; }; + dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; }; + startAt = "06:00"; + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }; }; } diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 57c4620..b5639af 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -7,7 +7,6 @@ with lib; krebs.build = { user = config.krebs.users.tv; - target = mkDefault "root@${config.krebs.build.host.name}"; source = mapAttrs (_: mkDefault) ({ nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix"; nixpkgs = symlink:stockholm/nixpkgs; @@ -165,6 +164,7 @@ with lib; { tv.iptables.enable = true; + tv.iptables.accept-echo-request = "internet"; } { diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index b818008..f248a8c 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix 
@@ -7,8 +7,8 @@ let out = { krebs.git = { enable = true; - root-title = "public repositories at ${config.krebs.build.host.name}"; - root-desc = "keep calm and engage"; + root-title = "repositories at ${config.krebs.build.host.name}"; + root-desc = "mostly krebs"; repos = repos; rules = rules; }; @@ -21,7 +21,7 @@ let rules = concatMap make-rules (attrValues repos); public-repos = mapAttrs make-public-repo ({ - } // mapAttrValues (setAttr "section" "1. Miscellaneous") { + } // mapAttrValues (setAttr "section" "1. miscellaneous") { cac-api = { desc = "CloudAtCost API command line interface"; }; @@ -37,7 +37,7 @@ let desc = "SoundCloud command line interface"; }; stockholm = { - desc = "take all the computers hostage, they'll love you!"; + desc = "NixOS configuration"; }; with-tmpdir = {}; } // mapAttrValues (setAttr "section" "2. Haskell libraries") { @@ -49,7 +49,7 @@ let web-routes-wai-custom = {}; xintmap = {}; xmonad-stockholm = {}; - } // mapAttrValues (setAttr "section" "3. Museum") { + } // mapAttrValues (setAttr "section" "3. museum") { cgserver = {}; crude-mail-setup = {}; dot-xmonad = {}; @@ -90,12 +90,12 @@ let with git // config.krebs.users; repo: singleton { - user = [ tv tv_xu ]; + user = [ tv tv-xu ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ optional repo.public { - user = [ lass makefu uriel ]; + user = [ lass makefu ]; repo = [ repo ]; perm = fetch; } ++ diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index 72a4081..e7a2b92 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix @@ -41,5 +41,5 @@ with lib; HandleSuspendKey=ignore ''; - nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name; + krebs.nixpkgs.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name; } diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index 7cec670..9b3dd12 100644 --- a/tv/2configs/hw/x220.nix +++ b/tv/2configs/hw/x220.nix 
@@ -5,18 +5,11 @@ ../smartd.nix ]; - boot.initrd.availableKernelModules = [ "ahci" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.loader.gummiboot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.wireless.enable = true; - #hardware.enableAllFirmware = true; - #zramSwap.enable = true; - #zramSwap.numDevices = 2; - hardware.trackpoint = { enable = true; sensitivity = 220; @@ -46,14 +39,5 @@ services.xserver = { videoDriver = "intel"; vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; - deviceSection = '' - Option "AccelMethod" "sna" - ''; }; - - #services.xserver.displayManager.sessionCommands ='' - # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 - # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2 - # xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5 - #''; } diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 23f90af..69a880d 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -13,9 +13,21 @@ let environment.variables.VIMINIT = ":so /etc/vimrc"; }; - extra-runtimepath = concatStringsSep "," [ - "${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree" - ]; + extra-runtimepath = let + inherit (pkgs.vimUtils) buildVimPlugin rtpPath; + fromVimPlugins = pkgs: concatStringsSep "," + (mapAttrsToList (name: pkg: "${pkg}/${rtpPath}/${name}") pkgs); + in fromVimPlugins { + inherit (pkgs.vimPlugins) undotree; + file-line = buildVimPlugin { + name = "file-line-1.0"; + src = pkgs.fetchgit { + url = git://github.com/bogado/file-line; + rev = "refs/tags/1.0"; + sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0"; + }; + }; + }; dirs = { backupdir = "$HOME/.cache/vim/backup"; 
@@ -32,12 +44,9 @@ let alldirs = attrValues dirs ++ map dirOf (attrValues files); in unique (sort lessThan alldirs); - vim = pkgs.writeScriptBin "vim" '' - #! ${pkgs.dash}/bin/dash - set -f - umask 0077 - ${concatStringsSep "\n" (map (x: "mkdir -p ${x}") mkdirs)} - umask 0022 + vim = pkgs.writeDashBin "vim" '' + set -efu + (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) exec ${pkgs.vim}/bin/vim "$@" ''; diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index cbf49f5..4924db4 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -13,6 +13,11 @@ let api = { enable = mkEnableOption "tv.iptables"; + accept-echo-request = mkOption { + type = with types; nullOr (enum ["internet" "retiolum"]); + default = "retiolum"; + }; + input-internet-accept-new-tcp = mkOption { type = with types; listOf (either int str); default = []; 
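Review bot: In the first vim.nix hunk the `file-line` plugin is fetched from `git://github.com/bogado/file-line`, a cleartext and unauthenticated transport; the `sha256` pins the result so a tampered checkout fails the build rather than being used, but `https://github.com/bogado/file-line` costs nothing and GitHub no longer serves the git protocol at all, so the fetch would fail today. `rev = "refs/tags/1.0"` is a movable ref; with the hash in place that is only an availability concern, but a commit id would make the pin self-describing. The enclosing `let` of vim.nix starts before this hunk.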
@@ -43,28 +48,38 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} tv-iptables_start"; + SyslogIdentifier = "tv-iptables_start"; + ExecStart = pkgs.writeDash "tv-iptables_start" '' + set -euf + iptables-restore < ${rules 4} + ip6tables-restore < ${rules 6} + ''; }; }; }; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; - - rules = iptables-version: + rules = iptables-version: let + accept-echo-request = { + ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; + ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; + }."ip${toString iptables-version}tables"; + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] - ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([] - ++ [ - "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" - "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" - ] - )} + ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [ + "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" + "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ]} + ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [ + "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ]} COMMIT *filter :INPUT DROP [0:0] 
@@ -76,18 +91,12 @@ let "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "-i lo -j ACCEPT" ] + ++ optional (cfg.accept-echo-request == "internet") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) ++ ["-i retiolum -j Retiolum"] )} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] - ++ { - ip4tables = [ - "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" - ]; - ip6tables = [ - "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" - ]; - }."ip${toString iptables-version}tables" + ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) ++ { ip4tables = [ @@ -104,16 +113,7 @@ let )} COMMIT ''; - - startScript = pkgs.writeScript "tv-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules 4} - ip6tables-restore < ${rules 6} - ''; - -in -out +in out #let # cfg = config.tv.iptables; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index be10e91..b520e1a 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix 
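Review bot: The new `ExecStart` script runs `iptables-restore` and `ip6tables-restore` by bare name, so the rule set a root service loads at boot depends on whatever PATH systemd gives the unit (the unit's `path` attribute is not in this hunk and may already cover it — confirm). Pinning them as `${pkgs.iptables}/bin/iptables-restore < ${rules 4}` and `${pkgs.iptables}/bin/ip6tables-restore < ${rules 6}` removes that dependency and matches how the rest of the file references store paths. Dropping the `@` prefix that the old `ExecStart` used changes the process's argv[0] from `tv-iptables_start` to the script path; the added `SyslogIdentifier` presumably keeps the journal name stable, but that is worth a line in the commit message. The enclosing `let` and the `out` attrset start before this hunk.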
@@ -1,22 +1,25 @@ { pkgs, ... }: { - cr = pkgs.writeScriptBin "cr" '' - #! /bin/sh - set -efu - export LC_TIME=de_DE.utf8 - exec ${pkgs.chromium}/bin/chromium \ - --ssl-version-min=tls1 \ - --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ - --disk-cache-size=50000000 \ - "%@" - ''; - ejabberd = pkgs.callPackage ./ejabberd { - erlang = pkgs.erlangR16; + nixpkgs.config.packageOverrides = { + # TODO use XDG_RUNTIME_DIR? + cr = pkgs.writeScriptBin "cr" '' + #! /bin/sh + set -efu + export LC_TIME=de_DE.utf8 + exec ${pkgs.chromium}/bin/chromium \ + --ssl-version-min=tls1 \ + --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ + --disk-cache-size=50000000 \ + "%@" + ''; + ejabberd = pkgs.callPackage ./ejabberd { + erlang = pkgs.erlangR16; + }; + ff = pkgs.callPackage ./ff {}; + viljetic-pages = pkgs.callPackage ./viljetic-pages {}; + xmonad-tv = + let src = pkgs.writeNixFromCabal "xmonad-tv.nix" ./xmonad-tv; in + pkgs.haskellPackages.callPackage src {}; }; - ff = pkgs.callPackage ./ff {}; - viljetic-pages = pkgs.callPackage ./viljetic-pages {}; - xmonad-tv = - let src = pkgs.writeNixFromCabal "xmonad-tv.nix" ./xmonad-tv; in - pkgs.haskellPackages.callPackage src {}; } |