| author | nin <nineinchnade@gmail.com> | 2017-01-12 22:21:21 +0100 | 
|---|---|---|
| committer | nin <nineinchnade@gmail.com> | 2017-01-12 22:21:21 +0100 | 
| commit | b651b2ba6bd814fb81147519d3e910ebc08a05ff (patch) | |
| tree | b5d9f365198ca6f4df7c834045197afaedf69b3c /nin | |
| parent | df07324e4c096c13900bfab57e3c62e1b18e39ac (diff) | |
nin: init
Diffstat (limited to 'nin')
| -rw-r--r-- | nin/1systems/hiawatha.nix | 125 | ||||
| -rw-r--r-- | nin/2configs/default.nix | 165 | ||||
| -rw-r--r-- | nin/2configs/nixpkgs.nix | 8 | ||||
| -rw-r--r-- | nin/2configs/retiolum.nix | 28 | ||||
| -rw-r--r-- | nin/default.nix | 7 | 
5 files changed, 333 insertions, 0 deletions
diff --git a/nin/1systems/hiawatha.nix b/nin/1systems/hiawatha.nix
new file mode 100644
index 0000000..26de00d
--- /dev/null
+++ b/nin/1systems/hiawatha.nix
@@ -0,0 +1,125 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../.
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ../2configs/retiolum.nix
+  ];
+
+  krebs.build.host = config.krebs.hosts.hiawatha;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/tmp" =
+    { device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010";
+      fsType = "ext2";
+    };
+
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  fileSystems."/home/nin/.local/share/Steam" = {
+    device = "/dev/fam/steam";
+  };
+
+  # nin config
+  time.timeZone = "Europe/Berlin";
+  services.xserver.enable = true;
+
+  networking.networkmanager.enable = true;
+  #networking.wireless.enable = true;
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+
+  #nixpkgs.config.steam.java = true;
+
+  environment.variables.EDITOR = mkForce "vim";
+  environment.variables.VIMINIT = ":so /etc/vimrc";
+  environment.etc.vimrc.source = pkgs.writeText "vimrc" ''
+    set nocp
+  '';
+
+  environment.systemPackages = with pkgs; [
+    firefox
+    steam
+    thunderbird
+    vim
+    git
+    hexchat
+    networkmanagerapplet
+  ];
+
+  nixpkgs.config = {
+
+    allowUnfree = true;
+
+    firefox = {
+      enableGoogleTalkPlugin = true;
+      enableAdobeFlash = true;
+    };
+  };
+
+  #services.logind.extraConfig = "HandleLidSwitch=ignore";
+
+  services.xserver.synaptics = {
+    enable = true;
+  };
+
+
+  services.xserver.desktopManager.xfce = let
+    xbindConfig = pkgs.writeText "xbindkeysrc" ''
+      "${pkgs.pass}/bin/passmenu --type"
+        Control + p
+  '';
+  in {
+    enable = true;
+      extraSessionCommands = ''
+      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
+    '';
+  };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "17.03";
+
+}
diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix
new file mode 100644
index 0000000..9b33e9c
--- /dev/null
+++ b/nin/2configs/default.nix
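Review bot: `enableAdobeFlash = true` inside the `nixpkgs.config.firefox` block pulls the proprietary Flash NPAPI plugin into Firefox, which adds a large and historically very buggy attack surface to a desktop that also carries SSH keys and a `pass` store wired into xbindkeys. If Flash is not actually required, drop that line together with `enableGoogleTalkPlugin`; if it is, a comment naming the site that needs it would let the next maintainer remove it once that need is gone. `hardware.pulseaudio.systemWide = true` deserves a comment as well, since upstream discourages system-wide mode on single-user desktops and it moves the daemon out of the user session. The `fileSystems."/home/nin/.local/share/Steam"` entry gives no `fsType`, so the mount relies on autodetection — stating the type explicitly would make the intent clear.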
@@ -0,0 +1,165 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  imports = [
+    ../2configs/nixpkgs.nix
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import <secrets/hashedPasswords.nix>);
+    }
+    {
+      users.extraUsers = {
+        root = {
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+          ];
+        };
+        mainUser = {
+          name = "nin";
+          uid = 1337;
+          home = "/home/nin";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "fuse"
+          ];
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+          ];
+        };
+      };
+    }
+    {
+      environment.variables = {
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+      };
+    }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
+  ];
+
+  networking.hostName = config.krebs.build.host.name;
+  nix.maxJobs = config.krebs.build.host.cores;
+
+  krebs = {
+    enable = true;
+    search-domain = "retiolum";
+    build = {
+      user = config.krebs.users.nin;
+      source = let inherit (config.krebs.build) host; in {
+        nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
+        secrets.file = "/home/nin/secrets/${host.name}";
+        stockholm.file = getEnv "PWD";
+      };
+    };
+  };
+
+  nix.useSandbox = true;
+
+  services.timesyncd.enable = true;
+
+  #why is this on in the first place?
+  services.nscd.enable = false;
+
+  boot.tmpOnTmpfs = true;
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -"
+  ];
+
+  # multiple-definition-problem when defining environment.variables.EDITOR
+  environment.extraInit = ''
+    EDITOR=vim
+    MANPAGER=most
+  '';
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+  #stockholm
+    git
+    gnumake
+    jq
+    proot
+    populate
+    p7zip
+    unzip
+    unrar
+  ];
+
+  programs.bash = {
+    enableCompletion = true;
+    interactiveShellInit = ''
+      HISTCONTROL='erasedups:ignorespace'
+      HISTSIZE=65536
+      HISTFILESIZE=$HISTSIZE
+
+      shopt -s checkhash
+      shopt -s histappend histreedit histverify
+      shopt -s no_empty_cmd_completion
+      complete -d cd
+    '';
+    promptInit = ''
+      if test $UID = 0; then
+        PS1='\[\033[1;31m\]\w\[\033[0m\] '
+      elif test $UID = 1337; then
+        PS1='\[\033[1;32m\]\w\[\033[0m\] '
+      else
+        PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
+      fi
+      if test -n "$SSH_CLIENT"; then
+        PS1='\[\033[35m\]\h'" $PS1"
+      fi
+    '';
+  };
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  krebs.iptables = {
+    enable = true;
+    tables = {
+      nat.PREROUTING.rules = [
+        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+      ];
+      nat.OUTPUT.rules = [
+        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+      ];
+      filter.INPUT.policy = "DROP";
+      filter.FORWARD.policy = "DROP";
+      filter.INPUT.rules = [
+        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+        { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+        { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+        { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+        { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+        { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
+      ];
+    };
+  };
+
+  networking.dhcpcd.extraConfig = ''
+    noipv4ll
+  '';
+}
diff --git a/nin/2configs/nixpkgs.nix b/nin/2configs/nixpkgs.nix
new file mode 100644
index 0000000..eceab7e
--- /dev/null
+++ b/nin/2configs/nixpkgs.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  krebs.build.source.nixpkgs.git = {
+    url = https://github.com/nixos/nixpkgs;
+    ref = "fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271";
+  };
+}
diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix
new file mode 100644
index 0000000..821e3cc
--- /dev/null
+++ b/nin/2configs/retiolum.nix
@@ -0,0 +1,28 @@
+{ ... }:
+
+{
+
+  krebs.iptables = {
+    tables = {
+      filter.INPUT.rules = [
+        { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
+        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+      ];
+    };
+  };
+
+  krebs.tinc.retiolum = {
+    enable = true;
+    connectTo = [
+      "prism"
+      "pigstarter"
+      "gum"
+      "flap"
+    ];
+  };
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    tinc = pkgs.tinc_pre;
+  };
+}
diff --git a/nin/default.nix b/nin/default.nix
new file mode 100644
index 0000000..c31d6d9
--- /dev/null
+++ b/nin/default.nix
@@ -0,0 +1,7 @@
+_:
+{
+  imports = [
+    ../krebs
+    ./2configs
+  ];
+}
