diff options
Diffstat (limited to 'old/modules')
90 files changed, 7000 insertions, 0 deletions
diff --git a/old/modules/cd/default.nix b/old/modules/cd/default.nix new file mode 100644 index 0000000..e3abd47 --- /dev/null +++ b/old/modules/cd/default.nix @@ -0,0 +1,91 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) readFile; +in + +{ + imports = + [ + { users.extraUsers = import <secrets/extraUsers.nix>; } + ./networking.nix + ./users.nix + ../tv/base.nix + ../tv/base-cac-CentOS-7-64bit.nix + ../tv/config/consul-server.nix + ../tv/ejabberd.nix # XXX echtes modul + ../tv/exim-smarthost.nix + ../tv/git/public.nix + ../tv/sanitize.nix + { + imports = [ ../tv/identity ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.cd; + }; + } + { + imports = [ ../tv/iptables ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../tv/retiolum ]; + tv.retiolum = { + enable = true; + hosts = <retiolum-hosts>; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + # "Developer 2" plan has two vCPUs. + nix.maxJobs = 2; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.ejabberd-cd = { + enable = true; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + sound.enable = false; +} diff --git a/old/modules/cd/networking.nix b/old/modules/cd/networking.nix new file mode 100644 index 0000000..215e208 --- /dev/null +++ b/old/modules/cd/networking.nix @@ -0,0 +1,14 @@ +{...}: +{ + networking.hostName = "cd"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.219.7.216"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.219.7.1"; + networking.nameservers = [ + "8.8.8.8" + ]; +} diff --git a/old/modules/cd/paths.nix b/old/modules/cd/paths.nix new file mode 100644 index 0000000..f873912 --- /dev/null +++ b/old/modules/cd/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/cd/nix; +} diff --git a/old/modules/cd/users.nix b/old/modules/cd/users.nix new file mode 100644 index 0000000..656336d --- /dev/null +++ b/old/modules/cd/users.nix @@ -0,0 +1,53 @@ +{ ... }: + +let + inherit (builtins) readFile; +in + +{ + users.extraGroups = { + + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + + }; + users.extraUsers = + { + root = { + openssh.authorizedKeys.keys = [ + (readFile <pubkeys/deploy_wu.ssh.pub>) + (readFile <pubkeys/tv_wu.ssh.pub>) + ]; + }; + + mv = rec { + name = "mv"; + uid = 1338; + group = "users"; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + (readFile <pubkeys/mv_vod.ssh.pub>) + ]; + }; + + }; + + users.mutableUsers = false; +} diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix new file mode 100644 index 0000000..938447e --- /dev/null +++ b/old/modules/cloudkrebs/default.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../tv/base-cac-CentOS-7-64bit.nix + ../lass/retiolum-cloudkrebs.nix + ./networking.nix + ../../secrets/cloudkrebs-pw.nix + ../lass/sshkeys.nix + ../lass/base.nix + ../common/nixpkgs.nix + ]; + + nixpkgs = { + url = "https://github.com/Lassulus/nixpkgs"; + rev = "b42ecfb8c61e514bf7733b4ab0982d3e7e27dacb"; + }; + + nix.maxJobs = 1; + + #activationScripts + #split up and move into base + + #TODO move into modules + users.extraUsers = { + #main user + root = { + openssh.authorizedKeys.keys = [ + config.sshKeys.lass.pub + ]; + }; + mainUser = { + uid = 1337; + name = "lass"; + #isNormalUser = true; + group = "users"; + createHome = true; + home = "/home/lass"; + useDefaultShell = true; + isSystemUser = false; + description = "lassulus"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + config.sshKeys.lass.pub + ]; + }; + }; + + environment.systemPackages = with pkgs; [ + ]; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 + ]; + }; + +} diff --git a/old/modules/cloudkrebs/networking.nix b/old/modules/cloudkrebs/networking.nix new file mode 100644 index 0000000..fc50073 --- /dev/null +++ b/old/modules/cloudkrebs/networking.nix @@ -0,0 +1,14 @@ +{...}: +{ + networking.hostName = "cloudkrebs"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; +} diff --git a/old/modules/common/krebs-keys.nix b/old/modules/common/krebs-keys.nix new file mode 100644 index 0000000..5e34933 --- /dev/null +++ b/old/modules/common/krebs-keys.nix @@ -0,0 +1,18 @@ +# alle public keys der krebsminister fuer R in krebs repos +{ config, ... }: + +let + inherit (builtins) readFile; +in + +with import ../lass/sshkeys.nix { + config.sshKeys.lass.pub = config.sshKeys.lass.pub; + config.sshKeys.uriel.pub = config.sshKeys.uriel.pub; + }; +{ + imports = [ + ./sshkeys.nix + ]; + + config.sshKeys.tv.pub = readFile <pubkeys/tv_wu.ssh.pub>; +} diff --git a/old/modules/common/krebs-repos.nix b/old/modules/common/krebs-repos.nix new file mode 100644 index 0000000..86f3731 --- /dev/null +++ b/old/modules/common/krebs-repos.nix @@ -0,0 +1,36 @@ +{ lib, ... }: + +let + inherit (lib) mkDefault; + + mkSecureRepo = name: + { inherit name; + value = { + users = { + lass = mkDefault "R"; + tv = mkDefault "R"; + makefu = mkDefault "R"; + }; + }; + }; + + mkRepo = name: + { inherit name; + value = { + users = { + lass = mkDefault "R"; + tv = mkDefault "R"; + makefu = mkDefault "R"; + }; + }; + }; + +in { + services.gitolite.repos = + (lib.listToAttrs (map mkSecureRepo [ "brain" ])) // + (lib.listToAttrs (map mkRepo [ + "painload" + "services" + "hosts" + ])); +} diff --git a/old/modules/common/nixpkgs.nix b/old/modules/common/nixpkgs.nix new file mode 100644 index 0000000..486cf02 --- /dev/null +++ b/old/modules/common/nixpkgs.nix @@ -0,0 +1,25 @@ +{ lib, ... }: + +with lib; + +{ + options = { + nixpkgs.url = mkOption { + type = types.str; + description = "URL of the nixpkgs repository."; + }; + nixpkgs.rev = mkOption { + type = types.str; + default = "origin/master"; + description = "Revision of the remote repository."; + }; + nixpkgs.dirty = mkOption { + type = types.bool; + default = false; + description = '' + If nixpkgs.url is a local path, then use that as it is. + TODO this break if URL is not a local path. + ''; + }; + }; +} diff --git a/old/modules/common/sshkeys.nix b/old/modules/common/sshkeys.nix new file mode 100644 index 0000000..5f1c606 --- /dev/null +++ b/old/modules/common/sshkeys.nix @@ -0,0 +1,26 @@ +{ lib, ... }: + +with lib; + +{ + options = { + sshKeys = mkOption { + type = types.attrsOf (types.submodule ( + { config, ... }: + { + options = { + pub = mkOption { + type = types.str; + description = "Public part of the ssh key."; + }; + + priv = mkOption { + type = types.str; + description = "Private part of the ssh key."; + }; + }; + })); + description = "collection of ssh-keys"; + }; + }; +} diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix new file mode 100644 index 0000000..3a8d879 --- /dev/null +++ b/old/modules/lass/base.nix @@ -0,0 +1,110 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./sshkeys.nix + ]; + + nix.useChroot = true; + + users.mutableUsers = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + PAGER=most + ''; + + environment.systemPackages = with pkgs; [ + git + most + rxvt_unicode.terminfo + + #network + iptables + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.gitolite = { + enable = true; + dataDir = "/home/gitolite"; + adminPubkey = config.sshKeys.lass.pub; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxU |