| -rw-r--r-- | krebs/3modules/tv/default.nix | 31 | ||||
| -rw-r--r-- | tv/1systems/cd.nix | 58 | ||||
| -rw-r--r-- | tv/1systems/mu.nix | 5 | ||||
| -rw-r--r-- | tv/1systems/nomic.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/wu.nix | 6 | ||||
| -rw-r--r-- | tv/1systems/xu.nix | 6 | ||||
| -rw-r--r-- | tv/1systems/zu.nix | 229 | ||||
| -rw-r--r-- | tv/2configs/default.nix | 8 | ||||
| -rw-r--r-- | tv/2configs/nginx/default.nix | 4 | 
9 files changed, 309 insertions, 39 deletions
| diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 2d18a7e8d..075066961 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -358,6 +358,37 @@ with config.krebs.lib;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
     };
+    zu = {
+      cores = 4;
+      nets = {
+        #gg23 = {
+        #  ip4.addr = "";
+        #  aliases = ["zu.gg23"];
+        #  ssh.port = 11423;
+        #};
+        retiolum = {
+          ip4.addr = "10.243.13.40";
+          ip6.addr = "42:0:0:0:0:0:0:1340";
+          aliases = [
+            "zu.r"
+            "zu.retiolum"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
+            idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
+            BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
+            OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
+            /NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
+            b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_rsa>;
+      ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
+    };
   };
   users = {
     mv = {
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4d9..2ad4a1505 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
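Review bot: The new zu entry changes SSH key type without saying why: the xu context lines above it carry `ssh.privkey.path = <secrets/ssh.id_ed25519>;` with an ssh-ed25519 pubkey, while zu uses `ssh.privkey.path = <secrets/ssh.id_rsa>;` with an ssh-rsa key. If that is deliberate, a one-line comment next to zu's `ssh.privkey.path` would keep the next host from copying either at random. The commented-out `gg23` net with `ip4.addr = "";` reads as a placeholder; `# TODO gg23: no address assigned yet` (or dropping the block until there is one) would make the intent explicit. `secure = true;` is likewise undocumented here, though its meaning may be defined elsewhere in the module.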
@@ -44,20 +44,50 @@ with config.krebs.lib;
         "cgit.cd.viljetic.de"
       ];
       # TODO make public_html also available to cd, cd.retiolum (AKA default)
-      krebs.nginx.servers.public_html = {
-        server-names = singleton "cd.viljetic.de";
-        locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-          alias /home/$1/public_html$2;
-        '');
+      krebs.nginx.servers."https://viljetic.de" = {
+        server-names = singleton "viljetic.de";
+        listen = mkForce []; # disable default
+        ssl = {
+          enable = true;
+          certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+          certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+        };
+        locations = [
+          (nameValuePair "/" ''
+            root ${pkgs.viljetic-pages};
+          '')
+          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
       };
-      krebs.nginx.servers.viljetic = {
+      krebs.nginx.servers."http://viljetic.de" = {
         server-names = singleton "viljetic.de";
-        # TODO directly set root (instead via location)
-        locations = singleton (nameValuePair "/" ''
-          root ${pkgs.viljetic-pages};
-        '');
+        locations = [
+          (nameValuePair "/.well-known/acme-challenge/" ''
+            root /var/lib/acme/challenges/viljetic.de/;
+          '')
+          (nameValuePair "/" ''
+            return 301 https://viljetic.de$request_uri;
+          '')
+        ];
+      };
+      security.acme = {
+        certs."viljetic.de" = {
+          email = "tomislav@viljetic.de";
+          webroot = "/var/lib/acme/challenges/viljetic.de";
+          plugins = [
+            "account_key.json"
+            "key.pem"
+            "fullchain.pem"
+          ];
+          user = "nginx";
+        };
       };
-      tv.iptables.input-internet-accept-tcp = singleton "http";
+      tv.iptables.input-internet-accept-tcp = [
+        "http"
+        "https"
+      ];
     }
   ];
@@ -78,13 +108,7 @@ with config.krebs.lib;
     iotop
     iptables
     nethogs
-    ntp     # ntpate
     rxvt_unicode.terminfo
     tcpdump
   ];
-
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-    RuntimeMaxUse=128M
-  '';
 }
diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix
index ec208a0bd..e7908e299 100644
--- a/tv/1systems/mu.nix
+++ b/tv/1systems/mu.nix
@@ -157,11 +157,6 @@ with config.krebs.lib;
     ];
   };
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-    RuntimeMaxUse=128M
-  '';
-
   # see tmpfiles.d(5)
   systemd.tmpfiles.rules = [
     "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 3696bcdfc..5415e50b1 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -60,7 +60,6 @@ with config.krebs.lib;
       esac
     '')
     gnupg
-    ntp # ntpate
     rxvt_unicode.terminfo
     tmux
   ];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index d115e274b..a2e113e18 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -29,7 +29,6 @@ with config.krebs.lib;
         # root
         cryptsetup
-        ntp # ntpate
         # tv
         bc
@@ -164,11 +163,6 @@ with config.krebs.lib;
   services.printing.enable = true;
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-    RuntimeMaxUse=128M
-  '';
-
   # see tmpfiles.d(5)
   systemd.tmpfiles.rules = [
     "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 7277f5cb7..b832470d0 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -41,7 +41,6 @@ with config.krebs.lib;
         # root
         cryptsetup
-        ntp # ntpate
         # tv
         bc
@@ -176,11 +175,6 @@ with config.krebs.lib;
   services.printing.enable = true;
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-    RuntimeMaxUse=128M
-  '';
-
   # see tmpfiles.d(5)
   systemd.tmpfiles.rules = [
     "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix
new file mode 100644
index 000000000..bfc018cc3
--- /dev/null
+++ b/tv/1systems/zu.nix
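Review bot: Nothing in the new `security.acme.certs."viljetic.de"` block reloads nginx after a renewal, so the `fullchain.pem` and `key.pem` under `/var/lib/acme/viljetic.de/` that the https server reads are only picked up on the next nginx restart, and the served chain can expire while a fresh one sits on disk. The NixOS `security.acme` module of the release this tree targets exposes a per-certificate `postRun` hook for exactly this; `postRun = "systemctl reload nginx.service";` inside the cert block would close the gap, assuming the krebs.nginx module's unit is named `nginx.service`, which is not visible here. The https server's `ssl` block names only the certificate files, so protocol and cipher choices depend on krebs.nginx defaults that this hunk does not show; a short comment stating that, or an explicit `Strict-Transport-Security` header on that server to make the `return 301` on the http side stick for returning browsers, would be worth adding. The enclosing module-list entry begins before the hunk.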
@@ -0,0 +1,229 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  krebs.build.host = config.krebs.hosts.zu;
+
+  imports = [
+    {
+      options.tv.test.sercret-file = mkOption {
+        type = types.secret-file;
+        default = {};
+      };
+    }
+    ../.
+    ../2configs/hw/x220.nix
+    ../2configs/exim-retiolum.nix
+    ../2configs/git.nix
+    ../2configs/mail-client.nix
+    ../2configs/man.nix
+    ../2configs/nginx/public_html.nix
+    ../2configs/pulse.nix
+    ../2configs/retiolum.nix
+    ../2configs/wu-binary-cache/client.nix
+    ../2configs/xserver
+    {
+      environment.systemPackages = with pkgs; [
+
+        # stockholm
+        gnumake
+        hashPassword
+        haskellPackages.lentil
+        parallel
+        (pkgs.writeBashBin "im" ''
+          export PATH=${makeSearchPath "bin" (with pkgs; [
+            tmux
+            gnugrep
+            weechat
+          ])}
+          if tmux list-sessions -F\#S | grep -q '^im''$'; then
+            exec tmux attach -t im
+          else
+            exec tmux new -s im weechat
+          fi
+        '')
+
+        # root
+        cryptsetup
+
+        # tv
+        bc
+        bind # dig
+        cac-api
+        dic
+        file
+        gnupg1compat
+        haskellPackages.hledger
+        htop
+        jq
+        mkpasswd
+        netcat
+        nix-repl
+        nmap
+        p7zip
+        pass
+        q
+        qrencode
+        # XXX fails at systemd.services.dbus.unitConfig
+        #texlive
+        tmux
+
+        #ack
+        #apache-httpd
+        #ascii
+        #emacs
+        #es
+        #esniper
+        #gcc
+        #gptfdisk
+        #graphviz
+        #haskellPackages.cabal2nix
+        #haskellPackages.ghc
+        #haskellPackages.shake
+        #hdparm
+        #i7z
+        #iftop
+        #imagemagick
+        #inotifyTools
+        #iodine
+        #iotop
+        #lshw
+        #lsof
+        #minicom
+        #mtools
+        #ncmpc
+        #nethogs
+        #nix-prefetch-scripts #cvs bug
+        #openssl
+        #openswan
+        #parted
+        #perl
+        #powertop
+        #ppp
+        #proot
+        #pythonPackages.arandr
+        #pythonPackages.youtube-dl
+        #racket
+        #rxvt_unicode-with-plugins
+        #scrot
+        #sec
+        #silver-searcher
+        #sloccount
+        #smartmontools
+        #socat
+        #sshpass
+        #strongswan
+        #sysdig
+        #sysstat
+        #tcpdump
+        #tlsdate
+        #unetbootin
+        #utillinuxCurses
+        #wvdial
+        #xdotool
+        #xkill
+        #xl2tpd
+        #xsel
+
+        unison
+      ];
+    }
+  ];
+
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha512" "xts" ];
+    devices = [
+      { name = "zuca"; device = "/dev/sda2"; }
+    ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/zuvga-root";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/home" = {
+      device = "/dev/mapper/zuvga-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
+  };
+
+  nixpkgs.config.chromium.enablePepperFlash = true;
+
+  #hardware.bumblebee.enable = true;
+  #hardware.bumblebee.group = "video";
+  hardware.enableAllFirmware = true;
+  #hardware.opengl.driSupport32Bit = true;
+
+  environment.systemPackages = with pkgs; [
+    ethtool
+    tinc_pre
+    iptables
+    #jack2
+
+    gptfdisk
+  ];
+
+  security.setuidPrograms = [
+    "sendmail"  # for cron
+  ];
+
+  services.printing.enable = true;
+
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+  ];
+
+  #services.bitlbee.enable = true;
+  #services.tor.client.enable = true;
+  #services.tor.enable = true;
+  #services.virtualboxHost.enable = true;
+
+
+  # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "15.09";
+
+#/*
+#{ host api.doraemon.sg.zalora.net | awk '{print$4" api.zalora.sg"}';
+#  host bob.live.sg.zalora.net | awk '{print$4" bob.zalora.sg"}';
+#  host www.live.sg.zalora.net | awk '{print$4" www.zalora.sg costa.zalora.sg"}'; }
+#*/
+#  networking.extraHosts = optionalString (1 == 1) ''
+#54.255.133.72 api.zalora.sg
+#52.77.12.194 bob.zalora.sg
+#52.74.232.49 www.zalora.sg costa.zalora.sg
+#  '';
+
+
+  #services.elasticsearch.enable = true;
+  #services.kibana.enable = true;
+  #services.logstash.enable = true;
+
+  environment.etc."ssh/ssh_config".text = mkForce ''
+    AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+
+    ${optionalString config.programs.ssh.setXAuthLocation ''
+      XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
+    ''}
+
+    ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
+
+    # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
+    #PubkeyAcceptedKeyTypes +ssh-dss
+
+    ${config.programs.ssh.extraConfig}
+  '';
+
+}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dcc3edd82..a9ba1eadd 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -153,6 +153,7 @@ with config.krebs.lib;
       services.cron.enable = false;
       services.nscd.enable = false;
       services.ntp.enable = false;
+      services.timesyncd.enable = true;
     }
     {
@@ -169,6 +170,13 @@ with config.krebs.lib;
     }
     {
+      services.journald.extraConfig = ''
+        SystemMaxUse=1G
+        RuntimeMaxUse=128M
+      '';
+    }
+
+    {
       services.openssh = {
         enable = true;
         hostKeys = [
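Review bot: The `environment.etc."ssh/ssh_config".text = mkForce ''…''` block near the end of the new file copies the NixOS-generated client config verbatim, apparently only to carry the commented `#PubkeyAcceptedKeyTypes +ssh-dss` line, and with `mkForce` any directive the NixOS `programs.ssh` module later adds to its own template is silently dropped on this host. Since the copied template already interpolates `${config.programs.ssh.extraConfig}`, the same effect is available without the override via `programs.ssh.extraConfig = "PubkeyAcceptedKeyTypes +ssh-dss";` if and when DSA keys are really needed, so the forced `etc` entry can go. `options.tv.test.sercret-file` near the top misspells "secret" and reads as a scratch declaration; a comment stating its purpose, or its removal before merge, would help, and the commented-out `networking.extraHosts` block with hard-coded third-party addresses is dead weight that version control already preserves. `nixpkgs.config.chromium.enablePepperFlash = true;` pulls a plugin that is a well-known exploitation target into the browser; a comment saying what it is needed for would make a later cleanup easier.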
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 70e25e2e5..d0d07d5ca 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,10 +4,6 @@ with config.krebs.lib;
 {
   krebs.nginx = {
-    extraConfig = ''
-      events {
-      }
-    '';
     servers.default.locations = [
       (nameValuePair "= /etc/os-release" ''
         default_type text/plain;
|
