Diffstat (limited to 'makefu')
| -rw-r--r-- | makefu/1systems/darth.nix | 30 | ||||
| -rw-r--r-- | makefu/1systems/omo.nix | 47 | ||||
| -rw-r--r-- | makefu/1systems/pornocauster.nix | 4 | ||||
| -rw-r--r-- | makefu/1systems/shoney.nix | 38 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 4 | ||||
| -rw-r--r-- | makefu/2configs/default.nix | 9 | ||||
| -rw-r--r-- | makefu/2configs/fs/CAC-CentOS-7-64bit.nix | 20 | ||||
| -rw-r--r-- | makefu/2configs/fs/sda-crypto-root.nix | 6 | ||||
| -rw-r--r-- | makefu/2configs/hw/CAC.nix | 13 | ||||
| -rw-r--r-- | makefu/2configs/hw/fingerprint-reader.nix | 6 | ||||
| -rw-r--r-- | makefu/2configs/hw/tp-x220.nix | 4 | ||||
| -rw-r--r-- | makefu/2configs/hw/tp-x2x0.nix | 3 | ||||
| -rw-r--r-- | makefu/3modules/umts.nix | 10 | 
13 files changed, 157 insertions, 37 deletions
| diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 2f2358ddc..08ac7e66e 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -17,19 +17,37 @@ in {
       ../2configs/exim-retiolum.nix
       ../2configs/virtualization.nix
   ];
-
-  networking.firewall.allowedUDPPorts = [ 80 655 67 ];
-  networking.firewall.allowedTCPPorts = [ 80 655 ];
-  networking.firewall.checkReversePath = false;
+  services.tinc.networks.siem = {
+    name = "sdarth";
+    extraConfig = "ConnectTo = sjump";
+  };
   #networking.firewall.enable = false;
-  # virtualisation.nova.enableSingleNode = true;
   krebs.retiolum.enable = true;
   boot.kernelModules = [ "coretemp" "f71882fg" ];
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
-  networking.wireless.enable = true;
+  networking = {
+    wireless.enable = true;
+    firewall = {
+      allowPing = true;
+      logRefusedConnections = false;
+      allowedUDPPorts = [ 80 655 67 ];
+      allowedTCPPorts = [ 80 655 ];
+    };
+    nat = {
+      enable = true;
+      internalIPs = [ "10.8.10.0/24" ];
+      #internalInterfaces = [ "tinc.siem" ];
+      externalIP = "10.8.8.2";
+      externalInterface = "virbr3";
+    };
+    interfaces.virbr3.ip4 =  [{
+      address = "10.8.8.2";
+      prefixLength = 24;
+    }];
+  };
   # TODO smartd omo darth gum all-in-one
   services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index fbd06a9c7..e71055f54 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
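Review bot: The NAT block selects traffic by source address only (`internalIPs = [ "10.8.10.0/24" ]`) while the interface form (`#internalInterfaces = [ "tinc.siem" ]`) stays commented out, so — if the module emits its usual source-based MASQUERADE rule — any packet carrying a 10.8.10.0/24 source is forwarded and rewritten to 10.8.8.2 no matter which interface it arrived on, whereas binding to `tinc.siem` ties the NAT to the tunnel it is meant for. Dropping `checkReversePath = false` re-enables rp_filter and is the right direction, but nothing in this hunk restricts what crosses the NAT, since `allowedTCPPorts`/`allowedUDPPorts` only govern INPUT on this host. `logRefusedConnections = false` on a box that just became a gateway removes the only trace of rejected traffic; if it was added for noise, say so in a comment (`# refused-connection log disabled: virbr3 guests spam it -- presumably`) rather than leaving it silent. UDP 80 in `allowedUDPPorts` looks like a copy of the TCP list and deserves either a justification or removal.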
@@ -5,9 +5,10 @@
 { config, pkgs, lib, ... }:
 let
   byid = dev: "/dev/disk/by-id/" + dev;
-  keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
-  rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
-  homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
+  keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
+  rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
+  rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
+  primaryInterface = "enp1s0";
   # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
   # cryptsetup luksAddKey $dev tmpkey
   # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
@@ -15,14 +16,14 @@ let
   # omo Chassis:
   # __FRONT_
-  # |* d2   |
+  # |* d0   |
   # |       |
   # |* d3   |
   # |       |
-  # |* d0   |
+  # |* d3   |
   # |       |
-  # |* d1   |
   # |*      |
+  # |* d2   |
   # |  * r0 |
   # |_______|
   cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
@@ -38,27 +39,31 @@ in {
     [
       ../.
       # TODO: unlock home partition via ssh
-      ../2configs/fs/single-partition-ext4.nix
+      ../2configs/fs/sda-crypto-root.nix
       ../2configs/zsh-user.nix
       ../2configs/exim-retiolum.nix
       ../2configs/smart-monitor.nix
       ../2configs/mail-client.nix
-      ../2configs/share-user-sftp.nix
-      ../2configs/graphite-standalone.nix
+      #../2configs/graphite-standalone.nix
+      #../2configs/share-user-sftp.nix
       ../2configs/omo-share.nix
+
+      ## as long as pyload is not in nixpkgs:
+      # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
     ];
   krebs.retiolum.enable = true;
-  networking.firewall.trustedInterfaces = [ "enp3s0" ];
+  networking.firewall.trustedInterfaces = [ primaryInterface ];
   # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
   # tcp:80          - nginx for sharing files
   # tcp:655 udp:655 - tinc
   # tcp:8111        - graphite
+  # tcp:8112        - pyload
   # tcp:9090        - sabnzbd
   # tcp:9200        - elasticsearch
   # tcp:5601        - kibana
   networking.firewall.allowedUDPPorts = [ 655 ];
-  networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ];
+  networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
   # services.openssh.allowSFTP = false;
@@ -66,6 +71,9 @@ in {
   services.sabnzbd.enable = true;
   systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+  virtualisation.docker.enable = true;
+
+
   # HDD Array stuff
   services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
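Review bot: Adding `8112` to `allowedTCPPorts` and running the container with `-p 8112:8000 -P` are not the same gate: once `virtualisation.docker.enable = true` (second hunk on this line) is in, dockerd installs its own DOCKER chain ahead of the NixOS rules, so a `-p` port is reachable on every interface whether the firewall lists it or not, and `-P` additionally maps every port the image EXPOSEs onto random high host ports that appear in no comment here. If pyload is meant for the LAN only, bind it explicitly — `-p 127.0.0.1:8112:8000` behind the existing nginx, or `-p <lan-ip>:8112:8000` — and drop `-P`; the firewall entry then documents nothing and can go. `writl/pyload` is an unpinned tag from a third-party account fetched at `docker run` time; a digest pin (`writl/pyload@sha256:…`) would make the recipe reproducible, and `--restart=always` means this service outlives any NixOS rebuild, which the comment should say.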
@@ -76,15 +84,11 @@ in {
     disks = map toMapper [ 0 1 ];
     parity = toMapper 2;
   };
+
   fileSystems = let
     cryptMount = name:
       { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
-  in {
-    "/home" = {
-      device = "/dev/mapper/home";
-      fsType = "ext4";
-    };
-  } // cryptMount "crypt0"
+  in   cryptMount "crypt0"
     // cryptMount "crypt1"
     // cryptMount "crypt2";
@@ -101,15 +105,16 @@ in {
         usbkey = name: device: {
           inherit name device keyFile;
           keyFileSize = 4096;
+          allowDiscards = true;
         };
       in [
-        (usbkey "home" homePartition)
+        (usbkey "luksroot" rootPartition)
         (usbkey "crypt0" cryptDisk0)
         (usbkey "crypt1" cryptDisk1)
         (usbkey "crypt2" cryptDisk2)
       ];
     };
-    loader.grub.device = rootDisk;
+    loader.grub.device = lib.mkForce rootDisk;
     initrd.availableKernelModules = [
       "ahci"
@@ -121,12 +126,12 @@ in {
       "usbhid"
     ];
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = [ "kvm-intel" ];
     extraModulePackages = [ ];
   };
   hardware.enableAllFirmware = true;
-  hardware.cpu.amd.updateMicrocode = true;
+  hardware.cpu.intel.updateMicrocode = true;
   zramSwap.enable = true;
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index fa39b121c..2fb93798a 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -31,6 +31,7 @@
       # hardware specifics are in here
       ../2configs/hw/tp-x220.nix
+      ../2configs/hw/rtl8812au.nix
       # mount points
       ../2configs/fs/sda-crypto-root-home.nix
       # ../2configs/mediawiki.nix
@@ -59,7 +60,6 @@
   networking.firewall.allowedUDPPorts = [ 665 ];
   krebs.build.host = config.krebs.hosts.pornocauster;
-
   krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
   krebs.retiolum = {
     enable = true;
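Review bot: `allowDiscards = true` inside `usbkey` now applies to all four mappings, but only `luksroot` lives on the SanDisk SSD; crypt0–2 are ST2000DM001 spinning disks where TRIM does nothing, and on the SSD it is the documented trade-off that free-space layout and filesystem type become visible through the encryption. Scope it to the one device that benefits, `allowDiscards = name == "luksroot";`, and put the leak in a comment beside it (`# TRIM passthrough leaks block usage; accepted for the SSD root only`). The same 4096-byte blob on the USB stick (`keyFileSize = 4096`) now unlocks root as well as the data array, so losing the stick gives everything at once — a design choice, but one the header comment about `luksAddKey` should spell out together with whether a passphrase slot exists as fallback. The `usbkey` helper's enclosing `boot = { … }` attribute set starts before this hunk.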
@@ -68,4 +68,6 @@
   networking.extraHosts = ''
     192.168.1.11 omo.local
   '';
+  # hard dependency because otherwise the device will not be unlocked
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
 }
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
new file mode 100644
index 000000000..48679fe58
--- /dev/null
+++ b/makefu/1systems/shoney.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+let
+  ip     = "64.137.234.215";
+  alt-ip = "64.137.234.210";
+  extra-ip = "64.137.234.114"; #currently unused
+  gw = "64.137.234.1";
+in {
+  imports = [
+    ../.
+    ../2configs/hw/CAC.nix
+    ../2configs/fs/CAC-CentOS-7-64bit.nix
+
+  ];
+
+
+  services.tinc.networks.siem.name = "sjump";
+
+  # minimal resources
+  services.nixosManual.enable = false;
+  programs.man.enable = false;
+  nix.gc.automatic = true;
+  nix.gc.dates = "03:10";
+
+  krebs = {
+    enable = true;
+    retiolum.enable = true;
+    build.host = config.krebs.hosts.shoney;
+  };
+  networking.interfaces.enp2s1.ip4 = [
+    { address = ip; prefixLength = 24; }
+    { address = alt-ip; prefixLength = 24; }
+  ];
+
+  networking.defaultGateway = gw;
+  networking.nameservers = [ "8.8.8.8" ];
+  networking.firewall.allowedUDPPorts = [ 655 1655 ];
+  networking.firewall.allowedTCPPorts = [ 655 1655 ];
+}
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index d9f8ded83..ed48c6abe 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -9,8 +9,8 @@ in {
   imports = [
       ../.
       # TODO: copy this config or move to krebs
-      ../../tv/2configs/hw/CAC.nix
-      ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
+      ../2configs/hw/CAC.nix
+      ../2configs/fs/CAC-CentOS-7-64bit.nix
       ../2configs/headless.nix
       ../2configs/bepasty-dual.nix
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 62daed8be..e7366e182 100644
--- a/makefu/2configs/default.nix
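Review bot: shoney opens `655 1655` on TCP and UDP, yet the only tinc configuration in the new file is `services.tinc.networks.siem.name = "sjump"`; with `krebs.retiolum.enable = true` also set, two tincd instances would both default to port 655 unless `siem` gets `extraConfig = "Port = 1655"` somewhere not visible here (darth's side in this same commit sets only `ConnectTo = sjump`, no port either). If that `Port` line lives in a shared module, a comment next to the firewall lines naming it saves the next reader the search; if it does not, the second daemon fails to bind and 1655 is open for nothing. This is a public jump host with two routable addresses that resolves through `8.8.8.8`; whatever SSH hardening applies comes from `../.` and cannot be checked from this hunk. The pornocauster hunk above re-adds the LUKS mapping by raw `/dev/sda2`; by-id or by-uuid would survive a USB stick enumerating first, as omo.nix already does.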
+++ b/makefu/2configs/default.nix
@@ -154,6 +154,15 @@ with config.krebs.lib;
     "net.ipv6.conf.default.use_tempaddr" = 2;
   };
+  system.activationScripts.nix-defexpr = ''
+    (set -euf
+     for i in /home/makefu /root/;do
+       f="$i/.nix-defexpr"
+       rm -fr "$f"
+       ln -s /var/src/nixpkgs "$f"
+     done)
+  '';
+
   i18n = {
     consoleKeyMap = "us";
     defaultLocale = "en_US.UTF-8";
diff --git a/makefu/2configs/fs/CAC-CentOS-7-64bit.nix b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
new file mode 100644
index 000000000..c9eb97f44
--- /dev/null
+++ b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,20 @@
+_:
+
+{
+  boot.loader.grub = {
+    device = "/dev/sda";
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/centos/root";
+      fsType = "xfs";
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+    };
+  };
+  swapDevices = [
+    { device = "/dev/centos/swap"; }
+  ];
+}
diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix
index b82c0e44e..5c7cdf716 100644
--- a/makefu/2configs/fs/sda-crypto-root.nix
+++ b/makefu/2configs/fs/sda-crypto-root.nix
@@ -1,16 +1,16 @@
 { config, lib, pkgs, ... }:
 # sda:  bootloader grub2
-# sda1: boot ext4 (label nixboot)
+# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required:
+  # boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
 # sda2: cryptoluks -> ext4
 with config.krebs.lib;
 {
   boot = {
     loader.grub.enable = true;
     loader.grub.version = 2;
-    loader.grub.device = "/dev/sda";
+    loader.grub.device = lib.mkDefault "/dev/sda";
-    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
     initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
   };
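Review bot: The new unlock instruction in sda-crypto-root.nix is attached to the `# sda1: boot ext4` line, which is the one part of the disk that is not encrypted; it belongs under `# sda2: cryptoluks -> ext4`, and its example names the raw `/dev/sda2` node, the instability omo.nix avoids with `/dev/disk/by-id/...` (a USB stick enumerating first at boot points sda2 at another disk). Suggested wording: `# sda2: cryptoluks -> ext4 -- this module no longer declares the mapping; consumers must add boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/<uuid>"; allowDiscards = true; } ];`. Because the mapping moved out, a consumer that forgets it boots into an initrd that cannot find root; an `assertions` entry checking `config.boot.initrd.luks.devices != []` would turn that into a build-time error. In default.nix, `rm -fr`/`ln -s` run as root over a hard-coded `/home/makefu`; `config.users.users.makefu.home` would follow the real home, and if it is absent `ln -s` fails under `set -e` — whether that aborts the whole activation I cannot tell from here.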
diff --git a/makefu/2configs/hw/CAC.nix b/makefu/2configs/hw/CAC.nix
new file mode 100644
index 000000000..9ed18344a
--- /dev/null
+++ b/makefu/2configs/hw/CAC.nix
@@ -0,0 +1,13 @@
+_:
+{
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "vmw_pvscsi"
+  ];
+  boot.loader.grub.splashImage = null;
+  nix = {
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+  sound.enable = false;
+}
diff --git a/makefu/2configs/hw/fingerprint-reader.nix b/makefu/2configs/hw/fingerprint-reader.nix
new file mode 100644
index 000000000..1f2f00b03
--- /dev/null
+++ b/makefu/2configs/hw/fingerprint-reader.nix
@@ -0,0 +1,6 @@
+_: {
+  # add fingerprint with fprintd-enroll
+  services.fprintd.enable = true;
+  security.pam.services.login.fprintAuth = true;
+  security.pam.services.xscreensaver.fprintAuth = true;
+}
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index be3d1eb70..1c9a34965 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -5,7 +5,7 @@ with config.krebs.lib;
   imports = [ ./tp-x2x0.nix ];
   boot = {
-    kernelModules = [ "kvm-intel" "acpi_call" ];
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
   };
@@ -28,7 +28,7 @@ with config.krebs.lib;
   # enable HDMI output switching with pulseaudio
   hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
-    ${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
+    ${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
     load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
   '';
diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix
index 7f9dc67a5..c10ec1314 100644
--- a/makefu/2configs/hw/tp-x2x0.nix
+++ b/makefu/2configs/hw/tp-x2x0.nix
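Review bot: `fprintAuth = true` on both `login` and `xscreensaver` makes a fingerprint an accepted credential on its own for console login and screen unlock if the NixOS PAM module of this vintage emits `auth sufficient pam_fprintd.so` (it did at the time — confirm against the generated /etc/pam.d/login); that puts a non-secret, non-revocable biometric in front of a laptop whose root disk is otherwise guarded by a LUKS passphrase. The one comment in the file should say so: `# NOTE: fingerprint alone satisfies login/xscreensaver PAM auth -- no password prompt; enroll with fprintd-enroll`. Consider enabling it for `xscreensaver` only and keeping the password for `login`, and verify that `xscreensaver` is the PAM service name the binary actually requests, otherwise the entry is dead. In tp-x220.nix, loading `tpm-rng` registers the TPM as a hwrng source; whether the kernel feeds it into the entropy pool without rngd depends on the hwrng quality setting — presumably verify with `/sys/class/misc/hw_random/rng_current`.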
@@ -22,7 +22,8 @@ with config.krebs.lib;
   services.tlp.enable = true;
   services.tlp.extraConfig = ''
-    START_CHARGE_THRESH_BAT0=80
+    # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
+    #START_CHARGE_THRESH_BAT0=80
     STOP_CHARGE_THRESH_BAT0=95
     CPU_SCALING_GOVERNOR_ON_AC=performance
diff --git a/makefu/3modules/umts.nix b/makefu/3modules/umts.nix
index e527a5cb7..300467e1f 100644
--- a/makefu/3modules/umts.nix
+++ b/makefu/3modules/umts.nix
@@ -3,6 +3,14 @@
 with config.krebs.lib;
 let
+  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
+    owner = "NixOS"; repo = "nixpkgs-channels";
+    rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
+    sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
+  }) {};
+
+  wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
+
   # TODO: currently it is only netzclub
   umts-bin = pkgs.writeScriptBin "umts" ''
     #!/bin/sh
@@ -62,7 +70,7 @@ let
         Type = "simple";
         Restart = "always";
         RestartSec = "10s";
-        ExecStart = "${pkgs.wvdial}/bin/wvdial -n";
+        ExecStart = "${wvdial}/bin/wvdial -n";
       };
     };
   };
|
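Review bot: Taking `wvdial` from `nixpkgs-channels@91371c2…` pulls its entire 15.09 closure — wvstreams, the OpenSSL it links, glibc — frozen at that snapshot, so the dialer that talks to the carrier modem receives no further security fixes for as long as the workaround lives; the `sha256` pin makes it reproducible, not maintained. Give the workaround an expiry tied to the issue it cites, e.g. `# FIXME(nixpkgs#16113): drop nixpkgs-1509 once wvdial builds on the current channel -- this closure gets no security updates`, and keep `nixpkgs-1509` confined to `wvdial` as the `ExecStart` change does rather than letting it leak into other packages. `import … {}` also evaluates with an empty config, so the host's `allowUnfree` and overlays do not apply to it, which is fine for wvdial but worth a word. The `let` binding this hunk extends and the systemd unit it feeds both continue outside the hunk.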
