Diffstat (limited to 'old/modules/mors')
| -rw-r--r-- | old/modules/mors/default.nix | 283 | ||||
| -rw-r--r-- | old/modules/mors/git.nix | 71 | ||||
| -rw-r--r-- | old/modules/mors/repos.nix | 78 | 
3 files changed, 432 insertions, 0 deletions
| 
diff --git a/old/modules/mors/default.nix b/old/modules/mors/default.nix
new file mode 100644
index 000000000..d83d6abc9
--- /dev/null
+++ b/old/modules/mors/default.nix
@@ -0,0 +1,283 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../lass/xresources.nix
+    ../lass/desktop-base.nix
+    ../lass/programs.nix
+    ../lass/retiolum-mors.nix
+    ../lass/xserver-lass.nix
+    ../tv/synaptics.nix
+    ../lass/bitcoin.nix
+    ../lass/browsers.nix
+    ../lass/games.nix
+    ../tv/exim-retiolum.nix
+    ../lass/pass.nix
+    ../lass/vim.nix
+    ../lass/virtualbox.nix
+    ../lass/elster.nix
+    ../lass/urxvt.nix
+    ../lass/steam.nix
+    ../lass/wine.nix
+    ../lass/texlive.nix
+    ../common/nixpkgs.nix
+    ../lass/binary-caches.nix
+    ../lass/ircd.nix
+    ../../secrets/mors-pw.nix
+    ./repos.nix
+    ../lass/chromium-patched.nix
+    ./git.nix
+  ];
+
+  nixpkgs = {
+    url = "https://github.com/Lassulus/nixpkgs";
+    rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
+  };
+
+  networking.hostName = "mors";
+  networking.wireless.enable = true;
+
+  networking.extraHosts = ''
+  '';
+
+  nix.maxJobs = 4;
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  boot = {
+    kernelParams = [
+      "acpi.brightness_switch_enabled=0"
+    ];
+    loader.grub.enable = true;
+    loader.grub.version = 2;
+    loader.grub.device = "/dev/sda";
+
+    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+    #kernelModules = [ "kvm-intel" "msr" ];
+    kernelModules = [ "msr" ];
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/big/nix";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/sda1";
+    };
+
+    "/mnt/loot" = {
+      device = "/dev/big/loot";
+      fsType = "ext4";
+    };
+
+    "/home" = {
+      device = "/dev/big/home";
+      fsType = "ext4";
+    };
+
+    "/home/lass" = {
+      device = "/dev/big/home-lass";
+      fsType = "ext4";
+    };
+
+    "/mnt/backups" = {
+      device = "/dev/big/backups";
+      fsType = "ext4";
+    };
+
+    "/home/games/.local/share/Steam" = {
+      device = "/dev/big/steam";
+      fsType = "ext4";
+    };
+
+    "/home/virtual/virtual" = {
+      device = "/dev/big/virtual";
+      fsType = "ext4";
+    };
+
+    "/mnt/public" = {
+      device = "/dev/big/public";
+      fsType = "ext4";
+    };
+  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
+  '';
+
+  #activationScripts
+  #split up and move into base
+  system.activationScripts.powertopTunables = ''
+    #Enable Audio codec power management
+    echo '1' > '/sys/module/snd_hda_intel/parameters/power_save'
+    #VM writeback timeout
+    echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs'
+    #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp]
+    echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control'
+    #Autosuspend for USB device Biometric Coprocessor
+    echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
+
+    #Runtime PMs
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
+    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
+  '';
+  system.activationScripts.trackpoint = ''
+    echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
+    echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
+  '';
+
+  services.xserver = {
+    videoDriver = "intel";
+    vaapiDrivers = [ pkgs.vaapiIntel ];
+    deviceSection = ''
+      Option "AccelMethod" "sna"
+      BusID "PCI:0:2:0"
+    '';
+  };
+
+  users.extraUsers = {
+    #main user
+    mainUser = {
+      uid = 1337;
+      name = "lass";
+      #isNormalUser = true;
+      group = "users";
+      createHome = true;
+      home = "/home/lass";
+      useDefaultShell = true;
+      isSystemUser = false;
+      extraGroups = [ "wheel" "audio" ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+  ];
+
+  #TODO: fix this shit
+  ##fprint stuff
+  ##sudo fprintd-enroll $USER to save fingerprints
+  #services.fprintd.enable = true;
+  #security.pam.services.sudo.fprintAuth = true;
+
+  users.extraGroups = {
+    loot = {
+      members = [
+        config.users.extraUsers.mainUser.name
+        "firefox"
+        "chromium"
+        "google"
+        "virtual"
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowPing = true;
+    allowedTCPPorts = [
+      8000
+    ];
+    allowedUDPPorts = [
+      67
+    ];
+  };
+
+  #services.ircdHybrid = {
+  #  enable = true;
+
+  #  description = "local test server";
+  #};
+
+  #TODO
+  #services.urxvtd = {
+  #  enable = true;
+  #  users = [ "lass" ];
+  #  urxvtPackage = pkgs.rxvt_unicode_with-plugins;
+  #};
+
+  #system.activationScripts.iptables =
+  #  let
+  #    log = false;
+  #    when = c: f: if c then f else "";
+  #  in
+  #    ''
+  #      ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+  #      ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+  #      ipXtables() { ip4tables "$@"; ip6tables "$@"; }
+
+  #      #
+  #      # nat
+  #      #
+
+  #      # reset tables
+  #      ipXtables -t nat -F
+  #      ipXtables -t nat -X
+
+  #      #
+  #      #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+  #      ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+  #      #
+  #      # filter
+  #      #
+
+  #      # reset tables
+  #      ipXtables -P INPUT DROP
+  #      ipXtables -P FORWARD DROP
+  #      ipXtables -F
+  #      ipXtables -X
+
+  #      # create custom chains
+  #      ipXtables -N Retiolum
+
+  #      # INPUT
+  #      ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+  #      ipXtables -A INPUT -j ACCEPT -i lo
+  #      ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+  #      ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+  #      ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+  #      ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+
+  #      #mc
+  #      ipXtables -A INPUT -j ACCEPT -p tcp --dport 25565
+  #      ipXtables -A INPUT -j ACCEPT -p udp --dport 25565
+
+  #      ipXtables -A INPUT -j Retiolum -i retiolum
+  #      ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+  #      # FORWARD
+  #      ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+  #      # Retiolum
+  #      ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+  #      ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+  #      ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+  #      ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+  #      ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+  #      ip4tables -A Retiolum -j REJECT        --reject-with icmp-proto-unreachable
+  #      ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+  #      ip6tables -A Retiolum -j REJECT
+
+  #    '';
+}
diff --git a/old/modules/mors/git.nix b/old/modules/mors/git.nix
new file mode 100644
index 000000000..1dd61d164
--- /dev/null
+++ b/old/modules/mors/git.nix
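Review bot: The `networking.firewall` block near the end of default.nix opens TCP 8000 and UDP 67 on every interface, including the wireless `wl0` named by the udev rule, without saying which service needs them; UDP 67 is the DHCP-server port, so if this host is not meant to hand out leases the entry looks like a leftover. A comment on each entry would settle it, e.g. `allowedTCPPorts = [ 8000 ]; # TODO: name the listening service and whether it must be reachable on wl0` and `allowedUDPPorts = [ 67 ]; # DHCP server — confirm this is intended`. The roughly 70-line commented-out `system.activationScripts.iptables` block at the end of the file is dead code that shadows what the firewall module now does; delete it (history keeps it) or shrink it to a one-line TODO. In `powertopTunables`, the writes to fixed USB paths `1-1.3` and `1-1.4` depend on port topology and will fail on a different dock or port; guarding each with `[ -e "$path" ] &&` would keep activation from erroring when the device is absent.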
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../tv/git
+  ];
+
+  services.git =
+    let
+      inherit (builtins) readFile;
+      # TODO lib should already include our stuff
+      inherit (import ../../lib { inherit lib pkgs; }) addNames git;
+
+      krebs-private = name: desc:
+          {
+            inherit desc;
+            hooks = {
+              post-receive = git.irc-announce {
+                nick = config.networking.hostName; # TODO make this the default
+                channel = "#retiolum";
+                server = "ire.retiolum";
+              };
+            };
+          }
+    in rec {
+      enable = true;
+
+      users = addNames {
+        tv = { pubkey = readFile <pubkeys/tv.ssh.pub>; };
+        lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+        uriel = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+        makefu = { pubkey = "xxx"; };
+      };
+
+      repos = addNames {
+        shitment = {
+          desc = "shitment repository";
+          hooks = {
+            post-receive = git.irc-announce {
+              nick = config.networking.hostName; # TODO make this the default
+              channel = "#retiolum";
+              server = "ire.retiolum";
+            };
+          };
+          public = true;
+        };
+        testing = {
+          desc = "testing repository";
+          hooks = {
+            post-receive = git.irc-announce {
+              nick = config.networking.hostName; # TODO make this the default
+              channel = "#repository";
+              server = "ire.retiolum";
+            };
+          };
+          public = true;
+        };
+      };
+
+      rules = with git; with users; with repos; [
+        { user = lass;
+          repo = [ testing shitment ];
+          perm = push master [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv uriel makefu ];
+          repo = [ testing shitment ];
+          perm = fetch;
+        }
+      ];
+    };
+}
diff --git a/old/modules/mors/repos.nix b/old/modules/mors/repos.nix
new file mode 100644
index 000000000..e31ba9481
--- /dev/null
+++ b/old/modules/mors/repos.nix
@@ -0,0 +1,78 @@
+{ ... }:
+
+{
+  imports = [
+    ../lass/gitolite-base.nix
+    ../common/krebs-keys.nix
+    ../common/krebs-repos.nix
+  ];
+
+  services.gitolite = {
+    repos = {
+
+      config = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+          tv = "R";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
+      pass = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+        };
+      };
+
+      load-env = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+          tv = "R";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
+      emse-hsdb = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+          tv = "R";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
+      brain = {
+        users = {
+          lass = "RW+";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+        #hooks.post-receive = irc-announce;
+      };
+
+      painload = {
+        users = {
+          lass = "RW+";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
+      services = {
+        users = {
+          lass = "RW+";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
+      xmonad-config = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+        };
+      };
+
+    };
+  };
+}
| 
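Review bot: In git.nix `uriel` is defined with `readFile <pubkeys/lass.ssh.pub>`, the very same key as `lass`, yet `rules` grants lass push and uriel only fetch; with two users sharing one key, which user an SSH connection is attributed to (and so whether it may push) depends on how `../tv/git`, outside this hunk, matches keys, so the fetch-only rule for uriel cannot be relied on. Point uriel at their own key file (a `<pubkeys/PLACEHOLDER-uriel.ssh.pub>`-style entry) or leave the user out until one exists. `makefu = { pubkey = "xxx"; }` is likewise a placeholder inside an authorization list and should not be committed as-is. Separately, the `krebs-private` binding in the `let` is unused and its closing `}` has no `;` before `in`, which Nix rejects (every `let` binding ends in `;`); either drop it or finish it and use it for the two duplicated `irc-announce` hook blocks, which would also expose the `#retiolum` vs `#repository` channel mismatch between the two repos.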
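Review bot: In repos.nix the string `extraConfig = "option hook.post-receive = irc-announce";` is repeated verbatim in six repos; bind it once, e.g. `let announce = "option hook.post-receive = irc-announce"; in` above `services.gitolite`, so that adding a repo cannot silently omit the hook and a future rename touches one line. The commented `#hooks.post-receive = irc-announce;` under `brain` is dead and should be removed. Every repo grants `lass = "RW+"`, which in gitolite includes rewinding and deleting refs; for `pass` and `brain` in particular, if history is meant to be append-only, plain `RW` is the narrower grant, and a one-line comment stating which was intended would help the next reader.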
