Diffstat (limited to 'old/modules/wu')
| -rw-r--r-- | old/modules/wu/default.nix | 464 | ||||
| -rw-r--r-- | old/modules/wu/hosts.nix | 22 | ||||
| -rw-r--r-- | old/modules/wu/paths.nix | 12 | ||||
| -rw-r--r-- | old/modules/wu/users.nix | 227 | 
4 files changed, 725 insertions, 0 deletions
| diff --git a/old/modules/wu/default.nix b/old/modules/wu/default.nix
new file mode 100644
index 000000000..e55fbaf3f
--- /dev/null
+++ b/old/modules/wu/default.nix
@@ -0,0 +1,464 @@
+{ config, pkgs, ... }:
+
+let
+  location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix
+in
+
+{
+  imports = [
+    ./hosts.nix
+    ../tv/base.nix
+    ../tv/config/consul-client.nix
+    ../tv/exim-retiolum.nix
+    ../tv/environment.nix
+    ../tv/sanitize.nix
+    ../tv/smartd.nix
+    ../tv/synaptics.nix
+    ../tv/urxvt.nix
+    ../tv/xserver.nix
+    ../wu/users.nix
+    {
+      imports = [ ../tv/identity ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.wu;
+      };
+    }
+    {
+      imports = [ ../tv/iptables ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      imports = [ ../tv/nginx ];
+      tv.nginx = {
+        enable = true;
+        retiolum-locations = [
+          (location "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      imports = [ ../tv/retiolum ];
+      tv.retiolum = {
+        enable = true;
+        hosts = <retiolum-hosts>;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+    {
+      imports = [ ../tv/urlwatch ];
+      tv.urlwatch = {
+        enable = true;
+        mailto = "tv@wu.retiolum";
+        onCalendar = "*-*-* 05:00:00";
+        urls = [
+          ## nixpkgs maintenance
+
+          # 2014-07-29 when one of the following urls change
+          # then we have to update the package
+
+          # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
+          http://simple-evcorr.sourceforge.net/
+
+          # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
+          https://thp.io/2008/urlwatch/
+
+          # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
+          https://api.github.com/repos/ioerror/tlsdate/tags
+
+          # 2015-02-18
+          # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
+          http://www.fourmilab.ch/webtools/qprint/
+
+          # 2014-09-24 ref https://github.com/4z3/xintmap
+          http://www.mathstat.dal.ca/~selinger/quipper/
+
+          # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
+          # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
+          http://nixos.org/releases/nixops/
+
+          ## other
+
+          https://nixos.org/channels/nixos-unstable/git-revision
+
+          ## 2014-10-17
+          ## TODO update ~/src/login/default.nix
+          #http://hackage.haskell.org/package/bcrypt
+          #http://hackage.haskell.org/package/cron
+          #http://hackage.haskell.org/package/hyphenation
+          #http://hackage.haskell.org/package/iso8601-time
+          #http://hackage.haskell.org/package/ixset-typed
+          #http://hackage.haskell.org/package/system-command
+          #http://hackage.haskell.org/package/transformers
+          #http://hackage.haskell.org/package/web-routes-wai
+          #http://hackage.haskell.org/package/web-page
+        ];
+      };
+    }
+  ];
+
+  nix = {
+    buildCores = 4;
+    maxJobs = 4;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+    # for jack
+    KERNEL=="rtc0", GROUP="audio"
+    KERNEL=="hpet", GROUP="audio"
+  '';
+
+  #services.virtualbox.enable = true;
+  #services.virtualboxGuest.enable = false;
+  services.virtualboxHost.enable = true;
+  #services.virtualboxHost.addNetworkInterface = false;
+  #systemd.services.vboxnet =
+  #  let
+  #    remove_vboxnets = ''
+  #      for i in $(cd /sys/class/net && ls | grep ^vboxnet); do
+  #        VBoxManage hostonlyif remove $i
+  #      done
+  #    '';
+  #  in {
+  #    wantedBy = [ "multi-user.target" ];
+  #    requires = [ "dev-vboxnetctl.device" ];
+  #    after = [ "dev-vboxnetctl.device" ];
+  #    path = with pkgs; [
+  #      linuxPackages.virtualbox
+  #      nettools
+  #    ];
+  #    postStop = remove_vboxnets;
+  #    script = ''
+  #      ${remove_vboxnets} # just in case...
+  #      VBoxManage hostonlyif create # vboxnet0
+  #      ifconfig vboxnet0 up 169.254.13.37/16
+  #    '';
+  #    serviceConfig = {
+  #      Type = "oneshot";
+  #      PrivateTmp = true;
+  #      RemainAfterExit = "yes";
+  #    };
+  #    environment.VBOX_USER_HOME = "/tmp";
+  #  };
+
+
+  services.bitlbee.enable = true;
+
+  #services.rabbitmq = {
+  #  enable = true;
+  #  cookie = "f00f";
+  #  plugins = [
+  #    "rabbitmq_management"
+  #  ];
+  #};
+
+
+  #services.elasticsearch.enable = true;
+
+  #services.cgserver = {
+  #  enable = true;
+  #  httpPort = 8003;
+  #  #flushLog = false;
+  #  #cgroupRoot = "/sys/fs/cgroup";
+  #  #user = "zalora";
+  #};
+
+
+
+
+  #services.tlsdated = {
+  #  enable = true;
+  #  extraOptions = "-p";
+  #};
+
+  services.tor.enable = true;
+  services.tor.client.enable = true;
+
+
+
+  # hardware configuration
+  boot.initrd.luks.devices = [
+    { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
+  ];
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ];
+  boot.initrd.availableKernelModules = [ "ahci" ];
+  #boot.kernelParams = [
+  #  "intel_pstate=enable"
+  #];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # 2014-12-17 pkgs.linuxPackages_3_14 is known good
+  boot.kernelPackages = pkgs.linuxPackages_3_18;
+
+  boot.kernel.sysctl = {
+    # Enable IPv6 Privacy Extensions
+    "net.ipv6.conf.all.use_tempaddr" = 2;
+    "net.ipv6.conf.default.use_tempaddr" = 2;
+  };
+
+  boot.extraModprobeConfig = ''
+    options kvm_intel nested=1
+  '';
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/vg840-wuroot";
+      fsType = "btrfs";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/home" = {
+      device = "/dev/mapper/home";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = "nosuid,nodev,noatime";
+    };
+  };
+
+  swapDevices =[ ];
+
+
+  nixpkgs.config.firefox.enableAdobeFlash = true;
+  nixpkgs.config.chromium.enablePepperFlash = true;
+
+  nixpkgs.config.allowUnfree = true;
+  hardware.bumblebee.enable = true; # TODO this is host specific
+  hardware.bumblebee.group = "video";
+  #services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.opengl.driSupport32Bit = true;
+
+  hardware.pulseaudio.enable = true;
+
+  hardware.enableAllFirmware = true;
+
+  # Use the gummiboot efi boot loader.
+  boot.loader.gummiboot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "wu";
+  networking.wireless.enable = true;
+
+
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "lat9w-16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  system.activationScripts.powertopTunables =
+    ''
+      echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+      echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+      (cd /sys/bus/pci/devices
+        for i in *; do
+          echo auto > $i/power/control # defaults to 'on'
+        done)
+      # TODO maybe do this via udev or systemd
+      #   ref https://wiki.archlinux.org/index.php/Wake-on-LAN
+      # disable wol this cannot find ethtool
+      # TODO (cd /sys/class/net
+      # TODO   for i in *; do
+      # TODO     if ethtool $i | grep -q Wake-on &&
+      # TODO         ! ethtool $i | grep -q 'Wake-on: d'; then
+      # TODO       ethtool -s $i wol d
+      # TODO     fi
+      # TODO   done)
+      ${pkgs.ethtool}/sbin/ethtool -s en0 wol d
+    '';
+
+  environment.systemPackages = with pkgs; [
+    xlibs.fontschumachermisc
+    slock
+    ethtool
+    #firefoxWrapper # with plugins
+    #chromiumDevWrapper
+    tinc
+    iptables
+    #jack2
+  ];
+
+  security.setuidPrograms = [
+    "sendmail"  # for cron
+    "slock"
+  ];
+
+  # TODO
+  # Currently ./run doesn't know about certificates
+  #security.pki.certificateFiles = [
+  #  ./certs/zalora-ca.crt
+  #];
+
+  #security.pam.loginLimits = [
+  #  # for jack
+  #  { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+  #  { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+  #];
+
+  #services.haveged.enable = true;
+  #security.rngd.enable = true;
+
+  #services.privoxy = {
+  #  enable = true;
+  #  extraConfig = ''
+  #    actionsfile /etc/privoxy/easylist.script.action
+  #    actionsfile /etc/privoxy/easylistgermany.script.action
+  #    filterfile /etc/privoxy/easylist.script.filter
+  #    filterfile /etc/privoxy/easylistgermany.script.filter
+  #  '';
+  #};
+
+  #services.dbus.enable = true; # rqd4 wpa_supplicant
+
+  services.logind.extraConfig = ''
+    HandleHibernateKey=ignore
+    HandleLidSwitch=ignore
+    HandlePowerKey=ignore
+    HandleSuspendKey=ignore
+  '';
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+  };
+
+  # services.printing.enable = true;
+  services.printing = {
+    enable = true;
+    #extraConf = ''
+    #  LogLevel debug
+    #'';
+    drivers = with pkgs; [
+      #cups_filters
+      #foomatic_filters
+      #gutenprint
+      #hplip
+    ];
+  };
+
+
+
+  #services.kmscon.enable = true;
+
+
+  # TODO virtualisation.libvirtd.enable = true;
+  #       users.extraUsers.tv.extraGroups += [ "libvirtd" ]
+
+
+
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+
+  #systemd.timers.chargeMon = {
+  #  wantedBy = [ "multi-user.target" ];
+  #  timerConfig.OnCalendar = "*-*-* *:*:00";
+  #};
+  #systemd.services.chargeMon = {
+  #  path  = [ ];
+  #  environment = {
+  #    ac_online   = "/sys/class/power_supply/AC/online";
+  #    charge_now  = "/sys/class/power_supply/BAT/charge_now";
+  #    charge_full = "/sys/class/power_supply/BAT/charge_full";
+  #  };
+  #  serviceConfig = {
+  #    User = "nobody";
+  #    Type = "oneshot";
+  #  };
+  #  script = ''
+  #    if test $(cat $ac_online) == 1; then
+  #      echo "AC is online"
+  #      exit
+  #    fi
+  #    cat $charge_now
+  #  '';
+  #};
+
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+  ];
+
+  # TODO services.smartd
+  # TODO services.statsd
+  # TODO services.tor
+  # TODO write arandr
+  # TODO what does system.copySystemConfiguration (we need some kind of bku scheme)
+  # TODO systemd.timers instead of cron(??)
+
+  virtualisation.libvirtd.enable = true;
+
+
+
+
+  #system.replaceRuntimeDependencies = with pkgs;
+  #  let
+  #      bashVulnPatches = [
+  #        (fetchurl {
+  #          url = "mirror://gnu/bash/bash-4.2-patches/bash42-048";
+  #          sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km";
+  #        })
+  #        (fetchurl {
+  #          url = "file:///etc/nixos/bash-20140926.patch";
+  #          sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4";
+  #        })
+  #      ];
+  #  in
+  #  [
+  #    {
+  #      original = bash;
+  #      replacement = pkgs.lib.overrideDerivation bash (oldAttrs: {
+  #        patches = oldAttrs.patches ++ bashVulnPatches;
+  #      });
+  #    }
+  #    {
+  #      original = bashInteractive;
+  #      replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: {
+  #        patches = oldAttrs.patches ++ bashVulnPatches;
+  #      });
+  #    }
+  #    {
+  #      original = bitlbee;
+  #      replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: {
+  #        configureFlags = [
+  #          "--gcov=1"
+  #          "--otr=1"
+  #          "--ssl=gnutls"
+  #        ];
+  #      });
+  #    }
+  #];
+
+
+}
diff --git a/old/modules/wu/hosts.nix b/old/modules/wu/hosts.nix
new file mode 100644
index 000000000..207553b08
--- /dev/null
+++ b/old/modules/wu/hosts.nix
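Review bot: The `~` location in the tv.nginx block feeds the first regex capture straight into `alias /home/$1/public_html$2;`, so `(.+?)` accepts any byte sequence as the "user name", including `.`, `..` and characters that are never valid login names. nginx normalizes dot segments in the URI before location matching, so this is defence in depth rather than a known traversal, but the capture is far easier to reason about if it is restricted to the login-name alphabet, e.g. `(location "~ ^/~([a-z_][a-z0-9_-]*)(/.*)?\$" ''` with the alias body unchanged. Separately, `bits = 8192` on the ed25519 host key carries no meaning: the module presumably passes it to ssh-keygen as `-b`, which that tool documents as ignored for Ed25519 (fixed-size keys), and that is what the `XXX bits here make no science` comment is circling around; dropping the `bits` attribute removes the misleading value instead of annotating it.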
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+  networking.extraHosts =
+    ''
+      192.168.1.1 wrt.gg23 wrt
+      192.168.1.11 mors.gg23
+      192.168.1.12 uriel.gg23
+      192.168.1.23 raspi.gg23 raspi
+      192.168.1.37 wu.gg23
+      192.168.1.110 nomic.gg23
+      192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
+
+      127.0.0.1  dev.zalora.sg www.dev.zalora.sg bob.dev.zalora.sg static.dev.zalora.sg
+      127.0.0.1  dev.zalora.com.my www.dev.zalora.com.my bob.dev.zalora.com.my static.dev.zalora.com.my
+      127.0.0.1  dev.zalora.com.ph www.dev.zalora.com.ph bob.dev.zalora.com.ph static.dev.zalora.com.ph
+      127.0.0.1  dev.zalora.vn www.dev.zalora.vn bob.dev.zalora.vn static.dev.zalora.vn
+      127.0.0.1  dev.zalora.co.id www.dev.zalora.co.id bob.dev.zalora.co.id static.dev.zalora.co.id
+      127.0.0.1  dev.zalora.co.th www.dev.zalora.co.th bob.dev.zalora.co.th static.dev.zalora.co.th
+      127.0.0.1  dev.zalora.com.hk www.dev.zalora.com.hk bob.dev.zalora.com.hk static.dev.zalora.com.hk
+    '';
+}
diff --git a/old/modules/wu/paths.nix b/old/modules/wu/paths.nix
new file mode 100644
index 000000000..2d2ff7b74
--- /dev/null
+++ b/old/modules/wu/paths.nix
@@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/wu/nix;
+}
diff --git a/old/modules/wu/users.nix b/old/modules/wu/users.nix
new file mode 100644
index 000000000..e50878cd0
--- /dev/null
+++ b/old/modules/wu/users.nix
@@ -0,0 +1,227 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) attrValues;
+  inherit (pkgs.lib) concatMap filterAttrs mapAttrs concatStringsSep;
+
+
+  users = {
+    tv = {
+      uid = 1337;
+      group = "users";
+      extraGroups = [
+        "audio"
+        "video"
+        "wheel"
+      ];
+    };
+
+    ff = {
+      uid = 13378001;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+      ];
+    };
+
+    cr = {
+      uid = 13378002;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+        "bumblebee"
+      ];
+    };
+
+    vimb = {
+      uid = 13378003;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+        "bumblebee"
+      ];
+    };
+
+    fa = {
+      uid = 2300001;
+      group = "tv-sub";
+    };
+
+    rl = {
+      uid = 2300002;
+      group = "tv-sub";
+    };
+
+    tief = {
+      uid = 2300702;
+      group = "tv-sub";
+    };
+
+    btc-bitcoind = {
+      uid = 2301001;
+      group = "tv-sub";
+    };
+
+    btc-electrum = {
+      uid = 2301002;
+      group = "tv-sub";
+    };
+
+    ltc-litecoind = {
+      uid = 2301101;
+      group = "tv-sub";
+    };
+
+    eth = {
+      uid = 2302001;
+      group = "tv-sub";
+    };
+
+    emse-hsdb = {
+      uid = 4200101;
+      group = "tv-sub";
+    };
+
+    wine = {
+      uid = 13370400;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+        "bumblebee"
+      ];
+    };
+
+    # dwarffortress
+    df = {
+      uid = 13370401;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+        "bumblebee"
+      ];
+    };
+
+    # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined
+    FTL = {
+      uid = 13370402;
+      #group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+        "bumblebee"
+      ];
+    };
+
+    freeciv = {
+      uid = 13370403;
+      group = "tv-sub";
+    };
+
+    xr = {
+      uid = 13370061;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        "video"
+      ];
+    };
+
+    "23" = {
+      uid = 13370023;
+      group = "tv-sub";
+    };
+
+    electrum = {
+      uid = 13370102;
+      group = "tv-sub";
+    };
+
+    Reaktor = {
+      uid = 4230010;
+      group = "tv-sub";
+    };
+
+    gitolite = {
+      uid = 7700;
+    };
+
+    skype = {
+      uid = 6660001;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+      ];
+    };
+
+    onion = {
+      uid = 6660010;
+      group = "tv-sub";
+    };
+
+    zalora = {
+      uid = 1000301;
+      group = "tv-sub";
+      extraGroups = [
+        "audio"
+        # TODO remove vboxusers when hardening is active
+        "vboxusers"
+        "video"
+      ];
+    };
+
+  };
+
+
+  extraUsers =
+    mapAttrs (name: user: user // {
+      inherit name;
+      home = "/home/${name}";
+      createHome = true;
+      useDefaultShell = true;
+    }) users;
+
+
+  extraGroups = {
+    tv-sub.gid = 1337;
+  };
+
+
+  sudoers =
+    let
+      inherit (builtins) filter hasAttr;
+      inherit (import ../../lib { inherit lib pkgs; })
+        concat isSuffixOf removeSuffix setToList;
+
+      hasMaster = { group ? "", ... }:
+        isSuffixOf "-sub" group;
+
+      masterOf = user : removeSuffix "-sub" user.group;
+    in
+    concatStringsSep "\n"
+      (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL")
+           (filter hasMaster (attrValues extraUsers)));
+
+in
+
+
+{
+  imports = [
+    { users.extraUsers = import <secrets/extraUsers.nix>; }
+  ];
+
+  users.defaultUserShell = "/run/current-system/sw/bin/bash";
+  users.extraGroups = extraGroups;
+  users.extraUsers = extraUsers;
+  users.mutableUsers = false;
+
+  security.sudo.extraConfig =
+    ''
+    Defaults mailto="tv@wu.retiolum"
+    ${sudoers}
+    '';
+} | 
