From d213df5c00d3073d2f3bc09471fce466153df881 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Sat, 11 Jul 2015 16:55:22 +0200
Subject: NWO

---
 2configs/tv/AO753.nix              |  39 +++
 2configs/tv/CAC-CentOS-7-64bit.nix |  47 ++++
 2configs/tv/CAC-Developer-1.nix    |   6 +
 2configs/tv/CAC-Developer-2.nix    |   6 +
 2configs/tv/base.nix               | 175 ++++++++++++++
 2configs/tv/consul-client.nix      |   9 +
 2configs/tv/consul-server.nix      |  22 ++
 2configs/tv/cryptoroot.nix         |   4 +
 2configs/tv/exim-retiolum.nix      | 126 ++++++++++
 2configs/tv/exim-smarthost.nix     | 474 +++++++++++++++++++++++++++++++++++++
 2configs/tv/git-public.nix         |  83 +++++++
 2configs/tv/smartd.nix             |  17 ++
 2configs/tv/synaptics.nix          |  14 ++
 2configs/tv/urxvt.nix              |  24 ++
 2configs/tv/w110er.nix             |  42 ++++
 2configs/tv/xserver.nix            |  41 ++++
 16 files changed, 1129 insertions(+)
 create mode 100644 2configs/tv/AO753.nix
 create mode 100644 2configs/tv/CAC-CentOS-7-64bit.nix
 create mode 100644 2configs/tv/CAC-Developer-1.nix
 create mode 100644 2configs/tv/CAC-Developer-2.nix
 create mode 100644 2configs/tv/base.nix
 create mode 100644 2configs/tv/consul-client.nix
 create mode 100644 2configs/tv/consul-server.nix
 create mode 100644 2configs/tv/cryptoroot.nix
 create mode 100644 2configs/tv/exim-retiolum.nix
 create mode 100644 2configs/tv/exim-smarthost.nix
 create mode 100644 2configs/tv/git-public.nix
 create mode 100644 2configs/tv/smartd.nix
 create mode 100644 2configs/tv/synaptics.nix
 create mode 100644 2configs/tv/urxvt.nix
 create mode 100644 2configs/tv/w110er.nix
 create mode 100644 2configs/tv/xserver.nix

(limited to '2configs')

diff --git a/2configs/tv/AO753.nix b/2configs/tv/AO753.nix
new file mode 100644
index 000000000..70eae1786
--- /dev/null
+++ b/2configs/tv/AO753.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/smartd.nix
+  ];
+
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+  ];
+
+  boot.kernelModules = [
+    "kvm-intel"
+    "wl"
+  ];
+
+  boot.extraModulePackages = [
+    config.boot.kernelPackages.broadcom_sta
+  ];
+
+  networking.wireless.enable = true;
+
+  services.logind.extraConfig = ''
+    HandleHibernateKey=ignore
+    HandleLidSwitch=ignore
+    HandlePowerKey=ignore
+    HandleSuspendKey=ignore
+  '';
+
+  nixpkgs.config = {
+    allowUnfree = false;
+    allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
+  };
+}
diff --git a/2configs/tv/CAC-CentOS-7-64bit.nix b/2configs/tv/CAC-CentOS-7-64bit.nix
new file mode 100644
index 000000000..95c6e815c
--- /dev/null
+++ b/2configs/tv/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "vmw_pvscsi"
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/centos/root";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/sda1";
+    fsType = "xfs";
+  };
+
+  swapDevices = [
+    { device = "/dev/centos/swap"; }
+  ];
+
+  users.extraGroups = {
+    # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+    #    Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+    #    Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+    #      Docs: man:tmpfiles.d(5)
+    #            man:systemd-tmpfiles(8)
+    #   Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+    #  Main PID: 19272 (code=exited, status=1/FAILURE)
+    # 
+    # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+    # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+    # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+    # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+    # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+    # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+    # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+    # warning: error(s) occured while switching to the new configuration
+    lock.gid = 10001;
+  };
+}
diff --git a/2configs/tv/CAC-Developer-1.nix b/2configs/tv/CAC-Developer-1.nix
new file mode 100644
index 000000000..37bc32afb
--- /dev/null
+++ b/2configs/tv/CAC-Developer-1.nix
@@ -0,0 +1,6 @@
+_:
+
+{
+  nix.maxJobs = 1;
+  sound.enable = false;
+}
diff --git a/2configs/tv/CAC-Developer-2.nix b/2configs/tv/CAC-Developer-2.nix
new file mode 100644
index 000000000..fedb808df
--- /dev/null
+++ b/2configs/tv/CAC-Developer-2.nix
@@ -0,0 +1,6 @@
+_:
+
+{
+  nix.maxJobs = 2;
+  sound.enable = false;
+}
diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix
new file mode 100644
index 000000000..f91e5bc50
--- /dev/null
+++ b/2configs/tv/base.nix
@@ -0,0 +1,175 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  # "7.4.335" -> "74"
+  majmin = x: concatStrings (take 2 (splitString "." x));
+in
+
+{
+  imports = [
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import /root/src/secrets/hashedPasswords.nix);
+    }
+    {
+      users.defaultUserShell = "/run/current-system/sw/bin/bash";
+      users.mutableUsers = false;
+    }
+    {
+      users.extraUsers = {
+        root = {
+          openssh.authorizedKeys.keys = map readFile [
+            ../../Zpubkeys/tv_wu.ssh.pub
+          ];
+        };
+        tv = {
+          uid = 1337;
+          group = "users";
+          home = "/home/tv";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "video"
+            "wheel"
+          ];
+          openssh.authorizedKeys.keys = map readFile [
+            ../../Zpubkeys/tv_wu.ssh.pub
+          ];
+        };
+      };
+    }
+    {
+      security.sudo.extraConfig = ''
+        Defaults mailto="tv@wu.retiolum"
+      '';
+      time.timeZone = "Europe/Berlin";
+    }
+    {
+      # TODO check if both are required:
+      nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+
+      nix.trustedBinaryCaches = [
+        "https://cache.nixos.org"
+        "http://cache.nixos.org"
+        "http://hydra.nixos.org"
+      ];
+
+      nix.useChroot = true;
+    }
+
+    {
+      environment.systemPackages = with pkgs; [
+        vim
+      ];
+
+      environment.etc."vim/vimrc".text = ''
+        set nocp
+      '';
+
+      environment.etc."vim/vim${majmin pkgs.vim.version}".source =
+          "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";
+
+      # multiple-definition-problem when defining environment.variables.EDITOR
+      environment.extraInit = ''
+        EDITOR=vim
+      '';
+
+      environment.shellAliases = {
+        # alias cal='cal -m3'
+        gp = "${pkgs.pari}/bin/gp -q";
+        df = "df -h";
+        du = "du -h";
+        # alias grep='grep --color=auto'
+
+        # TODO alias cannot contain #\'
+        # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+        # alias la='ls -lA'
+        lAtr = "ls -lAtr";
+        # alias ll='ls -l'
+        ls = "ls -h --color=auto --group-directories-first";
+        # alias vim='vim -p'
+        # alias vi='vim'
+        # alias view='vim -R'
+        dmesg = "dmesg -L --reltime";
+      };
+
+      environment.variables.VIM = "/etc/vim";
+
+      programs.bash = {
+        interactiveShellInit = ''
+          HISTCONTROL='erasedups:ignorespace'
+          HISTSIZE=65536
+          HISTFILESIZE=$HISTSIZE
+
+          shopt -s checkhash
+          shopt -s histappend histreedit histverify
+          shopt -s no_empty_cmd_completion
+          complete -d cd
+
+          # TODO source bridge
+        '';
+        promptInit = ''
+          case $UID in
+            0)
+              PS1='\[\e[1;31m\]\w\[\e[0m\] '
+              ;;
+            1337)
+              PS1='\[\e[1;32m\]\w\[\e[0m\] '
+              ;;
+            *)
+              PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+              ;;
+          esac
+          if test -n "$SSH_CLIENT"; then
+            PS1='\[\e[35m\]\h'" $PS1"
+          fi
+          if test -n "$SSH_AGENT_PID"; then
+            PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
+          fi
+        '';
+      };
+
+      programs.ssh.startAgent = false;
+    }
+
+    {
+      nixpkgs.config.packageOverrides = pkgs:
+        {
+          nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+        };
+
+      services.cron.enable = false;
+      services.nscd.enable = false;
+      services.ntp.enable = false;
+    }
+
+    {
+      boot.kernel.sysctl = {
+        # Enable IPv6 Privacy Extensions
+        "net.ipv6.conf.all.use_tempaddr" = 2;
+        "net.ipv6.conf.default.use_tempaddr" = 2;
+      };
+    }
+
+    {
+      services.openssh = {
+        enable = true;
+        hostKeys = [
+          { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+        ];
+      };
+    }
+
+    {
+      # TODO: exim
+      security.setuidPrograms = [
+        "sendmail"  # for sudo
+      ];
+    }
+  ];
+}
diff --git a/2configs/tv/consul-client.nix b/2configs/tv/consul-client.nix
new file mode 100644
index 000000000..0a8bf4d75
--- /dev/null
+++ b/2configs/tv/consul-client.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ./consul-server.nix ];
+
+  tv.consul = {
+    server = pkgs.lib.mkForce false;
+  };
+}
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
new file mode 100644
index 000000000..1c8dcb884
--- /dev/null
+++ b/2configs/tv/consul-server.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+  imports = [ ../../3modules/tv/consul.nix ];
+  tv.consul = rec {
+    enable = true;
+
+    inherit (config.tv.identity) self;
+    inherit (self) dc;
+
+    server = true;
+
+    hosts = with config.tv.identity.hosts; [
+      # TODO get this list automatically from each host where tv.consul.enable is true
+      cd
+      mkdir
+      nomic
+      rmdir
+      #wu
+    ];
+  };
+}
diff --git a/2configs/tv/cryptoroot.nix b/2configs/tv/cryptoroot.nix
new file mode 100644
index 000000000..04618ac4a
--- /dev/null
+++ b/2configs/tv/cryptoroot.nix
@@ -0,0 +1,4 @@
+{ ... }:
+
+{
+}
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
new file mode 100644
index 000000000..efab5cf32
--- /dev/null
+++ b/2configs/tv/exim-retiolum.nix
@@ -0,0 +1,126 @@
+{ config, pkgs, ... }:
+
+{
+  services.exim =
+    # This configuration makes only sense for retiolum-enabled hosts.
+    # TODO modular configuration
+    assert config.tv.retiolum.enable;
+    let
+      # TODO get the hostname from config.tv.retiolum.
+      retiolumHostname = "${config.networking.hostName}.retiolum";
+    in
+      { enable = true;
+        config = ''
+          primary_hostname = ${retiolumHostname}
+          domainlist local_domains    = @ : localhost
+          domainlist relay_to_domains = *.retiolum
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
+
+          host_lookup = *
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
+
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
+
+          begin acl
+
+          acl_check_rcpt:
+            accept  hosts = :
+                    control = dkim_disable_verify
+
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
+
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
+
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
+
+            #require verify        = sender
+
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
+
+            require verify = recipient
+
+            accept
+
+
+          acl_check_data:
+            accept
+
+
+          begin routers
+
+          retiolum:
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = remote_smtp
+            route_list = ^.* $0 byname
+            no_more
+
+          nonlocal:
+            debug_print = "R: nonlocal for $local_part@$domain"
+            driver = redirect
+            domains = ! +local_domains
+            allow_fail
+            data = :fail: Mailing to remote domains not supported
+            no_more
+
+          local_user:
+            # debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
+
+
+          begin transports
+
+          remote_smtp:
+            driver = smtp
+
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            directory = $home/Maildir
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+          # group = mail
+          # mode = 0660
+
+          begin retry
+          *.retiolum             *           F,42d,1m
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+          begin rewrite
+
+          begin authenticators
+        '';
+      };
+}
diff --git a/2configs/tv/exim-smarthost.nix b/2configs/tv/exim-smarthost.nix
new file mode 100644
index 000000000..a4c47b399
--- /dev/null
+++ b/2configs/tv/exim-smarthost.nix
@@ -0,0 +1,474 @@
+{ config, pkgs, ... }:
+
+let
+  inherit (builtins) toFile;
+  inherit (pkgs.lib.attrsets) mapAttrs;
+  inherit (pkgs.lib.strings) concatMapStringsSep;
+in
+
+{
+  services.exim =
+    let
+      retiolumHostname = "${config.networking.hostName}.retiolum";
+
+      internet-aliases = [
+        { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; }
+
+        # (mindestens) lisp-stammtisch und elli haben die:
+        { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; }
+
+        { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; }
+
+        { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; }
+
+        # TODO killme (wo wird die benutzt?)
+        { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; }
+
+        { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; }
+      ];
+
+      system-aliases = [
+        { from = "mailer-daemon"; to = "postmaster"; }
+        { from = "postmaster"; to = "root"; }
+        { from = "nobody"; to = "root"; }
+        { from = "hostmaster"; to = "root"; }
+        { from = "usenet"; to = "root"; }
+        { from = "news"; to = "root"; }
+        { from = "webmaster"; to = "root"; }
+        { from = "www"; to = "root"; }
+        { from = "ftp"; to = "root"; }
+        { from = "abuse"; to = "root"; }
+        { from = "noc"; to = "root"; }
+        { from = "security"; to = "root"; }
+        { from = "root"; to = "tv"; }
+        { from = "mirko"; to = "mv"; }
+      ];
+
+      to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}");
+      lsearch =
+        mapAttrs (name: set: toFile name (to-lsearch set)) {
+          inherit internet-aliases;
+          inherit system-aliases;
+        };
+    in
+    {
+      enable = true;
+      config =
+        ''
+          primary_hostname = ${retiolumHostname}
+
+          # HOST_REDIR contains the real destinations for "local_domains".
+          #HOST_REDIR = /etc/exim4/host_redirect
+
+
+          # Domains not listed in local_domains need to be deliverable remotely.
+          # XXX We abuse local_domains to mean "domains, we're the gateway for".
+          domainlist local_domains    = @ : localhost
+          #: viljetic.de : SHACK_REDIR_HOSTNAME
+          domainlist relay_to_domains =
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37
+
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
+
+          # av_scanner = clamd:/tmp/clamd
+          # spamd_address = 127.0.0.1 783
+
+          # tls_advertise_hosts = *
+          # tls_certificate = /etc/ssl/exim.crt
+          # tls_privatekey = /etc/ssl/exim.pem
+          # (debian) tls_verify_certificates (to check client certs)
+
+          # daemon_smtp_ports = 25 : 465 : 587
+          # tls_on_connect_ports = 465
+
+          # qualify_domain defaults to primary_hostname
+          # qualify_recipient defaults to qualify_domain
+
+          # allow_domain_literals
+
+          never_users = root
+
+          host_lookup = *
+
+          # ident callbacks for all incoming SMTP calls
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
+
+          # sender_unqualified_hosts =
+          # recipient_unqualified_hosts =
+
+          # percent_hack_domains =
+
+          # arch & debian
+          #ignore_bounce_errors_after = 2d
+          #timeout_frozen_after = 7d
+          # debian
+          #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
+          #freeze_tell = postmaster
+          #trusted_users = uucp
+          # arch
+          #split_spool_directory = true
+
+          log_selector = -queue_run +address_rewrite +all_parents +queue_time
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
+
+          begin acl
+
+          acl_check_rcpt:
+            # Accept if the source is local SMTP (i.e. not over TCP/IP).
+            # We do this by testing for an empty sending host field.
+            accept  hosts = :
+                    # arch & debian:
+                    control = dkim_disable_verify
+
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
+
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
+
+            ## feature RETIOLUM_MAIL
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
+
+            #require verify        = sender
+
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    # debian: control = submission/sender_retain
+                    # arch & debian:
+                    control       = dkim_disable_verify
+
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            accept message = relay not permitted 2
+                    recipients = lsearch;${lsearch.internet-aliases}
+
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
+
+            require
+              message = unknown user
+              verify = recipient/callout
+
+            # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+            #         dnslists      = black.list.example
+            #
+            # warn    dnslists      = black.list.example
+            #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+            #         log_message   = found in $dnslist_domain
+
+            # Client SMTP Authorization (csa) checks on the sending host.
+            # Such checks do DNS lookups for special SRV records.
+            # require verify = csa
+
+            accept
+
+
+          acl_check_data:
+            # see av_scanner
+            #deny    malware    = *
+            #        message    = This message contains a virus ($malware_name).
+
+            # Add headers to a message if it is judged to be spam. Before enabling this,
+            # you must install SpamAssassin. You may also need to set the spamd_address
+            # option above.
+            #
+            # warn    spam       = nobody
+            #         add_header = X-Spam_score: $spam_score\n\
+            #                      X-Spam_score_int: $spam_score_int\n\
+            #                      X-Spam_bar: $spam_bar\n\
+            #                      X-Spam_report: $spam_report
+
+            # feature HELO_REWRITE
+            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
+            warn
+              sender_domains = viljetic.de : shackspace.de
+              set acl_m_special_dom = $sender_address_domain
+
+            accept
+
+
+          begin routers
+
+          # feature RETIOLUM_MAIL
+          retiolum:
+            debug_print = "R: retiolum for $local_part@$domain"
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = retiolum_smtp
+            route_list = ^.* $0 byname
+            no_more
+
+          internet_aliases:
+            debug_print = "R: internet_aliases for $local_part@$domain"
+            driver = redirect
+            data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
+
+          dnslookup:
+            debug_print = "R: dnslookup for $local_part@$domain"
+            driver = dnslookup
+            domains = ! +local_domains
+            transport = remote_smtp
+            ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+            # if ipv6-enabled then instead use:
+            # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+
+            # (debian) same_domain_copy_routing = yes
+            # (debian) ignore private rfc1918 and APIPA addresses
+            # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+            #                   172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+            #                   255.255.255.255
+
+            # Fail and bounce if the router does not find the domain in the DNS.
+            # I.e. no more routers are tried.
+            # There are a few cases where a dnslookup router will decline to accept an
+            # address; if such a router is expected to handle "all remaining non-local
+            # domains", then it is important to set no_more.
+            no_more
+
+          # XXX this is only used because these "well known aliases" goto tv@cd.retiolum
+          # TODO bounce everything, there is no @cd.retiolum
+          system_aliases:
+            debug_print = "R: system_aliases for $local_part@$domain"
+            driver = redirect
+            data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
+
+          # TODO this is only b/c mv here... send mv's mails somewhere else...
+          local_user:
+            debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
+
+          begin transports
+
+          retiolum_smtp:
+            driver = smtp
+            retry_include_ip_address = false
+            # serialize_hosts = TODO-all-slow-hosts
+
+          remote_smtp:
+            driver = smtp
+            # debian has also stuff for tls, headers_rewrite and more here
+
+            # feature HELO_REWRITE
+            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
+            helo_data = ''${if eq{$acl_m_special_dom}{}  \
+                                 {$primary_hostname}   \
+                                 {$acl_m_special_dom} }
+
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            maildir_use_size_file
+            directory = $home/Mail
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+
+          begin retry
+          *.retiolum             *           F,42d,1m
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+          begin rewrite
+          begin authenticators
+        '';
+
+
+          # group = mail
+          # mode = 0660
+
+
+          #address_pipe:
+          #  driver = pipe
+          #  return_output
+          #
+          #address_file:
+          #  driver = appendfile
+          #  delivery_date_add
+          #  envelope_to_add
+          #  return_path_add
+          #
+          #address_reply:
+          #  driver = autoreply
+
+
+          #maildrop_pipe:
+          #  debug_print = "T: maildrop_pipe for $local_part@$domain"
+          #  driver = pipe
+          #  path = "/bin:/usr/bin:/usr/local/bin"
+          #  command = "/usr/bin/maildrop"
+          #  return_path_add
+          #  delivery_date_add
+          #  envelope_to_add
+
+
+
+
+
+          ##begin retry
+          # Address or Domain    Error       Retries
+
+          # Our host_redirect destinations might be offline a lot.
+          # TODO define fallback destinations(?)
+          #lsearch;${lsearch.internet-aliases} * F,42d,1m
+
+
+          ## begin rewrite
+
+          # just in case (shackspace.de should already do this)
+          #tv@shackspace.de  tv@SHACK_REDIR_HOSTNAME  T
+
+
+          ## begin authenticators
+          #PLAIN:
+          #  driver                  = plaintext
+          #  server_set_id           = $auth2
+          #  server_prompts          = :
+          #  server_condition        = Authentication is not yet configured
+          #  server_advertise_condition = ''${if def:tls_in_cipher }
+
+          #LOGIN:
+          #  driver                  = plaintext
+          #  server_set_id           = $auth1
+          #  server_prompts          = <| Username: | Password:
+          #  server_condition        = Authentication is not yet configured
+          #  server_advertise_condition = ''${if def:tls_in_cipher }
+
+
+
+      };
+
+}
+
+#        config = ''
+#          primary_hostname = ${retiolumHostname}
+#          domainlist local_domains    = @ : localhost
+#          domainlist relay_to_domains = *.retiolum
+#          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+#
+#          acl_smtp_rcpt = acl_check_rcpt
+#          acl_smtp_data = acl_check_data
+#
+#          host_lookup = *
+#          rfc1413_hosts = *
+#          rfc1413_query_timeout = 5s
+#
+#          log_file_path = syslog
+#          syslog_timestamp = false
+#          syslog_duplication = false
+#
+#          begin acl
+#
+#          acl_check_rcpt:
+#            accept  hosts = :
+#                    control = dkim_disable_verify
+#
+#            deny    message       = Restricted characters in address
+#                    domains       = +local_domains
+#                    local_parts   = ^[.] : ^.*[@%!/|]
+#
+#            deny    message       = Restricted characters in address
+#                    domains       = !+local_domains
+#                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+#
+#            accept  local_parts   = postmaster
+#                    domains       = +local_domains
+#
+#            #accept
+#            #  hosts = *.retiolum
+#            #  domains = *.retiolum
+#            #  control = dkim_disable_verify
+#
+#            #require verify        = sender
+#
+#            accept  hosts         = +relay_from_hosts
+#                    control       = submission
+#                    control       = dkim_disable_verify
+#
+#            accept  authenticated = *
+#                    control       = submission
+#                    control       = dkim_disable_verify
+#
+#            require message = relay not permitted
+#                    domains = +local_domains : +relay_to_domains
+#
+#            require verify = recipient
+#
+#            accept
+#
+#
+#          acl_check_data:
+#            accept
+#
+#
+#          begin routers
+#
+#          retiolum:
+#            driver = manualroute
+#            domains = ! ${retiolumHostname} : *.retiolum
+#            transport = remote_smtp
+#            route_list = ^.* $0 byname
+#            no_more
+#
+#          nonlocal:
+#            debug_print = "R: nonlocal for $local_part@$domain"
+#            driver = redirect
+#            domains = ! +local_domains
+#            allow_fail
+#            data = :fail: Mailing to remote domains not supported
+#            no_more
+#
+#          local_user:
+#            # debug_print = "R: local_user for $local_part@$domain"
+#            driver = accept
+#            check_local_user
+#          # local_part_suffix = +* : -*
+#          # local_part_suffix_optional
+#            transport = home_maildir
+#            cannot_route_message = Unknown user
+#
+#
+#          begin transports
+#
+#          remote_smtp:
+#            driver = smtp
+#
+#          home_maildir:
+#            driver = appendfile
+#            maildir_format
+#            directory = $home/Maildir
+#            directory_mode = 0700
+#            delivery_date_add
+#            envelope_to_add
+#            return_path_add
+#          # group = mail
+#          # mode = 0660
+#
+#          begin retry
+#          *.retiolum             *           F,42d,1m
+#          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+#
+#          begin rewrite
+#
+#          begin authenticators
+#        '';
+#      };
+#}
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix
new file mode 100644
index 000000000..0ca04d263
--- /dev/null
+++ b/2configs/tv/git-public.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  inherit (builtins) map readFile;
+  inherit (lib) concatMap listToAttrs;
+  # TODO lib should already include our stuff
+  inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git;
+
+  public-git-repos = [
+    (public "cgserver")
+    (public "crude-mail-setup")
+    (public "dot-xmonad")
+    (public "hack")
+    (public "load-env")
+    (public "make-snapshot")
+    (public "mime")
+    (public "much")
+    (public "nixos-infest")
+    (public "nixpkgs")
+    (public "painload")
+    (public "regfish")
+    (public' {
+      name = "shitment";
+      desc = "turn all the computers into one computer!";
+    })
+    (public "wai-middleware-time")
+    (public "web-routes-wai-custom")
+  ];
+
+  users = addNames {
+    tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; };
+    lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; };
+    uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; };
+    makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; };
+  };
+
+  repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);
+
+  rules = concatMap ({ rules, ... }: rules) public-git-repos;
+
+  public' = { name, desc }:
+    let
+      x = public name;
+    in
+    x // { repo = x.repo // { inherit desc; }; };
+
+  public = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+        public = true;
+      };
+      rules = with git; with users; [
+        { user = tv;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ lass makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+in
+
+{
+  imports = [
+    ../../3modules/tv/git.nix
+  ];
+  tv.git = {
+    enable = true;
+    inherit repos rules users;
+  };
+}
diff --git a/2configs/tv/smartd.nix b/2configs/tv/smartd.nix
new file mode 100644
index 000000000..2e9d955d1
--- /dev/null
+++ b/2configs/tv/smartd.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+  services.smartd = {
+    enable = true;
+    devices = [
+      {
+        device = "DEVICESCAN";
+        options = toString [
+          "-a"
+          "-m tv@wu.retiolum"
+          "-s (O/../.././09|S/../.././04|L/../../6/05)"
+        ];
+      }
+    ];
+  };
+}
diff --git a/2configs/tv/synaptics.nix b/2configs/tv/synaptics.nix
new file mode 100644
index 000000000..c47cb9deb
--- /dev/null
+++ b/2configs/tv/synaptics.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+  # TODO this is host specific
+  services.xserver.synaptics = {
+    enable = true;
+    twoFingerScroll = true;
+    accelFactor = "0.035";
+    additionalOptions = ''
+      Option "FingerHigh" "60"
+      Option "FingerLow"  "60"
+    '';
+  };
+}
diff --git a/2configs/tv/urxvt.nix b/2configs/tv/urxvt.nix
new file mode 100644
index 000000000..89bb421aa
--- /dev/null
+++ b/2configs/tv/urxvt.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+with builtins;
+
+let
+  users = [ "tv" ];
+  urxvt = pkgs.rxvt_unicode;
+  mkService = user: {
+    description = "urxvt terminal daemon";
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = false;
+    serviceConfig = {
+      Restart = "always";
+      User = user;
+      ExecStart = "${urxvt}/bin/urxvtd";
+    };
+  };
+
+in
+
+{
+  environment.systemPackages = [ urxvt ];
+  systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+}
diff --git a/2configs/tv/w110er.nix b/2configs/tv/w110er.nix
new file mode 100644
index 000000000..7ef0e6e9d
--- /dev/null
+++ b/2configs/tv/w110er.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/smartd.nix
+  ];
+
+  boot.extraModprobeConfig = ''
+    options kvm_intel nested=1
+  '';
+
+  boot.initrd.availableKernelModules = [ "ahci" ];
+  boot.kernelModules = [ "kvm-intel" ];
+
+  boot.loader.gummiboot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.wireless.enable = true;
+
+  nix = {
+    buildCores = 4;
+    maxJobs = 4;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  services.logind.extraConfig = ''
+    HandleHibernateKey=ignore
+    HandleLidSwitch=ignore
+    HandlePowerKey=ignore
+    HandleSuspendKey=ignore
+  '';
+
+  system.activationScripts.powertopTunables = ''
+    echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+    echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+    (cd /sys/bus/pci/devices
+      for i in *; do
+        echo auto > $i/power/control # defaults to 'on'
+      done)
+  '';
+}
diff --git a/2configs/tv/xserver.nix b/2configs/tv/xserver.nix
new file mode 100644
index 000000000..4a3de482a
--- /dev/null
+++ b/2configs/tv/xserver.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/urxvt.nix # TODO via xserver
+  ];
+
+  services.xserver.enable = true;
+
+
+  #fonts.enableFontConfig = true;
+  #fonts.enableFontDir = true;
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+  #services.xfs.enable = true;
+  #services.xserver.useXFS = "unix/:7100";
+
+  services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
+
+  #services.xserver.display = 11;
+  #services.xserver.tty = 11;
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  #services.xserver.multitouch.enable = true;
+
+  services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
+    X11-xshape
+  ];
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+  services.xserver.windowManager.default = "xmonad";
+  services.xserver.desktopManager.default = "none";
+  services.xserver.desktopManager.xterm.enable = false;
+
+  services.xserver.displayManager.slim.enable = true;
+  #services.xserver.displayManager.auto.enable = true;
+  #services.xserver.displayManager.auto.user = "tv";
+  #services.xserver.displayManager.job.logsXsession = true;
+}
-- 
cgit v1.2.3