From ac64527c5707cca5fc6e6e6ecf3957129cdb32b2 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 28 Jul 2015 20:28:21 +0200 Subject: lass: port everything to stockholm --- lass/2configs/base.nix | 143 ++++++++++++++++++++++++++++++ lass/2configs/binary-caches.nix | 13 +++ lass/2configs/bird.nix | 13 +++ lass/2configs/bitcoin.nix | 17 ++++ lass/2configs/browsers.nix | 67 ++++++++++++++ lass/2configs/chromium-patched.nix | 48 ++++++++++ lass/2configs/desktop-base.nix | 63 ++++++++++++++ lass/2configs/elster.nix | 20 +++++ lass/2configs/fastpoke-pages.nix | 97 +++++++++++++++++++++ lass/2configs/games.nix | 25 ++++++ lass/2configs/gitolite-base.nix | 173 +++++++++++++++++++++++++++++++++++++ lass/2configs/identity.nix | 48 ++++++++++ lass/2configs/ircd.nix | 92 ++++++++++++++++++++ lass/2configs/mors/repos.nix | 87 +++++++++++++++++++ lass/2configs/mors/retiolum.nix | 21 +++++ lass/2configs/new-repos.nix | 77 +++++++++++++++++ lass/2configs/pass.nix | 10 +++ lass/2configs/programs.nix | 24 +++++ lass/2configs/retiolum.nix | 28 ++++++ lass/2configs/sshkeys.nix | 11 +++ lass/2configs/steam.nix | 30 +++++++ lass/2configs/texlive.nix | 7 ++ lass/2configs/urxvt.nix | 40 +++++++++ lass/2configs/vim.nix | 118 +++++++++++++++++++++++++ lass/2configs/virtualbox.nix | 22 +++++ lass/2configs/wine.nix | 23 +++++ 26 files changed, 1317 insertions(+) create mode 100644 lass/2configs/base.nix create mode 100644 lass/2configs/binary-caches.nix create mode 100644 lass/2configs/bird.nix create mode 100644 lass/2configs/bitcoin.nix create mode 100644 lass/2configs/browsers.nix create mode 100644 lass/2configs/chromium-patched.nix create mode 100644 lass/2configs/desktop-base.nix create mode 100644 lass/2configs/elster.nix create mode 100644 lass/2configs/fastpoke-pages.nix create mode 100644 lass/2configs/games.nix create mode 100644 lass/2configs/gitolite-base.nix create mode 100644 lass/2configs/identity.nix create mode 100644 lass/2configs/ircd.nix create mode 100644 lass/2configs/mors/repos.nix create mode 100644 lass/2configs/mors/retiolum.nix create 
mode 100644 lass/2configs/new-repos.nix create mode 100644 lass/2configs/pass.nix create mode 100644 lass/2configs/programs.nix create mode 100644 lass/2configs/retiolum.nix create mode 100644 lass/2configs/sshkeys.nix create mode 100644 lass/2configs/steam.nix create mode 100644 lass/2configs/texlive.nix create mode 100644 lass/2configs/urxvt.nix create mode 100644 lass/2configs/vim.nix create mode 100644 lass/2configs/virtualbox.nix create mode 100644 lass/2configs/wine.nix (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix new file mode 100644 index 000000000..8d4a9c896 --- /dev/null +++ b/lass/2configs/base.nix 
@@ -0,0 +1,143 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../2configs/lass/vim.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } + ]; + + krebs = { + enable = true; + search-domain = "retiolum"; + }; + + nix.useChroot = true; + + users.mutableUsers = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + PAGER=most + ''; + + environment.systemPackages = with pkgs; [ + nmap + + git + most + rxvt_unicode.terminfo + + #network + iptables + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + security.setuidPrograms = [ + "sendmail" + ]; + + #services.gitolite = { + # enable = true; + # dataDir = 
"/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + lass.iptables = { + enable = true; + tables = { + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + ]; + }; + }; + +} diff --git a/lass/2configs/binary-caches.nix b/lass/2configs/binary-caches.nix new file mode 100644 index 000000000..c2727520d --- /dev/null +++ b/lass/2configs/binary-caches.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + nix.sshServe.enable = true; + nix.sshServe.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" + ]; + nix.binaryCaches = [ + #"scp://nix-ssh@mors" + #"scp://nix-ssh@uriel" + ]; +} diff --git a/lass/2configs/bird.nix b/lass/2configs/bird.nix new file mode 100644 index 000000000..3fc265cd7 --- /dev/null +++ b/lass/2configs/bird.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + config.services.bird = { + enable = true; + config = '' + router id 192.168.122.1; + protocol device { + scan time 10; + } + ''; + }; +} diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix new file mode 100644 index 000000000..d3bccbf5c --- /dev/null +++ b/lass/2configs/bitcoin.nix 
@@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + electrum + ]; + + users.extraUsers = { + bitcoin = { + name = "bitcoin"; + description = "user for bitcoin stuff"; + home = "/home/bitcoin"; + useDefaultShell = true; + createHome = true; + }; + }; +} diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix new file mode 100644 index 000000000..8aecea925 --- /dev/null +++ b/lass/2configs/browsers.nix @@ -0,0 +1,67 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + + nixpkgs.config.packageOverrides = pkgs : { + chromium = pkgs.chromium.override { + pulseSupport = true; + }; + }; + + environment.systemPackages = with pkgs; [ + firefox + ]; + + users.extraUsers = { + firefox = { + name = "firefox"; + description = "user for running firefox"; + home = "/home/firefox"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + chromium = { + name = "chromium"; + description = "user for running chromium"; + home = "/home/chromium"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + facebook = { + name = "facebook"; + description = "user for running facebook in chromium"; + home = "/home/facebook"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + google = { + name = "google"; + description = "user for running google+/gmail in chromium"; + home = "/home/google"; + useDefaultShell = true; + createHome = true; + }; + flash = { + name = "flash"; + description = "user for running flash stuff"; + home = "/home/flash"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + }; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(firefox) NOPASSWD: ALL + ${mainUser.name} ALL=(chromium) NOPASSWD: ALL + ${mainUser.name} ALL=(facebook) NOPASSWD: ALL + ${mainUser.name} ALL=(google) NOPASSWD: ALL + ${mainUser.name} ALL=(flash) NOPASSWD: ALL + ''; +} 
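Review bot: Each `${mainUser.name} ALL=(<user>) NOPASSWD: ALL` line in `security.sudo.extraConfig` lets the main user run any command, not just the browser, as the firefox/chromium/facebook/google/flash accounts; if the intent is only to launch the browser under a separate uid, naming the executable instead of `ALL` (e.g. `NOPASSWD: ${pkgs.firefox}/bin/firefox`) narrows what those accounts can be used for from the main-user session. The same pattern appears for `elster` in elster.nix and `games` in games.nix in this commit. A short comment above `users.extraUsers` saying these are per-site isolation users would also help the next reader.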
diff --git a/lass/2configs/chromium-patched.nix b/lass/2configs/chromium-patched.nix new file mode 100644 index 000000000..715181778 --- /dev/null +++ b/lass/2configs/chromium-patched.nix @@ -0,0 +1,48 @@ +{ config, pkgs, ... }: + +#settings to test: +# + #"ForceEphemeralProfiles": true, +let + masterPolicy = pkgs.writeText "master.json" '' + { + "PasswordManagerEnabled": false, + "DefaultGeolocationSetting": 2, + "RestoreOnStartup": 1, + "AutoFillEnabled": false, + "BackgroundModeEnabled": false, + "DefaultBrowserSettingEnabled": false, + "SafeBrowsingEnabled": false, + "ExtensionInstallForcelist": [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", + "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" + ] + } + ''; + + master_preferences = pkgs.writeText "master_preferences" '' + { + "browser": { + "custom_chrome_frame": true + }, + + "extensions": { + "theme": { + "id": "", + "use_system": true + } + } + } + ''; +in { + environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; + + environment.systemPackages = [ + #pkgs.chromium + (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { + buildCommand = attrs.buildCommand + '' + touch $out/TEST123 + ''; + })) + ]; +} diff --git a/lass/2configs/desktop-base.nix b/lass/2configs/desktop-base.nix new file mode 100644 index 000000000..9b98e4a8b --- /dev/null +++ b/lass/2configs/desktop-base.nix 
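Review bot: `master_preferences` is bound in the `let` but never referenced in the attribute set, and the `overrideDerivation` on `pkgs.chromium` only appends `touch $out/TEST123` to `buildCommand`, which looks like a leftover experiment rather than a patch — either wire `master_preferences` into the package (or `environment.etc`) or drop both. Separately, `"SafeBrowsingEnabled": false` in `master.json` turns off Chromium's malware/phishing lookups; that is a deliberate privacy-versus-protection trade-off and deserves a one-line comment stating why, next to the existing `#settings to test:` note. The `ExtensionInstallForcelist` entries are given only by extension id; a comment naming each extension would make the policy reviewable.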
@@ -0,0 +1,63 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; +in { + imports = [ + ./base.nix + ]; + + time.timeZone = "Europe/Berlin"; + + virtualisation.libvirtd.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + programs.ssh.startAgent = false; + + security.setuidPrograms = [ "slock" ]; + + services.printing = { + enable = true; + drivers = [ pkgs.foomatic_filters ]; + }; + + environment.systemPackages = with pkgs; [ + + powertop + + #window manager stuff + haskellPackages.xmobar + haskellPackages.yeganesh + dmenu2 + xlibs.fontschumachermisc + ]; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + services.xserver = { + enable = true; + + windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + windowManager.xmonad.enable = true; + windowManager.xmonad.enableContribAndExtras = true; + windowManager.default = "xmonad"; + desktopManager.default = "none"; + desktopManager.xterm.enable = false; + displayManager.slim.enable = true; + displayManager.auto.enable = true; + displayManager.auto.user = mainUser.name; + + layout = "us"; + xkbModel = "evdev"; + xkbVariant = "altgr-intl"; + }; + +} diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix new file mode 100644 index 000000000..1edd01896 --- /dev/null +++ b/lass/2configs/elster.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + users.extraUsers = { + elster = { + name = "elster"; + description = "user for running elster-online"; + home = "/home/elster"; + useDefaultShell = true; + extraGroups = []; + createHome = true; + }; + }; + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(elster) NOPASSWD: ALL + ''; +} diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix new file mode 100644 index 000000000..74e92ccc3 --- /dev/null +++ b/lass/2configs/fastpoke-pages.nix 
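Review bot: `displayManager.auto.enable = true` together with `displayManager.auto.user = mainUser.name` opens the X session for the main user at boot without a password, so the `slock` setuid entry is the only thing between a booted machine and the session; a comment recording that this is intended (e.g. `# auto-login: physical access is gated by disk encryption and slock`) would make the assumption explicit — whether the disk is encrypted is not visible in this hunk. `hardware.pulseaudio.systemWide = true` likewise shares one audio daemon across all users, including the isolation users defined in browsers.nix; if that is accepted, say so in a comment.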
@@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + createStaticPage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { + imports = [ + ../../3modules/lass/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + + krebs.nginx = { + enable = true; + servers = { + + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; + + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + }; + }; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix new file mode 100644 index 000000000..6043a8759 --- /dev/null +++ b/lass/2configs/games.nix 
@@ -0,0 +1,25 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + environment.systemPackages = with pkgs; [ + dwarf_fortress + ]; + + users.extraUsers = { + games = { + name = "games"; + description = "user playing games"; + home = "/home/games"; + extraGroups = [ "audio" "video" "input" ]; + createHome = true; + useDefaultShell = true; + }; + }; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(games) NOPASSWD: ALL + ''; +} diff --git a/lass/2configs/gitolite-base.nix b/lass/2configs/gitolite-base.nix new file mode 100644 index 000000000..b47629956 --- /dev/null +++ b/lass/2configs/gitolite-base.nix 
@@ -0,0 +1,173 @@ +{ config, ... }: + +{ + services.gitolite = { + mutable = false; + keys = { + lass = config.sshKeys.lass.pub; + uriel = config.sshKeys.uriel.pub; + }; + rc = '' + %RC = ( + UMASK => 0077, + GIT_CONFIG_KEYS => "", + LOG_EXTRA => 1, + ROLES => { + READERS => 1, + WRITERS => 1, + }, + LOCAL_CODE => "$ENV{HOME}/.gitolite", + ENABLE => [ + 'help', + 'desc', + 'info', + 'perms', + 'writable', + 'ssh-authkeys', + 'git-config', + 'daemon', + 'gitweb', + 'repo-specific-hooks', + ], + ); + 1; + ''; + + repoSpecificHooks = { + irc-announce = '' + #! /bin/sh + set -euf + + config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" + if test -f "$config_file"; then + . "$config_file" + fi + + # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update + # any relevant gitolite LOCAL_CODE! + # CAVEAT we hope that IRC_NICK is unique + IRC_NICK="''${IRC_NICK-gl$GL_TID}" + IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" + IRC_SERVER="''${IRC_SERVER-ire.retiolum}" + IRC_PORT="''${IRC_PORT-6667}" + + # for privmsg_cat below + export IRC_CHANNEL + + # collect users that are mentioned in the gitolite configuration + interested_users="$(perl -e ' + do "gl-conf"; + print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); + ')" + + # CAVEAT beware of real TABs in grep pattern! + # CAVEAT there will never be more than 42 relevant log entries! 
+ tab=$(printf '\x09') + log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" + + update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" + + # (debug output) + env | sed 's/^/env: /' + echo "$log" | sed 's/^/log: /' + + # see http://gitolite.com/gitolite/dev-notes.html#lff + reponame=$(echo "$update_log" | cut -f 4) + username=$(echo "$update_log" | cut -f 5) + ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') + old_sha=$(echo "$update_log" | cut -f 8) + new_sha=$(echo "$update_log" | cut -f 9) + + # check if new branch is created + if test $old_sha = 0000000000000000000000000000000000000000; then + # TODO what should we really show? + old_sha=$new_sha^ + fi + + # + git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" + commit_count=$(echo "$git_log" | wc -l) + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. (debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + # + # + # + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + echo "$interested_users" \ + | tr ' ' '\n' \ + | grep -v "^$GL_USER" \ + | sed 's/$/: poke/' \ + | privmsg_cat \ + | cat2 + + printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ + "$reponame" \ + "$username" \ + "$commit_count" \ + "$(test $commit_count 
= 1 || echo s)" \ + "$(hostname)" \ + "$ref_name" \ + | privmsg_cat \ + | cat2 + + echo "$git_log" \ + | sed 's/^/\x0314/;s/ /\x03 /' \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + }; + customFiles = [ + { + path = ".gitolite/conf/irc-announce.conf"; + file = '' + IRC_NICK="$(hostname)$GL_TID" + case "$GL_REPO" in + brain|painload|services|load-env|config) + IRC_CHANNEL='#retiolum' + ;; + *) + IRC_CHANNEL='&testing' + ;; + esac + ''; + } + ]; + }; +} diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix new file mode 100644 index 000000000..bfaad14d2 --- /dev/null +++ b/lass/2configs/identity.nix @@ -0,0 +1,48 @@ +{ config, ... }: + +{ + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} 
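Review bot: The `irc-announce` hook has no timeout anywhere in the `nc "$IRC_SERVER" "$IRC_PORT"` pipeline, and the `sed -n '/^:[^ ]* MODE /q'` and PART waits block until the server sends the expected line, so an unreachable or slow IRC server stalls every push to a repo with this hook until the connection dies. Wrapping the pipeline in `timeout` (coreutils) or giving `nc` a connect/idle timeout (the flag depends on the netcat variant) bounds that. The debug line `env | sed 's/^/env: /'` echoes the hook's full environment to stderr, which gitolite relays to the pushing client — fine while debugging, but it should be removed or gated on a `DEBUG` variable before the hook runs on repos with several readers. Also, `mktemp -d irc-announce_XXXXXXXX` has no directory component, so with GNU mktemp the fifo directory is created in the hook's current directory rather than under `$TMPDIR`; `mktemp -d -t irc-announce_XXXXXXXX` keeps it out of the repository.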
diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix new file mode 100644 index 000000000..f71b769fd --- /dev/null +++ b/lass/2configs/ircd.nix @@ -0,0 +1,92 @@ +{ config, pkgs, ... }: + +{ + config.services.charybdis = { + enable = true; + config = '' + serverinfo { + name = "ire.irc.retiolum"; + sid = "4z3"; + description = "miep!"; + network_name = "irc.retiolum"; + network_desc = "Retiolum IRC Network"; + hub = yes; + + vhost = "0.0.0.0"; + vhost6 = "::"; + + #ssl_private_key = "etc/ssl.key"; + #ssl_cert = "etc/ssl.cert"; + #ssl_dh_params = "etc/dh.pem"; + #ssld_count = 1; + + default_max_clients = 10000; + #nicklen = 30; + }; + + listen { + defer_accept = yes; + + /* If you want to listen on a specific IP only, specify host. + * host definitions apply only to the following port line. + */ + host = "0.0.0.0"; + port = 6667; + sslport = 6697; + + /* Listen on IPv6 (if you used host= above). */ + host = "::"; + port = 6667; + sslport = 9999; + }; + + class "users" { + ping_time = 2 minutes; + number_per_ident = 200; + number_per_ip = 200; + number_per_ip_global = 500; + cidr_ipv4_bitlen = 24; + cidr_ipv6_bitlen = 64; + number_per_cidr = 9000; + max_number = 10000; + sendq = 400 kbytes; + }; + + exempt { + ip = "127.0.0.1"; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + + channel { + use_invex = yes; + use_except = yes; + use_forward = yes; + use_knock = yes; + knock_delay = 5 minutes; + knock_delay_channel = 1 minute; + max_chans_per_user = 15; + max_bans = 100; + max_bans_large = 500; + default_split_user_count = 0; + default_split_server_count = 0; + no_create_on_split = no; + no_join_on_split = no; + burst_topicwho = yes; + kick_on_split_riding = no; + only_ascii_channels = no; + resv_forcepart = yes; + channel_target_change = yes; + disable_local_channels = no; + }; + general { + #maybe we want ident someday? + disable_auth = yes; + }; + ''; + }; +} 
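Review bot: Both `listen` stanzas set `sslport` (6697 and 9999) while `ssl_private_key`, `ssl_cert` and `ssl_dh_params` in `serverinfo` are commented out, so TLS listeners are declared without any certificate material; either drop the `sslport` lines until certificates are provisioned or provide them, since clients offered 6697 will expect a working TLS endpoint. The listeners bind `0.0.0.0` and `::`, i.e. every interface, while the `auth` block admits `*@*` with `exceed_limit` and `disable_auth = yes`; a comment stating that reachability is meant to be limited by the host firewall (not visible here) to the retiolum interface would document that assumption. The `exempt` block lists only `127.0.0.1`; given `vhost6 = "::"` is configured, `::1` is probably wanted alongside it.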
diff --git a/lass/2configs/mors/repos.nix b/lass/2configs/mors/repos.nix new file mode 100644 index 000000000..1f7f33456 --- /dev/null +++ b/lass/2configs/mors/repos.nix @@ -0,0 +1,87 @@ +{ ... }: + +{ + imports = [ + ../lass/gitolite-base.nix + ../common/krebs-keys.nix + ../common/krebs-repos.nix + ]; + + services.gitolite = { + repos = { + + config = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + pass = { + users = { + lass = "RW+"; + uriel = "R"; + }; + }; + + load-env = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + emse-drywall = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + emse-hsdb = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + brain = { + users = { + lass = "RW+"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + #hooks.post-receive = irc-announce; + }; + + painload = { + users = { + lass = "RW+"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + services = { + users = { + lass = "RW+"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + xmonad-config = { + users = { + lass = "RW+"; + uriel = "R"; + }; + }; + + }; + }; +} diff --git a/lass/2configs/mors/retiolum.nix b/lass/2configs/mors/retiolum.nix new file mode 100644 index 000000000..1148bee9c --- /dev/null +++ b/lass/2configs/mors/retiolum.nix @@ -0,0 +1,21 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../tv/retiolum + ]; + + tv.retiolum = { + enable = true; + hosts = ; + privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; + connectTo = [ + "fastpoke" + "gum" + "ire" + ]; + }; + + networking.firewall.allowedTCPPorts = [ 655 ]; + networking.firewall.allowedUDPPorts = [ 655 ]; +} 
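Review bot: `imports = [ ../lass/gitolite-base.nix ../common/krebs-keys.nix ../common/krebs-repos.nix ]` resolves relative to `lass/2configs/mors/`, i.e. to `lass/2configs/lass/gitolite-base.nix` and `lass/2configs/common/…`, but this commit creates the gitolite config at `lass/2configs/gitolite-base.nix` and no `common/` directory appears in the diffstat; these look like pre-port paths and the first should probably read `../gitolite-base.nix` (the `common` files I cannot locate from here). The string `extraConfig = "option hook.post-receive = irc-announce"` is repeated for seven repos; a `let announce = "option hook.post-receive = irc-announce"; in` binding would make it one definition.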
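Review bot: `hosts = ;` in `tv.retiolum` is not valid Nix — the attribute has no value — so mors/retiolum.nix cannot evaluate; the sibling `lass/2configs/retiolum.nix` in this commit uses `hosts = ../../Zhosts;`, which adjusted for the extra directory level (`../../../Zhosts`) is presumably what was meant. `imports = [ ../tv/retiolum ]` looks like a pre-port path as well, since from `lass/2configs/mors/` it points at `lass/2configs/tv/retiolum`, which this commit does not create. The file opens tinc's port 655 via `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` while base.nix and retiolum.nix use `lass.iptables` rules for the same purpose (steam.nix also uses `networking.firewall`); mixing the two mechanisms makes it hard to tell which rule set is active on a host, so a comment, or a single mechanism, would help.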
diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix new file mode 100644 index 000000000..809091b32 --- /dev/null +++ b/lass/2configs/new-repos.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../tv/lib { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out 
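Review bot: The collaborator rule in `make-rules` can never fire: `make-restricted-repo` takes `{ desc ? null, ... }` and returns only `name`, `desc` and `public`, so `collaborators` is dropped before `repos` is built, and `repos` is additionally stripped with `removeAttrs s ["collaborators"]` before `rules` is computed from it — `repo.collaborators or []` is therefore always `[]`, and `tv`/`makefu` get no fetch permission on `brain`. Carrying `collaborators` through `make-restricted-repo` and computing `rules` from the unstripped set (keeping `removeAttrs` only for what is exported as `repos`) fixes it; this assumes the `krebs.git` module only needs `name` from the `repo` objects inside a rule, which I cannot confirm from here. A comment on `optionalAttrs config.krebs.build.host.secure restricted-repos` explaining that non-public repos are only ever defined on hosts marked `secure` would also help.
```nix
  repos-with-collaborators =
    public-repos //
    optionalAttrs config.krebs.build.host.secure restricted-repos;

  # collaborators is only needed to derive rules; strip it from what krebs.git sees
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos-with-collaborators;

  rules = concatMap make-rules (attrValues repos-with-collaborators);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
  };

  # … unchanged: make-rules …
```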
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix new file mode 100644 index 000000000..33eca0a17 --- /dev/null +++ b/lass/2configs/pass.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + pass + gnupg1 + ]; + + services.xserver.startGnuPGAgent = true; +} diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix new file mode 100644 index 000000000..41d241bac --- /dev/null +++ b/lass/2configs/programs.nix @@ -0,0 +1,24 @@ +{ config, pkgs, ... }: + +## TODO sort and split up +{ + environment.systemPackages = with pkgs; [ + aria2 + gnupg1compat + htop + i3lock + mc + mosh + mpv + pass + pavucontrol + pv + pwgen + python34Packages.livestreamer + remmina + silver-searcher + wget + xsel + youtube-dl + ]; +} diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix new file mode 100644 index 000000000..95890f70e --- /dev/null +++ b/lass/2configs/retiolum.nix @@ -0,0 +1,28 @@ +{ ... }: + +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../tv/configs/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} diff --git a/lass/2configs/sshkeys.nix b/lass/2configs/sshkeys.nix new file mode 100644 index 000000000..114a2596b --- /dev/null +++ b/lass/2configs/sshkeys.nix 
@@ -0,0 +1,11 @@ +{ config, ... }: + +{ + imports = [ + ../../3modules/lass/sshkeys.nix + ]; + + config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; + + config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel"; +} diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix new file mode 100644 index 000000000..7d088fc6a --- /dev/null +++ b/lass/2configs/steam.nix @@ -0,0 +1,30 @@ +{ config, pkgs, ... }: + +{ + + imports = [ + ./games.nix + ]; + # + # Steam stuff + # source: https://nixos.org/wiki/Talk:Steam + # + ##TODO: make steam module + hardware.opengl.driSupport32Bit = true; + + nixpkgs.config.steam.java = true; + environment.systemPackages = with pkgs; [ + steam + ]; + networking.firewall = { + allowedUDPPorts = [ + 27031 + 27036 + ]; + allowedTCPPorts = [ + 27036 + 27037 + ]; + }; + +} diff --git a/lass/2configs/texlive.nix b/lass/2configs/texlive.nix new file mode 100644 index 000000000..295df31cd --- /dev/null +++ b/lass/2configs/texlive.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; }) + ]; +} diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix new file mode 100644 index 000000000..a2074ba02 --- /dev/null 
+++ b/lass/2configs/urxvt.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +let + inherit (config.users.extraUsers) mainUser; + +in + +{ + imports = [ + ../../3modules/lass/urxvtd.nix + ../../3modules/lass/xresources.nix + ]; + + services.urxvtd = { + enable = true; + users = [ mainUser.name ]; + urxvtPackage = pkgs.rxvt_unicode_with-plugins; + }; + services.xresources.enable = true; + services.xresources.resources.urxvt = '' + URxvt*scrollBar: false + URxvt*urgentOnBell: true + URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* + URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* + URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select + URxvt.url-select.launcher: browser-select + URxvt.url-select.underline: true + URxvt.keysym.M-u: perl:url-select:select_next + URxvt.keysym.M-Escape: perl:keyboard-select:activate + URxvt.keysym.M-s: perl:keyboard-select:search + + URxvt.intensityStyles: false + + URxvt*background: #000000 + URxvt*foreground: #ffffff + + !change unreadable blue + URxvt*color4: #268bd2 + ''; +} diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix new file mode 100644 index 000000000..3fe45e1d1 --- /dev/null +++ b/lass/2configs/vim.nix 
@@ -0,0 +1,118 @@ +{ config, pkgs, ... }: + +let + customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { + name = "Mustang2"; + src = pkgs.fetchFromGitHub { + owner = "croaker"; + repo = "mustang-vim"; + rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; + sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + }; + }; + +in { + + environment.systemPackages = [ + (pkgs.vim_configurable.customize { + name = "vim"; + + vimrcConfig.customRC = '' + set nocompatible + set t_Co=16 + syntax on + " TODO autoload colorscheme file + set background=dark + colorscheme mustang + filetype off + filetype plugin indent on + + imap + + set mouse=a + set ruler + set showmatch + set backspace=2 + set visualbell + set encoding=utf8 + set showcmd + set wildmenu + + set title + set titleold= + set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} + + set autoindent + + set ttyfast + + set pastetoggle= + + + " Force Saving Files that Require Root Permission + command! W silent w !sudo tee "%" >/dev/null + + nnoremap :q + vnoremap < >gv + + nmap q :buffer + + "Tabwidth + set ts=2 sts=2 sw=2 et + + " create Backup/tmp/undo dirs + function! InitBackupDir() + let l:parent = $HOME . '/.vim/' + let l:backup = l:parent . 'backups/' + let l:tmpdir = l:parent . 'tmp/' + let l:undodi = l:parent . 
'undo/' + + if !isdirectory(l:parent) + call mkdir(l:parent) + endif + if !isdirectory(l:backup) + call mkdir(l:backup) + endif + if !isdirectory(l:tmpdir) + call mkdir(l:tmpdir) + endif + if !isdirectory(l:undodi) + call mkdir(l:undodi) + endif + endfunction + call InitBackupDir() + + " Backups & Files + set backup + set backupdir=~/.vim/backups + set directory=~/.vim/tmp// + set viminfo='20,<1000,s100,h,n~/.vim/tmp/info + set undodir=$HOME/.vim/undo + set undofile + + " highlight whitespaces + highlight ExtraWhitespace ctermbg=red guibg=red + match ExtraWhitespace /\s\+$/ + autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ + autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@