From 2bc5c58d85990e483af8fde57ed5f2442351b69c Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 11 Jul 2015 19:44:12 +0200 Subject: move old stuff --- old/modules/cd/default.nix | 91 +++ old/modules/cd/networking.nix | 14 + old/modules/cd/paths.nix | 12 + old/modules/cd/users.nix | 53 ++ old/modules/cloudkrebs/default.nix | 69 +++ old/modules/cloudkrebs/networking.nix | 14 + old/modules/common/krebs-keys.nix | 18 + old/modules/common/krebs-repos.nix | 36 ++ old/modules/common/nixpkgs.nix | 25 + old/modules/common/sshkeys.nix | 26 + old/modules/lass/base.nix | 110 ++++ old/modules/lass/binary-caches.nix | 13 + old/modules/lass/bird.nix | 13 + old/modules/lass/bitcoin.nix | 17 + old/modules/lass/browsers.nix | 67 +++ old/modules/lass/chromium-patched.nix | 48 ++ old/modules/lass/desktop-base.nix | 37 ++ old/modules/lass/elster.nix | 20 + old/modules/lass/games.nix | 25 + old/modules/lass/gitolite-base.nix | 173 ++++++ old/modules/lass/ircd.nix | 83 +++ old/modules/lass/pass.nix | 10 + old/modules/lass/programs.nix | 24 + old/modules/lass/retiolum-cloudkrebs.nix | 21 + old/modules/lass/retiolum-mors.nix | 21 + old/modules/lass/retiolum-uriel.nix | 21 + old/modules/lass/sshkeys.nix | 11 + old/modules/lass/steam.nix | 29 + old/modules/lass/texlive.nix | 7 + old/modules/lass/urxvt.nix | 40 ++ old/modules/lass/urxvtd.nix | 55 ++ old/modules/lass/vim.nix | 116 ++++ old/modules/lass/virtualbox.nix | 22 + old/modules/lass/wine.nix | 23 + old/modules/lass/xresources.nix | 57 ++ old/modules/lass/xserver-lass.nix | 43 ++ old/modules/mkdir/default.nix | 86 +++ old/modules/mkdir/networking.nix | 14 + old/modules/mkdir/paths.nix | 12 + old/modules/mkdir/users.nix | 19 + old/modules/mors/default.nix | 283 +++++++++ old/modules/mors/git.nix | 71 +++ old/modules/mors/repos.nix | 78 +++ old/modules/mu/default.nix | 466 ++++++++++++++ old/modules/mu/paths.nix | 12 + old/modules/nomic/default.nix | 105 ++++ old/modules/nomic/hardware-configuration.nix | 49 ++ old/modules/nomic/paths.nix | 12 + old/modules/nomic/users.nix | 42 ++ old/modules/rmdir/default.nix | 
87 +++ old/modules/rmdir/networking.nix | 15 + old/modules/rmdir/paths.nix | 12 + old/modules/rmdir/users.nix | 19 + old/modules/tv/base-cac-CentOS-7-64bit.nix | 27 + old/modules/tv/base.nix | 16 + old/modules/tv/config/consul-client.nix | 9 + old/modules/tv/config/consul-server.nix | 22 + old/modules/tv/consul/default.nix | 121 ++++ old/modules/tv/ejabberd.nix | 867 +++++++++++++++++++++++++++ old/modules/tv/environment.nix | 93 +++ old/modules/tv/exim-retiolum.nix | 126 ++++ old/modules/tv/exim-smarthost.nix | 474 +++++++++++++++ old/modules/tv/git/cgit.nix | 93 +++ old/modules/tv/git/config.nix | 272 +++++++++ old/modules/tv/git/default.nix | 27 + old/modules/tv/git/options.nix | 93 +++ old/modules/tv/git/public.nix | 82 +++ old/modules/tv/identity/default.nix | 71 +++ old/modules/tv/iptables/config.nix | 93 +++ old/modules/tv/iptables/default.nix | 11 + old/modules/tv/iptables/options.nix | 29 + old/modules/tv/nginx/config.nix | 49 ++ old/modules/tv/nginx/default.nix | 11 + old/modules/tv/nginx/options.nix | 21 + old/modules/tv/retiolum/config.nix | 130 ++++ old/modules/tv/retiolum/default.nix | 11 + old/modules/tv/retiolum/options.nix | 87 +++ old/modules/tv/sanitize.nix | 12 + old/modules/tv/smartd.nix | 17 + old/modules/tv/synaptics.nix | 14 + old/modules/tv/urlwatch/default.nix | 158 +++++ old/modules/tv/urxvt.nix | 24 + old/modules/tv/users/default.nix | 67 +++ old/modules/tv/xserver.nix | 40 ++ old/modules/uriel/default.nix | 184 ++++++ old/modules/uriel/repos.nix | 78 +++ old/modules/wu/default.nix | 464 ++++++++++++++ old/modules/wu/hosts.nix | 22 + old/modules/wu/paths.nix | 12 + old/modules/wu/users.nix | 227 +++++++ 90 files changed, 7000 insertions(+) create mode 100644 old/modules/cd/default.nix create mode 100644 old/modules/cd/networking.nix create mode 100644 old/modules/cd/paths.nix create mode 100644 old/modules/cd/users.nix create mode 100644 old/modules/cloudkrebs/default.nix create mode 100644 old/modules/cloudkrebs/networking.nix create 
mode 100644 old/modules/common/krebs-keys.nix create mode 100644 old/modules/common/krebs-repos.nix create mode 100644 old/modules/common/nixpkgs.nix create mode 100644 old/modules/common/sshkeys.nix create mode 100644 old/modules/lass/base.nix create mode 100644 old/modules/lass/binary-caches.nix create mode 100644 old/modules/lass/bird.nix create mode 100644 old/modules/lass/bitcoin.nix create mode 100644 old/modules/lass/browsers.nix create mode 100644 old/modules/lass/chromium-patched.nix create mode 100644 old/modules/lass/desktop-base.nix create mode 100644 old/modules/lass/elster.nix create mode 100644 old/modules/lass/games.nix create mode 100644 old/modules/lass/gitolite-base.nix create mode 100644 old/modules/lass/ircd.nix create mode 100644 old/modules/lass/pass.nix create mode 100644 old/modules/lass/programs.nix create mode 100644 old/modules/lass/retiolum-cloudkrebs.nix create mode 100644 old/modules/lass/retiolum-mors.nix create mode 100644 old/modules/lass/retiolum-uriel.nix create mode 100644 old/modules/lass/sshkeys.nix create mode 100644 old/modules/lass/steam.nix create mode 100644 old/modules/lass/texlive.nix create mode 100644 old/modules/lass/urxvt.nix create mode 100644 old/modules/lass/urxvtd.nix create mode 100644 old/modules/lass/vim.nix create mode 100644 old/modules/lass/virtualbox.nix create mode 100644 old/modules/lass/wine.nix create mode 100644 old/modules/lass/xresources.nix create mode 100644 old/modules/lass/xserver-lass.nix create mode 100644 old/modules/mkdir/default.nix create mode 100644 old/modules/mkdir/networking.nix create mode 100644 old/modules/mkdir/paths.nix create mode 100644 old/modules/mkdir/users.nix create mode 100644 old/modules/mors/default.nix create mode 100644 old/modules/mors/git.nix create mode 100644 old/modules/mors/repos.nix create mode 100644 old/modules/mu/default.nix create mode 100644 old/modules/mu/paths.nix create mode 100644 old/modules/nomic/default.nix create mode 100644 
old/modules/nomic/hardware-configuration.nix create mode 100644 old/modules/nomic/paths.nix create mode 100644 old/modules/nomic/users.nix create mode 100644 old/modules/rmdir/default.nix create mode 100644 old/modules/rmdir/networking.nix create mode 100644 old/modules/rmdir/paths.nix create mode 100644 old/modules/rmdir/users.nix create mode 100644 old/modules/tv/base-cac-CentOS-7-64bit.nix create mode 100644 old/modules/tv/base.nix create mode 100644 old/modules/tv/config/consul-client.nix create mode 100644 old/modules/tv/config/consul-server.nix create mode 100644 old/modules/tv/consul/default.nix create mode 100644 old/modules/tv/ejabberd.nix create mode 100644 old/modules/tv/environment.nix create mode 100644 old/modules/tv/exim-retiolum.nix create mode 100644 old/modules/tv/exim-smarthost.nix create mode 100644 old/modules/tv/git/cgit.nix create mode 100644 old/modules/tv/git/config.nix create mode 100644 old/modules/tv/git/default.nix create mode 100644 old/modules/tv/git/options.nix create mode 100644 old/modules/tv/git/public.nix create mode 100644 old/modules/tv/identity/default.nix create mode 100644 old/modules/tv/iptables/config.nix create mode 100644 old/modules/tv/iptables/default.nix create mode 100644 old/modules/tv/iptables/options.nix create mode 100644 old/modules/tv/nginx/config.nix create mode 100644 old/modules/tv/nginx/default.nix create mode 100644 old/modules/tv/nginx/options.nix create mode 100644 old/modules/tv/retiolum/config.nix create mode 100644 old/modules/tv/retiolum/default.nix create mode 100644 old/modules/tv/retiolum/options.nix create mode 100644 old/modules/tv/sanitize.nix create mode 100644 old/modules/tv/smartd.nix create mode 100644 old/modules/tv/synaptics.nix create mode 100644 old/modules/tv/urlwatch/default.nix create mode 100644 old/modules/tv/urxvt.nix create mode 100644 old/modules/tv/users/default.nix create mode 100644 old/modules/tv/xserver.nix create mode 100644 old/modules/uriel/default.nix create mode 100644 
old/modules/uriel/repos.nix create mode 100644 old/modules/wu/default.nix create mode 100644 old/modules/wu/hosts.nix create mode 100644 old/modules/wu/paths.nix create mode 100644 old/modules/wu/users.nix (limited to 'old/modules')
diff --git a/old/modules/cd/default.nix b/old/modules/cd/default.nix
new file mode 100644
index 000000000..e3abd47ef
--- /dev/null
+++ b/old/modules/cd/default.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+let
+ inherit (builtins) readFile;
+in
+
+{
+ imports =
+ [
+ { users.extraUsers = import ; }
+ ./networking.nix
+ ./users.nix
+ ../tv/base.nix
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../tv/config/consul-server.nix
+ ../tv/ejabberd.nix # XXX echtes modul
+ ../tv/exim-smarthost.nix
+ ../tv/git/public.nix
+ ../tv/sanitize.nix
+ {
+ imports = [ ../tv/identity ];
+ tv.identity = {
+ enable = true;
+ self = config.tv.identity.hosts.cd;
+ };
+ }
+ {
+ imports = [ ../tv/iptables ];
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "tinc"
+ "smtp"
+ "xmpp-client"
+ "xmpp-server"
+ ];
+ input-retiolum-accept-new-tcp = [
+ "http"
+ ];
+ };
+ }
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = ;
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
+ ];
+
+ # "Developer 2" plan has two vCPUs.
+ nix.maxJobs = 2;
+
+ environment.systemPackages = with pkgs; [
+ git # required for ./deploy, clone_or_update
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ services.ejabberd-cd = {
+ enable = true;
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ sound.enable = false;
+}
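Review bot: `permitRootLogin = "yes";` in the `services.openssh` block leaves the password path to root open, while the only root credentials this tree configures are the authorized keys in old/modules/cd/users.nix; `permitRootLogin = "without-password";` keeps key-based root access and closes that path. The same setting appears in old/modules/cloudkrebs/default.nix. In the same block `bits = 8192` on an ed25519 host key is ignored (ed25519 keys are fixed-size, as the `# XXX bits here make no science` comment hints), so `{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }` says the same thing without the misleading number; old/modules/cloudkrebs/default.nix and old/modules/lass/base.nix carry the same entry. `import ;` and `hosts = ;` show no operand, which looks like angle-bracket paths dropped in rendering rather than in the source, so those two expressions are not reviewable here.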
diff --git a/old/modules/cd/networking.nix b/old/modules/cd/networking.nix
new file mode 100644
index 000000000..215e20829
--- /dev/null
+++ b/old/modules/cd/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "cd";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.219.7.216";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.219.7.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}
diff --git a/old/modules/cd/paths.nix b/old/modules/cd/paths.nix
new file mode 100644
index 000000000..f873912fb
--- /dev/null
+++ b/old/modules/cd/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/cd/nix;
+}
diff --git a/old/modules/cd/users.nix b/old/modules/cd/users.nix
new file mode 100644
index 000000000..656336d6c
--- /dev/null
+++ b/old/modules/cd/users.nix
@@ -0,0 +1,53 @@ +{ ... }: + +let + inherit (builtins) readFile; +in + +{ + users.extraGroups = { + + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + + }; + users.extraUsers = + { + root = { + openssh.authorizedKeys.keys = [ + (readFile ) + (readFile ) + ]; + }; + + mv = rec { + name = "mv"; + uid = 1338; + group = "users"; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + (readFile ) + ]; + }; + + }; + + users.mutableUsers = false; +} 
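Review bot: The seventeen pasted journal lines above `lock.gid = 10001;` bury the one fact a maintainer needs, which is why the group exists at all; a single comment such as `# systemd-tmpfiles' legacy.conf references group 'lock'; without it systemd-tmpfiles-setup.service fails at activation` carries the same information and is easier to keep current. The `(readFile )` calls under `openssh.authorizedKeys.keys` show no argument, which looks like angle-bracket paths lost in rendering rather than in the source, so the origin of the root and mv keys cannot be checked from this page. `users.mutableUsers = false` together with a fixed `uid = 1338` is the right shape for a declaratively managed host.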
diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix
new file mode 100644
index 000000000..938447e0e
--- /dev/null
+++ b/old/modules/cloudkrebs/default.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../lass/retiolum-cloudkrebs.nix
+ ./networking.nix
+ ../../secrets/cloudkrebs-pw.nix
+ ../lass/sshkeys.nix
+ ../lass/base.nix
+ ../common/nixpkgs.nix
+ ];
+
+ nixpkgs = {
+ url = "https://github.com/Lassulus/nixpkgs";
+ rev = "b42ecfb8c61e514bf7733b4ab0982d3e7e27dacb";
+ };
+
+ nix.maxJobs = 1;
+
+ #activationScripts
+ #split up and move into base
+
+ #TODO move into modules
+ users.extraUsers = {
+ #main user
+ root = {
+ openssh.authorizedKeys.keys = [
+ config.sshKeys.lass.pub
+ ];
+ };
+ mainUser = {
+ uid = 1337;
+ name = "lass";
+ #isNormalUser = true;
+ group = "users";
+ createHome = true;
+ home = "/home/lass";
+ useDefaultShell = true;
+ isSystemUser = false;
+ description = "lassulus";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ config.sshKeys.lass.pub
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ ];
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 22
+ ];
+ };
+
+}
diff --git a/old/modules/cloudkrebs/networking.nix b/old/modules/cloudkrebs/networking.nix
new file mode 100644
index 000000000..fc5007365
--- /dev/null
+++ b/old/modules/cloudkrebs/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "cloudkrebs";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "104.167.113.104";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "104.167.113.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}
diff --git a/old/modules/common/krebs-keys.nix b/old/modules/common/krebs-keys.nix
new file mode 100644
index 000000000..5e349338d
--- /dev/null
+++ b/old/modules/common/krebs-keys.nix
@@ -0,0 +1,18 @@
+# alle public keys der krebsminister fuer R in krebs repos
+{ config, ... }:
+
+let
+ inherit (builtins) readFile;
+in
+
+with import ../lass/sshkeys.nix {
+ config.sshKeys.lass.pub = config.sshKeys.lass.pub;
+ config.sshKeys.uriel.pub = config.sshKeys.uriel.pub;
+ };
+{
+ imports = [
+ ./sshkeys.nix
+ ];
+
+ config.sshKeys.tv.pub = readFile ;
+}
diff --git a/old/modules/common/krebs-repos.nix b/old/modules/common/krebs-repos.nix
new file mode 100644
index 000000000..86f373123
--- /dev/null
+++ b/old/modules/common/krebs-repos.nix
@@ -0,0 +1,36 @@
+{ lib, ... }:
+
+let
+ inherit (lib) mkDefault;
+
+ mkSecureRepo = name:
+ { inherit name;
+ value = {
+ users = {
+ lass = mkDefault "R";
+ tv = mkDefault "R";
+ makefu = mkDefault "R";
+ };
+ };
+ };
+
+ mkRepo = name:
+ { inherit name;
+ value = {
+ users = {
+ lass = mkDefault "R";
+ tv = mkDefault "R";
+ makefu = mkDefault "R";
+ };
+ };
+ };
+
+in {
+ services.gitolite.repos =
+ (lib.listToAttrs (map mkSecureRepo [ "brain" ])) //
+ (lib.listToAttrs (map mkRepo [
+ "painload"
+ "services"
+ "hosts"
+ ]));
+}
diff --git a/old/modules/common/nixpkgs.nix b/old/modules/common/nixpkgs.nix
new file mode 100644
index 000000000..486cf0207
--- /dev/null
+++ b/old/modules/common/nixpkgs.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options = {
+ nixpkgs.url = mkOption {
+ type = types.str;
+ description = "URL of the nixpkgs repository.";
+ };
+ nixpkgs.rev = mkOption {
+ type = types.str;
+ default = "origin/master";
+ description = "Revision of the remote repository.";
+ };
+ nixpkgs.dirty = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If nixpkgs.url is a local path, then use that as it is.
+ TODO this break if URL is not a local path.
+ '';
+ };
+ };
+}
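Review bot: The `with import ../lass/sshkeys.nix { ... };` prefix brings that module's attributes into scope, but nothing in the attribute set below references any of them, so as written it appears to contribute nothing to the resulting module (lass/sshkeys.nix is not in this chunk, so I cannot see what it returns). If the intent is to make the lass and uriel keys available next to `config.sshKeys.tv.pub`, adding `../lass/sshkeys.nix` to `imports` does that through the module system and drops the odd `config.sshKeys.lass.pub = config.sshKeys.lass.pub;` self-assignments. The final `readFile ;` has lost its path operand in this rendering, so where the tv key is read from cannot be checked here.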
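Review bot: `mkSecureRepo` and `mkRepo` have byte-identical bodies (lass, tv and makefu each get `mkDefault "R"`), so the `brain` repository singled out as secure ends up with exactly the access list of `painload`, `services` and `hosts`. If `brain` is meant to be more restricted, `mkSecureRepo` needs a different `users` set; if the split is only anticipatory, one function over a combined list avoids a name that promises a distinction the code does not make. At minimum a comment on `mkSecureRepo` should state the intent, e.g. `# same ACL as mkRepo for now; kept separate so brain can be tightened without touching the public repos`.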
diff --git a/old/modules/common/sshkeys.nix b/old/modules/common/sshkeys.nix
new file mode 100644
index 000000000..5f1c60668
--- /dev/null
+++ b/old/modules/common/sshkeys.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options = {
+ sshKeys = mkOption {
+ type = types.attrsOf (types.submodule (
+ { config, ... }:
+ {
+ options = {
+ pub = mkOption {
+ type = types.str;
+ description = "Public part of the ssh key.";
+ };
+
+ priv = mkOption {
+ type = types.str;
+ description = "Private part of the ssh key.";
+ };
+ };
+ }));
+ description = "collection of ssh-keys";
+ };
+ };
+}
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
new file mode 100644
index 000000000..3a8d879eb
--- /dev/null
+++ b/old/modules/lass/base.nix
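Review bot: The `priv` option is declared as `types.str` with the description `Private part of the ssh key.`, which invites private key material into the evaluated configuration; any module that later hands the value to `pkgs.writeText` or interpolates it into a derivation copies it into the world-readable Nix store. No hunk in this chunk assigns `priv`, so it may be unused, but the description should carry the warning: `description = "Private part of the ssh key. Never reference this from a derivation: the value would end up in the world-readable store."`. A safer contract is a string holding an on-disk path to the key, the way `privateKeyFile` is used in old/modules/lass/retiolum-mors.nix, rather than the key contents.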
@@ -0,0 +1,110 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./sshkeys.nix + ]; + + nix.useChroot = true; + + users.mutableUsers = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + PAGER=most + ''; + + environment.systemPackages = with pkgs; [ + git + most + rxvt_unicode.terminfo + + #network + iptables + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.gitolite = { + enable = true; + dataDir = "/home/gitolite"; + adminPubkey = config.sshKeys.lass.pub; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 + ]; + + extraCommands = '' + iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + iptables -A INPUT -j ACCEPT -i lo + iptables -A INPUT -j ACCEPT -p icmp + + #iptables -N Retiolum + iptables -A INPUT -j Retiolum -i retiolum + iptables -A Retiolum -j ACCEPT -m conntrack --ctstate 
RELATED,ESTABLISHED + iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset + iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + iptables -A Retiolum -j REJECT + ''; + + extraStopCommands = "iptables -F"; + }; +} diff --git a/old/modules/lass/binary-caches.nix b/old/modules/lass/binary-caches.nix new file mode 100644 index 000000000..c2727520d --- /dev/null +++ b/old/modules/lass/binary-caches.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + nix.sshServe.enable = true; + nix.sshServe.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" + ]; + nix.binaryCaches = [ + #"scp://nix-ssh@mors" + #"scp://nix-ssh@uriel" + ]; +} diff --git a/old/modules/lass/bird.nix b/old/modules/lass/bird.nix new file mode 100644 index 000000000..3fc265cd7 --- /dev/null +++ b/old/modules/lass/bird.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + config.services.bird = { + enable = true; + config = '' + router id 192.168.122.1; + protocol device { + scan time 10; + } + ''; + }; +} diff --git a/old/modules/lass/bitcoin.nix b/old/modules/lass/bitcoin.nix new file mode 100644 index 000000000..d3bccbf5c --- /dev/null +++ b/old/modules/lass/bitcoin.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + electrum + ]; + + users.extraUsers = { + bitcoin = { + name = "bitcoin"; + description = "user for bitcoin stuff"; + home = "/home/bitcoin"; + useDefaultShell = true; + createHome = true; + }; + }; +} diff --git a/old/modules/lass/browsers.nix b/old/modules/lass/browsers.nix new file mode 100644 index 000000000..8aecea925 --- /dev/null +++ b/old/modules/lass/browsers.nix 
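Review bot: In `networking.firewall.extraCommands` the line `#iptables -N Retiolum` is commented out, yet the next line appends `-j Retiolum` to INPUT and the four after it append to the `Retiolum` chain, so unless another module creates that chain first (the retiolum modules in the diffstat are not in this chunk, so I cannot tell) every one of those commands fails. If the `-N` was commented out because it errors with "chain already exists" on a firewall restart, `iptables -N Retiolum 2>/dev/null || iptables -F Retiolum` handles both the first and later runs; if the chain is owned elsewhere, say so: `# Retiolum chain is created by <owning module>`. `extraStopCommands = "iptables -F"` flushes rules but does not delete user chains, so a matching `iptables -X Retiolum` belongs there if this file owns the chain. The hunk begins on L12, but the module's attribute set is complete within L12–L13.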
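Review bot: `nix.binaryCaches = [ ];` is a definition, and as far as I can tell from the module system a definition replaces the option's default rather than merging with it, so this drops the default public cache and makes the host build every package locally; the two commented `scp://nix-ssh@...` entries suggest the list was meant to hold the ssh caches, not to be empty. If local-only builds are intended, a comment such as `# intentionally empty: build everything locally, no public cache` makes that explicit; otherwise remove the attribute until the scp caches are enabled. The `nix.sshServe.keys` entries are public keys, so there is nothing sensitive in this file.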
@@ -0,0 +1,67 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + + nixpkgs.config.packageOverrides = pkgs : { + chromium = pkgs.chromium.override { + pulseSupport = true; + }; + }; + + environment.systemPackages = with pkgs; [ + firefox + ]; + + users.extraUsers = { + firefox = { + name = "firefox"; + description = "user for running firefox"; + home = "/home/firefox"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + chromium = { + name = "chromium"; + description = "user for running chromium"; + home = "/home/chromium"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + facebook = { + name = "facebook"; + description = "user for running facebook in chromium"; + home = "/home/facebook"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + google = { + name = "google"; + description = "user for running google+/gmail in chromium"; + home = "/home/google"; + useDefaultShell = true; + createHome = true; + }; + flash = { + name = "flash"; + description = "user for running flash stuff"; + home = "/home/flash"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + }; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(firefox) NOPASSWD: ALL + ${mainUser.name} ALL=(chromium) NOPASSWD: ALL + ${mainUser.name} ALL=(facebook) NOPASSWD: ALL + ${mainUser.name} ALL=(google) NOPASSWD: ALL + ${mainUser.name} ALL=(flash) NOPASSWD: ALL + ''; +} diff --git a/old/modules/lass/chromium-patched.nix b/old/modules/lass/chromium-patched.nix new file mode 100644 index 000000000..715181778 --- /dev/null +++ b/old/modules/lass/chromium-patched.nix 
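Review bot: The five `security.sudo.extraConfig` lines repeat the same `${mainUser.name} ALL=(<user>) NOPASSWD: ALL` rule per browser account, and each account in `users.extraUsers` repeats the same `useDefaultShell`/`createHome` shape; keeping the account names in one list and deriving the sudo rules from it means adding a sandbox user cannot silently miss its rule (or keep one for a user that was removed). The `google` account is the only one without `extraGroups = [ "audio" ]`, which may be deliberate but deserves a comment either way. Rules of the form `ALL=(firefox) NOPASSWD: ALL` intentionally give the main user a full shell as each sandbox account, which is the point of the pattern; a header comment saying so would help the next reader.
```nix
let
  mainUser = config.users.extraUsers.mainUser;
  # Accounts the main user may switch to without a password; each runs one browser profile.
  browserUsers = [ "firefox" "chromium" "facebook" "google" "flash" ];
in {
  # … unchanged: packageOverrides, systemPackages, users.extraUsers …
  security.sudo.extraConfig = pkgs.lib.concatMapStrings (u: ''
    ${mainUser.name} ALL=(${u}) NOPASSWD: ALL
  '') browserUsers;
}
```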
@@ -0,0 +1,48 @@ +{ config, pkgs, ... }: + +#settings to test: +# + #"ForceEphemeralProfiles": true, +let + masterPolicy = pkgs.writeText "master.json" '' + { + "PasswordManagerEnabled": false, + "DefaultGeolocationSetting": 2, + "RestoreOnStartup": 1, + "AutoFillEnabled": false, + "BackgroundModeEnabled": false, + "DefaultBrowserSettingEnabled": false, + "SafeBrowsingEnabled": false, + "ExtensionInstallForcelist": [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", + "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" + ] + } + ''; + + master_preferences = pkgs.writeText "master_preferences" '' + { + "browser": { + "custom_chrome_frame": true + }, + + "extensions": { + "theme": { + "id": "", + "use_system": true + } + } + } + ''; +in { + environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; + + environment.systemPackages = [ + #pkgs.chromium + (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { + buildCommand = attrs.buildCommand + '' + touch $out/TEST123 + ''; + })) + ]; +} diff --git a/old/modules/lass/desktop-base.nix b/old/modules/lass/desktop-base.nix new file mode 100644 index 000000000..94184548e --- /dev/null +++ b/old/modules/lass/desktop-base.nix @@ -0,0 +1,37 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./base.nix + ]; + + time.timeZone = "Europe/Berlin"; + + virtualisation.libvirtd.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + programs.ssh.startAgent = false; + + security.setuidPrograms = [ "slock" ]; + + services.printing = { + enable = true; + drivers = [ pkgs.foomatic_filters ]; + }; + + environment.systemPackages = with pkgs; [ + + powertop + + #window manager stuff + haskellPackages.xmobar + haskellPackages.yeganesh + dmenu2 + xlibs.fontschumachermisc + ]; + +} diff --git a/old/modules/lass/elster.nix b/old/modules/lass/elster.nix new file mode 100644 index 000000000..1edd01896 --- /dev/null 
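Review bot: The `overrideDerivation` at the end of `environment.systemPackages` changes chromium's build only by appending `touch $out/TEST123`, which reads as a leftover experiment: it forces a full local rebuild of chromium for a marker file nothing consumes, so either drop the override in favour of the commented `#pkgs.chromium` or comment what the rebuild is for. The managed policy turns off `SafeBrowsingEnabled` and `PasswordManagerEnabled` without a word on why; since disabling Safe Browsing also disables the phishing and malicious-download warnings, the trade-off belongs in a comment, e.g. `# SafeBrowsing off: no URL lookups to Google; phishing/download warnings are lost as a consequence`. The `#settings to test:` block at the top is a third place where intent is implied rather than stated.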
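Review bot: `hardware.pulseaudio.systemWide = true;` runs a single PulseAudio daemon for every user, which the PulseAudio documentation discourages outside embedded setups because all members of the `audio` group share one sound server, including its capture sources; the sandbox accounts in old/modules/lass/browsers.nix and old/modules/lass/games.nix are all in `audio`, so this weakens the separation those accounts are meant to provide. If system-wide mode is what makes sound work for those sudo-switched users, a comment should say so: `# systemWide: the sudo-isolated browser/game users must reach the same sound server`. `security.setuidPrograms = [ "slock" ]` is the usual requirement for slock and merits the same one-line why.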
+++ b/old/modules/lass/elster.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+let
+ mainUser = config.users.extraUsers.mainUser;
+
+in {
+ users.extraUsers = {
+ elster = {
+ name = "elster";
+ description = "user for running elster-online";
+ home = "/home/elster";
+ useDefaultShell = true;
+ extraGroups = [];
+ createHome = true;
+ };
+ };
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(elster) NOPASSWD: ALL
+ '';
+}
diff --git a/old/modules/lass/games.nix b/old/modules/lass/games.nix
new file mode 100644
index 000000000..6043a8759
--- /dev/null
+++ b/old/modules/lass/games.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+let
+ mainUser = config.users.extraUsers.mainUser;
+
+in {
+ environment.systemPackages = with pkgs; [
+ dwarf_fortress
+ ];
+
+ users.extraUsers = {
+ games = {
+ name = "games";
+ description = "user playing games";
+ home = "/home/games";
+ extraGroups = [ "audio" "video" "input" ];
+ createHome = true;
+ useDefaultShell = true;
+ };
+ };
+
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(games) NOPASSWD: ALL
+ '';
+}
diff --git a/old/modules/lass/gitolite-base.nix b/old/modules/lass/gitolite-base.nix
new file mode 100644
index 000000000..b47629956
--- /dev/null
+++ b/old/modules/lass/gitolite-base.nix
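Review bot: The `games` account is put in the `input` group, which on systems where udev assigns `/dev/input/*` to that group grants read access to the raw event stream of every keyboard and mouse, not just devices used by its own session; for an account that exists to be a sandbox reached via `sudo -u games` from the main user, that is a considerably broader grant than the `audio` and `video` memberships beside it. If a particular game needs event devices (gamepads are the usual reason), name it in a comment, e.g. `# input: dwarf_fortress needs evdev gamepad access`, and prefer a udev rule scoped to those devices over blanket group membership. The rest of the account mirrors old/modules/lass/elster.nix, which keeps `extraGroups = []`.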
@@ -0,0 +1,173 @@ +{ config, ... }: + +{ + services.gitolite = { + mutable = false; + keys = { + lass = config.sshKeys.lass.pub; + uriel = config.sshKeys.uriel.pub; + }; + rc = '' + %RC = ( + UMASK => 0077, + GIT_CONFIG_KEYS => "", + LOG_EXTRA => 1, + ROLES => { + READERS => 1, + WRITERS => 1, + }, + LOCAL_CODE => "$ENV{HOME}/.gitolite", + ENABLE => [ + 'help', + 'desc', + 'info', + 'perms', + 'writable', + 'ssh-authkeys', + 'git-config', + 'daemon', + 'gitweb', + 'repo-specific-hooks', + ], + ); + 1; + ''; + + repoSpecificHooks = { + irc-announce = '' + #! /bin/sh + set -euf + + config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" + if test -f "$config_file"; then + . "$config_file" + fi + + # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update + # any relevant gitolite LOCAL_CODE! + # CAVEAT we hope that IRC_NICK is unique + IRC_NICK="''${IRC_NICK-gl$GL_TID}" + IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" + IRC_SERVER="''${IRC_SERVER-ire.retiolum}" + IRC_PORT="''${IRC_PORT-6667}" + + # for privmsg_cat below + export IRC_CHANNEL + + # collect users that are mentioned in the gitolite configuration + interested_users="$(perl -e ' + do "gl-conf"; + print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); + ')" + + # CAVEAT beware of real TABs in grep pattern! + # CAVEAT there will never be more than 42 relevant log entries! 
+ tab=$(printf '\x09') + log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" + + update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" + + # (debug output) + env | sed 's/^/env: /' + echo "$log" | sed 's/^/log: /' + + # see http://gitolite.com/gitolite/dev-notes.html#lff + reponame=$(echo "$update_log" | cut -f 4) + username=$(echo "$update_log" | cut -f 5) + ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') + old_sha=$(echo "$update_log" | cut -f 8) + new_sha=$(echo "$update_log" | cut -f 9) + + # check if new branch is created + if test $old_sha = 0000000000000000000000000000000000000000; then + # TODO what should we really show? + old_sha=$new_sha^ + fi + + # + git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" + commit_count=$(echo "$git_log" | wc -l) + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. (debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + # + # + # + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + echo "$interested_users" \ + | tr ' ' '\n' \ + | grep -v "^$GL_USER" \ + | sed 's/$/: poke/' \ + | privmsg_cat \ + | cat2 + + printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ + "$reponame" \ + "$username" \ + "$commit_count" \ + "$(test $commit_count 
= 1 || echo s)" \ + "$(hostname)" \ + "$ref_name" \ + | privmsg_cat \ + | cat2 + + echo "$git_log" \ + | sed 's/^/\x0314/;s/ /\x03 /' \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + }; + customFiles = [ + { + path = ".gitolite/conf/irc-announce.conf"; + file = '' + IRC_NICK="$(hostname)$GL_TID" + case "$GL_REPO" in + brain|painload|services|load-env|config) + IRC_CHANNEL='#retiolum' + ;; + *) + IRC_CHANNEL='&testing' + ;; + esac + ''; + } + ]; + }; +} diff --git a/old/modules/lass/ircd.nix b/old/modules/lass/ircd.nix new file mode 100644 index 000000000..3c9e25718 --- /dev/null +++ b/old/modules/lass/ircd.nix 
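Review bot: The two `# (debug output)` lines in the irc-announce hook, `env | sed 's/^/env: /'` and `echo "$log" | sed 's/^/log: /'`, write the hook's complete environment and the matching gitolite log lines to stderr, which reaches the pushing client; the environment contains more than the GL_* values the hook needs, so this should be removed or gated, e.g. `if test -n "''${IRC_ANNOUNCE_DEBUG-}"; then env | sed 's/^/env: /' >&2; fi`. `commit_count=$(echo "$git_log" | wc -l)` yields 1 when `$git_log` is empty, because an empty echo is still one line, so a push with no new commits on the ref is announced as "1 new commit"; `commit_count=$(printf '%s' "$git_log" | grep -c .)` counts only non-empty lines. `mktemp -d irc-announce_XXXXXXXX` uses a relative template and therefore creates the fifo directory in the hook's current directory rather than under `$TMPDIR`; `mktemp -d -t irc-announce.XXXXXXXX` keeps it out of the repository. The hunk spans L17–L19 and the `rc`/`repoSpecificHooks` strings are complete within it.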
@@ -0,0 +1,83 @@
+{ config, pkgs, ... }:
+
+{
+ config.services.charybdis = {
+ enable = true;
+ config = ''
+ serverinfo {
+ name = "ire.irc.retiolum";
+ sid = "4z3";
+ description = "miep!";
+ network_name = "irc.retiolum";
+ network_desc = "Retiolum IRC Network";
+ hub = yes;
+
+ vhost = "0.0.0.0";
+ vhost6 = "::";
+
+ #ssl_private_key = "etc/ssl.key";
+ #ssl_cert = "etc/ssl.cert";
+ #ssl_dh_params = "etc/dh.pem";
+ #ssld_count = 1;
+
+ #default_max_clients = 1024;
+ #nicklen = 30;
+ };
+
+ listen {
+ defer_accept = yes;
+
+ /* If you want to listen on a specific IP only, specify host.
+ * host definitions apply only to the following port line.
+ */
+ host = "0.0.0.0";
+ port = 6667;
+ sslport = 6697;
+
+ /* Listen on IPv6 (if you used host= above). */
+ host = "::";
+ port = 6667;
+ sslport = 9999;
+ };
+
+ auth {
+ user = "*@*";
+ class = "users";
+ };
+
+ class "users" {
+ ping_time = 2 minutes;
+ number_per_ident = 10;
+ number_per_ip = 10;
+ number_per_ip_global = 50;
+ cidr_ipv4_bitlen = 24;
+ cidr_ipv6_bitlen = 64;
+ number_per_cidr = 200;
+ max_number = 3000;
+ sendq = 400 kbytes;
+ };
+
+ channel {
+ use_invex = yes;
+ use_except = yes;
+ use_forward = yes;
+ use_knock = yes;
+ knock_delay = 5 minutes;
+ knock_delay_channel = 1 minute;
+ max_chans_per_user = 15;
+ max_bans = 100;
+ max_bans_large = 500;
+ default_split_user_count = 0;
+ default_split_server_count = 0;
+ no_create_on_split = no;
+ no_join_on_split = no;
+ burst_topicwho = yes;
+ kick_on_split_riding = no;
+ only_ascii_channels = no;
+ resv_forcepart = yes;
+ channel_target_change = yes;
+ disable_local_channels = no;
+ };
+ '';
+ };
+}
diff --git a/old/modules/lass/pass.nix b/old/modules/lass/pass.nix
new file mode 100644
index 000000000..33eca0a17
--- /dev/null
+++ b/old/modules/lass/pass.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ pass
+ gnupg1
+ ];
+
+ services.xserver.startGnuPGAgent = true;
+}
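Review bot: The `auth { user = "*@*"; class = "users"; }` block together with `host = "0.0.0.0"` and `host = "::"` in `listen` accepts unauthenticated clients from any address, so exposure of port 6667 is decided entirely by whatever firewall rules happen to apply on the host; if this server is meant for the retiolum network only, bind `host` to the retiolum address or restrict the port in `networking.firewall`. `sslport = 6697;` and `sslport = 9999;` are configured while `ssl_private_key`, `ssl_cert` and `ssl_dh_params` stay commented out, so the SSL listeners presumably cannot come up — either drop the `sslport` lines or provide the key material. A comment above `auth` stating the intended audience, e.g. `/* open auth: intended to be reachable via retiolum only */`, would make the choice reviewable later.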
diff --git a/old/modules/lass/programs.nix b/old/modules/lass/programs.nix
new file mode 100644
index 000000000..41d241bac
--- /dev/null
+++ b/old/modules/lass/programs.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+## TODO sort and split up
+{
+ environment.systemPackages = with pkgs; [
+ aria2
+ gnupg1compat
+ htop
+ i3lock
+ mc
+ mosh
+ mpv
+ pass
+ pavucontrol
+ pv
+ pwgen
+ python34Packages.livestreamer
+ remmina
+ silver-searcher
+ wget
+ xsel
+ youtube-dl
+ ];
+}
diff --git a/old/modules/lass/retiolum-cloudkrebs.nix b/old/modules/lass/retiolum-cloudkrebs.nix
new file mode 100644
index 000000000..1f035271d
--- /dev/null
+++ b/old/modules/lass/retiolum-cloudkrebs.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/retiolum.nix
+ ];
+
+ services.retiolum = {
+ enable = true;
+ hosts = ../../hosts;
+ privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "gum"
+ "ire"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+}
diff --git a/old/modules/lass/retiolum-mors.nix b/old/modules/lass/retiolum-mors.nix
new file mode 100644
index 000000000..61a7856c1
--- /dev/null
+++ b/old/modules/lass/retiolum-mors.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/retiolum.nix
+ ];
+
+ services.retiolum = {
+ enable = true;
+ hosts = ../../hosts;
+ privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "gum"
+ "ire"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+}
diff --git a/old/modules/lass/retiolum-uriel.nix b/old/modules/lass/retiolum-uriel.nix
new file mode 100644
index 000000000..11dc61c11
--- /dev/null
+++ b/old/modules/lass/retiolum-uriel.nix
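Review bot: retiolum-cloudkrebs.nix, retiolum-mors.nix and retiolum-uriel.nix (the next hunk) are identical except for the host name embedded in `privateKeyFile`, so a single module deriving the path from `config.networking.hostName` would remove the triplication and keep the three key paths from drifting apart. `privateKeyFile` correctly references a path outside the Nix store rather than the key content, but nothing documents the expected ownership and mode of `/etc/nixos/secrets/*.retiolum.rsa_key.priv`; a one-line comment such as `# must be readable by the tinc daemon only; never inline it into the store` would help the next reader. The two firewall lines deserve a comment naming the protocol they serve, e.g. `networking.firewall.allowedTCPPorts = [ 655 ]; # tinc`.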
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/retiolum.nix
+ ];
+
+ services.retiolum = {
+ enable = true;
+ hosts = ../../hosts;
+ privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "gum"
+ "ire"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+}
diff --git a/old/modules/lass/sshkeys.nix b/old/modules/lass/sshkeys.nix
new file mode 100644
index 000000000..f2b0786e5
--- /dev/null
+++ b/old/modules/lass/sshkeys.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+
+{
+ imports = [
+ ../common/sshkeys.nix
+ ];
+
+ config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
+
+ config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel";
+}
diff --git a/old/modules/lass/steam.nix b/old/modules/lass/steam.nix
new file mode 100644
index 000000000..d54873b1f
--- /dev/null
+++ b/old/modules/lass/steam.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+{
+
+ imports = [
+ ./games.nix
+ ];
+ #
+ # Steam stuff
+ # source: https://nixos.org/wiki/Talk:Steam
+ #
+ ##TODO: make steam module
+ hardware.opengl.driSupport32Bit = true;
+
+ environment.systemPackages = with pkgs; [
+ steam
+ ];
+ networking.firewall = {
+ allowedUDPPorts = [
+ 27031
+ 27036
+ ];
+ allowedTCPPorts = [
+ 27036
+ 27037
+ ];
+ };
+
+}
diff --git a/old/modules/lass/texlive.nix b/old/modules/lass/texlive.nix
new file mode 100644
index 000000000..295df31cd
--- /dev/null
+++ b/old/modules/lass/texlive.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; })
+ ];
+}
diff --git a/old/modules/lass/urxvt.nix b/old/modules/lass/urxvt.nix
new file mode 100644
index 000000000..889f768ac
--- /dev/null
+++ b/old/modules/lass/urxvt.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+let
+ inherit (config.users.extraUsers) mainUser;
+
+in
+
+{
+ imports = [
+ ./urxvtd.nix
+ ./xresources.nix
+ ];
+
+ services.urxvtd = {
+ enable = true;
+ users = [ mainUser.name ];
+ urxvtPackage = pkgs.rxvt_unicode_with-plugins;
+ };
+ services.xresources.enable = true;
+ services.xresources.resources.urxvt = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
+ URxvt.url-select.launcher: browser-select
+ URxvt.url-select.underline: true
+ URxvt.keysym.M-u: perl:url-select:select_next
+ URxvt.keysym.M-Escape: perl:keyboard-select:activate
+ URxvt.keysym.M-s: perl:keyboard-select:search
+
+ URxvt.intensityStyles: false
+
+ URxvt*background: #000000
+ URxvt*foreground: #ffffff
+
+ !change unreadable blue
+ URxvt*color4: #268bd2
+ '';
+}
diff --git a/old/modules/lass/urxvtd.nix b/old/modules/lass/urxvtd.nix
new file mode 100644
index 000000000..469616a9f
--- /dev/null
+++ b/old/modules/lass/urxvtd.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+in
+
+with builtins;
+with lib;
+
+{
+ options = {
+ services.urxvtd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable urxvtd per user";
+ };
+ users = mkOption {
+ type = types.listOf types.string;
+ default = [];
+ description = "users to run urxvtd for";
+ };
+ urxvtPackage = mkOption {
+ type = types.package;
+ default = pkgs.rxvt_unicode;
+ description = "urxvt package to use";
+ };
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.urxvtd;
+ users = cfg.users;
+ urxvt = cfg.urxvtPackage;
+ mkService = user: {
+ description = "urxvt terminal daemon";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ path = [ pkgs.xlibs.xrdb ];
+ environment = {
+ DISPLAY = ":0";
+ URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
+ };
+ serviceConfig = {
+ Restart = "always";
+ User = user;
+ ExecStart = "${urxvt}/bin/urxvtd";
+ };
+ };
+ in
+ mkIf cfg.enable {
+ environment.systemPackages = [ urxvt ];
+ systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+ };
+}
diff --git a/old/modules/lass/vim.nix b/old/modules/lass/vim.nix
new file mode 100644
index 000000000..e1cff0d24
--- /dev/null
+++ b/old/modules/lass/vim.nix
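Review bot: `mkService` hard-codes `DISPLAY = ":0"` and pairs `Restart = "always"` with `wantedBy = [ "multi-user.target" ]`, so on a host where no X server is up on `:0` yet the daemon presumably exits and is restarted in a tight loop; a `serviceConfig.RestartSec` value and an `after = [ "display-manager.service" ]` ordering would avoid that, and the display should arguably be an option rather than a constant. The empty `let in` at the top of the module is dead and can be dropped. The `enable` description (`Enable urxvtd per user`) would be more useful if it stated what the module actually does: one system unit named `<user>-urxvtd`, running as that user, is created per entry of `users`.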
@@ -0,0 +1,116 @@ +{ config, pkgs, ... }: + +let + customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { + name = "Mustang2"; + src = pkgs.fetchFromGitHub { + owner = "croaker"; + repo = "mustang-vim"; + rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; + sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + }; + }; + +in { + + environment.systemPackages = [ + (pkgs.vim_configurable.customize { + name = "vim"; + + vimrcConfig.customRC = '' + set nocompatible + set t_Co=16 + syntax on + " TODO autoload colorscheme file + set background=dark + colorscheme mustang + filetype off + filetype plugin indent on + + imap + + set mouse=a + set ruler + set showmatch + set backspace=2 + set visualbell + set encoding=utf8 + set showcmd + set wildmenu + + set title + set titleold= + set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} + + set autoindent + + set ttyfast + + set pastetoggle= + + + " Force Saving Files that Require Root Permission + command! W silent w !sudo tee "%" >/dev/null + + nnoremap :q + vnoremap < >gv + + "Tabwidth + set ts=2 sts=2 sw=2 et + + " create Backup/tmp/undo dirs + function! InitBackupDir() + let l:parent = $HOME . '/.vim/' + let l:backup = l:parent . 'backups/' + let l:tmpdir = l:parent . 'tmp/' + let l:undodi = l:parent . 
'undo/' + + if !isdirectory(l:parent) + call mkdir(l:parent) + endif + if !isdirectory(l:backup) + call mkdir(l:backup) + endif + if !isdirectory(l:tmpdir) + call mkdir(l:tmpdir) + endif + if !isdirectory(l:undodi) + call mkdir(l:undodi) + endif + endfunction + call InitBackupDir() + + " Backups & Files + set backup + set backupdir=~/.vim/backups + set directory=~/.vim/tmp// + set viminfo='20,<1000,s100,h,n~/.vim/tmp/info + set undodir=$HOME/.vim/undo + set undofile + + " highlight whitespaces + highlight ExtraWhitespace ctermbg=red guibg=red + match ExtraWhitespace /\s\+$/ + autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ + autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@; } + ./networking.nix + ./users.nix + ../tv/base.nix + ../tv/base-cac-CentOS-7-64bit.nix + ../tv/config/consul-server.nix + ../tv/exim-smarthost.nix + ../tv/git/public.nix + ../tv/sanitize.nix + { + imports = [ ../tv/identity ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.mkdir; + }; + } + { + imports = [ ../tv/iptables ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../tv/retiolum ]; + tv.retiolum = { + enable = true; + hosts = ; + connectTo = [ + "cd" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + nix.maxJobs = 1; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + sound.enable = false; +} 
diff --git a/old/modules/mkdir/networking.nix b/old/modules/mkdir/networking.nix
new file mode 100644
index 000000000..c75e33a1b
--- /dev/null
+++ b/old/modules/mkdir/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "mkdir";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.248.167.241";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.248.167.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}
diff --git a/old/modules/mkdir/paths.nix b/old/modules/mkdir/paths.nix
new file mode 100644
index 000000000..f873912fb
--- /dev/null
+++ b/old/modules/mkdir/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/cd/nix;
+}
diff --git a/old/modules/mkdir/users.nix b/old/modules/mkdir/users.nix
new file mode 100644
index 000000000..82f078b4e
--- /dev/null
+++ b/old/modules/mkdir/users.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+let
+ inherit (builtins) readFile;
+in
+
+{
+ users.extraUsers =
+ {
+ root = {
+ openssh.authorizedKeys.keys = [
+ (readFile )
+ (readFile )
+ ];
+ };
+ };
+
+ users.mutableUsers = false;
+}
diff --git a/old/modules/mors/default.nix b/old/modules/mors/default.nix
new file mode 100644
index 000000000..d83d6abc9
--- /dev/null
+++ b/old/modules/mors/default.nix
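Review bot: `secrets.file.url = ../../secrets/cd/nix;` in mkdir's paths.nix points at the `cd` host's secrets directory rather than an mkdir-specific one, which looks like a leftover from copying another host's paths file; if sharing cd's secrets is intended, a comment on that line should say so, otherwise it should reference mkdir's own directory (e.g. `../../secrets/<mkdir-secrets-dir>/nix`, placeholder — use whatever directory actually exists). The nixpkgs pin is by `rev` alone with no content hash, so reproducibility rests on the integrity of the git mirror in `cache`; a comment noting that this is deliberate would help. The hunk touches no other behaviour, so no further change is needed here.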
@@ -0,0 +1,283 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../lass/xresources.nix + ../lass/desktop-base.nix + ../lass/programs.nix + ../lass/retiolum-mors.nix + ../lass/xserver-lass.nix + ../tv/synaptics.nix + ../lass/bitcoin.nix + ../lass/browsers.nix + ../lass/games.nix + ../tv/exim-retiolum.nix + ../lass/pass.nix + ../lass/vim.nix + ../lass/virtualbox.nix + ../lass/elster.nix + ../lass/urxvt.nix + ../lass/steam.nix + ../lass/wine.nix + ../lass/texlive.nix + ../common/nixpkgs.nix + ../lass/binary-caches.nix + ../lass/ircd.nix + ../../secrets/mors-pw.nix + ./repos.nix + ../lass/chromium-patched.nix + ./git.nix + ]; + + nixpkgs = { + url = "https://github.com/Lassulus/nixpkgs"; + rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530"; + }; + + networking.hostName = "mors"; + networking.wireless.enable = true; + + networking.extraHosts = '' + ''; + + nix.maxJobs = 4; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + boot = { + kernelParams = [ + "acpi.brightness_switch_enabled=0" + ]; + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/big/nix"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + + "/mnt/loot" = { + device = "/dev/big/loot"; + fsType = "ext4"; + }; + + "/home" = { + device = "/dev/big/home"; + fsType = "ext4"; + }; + + "/home/lass" = { + device = "/dev/big/home-lass"; + fsType = "ext4"; + }; + + "/mnt/backups" = { + device = "/dev/big/backups"; + fsType = "ext4"; + }; + + "/home/games/.local/share/Steam" = { + device = "/dev/big/steam"; + fsType = "ext4"; + }; + + "/home/virtual/virtual" = { + device = "/dev/big/virtual"; + 
fsType = "ext4"; + }; + + "/mnt/public" = { + device = "/dev/big/public"; + fsType = "ext4"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; + + #activationScripts + #split up and move into base + system.activationScripts.powertopTunables = '' + #Enable Audio codec power management + echo '1' > '/sys/module/snd_hda_intel/parameters/power_save' + #VM writeback timeout + echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs' + #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] + echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' + #Autosuspend for USB device Biometric Coprocessor + echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' + + #Runtime PMs + echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' + ''; + system.activationScripts.trackpoint = '' + echo 
0 > '/sys/devices/platform/i8042/serio1/serio2/speed' + echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' + ''; + + services.xserver = { + videoDriver = "intel"; + vaapiDrivers = [ pkgs.vaapiIntel ]; + deviceSection = '' + Option "AccelMethod" "sna" + BusID "PCI:0:2:0" + ''; + }; + + users.extraUsers = { + #main user + mainUser = { + uid = 1337; + name = "lass"; + #isNormalUser = true; + group = "users"; + createHome = true; + home = "/home/lass"; + useDefaultShell = true; + isSystemUser = false; + extraGroups = [ "wheel" "audio" ]; + }; + }; + + environment.systemPackages = with pkgs; [ + ]; + + #TODO: fix this shit + ##fprint stuff + ##sudo fprintd-enroll $USER to save fingerprints + #services.fprintd.enable = true; + #security.pam.services.sudo.fprintAuth = true; + + users.extraGroups = { + loot = { + members = [ + config.users.extraUsers.mainUser.name + "firefox" + "chromium" + "google" + "virtual" + ]; + }; + }; + + networking.firewall = { + allowPing = true; + allowedTCPPorts = [ + 8000 + ]; + allowedUDPPorts = [ + 67 + ]; + }; + + #services.ircdHybrid = { + # enable = true; + + # description = "local test server"; + #}; + + #TODO + #services.urxvtd = { + # enable = true; + # users = [ "lass" ]; + # urxvtPackage = pkgs.rxvt_unicode_with-plugins; + #}; + + #system.activationScripts.iptables = + # let + # log = false; + # when = c: f: if c then f else ""; + # in + # '' + # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } + # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } + # ipXtables() { ip4tables "$@"; ip6tables "$@"; } + + # # + # # nat + # # + + # # reset tables + # ipXtables -t nat -F + # ipXtables -t nat -X + + # # + # #ipXtables -t nat -A PREROUTING -j REDIRECT ! 
-i retiolum -p tcp --dport ssh --to-ports 0 + # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh + + # # + # # filter + # # + + # # reset tables + # ipXtables -P INPUT DROP + # ipXtables -P FORWARD DROP + # ipXtables -F + # ipXtables -X + + # # create custom chains + # ipXtables -N Retiolum + + # # INPUT + # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # ipXtables -A INPUT -j ACCEPT -i lo + # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW + # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW + # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW + # ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW + + # #mc + # ipXtables -A INPUT -j ACCEPT -p tcp --dport 25565 + # ipXtables -A INPUT -j ACCEPT -p udp --dport 25565 + + # ipXtables -A INPUT -j Retiolum -i retiolum + # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} + + # # FORWARD + # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} + + # # Retiolum + # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request + # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request + + + # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} + # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset + # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable + # ip6tables -A Retiolum -j REJECT + + # ''; +} diff --git a/old/modules/mors/git.nix b/old/modules/mors/git.nix new file mode 100644 index 000000000..1dd61d164 --- /dev/null +++ b/old/modules/mors/git.nix 
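Review bot: `networking.firewall.allowedUDPPorts = [ 67 ]` opens the DHCP-server port on a wireless laptop (`networking.wireless.enable = true`) although no DHCP server is configured in this file, and `allowedTCPPorts = [ 8000 ]` is equally unexplained; each entry should carry a comment naming the service it exists for, e.g. `67 # <service that needs bootps>` (placeholder), or be removed. `system.activationScripts.powertopTunables` writes to hard-coded USB and PCI sysfs paths such as `/sys/bus/usb/devices/1-1.4/power/control` on every activation; those addresses change with bus topology, so a missing node presumably makes the activation script report an error, and guarding each write (`test -w "$p" && echo auto > "$p"`) or expressing the tunables as udev rules keyed on device ids, as `services.udev.extraRules` already does for the NICs, would make it robust. The roughly sixty commented-out iptables lines at the end of the file and the `#TODO: fix this shit` fprint block are dead configuration that would be better tracked in an issue than kept in the host definition.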
@@ -0,0 +1,71 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ../tv/git + ]; + + services.git = + let + inherit (builtins) readFile; + # TODO lib should already includ