Merge remote-tracking branch 'stro/master'

2017-08-29 21:08:02 +02:00 · 2017-08-29 21:08:02 +02:00 · 2474778636
commit 2474778636
parent fd69096a27 48c75276c5
12 changed files with 141 additions and 56 deletions
--- a/krebs/1systems/hope/config.nix
+++ b/krebs/1systems/hope/config.nix
@ -0,0 +1,41 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+  ip = config.krebs.build.host.nets.internet.ip4.addr;
+  bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
+
+in {
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+    <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
+
+    <stockholm/krebs/2configs/secret-passwords.nix>
+    {
+      users.extraUsers = {
+        satan = {
+          name = "satan";
+          uid = 1338;
+          home = "/home/satan";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          initialPassword = "test";
+        };
+      };
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.hope;
+
+  networking = let
+    address = config.krebs.build.host.nets.internet.ip4.addr;
+  in {
+    defaultGateway = bestGuessGateway address;
+    interfaces.enp2s1.ip4 = singleton {
+      inherit address;
+      prefixLength = 24;
+    };
+    nameservers = ["8.8.8.8"];
+  };
+}
--- a/krebs/1systems/hope/source.nix
+++ b/krebs/1systems/hope/source.nix
@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "hope";
+}
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@ -30,6 +30,38 @@ let
  });
 in {
  hosts = {
+    hope = {
+      owner = config.krebs.users.krebs;
+      managed = true;
+      nets = {
+        internet = {
+          ip4.addr = "45.62.225.18";
+          aliases = [
+            "hope.i"
+          ];
+          ssh.port = 45621;
+        };
+        retiolum = {
+          ip4.addr = "10.243.77.4";
+          ip6.addr = "42:0:0:0:0:0:77:4";
+          aliases = [
+            "hope.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
+            uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
+            2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
+            A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
+            fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
+            K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
+    };
    hotdog = {
      owner = config.krebs.users.krebs;
      managed = true;
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -39,15 +39,6 @@ with import <stockholm/lib>;
        enable = true;
      };
    }
-    {
-      #zalando project
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql;
-      };
-      virtualisation.docker.enable = true;
-      #users.users.mainUser.extraGroups = [ "docker" ];
-    }
    {
      lass.umts = {
        enable = true;
@ -91,6 +82,9 @@ with import <stockholm/lib>;
        client.enable = true;
      };
    }
+    {
+      services.mongodb.enable = true;
+    }
  ];

  krebs.build.host = config.krebs.hosts.mors;
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@ -41,7 +41,11 @@ with import <stockholm/lib>;
    "/boot" = {
      device = "/dev/sda1";
    };
-
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
    "/tmp" = {
      device = "tmpfs";
      fsType = "tmpfs";
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -200,6 +200,7 @@ with import <stockholm/lib>;
      filter.INPUT.policy = "DROP";
      filter.FORWARD.policy = "DROP";
      filter.INPUT.rules = [
+        { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
        { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
        { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false;  precedence = 10000; }
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@ -78,11 +78,13 @@ let
                     and NOT to:shackspace \
                     and NOT to:c-base \
                     and NOT from:security-alert@hpe.com \
-                     and NOT to:nix-devel"\
+                     and NOT to:nix-devel\
+                     and NOT to:radio"\
        "shack"     "notmuch://?query=to:shackspace"\
        "c-base"    "notmuch://?query=to:c-base"\
        "security"  "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
        "nix"       "notmuch://?query=to:nix-devel"\
+        "radio"     "notmuch://?query=to:radio or tag:radio"\
        "TODO"      "notmuch://?query=tag:TODO"\
        "Starred"   "notmuch://?query=tag:*"\
        "Archive"   "notmuch://?query=tag:archive"\
@ -126,7 +128,7 @@ let

    bind index t noop
    bind pager t noop
-    macro index t "<modify-labels>+TODO\n"        # tag as Archived
+    macro index t "<modify-labels>"        # tag as Archived

    # top index bar in email view
    set pager_index_lines=7
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@ -2,40 +2,16 @@

 let

-  scripts = lib.concatStringsSep "," [
-    good
-    delete
-  ];
-
  mpv = pkgs.symlinkJoin {
    name = "mpv";
    paths = [
      (pkgs.writeDashBin "mpv" ''
-        exec ${pkgs.mpv}/bin/mpv --no-config --script=${scripts} "$@"
+        exec ${pkgs.mpv}/bin/mpv --no-config "$@"
      '')
      pkgs.mpv
    ];
  };

-  moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" ''
-    tmp_dir = "${dir}"
-
-    function move_current_track_${key}()
-      track = mp.get_property("path")
-      os.execute("mkdir -p '" .. tmp_dir .. "'")
-      os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")
-      print("moved '" .. track .. "' to " .. tmp_dir)
-    end
-
-    mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key})
-  '';
-
-  good = moveToDir "G" "./.good";
-  delete = moveToDir "D" "./.graveyard";
-
-  up = moveToDir "U" "./up";
-  down = moveToDir "Y" "./down";
-
 in {
  environment.systemPackages = [
    mpv
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@ -31,6 +31,16 @@ let
      type = types.str;
      default = "default";
    };
+    pppDefaults = mkOption {
+      type = types.str;
+      default = ''
+        noipdefault
+        usepeerdns
+        defaultroute
+        persist
+        noauth
+      '';
+    };
  };

  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
@ -71,7 +81,16 @@ let
      lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
    '';

-    environment.wvdial.dialerDefaults = wvdial-defaults;
+    environment.etc = [
+      {
+        source = pkgs.writeText "wvdial.conf" wvdial-defaults;
+        target = "wvdial.conf";
+      }
+      {
+        source = pkgs.writeText "wvdial" cfg.pppDefaults;
+        target = "ppp/peers/wvdial";
+      }
+    ];

    systemd.services.umts = {
      description = "UMTS wvdial Service";
--- a/mv/1systems/stro/config.nix
+++ b/mv/1systems/stro/config.nix
@ -8,18 +8,6 @@ with import <stockholm/lib>;
    build = {
      user = config.krebs.users.mv;
      host = config.krebs.hosts.stro;
-      source = let
-        HOME = getEnv "HOME";
-        host = config.krebs.build.host;
-      in {
-        nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix";
-        secrets.file = "${HOME}/secrets/${host.name}";
-        stockholm.file = "${HOME}/stockholm";
-        nixpkgs.git = {
-          url = https://github.com/NixOS/nixpkgs;
-          ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
-        };
-      };
    };
  };

@ -27,7 +15,7 @@ with import <stockholm/lib>;
    <secrets>
    <stockholm/krebs>
    <stockholm/tv/2configs/audit.nix>
-    <stockholm/tv/2configs/bash.nix>
+    <stockholm/tv/2configs/bash>
    <stockholm/tv/2configs/exim-retiolum.nix>
    <stockholm/tv/2configs/hw/x220.nix>
    <stockholm/tv/2configs/im.nix>
@ -40,7 +28,6 @@ with import <stockholm/lib>;
    <stockholm/tv/2configs/xdg.nix>
    <stockholm/tv/2configs/xserver>
    <stockholm/tv/3modules>
-    <stockholm/tv/5pkgs>
  ];

  boot.kernel.sysctl = {
@ -124,13 +111,13 @@ with import <stockholm/lib>;

  nix = {
    binaryCaches = ["https://cache.nixos.org"];
-    # TODO check if both are required:
-    chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
    requireSignedBinaryCaches = true;
-    useChroot = true;
+    # TODO check if both are required:
+    sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+    useSandbox = true;
  };

-  nixpkgs.config.allowUnfree = false;
+  nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;

  users = {
    defaultUserShell = "/run/current-system/sw/bin/bash";
--- a/mv/1systems/stro/source.nix
+++ b/mv/1systems/stro/source.nix
@ -0,0 +1,3 @@
+import <stockholm/mv/source.nix> {
+  name = "stro";
+}
--- a/mv/source.nix
+++ b/mv/source.nix
@ -0,0 +1,23 @@
+with import <stockholm/lib>;
+host@{ name, override ? {} }: let
+  builder = if getEnv "dummy_secrets" == "true"
+              then "buildbot"
+              else "mv";
+  _file = <stockholm> + "/mv/1systems/${name}/source.nix";
+in
+  evalSource (toString _file) [
+    {
+      nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
+      nixpkgs.git = {
+        # nixos-17.03
+        ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+        url = https://github.com/NixOS/nixpkgs;
+      };
+      secrets.file = getAttr builder {
+        buildbot = toString <stockholm/mv/dummy_secrets>;
+        mv = "/home/mv/secrets/${name}";
+      };
+      stockholm.file = toString <stockholm>;
+    }
+    override
+  ]