Merge remote-tracking branch 'stro/master'

This commit is contained in:
tv 2017-08-29 21:08:02 +02:00
commit 2474778636
12 changed files with 141 additions and 56 deletions


@ -0,0 +1,41 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
ip = config.krebs.build.host.nets.internet.ip4.addr;
bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
in {
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/krebs/2configs/secret-passwords.nix>
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
initialPassword = "test";
};
};
}
];
krebs.build.host = config.krebs.hosts.hope;
networking = let
address = config.krebs.build.host.nets.internet.ip4.addr;
in {
defaultGateway = bestGuessGateway address;
interfaces.enp2s1.ip4 = singleton {
inherit address;
prefixLength = 24;
};
nameservers = ["8.8.8.8"];
};
}
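Review bot: `initialPassword = "test"` on the `satan` user is a guessable password for an account with a login shell on a host whose `nets.internet` block (added in this same commit) gives it a public address and an SSH port; move the credential into `<secrets>` as `hashedPassword`, or leave the account without a password and rely on `openssh.authorizedKeys.keys`. Whether password logins are reachable over SSH depends on the krebs base config, which is not in this diff, so confirm `services.openssh.passwordAuthentication` there. Separately, `bestGuessGateway` uses `[^.]`, which matches exactly one character, so an address whose last octet has more than one digit — the host's own `45.62.225.18` — does not yield `45.62.225.1`; `bestGuessGateway = addr: concatStringsSep "." (init (splitString "." addr)) + ".1";` handles any octet width, assuming `splitString` and `init` are exported by `<stockholm/lib>`. The `ip` binding on the third line is also unused, since `networking` recomputes the same expression as `address`.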


@ -0,0 +1,3 @@
import <stockholm/krebs/source.nix> {
name = "hope";
}


@ -30,6 +30,38 @@ let
});
in {
hosts = {
hope = {
owner = config.krebs.users.krebs;
managed = true;
nets = {
internet = {
ip4.addr = "45.62.225.18";
aliases = [
"hope.i"
];
ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.77.4";
ip6.addr = "42:0:0:0:0:0:77:4";
aliases = [
"hope.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
};
hotdog = {
owner = config.krebs.users.krebs;
managed = true;


@ -39,15 +39,6 @@ with import <stockholm/lib>;
enable = true;
};
}
{
#zalando project
services.postgresql = {
enable = true;
package = pkgs.postgresql;
};
virtualisation.docker.enable = true;
#users.users.mainUser.extraGroups = [ "docker" ];
}
{
lass.umts = {
enable = true;
@ -91,6 +82,9 @@ with import <stockholm/lib>;
client.enable = true;
};
}
{
services.mongodb.enable = true;
}
];
krebs.build.host = config.krebs.hosts.mors;
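Review bot: `services.mongodb.enable = true;` is added with no `bind_ip` or authentication settings, so the daemon runs with whatever the pinned nixpkgs module defaults to; on a mobile host that also brings up UMTS links (the `lass.umts` block in this file), confirm that default is loopback and otherwise set `services.mongodb.bind_ip = "127.0.0.1";` explicitly. A one-line comment naming what uses the database, like the removed `#zalando project` marker above it, would also make it easy to retire later. The surrounding `imports` list and the enclosing attrset start and end outside this hunk.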


@ -41,7 +41,11 @@ with import <stockholm/lib>;
"/boot" = {
device = "/dev/sda1";
};
"/home" = {
device = "/dev/mapper/pool-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
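Review bot: The new `/home` mount uses `defaults`, which includes `suid` and `dev`; for a home filesystem `nodev` and `nosuid` are the usual hardening, since nothing there should need device nodes or setuid binaries, e.g. `options = ["defaults" "noatime" "ssd" "compress=lzo" "nodev" "nosuid"];`. `/dev/mapper/pool-home` suggests an LVM or LUKS volume, but whether it is also declared under `boot.initrd.luks.devices` cannot be seen from this hunk. The `fileSystems` attrset starts and ends outside the hunk.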


@ -200,6 +200,7 @@ with import <stockholm/lib>;
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
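Review bot: The new rule `-i retiolum -p udp --dport 60000:61000` carries no comment saying what it admits; the range looks like the mosh server port range, but that is an inference, so a short `# mosh, reachable over retiolum only` next to it would spare the next reader the guess. It is also the only rule in the list without an explicit `precedence`, so its position relative to the `RELATED,ESTABLISHED` and ICMP rules depends on the module's default ordering; if that matters, set it like the siblings. The `filter.INPUT.rules` list continues outside this hunk.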


@ -78,11 +78,13 @@ let
and NOT to:shackspace \
and NOT to:c-base \
and NOT from:security-alert@hpe.com \
and NOT to:nix-devel"\
and NOT to:nix-devel\
and NOT to:radio"\
"shack" "notmuch://?query=to:shackspace"\
"c-base" "notmuch://?query=to:c-base"\
"security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
"nix" "notmuch://?query=to:nix-devel"\
"radio" "notmuch://?query=to:radio or tag:radio"\
"TODO" "notmuch://?query=tag:TODO"\
"Starred" "notmuch://?query=tag:*"\
"Archive" "notmuch://?query=tag:archive"\
@ -126,7 +128,7 @@ let
bind index t noop
bind pager t noop
macro index t "<modify-labels>+TODO\n" # tag as Archived
macro index t "<modify-labels>" # tag as Archived
# top index bar in email view
set pager_index_lines=7
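Review bot: The comment on the changed macro line, `macro index t "<modify-labels>" # tag as Archived`, did not describe the old `+TODO` binding and describes the new one even less: the macro now only opens the modify-labels prompt. Rename it to `# prompt for labels to add/remove` so the binding's intent is recoverable, and if the archive binding lives elsewhere, point to it. The `let` binding holding this muttrc text starts and ends outside the hunk.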


@ -2,40 +2,16 @@
let
scripts = lib.concatStringsSep "," [
good
delete
];
mpv = pkgs.symlinkJoin {
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
exec ${pkgs.mpv}/bin/mpv --no-config --script=${scripts} "$@"
exec ${pkgs.mpv}/bin/mpv --no-config "$@"
'')
pkgs.mpv
];
};
moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" ''
tmp_dir = "${dir}"
function move_current_track_${key}()
track = mp.get_property("path")
os.execute("mkdir -p '" .. tmp_dir .. "'")
os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")
print("moved '" .. track .. "' to " .. tmp_dir)
end
mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key})
'';
good = moveToDir "G" "./.good";
delete = moveToDir "D" "./.graveyard";
up = moveToDir "U" "./up";
down = moveToDir "Y" "./down";
in {
environment.systemPackages = [
mpv


@ -31,6 +31,16 @@ let
type = types.str;
default = "default";
};
pppDefaults = mkOption {
type = types.str;
default = ''
noipdefault
usepeerdns
defaultroute
persist
noauth
'';
};
};
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
@ -71,7 +81,16 @@ let
lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
'';
environment.wvdial.dialerDefaults = wvdial-defaults;
environment.etc = [
{
source = pkgs.writeText "wvdial.conf" wvdial-defaults;
target = "wvdial.conf";
}
{
source = pkgs.writeText "wvdial" cfg.pppDefaults;
target = "ppp/peers/wvdial";
}
];
systemd.services.umts = {
description = "UMTS wvdial Service";
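Review bot: Both new `environment.etc` entries are built with `pkgs.writeText`, which places the file in the world-readable Nix store and links it from `/etc`; if `wvdial-defaults` (defined outside this hunk) carries a SIM PIN or APN credentials, every local user can read them, so those values should come from `<secrets>` and be deployed with a restrictive mode instead. The retained `environment.wvdial.dialerDefaults = wvdial-defaults;` line suggests the nixpkgs wvdial module may itself generate `/etc/wvdial.conf`, in which case the two definitions for the same target would conflict — confirm against the pinned nixpkgs. `noauth` in `pppDefaults` is normal for a client dialing a carrier, but a comment such as `# noauth: do not require the peer to authenticate to us` would stop it being read as disabling our own authentication. The module's `let` and config blocks start and end outside the hunk.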


@ -8,18 +8,6 @@ with import <stockholm/lib>;
build = {
user = config.krebs.users.mv;
host = config.krebs.hosts.stro;
source = let
HOME = getEnv "HOME";
host = config.krebs.build.host;
in {
nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix";
secrets.file = "${HOME}/secrets/${host.name}";
stockholm.file = "${HOME}/stockholm";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
};
};
};
};
@ -27,7 +15,7 @@ with import <stockholm/lib>;
<secrets>
<stockholm/krebs>
<stockholm/tv/2configs/audit.nix>
<stockholm/tv/2configs/bash.nix>
<stockholm/tv/2configs/bash>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/im.nix>
@ -40,7 +28,6 @@ with import <stockholm/lib>;
<stockholm/tv/2configs/xdg.nix>
<stockholm/tv/2configs/xserver>
<stockholm/tv/3modules>
<stockholm/tv/5pkgs>
];
boot.kernel.sysctl = {
@ -124,13 +111,13 @@ with import <stockholm/lib>;
nix = {
binaryCaches = ["https://cache.nixos.org"];
# TODO check if both are required:
chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
requireSignedBinaryCaches = true;
useChroot = true;
# TODO check if both are required:
sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
useSandbox = true;
};
nixpkgs.config.allowUnfree = false;
nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;
users = {
defaultUserShell = "/run/current-system/sw/bin/bash";
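Review bot: The `nix` block appears to drop `requireSignedBinaryCaches = true;` together with the renamed chroot options, while only `sandboxPaths` and `useSandbox` take their place; as far as I can tell the nixpkgs default for that option was already true by 17.03, but keeping the explicit line documents that substitutes from `cache.nixos.org` must be signed and protects against a future default change. The nixpkgs pin that used to be inline here (`ref = "8bf31d7d…"`) now lives in `mv/source.nix` in this commit, so the host remains pinned, just elsewhere. `nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;` seems to take over from the removed `<stockholm/tv/5pkgs>` import; the enclosing `imports` list and attrset start outside the hunk.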


@ -0,0 +1,3 @@
import <stockholm/mv/source.nix> {
name = "stro";
}

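--- a/mv/source.nix
+++ b/mv/source.nix
@@ -0,0 +1,23 @@
+with import <stockholm/lib>;
+host@{ name, override ? {} }: let
+builder = if getEnv "dummy_secrets" == "true"
+then "buildbot"
+else "mv";
+_file = <stockholm> + "/mv/1systems/${name}/source.nix";
+in
+evalSource (toString _file) [
+{
+nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
+nixpkgs.git = {
+# nixos-17.03
+ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+url = https://github.com/NixOS/nixpkgs;
+};
+secrets.file = getAttr builder {
+buildbot = toString <stockholm/mv/dummy_secrets>;
+mv = "/home/mv/secrets/${name}";
+};
+stockholm.file = toString <stockholm>;
+}
+override
+]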
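Review bot: The secrets source is chosen by `getEnv "dummy_secrets" == "true"`, so any other value — unset, `1`, `yes`, a typo — silently falls through to the real `/home/mv/secrets/${name}`; since this is the one switch between a throwaway buildbot run and live secrets, document it above the `builder` binding, e.g. `# dummy_secrets=true selects <stockholm/mv/dummy_secrets>; anything else uses the real secrets under /home/mv`, and consider a `throw` for values other than `true` or unset. Pinning `nixpkgs.git.ref` to a commit hash is good, but it is `mkDefault`, so an `override` argument can swap it for a moving branch name, at which point the checkout is neither reproducible nor integrity-checked; extending the `# nixos-17.03` comment to say the hash is the pin and the branch name only a hint would make that explicit. `host@{ ... }` binds `host`, but nothing in the body uses it.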