nin: init

2017-01-12 22:21:21 +01:00 · 2017-01-12 22:21:21 +01:00 · 270f385c72
commit 270f385c72
parent 8616bb393f
7 changed files with 374 additions and 0 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -93,6 +93,7 @@ let
    { krebs = import ./lass   { inherit config; }; }
    { krebs = import ./makefu { inherit config; }; }
    { krebs = import ./mv     { inherit config; }; }
+    { krebs = import ./nin    { inherit config; }; }
    { krebs = import ./shared { inherit config; }; }
    { krebs = import ./tv     { inherit config; }; }
    {
--- a/krebs/3modules/nin/default.nix
+++ b/krebs/3modules/nin/default.nix
@ -0,0 +1,40 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+  hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) {
+    hiawatha = {
+      cores = 2;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.132.96";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
+          aliases = [
+            "hiawatha.retiolum"
+            "hiawatha.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
+            Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
+            iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
+            UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
+            lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
+            yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
+    };
+
+  };
+  users = {
+    nin = {
+      mail = "nin@hiawatha.retiolum";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
+    };
+  };
+}
--- a/nin/1systems/hiawatha.nix
+++ b/nin/1systems/hiawatha.nix
@ -0,0 +1,125 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../.
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ../2configs/retiolum.nix
+  ];
+
+  krebs.build.host = config.krebs.hosts.hiawatha;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/tmp" =
+    { device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010";
+      fsType = "ext2";
+    };
+
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  fileSystems."/home/nin/.local/share/Steam" = {
+    device = "/dev/fam/steam";
+  };
+
+  # nin config
+  time.timeZone = "Europe/Berlin";
+  services.xserver.enable = true;
+
+  networking.networkmanager.enable = true;
+  #networking.wireless.enable = true;
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+
+  #nixpkgs.config.steam.java = true;
+
+  environment.variables.EDITOR = mkForce "vim";
+  environment.variables.VIMINIT = ":so /etc/vimrc";
+  environment.etc.vimrc.source = pkgs.writeText "vimrc" ''
+    set nocp
+  '';
+
+  environment.systemPackages = with pkgs; [
+    firefox
+    steam
+    thunderbird
+    vim
+    git
+    hexchat
+    networkmanagerapplet
+  ];
+
+  nixpkgs.config = {
+
+    allowUnfree = true;
+
+    firefox = {
+      enableGoogleTalkPlugin = true;
+      enableAdobeFlash = true;
+    };
+  };
+
+  #services.logind.extraConfig = "HandleLidSwitch=ignore";
+
+  services.xserver.synaptics = {
+    enable = true;
+  };
+
+
+  services.xserver.desktopManager.xfce = let
+    xbindConfig = pkgs.writeText "xbindkeysrc" ''
+      "${pkgs.pass}/bin/passmenu --type"
+        Control + p
+  '';
+  in {
+    enable = true;
+      extraSessionCommands = ''
+      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
+    '';
+  };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "17.03";
+
+}
--- a/nin/2configs/default.nix
+++ b/nin/2configs/default.nix
@ -0,0 +1,165 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  imports = [
+    ../2configs/nixpkgs.nix
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import <secrets/hashedPasswords.nix>);
+    }
+    {
+      users.extraUsers = {
+        root = {
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+          ];
+        };
+        mainUser = {
+          name = "nin";
+          uid = 1337;
+          home = "/home/nin";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "fuse"
+          ];
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+          ];
+        };
+      };
+    }
+    {
+      environment.variables = {
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+      };
+    }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
+  ];
+
+  networking.hostName = config.krebs.build.host.name;
+  nix.maxJobs = config.krebs.build.host.cores;
+
+  krebs = {
+    enable = true;
+    search-domain = "retiolum";
+    build = {
+      user = config.krebs.users.nin;
+      source = let inherit (config.krebs.build) host; in {
+        nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
+        secrets.file = "/home/nin/secrets/${host.name}";
+        stockholm.file = getEnv "PWD";
+      };
+    };
+  };
+
+  nix.useSandbox = true;
+
+  services.timesyncd.enable = true;
+
+  #why is this on in the first place?
+  services.nscd.enable = false;
+
+  boot.tmpOnTmpfs = true;
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -"
+  ];
+
+  # multiple-definition-problem when defining environment.variables.EDITOR
+  environment.extraInit = ''
+    EDITOR=vim
+    MANPAGER=most
+  '';
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+  #stockholm
+    git
+    gnumake
+    jq
+    proot
+    populate
+    p7zip
+    unzip
+    unrar
+  ];
+
+  programs.bash = {
+    enableCompletion = true;
+    interactiveShellInit = ''
+      HISTCONTROL='erasedups:ignorespace'
+      HISTSIZE=65536
+      HISTFILESIZE=$HISTSIZE
+
+      shopt -s checkhash
+      shopt -s histappend histreedit histverify
+      shopt -s no_empty_cmd_completion
+      complete -d cd
+    '';
+    promptInit = ''
+      if test $UID = 0; then
+        PS1='\[\033[1;31m\]\w\[\033[0m\] '
+      elif test $UID = 1337; then
+        PS1='\[\033[1;32m\]\w\[\033[0m\] '
+      else
+        PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
+      fi
+      if test -n "$SSH_CLIENT"; then
+        PS1='\[\033[35m\]\h'" $PS1"
+      fi
+    '';
+  };
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  krebs.iptables = {
+    enable = true;
+    tables = {
+      nat.PREROUTING.rules = [
+        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+      ];
+      nat.OUTPUT.rules = [
+        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+      ];
+      filter.INPUT.policy = "DROP";
+      filter.FORWARD.policy = "DROP";
+      filter.INPUT.rules = [
+        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+        { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+        { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+        { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+        { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+        { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
+      ];
+    };
+  };
+
+  networking.dhcpcd.extraConfig = ''
+    noipv4ll
+  '';
+}
--- a/nin/2configs/nixpkgs.nix
+++ b/nin/2configs/nixpkgs.nix
@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  krebs.build.source.nixpkgs.git = {
+    url = https://github.com/nixos/nixpkgs;
+    ref = "fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271";
+  };
+}
--- a/nin/2configs/retiolum.nix
+++ b/nin/2configs/retiolum.nix
@ -0,0 +1,28 @@
+{ ... }:
+
+{
+
+  krebs.iptables = {
+    tables = {
+      filter.INPUT.rules = [
+        { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
+        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+      ];
+    };
+  };
+
+  krebs.tinc.retiolum = {
+    enable = true;
+    connectTo = [
+      "prism"
+      "pigstarter"
+      "gum"
+      "flap"
+    ];
+  };
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    tinc = pkgs.tinc_pre;
+  };
+}
--- a/nin/default.nix
+++ b/nin/default.nix
@ -0,0 +1,7 @@
+_:
+{
+  imports = [
+    ../krebs
+    ./2configs
+  ];
+}