nin: init

This commit is contained in:
nin 2017-01-12 22:21:21 +01:00
parent 8616bb393f
commit 270f385c72
7 changed files with 374 additions and 0 deletions

View File

@ -93,6 +93,7 @@ let
{ krebs = import ./lass { inherit config; }; } { krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; } { krebs = import ./makefu { inherit config; }; }
{ krebs = import ./mv { inherit config; }; } { krebs = import ./mv { inherit config; }; }
{ krebs = import ./nin { inherit config; }; }
{ krebs = import ./shared { inherit config; }; } { krebs = import ./shared { inherit config; }; }
{ krebs = import ./tv { inherit config; }; } { krebs = import ./tv { inherit config; }; }
{ {

View File

@ -0,0 +1,40 @@
{ config, ... }:
with import <stockholm/lib>;
{
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) {
hiawatha = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.132.96";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
aliases = [
"hiawatha.retiolum"
"hiawatha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
};
};
users = {
nin = {
mail = "nin@hiawatha.retiolum";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
};
};
}

125
nin/1systems/hiawatha.nix Normal file
View File

@ -0,0 +1,125 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
../.
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
../2configs/retiolum.nix
];
krebs.build.host = config.krebs.hosts.hiawatha;
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e";
fsType = "ext4";
};
fileSystems."/tmp" =
{ device = "tmpfs";
fsType = "tmpfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010";
fsType = "ext2";
};
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda";
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Enable CUPS to print documents.
# services.printing.enable = true;
fileSystems."/home/nin/.local/share/Steam" = {
device = "/dev/fam/steam";
};
# nin config
time.timeZone = "Europe/Berlin";
services.xserver.enable = true;
networking.networkmanager.enable = true;
#networking.wireless.enable = true;
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
hardware.bluetooth.enable = true;
hardware.opengl.driSupport32Bit = true;
#nixpkgs.config.steam.java = true;
environment.variables.EDITOR = mkForce "vim";
environment.variables.VIMINIT = ":so /etc/vimrc";
environment.etc.vimrc.source = pkgs.writeText "vimrc" ''
set nocp
'';
environment.systemPackages = with pkgs; [
firefox
steam
thunderbird
vim
git
hexchat
networkmanagerapplet
];
nixpkgs.config = {
allowUnfree = true;
firefox = {
enableGoogleTalkPlugin = true;
enableAdobeFlash = true;
};
};
#services.logind.extraConfig = "HandleLidSwitch=ignore";
services.xserver.synaptics = {
enable = true;
};
services.xserver.desktopManager.xfce = let
xbindConfig = pkgs.writeText "xbindkeysrc" ''
"${pkgs.pass}/bin/passmenu --type"
Control + p
'';
in {
enable = true;
extraSessionCommands = ''
${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
'';
};
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "17.03";
}

165
nin/2configs/default.nix Normal file
View File

@ -0,0 +1,165 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
../2configs/nixpkgs.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
{
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
mainUser = {
name = "nin";
uid = 1337;
home = "/home/nin";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
"audio"
"fuse"
];
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
};
}
{
environment.variables = {
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
}
(let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
environment.variables = {
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
})
];
networking.hostName = config.krebs.build.host.name;
nix.maxJobs = config.krebs.build.host.cores;
krebs = {
enable = true;
search-domain = "retiolum";
build = {
user = config.krebs.users.nin;
source = let inherit (config.krebs.build) host; in {
nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
secrets.file = "/home/nin/secrets/${host.name}";
stockholm.file = getEnv "PWD";
};
};
};
nix.useSandbox = true;
services.timesyncd.enable = true;
#why is this on in the first place?
services.nscd.enable = false;
boot.tmpOnTmpfs = true;
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -"
];
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
MANPAGER=most
'';
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
#stockholm
git
gnumake
jq
proot
populate
p7zip
unzip
unrar
];
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
'';
promptInit = ''
if test $UID = 0; then
PS1='\[\033[1;31m\]\w\[\033[0m\] '
elif test $UID = 1337; then
PS1='\[\033[1;32m\]\w\[\033[0m\] '
else
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
fi
'';
};
services.openssh = {
enable = true;
hostKeys = [
# XXX bits here make no science
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
krebs.iptables = {
enable = true;
tables = {
nat.PREROUTING.rules = [
{ predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
];
nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
};
networking.dhcpcd.extraConfig = ''
noipv4ll
'';
}

8
nin/2configs/nixpkgs.nix Normal file
View File

@ -0,0 +1,8 @@
{ ... }:
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
ref = "fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271";
};
}

28
nin/2configs/retiolum.nix Normal file
View File

@ -0,0 +1,28 @@
{ ... }:
{
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
{ predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
];
};
};
krebs.tinc.retiolum = {
enable = true;
connectTo = [
"prism"
"pigstarter"
"gum"
"flap"
];
};
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
};
}

7
nin/default.nix Normal file
View File

@ -0,0 +1,7 @@
_:
{
imports = [
../krebs
./2configs
];
}