Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'lass/master'

Browse Source
This commit is contained in:
makefu 2023-09-28 23:22:59 +02:00
commit 2db6777b7c
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
222 changed files with 141 additions and 8625 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
kartei/Ra33it0/default.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, lib, ... }: let
slib = import ../../lib/pure.nix { inherit lib; };
in {
users.Ra33it0 = {
mail = "Ra33it0@posteo.net";
};
hosts.DUMMYHOST = {
owner = config.krebs.users.Ra33it0;
nets.retiolum = {
aliases = [ "Ra33it0.Ra33it0.r" ];
ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA6Cb+b+snYpsQv1J0yMPSL4P0iKs2EkDtqtt6kBOvqFTr2lRB2thp
mu9fRbz/CFmcvFXoEMWQEEkKcyhgJEola2+7Ra49iMNX55o/I0iZ499ZI5rIK/JG
+A60ijPCh5TSGYIMiD7VWRsxoAtzB1DZ6n4z94KN0wQB5dXKuLPjk/TDfJPuzMrS
J5k9uSyBKcRdW2iop78wNOnYO8NVd9wr6odUBc/L5J0krDU2gLGRGJGDfoW4zfly
5DwtY58DBCZS7uFAymKBdvEBUzj7/wD0B2Jfq/EUOdEKeFbP2G4fdOTQBuXGDqMi
dqufCy2cK3AOi5l3VaC2LfkCMztRBPzryY8+EcfjgqENBPCx55GBZDrtn/W+29S7
ynMfI+1e8TntpFGLhuJXyl9//rG68tvYUED5MQ98OXViiffW7lBo7i5TCck3f9Cv
CWYM/HzSffzztK8bF0DwhdWzjtNcwZ05XfA2krGZyMj9UxpwN84o1syCnnYC1Xzg
4r48fUhubXXE4SbdnN68pCNCct9DT8exPeYeJL2FHi6s+EsfBY+NGEAaQGJTeQEW
zUSnX/txoZV6xGUKZ4iOgfQ4MBCVVdtPAaurNP/esVwOr0WF0DTuBDPGBaOqo+Us
Ef5cREwrCE8nEY8tu3xl4M9iuCTwBuT79YFhfNI3jr1lcg6f8wGaTYsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "cFCAfLbDYv/Ty3m34aHgHr1dXGp2DSwfP0K7GG1TA7D";
};
};
}

30
kartei/berber/default.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, lib, ... }: let
slib = import ../../lib/pure.nix { inherit lib; };
in {
users.berber = {
mail = "berber@zmberber.com";
};
hosts.schlepptop = {
owner = config.krebs.users.berber;
nets.retiolum = {
aliases = [ "schlepptop.berber.r" ];
ip6.addr = (slib.krebs.genipv6 "retiolum" "berber" { hostName = "schlepptop"; }).address;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAsotvQWb0zgZzHQheM2LBMCyxYZ4JqWcpLkfz8nvLJl6wktEWz8IH
7hkc9qjrvR0jLecO79PzFaF9n6h47OBMhJC2BzJJJys0iiOUcjWpMtLGUZTy2M83
Wtfz8YuY0zMJmnt63cVFpEsorj2v99YmYxQww8IU1iSpxotNx1hED/3dEN44qqlL
/aYRrnuFb/UOMxTcanpezJRqgqQpXBmlXYM0uE/uqUOWxHpWtQB5DsMf3s3YET/j
N7yp8DStlAqRruWS52GtWqnqXTgRBjqcIdGvmSRP0ZsHEEXk7du7icAlo1ZdGDQ1
BXo1LTeiKr7Ujb7f5Kz/aq0+xZsODXVjYwiS5ZuZvHO+YD0/eDD4YwQyCovJDNRS
1GEkOBcE3acVn55ygg27PiRdm4FLbPoEL8t6CpgUCFVt1LTuuu/h++8WrbR4ggVp
A8/5xmcUPd0DtWk9Uj++3ZW1PmPLnMtTFuUSkzLv1rdfCHgtQbTcTSEXByaizKlp
CZdCSZjQnycBhPRW56ySWX3du38MNeAAlwGfXUjt4lOQsFiPs55MAedN9/JoTQCp
2uJ+oy2I2zPWxt03e/3WW8eD0csTiSA4c/KRCtHKr9DCaT83Lmal52ztwmxzXhzU
Aa8Zk+rzxj+e48Lab8COzOuqUyWYruxsFoM4BumEfmNOBrkXKCPjVokCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "soXXSBhFM1/V7otecSzUIwTT4Zpn4DLyJ5B5p7Euz/B";
};
};
}

1
kartei/krebs/default.nix
View File

@ -77,6 +77,7 @@ in {
aliases = [
"hotdog.r"
"agenda.r"
"bedge.r"
"kri.r"
"build.r"
"build.hotdog.r"

42
kartei/lass/echelon.nix
View File

@ -1,42 +0,0 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.3";
ip6.addr = r6 "4";
aliases = [
"echelon.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp
1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A
MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe
UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V
rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez
gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO
c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna
dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze
ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D
KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq
GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr
43jjLL40ONdFxX7qW/DhT9MCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB";
};
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"echelon.w"
];
wireguard.pubkey = ''
SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ";
}

3
kartei/lass/prism.nix
View File

@ -37,6 +37,8 @@ rec {
mail 60 IN A ${nets.internet.ip4.addr}
mail 60 IN AAAA ${nets.internet.ip6.addr}
flix 60 IN A ${nets.internet.ip4.addr}
flex 60 IN A ${nets.internet.ip4.addr}
flux 60 IN A ${nets.internet.ip4.addr}
testing 60 IN A ${nets.internet.ip4.addr}
schrott 60 IN A ${nets.internet.ip4.addr}
'';
@ -66,7 +68,6 @@ rec {
"cache.prism.r"
"cgit.prism.r"
"bota.r"
"flix.r"
"paste.r"
"c.r"
"p.r"

1
kartei/lass/yellow.nix
View File

@ -7,6 +7,7 @@
aliases = [
"yellow.r"
"jelly.r"
"flix.r"
"radar.r"
"sonar.r"
"transmission.r"

2
kartei/makefu/default.nix
View File

@ -51,7 +51,7 @@
ssh.pubkey = readFile pubkey-path;
# We assume that if the sshd pubkey exits then there must be a privkey in
# the screts store as well
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.privkey.path = "${config.krebs.secret.directory}/ssh_host_ed25519_key";
})
host
];

2
kartei/tv/default.nix
View File

@ -43,7 +43,7 @@ in {
})
(host: mkIf (host.config.ssh.pubkey != null) {
ssh.privkey = mapAttrs (const mkDefault) {
path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}";
path = "${config.krebs.secret.directory}/ssh.id_${host.config.ssh.privkey.type}";
type = head (toList (builtins.match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
};
})

1
kartei/tv/hosts/alnus.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";

1
kartei/tv/hosts/au.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.39";

1
kartei/tv/hosts/bu.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";

1
kartei/tv/hosts/mu.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";

1
kartei/tv/hosts/nomic.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.0.110";

1
kartei/tv/hosts/querel.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";

1
kartei/tv/hosts/ru.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.42";

1
kartei/tv/hosts/xu.nix
View File

@ -2,7 +2,6 @@
binary-cache = {
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
};
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.38";

1
kartei/tv/hosts/zu.nix
View File

@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.40";

65
kartei/xkey/default.nix
View File

@ -28,47 +28,10 @@ in
};
hosts = mapAttrs hostDefaults {
aland = {
nets.wiregrill = {
ip4.addr = "10.244.12.34";
aliases = [ "aland.xkey.w" ];
wireguard.pubkey = "m2IymGYQiRma2cyZbwRsOw1rCpB5ZdFkfYII1hnHzGE=";
};
};
catalonia = {
nets = {
retiolum = {
ip4.addr = "10.243.13.12";
aliases = [ "catalonia.xkey.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y
gT6iBN8IKnMjYk3bAS7MxmgiyVE17MQlaQi0RSYY47M8I9TvCYtWX/FcXuP9e6CA
VcalDUNpy2qNB+yEE8gMa8vDA3smKk/iK47jTtpWoPtvejLK/SCi8RdlYjKlOErE
Yl9mCniGD1WEYgdrjf6Nl7av6uuGYNibivIMkB2JyGwGGmzvP+oBFi2Cwarw8K2e
FK2VGrAfkgiP5rTPACHseoeCsJtRLozgzYzmS5M9XhP5ZoPkbtR/pL5btCwoCTlZ
HotmLVg4DezbPjNOBB9gtJF4UuzQjSPNY6K1VvvLOhDwXdyln82LuNcm9l+cy9y3
mGeSvqOouBugDqie6OpkF0KrRwlGQVwzwtnDohGd/5f7TbiPf1QjC+JP/m4mxZl3
zE0BCOct9b4hUc/CFto71CPlytSbTsMhfJAn8JxttGvsWIAj+dQ0iuLXfLDflWt6
sImmnOo28YInvFx6pKoxTwcV1AVrPWn5TSePhZM50dmzs0exltOISFECDhpPabU3
ZymRCze8fH9Z3SHxfxTlTZV7IaW2kpyyBe1KsWpM46gLPk5icX+Xc6mdGwbdGBpf
vDZ+BoHCjq9FfQrAu1+E83yCYyu+3fWrLSgYyrqjg0gPcCcnb1g6hqECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "PiqJGofbo6941m20NJM3yhUoWKTNyLCtTPzsKcrvFSL";
};
};
};
cybercube = {
nets.wiregrill = {
aliases = [ "cybercube.xkey.w" ];
wireguard.pubkey = "ZPOCyThKQUlR/gPFWoJ4XICHYFMNtI70XH+y5v2f6VQ=";
};
};
rojava = {
nets = {
retiolum = {
ip4.addr = "10.243.23.42";
aliases = [ "rojava.xkey.r" ];
aliases = [ "aland.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA3Xafx5PYDNRxRwWGo25paveBgEFQYWWOg5YYcqSlBsUzWkEwZPdd
@ -88,11 +51,35 @@ in
};
};
};
catalonia = {
nets = {
retiolum = {
ip4.addr = "10.243.13.12";
aliases = [ "catalonia.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y
gT6iBN8IKnMjYk3bAS7MxmgiyVE17MQlaQi0RSYY47M8I9TvCYtWX/FcXuP9e6CA
VcalDUNpy2qNB+yEE8gMa8vDA3smKk/iK47jTtpWoPtvejLK/SCi8RdlYjKlOErE
Yl9mCniGD1WEYgdrjf6Nl7av6uuGYNibivIMkB2JyGwGGmzvP+oBFi2Cwarw8K2e
FK2VGrAfkgiP5rTPACHseoeCsJtRLozgzYzmS5M9XhP5ZoPkbtR/pL5btCwoCTlZ
HotmLVg4DezbPjNOBB9gtJF4UuzQjSPNY6K1VvvLOhDwXdyln82LuNcm9l+cy9y3
mGeSvqOouBugDqie6OpkF0KrRwlGQVwzwtnDohGd/5f7TbiPf1QjC+JP/m4mxZl3
zE0BCOct9b4hUc/CFto71CPlytSbTsMhfJAn8JxttGvsWIAj+dQ0iuLXfLDflWt6
sImmnOo28YInvFx6pKoxTwcV1AVrPWn5TSePhZM50dmzs0exltOISFECDhpPabU3
ZymRCze8fH9Z3SHxfxTlTZV7IaW2kpyyBe1KsWpM46gLPk5icX+Xc6mdGwbdGBpf
vDZ+BoHCjq9FfQrAu1+E83yCYyu+3fWrLSgYyrqjg0gPcCcnb1g6hqECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "PiqJGofbo6941m20NJM3yhUoWKTNyLCtTPzsKcrvFSL";
};
};
};
sicily = {
nets = {
retiolum = {
ip4.addr = "10.243.161.1";
aliases = [ "sicily.xkey.r" "mukke.r" "bie.r" ];
aliases = [ "sicily.r" "mukke.r" "bie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAzjCrsMRptg22QJTXsNgrxE/CjpGiDD9NYExqiDQ7kyKJ7+nrjtJg

2
krebs/1systems/hotdog/config.nix
View File

@ -22,7 +22,7 @@
];
krebs.build.host = config.krebs.hosts.hotdog;
krebs.hosts.hotdog.ssh.privkey.path = <secrets/ssh.id_ed25519>;
krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
krebs.pages.enable = true;
boot.isContainer = true;

2
krebs/1systems/puyak/config.nix
View File

@ -113,7 +113,7 @@
];
krebs.build.host = config.krebs.hosts.puyak;
krebs.hosts.puyak.ssh.privkey.path = <secrets/ssh.id_ed25519>;
krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
sound.enable = false;
boot = {

2
krebs/1systems/wolf/config.nix
View File

@ -51,7 +51,7 @@ in
# uninteresting stuff
#####################
krebs.build.host = config.krebs.hosts.wolf;
krebs.hosts.wolf.ssh.privkey.path = <secrets/ssh.id_ed25519>;
krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.initrd.availableKernelModules = [
"ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"

2
krebs/2configs/cache.nsupdate.info.nix
View File

@ -9,7 +9,7 @@ in {
enable = true;
server = "ipv4.nsupdate.info";
username = domain;
password = import ((toString <secrets>) + "/nsupdate-cache.nix");
password = import "${config.krebs.secret.directory}/nsupdate-cache.nix";
domains = [ domain ];
use= "if, if=et0";
# use = "web, web=http://ipv4.nsupdate.info/myip";

2
krebs/2configs/matterbridge.nix
View File

@ -2,7 +2,7 @@
services.matterbridge = {
enable = true;
configPath = let
bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>;
bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token";
in
toString ((pkgs.formats.toml {}).generate "config.toml" {
general = {

18
krebs/2configs/reaktor2.nix
View File

@ -528,6 +528,24 @@ in {
'';
};
services.nginx.virtualHosts."bedge.r" = {
locations."/".extraConfig = ''
proxy_set_header Host $host;
proxy_pass http://localhost:${toString config.services.hledger-web.port};
'';
locations."/bedger.json".extraConfig = ''
proxy_set_header Host $host;
proxy_pass http://localhost:8011;
'';
extraConfig = ''
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
'';
};
services.hledger-web = {
enable = true;
};
systemd.services.reaktor2-r.serviceConfig.DynamicUser = mkForce false;
systemd.services.reaktor2-hackint.serviceConfig.DynamicUser = mkForce false;
krebs.reaktor2 = {

4
krebs/2configs/secret-passwords.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
{ config, lib, ... }:
with lib;
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
(import "${config.krebs.secret.directory}/hashedPasswords.nix");
}

4
krebs/2configs/shack/gitlab-runner.nix
View File

@ -1,4 +1,4 @@
{ pkgs,lib, ... }:
{ config, lib, pkgs, ... }:
{
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
services.gitlab-runner = {
@ -10,7 +10,7 @@
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = toString <secrets/shackspace-gitlab-ci>;
registrationConfigFile = "${config.krebs.secret.directory}/shackspace-gitlab-ci";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"

5
krebs/2configs/shack/grafana.nix
View File

@ -1,7 +1,6 @@
let
{ config, ... }: let
port = 3000;
in {
networking.firewall.allowedTCPPorts = [ port ]; # legacy
services.nginx.virtualHosts."grafana.shack" = {
locations."/" = {
@ -25,6 +24,6 @@ in {
users.allowOrgCreate = true;
users.autoAssignOrg = true;
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>;
security = import "${config.krebs.secret.directory}/grafana_security.nix";
};
}

2
krebs/2configs/shack/muell_caller.nix
View File

@ -21,7 +21,7 @@ let
install -m755 -D call.py $out/bin/call-muell
'';
};
cfg = "${toString <secrets>}/tell.json";
cfg = "${config.krebs.secret.directory}/tell.json";
in {
systemd.services.call_muell = {
description = "call muell";

2
krebs/2configs/shack/muell_mail.nix
View File

@ -9,7 +9,7 @@ let
sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx";
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
home = "/var/lib/muell_mail";
cfg = toString <secrets/shack/muell_mail.js>;
cfg = "${config.krebs.secret.directory}/shack/muell_mail.js";
in {
users.users.muell_mail = {
inherit home;

2
krebs/2configs/shack/prometheus/unifi.nix
View File

@ -5,6 +5,6 @@
unifiAddress = "https://unifi.shack:8443/";
unifiInsecure = true;
unifiUsername = "prometheus"; # needed manual login after setup to confirm the password
unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile <secrets/shack/unifi-prometheus-pw>);
unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile "${config.krebs.secret.directory}/shack/unifi-prometheus-pw");
};
}

2
krebs/2configs/shack/s3-power.nix
View File

@ -10,7 +10,7 @@ let
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
home = "/var/lib/s3-power";
cfg = toString <secrets/shack/s3-power.json>;
cfg = "${config.krebs.secret.directory}/shack/s3-power.json";
in {
users.users.s3_power = {
inherit home;

4
krebs/3modules/retiolum-bootstrap.nix
View File

@ -22,8 +22,8 @@ in
default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
# <secrets/tinc.krebsco.de.crt>
# <secrets/tinc.krebsco.de.key>
# ${config.krebs.secret.directory}/tinc.krebsco.de.crt
# ${config.krebs.secret.directory}/tinc.krebsco.de.key
};
config = mkIf cfg.enable {

12
krebs/3modules/secret.nix
View File

@ -7,13 +7,17 @@ in {
default = toString <secrets>;
type = types.absolute-pathname;
};
file = mkOption {
default = relpath: "${cfg.directory}/${relpath}";
readOnly = true;
};
files = mkOption {
type = with pkgs.stockholm.lib.types; attrsOf secret-file;
default = {};
apply = mapAttrs (name: secret-file:
if types.absolute-pathname.check secret-file.source-path then
secret-file
else
secret-file // {
source-path = "${config.krebs.secret.directory}/secret-file.source-path";
}
);
};
};
config = lib.mkIf (cfg.files != {}) {

3
krebs/3modules/zones.nix
View File

@ -16,6 +16,9 @@ with lib; {
@ 3600 IN NS ns2.he.net.
@ 3600 IN NS ns3.he.net.
@ 3600 IN NS ns2.hosting.de.
panda NS panda
panda A 130.61.237.100
'';
};
};

2
krebs/5pkgs/simple/generate-secrets/default.nix
View File

@ -39,7 +39,7 @@ pkgs.writers.writeDashBin "generate-secrets" ''
};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519";
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
};
EOF

2
lib/types.nix
View File

@ -340,7 +340,7 @@ rec {
};
source-path = mkOption {
type = str;
default = toString <secrets> + "/${config.name}";
default = config.name;
defaultText = "secrets/name";
};
};

87
tv/1systems/alnus/config.nix
View File

@ -1,87 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/retiolum.nix>
];
boot = {
initrd = {
availableKernelModules = [ "ahci" ];
luks.devices.luksroot.device = "/dev/sda2";
};
};
environment.systemPackages = [
pkgs.firefox
pkgs.networkmanagerapplet
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
];
fileSystems = {
"/boot" = {
device = "/dev/sda1";
};
"/" = {
device = "/dev/mapper/main-root";
fsType = "ext4";
options = [ "defaults" "noatime" ];
};
"/home" = {
device = "/dev/mapper/main-home";
fsType = "ext4";
options = [ "defaults" "noatime" ];
};
};
hardware = {
opengl.driSupport32Bit = true;
pulseaudio.enable = true;
};
i18n.defaultLocale = "de_DE.UTF-8";
krebs.build = {
host = config.krebs.hosts.alnus;
user = mkForce config.krebs.users.dv;
};
networking.networkmanager.enable = true;
services.earlyoom.enable = true;
services.earlyoom.freeMemThreshold = 5;
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
"--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
];
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign:e";
libinput.enable = false;
synaptics = {
enable = true;
twoFingerScroll = true;
};
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "dv";
system.stateVersion = "22.05";
users.users.dv = {
inherit (config.krebs.users.dv) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}

1
tv/1systems/alnus/lib
View File

@ -1 +0,0 @@
../lib

23
tv/1systems/au/config.nix
View File

@ -1,23 +0,0 @@
{ config, ... }: {
imports = [
./disks.nix
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/ppp.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xsessions>
];
krebs.build.host = config.krebs.hosts.au;
networking.wireless.enable = true;
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
networking.interfaces.wlp3s0.useDHCP = true;
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
system.stateVersion = "20.03";
tv.hw.screens.primary.width = 1920;
tv.hw.screens.primary.height = 1080;
}

19
tv/1systems/au/disks.nix
View File

@ -1,19 +0,0 @@
{
boot.initrd.luks.devices.main.device = "/dev/sda2";
fileSystems."/" = {
device = "/dev/main/root";
options = ["defaults" "noatime" "commit=60"];
};
fileSystems."/boot" = {
device = "/dev/sda1";
options = ["defaults" "noatime"];
};
fileSystems."/bku" = {
device = "/dev/main/bku";
options = ["defaults" "noatime"];
};
fileSystems."/home" = {
device = "/dev/main/home";
options = ["defaults" "noatime" "commit=60"];
};
}

1
tv/1systems/au/lib
View File

@ -1 +0,0 @@
../lib

35
tv/1systems/bu/config.nix
View File

@ -1,35 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
./disks.nix
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xsessions>
];
krebs.build.host = config.krebs.hosts.bu;
networking.wireless.enable = true;
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
networking.interfaces.wlp3s0.useDHCP = true;
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
networking.wireless.interfaces = [
"wlp3s0"
];
programs.gnupg.agent.enable = true;
programs.gnupg.agent.pinentryFlavor = "gtk2";
services.earlyoom.enable = true;
services.earlyoom.freeMemThreshold = 5;
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
"--prefer '(^|/)chromium$'"
];
system.stateVersion = "21.11";
}

19
tv/1systems/bu/disks.nix
View File

@ -1,19 +0,0 @@
{
boot.initrd.luks.devices.buda2.device = "/dev/sda2";
fileSystems."/" = {
device = "buda2/root";
fsType = "zfs";
};
fileSystems."/bku" = {
device = "buda2/bku";
fsType = "zfs";
};
fileSystems."/home" = {
device = "buda2/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
}

1
tv/1systems/bu/lib
View File

@ -1 +0,0 @@
../lib

1
tv/1systems/lib
View File

@ -1 +0,0 @@
../lib

127
tv/1systems/mu/config.nix
View File

@ -1,127 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/br.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.mu;
krebs.build.user = mkForce config.krebs.users.vv;
tv.x0vncserver.enable = true;
boot.initrd.luks.devices.muca.device = "/dev/sda2";
boot.initrd.availableKernelModules = [ "ahci" ];
boot.kernelModules = [ "fbcon" "kvm-intel" ];
boot.kernelParams = [ "fsck.repair=yes" ];
boot.extraModulePackages = [ ];
fileSystems = {
"/" = {
device = "/dev/mapper/muvga-root";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/home" = {
device = "/dev/mapper/muvga-home";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
};
nixpkgs.config.allowUnfree = true;
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
hardware.enableRedistributableFirmware = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
networking.networkmanager.enable = true;
# XXX reload to work around occasional "Failed to load firmware chunk!"
# TODO only do this if firmware is actually broken(?)
system.activationScripts.reload-iwlwifi = /* sh */ ''
${pkgs.kmod}/bin/modprobe -vr iwlwifi
${pkgs.kmod}/bin/modprobe -v iwlwifi
'';
environment.systemPackages = [
pkgs.chromium
pkgs.firefox
pkgs.gimp
pkgs.iptables
pkgs.libreoffice
pkgs.plasma-pa
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
pkgs.skypeforlinux
pkgs.slock
pkgs.tinc_pre
pkgs.vim
pkgs.xsane
#pkgs.foomatic_filters
#pkgs.gutenprint
#pkgs.cups_pdf_filter
#pkgs.ghostscript
];
i18n.defaultLocale = "de_DE.UTF-8";
programs.ssh.startAgent = false;
krebs.setuid = {
slock = {
filename = "${pkgs.slock}/bin/slock";
mode = "4111";
};
};
security.pam.loginLimits = [
# for jack
{ domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
];
fonts.fonts = [
pkgs.xorg.fontschumachermisc
];
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
# TODO this is host specific
services.xserver.libinput.enable = false;
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "vv";
users.users.vv = {
inherit (config.krebs.users.vv) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}

1
tv/1systems/mu/lib
View File

@ -1 +0,0 @@
../lib

62
tv/1systems/nomic/config.nix
View File

@ -1,62 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.nomic;
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xserver>
];
boot.initrd.luks.devices.luks1.device = "/dev/sda2";
# Don't use UEFI because current disk was partitioned/formatted for AO753.
# TODO remove following bool.loader section after repartitioning/reformatting
boot.loader = {
grub = {
device = "/dev/sda";
splashImage = null;
};
systemd-boot.enable = mkForce false;
};
fileSystems."/" =
{ device = "/dev/mapper/nomic1-root";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/sda1";
fsType = "ext4";
};
fileSystems."/home" =
{ device = "/dev/mapper/nomic1-home";
fsType = "btrfs";
};
environment.systemPackages = with pkgs; [
(writeDashBin "play" ''
set -euf
mpv() { exec ${mpv}/bin/mpv "$@"; }
case $1 in
deepmix) mpv http://deepmix.ru/deepmix128.pls;;
groovesalad) mpv http://somafm.com/play/groovesalad;;
ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;;
*)
echo "$0: bad argument: $*" >&2
exit 23
esac
'')
gnupg
tmux
];
networking.wireless.enable = true;
}

1
tv/1systems/nomic/lib
View File

@ -1 +0,0 @@
../lib

86
tv/1systems/querel/config.nix
View File

@ -1,86 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.querel;
krebs.build.user = mkForce config.krebs.users.itak;
boot.initrd.availableKernelModules = [ "ahci" ];
boot.initrd.luks.devices.querel-luks1 = {
allowDiscards = true;
device = "/dev/sda2";
};
boot.kernelModules = [ "kvm-intel" ];
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
environment.systemPackages = [
pkgs.firefox
pkgs.gimp
pkgs.kate
pkgs.libreoffice
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
pkgs.sxiv
pkgs.texlive.combined.scheme-full
pkgs.vim
pkgs.xsane
pkgs.zathura
];
fileSystems = {
"/" = {
device = "/dev/mapper/querel-root";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/home" = {
device = "/dev/mapper/querel-home";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/boot" = {
device = "/dev/sda1";
};
};
hardware.enableRedistributableFirmware = true;
hardware.pulseaudio.enable = true;
i18n.defaultLocale = "de_DE.UTF-8";
networking.networkmanager.enable = true;
programs.ssh.startAgent = false;
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
services.xserver.libinput.enable = false;
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "itak";
users.users.itak = {
inherit (config.krebs.users.itak) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}

1
tv/1systems/querel/lib
View File

@ -1 +0,0 @@
../lib

37
tv/1systems/ru/config.nix
View File

@ -1,37 +0,0 @@
with import ./lib;
{ config, ... }: {
imports = [
../..
../../2configs/hw/winmax2.nix
../../2configs/retiolum.nix
../../2configs/wiregrill.nix
];
boot.initrd.luks.devices.main.device = "/dev/nvme0n1p2";
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
fileSystems."/" = {
device = "/dev/mapper/ruvg0-root";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
fileSystems."/boot" = {
device = "/dev/nvme0n1p1";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/mapper/ruvg0-home";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
fileSystems."/bku" = {
device = "/dev/mapper/ruvg0-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
krebs.build.host = config.krebs.hosts.ru;
system.stateVersion = "22.11";
}

154
tv/1systems/xu/config.nix
View File

@ -1,154 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.xu;
imports = [
<stockholm/tv>
../../2configs/autotether.nix
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/man.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/ppp.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/binary-cache>
<stockholm/tv/2configs/br.nix>
<stockholm/tv/2configs/xserver>
<stockholm/tv/2configs/xsessions>
<stockholm/tv/2configs/xserver/xkiller.nix>
{
environment.systemPackages = with pkgs; [
# root
cryptsetup
# tv
bc
bind # dig
brain
cac-api
dic
file
gnupg1compat
haskellPackages.hledger
jq
mkpasswd
netcat
netcup
nmap
p7zip
(pkgs.pass.withExtensions (ext: [
ext.pass-otp
]))
q
qrencode
texlive.combined.scheme-full
tmux
#ack
#apache-httpd
#ascii
#emacs
#es
#esniper
#gcc
#gptfdisk
#graphviz
#haskellPackages.cabal2nix
#haskellPackages.ghc
#haskellPackages.shake
#hdparm
#i7z
#iftop
#imagemagick
#inotifyTools
#iodine
#iotop
#lshw
#lsof
#minicom
#mtools
#ncmpc
#nethogs
#nix-prefetch-scripts #cvs bug
#openssl
#openswan
#parted
#perl
#powertop
#ppp
#proot
#pythonPackages.arandr
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
#scrot
#sec
#silver-searcher
#sloccount
#smartmontools
#socat
#sshpass
#strongswan
#sysdig
#sysstat
#tcpdump
#tlsdate
#unetbootin
#utillinuxCurses
#xdotool
#xkill
#xl2tpd
#xsel
unison
];
}
];
boot.initrd.luks.devices.xuca.device = "/dev/sda2";
fileSystems = {
"/" = {
device = "/dev/mapper/xuvga-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/mapper/xuvga-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/xuvga-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
};
};
environment.systemPackages = with pkgs; [
ethtool
tinc_pre
iptables
#jack2
gptfdisk
];
networking.wireless.enable = true;
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
}

1
tv/1systems/xu/lib
View File

@ -1 +0,0 @@
../lib

51
tv/1systems/zu/config.nix
View File

@ -1,51 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.zu;
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/man.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xserver>
];
boot.initrd.luks.devices.zuca.device = "/dev/sda2";
fileSystems = {
"/" = {
device = "/dev/mapper/zuvga-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/mapper/zuvga-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/zuvga-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
};
};
networking.wireless.enable = true;
services.printing.enable = true;
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
}

19
tv/2configs/autotether.nix
View File

@ -1,19 +0,0 @@
{ config, pkgs, ... }: let
cfg.serial = "17e064850405";
in {
systemd.services.usb_tether.serviceConfig = {
SyslogIdentifier = "usb_tether";
ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
};
services.udev.extraRules = /* sh */ ''
ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
'';
systemd.network.networks.android = {
matchConfig.Name = "android";
DHCP = "yes";
};
}

109
tv/2configs/backup.nix
View File

@ -1,109 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
bu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
startAt = "05:20";
};
bu-home-zu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
startAt = "05:25";
};
nomic-home-xu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
startAt = "05:00";
};
nomic-home-zu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/nomic-home"; };
startAt = "04:20";
};
nomic-pull-querel-home = {
method = "pull";
src = { host = config.krebs.hosts.querel; path = "/home"; };
dst = { host = config.krebs.hosts.nomic; path = "/fs/ponyhof/bku/querel-home"; };
startAt = "22:00";
};
xu-home-bu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
startAt = "04:50";
};
xu-home-nomic = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.nomic; path = "/fs/cis3hG/bku/xu-home"; };
startAt = "05:20";
};
xu-home-zu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/xu-home"; };
startAt = "06:20";
};
xu-pull-ni-ejabberd = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; };
startAt = "07:00";
};
xu-pull-ni-home = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; };
startAt = "07:00";
};
zu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.zu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/zu-home"; };
startAt = "05:00";
};
zu-pull-ni-ejabberd = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; };
startAt = "06:00";
};
zu-pull-ni-home = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; };
startAt = "06:30";
};
} // mapAttrs (_: recursiveUpdate {
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
hourly = { format = "%Y-%m-%dT%H"; retain = 3; };
daily = { format = "%Y-%m-%d"; retain = 3; };
};
startAt = null;
}) {
xu-test-push-xu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-push"; };
};
xu-test-pull-xu = {
method = "pull";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-pull"; };
};
};
}

67
tv/2configs/bash/default.nix
View File

@ -1,67 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
programs.bash = {
interactiveShellInit = /* sh */ ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
HISTTIMEFORMAT=
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
case $UID in
${shell.escape (toString config.krebs.users.tv.uid)})
if test ''${SHLVL-1} = 1 && test -n "''${DISPLAY-}"; then
_CURRENT_DESKTOP_NAME=''${_CURRENT_DESKTOP_NAME-$(
${pkgs.xorg.xprop}/bin/xprop -notype -root \
32i _NET_CURRENT_DESKTOP \
8s _NET_DESKTOP_NAMES \
|
${pkgs.gnused}/bin/sed -r 's/.* = //;s/"//g;s/, /\a/g' |
{
read -r _NET_CURRENT_DESKTOP
IFS=$'\a' read -ra _NET_DESKTOP_NAMES
echo "''${_NET_DESKTOP_NAMES[$_NET_CURRENT_DESKTOP]}"
}
)}
case $_CURRENT_DESKTOP_NAME in
stockholm)
cd ~/stockholm
;;
esac
fi
export NIX_PATH="stockholm=$HOME/stockholm:$NIX_PATH"
;;
esac
${pkgs.bash-fzf-history.bind}
if test -n "''${BASH_EXTRA_INIT-}"; then
. "$BASH_EXTRA_INIT"
fi
'';
promptInit = /* sh */ ''
case $UID in
0)
PS1='\[\e[1;31m\]\w\[\e[0m\] '
;;
${toString config.krebs.build.user.uid})
PS1='\[\e[1;32m\]\w\[\e[0m\] '
;;
*)
PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
;;
esac
if test -n "$SSH_CLIENT"; then
PS1='\[\e[35m\]\h'" $PS1"
fi
if test -n "$SSH_AGENT_PID"; then
PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
fi
'';
};
}

1
tv/2configs/bash/lib
View File

@ -1 +0,0 @@
../lib

29
tv/2configs/binary-cache/default.nix
View File

@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }: with import ./lib;
{
environment.etc."binary-cache.pubkey".text =
config.krebs.build.host.binary-cache.pubkey;
nixpkgs.overlays = [
(self: super: {
nix-serve = self.haskellPackages.nix-serve-ng;
})
];
services.nix-serve = {
enable = true;
secretKeyFile = toString <secrets> + "/nix-serve.key";
};
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
serverAliases = [
"cache.${config.krebs.build.host.name}.hkw"
"cache.${config.krebs.build.host.name}.r"
];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
};
};
}

1
tv/2configs/binary-cache/lib
View File

@ -1 +0,0 @@
../lib

49
tv/2configs/br.nix
View File

@ -1,49 +0,0 @@
with import ./lib;
{ config, modulesPath, pkgs, ... }: {
imports = [
(modulesPath + "/services/hardware/sane_extra_backends/brscan4.nix")
];
krebs.nixpkgs.allowUnfreePredicate = pkg: any (eq (packageName pkg)) [
"brother-udev-rule-type1"
"brscan4"
"brscan4-etc-files"
"mfcl2700dnlpr"
];
hardware.sane = {
enable = true;
brscan4 = {
enable = true;
netDevices = {
bra = {
model = "MFCL2700DN";
ip = "10.23.1.214";
};
};
};
};
services.saned.enable = true;
# usage: scanimage -d "$(find-scanner bra)" --batch --format=tiff --resolution 150 -x 211 -y 298
environment.systemPackages = [
(pkgs.writeDashBin "find-scanner" ''
set -efu
name=$1
${pkgs.sane-backends}/bin/scanimage -f '%m %d
' \
| ${pkgs.gawk}/bin/awk -v dev="*$name" '$1 == dev { print $2; exit }' \
| ${pkgs.gnugrep}/bin/grep .
'')
];
services.printing = {
enable = true;
drivers = [
pkgs.mfcl2700dncupswrapper
];
};
}

133
tv/2configs/default.nix
View File

@ -1,133 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
boot.tmpOnTmpfs = true;
krebs.enable = true;
krebs.build.user = config.krebs.users.tv;
networking.hostId = mkDefault (hashToLength 8 config.networking.hostName);
networking.hostName = config.krebs.build.host.name;
imports = [
<secrets>
./backup.nix
./bash
./htop.nix
./nets/hkw.nix
./networkd.nix
./nginx
./nix.nix
./pki
./ssh.nix
./sshd.nix
./vim.nix
./xdg.nix
{
users = {
defaultUserShell = "/run/current-system/sw/bin/bash";
mutableUsers = false;
users = {
tv = {
inherit (config.krebs.users.tv) home uid;
isNormalUser = true;
extraGroups = [ "tv" ];
};
};
};
}
{
i18n.defaultLocale = mkDefault "C.UTF-8";
security.sudo.extraConfig = ''
Defaults env_keep+="SSH_CLIENT _CURRENT_DESKTOP_NAME"
Defaults mailto="${config.krebs.users.tv.mail}"
Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
{
nixpkgs.config.allowUnfree = false;
}
{
environment.homeBinInPath = true;
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
rxvt_unicode.terminfo
];
environment.shellAliases = mkForce {
gp = "${pkgs.pari}/bin/gp -q";
df = "df -h";
du = "du -h";
# TODO alias cannot contain #\'
# "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
ls = "ls -h --color=auto --group-directories-first";
dmesg = "dmesg -L --reltime";
view = "vim -R";
};
environment.variables = {
NIX_PATH = mkForce (concatStringsSep ":" [
"secrets=/var/src/stockholm/null"
"/var/src"
]);
};
}
{
services.cron.enable = false;
services.ntp.enable = false;
services.timesyncd.enable = true;
}
{
boot.kernel.sysctl = {
# Enable IPv6 Privacy Extensions
#
# XXX use mkForce here because since NixOS 21.11 there's a collision in
# net.ipv6.conf.default.use_tempaddr, and boot.kernel.sysctl incapable
# of merging.
#
# XXX net.ipv6.conf.all.use_tempaddr is set because it was mentioned in
# https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
# TODO check if that is really necessary, otherwise we can rely solely
# on networking.tempAddresses in the future (when nothing is <21.11)
"net.ipv6.conf.all.use_tempaddr" = mkForce 2;
"net.ipv6.conf.default.use_tempaddr" = mkForce 2;
};
}
{
tv.iptables.enable = true;
tv.iptables.accept-echo-request = "internet";
}
{
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
}
{
environment.systemPackages = [
pkgs.field
pkgs.get
pkgs.git
pkgs.git-crypt
pkgs.git-preview
pkgs.hashPassword
pkgs.htop
pkgs.kpaste
pkgs.nix-prefetch-scripts
pkgs.ovh-zone
pkgs.push
];
}
];
}

359
tv/2configs/elm-packages-proxy.nix
View File

@ -1,359 +0,0 @@
{ config, lib, pkgs, ... }: let
cfg.nameserver = "1.1.1.1";
cfg.packageDir = "/var/lib/elm-packages";
cfg.port = 7782;
# TODO secret files
cfg.htpasswd = "/var/lib/certs/package.elm-lang.org/htpasswd";
cfg.sslCertificate = "/var/lib/certs/package.elm-lang.org/fullchain.pem";
cfg.sslCertificateKey = "/var/lib/certs/package.elm-lang.org/key.pem";
semverRegex =
"(?<major>0|[1-9]\\d*)\\.(?<minor>0|[1-9]\\d*)\\.(?<patch>0|[1-9]\\d*)(?:-(?<prerelease>(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+(?<buildmetadata>[0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?";
in {
services.nginx.virtualHosts."package.elm-lang.org" = {
addSSL = true;
sslCertificate = cfg.sslCertificate;
sslCertificateKey = cfg.sslCertificateKey;
locations."/all-packages".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
locations."/all-packages/since/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})\$".extraConfig = ''
auth_basic "Restricted Area";
auth_basic_user_file ${cfg.htpasswd};
proxy_set_header X-User $remote_user;
proxy_set_header X-Author $author;
proxy_set_header X-Package $pname;
proxy_set_header X-Version $version;
proxy_pass_header Server;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
'';
locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})/(?:zipball|elm.json|endpoint.json)\$".extraConfig = ''
set $zipball "${cfg.packageDir}/$author/$pname/$version/zipball";
proxy_set_header X-Author $author;
proxy_set_header X-Package $pname;
proxy_set_header X-Version $version;
proxy_set_header X-Zipball $zipball;
proxy_pass_header Server;
resolver ${cfg.nameserver};
if (-f $zipball) {
set $new_uri http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
}
if (!-f $zipball) {
set $new_uri https://package.elm-lang.org$request_uri;
}
proxy_pass $new_uri;
'';
locations."/search.json".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
};
krebs.htgen.elm-packages-proxy = {
port = cfg.port;
script = /* sh */ ''. ${pkgs.writeDash "elm-packages-proxy.sh" ''
PATH=${lib.makeBinPath [
pkgs.attr
pkgs.coreutils
pkgs.curl
pkgs.findutils
pkgs.gnugrep
pkgs.jq
pkgs.p7zip
]}
export PATH
file_response() {(
status_code=$1
status_reason=$2
file=$3
content_type=$4
content_length=$(wc -c "$file" | cut -d\ -f1)
printf "HTTP/1.1 $status_code $status_reason\r\n"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' "$content_length"
printf 'Content-Type: %s\r\n' "$content_type"
printf 'Server: %s\r\n' "$Server"
printf '\r\n'
cat "$file"
)}
string_response() {(
status_code=$1
status_reason=$2
response_body=$3
content_type=$4
printf "HTTP/1.1 $status_code $status_reason\r\n"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' "$(expr ''${#response_body} + 1)"
printf 'Content-Type: %s\r\n' "$content_type"
printf 'Server: %s\r\n' "$Server"
printf '\r\n'
printf '%s\n' "$response_body"
)}
case "$Method $Request_URI" in
'GET /packages/'*)
author=$req_x_author
pname=$req_x_package
version=$req_x_version
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
mkdir -p "$HOME/cache"
case $(basename $Request_URI) in
zipball)
file_response 200 OK "$zipball" application/zip
exit
;;
elm.json)
if ! test -f "$elmjson"; then
7z x -so "$zipball" \*/elm.json > "$elmjson"
fi
file_response 200 OK "$elmjson" 'application/json; charset=UTF-8'
exit
;;
endpoint.json)
if ! test -f "$endpointjson"; then
hash=$(sha1sum "$zipball" | cut -d\ -f1)
url=https://package.elm-lang.org/packages/$author/$pname/$version/zipball
jq -n \
--arg hash "$hash" \
--arg url "$url" \
'{ $hash, $url }' \
> "$endpointjson"
fi
file_response 200 OK "$endpointjson" 'application/json; charset=UTF-8'
exit
;;
esac
;;
'POST /packages/'*)
author=$req_x_author
pname=$req_x_package
user=$req_x_user
version=$req_x_version
action=uploading
force=''${req_x_force-false}
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
if test -e "$zipball"; then
if test "$force" = true; then
zipball_owner=$(attr -q -g X-User "$zipball" || :)
if test "$zipball_owner" = "$req_x_user"; then
action=replacing
rm -f "$elmjson"
rm -f "$endpointjson"
else
string_response 403 Forbidden \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
else
string_response 409 Conflict \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
fi
echo "user $user is $action package $author/$pname@$version" >&2
# TODO check package
mkdir -p "$(dirname "$zipball")"
head -c $req_content_length > "$zipball"
attr -q -s X-User -V "$user" "$zipball" || :
string_response 200 OK \
"package created: $author/$pname@$version" \
text/plain
exit
;;
'DELETE /packages/'*)
author=$req_x_author
pname=$req_x_package
user=$req_x_user
version=$req_x_version
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
if test -e "$zipball"; then
zipball_owner=$(attr -q -g X-User "$zipball" || :)
if test "$zipball_owner" = "$req_x_user"; then
echo "user $user is deleting package $author/$pname@$version" >&2
rm -f "$elmjson"
rm -f "$endpointjson"
rm "$zipball"
string_response 200 OK \
"package deleted: $author/$pname@$version" \
text/plain
exit
else
string_response 403 Forbidden \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
fi
;;
'GET /all-packages'|'POST /all-packages')
response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
trap "rm $response >&2" EXIT
{
# upstream packages
curl -fsS https://package.elm-lang.org"$Request_URI"
# private packages
(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
map({key:.name,value:.string}) |
from_entries
) |
reduce .[] as $item ({};
($item|"\(.author)/\(.pname)") as $name |
. + { "\($name)": ((.[$name] // []) + [$item.version]) }
)
'
} |
jq -cs add > $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
'GET /all-packages/since/'*|'POST /all-packages/since/'*)
response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
trap "rm $response >&2" EXIT
{
# upstream packages
curl -fsS https://package.elm-lang.org"$Request_URI"
# private packages
(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
sub("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$";"\(.author)/\(.pname)@\(.version)")
) |
sort_by(split("@") | [.[0]]+(.[1]|split(".")|map(tonumber))) |
reverse
'
} |
jq -cs add > $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
'GET /search.json')
searchjson=$HOME/cache/search.json
mkdir -p "$HOME/cache"
# update cached search.json
(
last_modified=$(
if test -f "$searchjson"; then
date -Rr "$searchjson"
else
date -R -d @0
fi
)
tempsearchjson=$(mktemp "$searchjson.XXXXXXXX")
trap 'rm "$tempsearchjson" >&2' EXIT
curl -fsS --compressed https://package.elm-lang.org/search.json \
-H "If-Modified-Since: $last_modified" \
-o "$tempsearchjson"
if test -s "$tempsearchjson"; then
mv "$tempsearchjson" "$searchjson"
trap - EXIT
fi
)
response=$(mktemp -t htgen.$$.elm-packages-proxy.search.XXXXXXXX)
trap 'rm "$response" >&2' EXIT
{
printf '{"upstream":'; cat "$searchjson"
printf ',"private":'; (cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
map({key:.name,value:.string}) |
from_entries
) |
map({
key: "\(.author)/\(.pname)",
value: .version,
}) |
from_entries
'
printf '}'
} |
jq -c '
reduce .upstream[] as $upstreamItem ({ private, output: [] };
.private[$upstreamItem.name] as $privateItem |
if $privateItem then
.output += [$upstreamItem * { version: $privateItem.version }] |
.private |= del(.[$upstreamItem.name])
else
.output += [$upstreamItem]
end
) |
.output + (.private | to_entries | sort_by(.key) | map({
name: .key,
version: .value,
summary: "dummy summary",
license: "dummy license",
}))
' \
> $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
esac
''}'';
};
}

9
tv/2configs/exim-retiolum.nix
View File

@ -1,9 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.systemPackages = [
pkgs.eximlog
];
krebs.exim-retiolum.enable = true;
krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
}

46
tv/2configs/exim-smarthost.nix
View File

@ -1,46 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.systemPackages = [
pkgs.eximlog
];
krebs.exim-smarthost = {
enable = true;
dkim = [
{ domain = "viljetic.de"; }
];
sender_domains = [
"krebsco.de"
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = concatMap (host: host.nets.retiolum.addrs) [
config.krebs.hosts.nomic
config.krebs.hosts.xu
];
internet-aliases = with config.krebs.users; [
{ from = "bku-eppler@viljetic.de"; to = tv.mail; }
{ from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822
{ from = "mirko@viljetic.de"; to = mv-ni.mail; }
{ from = "tomislav@viljetic.de"; to = tv.mail; }
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@shackspace.de"; to = tv.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
};
tv.iptables.input-internet-accept-tcp = singleton "smtp";
}

20
tv/2configs/fs/CAC-CentOS-7-64bit.nix
View File

@ -1,20 +0,0 @@
_:
{
boot.loader.grub = {
device = "/dev/sda";
};
fileSystems = {
"/" = {
device = "/dev/centos/root";
fsType = "xfs";
};
"/boot" = {
device = "/dev/sda1";
fsType = "xfs";
};
};
swapDevices = [
{ device = "/dev/centos/swap"; }
];
}

16
tv/2configs/gitconfig.nix
View File

@ -1,16 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.etc.gitconfig.text = ''
[alias]
patch = !${pkgs.git}/bin/git --no-pager diff --no-color
[diff-so-fancy]
markEmptyLines = false
stripLeadingSymbols = false
[pager]
diff = ${pkgs.gitAndTools.diff-so-fancy}/bin/diff-so-fancy \
| ${pkgs.less}/bin/less -FRX
[user]
email = tv@krebsco.de
name = tv
'';
}

235
tv/2configs/gitrepos.nix
View File

@ -1,235 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let {
body = {
nixpkgs.config.packageOverrides = super: {
cgit = pkgs.symlinkJoin {
name = "${super.cgit.name}-tv";
paths = [
(pkgs.runCommand "${super.cgit.name}-tv-overrides" {
} /* sh */ ''
mkdir -p $out/lib/cgit/filters
cd $out/lib/cgit/filters
cp \
${super.cgit}/lib/cgit/filters/syntax-highlighting.py \
${super.cgit}/lib/cgit/filters/.syntax-highlighting.py-wrapped \
.
sed -i "s:${super.cgit}:$out:" syntax-highlighting.py
sed -i '
s:^\(formatter =\).*:\1 HtmlFormatter(style="algol_nu"):
' .syntax-highlighting.py-wrapped
'')
super.cgit
];
};
};
krebs.git = {
enable = true;
cgit = {
settings = {
about-filter = pkgs.exec "krebs.cgit.about-filter" rec {
filename = "${pkgs.python3Packages.markdown2}/bin/markdown2";
argv = [
filename
"--extras=fenced-code-blocks"
];
envp = {};
};
readme = [
":README.md"
];
root-desc = "mostly krebs";
root-title = "repositories at ${config.krebs.build.host.name}";
source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
};
};
repos = repos;
rules = rules;
};
};
cgit-clear-cache = pkgs.cgit-clear-cache.override {
inherit (config.krebs.git.cgit.settings) cache-root;
};
repos =
public-repos //
optionalAttrs config.krebs.build.host.secure restricted-repos;
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo ({
} // mapAttrs (_: recursiveUpdate { cgit.section = "1. miscellaneous"; }) {
couchfs = {
cgit.desc = "filesystem (in userspace) on top of CouchDB";
};
crx = {
cgit.desc = "utilities for working with Chrome extensions";
};
dic = {
cgit.desc = "dict.leo.org command line interface";
};
disko = {
cgit.desc = "declarative partitioning and formatting tool";
};
fswm = {
cgit.desc = "simple full screen window manager";
};
htgen = {
cgit.desc = "toy HTTP server";
};
ircaids = {
cgit.desc = "Assortment of aids for working with Internet relay chat";
};
krops = {
cgit.desc = "deployment tools";
};
mailaids = {
cgit.desc = "Assortment of aids for working with electronic mail";
};
much = {};
netcup = {
cgit.desc = "netcup command line interface";
};
nix-writers = {
cgit.desc = "collection of package builders";
};
nixpkgs = {
cgit.desc = "Nix Packages collection";
};
pager = {
};
populate = {
cgit.desc = "source code installer";
};
q = {};
reaktor2 = {};
stockholm = {
cgit.desc = "NixOS configuration";
};
TabFS = {
cgit.desc = "mount browser tabs & co. as a filesystem";
};
texnix = {
cgit.desc = "TeX live environment generator";
};
with-ssh = {};
} // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) {
ni = {
};
} // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) {
X11-aeson = {};
blessings = {};
hack = {};
hc = {};
mime = {};
quipper = {};
scanner = {};
wai-middleware-time = {};
web-routes-wai-custom = {};
xintmap = {};
xmonad-aeson = {};
xmonad-web = {};
} // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) {
cac-api = {
cgit.desc = "CloudAtCost API command line interface";
};
cgserver = {};
crude-mail-setup = {};
dot-xmonad = {};
flameshot-once = {
cgit.desc = "flameshot runner that automatically starts/stops the daemon";
};
hirc = {};
hstool = {
cgit.desc = "Haskell Development Environment ^_^";
};
kirk = {
cgit.desc = "IRC tools";
};
make-snapshot = {};
nixos-infest = {};
painload = {};
push = {};
Reaktor = {};
regfish = {};
with-tmpdir = {};
get = {};
load-env = {};
loldns = {
cgit.desc = "toy DNS server";
};
soundcloud = {
cgit.desc = "SoundCloud command line interface";
};
xmonad-stockholm = {};
});
restricted-repos = mapAttrs make-restricted-repo (
{
brain = {
collaborators = with config.krebs.users; [ lass makefu ];
hooks = {
post-receive = /* sh */ ''
(${irc-announce { cgit_endpoint = null; }})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
} //
# TODO don't put secrets/repos.nix into the store
import <secrets/repos.nix> { inherit config lib pkgs; }
);
irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
channel = "#xxx";
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
server = "irc.r";
verbose = {
exclude = [
"refs/heads/head"
];
};
} args);
make-public-repo = name: { cgit ? {}, ... }: {
inherit cgit name;
public = true;
hooks = {
post-receive = /* sh */ ''
(${optionalString (config.krebs.build.host.name == "ni")
(irc-announce {})})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
inherit collaborators name;
public = false;
hooks = hooks // {
post-receive = /* sh */ ''
(${hooks.post-receive or ":"})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
make-rules =
with git // config.krebs.users;
repo:
singleton {
user = [ tv tv-xu ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional (repo.collaborators or [] != []) {
user = repo.collaborators;
repo = [ repo ];
perm = fetch;
};
}

40
tv/2configs/htop.nix
View File

@ -1,40 +0,0 @@
with import ./lib;
{ pkgs, ... }: {
nixpkgs.config.packageOverrides = super: {
htop = pkgs.symlinkJoin {
name = "htop";
paths = [
(pkgs.writeDashBin "htop" ''
export HTOPRC=${pkgs.writeText "htoprc" ''
fields=0 48 17 18 38 39 40 2 46 47 49 1
sort_key=46
sort_direction=1
hide_threads=0
hide_kernel_threads=1
hide_userland_threads=0
shadow_other_users=1
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=1
header_margin=0
detailed_cpu_time=0
cpu_count_from_zero=0
update_process_names=0
account_guest_in_cpu_meter=1
color_scheme=0
delay=15
left_meters=LeftCPUs2 RightCPUs2 Memory Swap
left_meter_modes=1 1 1 1
right_meters=Uptime Tasks LoadAverage Battery
right_meter_modes=2 2 2 2
''}
exec ${super.htop}/bin/htop "$@"
'')
super.htop
];
};
};
}

48
tv/2configs/hw/AO753.nix
View File

@ -1,48 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
../smartd.nix
{
nix.settings.cores = 2;
nix.settings.max-jobs = 2;
}
(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
nix.daemonCPUSchedPolicy = "batch";
nix.daemonIOSchedPriority = 1;
} else {
nix.daemonIONiceLevel = 1;
nix.daemonNiceLevel = 1;
})
];
boot.loader.grub = {
device = "/dev/sda";
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ahci"
];
boot.kernelModules = [
"kvm-intel"
"wl"
];
boot.extraModulePackages = [
config.boot.kernelPackages.broadcom_sta
];
services.logind.extraConfig = ''
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandlePowerKey=ignore
HandleSuspendKey=ignore
'';
krebs.nixpkgs.allowUnfreePredicate = pkg: packageName pkg == "broadcom-sta";
tv.hw.screens.primary.width = 1366;
tv.hw.screens.primary.height = 768;
}

1
tv/2configs/hw/lib
View File

@ -1 +0,0 @@
../lib

48
tv/2configs/hw/winmax2.nix
View File

@ -1,48 +0,0 @@
{ pkgs, ... }: {
imports = [
../smartd.nix
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ];
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelModules = [
"amd-pstate"
"kvm-amd"
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
"amd_pstate=passive"
];
hardware.bluetooth.enable = true;
hardware.cpu.amd.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
hardware.opengl.enable = true;
hardware.opengl.extraPackages = [
pkgs.amdvlk
pkgs.rocm-opencl-icd
pkgs.rocm-opencl-runtime
];
networking.wireless.enable = true;
networking.wireless.interfaces = [
"wlp1s0"
];
networking.interfaces.wlp1s0.useDHCP = true;
nixpkgs.hostPlatform = "x86_64-linux";
services.illum.enable = true;
services.logind.extraConfig = /* ini */ ''
HandlePowerKey=ignore
'';
tv.lidControl.enable = true;
tv.hw.screens.primary.width = 2560;
tv.hw.screens.primary.height = 1600;
}

89
tv/2configs/hw/x220.nix
View File

@ -1,89 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
../smartd.nix
{
boot.extraModulePackages = [
config.boot.kernelPackages.acpi_call
];
boot.kernelModules = [
"acpi_call"
];
environment.systemPackages = [
pkgs.tpacpi-bat
];
}
# fix jumpy touchpad
# https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_X220#X220_Touchpad_cursor_jump/imprecise
{
services.udev.extraHwdb = /* sh */ ''
touchpad:i8042:*
LIBINPUT_MODEL_LENOVO_X220_TOUCHPAD_FW81=1
'';
}
{
nix.settings.cores = 2;
nix.settings.max-jobs = 2;
}
(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
nix.daemonCPUSchedPolicy = "batch";
nix.daemonIOSchedPriority = 1;
} else {
nix.daemonIONiceLevel = 1;
nix.daemonNiceLevel = 1;
})
];
boot.extraModulePackages = [
config.boot.kernelPackages.tp_smapi
];
boot.kernelModules = [ "tp_smapi" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Required for Centrino.
hardware.enableRedistributableFirmware = true;
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
# Conflicts with TLP, but gets enabled by DEs.
services.power-profiles-daemon.enable = false;
services.tlp.enable = true;
services.tlp.settings = {
START_CHARGE_THRESH_BAT0 = 80;
};
services.logind.extraConfig = ''
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandlePowerKey=ignore
HandleSuspendKey=ignore
'';
# because extraConfig is not extra enough:
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
services.xserver = {
videoDriver = "intel";
};
tv.hw.screens.primary.width = lib.mkDefault 1366;
tv.hw.screens.primary.height = lib.mkDefault 768;
}

22
tv/2configs/imgur.nix
View File

@ -1,22 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
services.nginx.virtualHosts."ni.r" = {
locations."/image" = {
extraConfig = /* nginx */ ''
client_max_body_size 20M;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
proxy_pass_header Server;
'';
};
};
krebs.htgen.imgur = {
port = 7771;
scriptFile = "${pkgs.htgen-imgur}/bin/htgen-imgur";
};
}

1
tv/2configs/lib
View File

@ -1 +0,0 @@
../lib

9
tv/2configs/mail-client.nix
View File

@ -1,9 +0,0 @@
{ pkgs, ... }: {
environment.systemPackages = [
pkgs.haskellPackages.much
pkgs.msmtp
pkgs.notmuch
pkgs.qprint
pkgs.w3m
];
}

13
tv/2configs/man.nix
View File

@ -1,13 +0,0 @@
{ config, lib, pkgs, ... }:
{
#environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
# ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
# s:^NROFF\t.*:& -Wbreak:
# '
#'';
environment.systemPackages = [
pkgs.man-pages
pkgs.posix_man_pages
pkgs.xorg.xorgdocs
];
}

68
tv/2configs/nets/hkw.nix
View File

@ -1,68 +0,0 @@
{
krebs = {
dns.providers.hkw = "hosts";
hosts = {
au = {
nets.hkw = {
ip4 = {
addr = "10.23.1.39";
prefix = "10.23.1.0/24";
};
aliases = [
"au.hkw"
];
ssh.port = 11423;
};
};
nomic = {
nets.hkw = {
ip4 = {
addr = "10.23.1.110";
prefix = "10.23.1.0/24";
};
aliases = [
"nomic.hkw"
];
ssh.port = 11423;
};
};
ok = {
external = true;
nets.hkw = {
ip4 = {
addr = "10.23.1.1";
prefix = "10.23.1.0/24";
};
aliases = [
"ok.hkw"
];
};
};
xu = {
nets.hkw = {
ip4 = {
addr = "10.23.1.38";
prefix = "10.23.1.0/24";
};
aliases = [
"xu.hkw"
"cache.xu.hkw"
];
ssh.port = 11423;
};
};
zu = {
nets.hkw = {
ip4 = {
addr = "10.23.1.40";
prefix = "10.23.1.0/24";
};
aliases = [
"zu.hkw"
];
ssh.port = 11423;
};
};
};
};
}

4
tv/2configs/networkd.nix
View File

@ -1,4 +0,0 @@
{
# often hangs
systemd.services.systemd-networkd-wait-online.enable = false;
}

22
tv/2configs/nginx/default.nix
View File

@ -1,22 +0,0 @@
with import ./lib;
{ config, ... }: {
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts.${toJSON ""} = {
default = true;
extraConfig = ''
error_page 400 =444 /;
return 444;
'';
rejectSSL = true;
};
};
tv.iptables = {
input-retiolum-accept-tcp = singleton "http";
};
}

1
tv/2configs/nginx/lib
View File

@ -1 +0,0 @@
../lib

18
tv/2configs/nginx/public_html.nix
View File

@ -1,18 +0,0 @@
with import ./lib;
{ config, ... }: {
services.nginx = {
enable = true;
virtualHosts.default = {
serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.hkw"
"${config.krebs.build.host.name}.r"
];
locations."~ ^/~([a-z]+)(?:/(.*))?\$" = {
alias = "/srv/$1/public_html/$2";
};
};
};
tv.iptables.input-internet-accept-tcp = singleton "http";
}

9
tv/2configs/nix.nix
View File

@ -1,9 +0,0 @@
{ pkgs, ... }: {
nix.settings.auto-optimise-store = true;
# TODO check if both are required:
nix.settings.extra-sandbox-paths = [
"/etc/protocols"
pkgs.iana-etc.outPath
];
}

31
tv/2configs/pki/certs/tv.crt
View File

@ -1,31 +0,0 @@
tv Root CA
-----BEGIN CERTIFICATE-----
MIIFGzCCAwOgAwIBAgIUbLFkDA1OgKbej/FQiJZ4gpGPg/4wDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAwwKdHYgUm9vdCBDQTAeFw0xOTA0MjEwNzI1MTdaFw0yOTA0
MTgwNzI1MTdaMBUxEzARBgNVBAMMCnR2IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDEVpZo1PLayK2AULwNtRY/2RIs/h+Uz1k/I7AY5o7H
HTD6pxNH3DZS82Y89nAHDVEnotK26TW6N1O2fBHUxH2GXVD+MaA/D9ngbNTJa7DW
2EThezOyesAbXk7dkoHh4Bouj5L7Ronka5+IREFmb3mHmcXLuR/sot9Pwr9A7Lwm
55Avv+VwMFnqVMXiCYQsDL7Mxf7Vm79+kXShpfDhNmHhyZc/xPjVk7lttSEp0LCq
hhJjte3xDGbk7OThTSxoqP+K4Ek7NGatCcm4AUZlDl1kLN2QKudYqj0VRQpfE+4Q
jMAAtttc/10MV0e08pRK0FvJsDsi70YZrHnDP6hIBrRNjC8iB/8rz2pjnYzgriUt
HHEDr26234VB5Zqhsi8pmXA16FVkoKlucADXXKEcR/3VreTvZLdSsP3OrDdSCwhi
H2W/7tshDPp+I9Q9fGNixry7PODbud1h/wLsq3Geg/U6VkDdl7uDNMB/O7LvlFaC
7jkHv/xFLqV1Xx9+yFMdJTKLf9jnIIjeINfV4VcJZDrtgGpnC6cYD5DNLA4j7Mny
EnBV9IRhmKiZLvUZP62dPhqIfSSPNxXV2+rT5ZfaXCuVe79R5npgJzF7/qslvnZ6
0mjZfQdJiXY+/oT9zPUxTroFx7Qtda15aIVwXR+1cMRY/Hg/uBQyp7yWsvwhPYwH
awIDAQABo2MwYTAdBgNVHQ4EFgQUWYjGpR7J/UqggxQV87hBQ8ZT0qkwHwYDVR0j
BBgwFoAUWYjGpR7J/UqggxQV87hBQ8ZT0qkwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAA++eAA7KLEd4n05n8w95sJ7
cxqQSkVxV3ASnEUQRwVGo3CqEKcNufbCTG7KKGQFUi2Xd3/SWgnEiSZZWo06azbV
vlquG+9ilwnrnqfjlbUEjLMHDzukrEeIiRuFY7gZv6S2o4WkW/M9IPkP34+PRjip
AJ8kFcy7wLPaeH7OagslAVUcf68lMm+8W4U1g0HZaY2zXFgdRrIO1dXKlJ22Wh4X
fcblHjkASAGi+BK+xRJ9G7s3sie2wPyk+WKKv0Z+WheKf+L+TPBg2sJ+d25gW+gG
XNJSQOzCqSfHrCtcW1xkGgifog28/ymN03ggn8oMBUebOp+ayLkbPQDaj6te3y1v
YE0cfkzQ0T6sSzPzoOrwBEuSX8cLWTpzO2Zgqbf36UtHjgxi58vY46p7MjAInxAf
j+k67rF7qWH38drg4nfGjNgiEdeJw9dtDFdmso+ZiWipUyGF4VYh+Q6JnXDMF0+A
wXcYWa7ckXvVOLVpHJfrLDYTXznGnk2u4ToVNEk1j/klMRn96lxfFg04iv8fz8m6
/Y8g0G1uIT5Mq9l68oZUoEkUHZabPNhYOiYtg4t5v/T3AIV8nm2A5jZYj0am26xT
iqF/tqL3alWXs9OHP7FNdrVWtwO8vcspYcd4mOHdAC/dmhq+77BowR5Lldx9T+mR
QT8jW9PXL0IH0wKMBXxf
-----END CERTIFICATE-----

68
tv/2configs/pki/default.nix
View File

@ -1,68 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
in {
environment.etc."pki/nssdb".source =
pkgs.runCommand "system-wide-nssdb" {
inherit certFile;
buildInputs = [
pkgs.jq
pkgs.nssTools
];
parseInfoScript = /* jq */ ''
${toJSON certFile} as $certFile |
split("\t-----END CERTIFICATE-----\n")[] |
select(test("\t-----BEGIN CERTIFICATE-----\n")) |
. + "\t-----END CERTIFICATE-----\n" |
sub("^([0-9]+\t\n)*";"") |
(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
gsub("(?m)^[0-9]+\t";"") |
match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
# Line numbers are added to the names to ensure uniqueness.
"\(.[0]) (\($certFile):\($lineNumber))" as $name |
.[1] as $cert |
{ $name, $cert }
'';
passAsFile = [
"parseInfoScript"
];
} /* sh */ ''
mkdir nssdb
nl -ba -w1 "$certFile" |
jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
exec < certinfo.ndjson
while read -r certinfo; do
name=$(printf %s "$certinfo" | jq -er .name)
cert=$(printf %s "$certinfo" | jq -er .cert)
printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
done
mv nssdb "$out"
'';
environment.variables = flip genAttrs (_: toString certFile) [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"
"SSL_CERT_FILE"
];
security.pki.certificateFiles =
mapAttrsToList
(name: const (./certs + "/${name}"))
(filterAttrs (const (eq "regular"))
(readDir ./certs));
}

1
tv/2configs/pki/lib
View File

@ -1 +0,0 @@
../lib

86
tv/2configs/ppp.nix
View File

@ -1,86 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
pin = "@${toString <secrets/o2.pin>}";
ttys.ppp = "/dev/ttyACM0";
ttys.com = "/dev/ttyACM1";
};
in {
assertions = [
{
assertion =
config.networking.resolvconf.enable ||
config.networking.useNetworkd;
message = "ppp configuration needs resolvconf or networkd";
}
];
environment.etc."ppp/ip-up".source = pkgs.writeDash "ppp.ip-up" ''
${pkgs.openresolv}/bin/resolvconf -a "$IFNAME" < /etc/ppp/resolv.conf
'';
environment.etc."ppp/ip-down".source = pkgs.writeDash "ppp.ip-down" ''
${pkgs.openresolv}/bin/resolvconf -fd "$IFNAME"
'';
environment.etc."ppp/peers/o2".text = /* sh */ ''
${cfg.ttys.ppp}
921600
crtscts
defaultroute
holdoff 10
lock
maxfail 0
noauth
nodetach
noipdefault
passive
persist
usepeerdns
connect "${pkgs.ppp}/bin/chat ''${DEBUG+-v} -Ss -f ${pkgs.writeText "o2.chat" /* sh */ ''
ABORT "BUSY"
ABORT "NO CARRIER"
REPORT CONNECT
"*EMRDY: 1"
ATZ OK
AT+CFUN=1 OK
${cfg.pin} TIMEOUT 2 ERROR-AT-OK
AT+CGDCONT=1,\042IP\042,\042internet\042 OK
ATDT*99***1# CONNECT
''}"
'';
users.users.root.packages = [
(pkgs.writeDashBin "connect" ''
# usage:
# connect wlan
# connect wwan [PEERNAME]
set -efu
rfkill_wlan=/sys/class/rfkill/rfkill2
rfkill_wwan=/sys/class/rfkill/rfkill1
case $1 in
wlan)
${pkgs.procps}/bin/pkill pppd || :
echo 0 > "$rfkill_wwan"/state
echo 1 > "$rfkill_wlan"/state
;;
wwan)
name=''${2-o2}
echo 0 > "$rfkill_wlan"/state
echo 1 > "$rfkill_wwan"/state
${pkgs.ppp}/bin/pppd call "$name" updetach
;;
*)
echo "$0: error: bad arguments: $*" >&2
exit 1
esac
'')
(pkgs.writeDashBin "modem-send" ''
# usage: modem-send ATCOMMAND
set -efu
tty=${lib.shell.escape cfg.ttys.com}
exec <"$tty"
printf '%s\r\n' "$1" >"$tty"
${pkgs.gnused}/bin/sed -E '
/^OK\r?$/q
/^ERROR\r?$/q
'
'')
];
}

120
tv/2configs/pulse.nix
View File

@ -1,120 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
pkg = pkgs.pulseaudio;
runDir = "/run/pulse";
pkgs_i686 = pkgs.pkgsi686Linux;
support32Bit =
pkgs.stdenv.isx86_64 &&
pkgs_i686.alsaLib != null &&
pkgs_i686.libpulseaudio != null;
alsaConf = pkgs.writeText "asound.conf" ''
ctl_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
${optionalString support32Bit
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;"}
}
pcm_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
${optionalString support32Bit
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;"}
}
ctl.!default {
type pulse
}
pcm.!default {
type pulse
}
'';
clientConf = pkgs.writeText "client.conf" ''
autospawn=no
default-server = unix:${runDir}/socket
'';
configFile = pkgs.writeText "default.pa" ''
.include ${pkg}/etc/pulse/default.pa
load-module ${toString [
"module-native-protocol-unix"
"auth-anonymous=1"
"socket=${runDir}/socket"
]}
${lib.optionalString (config.krebs.build.host.name == "au") ''
load-module ${toString [
"module-native-protocol-tcp"
"auth-ip-acl=127.0.0.1;10.23.1.0/24"
]}
''}
${lib.optionalString (config.krebs.build.host.name != "au") ''
load-module ${toString [
"module-tunnel-sink-new"
"server=au.hkw"
"sink_name=au"
"channels=2"
"rate=44100"
]}
''}
'';
in
{
environment = {
etc = {
"asound.conf".source = alsaConf;
# XXX mkForce is not strong enough (and neither is mkOverride) to create
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
#"pulse/client.conf" = mkForce { source = clientConf; };
#"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile;
};
systemPackages = [
pkg
] ++ optionals config.services.xserver.enable [
pkgs.pavucontrol
];
};
hardware.pulseaudio = {
inherit support32Bit;
};
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
systemd.services.pulse = {
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment = {
PULSE_RUNTIME_PATH = "${runDir}/home";
};
serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio --exit-idle-time=-1";
ExecStartPre = pkgs.writeDash "pulse-start" ''
install -o pulse -g pulse -m 0750 -d ${runDir}
install -o pulse -g pulse -m 0700 -d ${runDir}/home
'';
PermissionsStartOnly = "true";
User = "pulse";
};
};
# TODO assert that pulse is the only user with "audio" in group/extraGroups
# otherwise the audio device can be hijacked while the pulse service restarts
# (e.g. when mpv is running) and then the service will fail.
users = {
groups.pulse.gid = config.users.users.pulse.uid;
users.pulse = {
uid = genid_uint31 "pulse";
group = "pulse";
extraGroups = [ "audio" ];
home = "${runDir}/home";
isSystemUser = true;
};
};
}

1
tv/2configs/repo-sync/lib
View File

@ -1 +0,0 @@
../lib

40
tv/2configs/repo-sync/wiki.nix
View File

@ -1,40 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.repo-sync.enable = true;
krebs.repo-sync.repos.wiki.branches.hotdog = {
origin.url = "http://cgit.hotdog.r/wiki";
mirror.url = "git@${config.krebs.build.host.name}.r:wiki";
};
krebs.git.repos.wiki = {
public = true;
name = "wiki";
cgit.desc = toString [
"mirror of"
config.krebs.repo-sync.repos.wiki.branches.hotdog.origin.url
];
cgit.section = "7. mirrors";
hooks.post-receive = /* sh */ ''
${pkgs.git-hooks.irc-announce {
channel = "#xxx";
nick = config.krebs.build.host.name;
server = "irc.r";
}}
${pkgs.cgit-clear-cache.override {
inherit (config.krebs.git.cgit.settings) cache-root;
}}/bin/cgit-clear-cache
'';
};
krebs.git.rules = lib.singleton {
user = lib.singleton config.krebs.users.repo-sync;
repo = lib.singleton config.krebs.git.repos.wiki;
perm = lib.git.push "refs/*" [
lib.git.create
lib.git.delete
lib.git.merge
lib.git.non-fast-forward
];
};
krebs.users.${config.krebs.repo-sync.user.name}.pubkey = {
ni = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINK9U0Ob9/O0kxg3trhZY/vDnbqfN+R5cASGiClRr4IM";
}.${config.krebs.build.host.name};
}

27
tv/2configs/retiolum.nix
View File

@ -1,27 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.tinc.retiolum = {
enable = true;
connectTo = filter (ne config.krebs.build.host.name) [
"ni"
"prism"
"eve"
];
extraConfig = ''
LocalDiscovery = yes
'';
tincPackage = pkgs.tinc_pre;
tincUp = lib.mkIf config.systemd.network.enable "";
};
systemd.network.networks.retiolum = {
matchConfig.Name = "retiolum";
address = let
inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
in [
"${ip4.addr}/${toString ip4.prefixLength}"
"${ip6.addr}/${toString ip6.prefixLength}"
];
};
tv.iptables.input-internet-accept-tcp = singleton "tinc";
tv.iptables.input-internet-accept-udp = singleton "tinc";
}

17
tv/2configs/smartd.nix
View File

@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
services.smartd = {
enable = true;
devices = [
{
device = "DEVICESCAN";
options = toString [
"-a"
"-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)"
];
}
];
};
}

22
tv/2configs/ssh.nix
View File

@ -1,22 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
# Override NixOS's "Allow DSA keys for now."
environment.etc."ssh/ssh_config".text = mkForce ''
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${optionalString config.programs.ssh.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
${config.programs.ssh.extraConfig}
'';
programs.ssh = {
extraConfig = ''
UseRoaming no
'';
startAgent = false;
};
}

27
tv/2configs/sshd.nix
View File

@ -1,27 +0,0 @@
with import ./lib;
{ config, ... }: let
cfg.host = config.krebs.build.host;
nets =
optional (cfg.host.nets?retiolum) cfg.host.nets.retiolum ++
optional (cfg.host.nets?wiregrill) cfg.host.nets.wiregrill;
in {
services.openssh = {
enable = true;
};
tv.iptables.input-internet-accept-tcp = singleton "ssh";
tv.iptables.extra.nat.OUTPUT = [
"-o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22"
];
tv.iptables.extra4.nat.PREROUTING =
map
(net: "-d ${net.ip4.addr} -p tcp --dport 22 -j ACCEPT")
(filter (net: net.ip4 != null) nets);
tv.iptables.extra6.nat.PREROUTING =
map
(net: "-d ${net.ip6.addr} -p tcp --dport 22 -j ACCEPT")
(filter (net: net.ip6 != null) nets);
tv.iptables.extra.nat.PREROUTING = [
"-p tcp --dport 22 -j REDIRECT --to-ports 0"
"-p tcp --dport 11423 -j REDIRECT --to-ports 22"
];
}

117
tv/2configs/urlwatch.nix
View File

@ -1,117 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
exec = filename: args: url: {
inherit url;
filter = singleton {
system =
concatMapStringsSep " " shell.escape ([filename] ++ toList args);
};
};
json = json' ["."];
json' = exec "${pkgs.jq}/bin/jq";
urigrep' = exec (pkgs.writeDash "urigrep" ''
${pkgs.urix}/bin/urix | ${pkgs.gnugrep}/bin/grep -E "$1"
'');
xml = xml' ["--format" "-"];
xml' = exec "${pkgs.libxml2}/bin/xmllint";
in {
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.tv.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
# 2014-07-29 when one of the following urls change
# then we have to update the package
http://www.exim.org/
# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
{
url = https://thp.io/2008/urlwatch/;
# workaround: ('Received response with content-encoding: gzip, but
# failed to decode it.', error('Error -3 while decompressing data:
# incorrect header check',))
ignore_cached = true;
}
# 2015-02-18
# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
http://www.fourmilab.ch/webtools/qprint/
# 2014-09-24 ref https://github.com/4z3/xintmap
http://www.mathstat.dal.ca/~selinger/quipper/
## 2014-10-17
## TODO update ~/src/login/default.nix
#http://hackage.haskell.org/package/bcrypt
#http://hackage.haskell.org/package/cron
#http://hackage.haskell.org/package/hyphenation
#http://hackage.haskell.org/package/iso8601-time
#http://hackage.haskell.org/package/ixset-typed
#http://hackage.haskell.org/package/system-command
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
# ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
(json https://api.github.com/meta)
# ref <nixpkgs/pkgs/tools/security/ssh-audit>
(json https://api.github.com/repos/arthepsy/ssh-audit/tags)
# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
(json https://api.github.com/repos/ioerror/tlsdate/tags)
# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
(json https://api.github.com/repos/simple-evcorr/sec/tags)
# <stockholm/tv/2configs/xserver/xserver.conf.nix>
# is derived from `configFile` in:
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
https://www.rabbitmq.com/changelog.html
(urigrep' ["software-resources"] https://semiconductor.samsung.com/consumer-storage/support/tools/)
];
hooksFile = toFile "hooks.py" ''
import subprocess
import urlwatch
class SystemFilter(urlwatch.filters.FilterBase):
"""Filter for piping data through an external process"""
__kind__ = 'system'
__supported_subfilters__ = {
'command': 'shell command line to tranform data',
}
__default_subfilter__ = 'command'
def filter(self, data, subfilter=None):
if 'command' not in subfilter:
raise ValueError('{} filter needs a command'.format(self.__kind__))
proc = subprocess.Popen(
subfilter['command'],
shell=True,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
(stdout, stderr) = proc.communicate(data.encode())
if proc.returncode != 0:
raise RuntimeError(
"system filter returned non-zero exit status %d; stderr:\n"
% proc.returncode
+ stderr.decode()
)
return stdout.decode()
'';
};
}

183
tv/2configs/vim.nix
View File

@ -1,183 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let {
body = {
environment.systemPackages = [
vim-wrapper
];
environment.etc.vimrc.source = vimrc;
environment.variables.EDITOR = mkForce "vim";
environment.variables.VIMINIT = ":so /etc/vimrc";
};
base-plugins = [
pkgs.tv.vimPlugins.file-line
pkgs.tv.vimPlugins.hack
pkgs.vimPlugins.undotree
(pkgs.tv.vim.makePlugin (pkgs.write "vim-tv-base" {
"/ftplugin/haskell.vim".text = ''
if exists("g:vim_tv_ftplugin_haskell_loaded")
finish
endif
let g:vim_tv_ftplugin_haskell_loaded = 1
setlocal iskeyword+='
'';
}))
];
extra-plugins = [
pkgs.tv.vimPlugins.elixir
pkgs.tv.vimPlugins.fzf
pkgs.tv.vimPlugins.jq
pkgs.tv.vimPlugins.nix
pkgs.tv.vimPlugins.showsyntax
pkgs.tv.vimPlugins.tv
pkgs.tv.vimPlugins.vim
pkgs.vimPlugins.fzfWrapper
pkgs.vimPlugins.vim-nftables
];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
need-dirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim-wrapper = pkgs.symlinkJoin {
name = "vim";
paths = [
(pkgs.writeDashBin "vim" ''
set -efu
export FZF_DEFAULT_COMMAND='${pkgs.ripgrep}/bin/rg --files'
export PATH=$PATH:${makeBinPath [
pkgs.fzf
pkgs.ripgrep
]}
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString need-dirs})
exec ${pkgs.vim}/bin/vim "$@"
'')
pkgs.vim
];
};
vimrc = pkgs.writeText "vimrc" /* vim */ ''
vim9script
set nocompatible
set autoindent
set backspace=indent,eol,start
set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set hlsearch
set incsearch
set mouse=a
set noruler
set pastetoggle=<INS>
set runtimepath=${pkgs.tv.vim.makeRuntimePath base-plugins},$VIMRUNTIME
set shortmess+=I
set showcmd
set showmatch
set timeoutlen=0
set ttimeoutlen=0
set ttymouse=sgr
set undodir=${dirs.undodir}
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu
set wildmode=longest,full
set runtimepath^=${pkgs.tv.vim.makeRuntimePath extra-plugins}
syntax on
set et ts=2 sts=2 sw=2
filetype plugin indent on
set t_Co=256
colorscheme hack
au Syntax * syn match Garbage containedin=ALL /\s\+$/
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
au BufRead,BufNewFile *.nix set ft=nix
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
nnoremap <esc>[5^ :tabp<cr>
nnoremap <esc>[6^ :tabn<cr>
nnoremap <esc>[5@ :tabm -1<cr>
nnoremap <esc>[6@ :tabm +1<cr>
nnoremap <f1> :tabp<cr>
nnoremap <f2> :tabn<cr>
imap <f1> <esc><f1>
imap <f2> <esc><f2>
nnoremap <S-f1> :tabm -1<cr>
nnoremap <S-f2> :tabm +1<cr>
imap <S-f1> <esc><S-f1>
imap <S-f2> <esc><S-f2>
noremap <f3> :ShowSyntax<cr>
# <C-{Up,Down,Right,Left}>
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
# <[C]S-{Up,Down,Right,Left}>
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
vnoremap u <nop>
# fzf
nnoremap <esc>q :Buffers<cr>
nnoremap <esc>f :Files<cr>
nnoremap <esc>w :Rg<cr>
# edit alternate buffer
# For some reason neither putting <ctrl>6 nor <ctrl>^ works here...
nnoremap <esc>a 
if $TOUCHSCREEN == "1"
nnoremap <ScrollWheelUp> <C-y>
nnoremap <ScrollWheelDown> <C-e>
nnoremap <C-ScrollWheelUp> 3<C-y>
nnoremap <C-ScrollWheelDown> 3<C-e>
nnoremap <S-ScrollWheelUp> 3<C-y>
nnoremap <S-ScrollWheelDown> 3<C-e>
nnoremap <C-S-ScrollWheelUp> <PageUp>
nnoremap <C-S-ScrollWheelDown> <PageDown>
endif
# remember last position
autocmd BufReadPost *
\ if line("'\"") > 0 && line("'\"") <= line("$") |
\ exe "normal! g`\"" |
\ endif
'';
}

37
tv/2configs/wiregrill.nix
View File

@ -1,37 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
enable = cfg.net != null;
net = config.krebs.build.host.nets.wiregrill or null;
};
toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";
in
mkIf cfg.enable {
networking.wireguard.interfaces.wiregrill = {
ips =
optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wiregrill.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = host.nets.wiregrill.wireguard.subnets;
endpoint =
mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (host.nets.wiregrill.via != null) 61;
publicKey =
replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;
})
(filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
};
systemd.network.networks.wiregrill = {
matchConfig.Name = "wiregrill";
address =
optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4) ++
optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6);
};
tv.iptables.extra.filter.INPUT = [
"-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT"
];
}

11
tv/2configs/xdg.nix
View File

@ -1,11 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
systemd.tmpfiles.rules = let
forUsers = flip map users;
isUser = { name, group, ... }:
name == "root" || hasSuffix "users" group;
users = filter isUser (mapAttrsToList (_: id) config.users.users);
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
}

28
tv/2configs/xserver/Xmodmap.nix
View File

@ -1,28 +0,0 @@
{ config, pkgs, ... }:
with import ./lib;
pkgs.writeText "Xmodmap" ''
!keycode 66 = Caps_Lock
!remove Lock = Caps_Lock
clear Lock
! caps lock
keycode 66 = Mode_switch
keycode 13 = 4 dollar EuroSign cent
keycode 30 = u U udiaeresis Udiaeresis
keycode 32 = o O odiaeresis Odiaeresis
keycode 38 = a A adiaeresis Adiaeresis
keycode 39 = s S ssharp
keycode 33 = p P Greek_pi Greek_PI
keycode 40 = d D Greek_delta Greek_DELTA
keycode 46 = l L Greek_lambda Greek_LAMBDA
keycode 54 = c C cacute Cacute
! BULLET OPERATOR
keycode 17 = 8 asterisk U2219
keycode 27 = r R r U211D
''

Some files were not shown because too many files have changed in this diff Show More