Merge remote-tracking branch 'ni/master'

lassulus 2023-09-14 12:18:45 +02:00
commit 4820fc27cd
198 changed files with 4 additions and 8560 deletions


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.39";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.0.110";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.42";


@ -2,7 +2,6 @@
binary-cache = {
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
};
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.38";


@ -1,5 +1,4 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.40";


@ -16,6 +16,9 @@ with lib; {
@ 3600 IN NS ns2.he.net.
@ 3600 IN NS ns3.he.net.
@ 3600 IN NS ns2.hosting.de.
panda NS panda
panda A 130.61.237.100
'';
};
};
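Review bot: The new `panda NS panda` record delegates the `panda` subzone to a nameserver that lives inside that same subzone, so the `panda A 130.61.237.100` line directly below it appears to be mandatory glue rather than an independent host record; if either line is later edited on its own the delegation goes lame. This dependency is not documented anywhere in the hunk. Add a zone-file comment between the two records, `; panda is delegated to itself: the A record is glue and must stay with the NS record`. The enclosing Nix attribute set and the `''` string holding the zone data start outside the hunk, and which of the visible lines are the three additions cannot be confirmed from the rendered page.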


@ -1,87 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/retiolum.nix>
];
boot = {
initrd = {
availableKernelModules = [ "ahci" ];
luks.devices.luksroot.device = "/dev/sda2";
};
};
environment.systemPackages = [
pkgs.firefox
pkgs.networkmanagerapplet
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
];
fileSystems = {
"/boot" = {
device = "/dev/sda1";
};
"/" = {
device = "/dev/mapper/main-root";
fsType = "ext4";
options = [ "defaults" "noatime" ];
};
"/home" = {
device = "/dev/mapper/main-home";
fsType = "ext4";
options = [ "defaults" "noatime" ];
};
};
hardware = {
opengl.driSupport32Bit = true;
pulseaudio.enable = true;
};
i18n.defaultLocale = "de_DE.UTF-8";
krebs.build = {
host = config.krebs.hosts.alnus;
user = mkForce config.krebs.users.dv;
};
networking.networkmanager.enable = true;
services.earlyoom.enable = true;
services.earlyoom.freeMemThreshold = 5;
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
"--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
];
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign:e";
libinput.enable = false;
synaptics = {
enable = true;
twoFingerScroll = true;
};
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "dv";
system.stateVersion = "22.05";
users.users.dv = {
inherit (config.krebs.users.dv) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}


@ -1 +0,0 @@
../lib


@ -1,23 +0,0 @@
{ config, ... }: {
imports = [
./disks.nix
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/ppp.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xsessions>
];
krebs.build.host = config.krebs.hosts.au;
networking.wireless.enable = true;
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
networking.interfaces.wlp3s0.useDHCP = true;
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
system.stateVersion = "20.03";
tv.hw.screens.primary.width = 1920;
tv.hw.screens.primary.height = 1080;
}


@ -1,19 +0,0 @@
{
boot.initrd.luks.devices.main.device = "/dev/sda2";
fileSystems."/" = {
device = "/dev/main/root";
options = ["defaults" "noatime" "commit=60"];
};
fileSystems."/boot" = {
device = "/dev/sda1";
options = ["defaults" "noatime"];
};
fileSystems."/bku" = {
device = "/dev/main/bku";
options = ["defaults" "noatime"];
};
fileSystems."/home" = {
device = "/dev/main/home";
options = ["defaults" "noatime" "commit=60"];
};
}


@ -1 +0,0 @@
../lib


@ -1,35 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
./disks.nix
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xsessions>
];
krebs.build.host = config.krebs.hosts.bu;
networking.wireless.enable = true;
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
networking.interfaces.wlp3s0.useDHCP = true;
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
networking.wireless.interfaces = [
"wlp3s0"
];
programs.gnupg.agent.enable = true;
programs.gnupg.agent.pinentryFlavor = "gtk2";
services.earlyoom.enable = true;
services.earlyoom.freeMemThreshold = 5;
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
"--prefer '(^|/)chromium$'"
];
system.stateVersion = "21.11";
}


@ -1,19 +0,0 @@
{
boot.initrd.luks.devices.buda2.device = "/dev/sda2";
fileSystems."/" = {
device = "buda2/root";
fsType = "zfs";
};
fileSystems."/bku" = {
device = "buda2/bku";
fsType = "zfs";
};
fileSystems."/home" = {
device = "buda2/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
}


@ -1 +0,0 @@
../lib


@ -1 +0,0 @@
../lib


@ -1,127 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/br.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.mu;
krebs.build.user = mkForce config.krebs.users.vv;
tv.x0vncserver.enable = true;
boot.initrd.luks.devices.muca.device = "/dev/sda2";
boot.initrd.availableKernelModules = [ "ahci" ];
boot.kernelModules = [ "fbcon" "kvm-intel" ];
boot.kernelParams = [ "fsck.repair=yes" ];
boot.extraModulePackages = [ ];
fileSystems = {
"/" = {
device = "/dev/mapper/muvga-root";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/home" = {
device = "/dev/mapper/muvga-home";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
};
nixpkgs.config.allowUnfree = true;
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
hardware.enableRedistributableFirmware = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
networking.networkmanager.enable = true;
# XXX reload to work around occasional "Failed to load firmware chunk!"
# TODO only do this if firmware is actually broken(?)
system.activationScripts.reload-iwlwifi = /* sh */ ''
${pkgs.kmod}/bin/modprobe -vr iwlwifi
${pkgs.kmod}/bin/modprobe -v iwlwifi
'';
environment.systemPackages = [
pkgs.chromium
pkgs.firefox
pkgs.gimp
pkgs.iptables
pkgs.libreoffice
pkgs.plasma-pa
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
pkgs.skypeforlinux
pkgs.slock
pkgs.tinc_pre
pkgs.vim
pkgs.xsane
#pkgs.foomatic_filters
#pkgs.gutenprint
#pkgs.cups_pdf_filter
#pkgs.ghostscript
];
i18n.defaultLocale = "de_DE.UTF-8";
programs.ssh.startAgent = false;
krebs.setuid = {
slock = {
filename = "${pkgs.slock}/bin/slock";
mode = "4111";
};
};
security.pam.loginLimits = [
# for jack
{ domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
];
fonts.fonts = [
pkgs.xorg.fontschumachermisc
];
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
# TODO this is host specific
services.xserver.libinput.enable = false;
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "vv";
users.users.vv = {
inherit (config.krebs.users.vv) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}


@ -1 +0,0 @@
../lib


@ -1,62 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.nomic;
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xserver>
];
boot.initrd.luks.devices.luks1.device = "/dev/sda2";
# Don't use UEFI because current disk was partitioned/formatted for AO753.
# TODO remove following bool.loader section after repartitioning/reformatting
boot.loader = {
grub = {
device = "/dev/sda";
splashImage = null;
};
systemd-boot.enable = mkForce false;
};
fileSystems."/" =
{ device = "/dev/mapper/nomic1-root";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/sda1";
fsType = "ext4";
};
fileSystems."/home" =
{ device = "/dev/mapper/nomic1-home";
fsType = "btrfs";
};
environment.systemPackages = with pkgs; [
(writeDashBin "play" ''
set -euf
mpv() { exec ${mpv}/bin/mpv "$@"; }
case $1 in
deepmix) mpv http://deepmix.ru/deepmix128.pls;;
groovesalad) mpv http://somafm.com/play/groovesalad;;
ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;;
*)
echo "$0: bad argument: $*" >&2
exit 23
esac
'')
gnupg
tmux
];
networking.wireless.enable = true;
}


@ -1 +0,0 @@
../lib


@ -1,86 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
<stockholm/tv>
<stockholm/tv/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.querel;
krebs.build.user = mkForce config.krebs.users.itak;
boot.initrd.availableKernelModules = [ "ahci" ];
boot.initrd.luks.devices.querel-luks1 = {
allowDiscards = true;
device = "/dev/sda2";
};
boot.kernelModules = [ "kvm-intel" ];
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
environment.systemPackages = [
pkgs.firefox
pkgs.gimp
pkgs.kate
pkgs.libreoffice
(pkgs.pidgin.override {
plugins = [ pkgs.pidgin-otr ];
})
pkgs.sxiv
pkgs.texlive.combined.scheme-full
pkgs.vim
pkgs.xsane
pkgs.zathura
];
fileSystems = {
"/" = {
device = "/dev/mapper/querel-root";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/home" = {
device = "/dev/mapper/querel-home";
fsType = "ext4";
options = [ "defaults" "discard" ];
};
"/boot" = {
device = "/dev/sda1";
};
};
hardware.enableRedistributableFirmware = true;
hardware.pulseaudio.enable = true;
i18n.defaultLocale = "de_DE.UTF-8";
networking.networkmanager.enable = true;
programs.ssh.startAgent = false;
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
services.xserver.libinput.enable = false;
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
};
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "itak";
users.users.itak = {
inherit (config.krebs.users.itak) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}


@ -1 +0,0 @@
../lib


@ -1,37 +0,0 @@
with import ./lib;
{ config, ... }: {
imports = [
../..
../../2configs/hw/winmax2.nix
../../2configs/retiolum.nix
../../2configs/wiregrill.nix
];
boot.initrd.luks.devices.main.device = "/dev/nvme0n1p2";
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
fileSystems."/" = {
device = "/dev/mapper/ruvg0-root";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
fileSystems."/boot" = {
device = "/dev/nvme0n1p1";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/mapper/ruvg0-home";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
fileSystems."/bku" = {
device = "/dev/mapper/ruvg0-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "compress=zstd"];
};
krebs.build.host = config.krebs.hosts.ru;
system.stateVersion = "22.11";
}


@ -1,154 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.xu;
imports = [
<stockholm/tv>
../../2configs/autotether.nix
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/man.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/ppp.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/binary-cache>
<stockholm/tv/2configs/br.nix>
<stockholm/tv/2configs/xserver>
<stockholm/tv/2configs/xsessions>
<stockholm/tv/2configs/xserver/xkiller.nix>
{
environment.systemPackages = with pkgs; [
# root
cryptsetup
# tv
bc
bind # dig
brain
cac-api
dic
file
gnupg1compat
haskellPackages.hledger
jq
mkpasswd
netcat
netcup
nmap
p7zip
(pkgs.pass.withExtensions (ext: [
ext.pass-otp
]))
q
qrencode
texlive.combined.scheme-full
tmux
#ack
#apache-httpd
#ascii
#emacs
#es
#esniper
#gcc
#gptfdisk
#graphviz
#haskellPackages.cabal2nix
#haskellPackages.ghc
#haskellPackages.shake
#hdparm
#i7z
#iftop
#imagemagick
#inotifyTools
#iodine
#iotop
#lshw
#lsof
#minicom
#mtools
#ncmpc
#nethogs
#nix-prefetch-scripts #cvs bug
#openssl
#openswan
#parted
#perl
#powertop
#ppp
#proot
#pythonPackages.arandr
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
#scrot
#sec
#silver-searcher
#sloccount
#smartmontools
#socat
#sshpass
#strongswan
#sysdig
#sysstat
#tcpdump
#tlsdate
#unetbootin
#utillinuxCurses
#xdotool
#xkill
#xl2tpd
#xsel
unison
];
}
];
boot.initrd.luks.devices.xuca.device = "/dev/sda2";
fileSystems = {
"/" = {
device = "/dev/mapper/xuvga-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/mapper/xuvga-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/xuvga-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
};
};
environment.systemPackages = with pkgs; [
ethtool
tinc_pre
iptables
#jack2
gptfdisk
];
networking.wireless.enable = true;
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
}


@ -1 +0,0 @@
../lib


@ -1,51 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.build.host = config.krebs.hosts.zu;
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitrepos.nix>
<stockholm/tv/2configs/mail-client.nix>
<stockholm/tv/2configs/man.nix>
<stockholm/tv/2configs/nginx/public_html.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
<stockholm/tv/2configs/xserver>
];
boot.initrd.luks.devices.zuca.device = "/dev/sda2";
fileSystems = {
"/" = {
device = "/dev/mapper/zuvga-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/mapper/zuvga-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/zuvga-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
};
};
networking.wireless.enable = true;
services.printing.enable = true;
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
}


@ -1,19 +0,0 @@
{ config, pkgs, ... }: let
cfg.serial = "17e064850405";
in {
systemd.services.usb_tether.serviceConfig = {
SyslogIdentifier = "usb_tether";
ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
};
services.udev.extraRules = /* sh */ ''
ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
'';
systemd.network.networks.android = {
matchConfig.Name = "android";
DHCP = "yes";
};
}


@ -1,109 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
bu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
startAt = "05:20";
};
bu-home-zu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
startAt = "05:25";
};
nomic-home-xu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
startAt = "05:00";
};
nomic-home-zu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/nomic-home"; };
startAt = "04:20";
};
nomic-pull-querel-home = {
method = "pull";
src = { host = config.krebs.hosts.querel; path = "/home"; };
dst = { host = config.krebs.hosts.nomic; path = "/fs/ponyhof/bku/querel-home"; };
startAt = "22:00";
};
xu-home-bu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
startAt = "04:50";
};
xu-home-nomic = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.nomic; path = "/fs/cis3hG/bku/xu-home"; };
startAt = "05:20";
};
xu-home-zu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/xu-home"; };
startAt = "06:20";
};
xu-pull-ni-ejabberd = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; };
startAt = "07:00";
};
xu-pull-ni-home = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; };
startAt = "07:00";
};
zu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.zu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/zu-home"; };
startAt = "05:00";
};
zu-pull-ni-ejabberd = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; };
startAt = "06:00";
};
zu-pull-ni-home = {
method = "pull";
src = { host = config.krebs.hosts.ni; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; };
startAt = "06:30";
};
} // mapAttrs (_: recursiveUpdate {
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
hourly = { format = "%Y-%m-%dT%H"; retain = 3; };
daily = { format = "%Y-%m-%d"; retain = 3; };
};
startAt = null;
}) {
xu-test-push-xu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-push"; };
};
xu-test-pull-xu = {
method = "pull";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-pull"; };
};
};
}


@ -1,67 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
programs.bash = {
interactiveShellInit = /* sh */ ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
HISTTIMEFORMAT=
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
case $UID in
${shell.escape (toString config.krebs.users.tv.uid)})
if test ''${SHLVL-1} = 1 && test -n "''${DISPLAY-}"; then
_CURRENT_DESKTOP_NAME=''${_CURRENT_DESKTOP_NAME-$(
${pkgs.xorg.xprop}/bin/xprop -notype -root \
32i _NET_CURRENT_DESKTOP \
8s _NET_DESKTOP_NAMES \
|
${pkgs.gnused}/bin/sed -r 's/.* = //;s/"//g;s/, /\a/g' |
{
read -r _NET_CURRENT_DESKTOP
IFS=$'\a' read -ra _NET_DESKTOP_NAMES
echo "''${_NET_DESKTOP_NAMES[$_NET_CURRENT_DESKTOP]}"
}
)}
case $_CURRENT_DESKTOP_NAME in
stockholm)
cd ~/stockholm
;;
esac
fi
export NIX_PATH="stockholm=$HOME/stockholm:$NIX_PATH"
;;
esac
${pkgs.bash-fzf-history.bind}
if test -n "''${BASH_EXTRA_INIT-}"; then
. "$BASH_EXTRA_INIT"
fi
'';
promptInit = /* sh */ ''
case $UID in
0)
PS1='\[\e[1;31m\]\w\[\e[0m\] '
;;
${toString config.krebs.build.user.uid})
PS1='\[\e[1;32m\]\w\[\e[0m\] '
;;
*)
PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
;;
esac
if test -n "$SSH_CLIENT"; then
PS1='\[\e[35m\]\h'" $PS1"
fi
if test -n "$SSH_AGENT_PID"; then
PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
fi
'';
};
}


@ -1 +0,0 @@
../lib


@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }: with import ./lib;
{
environment.etc."binary-cache.pubkey".text =
config.krebs.build.host.binary-cache.pubkey;
nixpkgs.overlays = [
(self: super: {
nix-serve = self.haskellPackages.nix-serve-ng;
})
];
services.nix-serve = {
enable = true;
secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
};
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
serverAliases = [
"cache.${config.krebs.build.host.name}.hkw"
"cache.${config.krebs.build.host.name}.r"
];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
};
};
}


@ -1 +0,0 @@
../lib


@ -1,49 +0,0 @@
with import ./lib;
{ config, modulesPath, pkgs, ... }: {
imports = [
(modulesPath + "/services/hardware/sane_extra_backends/brscan4.nix")
];
krebs.nixpkgs.allowUnfreePredicate = pkg: any (eq (packageName pkg)) [
"brother-udev-rule-type1"
"brscan4"
"brscan4-etc-files"
"mfcl2700dnlpr"
];
hardware.sane = {
enable = true;
brscan4 = {
enable = true;
netDevices = {
bra = {
model = "MFCL2700DN";
ip = "10.23.1.214";
};
};
};
};
services.saned.enable = true;
# usage: scanimage -d "$(find-scanner bra)" --batch --format=tiff --resolution 150 -x 211 -y 298
environment.systemPackages = [
(pkgs.writeDashBin "find-scanner" ''
set -efu
name=$1
${pkgs.sane-backends}/bin/scanimage -f '%m %d
' \
| ${pkgs.gawk}/bin/awk -v dev="*$name" '$1 == dev { print $2; exit }' \
| ${pkgs.gnugrep}/bin/grep .
'')
];
services.printing = {
enable = true;
drivers = [
pkgs.mfcl2700dncupswrapper
];
};
}


@ -1,137 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
boot.tmpOnTmpfs = true;
krebs.enable = true;
krebs.build.user = config.krebs.users.tv;
networking.hostId = mkDefault (hashToLength 8 config.networking.hostName);
networking.hostName = config.krebs.build.host.name;
imports = [
./backup.nix
./bash
./htop.nix
./nets/hkw.nix
./networkd.nix
./nginx
./nix.nix
./pki
./ssh.nix
./sshd.nix
./vim.nix
./xdg.nix
{
users = {
defaultUserShell = "/run/current-system/sw/bin/bash";
mutableUsers = false;
users = {
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
tv = {
inherit (config.krebs.users.tv) home uid;
isNormalUser = true;
extraGroups = [ "tv" ];
};
};
};
}
{
i18n.defaultLocale = mkDefault "C.UTF-8";
security.sudo.extraConfig = ''
Defaults env_keep+="SSH_CLIENT _CURRENT_DESKTOP_NAME"
Defaults mailto="${config.krebs.users.tv.mail}"
Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
{
nixpkgs.config.allowUnfree = false;
}
{
environment.homeBinInPath = true;
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
rxvt_unicode.terminfo
];
environment.shellAliases = mkForce {
gp = "${pkgs.pari}/bin/gp -q";
df = "df -h";
du = "du -h";
# TODO alias cannot contain #\'
# "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
ls = "ls -h --color=auto --group-directories-first";
dmesg = "dmesg -L --reltime";
view = "vim -R";
};
environment.variables = {
NIX_PATH = mkForce (concatStringsSep ":" [
"secrets=/var/src/stockholm/null"
"/var/src"
]);
};
}
{
services.cron.enable = false;
services.ntp.enable = false;
services.timesyncd.enable = true;
}
{
boot.kernel.sysctl = {
# Enable IPv6 Privacy Extensions
#
# XXX use mkForce here because since NixOS 21.11 there's a collision in
# net.ipv6.conf.default.use_tempaddr, and boot.kernel.sysctl incapable
# of merging.
#
# XXX net.ipv6.conf.all.use_tempaddr is set because it was mentioned in
# https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
# TODO check if that is really necessary, otherwise we can rely solely
# on networking.tempAddresses in the future (when nothing is <21.11)
"net.ipv6.conf.all.use_tempaddr" = mkForce 2;
"net.ipv6.conf.default.use_tempaddr" = mkForce 2;
};
}
{
tv.iptables.enable = true;
tv.iptables.accept-echo-request = "internet";
}
{
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
}
{
environment.systemPackages = [
pkgs.field
pkgs.get
pkgs.git
pkgs.git-crypt
pkgs.git-preview
pkgs.hashPassword
pkgs.htop
pkgs.kpaste
pkgs.nix-prefetch-scripts
pkgs.ovh-zone
pkgs.push
];
}
];
}


@ -1,359 +0,0 @@
{ config, lib, pkgs, ... }: let
cfg.nameserver = "1.1.1.1";
cfg.packageDir = "/var/lib/elm-packages";
cfg.port = 7782;
# TODO secret files
cfg.htpasswd = "/var/lib/certs/package.elm-lang.org/htpasswd";
cfg.sslCertificate = "/var/lib/certs/package.elm-lang.org/fullchain.pem";
cfg.sslCertificateKey = "/var/lib/certs/package.elm-lang.org/key.pem";
semverRegex =
"(?<major>0|[1-9]\\d*)\\.(?<minor>0|[1-9]\\d*)\\.(?<patch>0|[1-9]\\d*)(?:-(?<prerelease>(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+(?<buildmetadata>[0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?";
in {
services.nginx.virtualHosts."package.elm-lang.org" = {
addSSL = true;
sslCertificate = cfg.sslCertificate;
sslCertificateKey = cfg.sslCertificateKey;
locations."/all-packages".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
locations."/all-packages/since/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})\$".extraConfig = ''
auth_basic "Restricted Area";
auth_basic_user_file ${cfg.htpasswd};
proxy_set_header X-User $remote_user;
proxy_set_header X-Author $author;
proxy_set_header X-Package $pname;
proxy_set_header X-Version $version;
proxy_pass_header Server;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
'';
locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})/(?:zipball|elm.json|endpoint.json)\$".extraConfig = ''
set $zipball "${cfg.packageDir}/$author/$pname/$version/zipball";
proxy_set_header X-Author $author;
proxy_set_header X-Package $pname;
proxy_set_header X-Version $version;
proxy_set_header X-Zipball $zipball;
proxy_pass_header Server;
resolver ${cfg.nameserver};
if (-f $zipball) {
set $new_uri http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
}
if (!-f $zipball) {
set $new_uri https://package.elm-lang.org$request_uri;
}
proxy_pass $new_uri;
'';
locations."/search.json".extraConfig = ''
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
proxy_pass_header Server;
'';
};
krebs.htgen.elm-packages-proxy = {
port = cfg.port;
script = /* sh */ ''. ${pkgs.writeDash "elm-packages-proxy.sh" ''
PATH=${lib.makeBinPath [
pkgs.attr
pkgs.coreutils
pkgs.curl
pkgs.findutils
pkgs.gnugrep
pkgs.jq
pkgs.p7zip
]}
export PATH
file_response() {(
status_code=$1
status_reason=$2
file=$3
content_type=$4
content_length=$(wc -c "$file" | cut -d\ -f1)
printf "HTTP/1.1 $status_code $status_reason\r\n"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' "$content_length"
printf 'Content-Type: %s\r\n' "$content_type"
printf 'Server: %s\r\n' "$Server"
printf '\r\n'
cat "$file"
)}
string_response() {(
status_code=$1
status_reason=$2
response_body=$3
content_type=$4
printf "HTTP/1.1 $status_code $status_reason\r\n"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' "$(expr ''${#response_body} + 1)"
printf 'Content-Type: %s\r\n' "$content_type"
printf 'Server: %s\r\n' "$Server"
printf '\r\n'
printf '%s\n' "$response_body"
)}
case "$Method $Request_URI" in
'GET /packages/'*)
author=$req_x_author
pname=$req_x_package
version=$req_x_version
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
mkdir -p "$HOME/cache"
case $(basename $Request_URI) in
zipball)
file_response 200 OK "$zipball" application/zip
exit
;;
elm.json)
if ! test -f "$elmjson"; then
7z x -so "$zipball" \*/elm.json > "$elmjson"
fi
file_response 200 OK "$elmjson" 'application/json; charset=UTF-8'
exit
;;
endpoint.json)
if ! test -f "$endpointjson"; then
hash=$(sha1sum "$zipball" | cut -d\ -f1)
url=https://package.elm-lang.org/packages/$author/$pname/$version/zipball
jq -n \
--arg hash "$hash" \
--arg url "$url" \
'{ $hash, $url }' \
> "$endpointjson"
fi
file_response 200 OK "$endpointjson" 'application/json; charset=UTF-8'
exit
;;
esac
;;
'POST /packages/'*)
author=$req_x_author
pname=$req_x_package
user=$req_x_user
version=$req_x_version
action=uploading
force=''${req_x_force-false}
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
if test -e "$zipball"; then
if test "$force" = true; then
zipball_owner=$(attr -q -g X-User "$zipball" || :)
if test "$zipball_owner" = "$req_x_user"; then
action=replacing
rm -f "$elmjson"
rm -f "$endpointjson"
else
string_response 403 Forbidden \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
else
string_response 409 Conflict \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
fi
echo "user $user is $action package $author/$pname@$version" >&2
# TODO check package
mkdir -p "$(dirname "$zipball")"
head -c $req_content_length > "$zipball"
attr -q -s X-User -V "$user" "$zipball" || :
string_response 200 OK \
"package created: $author/$pname@$version" \
text/plain
exit
;;
'DELETE /packages/'*)
author=$req_x_author
pname=$req_x_package
user=$req_x_user
version=$req_x_version
zipball=${cfg.packageDir}/$author/$pname/$version/zipball
elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
if test -e "$zipball"; then
zipball_owner=$(attr -q -g X-User "$zipball" || :)
if test "$zipball_owner" = "$req_x_user"; then
echo "user $user is deleting package $author/$pname@$version" >&2
rm -f "$elmjson"
rm -f "$endpointjson"
rm "$zipball"
string_response 200 OK \
"package deleted: $author/$pname@$version" \
text/plain
exit
else
string_response 403 Forbidden \
"package already exists: $author/$pname@$version" \
text/plain
exit
fi
fi
;;
'GET /all-packages'|'POST /all-packages')
response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
trap "rm $response >&2" EXIT
{
# upstream packages
curl -fsS https://package.elm-lang.org"$Request_URI"
# private packages
(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
map({key:.name,value:.string}) |
from_entries
) |
reduce .[] as $item ({};
($item|"\(.author)/\(.pname)") as $name |
. + { "\($name)": ((.[$name] // []) + [$item.version]) }
)
'
} |
jq -cs add > $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
'GET /all-packages/since/'*|'POST /all-packages/since/'*)
response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
trap "rm $response >&2" EXIT
{
# upstream packages
curl -fsS https://package.elm-lang.org"$Request_URI"
# private packages
(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
sub("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$";"\(.author)/\(.pname)@\(.version)")
) |
sort_by(split("@") | [.[0]]+(.[1]|split(".")|map(tonumber))) |
reverse
'
} |
jq -cs add > $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
'GET /search.json')
searchjson=$HOME/cache/search.json
mkdir -p "$HOME/cache"
# update cached search.json
(
last_modified=$(
if test -f "$searchjson"; then
date -Rr "$searchjson"
else
date -R -d @0
fi
)
tempsearchjson=$(mktemp "$searchjson.XXXXXXXX")
trap 'rm "$tempsearchjson" >&2' EXIT
curl -fsS --compressed https://package.elm-lang.org/search.json \
-H "If-Modified-Since: $last_modified" \
-o "$tempsearchjson"
if test -s "$tempsearchjson"; then
mv "$tempsearchjson" "$searchjson"
trap - EXIT
fi
)
response=$(mktemp -t htgen.$$.elm-packages-proxy.search.XXXXXXXX)
trap 'rm "$response" >&2' EXIT
{
printf '{"upstream":'; cat "$searchjson"
printf ',"private":'; (cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
jq -Rs '
split("\n") |
map(
select(.!="") |
match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
map({key:.name,value:.string}) |
from_entries
) |
map({
key: "\(.author)/\(.pname)",
value: .version,
}) |
from_entries
'
printf '}'
} |
jq -c '
reduce .upstream[] as $upstreamItem ({ private, output: [] };
.private[$upstreamItem.name] as $privateItem |
if $privateItem then
.output += [$upstreamItem * { version: $privateItem.version }] |
.private |= del(.[$upstreamItem.name])
else
.output += [$upstreamItem]
end
) |
.output + (.private | to_entries | sort_by(.key) | map({
name: .key,
version: .value,
summary: "dummy summary",
license: "dummy license",
}))
' \
> $response
file_response 200 OK "$response" 'application/json; charset=UTF-8'
exit
;;
esac
''}'';
};
}


@ -1,9 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.systemPackages = [
pkgs.eximlog
];
krebs.exim-retiolum.enable = true;
krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
}


@ -1,46 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.systemPackages = [
pkgs.eximlog
];
krebs.exim-smarthost = {
enable = true;
dkim = [
{ domain = "viljetic.de"; }
];
sender_domains = [
"krebsco.de"
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = concatMap (host: host.nets.retiolum.addrs) [
config.krebs.hosts.nomic
config.krebs.hosts.xu
];
internet-aliases = with config.krebs.users; [
{ from = "bku-eppler@viljetic.de"; to = tv.mail; }
{ from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822
{ from = "mirko@viljetic.de"; to = mv-ni.mail; }
{ from = "tomislav@viljetic.de"; to = tv.mail; }
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@shackspace.de"; to = tv.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
};
tv.iptables.input-internet-accept-tcp = singleton "smtp";
}


@ -1,20 +0,0 @@
_:
{
boot.loader.grub = {
device = "/dev/sda";
};
fileSystems = {
"/" = {
device = "/dev/centos/root";
fsType = "xfs";
};
"/boot" = {
device = "/dev/sda1";
fsType = "xfs";
};
};
swapDevices = [
{ device = "/dev/centos/swap"; }
];
}


@ -1,16 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.etc.gitconfig.text = ''
[alias]
patch = !${pkgs.git}/bin/git --no-pager diff --no-color
[diff-so-fancy]
markEmptyLines = false
stripLeadingSymbols = false
[pager]
diff = ${pkgs.gitAndTools.diff-so-fancy}/bin/diff-so-fancy \
| ${pkgs.less}/bin/less -FRX
[user]
email = tv@krebsco.de
name = tv
'';
}


@ -1,233 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let {
body = {
nixpkgs.config.packageOverrides = super: {
cgit = pkgs.symlinkJoin {
name = "${super.cgit.name}-tv";
paths = [
(pkgs.runCommand "${super.cgit.name}-tv-overrides" {
} /* sh */ ''
mkdir -p $out/lib/cgit/filters
cd $out/lib/cgit/filters
cp \
${super.cgit}/lib/cgit/filters/syntax-highlighting.py \
${super.cgit}/lib/cgit/filters/.syntax-highlighting.py-wrapped \
.
sed -i "s:${super.cgit}:$out:" syntax-highlighting.py
sed -i '
s:^\(formatter =\).*:\1 HtmlFormatter(style="algol_nu"):
' .syntax-highlighting.py-wrapped
'')
super.cgit
];
};
};
krebs.git = {
enable = true;
cgit = {
settings = {
about-filter = pkgs.exec "krebs.cgit.about-filter" rec {
filename = "${pkgs.python3Packages.markdown2}/bin/markdown2";
argv = [
filename
"--extras=fenced-code-blocks"
];
envp = {};
};
readme = [
":README.md"
];
root-desc = "mostly krebs";
root-title = "repositories at ${config.krebs.build.host.name}";
source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
};
};
repos = repos;
rules = rules;
};
};
cgit-clear-cache = pkgs.cgit-clear-cache.override {
inherit (config.krebs.git.cgit.settings) cache-root;
};
repos =
public-repos //
optionalAttrs config.krebs.build.host.secure restricted-repos;
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo ({
} // mapAttrs (_: recursiveUpdate { cgit.section = "1. miscellaneous"; }) {
couchfs = {
cgit.desc = "filesystem (in userspace) on top of CouchDB";
};
crx = {
cgit.desc = "utilities for working with Chrome extensions";
};
dic = {
cgit.desc = "dict.leo.org command line interface";
};
disko = {
cgit.desc = "declarative partitioning and formatting tool";
};
fswm = {
cgit.desc = "simple full screen window manager";
};
htgen = {
cgit.desc = "toy HTTP server";
};
ircaids = {
cgit.desc = "Assortment of aids for working with Internet relay chat";
};
krops = {
cgit.desc = "deployment tools";
};
mailaids = {
cgit.desc = "Assortment of aids for working with electronic mail";
};
much = {};
netcup = {
cgit.desc = "netcup command line interface";
};
nix-writers = {
cgit.desc = "collection of package builders";
};
nixpkgs = {
cgit.desc = "Nix Packages collection";
};
pager = {
};
populate = {
cgit.desc = "source code installer";
};
q = {};
reaktor2 = {};
stockholm = {
cgit.desc = "NixOS configuration";
};
TabFS = {
cgit.desc = "mount browser tabs & co. as a filesystem";
};
texnix = {
cgit.desc = "TeX live environment generator";
};
with-ssh = {};
} // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) {
ni = {
};
} // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) {
X11-aeson = {};
blessings = {};
hack = {};
hc = {};
mime = {};
quipper = {};
scanner = {};
wai-middleware-time = {};
web-routes-wai-custom = {};
xintmap = {};
xmonad-aeson = {};
xmonad-web = {};
} // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) {
cac-api = {
cgit.desc = "CloudAtCost API command line interface";
};
cgserver = {};
crude-mail-setup = {};
dot-xmonad = {};
flameshot-once = {
cgit.desc = "flameshot runner that automatically starts/stops the daemon";
};
hirc = {};
hstool = {
cgit.desc = "Haskell Development Environment ^_^";
};
kirk = {
cgit.desc = "IRC tools";
};
make-snapshot = {};
nixos-infest = {};
painload = {};
push = {};
Reaktor = {};
regfish = {};
with-tmpdir = {};
get = {};
load-env = {};
loldns = {
cgit.desc = "toy DNS server";
};
soundcloud = {
cgit.desc = "SoundCloud command line interface";
};
xmonad-stockholm = {};
});
restricted-repos = mapAttrs make-restricted-repo (
{
brain = {
collaborators = with config.krebs.users; [ lass makefu ];
hooks = {
post-receive = /* sh */ ''
(${irc-announce { cgit_endpoint = null; }})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
}
);
irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
channel = "#xxx";
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
server = "irc.r";
verbose = {
exclude = [
"refs/heads/head"
];
};
} args);
make-public-repo = name: { cgit ? {}, ... }: {
inherit cgit name;
public = true;
hooks = {
post-receive = /* sh */ ''
(${optionalString (config.krebs.build.host.name == "ni")
(irc-announce {})})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
inherit collaborators name;
public = false;
hooks = hooks // {
post-receive = /* sh */ ''
(${hooks.post-receive or ":"})
${cgit-clear-cache}/bin/cgit-clear-cache
'';
};
};
make-rules =
with git // config.krebs.users;
repo:
singleton {
user = [ tv tv-xu ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional (repo.collaborators or [] != []) {
user = repo.collaborators;
repo = [ repo ];
perm = fetch;
};
}


@ -1,40 +0,0 @@
with import ./lib;
{ pkgs, ... }: {
nixpkgs.config.packageOverrides = super: {
htop = pkgs.symlinkJoin {
name = "htop";
paths = [
(pkgs.writeDashBin "htop" ''
export HTOPRC=${pkgs.writeText "htoprc" ''
fields=0 48 17 18 38 39 40 2 46 47 49 1
sort_key=46
sort_direction=1
hide_threads=0
hide_kernel_threads=1
hide_userland_threads=0
shadow_other_users=1
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=1
header_margin=0
detailed_cpu_time=0
cpu_count_from_zero=0
update_process_names=0
account_guest_in_cpu_meter=1
color_scheme=0
delay=15
left_meters=LeftCPUs2 RightCPUs2 Memory Swap
left_meter_modes=1 1 1 1
right_meters=Uptime Tasks LoadAverage Battery
right_meter_modes=2 2 2 2
''}
exec ${super.htop}/bin/htop "$@"
'')
super.htop
];
};
};
}


@ -1,48 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
../smartd.nix
{
nix.settings.cores = 2;
nix.settings.max-jobs = 2;
}
(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
nix.daemonCPUSchedPolicy = "batch";
nix.daemonIOSchedPriority = 1;
} else {
nix.daemonIONiceLevel = 1;
nix.daemonNiceLevel = 1;
})
];
boot.loader.grub = {
device = "/dev/sda";
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ahci"
];
boot.kernelModules = [
"kvm-intel"
"wl"
];
boot.extraModulePackages = [
config.boot.kernelPackages.broadcom_sta
];
services.logind.extraConfig = ''
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandlePowerKey=ignore
HandleSuspendKey=ignore
'';
krebs.nixpkgs.allowUnfreePredicate = pkg: packageName pkg == "broadcom-sta";
tv.hw.screens.primary.width = 1366;
tv.hw.screens.primary.height = 768;
}


@ -1 +0,0 @@
../lib


@ -1,48 +0,0 @@
{ pkgs, ... }: {
imports = [
../smartd.nix
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ];
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelModules = [
"amd-pstate"
"kvm-amd"
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
"amd_pstate=passive"
];
hardware.bluetooth.enable = true;
hardware.cpu.amd.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
hardware.opengl.enable = true;
hardware.opengl.extraPackages = [
pkgs.amdvlk
pkgs.rocm-opencl-icd
pkgs.rocm-opencl-runtime
];
networking.wireless.enable = true;
networking.wireless.interfaces = [
"wlp1s0"
];
networking.interfaces.wlp1s0.useDHCP = true;
nixpkgs.hostPlatform = "x86_64-linux";
services.illum.enable = true;
services.logind.extraConfig = /* ini */ ''
HandlePowerKey=ignore
'';
tv.lidControl.enable = true;
tv.hw.screens.primary.width = 2560;
tv.hw.screens.primary.height = 1600;
}


@ -1,89 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
imports = [
../smartd.nix
{
boot.extraModulePackages = [
config.boot.kernelPackages.acpi_call
];
boot.kernelModules = [
"acpi_call"
];
environment.systemPackages = [
pkgs.tpacpi-bat
];
}
# fix jumpy touchpad
# https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_X220#X220_Touchpad_cursor_jump/imprecise
{
services.udev.extraHwdb = /* sh */ ''
touchpad:i8042:*
LIBINPUT_MODEL_LENOVO_X220_TOUCHPAD_FW81=1
'';
}
{
nix.settings.cores = 2;
nix.settings.max-jobs = 2;
}
(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
nix.daemonCPUSchedPolicy = "batch";
nix.daemonIOSchedPriority = 1;
} else {
nix.daemonIONiceLevel = 1;
nix.daemonNiceLevel = 1;
})
];
boot.extraModulePackages = [
config.boot.kernelPackages.tp_smapi
];
boot.kernelModules = [ "tp_smapi" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Required for Centrino.
hardware.enableRedistributableFirmware = true;
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
# Conflicts with TLP, but gets enabled by DEs.
services.power-profiles-daemon.enable = false;
services.tlp.enable = true;
services.tlp.settings = {
START_CHARGE_THRESH_BAT0 = 80;
};
services.logind.extraConfig = ''
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandlePowerKey=ignore
HandleSuspendKey=ignore
'';
# because extraConfig is not extra enough:
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
services.xserver = {
videoDriver = "intel";
};
tv.hw.screens.primary.width = lib.mkDefault 1366;
tv.hw.screens.primary.height = lib.mkDefault 768;
}


@ -1,22 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
services.nginx.virtualHosts."ni.r" = {
locations."/image" = {
extraConfig = /* nginx */ ''
client_max_body_size 20M;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
proxy_pass_header Server;
'';
};
};
krebs.htgen.imgur = {
port = 7771;
scriptFile = "${pkgs.htgen-imgur}/bin/htgen-imgur";
};
}


@ -1,17 +0,0 @@
{ config, ... }: {
boot.initrd.availableKernelModules = [
"e1000e"
];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 11423;
authorizedKeys = [
config.krebs.users.tv.pubkey
];
ignoreEmptyHostKeys = true;
};
boot.initrd.secrets = {
"/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
};
}


@ -1 +0,0 @@
../lib


@ -1,9 +0,0 @@
{ pkgs, ... }: {
environment.systemPackages = [
pkgs.haskellPackages.much
pkgs.msmtp
pkgs.notmuch
pkgs.qprint
pkgs.w3m
];
}


@ -1,13 +0,0 @@
{ config, lib, pkgs, ... }:
{
#environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
# ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
# s:^NROFF\t.*:& -Wbreak:
# '
#'';
environment.systemPackages = [
pkgs.man-pages
pkgs.posix_man_pages
pkgs.xorg.xorgdocs
];
}


@ -1,68 +0,0 @@
{
krebs = {
dns.providers.hkw = "hosts";
hosts = {
au = {
nets.hkw = {
ip4 = {
addr = "10.23.1.39";
prefix = "10.23.1.0/24";
};
aliases = [
"au.hkw"
];
ssh.port = 11423;
};
};
nomic = {
nets.hkw = {
ip4 = {
addr = "10.23.1.110";
prefix = "10.23.1.0/24";
};
aliases = [
"nomic.hkw"
];
ssh.port = 11423;
};
};
ok = {
external = true;
nets.hkw = {
ip4 = {
addr = "10.23.1.1";
prefix = "10.23.1.0/24";
};
aliases = [
"ok.hkw"
];
};
};
xu = {
nets.hkw = {
ip4 = {
addr = "10.23.1.38";
prefix = "10.23.1.0/24";
};
aliases = [
"xu.hkw"
"cache.xu.hkw"
];
ssh.port = 11423;
};
};
zu = {
nets.hkw = {
ip4 = {
addr = "10.23.1.40";
prefix = "10.23.1.0/24";
};
aliases = [
"zu.hkw"
];
ssh.port = 11423;
};
};
};
};
}


@ -1,4 +0,0 @@
{
# often hangs
systemd.services.systemd-networkd-wait-online.enable = false;
}


@ -1,22 +0,0 @@
with import ./lib;
{ config, ... }: {
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts.${toJSON ""} = {
default = true;
extraConfig = ''
error_page 400 =444 /;
return 444;
'';
rejectSSL = true;
};
};
tv.iptables = {
input-retiolum-accept-tcp = singleton "http";
};
}


@ -1 +0,0 @@
../lib


@ -1,18 +0,0 @@
with import ./lib;
{ config, ... }: {
services.nginx = {
enable = true;
virtualHosts.default = {
serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.hkw"
"${config.krebs.build.host.name}.r"
];
locations."~ ^/~([a-z]+)(?:/(.*))?\$" = {
alias = "/srv/$1/public_html/$2";
};
};
};
tv.iptables.input-internet-accept-tcp = singleton "http";
}


@ -1,9 +0,0 @@
{ pkgs, ... }: {
nix.settings.auto-optimise-store = true;
# TODO check if both are required:
nix.settings.extra-sandbox-paths = [
"/etc/protocols"
pkgs.iana-etc.outPath
];
}


@ -1,31 +0,0 @@
tv Root CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,68 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
in {
environment.etc."pki/nssdb".source =
pkgs.runCommand "system-wide-nssdb" {
inherit certFile;
buildInputs = [
pkgs.jq
pkgs.nssTools
];
parseInfoScript = /* jq */ ''
${toJSON certFile} as $certFile |
split("\t-----END CERTIFICATE-----\n")[] |
select(test("\t-----BEGIN CERTIFICATE-----\n")) |
. + "\t-----END CERTIFICATE-----\n" |
sub("^([0-9]+\t\n)*";"") |
(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
gsub("(?m)^[0-9]+\t";"") |
match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
# Line numbers are added to the names to ensure uniqueness.
"\(.[0]) (\($certFile):\($lineNumber))" as $name |
.[1] as $cert |
{ $name, $cert }
'';
passAsFile = [
"parseInfoScript"
];
} /* sh */ ''
mkdir nssdb
nl -ba -w1 "$certFile" |
jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
exec < certinfo.ndjson
while read -r certinfo; do
name=$(printf %s "$certinfo" | jq -er .name)
cert=$(printf %s "$certinfo" | jq -er .cert)
printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
done
mv nssdb "$out"
'';
environment.variables = flip genAttrs (_: toString certFile) [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"
"SSL_CERT_FILE"
];
security.pki.certificateFiles =
mapAttrsToList
(name: const (./certs + "/${name}"))
(filterAttrs (const (eq "regular"))
(readDir ./certs));
}


@ -1 +0,0 @@
../lib


@ -1,86 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
pin = "@${config.krebs.secret.directory}/o2.pin";
ttys.ppp = "/dev/ttyACM0";
ttys.com = "/dev/ttyACM1";
};
in {
assertions = [
{
assertion =
config.networking.resolvconf.enable ||
config.networking.useNetworkd;
message = "ppp configuration needs resolvconf or networkd";
}
];
environment.etc."ppp/ip-up".source = pkgs.writeDash "ppp.ip-up" ''
${pkgs.openresolv}/bin/resolvconf -a "$IFNAME" < /etc/ppp/resolv.conf
'';
environment.etc."ppp/ip-down".source = pkgs.writeDash "ppp.ip-down" ''
${pkgs.openresolv}/bin/resolvconf -fd "$IFNAME"
'';
environment.etc."ppp/peers/o2".text = /* sh */ ''
${cfg.ttys.ppp}
921600
crtscts
defaultroute
holdoff 10
lock
maxfail 0
noauth
nodetach
noipdefault
passive
persist
usepeerdns
connect "${pkgs.ppp}/bin/chat ''${DEBUG+-v} -Ss -f ${pkgs.writeText "o2.chat" /* sh */ ''
ABORT "BUSY"
ABORT "NO CARRIER"
REPORT CONNECT
"*EMRDY: 1"
ATZ OK
AT+CFUN=1 OK
${cfg.pin} TIMEOUT 2 ERROR-AT-OK
AT+CGDCONT=1,\042IP\042,\042internet\042 OK
ATDT*99***1# CONNECT
''}"
'';
users.users.root.packages = [
(pkgs.writeDashBin "connect" ''
# usage:
# connect wlan
# connect wwan [PEERNAME]
set -efu
rfkill_wlan=/sys/class/rfkill/rfkill2
rfkill_wwan=/sys/class/rfkill/rfkill1
case $1 in
wlan)
${pkgs.procps}/bin/pkill pppd || :
echo 0 > "$rfkill_wwan"/state
echo 1 > "$rfkill_wlan"/state
;;
wwan)
name=''${2-o2}
echo 0 > "$rfkill_wlan"/state
echo 1 > "$rfkill_wwan"/state
${pkgs.ppp}/bin/pppd call "$name" updetach
;;
*)
echo "$0: error: bad arguments: $*" >&2
exit 1
esac
'')
(pkgs.writeDashBin "modem-send" ''
# usage: modem-send ATCOMMAND
set -efu
tty=${lib.shell.escape cfg.ttys.com}
exec <"$tty"
printf '%s\r\n' "$1" >"$tty"
${pkgs.gnused}/bin/sed -E '
/^OK\r?$/q
/^ERROR\r?$/q
'
'')
];
}


@ -1,120 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
pkg = pkgs.pulseaudio;
runDir = "/run/pulse";
pkgs_i686 = pkgs.pkgsi686Linux;
support32Bit =
pkgs.stdenv.isx86_64 &&
pkgs_i686.alsaLib != null &&
pkgs_i686.libpulseaudio != null;
alsaConf = pkgs.writeText "asound.conf" ''
ctl_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
${optionalString support32Bit
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;"}
}
pcm_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
${optionalString support32Bit
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;"}
}
ctl.!default {
type pulse
}
pcm.!default {
type pulse
}
'';
clientConf = pkgs.writeText "client.conf" ''
autospawn=no
default-server = unix:${runDir}/socket
'';
configFile = pkgs.writeText "default.pa" ''
.include ${pkg}/etc/pulse/default.pa
load-module ${toString [
"module-native-protocol-unix"
"auth-anonymous=1"
"socket=${runDir}/socket"
]}
${lib.optionalString (config.krebs.build.host.name == "au") ''
load-module ${toString [
"module-native-protocol-tcp"
"auth-ip-acl=127.0.0.1;10.23.1.0/24"
]}
''}
${lib.optionalString (config.krebs.build.host.name != "au") ''
load-module ${toString [
"module-tunnel-sink-new"
"server=au.hkw"
"sink_name=au"
"channels=2"
"rate=44100"
]}
''}
'';
in
{
environment = {
etc = {
"asound.conf".source = alsaConf;
# XXX mkForce is not strong enough (and neither is mkOverride) to create
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
#"pulse/client.conf" = mkForce { source = clientConf; };
#"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile;
};
systemPackages = [
pkg
] ++ optionals config.services.xserver.enable [
pkgs.pavucontrol
];
};
hardware.pulseaudio = {
inherit support32Bit;
};
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
systemd.services.pulse = {
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment = {
PULSE_RUNTIME_PATH = "${runDir}/home";
};
serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio --exit-idle-time=-1";
ExecStartPre = pkgs.writeDash "pulse-start" ''
install -o pulse -g pulse -m 0750 -d ${runDir}
install -o pulse -g pulse -m 0700 -d ${runDir}/home
'';
PermissionsStartOnly = "true";
User = "pulse";
};
};
# TODO assert that pulse is the only user with "audio" in group/extraGroups
# otherwise the audio device can be hijacked while the pulse service restarts
# (e.g. when mpv is running) and then the service will fail.
users = {
groups.pulse.gid = config.users.users.pulse.uid;
users.pulse = {
uid = genid_uint31 "pulse";
group = "pulse";
extraGroups = [ "audio" ];
home = "${runDir}/home";
isSystemUser = true;
};
};
}


@ -1 +0,0 @@
../lib


@ -1,40 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.repo-sync.enable = true;
krebs.repo-sync.repos.wiki.branches.hotdog = {
origin.url = "http://cgit.hotdog.r/wiki";
mirror.url = "git@${config.krebs.build.host.name}.r:wiki";
};
krebs.git.repos.wiki = {
public = true;
name = "wiki";
cgit.desc = toString [
"mirror of"
config.krebs.repo-sync.repos.wiki.branches.hotdog.origin.url
];
cgit.section = "7. mirrors";
hooks.post-receive = /* sh */ ''
${pkgs.git-hooks.irc-announce {
channel = "#xxx";
nick = config.krebs.build.host.name;
server = "irc.r";
}}
${pkgs.cgit-clear-cache.override {
inherit (config.krebs.git.cgit.settings) cache-root;
}}/bin/cgit-clear-cache
'';
};
krebs.git.rules = lib.singleton {
user = lib.singleton config.krebs.users.repo-sync;
repo = lib.singleton config.krebs.git.repos.wiki;
perm = lib.git.push "refs/*" [
lib.git.create
lib.git.delete
lib.git.merge
lib.git.non-fast-forward
];
};
krebs.users.${config.krebs.repo-sync.user.name}.pubkey = {
ni = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINK9U0Ob9/O0kxg3trhZY/vDnbqfN+R5cASGiClRr4IM";
}.${config.krebs.build.host.name};
}


@ -1,27 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
krebs.tinc.retiolum = {
enable = true;
connectTo = filter (ne config.krebs.build.host.name) [
"ni"
"prism"
"eve"
];
extraConfig = ''
LocalDiscovery = yes
'';
tincPackage = pkgs.tinc_pre;
tincUp = lib.mkIf config.systemd.network.enable "";
};
systemd.network.networks.retiolum = {
matchConfig.Name = "retiolum";
address = let
inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
in [
"${ip4.addr}/${toString ip4.prefixLength}"
"${ip6.addr}/${toString ip6.prefixLength}"
];
};
tv.iptables.input-internet-accept-tcp = singleton "tinc";
tv.iptables.input-internet-accept-udp = singleton "tinc";
}


@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
services.smartd = {
enable = true;
devices = [
{
device = "DEVICESCAN";
options = toString [
"-a"
"-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)"
];
}
];
};
}


@ -1,22 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
# Override NixOS's "Allow DSA keys for now."
environment.etc."ssh/ssh_config".text = mkForce ''
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${optionalString config.programs.ssh.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
${config.programs.ssh.extraConfig}
'';
programs.ssh = {
extraConfig = ''
UseRoaming no
'';
startAgent = false;
};
}


@ -1,27 +0,0 @@
with import ./lib;
{ config, ... }: let
cfg.host = config.krebs.build.host;
nets =
optional (cfg.host.nets?retiolum) cfg.host.nets.retiolum ++
optional (cfg.host.nets?wiregrill) cfg.host.nets.wiregrill;
in {
services.openssh = {
enable = true;
};
tv.iptables.input-internet-accept-tcp = singleton "ssh";
tv.iptables.extra.nat.OUTPUT = [
"-o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22"
];
tv.iptables.extra4.nat.PREROUTING =
map
(net: "-d ${net.ip4.addr} -p tcp --dport 22 -j ACCEPT")
(filter (net: net.ip4 != null) nets);
tv.iptables.extra6.nat.PREROUTING =
map
(net: "-d ${net.ip6.addr} -p tcp --dport 22 -j ACCEPT")
(filter (net: net.ip6 != null) nets);
tv.iptables.extra.nat.PREROUTING = [
"-p tcp --dport 22 -j REDIRECT --to-ports 0"
"-p tcp --dport 11423 -j REDIRECT --to-ports 22"
];
}


@ -1,117 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
exec = filename: args: url: {
inherit url;
filter = singleton {
system =
concatMapStringsSep " " shell.escape ([filename] ++ toList args);
};
};
json = json' ["."];
json' = exec "${pkgs.jq}/bin/jq";
urigrep' = exec (pkgs.writeDash "urigrep" ''
${pkgs.urix}/bin/urix | ${pkgs.gnugrep}/bin/grep -E "$1"
'');
xml = xml' ["--format" "-"];
xml' = exec "${pkgs.libxml2}/bin/xmllint";
in {
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.tv.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
# 2014-07-29 when one of the following urls change
# then we have to update the package
http://www.exim.org/
# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
{
url = https://thp.io/2008/urlwatch/;
# workaround: ('Received response with content-encoding: gzip, but
# failed to decode it.', error('Error -3 while decompressing data:
# incorrect header check',))
ignore_cached = true;
}
# 2015-02-18
# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
http://www.fourmilab.ch/webtools/qprint/
# 2014-09-24 ref https://github.com/4z3/xintmap
http://www.mathstat.dal.ca/~selinger/quipper/
## 2014-10-17
## TODO update ~/src/login/default.nix
#http://hackage.haskell.org/package/bcrypt
#http://hackage.haskell.org/package/cron
#http://hackage.haskell.org/package/hyphenation
#http://hackage.haskell.org/package/iso8601-time
#http://hackage.haskell.org/package/ixset-typed
#http://hackage.haskell.org/package/system-command
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
# ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
(json https://api.github.com/meta)
# ref <nixpkgs/pkgs/tools/security/ssh-audit>
(json https://api.github.com/repos/arthepsy/ssh-audit/tags)
# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
(json https://api.github.com/repos/ioerror/tlsdate/tags)
# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
(json https://api.github.com/repos/simple-evcorr/sec/tags)
# <stockholm/tv/2configs/xserver/xserver.conf.nix>
# is derived from `configFile` in:
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
https://www.rabbitmq.com/changelog.html
(urigrep' ["software-resources"] https://semiconductor.samsung.com/consumer-storage/support/tools/)
];
hooksFile = toFile "hooks.py" ''
import subprocess
import urlwatch
class SystemFilter(urlwatch.filters.FilterBase):
"""Filter for piping data through an external process"""
__kind__ = 'system'
__supported_subfilters__ = {
'command': 'shell command line to tranform data',
}
__default_subfilter__ = 'command'
def filter(self, data, subfilter=None):
if 'command' not in subfilter:
raise ValueError('{} filter needs a command'.format(self.__kind__))
proc = subprocess.Popen(
subfilter['command'],
shell=True,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
(stdout, stderr) = proc.communicate(data.encode())
if proc.returncode != 0:
raise RuntimeError(
"system filter returned non-zero exit status %d; stderr:\n"
% proc.returncode
+ stderr.decode()
)
return stdout.decode()
'';
};
}


@ -1,183 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let {
body = {
environment.systemPackages = [
vim-wrapper
];
environment.etc.vimrc.source = vimrc;
environment.variables.EDITOR = mkForce "vim";
environment.variables.VIMINIT = ":so /etc/vimrc";
};
base-plugins = [
pkgs.tv.vimPlugins.file-line
pkgs.tv.vimPlugins.hack
pkgs.vimPlugins.undotree
(pkgs.tv.vim.makePlugin (pkgs.write "vim-tv-base" {
"/ftplugin/haskell.vim".text = ''
if exists("g:vim_tv_ftplugin_haskell_loaded")
finish
endif
let g:vim_tv_ftplugin_haskell_loaded = 1
setlocal iskeyword+='
'';
}))
];
extra-plugins = [
pkgs.tv.vimPlugins.elixir
pkgs.tv.vimPlugins.fzf
pkgs.tv.vimPlugins.jq
pkgs.tv.vimPlugins.nix
pkgs.tv.vimPlugins.showsyntax
pkgs.tv.vimPlugins.tv
pkgs.tv.vimPlugins.vim
pkgs.vimPlugins.fzfWrapper
pkgs.vimPlugins.vim-nftables
];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
need-dirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim-wrapper = pkgs.symlinkJoin {
name = "vim";
paths = [
(pkgs.writeDashBin "vim" ''
set -efu
export FZF_DEFAULT_COMMAND='${pkgs.ripgrep}/bin/rg --files'
export PATH=$PATH:${makeBinPath [
pkgs.fzf
pkgs.ripgrep
]}
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString need-dirs})
exec ${pkgs.vim}/bin/vim "$@"
'')
pkgs.vim
];
};
vimrc = pkgs.writeText "vimrc" /* vim */ ''
vim9script
set nocompatible
set autoindent
set backspace=indent,eol,start
set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set hlsearch
set incsearch
set mouse=a
set noruler
set pastetoggle=<INS>
set runtimepath=${pkgs.tv.vim.makeRuntimePath base-plugins},$VIMRUNTIME
set shortmess+=I
set showcmd
set showmatch
set timeoutlen=0
set ttimeoutlen=0
set ttymouse=sgr
set undodir=${dirs.undodir}
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu
set wildmode=longest,full
set runtimepath^=${pkgs.tv.vim.makeRuntimePath extra-plugins}
syntax on
set et ts=2 sts=2 sw=2
filetype plugin indent on
set t_Co=256
colorscheme hack
au Syntax * syn match Garbage containedin=ALL /\s\+$/
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
au BufRead,BufNewFile *.nix set ft=nix
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
nnoremap <esc>[5^ :tabp<cr>
nnoremap <esc>[6^ :tabn<cr>
nnoremap <esc>[5@ :tabm -1<cr>
nnoremap <esc>[6@ :tabm +1<cr>
nnoremap <f1> :tabp<cr>
nnoremap <f2> :tabn<cr>
imap <f1> <esc><f1>
imap <f2> <esc><f2>
nnoremap <S-f1> :tabm -1<cr>
nnoremap <S-f2> :tabm +1<cr>
imap <S-f1> <esc><S-f1>
imap <S-f2> <esc><S-f2>
noremap <f3> :ShowSyntax<cr>
# <C-{Up,Down,Right,Left}>
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
# <[C]S-{Up,Down,Right,Left}>
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
vnoremap u <nop>
# fzf
nnoremap <esc>q :Buffers<cr>
nnoremap <esc>f :Files<cr>
nnoremap <esc>w :Rg<cr>
# edit alternate buffer
# For some reason neither putting <ctrl>6 nor <ctrl>^ works here...
nnoremap <esc>a 
if $TOUCHSCREEN == "1"
nnoremap <ScrollWheelUp> <C-y>
nnoremap <ScrollWheelDown> <C-e>
nnoremap <C-ScrollWheelUp> 3<C-y>
nnoremap <C-ScrollWheelDown> 3<C-e>
nnoremap <S-ScrollWheelUp> 3<C-y>
nnoremap <S-ScrollWheelDown> 3<C-e>
nnoremap <C-S-ScrollWheelUp> <PageUp>
nnoremap <C-S-ScrollWheelDown> <PageDown>
endif
# remember last position
autocmd BufReadPost *
\ if line("'\"") > 0 && line("'\"") <= line("$") |
\ exe "normal! g`\"" |
\ endif
'';
}


@ -1,24 +0,0 @@
{ config, pkgs, ... }: {
users.users.tv.packages = [
(pkgs.writers.writeDashBin "weechat-client" ''
set -efu
exec ${pkgs.tmux}/bin/tmux attach -t weechat
'')
];
systemd.services.weechat = {
wantedBy = [ "multi-user.target" ];
environment = {
TERM = "rxvt-unicode-256color";
};
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux new -d -s weechat ${pkgs.weechat}/bin/weechat";
OOMScoreAdjust = -1000;
Restart = "always";
RestartSec = "100ms";
Type = "forking";
StartLimitBurst = 0;
User = "tv";
WorkingDirectory = "/home/tv";
};
};
}


@ -1,37 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
enable = cfg.net != null;
net = config.krebs.build.host.nets.wiregrill or null;
};
toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";
in
mkIf cfg.enable {
networking.wireguard.interfaces.wiregrill = {
ips =
optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
listenPort = 51820;
privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = host.nets.wiregrill.wireguard.subnets;
endpoint =
mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (host.nets.wiregrill.via != null) 61;
publicKey =
replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;
})
(filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
};
systemd.network.networks.wiregrill = {
matchConfig.Name = "wiregrill";
address =
optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4) ++
optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6);
};
tv.iptables.extra.filter.INPUT = [
"-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT"
];
}


@ -1,11 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
systemd.tmpfiles.rules = let
forUsers = flip map users;
isUser = { name, group, ... }:
name == "root" || hasSuffix "users" group;
users = filter isUser (mapAttrsToList (_: id) config.users.users);
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
}


@ -1,28 +0,0 @@
{ config, pkgs, ... }:
with import ./lib;
pkgs.writeText "Xmodmap" ''
!keycode 66 = Caps_Lock
!remove Lock = Caps_Lock
clear Lock
! caps lock
keycode 66 = Mode_switch
keycode 13 = 4 dollar EuroSign cent
keycode 30 = u U udiaeresis Udiaeresis
keycode 32 = o O odiaeresis Odiaeresis
keycode 38 = a A adiaeresis Adiaeresis
keycode 39 = s S ssharp
keycode 33 = p P Greek_pi Greek_PI
keycode 40 = d D Greek_delta Greek_DELTA
keycode 46 = l L Greek_lambda Greek_LAMBDA
keycode 54 = c C cacute Cacute
! BULLET OPERATOR
keycode 17 = 8 asterisk U2219
keycode 27 = r R r U211D
''


@ -1,167 +0,0 @@
with import ./lib;
{ config, pkgs, ... }@args: let
cfg = {
cacheDir = cfg.dataDir;
configDir = "/var/empty";
dataDir = "/run/xdg/${cfg.user.name}/xmonad";
user = config.krebs.build.user;
xmonad.pkg = pkgs.haskellPackages.xmonad-tv.overrideAttrs (_: {
au = {
XMONAD_BUILD_SCREEN_WIDTH = 1920;
XMONAD_BUILD_TERM_FONT_WIDTH = 10;
XMONAD_BUILD_TERM_FONT = "xft:Input Mono:size=12:style=Regular";
XMONAD_BUILD_TERM_PADDING = 2;
};
}.${config.krebs.build.host.name} or {
XMONAD_BUILD_SCREEN_WIDTH = 1366;
XMONAD_BUILD_TERM_FONT_WIDTH = 6;
XMONAD_BUILD_TERM_FONT = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
XMONAD_BUILD_TERM_PADDING = 2;
});
};
in {
imports = [
./sxiv.nix
./urxvt.nix
];
environment.systemPackages = [
pkgs.ff
pkgs.font-size
pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.xdotool
pkgs.xsel
pkgs.zathura
];
fonts.fonts = [
pkgs.xorg.fontschumachermisc
];
services.xserver = {
# Don't install feh into systemPackages
# refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
desktopManager.session = mkForce [];
displayManager.lightdm.enable = mkForce false;
displayManager.job.execCmd = mkForce "derp";
enable = true;
display = mkForce 11;
tty = mkForce 11;
};
systemd.services.display-manager.enable = false;
systemd.services.xmonad = let
xmonad = "${cfg.xmonad.pkg}/bin/xmonad";
xmonad-start = pkgs.writeDash "xmonad-start" ''
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_DATA_DIR"
f=$HOME/.dbus/session-bus/$(${pkgs.coreutils}/bin/cat /etc/machine-id)-${
toString config.services.xserver.display
}
if test -e "$f" &&
. "$f" &&
${pkgs.coreutils}/bin/kill -0 "$DBUS_SESSION_BUS_PID"
then
export DBUS_SESSION_BUS_ADDRESS
else
eval "$(${pkgs.dbus.lib}/bin/dbus-launch --sh-syntax)"
fi
exec ${xmonad}
'';
xmonad-ready = pkgs.writeDash "xmonad-ready" ''
${pkgs.systemd}/bin/systemd-notify --ready
{
${pkgs.xorg.xhost}/bin/xhost +SI:localuser:${cfg.user.name}
${pkgs.xorg.xhost}/bin/xhost -LOCAL:
} &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
in {
wantedBy = [ "graphical.target" ];
requires = [ "xserver.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
FZMENU_FZF_DEFAULT_OPTS = toString [
"--color=dark,border:126,bg+:090"
"--inline-info"
];
XMONAD_CACHE_DIR = cfg.cacheDir;
XMONAD_CONFIG_DIR = cfg.configDir;
XMONAD_DATA_DIR = cfg.dataDir;
XMONAD_STARTUP_HOOK = xmonad-ready;
XMONAD_WORKSPACES0_FILE = pkgs.writeJSON "xmonad-workspaces0.json" [
"Dashboard" # we start here
"23"
"cr"
"ff"
"hack"
"im"
"mail"
"stockholm"
"za" "zh" "zj" "zs"
];
};
path = [
config.tv.slock.package
pkgs.flameshot-once-tv
pkgs.pulseaudio.out
pkgs.rxvt_unicode
pkgs.xcalib
"/run/wrappers" # for su
];
serviceConfig = {
ExecStart = "@${xmonad-start} xmonad-${currentSystem}";
ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown";
SyslogIdentifier = "xmonad";
User = cfg.user.name;
WorkingDirectory = cfg.user.home;
NotifyAccess = "all";
Type = "notify";
};
};
systemd.services.xserver = {
after = [
"acpid.service"
"local-fs.target"
"systemd-udev-settle.service"
];
wants = [
"systemd-udev-settle.service"
];
restartIfChanged = false;
environment = {
LD_LIBRARY_PATH = concatStringsSep ":" ([ "/run/opengl-driver/lib" ]
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
};
serviceConfig = {
SyslogIdentifier = "xserver";
ExecStart = toString [
"${pkgs.xorg.xorgserver}/bin/X"
":${toString config.services.xserver.display}"
"vt${toString config.services.xserver.tty}"
"-config ${import ./xserver.conf.nix args}"
"-logfile /dev/null -logverbose 0 -verbose 3"
"-nolisten tcp"
"-xkbdir ${config.services.xserver.xkbDir}"
];
};
};
tv.slock = {
enable = true;
user = cfg.user;
};
}


@ -1 +0,0 @@
../lib


@ -1,12 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg.user = config.krebs.build.user;
in {
tv.Xresources = {
"Sxiv.foreground" = "#232323";
"Sxiv.background" = "#424242";
};
users.users.${cfg.user.name}.packages = [
pkgs.sxiv
];
}


@ -1,73 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg.user = config.krebs.build.user;
in {
systemd.services.urxvtd = {
wantedBy = [ "graphical.target" ];
restartIfChanged = false;
serviceConfig = {
SyslogIdentifier = "urxvtd";
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = cfg.user.name;
};
};
tv.Xresources = {
"URxvt*cutchars" = ''"\\`\"'&()*,;<=>?@[]^{|}"'';
"URxvt*eightBitInput" = "false";
"URxvt*font" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
"URxvt*boldFont" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
"URxvt*scrollBar" = "false";
"URxvt*background" = "#050505";
"URxvt*foreground" = "#d0d7d0";
"URxvt*cursorColor" = "#f042b0";
"URxvt*cursorColor2" = "#f0b000";
"URxvt*cursorBlink" = "off";
"URxvt*jumpScroll" = "true";
"URxvt*allowSendEvents" = "false";
"URxvt*charClass" = "33:48,37-38:48,45-47:48,61:48,63-64:48";
"URxvt*cutNewline" = "False";
"URxvt*cutToBeginningOfLine" = "False";
"URxvt*color0" = "#232342";
"URxvt*color3" = "#c07000";
"URxvt*color4" = "#4040c0";
"URxvt*color7" = "#c0c0c0";
"URxvt*color8" = "#707070";
"URxvt*color9" = "#ff6060";
"URxvt*color10" = "#70ff70";
"URxvt*color11" = "#ffff70";
"URxvt*color12" = "#7070ff";
"URxvt*color13" = "#ff50ff";
"URxvt*color14" = "#70ffff";
"URxvt*color15" = "#ffffff";
"URxvt*iso14755" = "False";
"URxvt*urgentOnBell" = "True";
"URxvt*visualBell" = "True";
# ref https://github.com/muennich/urxvt-perls
"URxvt*perl-ext" = "default,url-select";
"URxvt*keysym.M-u" = "perl:url-select:select_next";
"URxvt*url-select.launcher" =
"/etc/profiles/per-user/${cfg.user.name}/bin/ff -new-tab";
"URxvt*url-select.underline" = "true";
"URxvt*colorUL" = "#4682B4";
"URxvt.perl-lib" = "${pkgs.urxvt_perls}/lib/urxvt/perl";
"URxvt*saveLines" = "10000";
"URxvt*modifier" = "mod1";
"root-urxvt*background" = "#230000";
"root-urxvt*foreground" = "#e0c0c0";
"root-urxvt*BorderColor" = "#400000";
"root-urxvt*color0" = "#800000";
"fzmenu-urxvt*background" = "rgb:42/23/42";
"fzmenu-urxvt*externalBorder" = "1";
"fzmenu-urxvt*geometry" = "70x9";
"fzmenu-urxvt*internalBorder" = "1";
};
}


@ -1,14 +0,0 @@
{ pkgs, ... }: {
services.acpid.enable = true;
services.acpid.handlers.xkiller = {
action = /* sh */ ''
event=($1)
if test "''${event[2]}" = 00000080; then
${pkgs.systemd}/bin/systemd-cat -t xkiller ${pkgs.xkiller}
fi
'';
event = "button/prog1";
};
}


@ -1,39 +0,0 @@
with import ./lib;
{ config, pkgs, ... }:
let
cfg = config.services.xserver;
in
pkgs.stdenv.mkDerivation {
name = "xserver.conf";
fontPath = optionalString (cfg.fontPath != null)
''FontPath "${toString cfg.fontPath}"'';
inherit (cfg) config;
buildCommand =
''
echo 'Section "Files"' >> $out
echo $fontPath >> $out
for i in ${toString config.fonts.fonts}; do
if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
for j in $(find $i -name fonts.dir); do
echo " FontPath \"$(dirname $j)\"" >> $out
done
fi
done
for i in $(find ${toString cfg.modules} -type d); do
if test $(echo $i/*.so* | wc -w) -ne 0; then
echo " ModulePath \"$i\"" >> $out
fi
done
echo 'EndSection' >> $out
echo "$config" >> $out
'';
}


@ -1,5 +0,0 @@
{
imports = [
./urxvtd.nix
];
}


@ -1,15 +0,0 @@
{ pkgs, ... }: {
systemd.user.sockets.urxvtd = {
wantedBy = [ "sockets.target" ];
socketConfig.ListenStream = "%t/urxvtd";
};
systemd.user.services.urxvtd = {
restartIfChanged = false;
environment = {
RXVT_SOCKET = "%t/urxvtd";
};
serviceConfig = {
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
};
};
}


@ -1,38 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
enable = config.services.xserver.enable && config.tv.Xresources != {};
user = config.krebs.build.user;
};
in {
options.tv.Xresources = mkOption {
default = {};
type = types.attrsOf types.str;
};
config = {
nixpkgs.overlays = singleton (self: super: {
tv = super.tv or {} // {
Xresources =
self.writeText "Xresources"
(concatStrings (mapAttrsToList (name: value: /* xdefaults */ ''
${name}: ${value}
'') config.tv.Xresources));
};
});
systemd.services.${if cfg.enable then "Xresources" else null} = {
wantedBy = [ "graphical.target" ];
after = [ "xmonad.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
};
serviceConfig = {
ExecStart = "${pkgs.xorg.xrdb}/bin/xrdb ${pkgs.tv.Xresources}";
RemainAfterExit = true;
SyslogIdentifier = "Xresources";
Type = "oneshot";
User = cfg.user.name;
WorkingDirectory = cfg.user.home;
};
};
};
}


@ -1,519 +0,0 @@
{ config, ... }: with import ./lib; let
cfg = config.tv.charybdis;
in toFile "charybdis.conf" ''
/* doc/example.conf - brief example configuration file
*
* Copyright (C) 2000-2002 Hybrid Development Team
* Copyright (C) 2002-2005 ircd-ratbox development team
* Copyright (C) 2005-2006 charybdis development team
*
* $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $
*
* See reference.conf for more information.
*/
/* Extensions */
#loadmodule "extensions/chm_operonly_compat.so";
#loadmodule "extensions/chm_quietunreg_compat.so";
#loadmodule "extensions/chm_sslonly_compat.so";
#loadmodule "extensions/createauthonly.so";
#loadmodule "extensions/extb_account.so";
#loadmodule "extensions/extb_canjoin.so";
#loadmodule "extensions/extb_channel.so";
#loadmodule "extensions/extb_extgecos.so";
#loadmodule "extensions/extb_oper.so";
#loadmodule "extensions/extb_realname.so";
#loadmodule "extensions/extb_server.so";
#loadmodule "extensions/extb_ssl.so";
#loadmodule "extensions/hurt.so";
#loadmodule "extensions/m_findforwards.so";
#loadmodule "extensions/m_identify.so";
#loadmodule "extensions/no_oper_invis.so";
#loadmodule "extensions/sno_farconnect.so";
#loadmodule "extensions/sno_globalkline.so";
#loadmodule "extensions/sno_globaloper.so";
#loadmodule "extensions/sno_whois.so";
loadmodule "extensions/override.so";
/*
* IP cloaking extensions: use ip_cloaking_4.0
* if you're linking 3.2 and later, otherwise use
* ip_cloaking.so, for compatibility with older 3.x
* releases.
*/
#loadmodule "extensions/ip_cloaking_4.0.so";
#loadmodule "extensions/ip_cloaking.so";
serverinfo {
name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
sid = "4z3";
description = "miep!";
network_name = "irc.r";
#network_desc = "Retiolum IRC Network";
hub = yes;
/* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */
/* for IPv4 */
vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
/* for IPv6 */
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */
ssl_private_key = "/tmp/credentials/ssl_private_key";
/* ssl_cert: certificate for our ssl server */
ssl_cert = ${toJSON cfg.ssl_cert};
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
ssl_dh_params = "/tmp/credentials/ssl_dh_params";
/* ssld_count: number of ssld processes you want to start, if you
* have a really busy server, using N-1 where N is the number of
* cpu/cpu cores you have might be useful. A number greater than one
* can also be useful in case of bugs in ssld and because ssld needs
* two file descriptors per SSL connection.
*/
ssld_count = 1;
/* default max clients: the default maximum number of clients
* allowed to connect. This can be changed once ircd has started by
* issuing:
* /quote set maxclients <limit>
*/
default_max_clients = 1024;
/* nicklen: enforced nickname length (for this server only; must not
* be longer than the maximum length set while building).
*/
nicklen = 30;
};
admin {
name = "tv";
description = "peer";
};
log {
fname_userlog = "/dev/stderr";
fname_fuserlog = "/dev/stderr";
fname_operlog = "/dev/stderr";
fname_foperlog = "/dev/stderr";
fname_serverlog = "/dev/stderr";
fname_klinelog = "/dev/stderr";
fname_killlog = "/dev/stderr";
fname_operspylog = "/dev/stderr";
fname_ioerrorlog = "/dev/stderr";
};
/* class {} blocks MUST be specified before anything that uses them. That
* means they must be defined before auth {} and before connect {}.
*/
class "krebs" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 2048;
number_per_ip_global = 4096;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 65536;
max_number = 3000;
sendq = 1 megabyte;
};
class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 1024;
number_per_ip_global = 4096;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 65536;
max_number = 3000;
sendq = 400 kbytes;
};
class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};
class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 1;
sendq = 4 megabytes;
};
listen {
/* defer_accept: wait for clients to send IRC handshake data before
* accepting them. if you intend to use software which depends on the
* server replying first, such as BOPM, you should disable this feature.
* otherwise, you probably want to leave it on.
*/
defer_accept = yes;
/* If you want to listen on a specific IP only, specify host.
* host definitions apply only to the following port line.
*/
#host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
port = ${toString cfg.port};
sslport = ${toString cfg.sslport};
};
/* auth {}: allow users to connect to the ircd (OLD I:)
* auth {} blocks MUST be specified in order of precedence. The first one
* that matches a user will be used. So place spoofs first, then specials,
* then general access, then restricted.
*/
auth {
/* user: the user@host allowed to connect. Multiple IPv4/IPv6 user
* lines are permitted per auth block. This is matched against the
* hostname and IP address (using :: shortening for IPv6 and
* prepending a 0 if it starts with a colon) and can also use CIDR
* masks.
*/
user = "*@10.243.0.0/16";
user = "*@42::/16";
/* password: an optional password that is required to use this block.
* By default this is not encrypted, specify the flag "encrypted" in
* flags = ...; below if it is.
*/
#password = "letmein";
/* spoof: fake the users user@host to be be this. You may either
* specify a host or a user@host to spoof to. This is free-form,
* just do everyone a favour and dont abuse it. (OLD I: = flag)
*/
#spoof = "I.still.hate.packets";
/* Possible flags in auth:
*
* encrypted | password is encrypted with mkpasswd
* spoof_notice | give a notice when spoofing hosts
* exceed_limit (old > flag) | allow user to exceed class user limits
* kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls
* dnsbl_exempt | exempt this user from dnsbls
* spambot_exempt | exempt this user from spambot checks
* shide_exempt | exempt this user from serverhiding
* jupe_exempt | exempt this user from generating
* warnings joining juped channels
* resv_exempt | exempt this user from resvs
* flood_exempt | exempt this user from flood limits
* USE WITH CAUTION.
* no_tilde (old - flag) | don't prefix ~ to username if no ident
* need_ident (old + flag) | require ident for user in this class
* need_ssl | require SSL/TLS for user in this class
* need_sasl | require SASL id for user in this class
*/
flags = kline_exempt, exceed_limit, flood_exempt;
/* class: the class the user is placed in */
class = "krebs";
};
auth {
user = "*@*";
class = "users";
};
/* privset {} blocks MUST be specified before anything that uses them. That
* means they must be defined before operator {}.
*/
privset "local_op" {
privs = oper:local_kill, oper:operwall;
};
privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};
privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};
privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override;
};
privset "aids" {
privs = oper:override, oper:rehash;
};
operator "aids" {
user = "*@10.243.*";
privset = "aids";
flags = ~encrypted;
password = "balls";
};
operator "god" {
/* name: the name of the oper must go above */
/* user: the user@host required for this operator. CIDR *is*
* supported now. auth{} spoofs work here, other spoofs do not.
* multiple user="" lines are supported.
*/
user = "*god@127.0.0.1";
/* password: the password required to oper. Unless ~encrypted is
* contained in flags = ...; this will need to be encrypted using
* mkpasswd, MD5 is supported
*/
password = "5";
/* rsa key: the public key for this oper when using Challenge.
* A password should not be defined when this is used, see
* doc/challenge.txt for more information.
*/
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
/* umodes: the specific umodes this oper gets when they oper.
* If this is specified an oper will not be given oper_umodes
* These are described above oper_only_umodes in general {};
*/
#umodes = locops, servnotice, operwall, wallop;
/* fingerprint: if specified, the oper's client certificate
* fingerprint will be checked against the specified fingerprint
* below.
*/
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
/* snomask: specific server notice mask on oper up.
* If this is specified an oper will not be given oper_snomask.
*/
snomask = "+Zbfkrsuy";
/* flags: misc options for the operator. You may prefix an option
* with ~ to disable it, e.g. ~encrypted.
*
* Default flags are encrypted.
*
* Available options:
*
* encrypted: the password above is encrypted [DEFAULT]
* need_ssl: must be using SSL/TLS to oper up
*/
flags = encrypted;
/* privset: privileges set to grant */
privset = "admin";
};
service {
name = "services.int";
};
cluster {
name = "*";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};
shared {
oper = "*@*", "*";
flags = all, rehash;
};
/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};
channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};
serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};
/* These are the blacklist settings.
* You can have multiple combinations of host and rejection reasons.
* They are used in pairs of one host/rejection reason.
*
* These settings should be adequate for most networks, and are (presently)
* required for use on StaticBox.
*
* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
* connections.
*
* As of charybdis 2.2, you can do some keyword substitution on the rejection
* reason. The available keyword substitutions are:
*
* ''${ip} - the user's IP
* ''${host} - the user's canonical hostname
* ''${dnsbl-host} - the dnsbl hostname the lookup was done against
* ''${nick} - the user's nickname
* ''${network-name} - the name of the network
*
* As of charybdis 3.4, a type parameter is supported, which specifies the
* address families the blacklist supports. IPv4 and IPv6 are supported.
* IPv4 is currently the default as few blacklists support IPv6 operation
* as of this writing.
*
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
* contacted, via email, at admins@2mbit.com before using these BLs.
* See <http://www.ahbl.org/services.php> for more information.
*/
blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}";
# host = "ircbl.ahbl.org";
# type = ipv4;
# reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect.";
#
# host = "tor.ahbl.org";
# type = ipv4;
# reject_reason = "''${nick}, your IP (''${ip}) is listed as a TOR exit node. In order to protect ''${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
#
/* Example of a blacklist that supports both IPv4 and IPv6 */
# host = "foobl.blacklist.invalid";
# type = ipv4, ipv6;
# reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect";
};
alias "NickServ" {
target = "NickServ";
};
alias "ChanServ" {
target = "ChanServ";
};
alias "OperServ" {
target = "OperServ";
};
alias "MemoServ" {
target = "MemoServ";
};
alias "NS" {
target = "NickServ";
};
alias "CS" {
target = "ChanServ";
};
alias "OS" {
target = "OperServ";
};
alias "MS" {
target = "MemoServ";
};
general {
hide_error_messages = opers;
hide_spoof_ips = yes;
/*
* default_umodes: umodes to enable on connect.
* If you have enabled the new ip_cloaking_4.0 module, and you want
* to make use of it, add +x to this option, i.e.:
* default_umodes = "+ix";
*
* If you have enabled the old ip_cloaking module, and you want
* to make use of it, add +h to this option, i.e.:
* default_umodes = "+ih";
*/
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 1000;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
client_flood_max_lines = 16000;
client_flood_burst_rate = 32000;
client_flood_burst_max = 32000;
client_flood_message_num = 32000;
client_flood_message_time = 32000;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 1;
throttle_count = 1000;
max_ratelimit_tokens = 30;
away_interval = 30;
disable_auth = yes;
};
modules {
path = "modules";
path = "modules/autoload";
};
exempt {
ip = "10.243.0.0/16";
};
''


@ -1,81 +0,0 @@
with import ./lib;
{ config, pkgs, ... }@args: let
cfg = config.tv.charybdis;
in {
options.tv.charybdis = {
enable = mkEnableOption "tv.charybdis";
motd = mkOption {
type = types.str;
default = "/join #retiolum";
};
port = mkOption {
type = types.int;
default = 6667;
};
ssl_cert = mkOption {
type = types.path;
};
ssl_dh_params = mkOption {
type = types.absolute-pathname;
default = "${config.krebs.secret.directory}/charybdis.dh.pem";
};
ssl_private_key = mkOption {
type = types.absolute-pathname;
default = "${config.krebs.secret.directory}/charybdis.key.pem";
};
sslport = mkOption {
type = types.int;
default = 6697;
};
user = mkOption {
type = types.user;
default = {
name = "charybdis";
home = "/var/lib/charybdis";
};
};
};
config = lib.mkIf cfg.enable {
environment.etc."charybdis-ircd.motd".text = cfg.motd;
krebs.systemd.services.charybdis = {};
systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db";
};
serviceConfig = {
SyslogIdentifier = "charybdis";
User = cfg.user.name;
PrivateTmp = true;
Restart = "always";
ExecStartPre = [
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
];
ExecStart = toString [
"${pkgs.charybdis}/bin/charybdis"
"-configfile ${import ./config.nix args}"
"-foreground"
"-logfile /dev/stderr"
];
LoadCredential = [
"ssl_dh_params:${cfg.ssl_dh_params}"
"ssl_private_key:${cfg.ssl_private_key}"
];
};
};
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.user.name;
isSystemUser = true;
};
users.groups.${cfg.user.name} = {};
};
}


@ -1 +0,0 @@
../lib


@ -1,8 +0,0 @@
with import ./lib;
{
imports =
map
(name: ./. + "/${name}")
(attrNames
(filterAttrs isNixDirEntry (readDir ./.)));
}


@ -1,58 +0,0 @@
with import ./lib;
{ config, ... }: let
cfg = config.tv.dnsmasq;
in {
options.tv.dnsmasq = {
enable = mkEnableOption "tv.dnsmasq";
dhcp-range = mkOption {
type = types.str;
};
interface = mkOption {
type = types.str;
};
address = mkOption {
type = types.str;
};
prefixLength = mkOption {
type = types.addCheck types.int (x: x >= 0 && x <= 32);
};
};
config = mkIf cfg.enable (mkMerge [
{
networking.dhcpcd.denyInterfaces = [ cfg.interface ];
services.dnsmasq.resolveLocalQueries = false;
networking.interfaces.${cfg.interface} = {
ipv4.addresses = singleton {
address = cfg.address;
prefixLength = cfg.prefixLength;
};
};
services.dnsmasq.enable = true;
services.dnsmasq.extraConfig = ''
bind-interfaces
dhcp-range=${cfg.dhcp-range}
listen-address=${cfg.address}
'';
tv.iptables.extra.filter.INPUT = [
"-i ${cfg.interface} -p tcp -m tcp --dport bootps -j ACCEPT"
"-i ${cfg.interface} -p udp -m udp --dport bootps -j ACCEPT"
"-i ${cfg.interface} -p tcp -m tcp --dport domain -j ACCEPT"
"-i ${cfg.interface} -p udp -m udp --dport domain -j ACCEPT"
];
}
{
# enable forwarding
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
tv.iptables.extra.filter.FORWARD = [
"-m state --state RELATED,ESTABLISHED -j ACCEPT"
"-i ${cfg.interface} -j ACCEPT"
];
tv.iptables.extra.nat.POSTROUTING = [
"-j MASQUERADE"
];
}
]);
}


@ -1,275 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = config.tv.ejabberd;
gen-dhparam = pkgs.writeDash "gen-dhparam" ''
set -efu
path=$1
bits=2048
# TODO regenerate dhfile after some time?
if ! test -e "$path"; then
${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
fi
'';
settingsFormat = pkgs.formats.json {};
in {
options.tv.ejabberd = {
enable = mkEnableOption "tv.ejabberd";
certfiles = mkOption {
type = types.listOf types.absolute-pathname;
default = [
"${config.krebs.secret.directory}/ejabberd.pem"
];
};
configFile = mkOption {
type = types.either types.package types.absolute-pathname;
default = settingsFormat.generate "ejabberd.yaml" cfg.settings;
};
ciphers = mkOption {
type = types.listOf types.str;
default = [
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-AES256-SHA384"
"ECDHE-RSA-AES256-SHA384"
"ECDHE-ECDSA-AES128-SHA256"
"ECDHE-RSA-AES128-SHA256"
];
};
credentials.certfiles = mkOption {
internal = true;
readOnly = true;
default =
imap
(i: const "/tmp/credentials/certfile${toJSON i}")
cfg.certfiles;
};
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberd = mkOption {
type = types.package;
default = pkgs.symlinkJoin {
name = "ejabberd-wrapper";
paths = [
(pkgs.writeDashBin "ejabberdctl" ''
exec ${pkgs.ejabberd}/bin/ejabberdctl \
--config /etc/ejabberd/ejabberd.yaml \
--ctl-config /etc/ejabberd/ejabberdctl.cfg \
--logs ${cfg.stateDir} \
--spool ${cfg.stateDir} \
"$@"
'')
pkgs.ejabberd
];
};
};
protocol_options = mkOption {
type = types.listOf types.str;
default = [
"no_sslv2"
"no_sslv3"
"no_tlsv1"
"no_tlsv1_10"
];
};
registration_watchers = mkOption {
type = types.listOf types.str;
default = [
config.krebs.users.tv.mail
];
};
settings = mkOption {
type = settingsFormat.type;
default = {};
};
stateDir = mkOption {
type =
types.addCheck
types.absolute-pathname
(path:
hasPrefix "/var/lib/" path &&
types.filename.check (removePrefix "/var/lib/" path)
);
default = "/var/lib/ejabberd";
};
};
config = lib.mkIf cfg.enable {
environment.etc."ejabberd/ejabberd.yaml".source = cfg.configFile;
environment.etc."ejabberd/ejabberdctl.cfg".source =
builtins.toFile "ejabberdctl.cfg" /* sh */ ''
ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
'';
environment.systemPackages = [
(pkgs.symlinkJoin {
name = "ejabberd-sudo-wrapper";
paths = [
(pkgs.writeDashBin "ejabberdctl" ''
exec ${pkgs.systemd}/bin/systemd-run \
--unit=ejabberdctl \
--property=StateDirectory=ejabberd \
--property=User=ejabberd \
--collect \
--pipe \
--quiet \
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
'')
cfg.pkgs.ejabberd
];
})
];
krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
reloadTriggers = [
config.environment.etc."ejabberd/ejabberd.yaml".source
config.environment.etc."ejabberd/ejabberdctl.cfg".source
];
serviceConfig = {
ExecStartPre = [
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
"${gen-dhparam} ${cfg.stateDir}/dhfile"
];
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
ExecStop = [
"${cfg.pkgs.ejabberd}/bin/ejabberdctl stop"
"${cfg.pkgs.ejabberd}/bin/ejabberdctl stopped"
];
ExecReload = "${cfg.pkgs.ejabberd}/bin/ejabberdctl reload_config";
LoadCredential =
zipListsWith
(dst: src: "${baseNameOf dst}:${src}")
cfg.credentials.certfiles
cfg.certfiles;
LimitNOFILE = 65536;
PrivateDevices = true;
PrivateTmp = true;
SyslogIdentifier = "ejabberd";
StateDirectory = "ejabberd";
User = "ejabberd";
DynamicUser = true;
TimeoutSec = 60;
RestartSec = 5;
Restart = "on-failure";
Type = "notify";
NotifyAccess = "all";
WatchdogSec = 30;
};
};
# preset config values
tv.ejabberd.settings = {
access_rules = {
announce = mkDefault [{ allow = "admin"; }];
local = mkDefault [{ allow = "local"; }];
configure = mkDefault [{ allow = "admin"; }];
register = mkDefault ["allow"];
s2s = mkDefault ["allow"];
trusted_network = mkDefault [{ allow = "loopback"; }];
};
acl = {
local.user_regexp = mkDefault "";
loopback.ip = mkDefault [
"127.0.0.0/8"
"::1/128"
"::FFFF:127.0.0.1/128"
];
};
certfiles = mkDefault cfg.credentials.certfiles;
hosts = mkDefault cfg.hosts;
language = mkDefault "en";
listen = mkDefault [
{
port = 5222;
ip = "::";
module = "ejabberd_c2s";
shaper = "c2s_shaper";
ciphers = concatStringsSep ":" cfg.ciphers;
protocol_options = cfg.protocol_options;
starttls = true;
starttls_required = true;
tls = false;
tls_compression = false;
max_stanza_size = 65536;
}
{
port = 5269;
ip = "::";
module = "ejabberd_s2s_in";
shaper = "s2s_shaper";
dhfile = "${cfg.stateDir}/dhfile";
max_stanza_size = 131072;
}
];
loglevel = mkDefault "4";
modules = {
mod_adhoc = mkDefault {};
mod_admin_extra = mkDefault {};
mod_announce.access = mkDefault "announce";
mod_caps = mkDefault {};
mod_carboncopy = mkDefault {};
mod_client_state = mkDefault {};
mod_configure = mkDefault {};
mod_disco = mkDefault {};
mod_echo = mkDefault {};
mod_bosh = mkDefault {};
mod_last = mkDefault {};
mod_offline.access_max_user_messages = mkDefault "max_user_offline_messages";
mod_ping = mkDefault {};
mod_privacy = mkDefault {};
mod_private = mkDefault {};
mod_register = {
access_from = mkDefault "deny";
access = mkDefault "register";
ip_access = mkDefault "trusted_network";
registration_watchers = mkDefault cfg.registration_watchers;
};
mod_roster = mkDefault {};
mod_shared_roster = mkDefault {};
mod_stats = mkDefault {};
mod_time = mkDefault {};
mod_vcard.search = mkDefault false;
mod_version = mkDefault {};
mod_http_api = mkDefault {};
};
s2s_access = mkDefault "s2s";
s2s_ciphers = concatStringsSep ":" cfg.ciphers;
s2s_dhfile = mkDefault "${cfg.stateDir}/dhfile";
s2s_protocol_options = mkDefault cfg.protocol_options;
s2s_tls_compression = mkDefault false;
s2s_use_starttls = mkDefault "required";
shaper_rules = {
max_user_offline_messages = mkDefault [
{ "5000" = "admin"; }
100
];
max_user_sessions = mkDefault 10;
c2s_shaper = mkDefault [
{ "none" = "admin"; }
"normal"
];
s2s_shaper = mkDefault "fast";
};
};
};
}


@ -1 +0,0 @@
../lib


@ -1,4 +0,0 @@
with import ./lib;
{
options.tv.focus.enable = mkEnableOption "tv.focus";
}


@ -1,9 +0,0 @@
with import ./lib;
{ config, ... }: {
options.tv.hosts = mkOption {
type = types.attrsOf types.host;
default =
filterAttrs (_: host: host.owner.name == "tv")
config.krebs.hosts;
};
}


@ -1,16 +0,0 @@
with import ./lib;
let
local.types.screen = lib.types.submodule {
options.width = lib.mkOption {
type = lib.types.uint;
};
options.height = lib.mkOption {
type = lib.types.uint;
};
};
in {
options.tv.hw.screens = lib.mkOption {
type = lib.types.attrsOf local.types.screen;
default = {};
};
}


@ -1,110 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let
im = config.tv.im;
in {
options = {
tv.im.client.enable = lib.mkEnableOption "tv.im.client" // {
default = config.krebs.build.host.name == im.client.host.name;
};
tv.im.client.term = lib.mkOption {
default = "rxvt-unicode-256color";
type = lib.types.filename;
};
tv.im.client.useIPv6 = lib.mkEnableOption "tv.im.client.useIPv6" // {
default = true;
};
tv.im.client.host = lib.mkOption {
default = config.krebs.hosts.xu;
type = lib.types.host;
};
tv.im.client.user = lib.mkOption {
default = config.krebs.users.tv;
type = lib.types.user;
};
tv.im.server.enable = lib.mkEnableOption "tv.im.server" // {
default = config.krebs.build.host.name == im.server.host.name;
};
tv.im.server.host = lib.mkOption {
default = config.krebs.hosts.nomic;
type = lib.types.host;
};
tv.im.server.mosh.enable = lib.mkEnableOption "tv.im.server.mosh" // {
default = true;
};
tv.im.server.weechat.relay.enable =
lib.mkEnableOption "tv.im.server.weechat.relay";
tv.im.server.user = lib.mkOption {
default = config.krebs.users.tv;
type = lib.types.user;
};
};
imports = [
(lib.mkIf im.client.enable {
users.users.${im.client.user.name}.packages = [
(pkgs.writeDashBin "im" ''
${if im.server.mosh.enable then /* sh */ ''
exec ${pkgs.mosh}/bin/mosh \
${lib.optionalString im.client.useIPv6 "-6"} \
${im.server.user.name}@${lib.head im.server.host.nets.retiolum.aliases} \
env TERM=${im.client.term} im
'' else /* sh */ ''
exec ${pkgs.openssh}/bin/ssh \
${lib.optionalString im.client.useIPv6 "-6"} \
${im.server.user.name}@${lib.head im.server.host.nets.retiolum.aliases} \
-t \
im
''}
'')
];
})
(lib.mkIf im.server.enable {
services.bitlbee = {
enable = true;
plugins = [
pkgs.bitlbee-facebook
];
};
users.users.${im.server.user.name}.packages = [
pkgs.mosh
(pkgs.writeDashBin "im" ''
export PATH=${lib.makeSearchPath "bin" [
pkgs.tmux
pkgs.gnugrep
pkgs.weechat-tv
]}
if tmux list-sessions -F\#S | grep -q '^im''$'; then
exec tmux attach -t im
else
exec tmux new -s im weechat
fi
'')
];
})
(lib.mkIf im.server.mosh.enable {
krebs.setuid.utempter = {
filename = "${pkgs.libutempter}/lib/utempter/utempter";
owner = "nobody";
group = "utmp";
mode = "2111";
};
tv.iptables.extra4.filter.Retiolum = [
"-s ${im.client.host.nets.retiolum.ip4.addr} -p udp --dport 60000:61000 -j ACCEPT"
];
tv.iptables.extra6.filter.Retiolum = [
"-s ${im.client.host.nets.retiolum.ip6.addr} -p udp --dport 60000:61000 -j ACCEPT"
];
})
(lib.mkIf im.server.weechat.relay.enable {
krebs.iana-etc.services = {
"9001".tcp.name = "weechat-ssl";
};
tv.iptables.extra4.filter.Retiolum = [
"-s ${im.client.host.nets.retiolum.ip4.addr} -p tcp -m tcp --dport 9001 -j ACCEPT"
];
tv.iptables.extra6.filter.Retiolum = [
"-s ${im.client.host.nets.retiolum.ip6.addr} -p tcp -m tcp --dport 9001 -j ACCEPT"
];
})
];
}


@ -1,208 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: let {
cfg = config.tv.iptables;
body = {
options.tv.iptables = api;
config = lib.mkIf cfg.enable imp;
};
extraTypes = {
rules = types.submodule {
options = {
nat.OUTPUT = mkOption {
type = with types; listOf str;
default = [];
};
nat.PREROUTING = mkOption {
type = with types; listOf str;
default = [];
};
nat.POSTROUTING = mkOption {
type = with types; listOf str;
default = [];
};
filter.FORWARD = mkOption {
type = with types; listOf str;
default = [];
};
filter.INPUT = mkOption {
type = with types; listOf str;
default = [];
};
filter.Retiolum = mkOption {
type = with types; listOf str;
default = [];
};
filter.Wiregrill = mkOption {
type = with types; listOf str;
default = [];
};
};
};
};
api = {
enable = mkEnableOption "tv.iptables";
accept-echo-request = mkOption {
type = with types; nullOr (enum ["internet" "retiolum"]);
default = "retiolum";
};
input-internet-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-internet-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-wiregrill-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-wiregrill-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
extra = mkOption {
default = {};
type = extraTypes.rules;
};
extra4 = mkOption {
default = {};
type = extraTypes.rules;
};
extra6 = mkOption {
default = {};
type = extraTypes.rules;
};
};
imp = {
networking.firewall.enable = false;
systemd.services.tv-iptables = {
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = with pkgs; [
iptables
];
restartIfChanged = true;
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
Restart = "always";
SyslogIdentifier = "tv-iptables_start";
ExecStart = pkgs.writeDash "tv-iptables_start" ''
set -euf
iptables-restore < ${rules 4}
ip6tables-restore < ${rules 6}
'';
};
unitConfig.DefaultDependencies = false;
};
};
formatTable = table:
(concatStringsSep "\n"
(mapAttrsToList
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
table));
rules = iptables-version: let
accept-echo-request = {
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
}."ip${toString iptables-version}tables";
accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
in
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${formatTable cfg."extra${toString iptables-version}".nat}
${formatTable cfg.extra.nat}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Retiolum - [0:0]
:Wiregrill - [0:0]
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
++ [
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"-i lo -j ACCEPT"
]
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
++ ["-i retiolum -j Retiolum"]
++ ["-i wiregrill -j Wiregrill"]
)}
${formatTable cfg.extra.filter}
${formatTable cfg."extra${toString iptables-version}".filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
${concatMapStringsSep "\n" (rule: "-A Wiregrill ${rule}") ([]
++ optional (cfg.accept-echo-request == "wiregrill") accept-echo-request
++ map accept-tcp (unique (map toString cfg.input-wiregrill-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-wiregrill-accept-udp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
COMMIT
'';
}


@ -1 +0,0 @@
../lib


@ -1,45 +0,0 @@
with import ./lib;
{ config, pkgs, ... }: {
options = {
tv.lidControl.enable = mkEnableOption "tv.lidControl";
};
config = let
cfg = config.tv.lidControl;
in mkIf cfg.enable {
services.acpid.enable = true;
services.acpid.lidEventCommands = /* sh */ ''
set -- $1
# usage: vt_is_xserver NUMBER
vt_is_xserver() {
${pkgs.iproute}/bin/ss -lp src unix:/tmp/.X11-unix/X* |
${pkgs.gnused}/bin/sed -n 's|.*/tmp/.X11-unix/X\([0-9]\+\)\>.*|\1|p' |
${pkgs.gnugrep}/bin/grep -Fqx "$1"
}
console=$(${pkgs.kbd}/bin/fgconsole)
if vt_is_xserver "$console"; then
# usage: run_on_display COMMAND [ARG...]
run_on_display() {
owner=$(${pkgs.coreutils}/bin/stat -c %u /tmp/.X11-unix/X$console)
${pkgs.systemd}/bin/systemd-run -GPq \
-E DISPLAY=:$console \
--uid=$owner \
"$@"
}
case $3 in
open)
run_on_display ${pkgs.xorg.xset}/bin/xset dpms force on
;;
close)
run_on_display ${pkgs.xorg.xset}/bin/xset dpms force off
;;
esac
fi
'';
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
};
}


@ -1,29 +0,0 @@
with import ./lib;
{ config, ... }: {
options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
default = {};
type =
lib.types.addCheck
(lib.types.attrsOf (lib.types.attrsOf lib.types.bool))
(x:
lib.all
lib.types.username.check
(lib.concatLists
(lib.mapAttrsToList
(name: value: [name] ++ lib.attrNames value)
x)));
};
config.security.polkit.extraConfig = let
cfg = config.org.freedesktop.machine1.host-shell;
enable = cfg.access != {};
in lib.optionalString enable /* js */ ''
polkit.addRule(function () {
var access = ${lib.toJSON cfg.access};
return function(action, subject) {
if (action.id === "org.freedesktop.machine1.host-shell"
&& (access[subject.user]||{})[action.lookup("user")])
return polkit.Result.YES;
}
}());
'';
}
