Merge remote-tracking branch 'ni/master'
commit
4820fc27cd
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.21.1";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.13.39";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.13.36";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.20.1";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.0.110";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.22.22";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.13.42";
|
||||
|
@ -2,7 +2,6 @@
|
||||
binary-cache = {
|
||||
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
|
||||
};
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.13.38";
|
||||
|
@ -1,5 +1,4 @@
|
||||
{
|
||||
ci = true;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.13.40";
|
||||
|
@ -16,6 +16,9 @@ with lib; {
|
||||
@ 3600 IN NS ns2.he.net.
|
||||
@ 3600 IN NS ns3.he.net.
|
||||
@ 3600 IN NS ns2.hosting.de.
|
||||
|
||||
panda NS panda
|
||||
panda A 130.61.237.100
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
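Review bot: The new `panda NS panda` and `panda A 130.61.237.100` records omit the explicit `3600` TTL and the `IN` class that every surrounding record in this zone carries, so they silently inherit the zone's default TTL; for consistency with the `@` records write `panda 3600 IN NS panda` and `panda 3600 IN A 130.61.237.100`. The A record is the glue that makes this in-zone delegation resolvable, so a comment such as `; glue for the panda delegation, keep in sync with the host's address` would help the next editor; whether the server at that address actually serves the delegated zone cannot be verified from the hunk. The Nix `''` string that holds this zone starts outside the hunk.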
@ -1,87 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
boot = {
|
||||
initrd = {
|
||||
availableKernelModules = [ "ahci" ];
|
||||
luks.devices.luksroot.device = "/dev/sda2";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.firefox
|
||||
pkgs.networkmanagerapplet
|
||||
(pkgs.pidgin.override {
|
||||
plugins = [ pkgs.pidgin-otr ];
|
||||
})
|
||||
];
|
||||
|
||||
fileSystems = {
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
"/" = {
|
||||
device = "/dev/mapper/main-root";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "noatime" ];
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/main-home";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "noatime" ];
|
||||
};
|
||||
};
|
||||
|
||||
hardware = {
|
||||
opengl.driSupport32Bit = true;
|
||||
pulseaudio.enable = true;
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "de_DE.UTF-8";
|
||||
|
||||
krebs.build = {
|
||||
host = config.krebs.hosts.alnus;
|
||||
user = mkForce config.krebs.users.dv;
|
||||
};
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
services.earlyoom.enable = true;
|
||||
services.earlyoom.freeMemThreshold = 5;
|
||||
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
|
||||
"--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
layout = "de";
|
||||
xkbOptions = "eurosign:e";
|
||||
|
||||
libinput.enable = false;
|
||||
synaptics = {
|
||||
enable = true;
|
||||
twoFingerScroll = true;
|
||||
};
|
||||
};
|
||||
services.xserver.desktopManager.plasma5.enable = true;
|
||||
services.xserver.displayManager.autoLogin.enable = true;
|
||||
services.xserver.displayManager.autoLogin.user = "dv";
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
users.users.dv = {
|
||||
inherit (config.krebs.users.dv) home uid;
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"video"
|
||||
"networkmanager"
|
||||
];
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,23 +0,0 @@
|
||||
{ config, ... }: {
|
||||
imports = [
|
||||
./disks.nix
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/ppp.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
<stockholm/tv/2configs/xsessions>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.au;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp0s25.useDHCP = true;
|
||||
networking.interfaces.wlp3s0.useDHCP = true;
|
||||
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
|
||||
|
||||
system.stateVersion = "20.03";
|
||||
|
||||
tv.hw.screens.primary.width = 1920;
|
||||
tv.hw.screens.primary.height = 1080;
|
||||
}
|
@ -1,19 +0,0 @@
|
||||
{
|
||||
boot.initrd.luks.devices.main.device = "/dev/sda2";
|
||||
fileSystems."/" = {
|
||||
device = "/dev/main/root";
|
||||
options = ["defaults" "noatime" "commit=60"];
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/sda1";
|
||||
options = ["defaults" "noatime"];
|
||||
};
|
||||
fileSystems."/bku" = {
|
||||
device = "/dev/main/bku";
|
||||
options = ["defaults" "noatime"];
|
||||
};
|
||||
fileSystems."/home" = {
|
||||
device = "/dev/main/home";
|
||||
options = ["defaults" "noatime" "commit=60"];
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,35 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
imports = [
|
||||
./disks.nix
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/gitconfig.nix>
|
||||
<stockholm/tv/2configs/pulse.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
<stockholm/tv/2configs/xsessions>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.bu;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp0s25.useDHCP = true;
|
||||
networking.interfaces.wlp3s0.useDHCP = true;
|
||||
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
|
||||
networking.wireless.interfaces = [
|
||||
"wlp3s0"
|
||||
];
|
||||
|
||||
programs.gnupg.agent.enable = true;
|
||||
programs.gnupg.agent.pinentryFlavor = "gtk2";
|
||||
|
||||
services.earlyoom.enable = true;
|
||||
services.earlyoom.freeMemThreshold = 5;
|
||||
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
|
||||
"--prefer '(^|/)chromium$'"
|
||||
];
|
||||
|
||||
system.stateVersion = "21.11";
|
||||
}
|
@ -1,19 +0,0 @@
|
||||
{
|
||||
boot.initrd.luks.devices.buda2.device = "/dev/sda2";
|
||||
fileSystems."/" = {
|
||||
device = "buda2/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/bku" = {
|
||||
device = "buda2/bku";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/home" = {
|
||||
device = "buda2/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/sda1";
|
||||
fsType = "vfat";
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,127 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/br.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.mu;
|
||||
krebs.build.user = mkForce config.krebs.users.vv;
|
||||
|
||||
tv.x0vncserver.enable = true;
|
||||
|
||||
boot.initrd.luks.devices.muca.device = "/dev/sda2";
|
||||
boot.initrd.availableKernelModules = [ "ahci" ];
|
||||
boot.kernelModules = [ "fbcon" "kvm-intel" ];
|
||||
boot.kernelParams = [ "fsck.repair=yes" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/mapper/muvga-root";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "discard" ];
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/muvga-home";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "discard" ];
|
||||
};
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
fsType = "vfat";
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
hardware.opengl.driSupport32Bit = true;
|
||||
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
# XXX reload to work around occasional "Failed to load firmware chunk!"
|
||||
# TODO only do this if firmware is actually broken(?)
|
||||
system.activationScripts.reload-iwlwifi = /* sh */ ''
|
||||
${pkgs.kmod}/bin/modprobe -vr iwlwifi
|
||||
${pkgs.kmod}/bin/modprobe -v iwlwifi
|
||||
'';
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.chromium
|
||||
pkgs.firefox
|
||||
pkgs.gimp
|
||||
pkgs.iptables
|
||||
pkgs.libreoffice
|
||||
pkgs.plasma-pa
|
||||
(pkgs.pidgin.override {
|
||||
plugins = [ pkgs.pidgin-otr ];
|
||||
})
|
||||
pkgs.skypeforlinux
|
||||
pkgs.slock
|
||||
pkgs.tinc_pre
|
||||
pkgs.vim
|
||||
pkgs.xsane
|
||||
|
||||
#pkgs.foomatic_filters
|
||||
#pkgs.gutenprint
|
||||
#pkgs.cups_pdf_filter
|
||||
#pkgs.ghostscript
|
||||
];
|
||||
|
||||
|
||||
i18n.defaultLocale = "de_DE.UTF-8";
|
||||
|
||||
programs.ssh.startAgent = false;
|
||||
|
||||
krebs.setuid = {
|
||||
slock = {
|
||||
filename = "${pkgs.slock}/bin/slock";
|
||||
mode = "4111";
|
||||
};
|
||||
};
|
||||
|
||||
security.pam.loginLimits = [
|
||||
# for jack
|
||||
{ domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
|
||||
{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
|
||||
];
|
||||
|
||||
fonts.fonts = [
|
||||
pkgs.xorg.fontschumachermisc
|
||||
];
|
||||
|
||||
services.xserver.enable = true;
|
||||
services.xserver.layout = "de";
|
||||
services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
# TODO this is host specific
|
||||
services.xserver.libinput.enable = false;
|
||||
services.xserver.synaptics = {
|
||||
enable = true;
|
||||
twoFingerScroll = true;
|
||||
};
|
||||
|
||||
services.xserver.desktopManager.plasma5.enable = true;
|
||||
|
||||
services.xserver.displayManager.autoLogin.enable = true;
|
||||
services.xserver.displayManager.autoLogin.user = "vv";
|
||||
|
||||
users.users.vv = {
|
||||
inherit (config.krebs.users.vv) home uid;
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"video"
|
||||
"networkmanager"
|
||||
];
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,62 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.build.host = config.krebs.hosts.nomic;
|
||||
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/gitrepos.nix>
|
||||
<stockholm/tv/2configs/mail-client.nix>
|
||||
<stockholm/tv/2configs/nginx/public_html.nix>
|
||||
<stockholm/tv/2configs/pulse.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
<stockholm/tv/2configs/xserver>
|
||||
];
|
||||
|
||||
boot.initrd.luks.devices.luks1.device = "/dev/sda2";
|
||||
|
||||
# Don't use UEFI because current disk was partitioned/formatted for AO753.
|
||||
# TODO remove following bool.loader section after repartitioning/reformatting
|
||||
boot.loader = {
|
||||
grub = {
|
||||
device = "/dev/sda";
|
||||
splashImage = null;
|
||||
};
|
||||
systemd-boot.enable = mkForce false;
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/mapper/nomic1-root";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/sda1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "/dev/mapper/nomic1-home";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeDashBin "play" ''
|
||||
set -euf
|
||||
mpv() { exec ${mpv}/bin/mpv "$@"; }
|
||||
case $1 in
|
||||
deepmix) mpv http://deepmix.ru/deepmix128.pls;;
|
||||
groovesalad) mpv http://somafm.com/play/groovesalad;;
|
||||
ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;;
|
||||
*)
|
||||
echo "$0: bad argument: $*" >&2
|
||||
exit 23
|
||||
esac
|
||||
'')
|
||||
gnupg
|
||||
tmux
|
||||
];
|
||||
|
||||
networking.wireless.enable = true;
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,86 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.querel;
|
||||
krebs.build.user = mkForce config.krebs.users.itak;
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ahci" ];
|
||||
boot.initrd.luks.devices.querel-luks1 = {
|
||||
allowDiscards = true;
|
||||
device = "/dev/sda2";
|
||||
};
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.loader = {
|
||||
efi.canTouchEfiVariables = true;
|
||||
systemd-boot.enable = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.firefox
|
||||
pkgs.gimp
|
||||
pkgs.kate
|
||||
pkgs.libreoffice
|
||||
(pkgs.pidgin.override {
|
||||
plugins = [ pkgs.pidgin-otr ];
|
||||
})
|
||||
pkgs.sxiv
|
||||
pkgs.texlive.combined.scheme-full
|
||||
pkgs.vim
|
||||
pkgs.xsane
|
||||
pkgs.zathura
|
||||
];
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/mapper/querel-root";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "discard" ];
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/querel-home";
|
||||
fsType = "ext4";
|
||||
options = [ "defaults" "discard" ];
|
||||
};
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
};
|
||||
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
i18n.defaultLocale = "de_DE.UTF-8";
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
programs.ssh.startAgent = false;
|
||||
|
||||
services.xserver.enable = true;
|
||||
services.xserver.layout = "de";
|
||||
services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
services.xserver.libinput.enable = false;
|
||||
services.xserver.synaptics = {
|
||||
enable = true;
|
||||
twoFingerScroll = true;
|
||||
};
|
||||
|
||||
services.xserver.desktopManager.plasma5.enable = true;
|
||||
|
||||
services.xserver.displayManager.autoLogin.enable = true;
|
||||
services.xserver.displayManager.autoLogin.user = "itak";
|
||||
|
||||
users.users.itak = {
|
||||
inherit (config.krebs.users.itak) home uid;
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"video"
|
||||
"networkmanager"
|
||||
];
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,37 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, ... }: {
|
||||
imports = [
|
||||
../..
|
||||
../../2configs/hw/winmax2.nix
|
||||
../../2configs/retiolum.nix
|
||||
../../2configs/wiregrill.nix
|
||||
];
|
||||
|
||||
boot.initrd.luks.devices.main.device = "/dev/nvme0n1p2";
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/mapper/ruvg0-root";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "compress=zstd"];
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/nvme0n1p1";
|
||||
fsType = "vfat";
|
||||
};
|
||||
fileSystems."/home" = {
|
||||
device = "/dev/mapper/ruvg0-home";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "compress=zstd"];
|
||||
};
|
||||
fileSystems."/bku" = {
|
||||
device = "/dev/mapper/ruvg0-bku";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "compress=zstd"];
|
||||
};
|
||||
|
||||
krebs.build.host = config.krebs.hosts.ru;
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
}
|
@ -1,154 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.build.host = config.krebs.hosts.xu;
|
||||
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
../../2configs/autotether.nix
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/gitconfig.nix>
|
||||
<stockholm/tv/2configs/gitrepos.nix>
|
||||
<stockholm/tv/2configs/mail-client.nix>
|
||||
<stockholm/tv/2configs/man.nix>
|
||||
<stockholm/tv/2configs/nginx/public_html.nix>
|
||||
<stockholm/tv/2configs/ppp.nix>
|
||||
<stockholm/tv/2configs/pulse.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
<stockholm/tv/2configs/binary-cache>
|
||||
<stockholm/tv/2configs/br.nix>
|
||||
<stockholm/tv/2configs/xserver>
|
||||
<stockholm/tv/2configs/xsessions>
|
||||
<stockholm/tv/2configs/xserver/xkiller.nix>
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
|
||||
# root
|
||||
cryptsetup
|
||||
|
||||
# tv
|
||||
bc
|
||||
bind # dig
|
||||
brain
|
||||
cac-api
|
||||
dic
|
||||
file
|
||||
gnupg1compat
|
||||
haskellPackages.hledger
|
||||
jq
|
||||
mkpasswd
|
||||
netcat
|
||||
netcup
|
||||
nmap
|
||||
p7zip
|
||||
(pkgs.pass.withExtensions (ext: [
|
||||
ext.pass-otp
|
||||
]))
|
||||
q
|
||||
qrencode
|
||||
texlive.combined.scheme-full
|
||||
tmux
|
||||
|
||||
#ack
|
||||
#apache-httpd
|
||||
#ascii
|
||||
#emacs
|
||||
#es
|
||||
#esniper
|
||||
#gcc
|
||||
#gptfdisk
|
||||
#graphviz
|
||||
#haskellPackages.cabal2nix
|
||||
#haskellPackages.ghc
|
||||
#haskellPackages.shake
|
||||
#hdparm
|
||||
#i7z
|
||||
#iftop
|
||||
#imagemagick
|
||||
#inotifyTools
|
||||
#iodine
|
||||
#iotop
|
||||
#lshw
|
||||
#lsof
|
||||
#minicom
|
||||
#mtools
|
||||
#ncmpc
|
||||
#nethogs
|
||||
#nix-prefetch-scripts #cvs bug
|
||||
#openssl
|
||||
#openswan
|
||||
#parted
|
||||
#perl
|
||||
#powertop
|
||||
#ppp
|
||||
#proot
|
||||
#pythonPackages.arandr
|
||||
#pythonPackages.youtube-dl
|
||||
#racket
|
||||
#rxvt_unicode-with-plugins
|
||||
#scrot
|
||||
#sec
|
||||
#silver-searcher
|
||||
#sloccount
|
||||
#smartmontools
|
||||
#socat
|
||||
#sshpass
|
||||
#strongswan
|
||||
#sysdig
|
||||
#sysstat
|
||||
#tcpdump
|
||||
#tlsdate
|
||||
#unetbootin
|
||||
#utillinuxCurses
|
||||
#xdotool
|
||||
#xkill
|
||||
#xl2tpd
|
||||
#xsel
|
||||
|
||||
unison
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
boot.initrd.luks.devices.xuca.device = "/dev/sda2";
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/mapper/xuvga-root";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/bku" = {
|
||||
device = "/dev/mapper/xuvga-bku";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/xuvga-home";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
ethtool
|
||||
tinc_pre
|
||||
iptables
|
||||
#jack2
|
||||
|
||||
gptfdisk
|
||||
];
|
||||
|
||||
networking.wireless.enable = true;
|
||||
|
||||
#services.bitlbee.enable = true;
|
||||
#services.tor.client.enable = true;
|
||||
#services.tor.enable = true;
|
||||
|
||||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "15.09";
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,51 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.build.host = config.krebs.hosts.zu;
|
||||
|
||||
imports = [
|
||||
<stockholm/tv>
|
||||
<stockholm/tv/2configs/hw/x220.nix>
|
||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||
<stockholm/tv/2configs/gitrepos.nix>
|
||||
<stockholm/tv/2configs/mail-client.nix>
|
||||
<stockholm/tv/2configs/man.nix>
|
||||
<stockholm/tv/2configs/nginx/public_html.nix>
|
||||
<stockholm/tv/2configs/pulse.nix>
|
||||
<stockholm/tv/2configs/retiolum.nix>
|
||||
<stockholm/tv/2configs/xserver>
|
||||
];
|
||||
|
||||
boot.initrd.luks.devices.zuca.device = "/dev/sda2";
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/mapper/zuvga-root";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/bku" = {
|
||||
device = "/dev/mapper/zuvga-bku";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/zuvga-home";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
};
|
||||
|
||||
networking.wireless.enable = true;
|
||||
|
||||
services.printing.enable = true;
|
||||
|
||||
#services.bitlbee.enable = true;
|
||||
#services.tor.client.enable = true;
|
||||
#services.tor.enable = true;
|
||||
|
||||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "15.09";
|
||||
}
|
@ -1,19 +0,0 @@
|
||||
{ config, pkgs, ... }: let
|
||||
cfg.serial = "17e064850405";
|
||||
in {
|
||||
systemd.services.usb_tether.serviceConfig = {
|
||||
SyslogIdentifier = "usb_tether";
|
||||
ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
|
||||
ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
|
||||
};
|
||||
services.udev.extraRules = /* sh */ ''
|
||||
ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
|
||||
|
||||
ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
|
||||
TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
|
||||
'';
|
||||
systemd.network.networks.android = {
|
||||
matchConfig.Name = "android";
|
||||
DHCP = "yes";
|
||||
};
|
||||
}
|
@ -1,109 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.backup.plans = {
|
||||
} // mapAttrs (_: recursiveUpdate {
|
||||
snapshots = {
|
||||
daily = { format = "%Y-%m-%d"; retain = 7; };
|
||||
weekly = { format = "%YW%W"; retain = 4; };
|
||||
monthly = { format = "%Y-%m"; retain = 12; };
|
||||
yearly = { format = "%Y"; };
|
||||
};
|
||||
}) {
|
||||
bu-home-xu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.bu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
|
||||
startAt = "05:20";
|
||||
};
|
||||
bu-home-zu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.bu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
|
||||
startAt = "05:25";
|
||||
};
|
||||
nomic-home-xu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.nomic; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
|
||||
startAt = "05:00";
|
||||
};
|
||||
nomic-home-zu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.nomic; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.zu; path = "/bku/nomic-home"; };
|
||||
startAt = "04:20";
|
||||
};
|
||||
nomic-pull-querel-home = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.querel; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.nomic; path = "/fs/ponyhof/bku/querel-home"; };
|
||||
startAt = "22:00";
|
||||
};
|
||||
xu-home-bu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
|
||||
startAt = "04:50";
|
||||
};
|
||||
xu-home-nomic = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.nomic; path = "/fs/cis3hG/bku/xu-home"; };
|
||||
startAt = "05:20";
|
||||
};
|
||||
xu-home-zu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.zu; path = "/bku/xu-home"; };
|
||||
startAt = "06:20";
|
||||
};
|
||||
xu-pull-ni-ejabberd = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; };
|
||||
startAt = "07:00";
|
||||
};
|
||||
xu-pull-ni-home = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.ni; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; };
|
||||
startAt = "07:00";
|
||||
};
|
||||
zu-home-xu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.zu; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/zu-home"; };
|
||||
startAt = "05:00";
|
||||
};
|
||||
zu-pull-ni-ejabberd = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.ni; path = "/var/lib/ejabberd"; };
|
||||
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; };
|
||||
startAt = "06:00";
|
||||
};
|
||||
zu-pull-ni-home = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.ni; path = "/home"; };
|
||||
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; };
|
||||
startAt = "06:30";
|
||||
};
|
||||
} // mapAttrs (_: recursiveUpdate {
|
||||
snapshots = {
|
||||
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
|
||||
hourly = { format = "%Y-%m-%dT%H"; retain = 3; };
|
||||
daily = { format = "%Y-%m-%d"; retain = 3; };
|
||||
};
|
||||
startAt = null;
|
||||
}) {
|
||||
xu-test-push-xu = {
|
||||
method = "push";
|
||||
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-push"; };
|
||||
};
|
||||
xu-test-pull-xu = {
|
||||
method = "pull";
|
||||
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-bku-test-data"; };
|
||||
dst = { host = config.krebs.hosts.xu; path = "/bku/xu-test-pull"; };
|
||||
};
|
||||
};
|
||||
}
|
@ -1,67 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
programs.bash = {
|
||||
interactiveShellInit = /* sh */ ''
|
||||
HISTCONTROL='erasedups:ignorespace'
|
||||
HISTSIZE=900001
|
||||
HISTFILESIZE=$HISTSIZE
|
||||
HISTTIMEFORMAT=
|
||||
|
||||
shopt -s checkhash
|
||||
shopt -s histappend histreedit histverify
|
||||
shopt -s no_empty_cmd_completion
|
||||
complete -d cd
|
||||
|
||||
case $UID in
|
||||
${shell.escape (toString config.krebs.users.tv.uid)})
|
||||
if test ''${SHLVL-1} = 1 && test -n "''${DISPLAY-}"; then
|
||||
_CURRENT_DESKTOP_NAME=''${_CURRENT_DESKTOP_NAME-$(
|
||||
${pkgs.xorg.xprop}/bin/xprop -notype -root \
|
||||
32i _NET_CURRENT_DESKTOP \
|
||||
8s _NET_DESKTOP_NAMES \
|
||||
|
|
||||
${pkgs.gnused}/bin/sed -r 's/.* = //;s/"//g;s/, /\a/g' |
|
||||
{
|
||||
read -r _NET_CURRENT_DESKTOP
|
||||
IFS=$'\a' read -ra _NET_DESKTOP_NAMES
|
||||
echo "''${_NET_DESKTOP_NAMES[$_NET_CURRENT_DESKTOP]}"
|
||||
}
|
||||
)}
|
||||
case $_CURRENT_DESKTOP_NAME in
|
||||
stockholm)
|
||||
cd ~/stockholm
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
export NIX_PATH="stockholm=$HOME/stockholm:$NIX_PATH"
|
||||
;;
|
||||
esac
|
||||
|
||||
${pkgs.bash-fzf-history.bind}
|
||||
|
||||
if test -n "''${BASH_EXTRA_INIT-}"; then
|
||||
. "$BASH_EXTRA_INIT"
|
||||
fi
|
||||
'';
|
||||
promptInit = /* sh */ ''
|
||||
case $UID in
|
||||
0)
|
||||
PS1='\[\e[1;31m\]\w\[\e[0m\] '
|
||||
;;
|
||||
${toString config.krebs.build.user.uid})
|
||||
PS1='\[\e[1;32m\]\w\[\e[0m\] '
|
||||
;;
|
||||
*)
|
||||
PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
|
||||
;;
|
||||
esac
|
||||
if test -n "$SSH_CLIENT"; then
|
||||
PS1='\[\e[35m\]\h'" $PS1"
|
||||
fi
|
||||
if test -n "$SSH_AGENT_PID"; then
|
||||
PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,29 +0,0 @@
|
||||
{ config, lib, pkgs, ... }: with import ./lib;
|
||||
{
|
||||
environment.etc."binary-cache.pubkey".text =
|
||||
config.krebs.build.host.binary-cache.pubkey;
|
||||
|
||||
nixpkgs.overlays = [
|
||||
(self: super: {
|
||||
nix-serve = self.haskellPackages.nix-serve-ng;
|
||||
})
|
||||
];
|
||||
|
||||
services.nix-serve = {
|
||||
enable = true;
|
||||
secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.nix-serve = {
|
||||
serverAliases = [
|
||||
"cache.${config.krebs.build.host.name}.hkw"
|
||||
"cache.${config.krebs.build.host.name}.r"
|
||||
];
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,49 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, modulesPath, pkgs, ... }: {
|
||||
|
||||
imports = [
|
||||
(modulesPath + "/services/hardware/sane_extra_backends/brscan4.nix")
|
||||
];
|
||||
|
||||
krebs.nixpkgs.allowUnfreePredicate = pkg: any (eq (packageName pkg)) [
|
||||
"brother-udev-rule-type1"
|
||||
"brscan4"
|
||||
"brscan4-etc-files"
|
||||
"mfcl2700dnlpr"
|
||||
];
|
||||
|
||||
hardware.sane = {
|
||||
enable = true;
|
||||
brscan4 = {
|
||||
enable = true;
|
||||
netDevices = {
|
||||
bra = {
|
||||
model = "MFCL2700DN";
|
||||
ip = "10.23.1.214";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.saned.enable = true;
|
||||
|
||||
# usage: scanimage -d "$(find-scanner bra)" --batch --format=tiff --resolution 150 -x 211 -y 298
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeDashBin "find-scanner" ''
|
||||
set -efu
|
||||
name=$1
|
||||
${pkgs.sane-backends}/bin/scanimage -f '%m %d
|
||||
' \
|
||||
| ${pkgs.gawk}/bin/awk -v dev="*$name" '$1 == dev { print $2; exit }' \
|
||||
| ${pkgs.gnugrep}/bin/grep .
|
||||
'')
|
||||
];
|
||||
|
||||
services.printing = {
|
||||
enable = true;
|
||||
drivers = [
|
||||
pkgs.mfcl2700dncupswrapper
|
||||
];
|
||||
};
|
||||
|
||||
}
|
@ -1,137 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
boot.tmpOnTmpfs = true;
|
||||
|
||||
krebs.enable = true;
|
||||
|
||||
krebs.build.user = config.krebs.users.tv;
|
||||
|
||||
networking.hostId = mkDefault (hashToLength 8 config.networking.hostName);
|
||||
networking.hostName = config.krebs.build.host.name;
|
||||
|
||||
imports = [
|
||||
./backup.nix
|
||||
./bash
|
||||
./htop.nix
|
||||
./nets/hkw.nix
|
||||
./networkd.nix
|
||||
./nginx
|
||||
./nix.nix
|
||||
./pki
|
||||
./ssh.nix
|
||||
./sshd.nix
|
||||
./vim.nix
|
||||
./xdg.nix
|
||||
{
|
||||
users = {
|
||||
defaultUserShell = "/run/current-system/sw/bin/bash";
|
||||
mutableUsers = false;
|
||||
users = {
|
||||
root = {
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.tv.pubkey
|
||||
];
|
||||
};
|
||||
tv = {
|
||||
inherit (config.krebs.users.tv) home uid;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "tv" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
i18n.defaultLocale = mkDefault "C.UTF-8";
|
||||
security.sudo.extraConfig = ''
|
||||
Defaults env_keep+="SSH_CLIENT _CURRENT_DESKTOP_NAME"
|
||||
Defaults mailto="${config.krebs.users.tv.mail}"
|
||||
Defaults !lecture
|
||||
'';
|
||||
time.timeZone = "Europe/Berlin";
|
||||
}
|
||||
|
||||
{
|
||||
nixpkgs.config.allowUnfree = false;
|
||||
}
|
||||
{
|
||||
environment.homeBinInPath = true;
|
||||
|
||||
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
rxvt_unicode.terminfo
|
||||
];
|
||||
|
||||
environment.shellAliases = mkForce {
|
||||
gp = "${pkgs.pari}/bin/gp -q";
|
||||
df = "df -h";
|
||||
du = "du -h";
|
||||
|
||||
# TODO alias cannot contain #\'
|
||||
# "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
|
||||
|
||||
ls = "ls -h --color=auto --group-directories-first";
|
||||
dmesg = "dmesg -L --reltime";
|
||||
view = "vim -R";
|
||||
};
|
||||
|
||||
environment.variables = {
|
||||
NIX_PATH = mkForce (concatStringsSep ":" [
|
||||
"secrets=/var/src/stockholm/null"
|
||||
"/var/src"
|
||||
]);
|
||||
};
|
||||
}
|
||||
|
||||
{
|
||||
services.cron.enable = false;
|
||||
services.ntp.enable = false;
|
||||
services.timesyncd.enable = true;
|
||||
}
|
||||
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# Enable IPv6 Privacy Extensions
|
||||
#
|
||||
# XXX use mkForce here because since NixOS 21.11 there's a collision in
|
||||
# net.ipv6.conf.default.use_tempaddr, and boot.kernel.sysctl incapable
|
||||
# of merging.
|
||||
#
|
||||
# XXX net.ipv6.conf.all.use_tempaddr is set because it was mentioned in
|
||||
# https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
|
||||
# TODO check if that is really necessary, otherwise we can rely solely
|
||||
# on networking.tempAddresses in the future (when nothing is <21.11)
|
||||
"net.ipv6.conf.all.use_tempaddr" = mkForce 2;
|
||||
"net.ipv6.conf.default.use_tempaddr" = mkForce 2;
|
||||
};
|
||||
}
|
||||
|
||||
{
|
||||
tv.iptables.enable = true;
|
||||
tv.iptables.accept-echo-request = "internet";
|
||||
}
|
||||
|
||||
{
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=1G
|
||||
RuntimeMaxUse=128M
|
||||
'';
|
||||
}
|
||||
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.field
|
||||
pkgs.get
|
||||
pkgs.git
|
||||
pkgs.git-crypt
|
||||
pkgs.git-preview
|
||||
pkgs.hashPassword
|
||||
pkgs.htop
|
||||
pkgs.kpaste
|
||||
pkgs.nix-prefetch-scripts
|
||||
pkgs.ovh-zone
|
||||
pkgs.push
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
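--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,359 +0,0 @@
-{ config, lib, pkgs, ... }: let
-
-cfg.nameserver = "1.1.1.1";
-cfg.packageDir = "/var/lib/elm-packages";
-cfg.port = 7782;
-
-# TODO secret files
-cfg.htpasswd = "/var/lib/certs/package.elm-lang.org/htpasswd";
-cfg.sslCertificate = "/var/lib/certs/package.elm-lang.org/fullchain.pem";
-cfg.sslCertificateKey = "/var/lib/certs/package.elm-lang.org/key.pem";
-
-semverRegex =
-"(?<major>0|[1-9]\\d*)\\.(?<minor>0|[1-9]\\d*)\\.(?<patch>0|[1-9]\\d*)(?:-(?<prerelease>(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+(?<buildmetadata>[0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?";
-
-in {
-services.nginx.virtualHosts."package.elm-lang.org" = {
-addSSL = true;
-
-sslCertificate = cfg.sslCertificate;
-sslCertificateKey = cfg.sslCertificateKey;
-
-locations."/all-packages".extraConfig = ''
-proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
-proxy_pass_header Server;
-'';
-
-locations."/all-packages/since/".extraConfig = ''
-proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
-proxy_pass_header Server;
-'';
-
-locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})\$".extraConfig = ''
-auth_basic "Restricted Area";
-auth_basic_user_file ${cfg.htpasswd};
-
-proxy_set_header X-User $remote_user;
-proxy_set_header X-Author $author;
-proxy_set_header X-Package $pname;
-proxy_set_header X-Version $version;
-proxy_pass_header Server;
-
-proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
-'';
-
-locations."~ ^/packages/(?<author>[A-Za-z0-9-]+)/(?<pname>[A-Za-z0-9-]+)/(?<version>${semverRegex})/(?:zipball|elm.json|endpoint.json)\$".extraConfig = ''
-set $zipball "${cfg.packageDir}/$author/$pname/$version/zipball";
-proxy_set_header X-Author $author;
-proxy_set_header X-Package $pname;
-proxy_set_header X-Version $version;
-proxy_set_header X-Zipball $zipball;
-proxy_pass_header Server;
-resolver ${cfg.nameserver};
-
-if (-f $zipball) {
-set $new_uri http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
-}
-if (!-f $zipball) {
-set $new_uri https://package.elm-lang.org$request_uri;
-}
-
-proxy_pass $new_uri;
-'';
-
-locations."/search.json".extraConfig = ''
-proxy_pass http://127.0.0.1:${toString config.krebs.htgen.elm-packages-proxy.port};
-proxy_pass_header Server;
-'';
-};
-
-krebs.htgen.elm-packages-proxy = {
-port = cfg.port;
-script = /* sh */ ''. ${pkgs.writeDash "elm-packages-proxy.sh" ''
-PATH=${lib.makeBinPath [
-pkgs.attr
-pkgs.coreutils
-pkgs.curl
-pkgs.findutils
-pkgs.gnugrep
-pkgs.jq
-pkgs.p7zip
-]}
-export PATH
-file_response() {(
-status_code=$1
-status_reason=$2
-file=$3
-content_type=$4
-
-content_length=$(wc -c "$file" | cut -d\ -f1)
-
-printf "HTTP/1.1 $status_code $status_reason\r\n"
-printf 'Connection: close\r\n'
-printf 'Content-Length: %d\r\n' "$content_length"
-printf 'Content-Type: %s\r\n' "$content_type"
-printf 'Server: %s\r\n' "$Server"
-printf '\r\n'
-cat "$file"
-)}
-string_response() {(
-status_code=$1
-status_reason=$2
-response_body=$3
-content_type=$4
-
-printf "HTTP/1.1 $status_code $status_reason\r\n"
-printf 'Connection: close\r\n'
-printf 'Content-Length: %d\r\n' "$(expr ''${#response_body} + 1)"
-printf 'Content-Type: %s\r\n' "$content_type"
-printf 'Server: %s\r\n' "$Server"
-printf '\r\n'
-printf '%s\n' "$response_body"
-)}
-
-case "$Method $Request_URI" in
-'GET /packages/'*)
-
-author=$req_x_author
-pname=$req_x_package
-version=$req_x_version
-
-zipball=${cfg.packageDir}/$author/$pname/$version/zipball
-elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
-endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
-mkdir -p "$HOME/cache"
-
-case $(basename $Request_URI) in
-zipball)
-file_response 200 OK "$zipball" application/zip
-exit
-;;
-elm.json)
-if ! test -f "$elmjson"; then
-7z x -so "$zipball" \*/elm.json > "$elmjson"
-fi
-file_response 200 OK "$elmjson" 'application/json; charset=UTF-8'
-exit
-;;
-endpoint.json)
-if ! test -f "$endpointjson"; then
-hash=$(sha1sum "$zipball" | cut -d\ -f1)
-url=https://package.elm-lang.org/packages/$author/$pname/$version/zipball
-jq -n \
---arg hash "$hash" \
---arg url "$url" \
-'{ $hash, $url }' \
-> "$endpointjson"
-fi
-file_response 200 OK "$endpointjson" 'application/json; charset=UTF-8'
-exit
-;;
-esac
-;;
-'POST /packages/'*)
-
-author=$req_x_author
-pname=$req_x_package
-user=$req_x_user
-version=$req_x_version
-
-action=uploading
-force=''${req_x_force-false}
-zipball=${cfg.packageDir}/$author/$pname/$version/zipball
-elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
-endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
-
-if test -e "$zipball"; then
-if test "$force" = true; then
-zipball_owner=$(attr -q -g X-User "$zipball" || :)
-if test "$zipball_owner" = "$req_x_user"; then
-action=replacing
-rm -f "$elmjson"
-rm -f "$endpointjson"
-else
-string_response 403 Forbidden \
-"package already exists: $author/$pname@$version" \
-text/plain
-exit
-fi
-else
-string_response 409 Conflict \
-"package already exists: $author/$pname@$version" \
-text/plain
-exit
-fi
-fi
-
-echo "user $user is $action package $author/$pname@$version" >&2
-# TODO check package
-mkdir -p "$(dirname "$zipball")"
-head -c $req_content_length > "$zipball"
-
-attr -q -s X-User -V "$user" "$zipball" || :
-
-string_response 200 OK \
-"package created: $author/$pname@$version" \
-text/plain
-
-exit
-;;
-'DELETE /packages/'*)
-
-author=$req_x_author
-pname=$req_x_package
-user=$req_x_user
-version=$req_x_version
-
-zipball=${cfg.packageDir}/$author/$pname/$version/zipball
-elmjson=$HOME/cache/$author%2F$pname%2F$version%2Felm.json
-endpointjson=$HOME/cache/$author%2F$pname%2F$version%2Fendpoint.json
-
-if test -e "$zipball"; then
-zipball_owner=$(attr -q -g X-User "$zipball" || :)
-if test "$zipball_owner" = "$req_x_user"; then
-echo "user $user is deleting package $author/$pname@$version" >&2
-rm -f "$elmjson"
-rm -f "$endpointjson"
-rm "$zipball"
-string_response 200 OK \
-"package deleted: $author/$pname@$version" \
-text/plain
-exit
-else
-string_response 403 Forbidden \
-"package already exists: $author/$pname@$version" \
-text/plain
-exit
-fi
-fi
-;;
-'GET /all-packages'|'POST /all-packages')
-
-response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
-trap "rm $response >&2" EXIT
-
-{
-# upstream packages
-curl -fsS https://package.elm-lang.org"$Request_URI"
-
-# private packages
-(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
-jq -Rs '
-split("\n") |
-map(
-select(.!="") |
-match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
-map({key:.name,value:.string}) |
-from_entries
-) |
-reduce .[] as $item ({};
-($item|"\(.author)/\(.pname)") as $name |
-. + { "\($name)": ((.[$name] // []) + [$item.version]) }
-)
-'
-} |
-jq -cs add > $response
-
-file_response 200 OK "$response" 'application/json; charset=UTF-8'
-exit
-;;
-'GET /all-packages/since/'*|'POST /all-packages/since/'*)
-
-response=$(mktemp -t htgen.$$.elm-packages-proxy.all-packages.XXXXXXXX)
-trap "rm $response >&2" EXIT
-
-{
-# upstream packages
-curl -fsS https://package.elm-lang.org"$Request_URI"
-
-# private packages
-(cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
-jq -Rs '
-split("\n") |
-map(
-select(.!="") |
-sub("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$";"\(.author)/\(.pname)@\(.version)")
-) |
-sort_by(split("@") | [.[0]]+(.[1]|split(".")|map(tonumber))) |
-reverse
-'
-} |
-jq -cs add > $response
-
-file_response 200 OK "$response" 'application/json; charset=UTF-8'
-exit
-;;
-'GET /search.json')
-
-searchjson=$HOME/cache/search.json
-mkdir -p "$HOME/cache"
-
-# update cached search.json
-(
-last_modified=$(
-if test -f "$searchjson"; then
-date -Rr "$searchjson"
-else
-date -R -d @0
-fi
-)
-tempsearchjson=$(mktemp "$searchjson.XXXXXXXX")
-trap 'rm "$tempsearchjson" >&2' EXIT
-curl -fsS --compressed https://package.elm-lang.org/search.json \
--H "If-Modified-Since: $last_modified" \
--o "$tempsearchjson"
-if test -s "$tempsearchjson"; then
-mv "$tempsearchjson" "$searchjson"
-trap - EXIT
-fi
-)
-
-response=$(mktemp -t htgen.$$.elm-packages-proxy.search.XXXXXXXX)
-trap 'rm "$response" >&2' EXIT
-
-{
-printf '{"upstream":'; cat "$searchjson"
-printf ',"private":'; (cd ${cfg.packageDir}; find -mindepth 3 -maxdepth 3) |
-jq -Rs '
-split("\n") |
-map(
-select(.!="") |
-match("^\\./(?<author>[^/]+)/(?<pname>[^/]+)/(?<version>[^/]+)$").captures |
-map({key:.name,value:.string}) |
-from_entries
-) |
-map({
-key: "\(.author)/\(.pname)",
-value: .version,
-}) |
-from_entries
-'
-printf '}'
-} |
-jq -c '
-reduce .upstream[] as $upstreamItem ({ private, output: [] };
-.private[$upstreamItem.name] as $privateItem |
-if $privateItem then
-.output += [$upstreamItem * { version: $privateItem.version }] |
-.private |= del(.[$upstreamItem.name])
-else
-.output += [$upstreamItem]
-end
-) |
-
-.output + (.private | to_entries | sort_by(.key) | map({
-name: .key,
-version: .value,
-summary: "dummy summary",
-license: "dummy license",
-}))
-' \
-> $response
-
-file_response 200 OK "$response" 'application/json; charset=UTF-8'
-exit
-;;
-esac
-''}'';
-};
-}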
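--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,9 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-environment.systemPackages = [
-pkgs.eximlog
-];
-krebs.exim-retiolum.enable = true;
-krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";
-tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
-}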
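--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,46 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-environment.systemPackages = [
-pkgs.eximlog
-];
-krebs.exim-smarthost = {
-enable = true;
-dkim = [
-{ domain = "viljetic.de"; }
-];
-sender_domains = [
-"krebsco.de"
-"shackspace.de"
-"viljetic.de"
-];
-relay_from_hosts = concatMap (host: host.nets.retiolum.addrs) [
-config.krebs.hosts.nomic
-config.krebs.hosts.xu
-];
-internet-aliases = with config.krebs.users; [
-{ from = "bku-eppler@viljetic.de"; to = tv.mail; }
-{ from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822
-{ from = "mirko@viljetic.de"; to = mv-ni.mail; }
-{ from = "tomislav@viljetic.de"; to = tv.mail; }
-{ from = "tv@viljetic.de"; to = tv.mail; }
-{ from = "tv@shackspace.de"; to = tv.mail; }
-];
-system-aliases = [
-{ from = "mailer-daemon"; to = "postmaster"; }
-{ from = "postmaster"; to = "root"; }
-{ from = "nobody"; to = "root"; }
-{ from = "hostmaster"; to = "root"; }
-{ from = "usenet"; to = "root"; }
-{ from = "news"; to = "root"; }
-{ from = "webmaster"; to = "root"; }
-{ from = "www"; to = "root"; }
-{ from = "ftp"; to = "root"; }
-{ from = "abuse"; to = "root"; }
-{ from = "noc"; to = "root"; }
-{ from = "security"; to = "root"; }
-{ from = "root"; to = "tv"; }
-{ from = "mirko"; to = "mv"; }
-];
-};
-tv.iptables.input-internet-accept-tcp = singleton "smtp";
-}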
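--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,20 +0,0 @@
-_:
-
-{
-boot.loader.grub = {
-device = "/dev/sda";
-};
-fileSystems = {
-"/" = {
-device = "/dev/centos/root";
-fsType = "xfs";
-};
-"/boot" = {
-device = "/dev/sda1";
-fsType = "xfs";
-};
-};
-swapDevices = [
-{ device = "/dev/centos/swap"; }
-];
-}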
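--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,16 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-environment.etc.gitconfig.text = ''
-[alias]
-patch = !${pkgs.git}/bin/git --no-pager diff --no-color
-[diff-so-fancy]
-markEmptyLines = false
-stripLeadingSymbols = false
-[pager]
-diff = ${pkgs.gitAndTools.diff-so-fancy}/bin/diff-so-fancy \
-| ${pkgs.less}/bin/less -FRX
-[user]
-email = tv@krebsco.de
-name = tv
-'';
-}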
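--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,233 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: let {
-
-body = {
-
-nixpkgs.config.packageOverrides = super: {
-cgit = pkgs.symlinkJoin {
-name = "${super.cgit.name}-tv";
-paths = [
-(pkgs.runCommand "${super.cgit.name}-tv-overrides" {
-} /* sh */ ''
-mkdir -p $out/lib/cgit/filters
-cd $out/lib/cgit/filters
-cp \
-${super.cgit}/lib/cgit/filters/syntax-highlighting.py \
-${super.cgit}/lib/cgit/filters/.syntax-highlighting.py-wrapped \
-.
-sed -i "s:${super.cgit}:$out:" syntax-highlighting.py
-sed -i '
-s:^\(formatter =\).*:\1 HtmlFormatter(style="algol_nu"):
-' .syntax-highlighting.py-wrapped
-'')
-super.cgit
-];
-};
-};
-
-krebs.git = {
-enable = true;
-cgit = {
-settings = {
-about-filter = pkgs.exec "krebs.cgit.about-filter" rec {
-filename = "${pkgs.python3Packages.markdown2}/bin/markdown2";
-argv = [
-filename
-"--extras=fenced-code-blocks"
-];
-envp = {};
-};
-readme = [
-":README.md"
-];
-root-desc = "mostly krebs";
-root-title = "repositories at ${config.krebs.build.host.name}";
-source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
-};
-};
-repos = repos;
-rules = rules;
-};
-};
-
-cgit-clear-cache = pkgs.cgit-clear-cache.override {
-inherit (config.krebs.git.cgit.settings) cache-root;
-};
-
-repos =
-public-repos //
-optionalAttrs config.krebs.build.host.secure restricted-repos;
-
-rules = concatMap make-rules (attrValues repos);
-
-public-repos = mapAttrs make-public-repo ({
-} // mapAttrs (_: recursiveUpdate { cgit.section = "1. miscellaneous"; }) {
-couchfs = {
-cgit.desc = "filesystem (in userspace) on top of CouchDB";
-};
-crx = {
-cgit.desc = "utilities for working with Chrome extensions";
-};
-dic = {
-cgit.desc = "dict.leo.org command line interface";
-};
-disko = {
-cgit.desc = "declarative partitioning and formatting tool";
-};
-fswm = {
-cgit.desc = "simple full screen window manager";
-};
-htgen = {
-cgit.desc = "toy HTTP server";
-};
-ircaids = {
-cgit.desc = "Assortment of aids for working with Internet relay chat";
-};
-krops = {
-cgit.desc = "deployment tools";
-};
-mailaids = {
-cgit.desc = "Assortment of aids for working with electronic mail";
-};
-much = {};
-netcup = {
-cgit.desc = "netcup command line interface";
-};
-nix-writers = {
-cgit.desc = "collection of package builders";
-};
-nixpkgs = {
-cgit.desc = "Nix Packages collection";
-};
-pager = {
-};
-populate = {
-cgit.desc = "source code installer";
-};
-q = {};
-reaktor2 = {};
-stockholm = {
-cgit.desc = "NixOS configuration";
-};
-TabFS = {
-cgit.desc = "mount browser tabs & co. as a filesystem";
-};
-texnix = {
-cgit.desc = "TeX live environment generator";
-};
-with-ssh = {};
-} // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) {
-ni = {
-};
-} // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) {
-X11-aeson = {};
-blessings = {};
-hack = {};
-hc = {};
-mime = {};
-quipper = {};
-scanner = {};
-wai-middleware-time = {};
-web-routes-wai-custom = {};
-xintmap = {};
-xmonad-aeson = {};
-xmonad-web = {};
-} // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) {
-cac-api = {
-cgit.desc = "CloudAtCost API command line interface";
-};
-cgserver = {};
-crude-mail-setup = {};
-dot-xmonad = {};
-flameshot-once = {
-cgit.desc = "flameshot runner that automatically starts/stops the daemon";
-};
-hirc = {};
-hstool = {
-cgit.desc = "Haskell Development Environment ^_^";
-};
-kirk = {
-cgit.desc = "IRC tools";
-};
-make-snapshot = {};
-nixos-infest = {};
-painload = {};
-push = {};
-Reaktor = {};
-regfish = {};
-with-tmpdir = {};
-get = {};
-load-env = {};
-loldns = {
-cgit.desc = "toy DNS server";
-};
-soundcloud = {
-cgit.desc = "SoundCloud command line interface";
-};
-xmonad-stockholm = {};
-});
-
-restricted-repos = mapAttrs make-restricted-repo (
-{
-brain = {
-collaborators = with config.krebs.users; [ lass makefu ];
-hooks = {
-post-receive = /* sh */ ''
-(${irc-announce { cgit_endpoint = null; }})
-${cgit-clear-cache}/bin/cgit-clear-cache
-'';
-};
-};
-}
-);
-
-irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
-channel = "#xxx";
-# TODO make nick = config.krebs.build.host.name the default
-nick = config.krebs.build.host.name;
-server = "irc.r";
-verbose = {
-exclude = [
-"refs/heads/head"
-];
-};
-} args);
-
-make-public-repo = name: { cgit ? {}, ... }: {
-inherit cgit name;
-public = true;
-hooks = {
-post-receive = /* sh */ ''
-(${optionalString (config.krebs.build.host.name == "ni")
-(irc-announce {})})
-${cgit-clear-cache}/bin/cgit-clear-cache
-'';
-};
-};
-
-make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
-inherit collaborators name;
-public = false;
-hooks = hooks // {
-post-receive = /* sh */ ''
-(${hooks.post-receive or ":"})
-${cgit-clear-cache}/bin/cgit-clear-cache
-'';
-};
-};
-
-make-rules =
-with git // config.krebs.users;
-repo:
-singleton {
-user = [ tv tv-xu ];
-repo = [ repo ];
-perm = push "refs/*" [ non-fast-forward create delete merge ];
-} ++
-optional (repo.collaborators or [] != []) {
-user = repo.collaborators;
-repo = [ repo ];
-perm = fetch;
-};
-
-}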
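--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,40 +0,0 @@
-with import ./lib;
-{ pkgs, ... }: {
-nixpkgs.config.packageOverrides = super: {
-htop = pkgs.symlinkJoin {
-name = "htop";
-paths = [
-(pkgs.writeDashBin "htop" ''
-export HTOPRC=${pkgs.writeText "htoprc" ''
-fields=0 48 17 18 38 39 40 2 46 47 49 1
-sort_key=46
-sort_direction=1
-hide_threads=0
-hide_kernel_threads=1
-hide_userland_threads=0
-shadow_other_users=1
-show_thread_names=1
-show_program_path=1
-highlight_base_name=1
-highlight_megabytes=1
-highlight_threads=1
-tree_view=1
-header_margin=0
-detailed_cpu_time=0
-cpu_count_from_zero=0
-update_process_names=0
-account_guest_in_cpu_meter=1
-color_scheme=0
-delay=15
-left_meters=LeftCPUs2 RightCPUs2 Memory Swap
-left_meter_modes=1 1 1 1
-right_meters=Uptime Tasks LoadAverage Battery
-right_meter_modes=2 2 2 2
-''}
-exec ${super.htop}/bin/htop "$@"
-'')
-super.htop
-];
-};
-};
-}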
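--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,48 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-imports = [
-../smartd.nix
-
-{
-nix.settings.cores = 2;
-nix.settings.max-jobs = 2;
-}
-(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
-nix.daemonCPUSchedPolicy = "batch";
-nix.daemonIOSchedPriority = 1;
-} else {
-nix.daemonIONiceLevel = 1;
-nix.daemonNiceLevel = 1;
-})
-];
-
-boot.loader.grub = {
-device = "/dev/sda";
-splashImage = null;
-};
-
-boot.initrd.availableKernelModules = [
-"ahci"
-];
-
-boot.kernelModules = [
-"kvm-intel"
-"wl"
-];
-
-boot.extraModulePackages = [
-config.boot.kernelPackages.broadcom_sta
-];
-
-services.logind.extraConfig = ''
-HandleHibernateKey=ignore
-HandleLidSwitch=ignore
-HandlePowerKey=ignore
-HandleSuspendKey=ignore
-'';
-
-krebs.nixpkgs.allowUnfreePredicate = pkg: packageName pkg == "broadcom-sta";
-
-tv.hw.screens.primary.width = 1366;
-tv.hw.screens.primary.height = 768;
-}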
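--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-../lib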
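--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,48 +0,0 @@
-{ pkgs, ... }: {
-
-imports = [
-../smartd.nix
-];
-
-boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ];
-boot.initrd.kernelModules = [ "amdgpu" ];
-boot.kernelModules = [
-"amd-pstate"
-"kvm-amd"
-];
-boot.kernelPackages = pkgs.linuxPackages_latest;
-boot.kernelParams = [
-"amd_pstate=passive"
-];
-
-hardware.bluetooth.enable = true;
-
-hardware.cpu.amd.updateMicrocode = true;
-hardware.enableRedistributableFirmware = true;
-
-hardware.opengl.enable = true;
-hardware.opengl.extraPackages = [
-pkgs.amdvlk
-pkgs.rocm-opencl-icd
-pkgs.rocm-opencl-runtime
-];
-
-networking.wireless.enable = true;
-networking.wireless.interfaces = [
-"wlp1s0"
-];
-networking.interfaces.wlp1s0.useDHCP = true;
-
-nixpkgs.hostPlatform = "x86_64-linux";
-
-services.illum.enable = true;
-
-services.logind.extraConfig = /* ini */ ''
-HandlePowerKey=ignore
-'';
-
-tv.lidControl.enable = true;
-
-tv.hw.screens.primary.width = 2560;
-tv.hw.screens.primary.height = 1600;
-}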
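--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,89 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-imports = [
-../smartd.nix
-{
-boot.extraModulePackages = [
-config.boot.kernelPackages.acpi_call
-];
-
-boot.kernelModules = [
-"acpi_call"
-];
-
-environment.systemPackages = [
-pkgs.tpacpi-bat
-];
-}
-
-# fix jumpy touchpad
-# https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_X220#X220_Touchpad_cursor_jump/imprecise
-{
-services.udev.extraHwdb = /* sh */ ''
-touchpad:i8042:*
-LIBINPUT_MODEL_LENOVO_X220_TOUCHPAD_FW81=1
-'';
-}
-
-{
-nix.settings.cores = 2;
-nix.settings.max-jobs = 2;
-}
-(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
-nix.daemonCPUSchedPolicy = "batch";
-nix.daemonIOSchedPriority = 1;
-} else {
-nix.daemonIONiceLevel = 1;
-nix.daemonNiceLevel = 1;
-})
-];
-
-boot.extraModulePackages = [
-config.boot.kernelPackages.tp_smapi
-];
-
-boot.kernelModules = [ "tp_smapi" ];
-
-boot.loader.systemd-boot.enable = true;
-boot.loader.efi.canTouchEfiVariables = true;
-
-# Required for Centrino.
-hardware.enableRedistributableFirmware = true;
-
-hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
-
-hardware.trackpoint = {
-enable = true;
-sensitivity = 220;
-speed = 0;
-emulateWheel = true;
-};
-
-# Conflicts with TLP, but gets enabled by DEs.
-services.power-profiles-daemon.enable = false;
-
-services.tlp.enable = true;
-services.tlp.settings = {
-START_CHARGE_THRESH_BAT0 = 80;
-};
-
-
-services.logind.extraConfig = ''
-HandleHibernateKey=ignore
-HandleLidSwitch=ignore
-HandlePowerKey=ignore
-HandleSuspendKey=ignore
-'';
-
-# because extraConfig is not extra enough:
-services.logind.lidSwitch = "ignore";
-services.logind.lidSwitchDocked = "ignore";
-services.logind.lidSwitchExternalPower = "ignore";
-
-services.xserver = {
-videoDriver = "intel";
-};
-
-tv.hw.screens.primary.width = lib.mkDefault 1366;
-tv.hw.screens.primary.height = lib.mkDefault 768;
-}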
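--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,22 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: {
-services.nginx.virtualHosts."ni.r" = {
-locations."/image" = {
-extraConfig = /* nginx */ ''
-client_max_body_size 20M;
-
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-
-proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
-proxy_pass_header Server;
-'';
-};
-};
-
-krebs.htgen.imgur = {
-port = 7771;
-scriptFile = "${pkgs.htgen-imgur}/bin/htgen-imgur";
-};
-}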
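--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, ... }: {
-boot.initrd.availableKernelModules = [
-"e1000e"
-];
-boot.initrd.network.enable = true;
-boot.initrd.network.ssh = {
-enable = true;
-port = 11423;
-authorizedKeys = [
-config.krebs.users.tv.pubkey
-];
-ignoreEmptyHostKeys = true;
-};
-boot.initrd.secrets = {
-"/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
-};
-}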
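--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-../lib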
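--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }: {
-environment.systemPackages = [
-pkgs.haskellPackages.much
-pkgs.msmtp
-pkgs.notmuch
-pkgs.qprint
-pkgs.w3m
-];
-}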
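--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-#environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
-# ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
-# s:^NROFF\t.*:& -Wbreak:
-# '
-#'';
-environment.systemPackages = [
-pkgs.man-pages
-pkgs.posix_man_pages
-pkgs.xorg.xorgdocs
-];
-}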
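--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,68 +0,0 @@
-{
-krebs = {
-dns.providers.hkw = "hosts";
-hosts = {
-au = {
-nets.hkw = {
-ip4 = {
-addr = "10.23.1.39";
-prefix = "10.23.1.0/24";
-};
-aliases = [
-"au.hkw"
-];
-ssh.port = 11423;
-};
-};
-nomic = {
-nets.hkw = {
-ip4 = {
-addr = "10.23.1.110";
-prefix = "10.23.1.0/24";
-};
-aliases = [
-"nomic.hkw"
-];
-ssh.port = 11423;
-};
-};
-ok = {
-external = true;
-nets.hkw = {
-ip4 = {
-addr = "10.23.1.1";
-prefix = "10.23.1.0/24";
-};
-aliases = [
-"ok.hkw"
-];
-};
-};
-xu = {
-nets.hkw = {
-ip4 = {
-addr = "10.23.1.38";
-prefix = "10.23.1.0/24";
-};
-aliases = [
-"xu.hkw"
-"cache.xu.hkw"
-];
-ssh.port = 11423;
-};
-};
-zu = {
-nets.hkw = {
-ip4 = {
-addr = "10.23.1.40";
-prefix = "10.23.1.0/24";
-};
-aliases = [
-"zu.hkw"
-];
-ssh.port = 11423;
-};
-};
-};
-};
-}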
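--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-# often hangs
-systemd.services.systemd-networkd-wait-online.enable = false;
-}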
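--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,22 +0,0 @@
-with import ./lib;
-{ config, ... }: {
-services.nginx = {
-enableReload = true;
-
-recommendedGzipSettings = true;
-recommendedOptimisation = true;
-recommendedTlsSettings = true;
-
-virtualHosts.${toJSON ""} = {
-default = true;
-extraConfig = ''
-error_page 400 =444 /;
-return 444;
-'';
-rejectSSL = true;
-};
-};
-tv.iptables = {
-input-retiolum-accept-tcp = singleton "http";
-};
-}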
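--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-../lib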
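--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,18 +0,0 @@
-with import ./lib;
-{ config, ... }: {
-services.nginx = {
-enable = true;
-virtualHosts.default = {
-serverAliases = [
-"localhost"
-"${config.krebs.build.host.name}"
-"${config.krebs.build.host.name}.hkw"
-"${config.krebs.build.host.name}.r"
-];
-locations."~ ^/~([a-z]+)(?:/(.*))?\$" = {
-alias = "/srv/$1/public_html/$2";
-};
-};
-};
-tv.iptables.input-internet-accept-tcp = singleton "http";
-}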
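--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }: {
-nix.settings.auto-optimise-store = true;
-
-# TODO check if both are required:
-nix.settings.extra-sandbox-paths = [
-"/etc/protocols"
-pkgs.iana-etc.outPath
-];
-}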
@ -1,31 +0,0 @@
|
||||
tv Root CA
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFGzCCAwOgAwIBAgIUbLFkDA1OgKbej/FQiJZ4gpGPg/4wDQYJKoZIhvcNAQEL
|
||||
BQAwFTETMBEGA1UEAwwKdHYgUm9vdCBDQTAeFw0xOTA0MjEwNzI1MTdaFw0yOTA0
|
||||
MTgwNzI1MTdaMBUxEzARBgNVBAMMCnR2IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
|
||||
AQUAA4ICDwAwggIKAoICAQDEVpZo1PLayK2AULwNtRY/2RIs/h+Uz1k/I7AY5o7H
|
||||
HTD6pxNH3DZS82Y89nAHDVEnotK26TW6N1O2fBHUxH2GXVD+MaA/D9ngbNTJa7DW
|
||||
2EThezOyesAbXk7dkoHh4Bouj5L7Ronka5+IREFmb3mHmcXLuR/sot9Pwr9A7Lwm
|
||||
55Avv+VwMFnqVMXiCYQsDL7Mxf7Vm79+kXShpfDhNmHhyZc/xPjVk7lttSEp0LCq
|
||||
hhJjte3xDGbk7OThTSxoqP+K4Ek7NGatCcm4AUZlDl1kLN2QKudYqj0VRQpfE+4Q
|
||||
jMAAtttc/10MV0e08pRK0FvJsDsi70YZrHnDP6hIBrRNjC8iB/8rz2pjnYzgriUt
|
||||
HHEDr26234VB5Zqhsi8pmXA16FVkoKlucADXXKEcR/3VreTvZLdSsP3OrDdSCwhi
|
||||
H2W/7tshDPp+I9Q9fGNixry7PODbud1h/wLsq3Geg/U6VkDdl7uDNMB/O7LvlFaC
|
||||
7jkHv/xFLqV1Xx9+yFMdJTKLf9jnIIjeINfV4VcJZDrtgGpnC6cYD5DNLA4j7Mny
|
||||
EnBV9IRhmKiZLvUZP62dPhqIfSSPNxXV2+rT5ZfaXCuVe79R5npgJzF7/qslvnZ6
|
||||
0mjZfQdJiXY+/oT9zPUxTroFx7Qtda15aIVwXR+1cMRY/Hg/uBQyp7yWsvwhPYwH
|
||||
awIDAQABo2MwYTAdBgNVHQ4EFgQUWYjGpR7J/UqggxQV87hBQ8ZT0qkwHwYDVR0j
|
||||
BBgwFoAUWYjGpR7J/UqggxQV87hBQ8ZT0qkwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
|
||||
HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAA++eAA7KLEd4n05n8w95sJ7
|
||||
cxqQSkVxV3ASnEUQRwVGo3CqEKcNufbCTG7KKGQFUi2Xd3/SWgnEiSZZWo06azbV
|
||||
vlquG+9ilwnrnqfjlbUEjLMHDzukrEeIiRuFY7gZv6S2o4WkW/M9IPkP34+PRjip
|
||||
AJ8kFcy7wLPaeH7OagslAVUcf68lMm+8W4U1g0HZaY2zXFgdRrIO1dXKlJ22Wh4X
|
||||
fcblHjkASAGi+BK+xRJ9G7s3sie2wPyk+WKKv0Z+WheKf+L+TPBg2sJ+d25gW+gG
|
||||
XNJSQOzCqSfHrCtcW1xkGgifog28/ymN03ggn8oMBUebOp+ayLkbPQDaj6te3y1v
|
||||
YE0cfkzQ0T6sSzPzoOrwBEuSX8cLWTpzO2Zgqbf36UtHjgxi58vY46p7MjAInxAf
|
||||
j+k67rF7qWH38drg4nfGjNgiEdeJw9dtDFdmso+ZiWipUyGF4VYh+Q6JnXDMF0+A
|
||||
wXcYWa7ckXvVOLVpHJfrLDYTXznGnk2u4ToVNEk1j/klMRn96lxfFg04iv8fz8m6
|
||||
/Y8g0G1uIT5Mq9l68oZUoEkUHZabPNhYOiYtg4t5v/T3AIV8nm2A5jZYj0am26xT
|
||||
iqF/tqL3alWXs9OHP7FNdrVWtwO8vcspYcd4mOHdAC/dmhq+77BowR5Lldx9T+mR
|
||||
QT8jW9PXL0IH0wKMBXxf
|
||||
-----END CERTIFICATE-----
|
@ -1,68 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
|
||||
certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
|
||||
|
||||
in {
|
||||
|
||||
environment.etc."pki/nssdb".source =
|
||||
pkgs.runCommand "system-wide-nssdb" {
|
||||
inherit certFile;
|
||||
buildInputs = [
|
||||
pkgs.jq
|
||||
pkgs.nssTools
|
||||
];
|
||||
parseInfoScript = /* jq */ ''
|
||||
${toJSON certFile} as $certFile |
|
||||
|
||||
split("\t-----END CERTIFICATE-----\n")[] |
|
||||
select(test("\t-----BEGIN CERTIFICATE-----\n")) |
|
||||
. + "\t-----END CERTIFICATE-----\n" |
|
||||
|
||||
sub("^([0-9]+\t\n)*";"") |
|
||||
|
||||
(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
|
||||
|
||||
gsub("(?m)^[0-9]+\t";"") |
|
||||
|
||||
match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
|
||||
|
||||
# Line numbers are added to the names to ensure uniqueness.
|
||||
"\(.[0]) (\($certFile):\($lineNumber))" as $name |
|
||||
.[1] as $cert |
|
||||
|
||||
{ $name, $cert }
|
||||
'';
|
||||
passAsFile = [
|
||||
"parseInfoScript"
|
||||
];
|
||||
} /* sh */ ''
|
||||
mkdir nssdb
|
||||
|
||||
nl -ba -w1 "$certFile" |
|
||||
jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
|
||||
|
||||
exec < certinfo.ndjson
|
||||
while read -r certinfo; do
|
||||
name=$(printf %s "$certinfo" | jq -er .name)
|
||||
cert=$(printf %s "$certinfo" | jq -er .cert)
|
||||
|
||||
printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
|
||||
done
|
||||
|
||||
mv nssdb "$out"
|
||||
'';
|
||||
|
||||
environment.variables = flip genAttrs (_: toString certFile) [
|
||||
"CURL_CA_BUNDLE"
|
||||
"GIT_SSL_CAINFO"
|
||||
"SSL_CERT_FILE"
|
||||
];
|
||||
|
||||
security.pki.certificateFiles =
|
||||
mapAttrsToList
|
||||
(name: const (./certs + "/${name}"))
|
||||
(filterAttrs (const (eq "regular"))
|
||||
(readDir ./certs));
|
||||
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,86 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
cfg = {
|
||||
pin = "@${config.krebs.secret.directory}/o2.pin";
|
||||
ttys.ppp = "/dev/ttyACM0";
|
||||
ttys.com = "/dev/ttyACM1";
|
||||
};
|
||||
in {
|
||||
assertions = [
|
||||
{
|
||||
assertion =
|
||||
config.networking.resolvconf.enable ||
|
||||
config.networking.useNetworkd;
|
||||
message = "ppp configuration needs resolvconf or networkd";
|
||||
}
|
||||
];
|
||||
environment.etc."ppp/ip-up".source = pkgs.writeDash "ppp.ip-up" ''
|
||||
${pkgs.openresolv}/bin/resolvconf -a "$IFNAME" < /etc/ppp/resolv.conf
|
||||
'';
|
||||
environment.etc."ppp/ip-down".source = pkgs.writeDash "ppp.ip-down" ''
|
||||
${pkgs.openresolv}/bin/resolvconf -fd "$IFNAME"
|
||||
'';
|
||||
environment.etc."ppp/peers/o2".text = /* sh */ ''
|
||||
${cfg.ttys.ppp}
|
||||
921600
|
||||
crtscts
|
||||
defaultroute
|
||||
holdoff 10
|
||||
lock
|
||||
maxfail 0
|
||||
noauth
|
||||
nodetach
|
||||
noipdefault
|
||||
passive
|
||||
persist
|
||||
usepeerdns
|
||||
connect "${pkgs.ppp}/bin/chat ''${DEBUG+-v} -Ss -f ${pkgs.writeText "o2.chat" /* sh */ ''
|
||||
ABORT "BUSY"
|
||||
ABORT "NO CARRIER"
|
||||
REPORT CONNECT
|
||||
"*EMRDY: 1"
|
||||
ATZ OK
|
||||
AT+CFUN=1 OK
|
||||
${cfg.pin} TIMEOUT 2 ERROR-AT-OK
|
||||
AT+CGDCONT=1,\042IP\042,\042internet\042 OK
|
||||
ATDT*99***1# CONNECT
|
||||
''}"
|
||||
'';
|
||||
users.users.root.packages = [
|
||||
(pkgs.writeDashBin "connect" ''
|
||||
# usage:
|
||||
# connect wlan
|
||||
# connect wwan [PEERNAME]
|
||||
set -efu
|
||||
rfkill_wlan=/sys/class/rfkill/rfkill2
|
||||
rfkill_wwan=/sys/class/rfkill/rfkill1
|
||||
case $1 in
|
||||
wlan)
|
||||
${pkgs.procps}/bin/pkill pppd || :
|
||||
echo 0 > "$rfkill_wwan"/state
|
||||
echo 1 > "$rfkill_wlan"/state
|
||||
;;
|
||||
wwan)
|
||||
name=''${2-o2}
|
||||
echo 0 > "$rfkill_wlan"/state
|
||||
echo 1 > "$rfkill_wwan"/state
|
||||
${pkgs.ppp}/bin/pppd call "$name" updetach
|
||||
;;
|
||||
*)
|
||||
echo "$0: error: bad arguments: $*" >&2
|
||||
exit 1
|
||||
esac
|
||||
'')
|
||||
(pkgs.writeDashBin "modem-send" ''
|
||||
# usage: modem-send ATCOMMAND
|
||||
set -efu
|
||||
tty=${lib.shell.escape cfg.ttys.com}
|
||||
exec <"$tty"
|
||||
printf '%s\r\n' "$1" >"$tty"
|
||||
${pkgs.gnused}/bin/sed -E '
|
||||
/^OK\r?$/q
|
||||
/^ERROR\r?$/q
|
||||
'
|
||||
'')
|
||||
];
|
||||
}
|
@ -1,120 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
pkg = pkgs.pulseaudio;
|
||||
runDir = "/run/pulse";
|
||||
|
||||
pkgs_i686 = pkgs.pkgsi686Linux;
|
||||
|
||||
support32Bit =
|
||||
pkgs.stdenv.isx86_64 &&
|
||||
pkgs_i686.alsaLib != null &&
|
||||
pkgs_i686.libpulseaudio != null;
|
||||
|
||||
alsaConf = pkgs.writeText "asound.conf" ''
|
||||
ctl_type.pulse {
|
||||
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
|
||||
${optionalString support32Bit
|
||||
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;"}
|
||||
}
|
||||
pcm_type.pulse {
|
||||
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
|
||||
${optionalString support32Bit
|
||||
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;"}
|
||||
}
|
||||
ctl.!default {
|
||||
type pulse
|
||||
}
|
||||
pcm.!default {
|
||||
type pulse
|
||||
}
|
||||
'';
|
||||
|
||||
clientConf = pkgs.writeText "client.conf" ''
|
||||
autospawn=no
|
||||
default-server = unix:${runDir}/socket
|
||||
'';
|
||||
|
||||
configFile = pkgs.writeText "default.pa" ''
|
||||
.include ${pkg}/etc/pulse/default.pa
|
||||
load-module ${toString [
|
||||
"module-native-protocol-unix"
|
||||
"auth-anonymous=1"
|
||||
"socket=${runDir}/socket"
|
||||
]}
|
||||
${lib.optionalString (config.krebs.build.host.name == "au") ''
|
||||
load-module ${toString [
|
||||
"module-native-protocol-tcp"
|
||||
"auth-ip-acl=127.0.0.1;10.23.1.0/24"
|
||||
]}
|
||||
''}
|
||||
${lib.optionalString (config.krebs.build.host.name != "au") ''
|
||||
load-module ${toString [
|
||||
"module-tunnel-sink-new"
|
||||
"server=au.hkw"
|
||||
"sink_name=au"
|
||||
"channels=2"
|
||||
"rate=44100"
|
||||
]}
|
||||
''}
|
||||
'';
|
||||
in
|
||||
|
||||
{
|
||||
environment = {
|
||||
etc = {
|
||||
"asound.conf".source = alsaConf;
|
||||
# XXX mkForce is not strong enough (and neither is mkOverride) to create
|
||||
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
|
||||
#"pulse/client.conf" = mkForce { source = clientConf; };
|
||||
#"pulse/client.conf".source = mkForce clientConf;
|
||||
"pulse/default.pa".source = configFile;
|
||||
};
|
||||
systemPackages = [
|
||||
pkg
|
||||
] ++ optionals config.services.xserver.enable [
|
||||
pkgs.pavucontrol
|
||||
];
|
||||
};
|
||||
|
||||
hardware.pulseaudio = {
|
||||
inherit support32Bit;
|
||||
};
|
||||
|
||||
# Allow PulseAudio to get realtime priority using rtkit.
|
||||
security.rtkit.enable = true;
|
||||
|
||||
system.activationScripts.pulseaudio-hack = ''
|
||||
ln -fns ${clientConf} /etc/pulse/client.conf
|
||||
'';
|
||||
|
||||
systemd.services.pulse = {
|
||||
wantedBy = [ "sound.target" ];
|
||||
before = [ "sound.target" ];
|
||||
environment = {
|
||||
PULSE_RUNTIME_PATH = "${runDir}/home";
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkg}/bin/pulseaudio --exit-idle-time=-1";
|
||||
ExecStartPre = pkgs.writeDash "pulse-start" ''
|
||||
install -o pulse -g pulse -m 0750 -d ${runDir}
|
||||
install -o pulse -g pulse -m 0700 -d ${runDir}/home
|
||||
'';
|
||||
PermissionsStartOnly = "true";
|
||||
User = "pulse";
|
||||
};
|
||||
};
|
||||
|
||||
# TODO assert that pulse is the only user with "audio" in group/extraGroups
|
||||
# otherwise the audio device can be hijacked while the pulse service restarts
|
||||
# (e.g. when mpv is running) and then the service will fail.
|
||||
users = {
|
||||
groups.pulse.gid = config.users.users.pulse.uid;
|
||||
users.pulse = {
|
||||
uid = genid_uint31 "pulse";
|
||||
group = "pulse";
|
||||
extraGroups = [ "audio" ];
|
||||
home = "${runDir}/home";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,40 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.repo-sync.enable = true;
|
||||
krebs.repo-sync.repos.wiki.branches.hotdog = {
|
||||
origin.url = "http://cgit.hotdog.r/wiki";
|
||||
mirror.url = "git@${config.krebs.build.host.name}.r:wiki";
|
||||
};
|
||||
krebs.git.repos.wiki = {
|
||||
public = true;
|
||||
name = "wiki";
|
||||
cgit.desc = toString [
|
||||
"mirror of"
|
||||
config.krebs.repo-sync.repos.wiki.branches.hotdog.origin.url
|
||||
];
|
||||
cgit.section = "7. mirrors";
|
||||
hooks.post-receive = /* sh */ ''
|
||||
${pkgs.git-hooks.irc-announce {
|
||||
channel = "#xxx";
|
||||
nick = config.krebs.build.host.name;
|
||||
server = "irc.r";
|
||||
}}
|
||||
${pkgs.cgit-clear-cache.override {
|
||||
inherit (config.krebs.git.cgit.settings) cache-root;
|
||||
}}/bin/cgit-clear-cache
|
||||
'';
|
||||
};
|
||||
krebs.git.rules = lib.singleton {
|
||||
user = lib.singleton config.krebs.users.repo-sync;
|
||||
repo = lib.singleton config.krebs.git.repos.wiki;
|
||||
perm = lib.git.push "refs/*" [
|
||||
lib.git.create
|
||||
lib.git.delete
|
||||
lib.git.merge
|
||||
lib.git.non-fast-forward
|
||||
];
|
||||
};
|
||||
krebs.users.${config.krebs.repo-sync.user.name}.pubkey = {
|
||||
ni = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINK9U0Ob9/O0kxg3trhZY/vDnbqfN+R5cASGiClRr4IM";
|
||||
}.${config.krebs.build.host.name};
|
||||
}
|
@ -1,27 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
krebs.tinc.retiolum = {
|
||||
enable = true;
|
||||
connectTo = filter (ne config.krebs.build.host.name) [
|
||||
"ni"
|
||||
"prism"
|
||||
"eve"
|
||||
];
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
'';
|
||||
tincPackage = pkgs.tinc_pre;
|
||||
tincUp = lib.mkIf config.systemd.network.enable "";
|
||||
};
|
||||
systemd.network.networks.retiolum = {
|
||||
matchConfig.Name = "retiolum";
|
||||
address = let
|
||||
inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
|
||||
in [
|
||||
"${ip4.addr}/${toString ip4.prefixLength}"
|
||||
"${ip6.addr}/${toString ip6.prefixLength}"
|
||||
];
|
||||
};
|
||||
tv.iptables.input-internet-accept-tcp = singleton "tinc";
|
||||
tv.iptables.input-internet-accept-udp = singleton "tinc";
|
||||
}
|
@ -1,17 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.smartd = {
|
||||
enable = true;
|
||||
devices = [
|
||||
{
|
||||
device = "DEVICESCAN";
|
||||
options = toString [
|
||||
"-a"
|
||||
"-m ${config.krebs.users.tv.mail}"
|
||||
"-s (O/../.././09|S/../.././04|L/../../6/05)"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
@ -1,22 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
# Override NixOS's "Allow DSA keys for now."
|
||||
environment.etc."ssh/ssh_config".text = mkForce ''
|
||||
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
||||
|
||||
${optionalString config.programs.ssh.setXAuthLocation ''
|
||||
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
|
||||
''}
|
||||
|
||||
ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
|
||||
|
||||
${config.programs.ssh.extraConfig}
|
||||
'';
|
||||
|
||||
programs.ssh = {
|
||||
extraConfig = ''
|
||||
UseRoaming no
|
||||
'';
|
||||
startAgent = false;
|
||||
};
|
||||
}
|
@ -1,27 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, ... }: let
|
||||
cfg.host = config.krebs.build.host;
|
||||
nets =
|
||||
optional (cfg.host.nets?retiolum) cfg.host.nets.retiolum ++
|
||||
optional (cfg.host.nets?wiregrill) cfg.host.nets.wiregrill;
|
||||
in {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
};
|
||||
tv.iptables.input-internet-accept-tcp = singleton "ssh";
|
||||
tv.iptables.extra.nat.OUTPUT = [
|
||||
"-o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22"
|
||||
];
|
||||
tv.iptables.extra4.nat.PREROUTING =
|
||||
map
|
||||
(net: "-d ${net.ip4.addr} -p tcp --dport 22 -j ACCEPT")
|
||||
(filter (net: net.ip4 != null) nets);
|
||||
tv.iptables.extra6.nat.PREROUTING =
|
||||
map
|
||||
(net: "-d ${net.ip6.addr} -p tcp --dport 22 -j ACCEPT")
|
||||
(filter (net: net.ip6 != null) nets);
|
||||
tv.iptables.extra.nat.PREROUTING = [
|
||||
"-p tcp --dport 22 -j REDIRECT --to-ports 0"
|
||||
"-p tcp --dport 11423 -j REDIRECT --to-ports 22"
|
||||
];
|
||||
}
|
@ -1,117 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
exec = filename: args: url: {
|
||||
inherit url;
|
||||
filter = singleton {
|
||||
system =
|
||||
concatMapStringsSep " " shell.escape ([filename] ++ toList args);
|
||||
};
|
||||
};
|
||||
json = json' ["."];
|
||||
json' = exec "${pkgs.jq}/bin/jq";
|
||||
urigrep' = exec (pkgs.writeDash "urigrep" ''
|
||||
${pkgs.urix}/bin/urix | ${pkgs.gnugrep}/bin/grep -E "$1"
|
||||
'');
|
||||
xml = xml' ["--format" "-"];
|
||||
xml' = exec "${pkgs.libxml2}/bin/xmllint";
|
||||
in {
|
||||
krebs.urlwatch = {
|
||||
enable = true;
|
||||
mailto = config.krebs.users.tv.mail;
|
||||
onCalendar = "*-*-* 05:00:00";
|
||||
urls = [
|
||||
## nixpkgs maintenance
|
||||
|
||||
# 2014-07-29 when one of the following urls change
|
||||
# then we have to update the package
|
||||
|
||||
http://www.exim.org/
|
||||
|
||||
# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
|
||||
{
|
||||
url = https://thp.io/2008/urlwatch/;
|
||||
# workaround: ('Received response with content-encoding: gzip, but
|
||||
# failed to decode it.', error('Error -3 while decompressing data:
|
||||
# incorrect header check',))
|
||||
ignore_cached = true;
|
||||
}
|
||||
|
||||
# 2015-02-18
|
||||
# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
|
||||
http://www.fourmilab.ch/webtools/qprint/
|
||||
|
||||
# 2014-09-24 ref https://github.com/4z3/xintmap
|
||||
http://www.mathstat.dal.ca/~selinger/quipper/
|
||||
|
||||
## 2014-10-17
|
||||
## TODO update ~/src/login/default.nix
|
||||
#http://hackage.haskell.org/package/bcrypt
|
||||
#http://hackage.haskell.org/package/cron
|
||||
#http://hackage.haskell.org/package/hyphenation
|
||||
#http://hackage.haskell.org/package/iso8601-time
|
||||
#http://hackage.haskell.org/package/ixset-typed
|
||||
#http://hackage.haskell.org/package/system-command
|
||||
#http://hackage.haskell.org/package/transformers
|
||||
#http://hackage.haskell.org/package/web-routes-wai
|
||||
#http://hackage.haskell.org/package/web-page
|
||||
|
||||
# ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
|
||||
(json https://api.github.com/meta)
|
||||
|
||||
# ref <nixpkgs/pkgs/tools/security/ssh-audit>
|
||||
(json https://api.github.com/repos/arthepsy/ssh-audit/tags)
|
||||
|
||||
# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
|
||||
(json https://api.github.com/repos/ioerror/tlsdate/tags)
|
||||
|
||||
# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
|
||||
(json https://api.github.com/repos/simple-evcorr/sec/tags)
|
||||
|
||||
# <stockholm/tv/2configs/xserver/xserver.conf.nix>
|
||||
# is derived from `configFile` in:
|
||||
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
|
||||
|
||||
https://www.rabbitmq.com/changelog.html
|
||||
|
||||
(urigrep' ["software-resources"] https://semiconductor.samsung.com/consumer-storage/support/tools/)
|
||||
];
|
||||
hooksFile = toFile "hooks.py" ''
|
||||
import subprocess
|
||||
import urlwatch
|
||||
|
||||
class SystemFilter(urlwatch.filters.FilterBase):
|
||||
"""Filter for piping data through an external process"""
|
||||
|
||||
__kind__ = 'system'
|
||||
|
||||
__supported_subfilters__ = {
|
||||
'command': 'shell command line to tranform data',
|
||||
}
|
||||
|
||||
__default_subfilter__ = 'command'
|
||||
|
||||
def filter(self, data, subfilter=None):
|
||||
if 'command' not in subfilter:
|
||||
raise ValueError('{} filter needs a command'.format(self.__kind__))
|
||||
|
||||
proc = subprocess.Popen(
|
||||
subfilter['command'],
|
||||
shell=True,
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
)
|
||||
|
||||
(stdout, stderr) = proc.communicate(data.encode())
|
||||
|
||||
if proc.returncode != 0:
|
||||
raise RuntimeError(
|
||||
"system filter returned non-zero exit status %d; stderr:\n"
|
||||
% proc.returncode
|
||||
+ stderr.decode()
|
||||
)
|
||||
|
||||
return stdout.decode()
|
||||
'';
|
||||
};
|
||||
}
|
@ -1,183 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let {
|
||||
body = {
|
||||
environment.systemPackages = [
|
||||
vim-wrapper
|
||||
];
|
||||
|
||||
environment.etc.vimrc.source = vimrc;
|
||||
|
||||
environment.variables.EDITOR = mkForce "vim";
|
||||
environment.variables.VIMINIT = ":so /etc/vimrc";
|
||||
};
|
||||
|
||||
base-plugins = [
|
||||
pkgs.tv.vimPlugins.file-line
|
||||
pkgs.tv.vimPlugins.hack
|
||||
pkgs.vimPlugins.undotree
|
||||
(pkgs.tv.vim.makePlugin (pkgs.write "vim-tv-base" {
|
||||
"/ftplugin/haskell.vim".text = ''
|
||||
if exists("g:vim_tv_ftplugin_haskell_loaded")
|
||||
finish
|
||||
endif
|
||||
let g:vim_tv_ftplugin_haskell_loaded = 1
|
||||
|
||||
setlocal iskeyword+='
|
||||
'';
|
||||
}))
|
||||
];
|
||||
|
||||
extra-plugins = [
|
||||
pkgs.tv.vimPlugins.elixir
|
||||
pkgs.tv.vimPlugins.fzf
|
||||
pkgs.tv.vimPlugins.jq
|
||||
pkgs.tv.vimPlugins.nix
|
||||
pkgs.tv.vimPlugins.showsyntax
|
||||
pkgs.tv.vimPlugins.tv
|
||||
pkgs.tv.vimPlugins.vim
|
||||
pkgs.vimPlugins.fzfWrapper
|
||||
pkgs.vimPlugins.vim-nftables
|
||||
];
|
||||
|
||||
dirs = {
|
||||
backupdir = "$HOME/.cache/vim/backup";
|
||||
swapdir = "$HOME/.cache/vim/swap";
|
||||
undodir = "$HOME/.cache/vim/undo";
|
||||
};
|
||||
files = {
|
||||
viminfo = "$HOME/.cache/vim/info";
|
||||
};
|
||||
|
||||
need-dirs = let
|
||||
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
|
||||
in assert out != ""; out;
|
||||
alldirs = attrValues dirs ++ map dirOf (attrValues files);
|
||||
in unique (sort lessThan alldirs);
|
||||
|
||||
vim-wrapper = pkgs.symlinkJoin {
|
||||
name = "vim";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "vim" ''
|
||||
set -efu
|
||||
export FZF_DEFAULT_COMMAND='${pkgs.ripgrep}/bin/rg --files'
|
||||
export PATH=$PATH:${makeBinPath [
|
||||
pkgs.fzf
|
||||
pkgs.ripgrep
|
||||
]}
|
||||
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString need-dirs})
|
||||
exec ${pkgs.vim}/bin/vim "$@"
|
||||
'')
|
||||
pkgs.vim
|
||||
];
|
||||
};
|
||||
|
||||
vimrc = pkgs.writeText "vimrc" /* vim */ ''
|
||||
vim9script
|
||||
|
||||
set nocompatible
|
||||
|
||||
set autoindent
|
||||
set backspace=indent,eol,start
|
||||
set backup
|
||||
set backupdir=${dirs.backupdir}/
|
||||
set directory=${dirs.swapdir}//
|
||||
set hlsearch
|
||||
set incsearch
|
||||
set mouse=a
|
||||
set noruler
|
||||
set pastetoggle=<INS>
|
||||
set runtimepath=${pkgs.tv.vim.makeRuntimePath base-plugins},$VIMRUNTIME
|
||||
set shortmess+=I
|
||||
set showcmd
|
||||
set showmatch
|
||||
set timeoutlen=0
|
||||
set ttimeoutlen=0
|
||||
set ttymouse=sgr
|
||||
set undodir=${dirs.undodir}
|
||||
set undofile
|
||||
set undolevels=1000000
|
||||
set undoreload=1000000
|
||||
set viminfo='20,<1000,s100,h,n${files.viminfo}
|
||||
set visualbell
|
||||
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
|
||||
set wildmenu
|
||||
set wildmode=longest,full
|
||||
|
||||
set runtimepath^=${pkgs.tv.vim.makeRuntimePath extra-plugins}
|
||||
syntax on
|
||||
|
||||
set et ts=2 sts=2 sw=2
|
||||
|
||||
filetype plugin indent on
|
||||
|
||||
set t_Co=256
|
||||
colorscheme hack
|
||||
|
||||
au Syntax * syn match Garbage containedin=ALL /\s\+$/
|
||||
\ | syn match TabStop containedin=ALL /\t\+/
|
||||
\ | syn keyword Todo containedin=ALL TODO
|
||||
|
||||
au BufRead,BufNewFile *.nix set ft=nix
|
||||
|
||||
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
|
||||
|
||||
cnoremap <C-A> <Home>
|
||||
|
||||
noremap <C-c> :q<cr>
|
||||
|
||||
nnoremap <esc>[5^ :tabp<cr>
|
||||
nnoremap <esc>[6^ :tabn<cr>
|
||||
nnoremap <esc>[5@ :tabm -1<cr>
|
||||
nnoremap <esc>[6@ :tabm +1<cr>
|
||||
|
||||
nnoremap <f1> :tabp<cr>
|
||||
nnoremap <f2> :tabn<cr>
|
||||
imap <f1> <esc><f1>
|
||||
imap <f2> <esc><f2>
|
||||
|
||||
nnoremap <S-f1> :tabm -1<cr>
|
||||
nnoremap <S-f2> :tabm +1<cr>
|
||||
imap <S-f1> <esc><S-f1>
|
||||
imap <S-f2> <esc><S-f2>
|
||||
|
||||
noremap <f3> :ShowSyntax<cr>
|
||||
|
||||
# <C-{Up,Down,Right,Left}>
|
||||
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
|
||||
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
|
||||
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
|
||||
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
|
||||
# <[C]S-{Up,Down,Right,Left}>
|
||||
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
|
||||
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
|
||||
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
|
||||
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
|
||||
vnoremap u <nop>
|
||||
|
||||
# fzf
|
||||
nnoremap <esc>q :Buffers<cr>
|
||||
nnoremap <esc>f :Files<cr>
|
||||
nnoremap <esc>w :Rg<cr>
|
||||
|
||||
# edit alternate buffer
|
||||
# For some reason neither putting <ctrl>6 nor <ctrl>^ works here...
|
||||
nnoremap <esc>a
|
||||
|
||||
if $TOUCHSCREEN == "1"
|
||||
nnoremap <ScrollWheelUp> <C-y>
|
||||
nnoremap <ScrollWheelDown> <C-e>
|
||||
nnoremap <C-ScrollWheelUp> 3<C-y>
|
||||
nnoremap <C-ScrollWheelDown> 3<C-e>
|
||||
nnoremap <S-ScrollWheelUp> 3<C-y>
|
||||
nnoremap <S-ScrollWheelDown> 3<C-e>
|
||||
nnoremap <C-S-ScrollWheelUp> <PageUp>
|
||||
nnoremap <C-S-ScrollWheelDown> <PageDown>
|
||||
endif
|
||||
|
||||
# remember last position
|
||||
autocmd BufReadPost *
|
||||
\ if line("'\"") > 0 && line("'\"") <= line("$") |
|
||||
\ exe "normal! g`\"" |
|
||||
\ endif
|
||||
'';
|
||||
}
|
@ -1,24 +0,0 @@
|
||||
{ config, pkgs, ... }: {
|
||||
users.users.tv.packages = [
|
||||
(pkgs.writers.writeDashBin "weechat-client" ''
|
||||
set -efu
|
||||
exec ${pkgs.tmux}/bin/tmux attach -t weechat
|
||||
'')
|
||||
];
|
||||
systemd.services.weechat = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
environment = {
|
||||
TERM = "rxvt-unicode-256color";
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.tmux}/bin/tmux new -d -s weechat ${pkgs.weechat}/bin/weechat";
|
||||
OOMScoreAdjust = -1000;
|
||||
Restart = "always";
|
||||
RestartSec = "100ms";
|
||||
Type = "forking";
|
||||
StartLimitBurst = 0;
|
||||
User = "tv";
|
||||
WorkingDirectory = "/home/tv";
|
||||
};
|
||||
};
|
||||
}
|
@ -1,37 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
cfg = {
|
||||
enable = cfg.net != null;
|
||||
net = config.krebs.build.host.nets.wiregrill or null;
|
||||
};
|
||||
toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";
|
||||
in
|
||||
mkIf cfg.enable {
|
||||
networking.wireguard.interfaces.wiregrill = {
|
||||
ips =
|
||||
optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
|
||||
optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
|
||||
listenPort = 51820;
|
||||
privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
|
||||
allowedIPsAsRoutes = true;
|
||||
peers = mapAttrsToList
|
||||
(_: host: {
|
||||
allowedIPs = host.nets.wiregrill.wireguard.subnets;
|
||||
endpoint =
|
||||
mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
|
||||
persistentKeepalive = mkIf (host.nets.wiregrill.via != null) 61;
|
||||
publicKey =
|
||||
replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;
|
||||
})
|
||||
(filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
|
||||
};
|
||||
systemd.network.networks.wiregrill = {
|
||||
matchConfig.Name = "wiregrill";
|
||||
address =
|
||||
optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4) ++
|
||||
optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6);
|
||||
};
|
||||
tv.iptables.extra.filter.INPUT = [
|
||||
"-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT"
|
||||
];
|
||||
}
|
@ -1,11 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
|
||||
|
||||
systemd.tmpfiles.rules = let
|
||||
forUsers = flip map users;
|
||||
isUser = { name, group, ... }:
|
||||
name == "root" || hasSuffix "users" group;
|
||||
users = filter isUser (mapAttrsToList (_: id) config.users.users);
|
||||
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
|
||||
}
|
@ -1,28 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
with import ./lib;
|
||||
|
||||
pkgs.writeText "Xmodmap" ''
|
||||
!keycode 66 = Caps_Lock
|
||||
!remove Lock = Caps_Lock
|
||||
clear Lock
|
||||
|
||||
! caps lock
|
||||
keycode 66 = Mode_switch
|
||||
|
||||
keycode 13 = 4 dollar EuroSign cent
|
||||
keycode 30 = u U udiaeresis Udiaeresis
|
||||
keycode 32 = o O odiaeresis Odiaeresis
|
||||
keycode 38 = a A adiaeresis Adiaeresis
|
||||
keycode 39 = s S ssharp
|
||||
|
||||
keycode 33 = p P Greek_pi Greek_PI
|
||||
keycode 40 = d D Greek_delta Greek_DELTA
|
||||
keycode 46 = l L Greek_lambda Greek_LAMBDA
|
||||
|
||||
keycode 54 = c C cacute Cacute
|
||||
|
||||
! BULLET OPERATOR
|
||||
keycode 17 = 8 asterisk U2219
|
||||
keycode 27 = r R r U211D
|
||||
''
|
@ -1,167 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }@args: let
|
||||
cfg = {
|
||||
cacheDir = cfg.dataDir;
|
||||
configDir = "/var/empty";
|
||||
dataDir = "/run/xdg/${cfg.user.name}/xmonad";
|
||||
user = config.krebs.build.user;
|
||||
xmonad.pkg = pkgs.haskellPackages.xmonad-tv.overrideAttrs (_: {
|
||||
au = {
|
||||
XMONAD_BUILD_SCREEN_WIDTH = 1920;
|
||||
XMONAD_BUILD_TERM_FONT_WIDTH = 10;
|
||||
XMONAD_BUILD_TERM_FONT = "xft:Input Mono:size=12:style=Regular";
|
||||
XMONAD_BUILD_TERM_PADDING = 2;
|
||||
};
|
||||
}.${config.krebs.build.host.name} or {
|
||||
XMONAD_BUILD_SCREEN_WIDTH = 1366;
|
||||
XMONAD_BUILD_TERM_FONT_WIDTH = 6;
|
||||
XMONAD_BUILD_TERM_FONT = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
|
||||
XMONAD_BUILD_TERM_PADDING = 2;
|
||||
});
|
||||
};
|
||||
in {
|
||||
|
||||
imports = [
|
||||
./sxiv.nix
|
||||
./urxvt.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.ff
|
||||
pkgs.font-size
|
||||
pkgs.gitAndTools.qgit
|
||||
pkgs.mpv
|
||||
pkgs.xdotool
|
||||
pkgs.xsel
|
||||
pkgs.zathura
|
||||
];
|
||||
|
||||
fonts.fonts = [
|
||||
pkgs.xorg.fontschumachermisc
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
|
||||
# Don't install feh into systemPackages
|
||||
# refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
|
||||
desktopManager.session = mkForce [];
|
||||
|
||||
displayManager.lightdm.enable = mkForce false;
|
||||
displayManager.job.execCmd = mkForce "derp";
|
||||
|
||||
enable = true;
|
||||
display = mkForce 11;
|
||||
tty = mkForce 11;
|
||||
};
|
||||
|
||||
systemd.services.display-manager.enable = false;
|
||||
|
||||
systemd.services.xmonad = let
|
||||
xmonad = "${cfg.xmonad.pkg}/bin/xmonad";
|
||||
xmonad-start = pkgs.writeDash "xmonad-start" ''
|
||||
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR"
|
||||
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR"
|
||||
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_DATA_DIR"
|
||||
|
||||
f=$HOME/.dbus/session-bus/$(${pkgs.coreutils}/bin/cat /etc/machine-id)-${
|
||||
toString config.services.xserver.display
|
||||
}
|
||||
if test -e "$f" &&
|
||||
. "$f" &&
|
||||
${pkgs.coreutils}/bin/kill -0 "$DBUS_SESSION_BUS_PID"
|
||||
then
|
||||
export DBUS_SESSION_BUS_ADDRESS
|
||||
else
|
||||
eval "$(${pkgs.dbus.lib}/bin/dbus-launch --sh-syntax)"
|
||||
fi
|
||||
|
||||
exec ${xmonad}
|
||||
'';
|
||||
xmonad-ready = pkgs.writeDash "xmonad-ready" ''
|
||||
${pkgs.systemd}/bin/systemd-notify --ready
|
||||
{
|
||||
${pkgs.xorg.xhost}/bin/xhost +SI:localuser:${cfg.user.name}
|
||||
${pkgs.xorg.xhost}/bin/xhost -LOCAL:
|
||||
} &
|
||||
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
|
||||
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
|
||||
wait
|
||||
'';
|
||||
in {
|
||||
wantedBy = [ "graphical.target" ];
|
||||
requires = [ "xserver.service" ];
|
||||
environment = {
|
||||
DISPLAY = ":${toString config.services.xserver.display}";
|
||||
FZMENU_FZF_DEFAULT_OPTS = toString [
|
||||
"--color=dark,border:126,bg+:090"
|
||||
"--inline-info"
|
||||
];
|
||||
XMONAD_CACHE_DIR = cfg.cacheDir;
|
||||
XMONAD_CONFIG_DIR = cfg.configDir;
|
||||
XMONAD_DATA_DIR = cfg.dataDir;
|
||||
XMONAD_STARTUP_HOOK = xmonad-ready;
|
||||
XMONAD_WORKSPACES0_FILE = pkgs.writeJSON "xmonad-workspaces0.json" [
|
||||
"Dashboard" # we start here
|
||||
"23"
|
||||
"cr"
|
||||
"ff"
|
||||
"hack"
|
||||
"im"
|
||||
"mail"
|
||||
"stockholm"
|
||||
"za" "zh" "zj" "zs"
|
||||
];
|
||||
};
|
||||
path = [
|
||||
config.tv.slock.package
|
||||
pkgs.flameshot-once-tv
|
||||
pkgs.pulseaudio.out
|
||||
pkgs.rxvt_unicode
|
||||
pkgs.xcalib
|
||||
"/run/wrappers" # for su
|
||||
];
|
||||
serviceConfig = {
|
||||
ExecStart = "@${xmonad-start} xmonad-${currentSystem}";
|
||||
ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown";
|
||||
SyslogIdentifier = "xmonad";
|
||||
User = cfg.user.name;
|
||||
WorkingDirectory = cfg.user.home;
|
||||
|
||||
NotifyAccess = "all";
|
||||
Type = "notify";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.xserver = {
|
||||
after = [
|
||||
"acpid.service"
|
||||
"local-fs.target"
|
||||
"systemd-udev-settle.service"
|
||||
];
|
||||
wants = [
|
||||
"systemd-udev-settle.service"
|
||||
];
|
||||
restartIfChanged = false;
|
||||
environment = {
|
||||
LD_LIBRARY_PATH = concatStringsSep ":" ([ "/run/opengl-driver/lib" ]
|
||||
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
|
||||
};
|
||||
serviceConfig = {
|
||||
SyslogIdentifier = "xserver";
|
||||
ExecStart = toString [
|
||||
"${pkgs.xorg.xorgserver}/bin/X"
|
||||
":${toString config.services.xserver.display}"
|
||||
"vt${toString config.services.xserver.tty}"
|
||||
"-config ${import ./xserver.conf.nix args}"
|
||||
"-logfile /dev/null -logverbose 0 -verbose 3"
|
||||
"-nolisten tcp"
|
||||
"-xkbdir ${config.services.xserver.xkbDir}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
tv.slock = {
|
||||
enable = true;
|
||||
user = cfg.user;
|
||||
};
|
||||
}
|
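--- a/path-not-shown-on-page-01
+++ /dev/null
@@ -1 +0,0 @@
-../lib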
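--- a/path-not-shown-on-page-02
+++ /dev/null
@@ -1,12 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: let
-cfg.user = config.krebs.build.user;
-in {
-tv.Xresources = {
-"Sxiv.foreground" = "#232323";
-"Sxiv.background" = "#424242";
-};
-users.users.${cfg.user.name}.packages = [
-pkgs.sxiv
-];
-}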
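--- a/path-not-shown-on-page-03
+++ /dev/null
@@ -1,73 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: let
-cfg.user = config.krebs.build.user;
-in {
-systemd.services.urxvtd = {
-wantedBy = [ "graphical.target" ];
-restartIfChanged = false;
-serviceConfig = {
-SyslogIdentifier = "urxvtd";
-ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-Restart = "always";
-RestartSec = "2s";
-StartLimitBurst = 0;
-User = cfg.user.name;
-};
-};
-tv.Xresources = {
-"URxvt*cutchars" = ''"\\`\"'&()*,;<=>?@[]^{|}‘’"'';
-"URxvt*eightBitInput" = "false";
-"URxvt*font" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
-"URxvt*boldFont" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
-"URxvt*scrollBar" = "false";
-"URxvt*background" = "#050505";
-"URxvt*foreground" = "#d0d7d0";
-"URxvt*cursorColor" = "#f042b0";
-"URxvt*cursorColor2" = "#f0b000";
-"URxvt*cursorBlink" = "off";
-"URxvt*jumpScroll" = "true";
-"URxvt*allowSendEvents" = "false";
-"URxvt*charClass" = "33:48,37-38:48,45-47:48,61:48,63-64:48";
-"URxvt*cutNewline" = "False";
-"URxvt*cutToBeginningOfLine" = "False";
-
-"URxvt*color0" = "#232342";
-"URxvt*color3" = "#c07000";
-"URxvt*color4" = "#4040c0";
-"URxvt*color7" = "#c0c0c0";
-"URxvt*color8" = "#707070";
-"URxvt*color9" = "#ff6060";
-"URxvt*color10" = "#70ff70";
-"URxvt*color11" = "#ffff70";
-"URxvt*color12" = "#7070ff";
-"URxvt*color13" = "#ff50ff";
-"URxvt*color14" = "#70ffff";
-"URxvt*color15" = "#ffffff";
-
-"URxvt*iso14755" = "False";
-
-"URxvt*urgentOnBell" = "True";
-"URxvt*visualBell" = "True";
-
-# ref https://github.com/muennich/urxvt-perls
-"URxvt*perl-ext" = "default,url-select";
-"URxvt*keysym.M-u" = "perl:url-select:select_next";
-"URxvt*url-select.launcher" =
-"/etc/profiles/per-user/${cfg.user.name}/bin/ff -new-tab";
-"URxvt*url-select.underline" = "true";
-"URxvt*colorUL" = "#4682B4";
-"URxvt.perl-lib" = "${pkgs.urxvt_perls}/lib/urxvt/perl";
-"URxvt*saveLines" = "10000";
-"URxvt*modifier" = "mod1";
-
-"root-urxvt*background" = "#230000";
-"root-urxvt*foreground" = "#e0c0c0";
-"root-urxvt*BorderColor" = "#400000";
-"root-urxvt*color0" = "#800000";
-
-"fzmenu-urxvt*background" = "rgb:42/23/42";
-"fzmenu-urxvt*externalBorder" = "1";
-"fzmenu-urxvt*geometry" = "70x9";
-"fzmenu-urxvt*internalBorder" = "1";
-};
-}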
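--- a/path-not-shown-on-page-04
+++ /dev/null
@@ -1,14 +0,0 @@
-{ pkgs, ... }: {
-
-services.acpid.enable = true;
-services.acpid.handlers.xkiller = {
-action = /* sh */ ''
-event=($1)
-if test "''${event[2]}" = 00000080; then
-${pkgs.systemd}/bin/systemd-cat -t xkiller ${pkgs.xkiller}
-fi
-'';
-event = "button/prog1";
-};
-
-}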
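--- a/path-not-shown-on-page-05
+++ /dev/null
@@ -1,39 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }:
-
-let
-cfg = config.services.xserver;
-in
-
-pkgs.stdenv.mkDerivation {
-name = "xserver.conf";
-
-fontPath = optionalString (cfg.fontPath != null)
-''FontPath "${toString cfg.fontPath}"'';
-
-inherit (cfg) config;
-
-buildCommand =
-''
-echo 'Section "Files"' >> $out
-echo $fontPath >> $out
-
-for i in ${toString config.fonts.fonts}; do
-if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
-for j in $(find $i -name fonts.dir); do
-echo " FontPath \"$(dirname $j)\"" >> $out
-done
-fi
-done
-
-for i in $(find ${toString cfg.modules} -type d); do
-if test $(echo $i/*.so* | wc -w) -ne 0; then
-echo " ModulePath \"$i\"" >> $out
-fi
-done
-
-echo 'EndSection' >> $out
-
-echo "$config" >> $out
-'';
-}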
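--- a/path-not-shown-on-page-06
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-imports = [
-./urxvtd.nix
-];
-}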
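--- a/path-not-shown-on-page-07
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs, ... }: {
-systemd.user.sockets.urxvtd = {
-wantedBy = [ "sockets.target" ];
-socketConfig.ListenStream = "%t/urxvtd";
-};
-systemd.user.services.urxvtd = {
-restartIfChanged = false;
-environment = {
-RXVT_SOCKET = "%t/urxvtd";
-};
-serviceConfig = {
-ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-};
-};
-}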
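--- a/path-not-shown-on-page-08
+++ /dev/null
@@ -1,38 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: let
-cfg = {
-enable = config.services.xserver.enable && config.tv.Xresources != {};
-user = config.krebs.build.user;
-};
-in {
-options.tv.Xresources = mkOption {
-default = {};
-type = types.attrsOf types.str;
-};
-config = {
-nixpkgs.overlays = singleton (self: super: {
-tv = super.tv or {} // {
-Xresources =
-self.writeText "Xresources"
-(concatStrings (mapAttrsToList (name: value: /* xdefaults */ ''
-${name}: ${value}
-'') config.tv.Xresources));
-};
-});
-systemd.services.${if cfg.enable then "Xresources" else null} = {
-wantedBy = [ "graphical.target" ];
-after = [ "xmonad.service" ];
-environment = {
-DISPLAY = ":${toString config.services.xserver.display}";
-};
-serviceConfig = {
-ExecStart = "${pkgs.xorg.xrdb}/bin/xrdb ${pkgs.tv.Xresources}";
-RemainAfterExit = true;
-SyslogIdentifier = "Xresources";
-Type = "oneshot";
-User = cfg.user.name;
-WorkingDirectory = cfg.user.home;
-};
-};
-};
-}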
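--- a/path-not-shown-on-page-09
+++ /dev/null
@@ -1,519 +0,0 @@
-{ config, ... }: with import ./lib; let
-cfg = config.tv.charybdis;
-in toFile "charybdis.conf" ''
-/* doc/example.conf - brief example configuration file
-*
-* Copyright (C) 2000-2002 Hybrid Development Team
-* Copyright (C) 2002-2005 ircd-ratbox development team
-* Copyright (C) 2005-2006 charybdis development team
-*
-* $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $
-*
-* See reference.conf for more information.
-*/
-
-/* Extensions */
-#loadmodule "extensions/chm_operonly_compat.so";
-#loadmodule "extensions/chm_quietunreg_compat.so";
-#loadmodule "extensions/chm_sslonly_compat.so";
-#loadmodule "extensions/createauthonly.so";
-#loadmodule "extensions/extb_account.so";
-#loadmodule "extensions/extb_canjoin.so";
-#loadmodule "extensions/extb_channel.so";
-#loadmodule "extensions/extb_extgecos.so";
-#loadmodule "extensions/extb_oper.so";
-#loadmodule "extensions/extb_realname.so";
-#loadmodule "extensions/extb_server.so";
-#loadmodule "extensions/extb_ssl.so";
-#loadmodule "extensions/hurt.so";
-#loadmodule "extensions/m_findforwards.so";
-#loadmodule "extensions/m_identify.so";
-#loadmodule "extensions/no_oper_invis.so";
-#loadmodule "extensions/sno_farconnect.so";
-#loadmodule "extensions/sno_globalkline.so";
-#loadmodule "extensions/sno_globaloper.so";
-#loadmodule "extensions/sno_whois.so";
-loadmodule "extensions/override.so";
-
-/*
-* IP cloaking extensions: use ip_cloaking_4.0
-* if you're linking 3.2 and later, otherwise use
-* ip_cloaking.so, for compatibility with older 3.x
-* releases.
-*/
-
-#loadmodule "extensions/ip_cloaking_4.0.so";
-#loadmodule "extensions/ip_cloaking.so";
-
-serverinfo {
-name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
-sid = "4z3";
-description = "miep!";
-network_name = "irc.r";
-#network_desc = "Retiolum IRC Network";
-hub = yes;
-
-/* On multi-homed hosts you may need the following. These define
-* the addresses we connect from to other servers. */
-/* for IPv4 */
-vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
-/* for IPv6 */
-vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
-
-/* ssl_private_key: our ssl private key */
-ssl_private_key = "/tmp/credentials/ssl_private_key";
-
-/* ssl_cert: certificate for our ssl server */
-ssl_cert = ${toJSON cfg.ssl_cert};
-
-/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
-ssl_dh_params = "/tmp/credentials/ssl_dh_params";
-
-/* ssld_count: number of ssld processes you want to start, if you
-* have a really busy server, using N-1 where N is the number of
-* cpu/cpu cores you have might be useful. A number greater than one
-* can also be useful in case of bugs in ssld and because ssld needs
-* two file descriptors per SSL connection.
-*/
-ssld_count = 1;
-
-/* default max clients: the default maximum number of clients
-* allowed to connect. This can be changed once ircd has started by
-* issuing:
-* /quote set maxclients <limit>
-*/
-default_max_clients = 1024;
-
-/* nicklen: enforced nickname length (for this server only; must not
-* be longer than the maximum length set while building).
-*/
-nicklen = 30;
-};
-
-admin {
-name = "tv";
-description = "peer";
-};
-
-log {
-fname_userlog = "/dev/stderr";
-fname_fuserlog = "/dev/stderr";
-fname_operlog = "/dev/stderr";
-fname_foperlog = "/dev/stderr";
-fname_serverlog = "/dev/stderr";
-fname_klinelog = "/dev/stderr";
-fname_killlog = "/dev/stderr";
-fname_operspylog = "/dev/stderr";
-fname_ioerrorlog = "/dev/stderr";
-};
-
-/* class {} blocks MUST be specified before anything that uses them. That
-* means they must be defined before auth {} and before connect {}.
-*/
-
-class "krebs" {
-ping_time = 2 minutes;
-number_per_ident = 10;
-number_per_ip = 2048;
-number_per_ip_global = 4096;
-cidr_ipv4_bitlen = 24;
-cidr_ipv6_bitlen = 64;
-number_per_cidr = 65536;
-max_number = 3000;
-sendq = 1 megabyte;
-};
-
-class "users" {
-ping_time = 2 minutes;
-number_per_ident = 10;
-number_per_ip = 1024;
-number_per_ip_global = 4096;
-cidr_ipv4_bitlen = 24;
-cidr_ipv6_bitlen = 64;
-number_per_cidr = 65536;
-max_number = 3000;
-sendq = 400 kbytes;
-};
-
-class "opers" {
-ping_time = 5 minutes;
-number_per_ip = 10;
-max_number = 1000;
-sendq = 1 megabyte;
-};
-
-class "server" {
-ping_time = 5 minutes;
-connectfreq = 5 minutes;
-max_number = 1;
-sendq = 4 megabytes;
-};
-
-listen {
-/* defer_accept: wait for clients to send IRC handshake data before
-* accepting them. if you intend to use software which depends on the
-* server replying first, such as BOPM, you should disable this feature.
-* otherwise, you probably want to leave it on.
-*/
-defer_accept = yes;
-
-/* If you want to listen on a specific IP only, specify host.
-* host definitions apply only to the following port line.
-*/
-#host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
-port = ${toString cfg.port};
-sslport = ${toString cfg.sslport};
-};
-
-/* auth {}: allow users to connect to the ircd (OLD I:)
-* auth {} blocks MUST be specified in order of precedence. The first one
-* that matches a user will be used. So place spoofs first, then specials,
-* then general access, then restricted.
-*/
-auth {
-/* user: the user@host allowed to connect. Multiple IPv4/IPv6 user
-* lines are permitted per auth block. This is matched against the
-* hostname and IP address (using :: shortening for IPv6 and
-* prepending a 0 if it starts with a colon) and can also use CIDR
-* masks.
-*/
-user = "*@10.243.0.0/16";
-user = "*@42::/16";
-
-/* password: an optional password that is required to use this block.
-* By default this is not encrypted, specify the flag "encrypted" in
-* flags = ...; below if it is.
-*/
-#password = "letmein";
-
-/* spoof: fake the users user@host to be be this. You may either
-* specify a host or a user@host to spoof to. This is free-form,
-* just do everyone a favour and dont abuse it. (OLD I: = flag)
-*/
-#spoof = "I.still.hate.packets";
-
-/* Possible flags in auth:
-*
-* encrypted | password is encrypted with mkpasswd
-* spoof_notice | give a notice when spoofing hosts
-* exceed_limit (old > flag) | allow user to exceed class user limits
-* kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls
-* dnsbl_exempt | exempt this user from dnsbls
-* spambot_exempt | exempt this user from spambot checks
-* shide_exempt | exempt this user from serverhiding
-* jupe_exempt | exempt this user from generating
-* warnings joining juped channels
-* resv_exempt | exempt this user from resvs
-* flood_exempt | exempt this user from flood limits
-* USE WITH CAUTION.
-* no_tilde (old - flag) | don't prefix ~ to username if no ident
-* need_ident (old + flag) | require ident for user in this class
-* need_ssl | require SSL/TLS for user in this class
-* need_sasl | require SASL id for user in this class
-*/
-flags = kline_exempt, exceed_limit, flood_exempt;
-
-/* class: the class the user is placed in */
-class = "krebs";
-};
-
-auth {
-user = "*@*";
-class = "users";
-};
-
-/* privset {} blocks MUST be specified before anything that uses them. That
-* means they must be defined before operator {}.
-*/
-privset "local_op" {
-privs = oper:local_kill, oper:operwall;
-};
-
-privset "server_bot" {
-extends = "local_op";
-privs = oper:kline, oper:remoteban, snomask:nick_changes;
-};
-
-privset "global_op" {
-extends = "local_op";
-privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
-oper:resv, oper:mass_notice, oper:remoteban;
-};
-
-privset "admin" {
-extends = "global_op";
-privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override;
-};
-
-privset "aids" {
-privs = oper:override, oper:rehash;
-};
-
-operator "aids" {
-user = "*@10.243.*";
-privset = "aids";
-flags = ~encrypted;
-password = "balls";
-};
-
-operator "god" {
-/* name: the name of the oper must go above */
-
-/* user: the user@host required for this operator. CIDR *is*
-* supported now. auth{} spoofs work here, other spoofs do not.
-* multiple user="" lines are supported.
-*/
-user = "*god@127.0.0.1";
-
-/* password: the password required to oper. Unless ~encrypted is
-* contained in flags = ...; this will need to be encrypted using
-* mkpasswd, MD5 is supported
-*/
-password = "5";
-
-/* rsa key: the public key for this oper when using Challenge.
-* A password should not be defined when this is used, see
-* doc/challenge.txt for more information.
-*/
-#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
-
-/* umodes: the specific umodes this oper gets when they oper.
-* If this is specified an oper will not be given oper_umodes
-* These are described above oper_only_umodes in general {};
-*/
-#umodes = locops, servnotice, operwall, wallop;
-
-/* fingerprint: if specified, the oper's client certificate
-* fingerprint will be checked against the specified fingerprint
-* below.
-*/
-#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
-
-/* snomask: specific server notice mask on oper up.
-* If this is specified an oper will not be given oper_snomask.
-*/
-snomask = "+Zbfkrsuy";
-
-/* flags: misc options for the operator. You may prefix an option
-* with ~ to disable it, e.g. ~encrypted.
-*
-* Default flags are encrypted.
-*
-* Available options:
-*
-* encrypted: the password above is encrypted [DEFAULT]
-* need_ssl: must be using SSL/TLS to oper up
-*/
-flags = encrypted;
-
-/* privset: privileges set to grant */
-privset = "admin";
-};
-
-service {
-name = "services.int";
-};
-
-cluster {
-name = "*";
-flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
-};
-
-shared {
-oper = "*@*", "*";
-flags = all, rehash;
-};
-
-/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
-exempt {
-ip = "127.0.0.1";
-};
-
-channel {
-use_invex = yes;
-use_except = yes;
-use_forward = yes;
-use_knock = yes;
-knock_delay = 5 minutes;
-knock_delay_channel = 1 minute;
-max_chans_per_user = 15;
-max_bans = 100;
-max_bans_large = 500;
-default_split_user_count = 0;
-default_split_server_count = 0;
-no_create_on_split = no;
-no_join_on_split = no;
-burst_topicwho = yes;
-kick_on_split_riding = no;
-only_ascii_channels = no;
-resv_forcepart = yes;
-channel_target_change = yes;
-disable_local_channels = no;
-};
-
-serverhide {
-flatten_links = yes;
-links_delay = 5 minutes;
-hidden = no;
-disable_hidden = no;
-};
-
-/* These are the blacklist settings.
-* You can have multiple combinations of host and rejection reasons.
-* They are used in pairs of one host/rejection reason.
-*
-* These settings should be adequate for most networks, and are (presently)
-* required for use on StaticBox.
-*
-* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
-* connections.
-*
-* As of charybdis 2.2, you can do some keyword substitution on the rejection
-* reason. The available keyword substitutions are:
-*
-* ''${ip} - the user's IP
-* ''${host} - the user's canonical hostname
-* ''${dnsbl-host} - the dnsbl hostname the lookup was done against
-* ''${nick} - the user's nickname
-* ''${network-name} - the name of the network
-*
-* As of charybdis 3.4, a type parameter is supported, which specifies the
-* address families the blacklist supports. IPv4 and IPv6 are supported.
-* IPv4 is currently the default as few blacklists support IPv6 operation
-* as of this writing.
-*
-* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
-* contacted, via email, at admins@2mbit.com before using these BLs.
-* See <http://www.ahbl.org/services.php> for more information.
-*/
-blacklist {
-host = "rbl.efnetrbl.org";
-type = ipv4;
-reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}";
-
-# host = "ircbl.ahbl.org";
-# type = ipv4;
-# reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect.";
-#
-# host = "tor.ahbl.org";
-# type = ipv4;
-# reject_reason = "''${nick}, your IP (''${ip}) is listed as a TOR exit node. In order to protect ''${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
-#
-/* Example of a blacklist that supports both IPv4 and IPv6 */
-# host = "foobl.blacklist.invalid";
-# type = ipv4, ipv6;
-# reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect";
-};
-
-alias "NickServ" {
-target = "NickServ";
-};
-
-alias "ChanServ" {
-target = "ChanServ";
-};
-
-alias "OperServ" {
-target = "OperServ";
-};
-
-alias "MemoServ" {
-target = "MemoServ";
-};
-
-alias "NS" {
-target = "NickServ";
-};
-
-alias "CS" {
-target = "ChanServ";
-};
-
-alias "OS" {
-target = "OperServ";
-};
-
-alias "MS" {
-target = "MemoServ";
-};
-
-general {
-hide_error_messages = opers;
-hide_spoof_ips = yes;
-
-/*
-* default_umodes: umodes to enable on connect.
-* If you have enabled the new ip_cloaking_4.0 module, and you want
-* to make use of it, add +x to this option, i.e.:
-* default_umodes = "+ix";
-*
-* If you have enabled the old ip_cloaking module, and you want
-* to make use of it, add +h to this option, i.e.:
-* default_umodes = "+ih";
-*/
-default_umodes = "+i";
-
-default_operstring = "is an IRC Operator";
-default_adminstring = "is a Server Administrator";
-servicestring = "is a Network Service";
-disable_fake_channels = no;
-tkline_expire_notices = no;
-default_floodcount = 1000;
-failed_oper_notice = yes;
-dots_in_ident=2;
-min_nonwildcard = 4;
-min_nonwildcard_simple = 3;
-max_accept = 100;
-max_monitor = 100;
-anti_nick_flood = yes;
-max_nick_time = 20 seconds;
-max_nick_changes = 5;
-anti_spam_exit_message_time = 5 minutes;
-ts_warn_delta = 30 seconds;
-ts_max_delta = 5 minutes;
-client_exit = yes;
-collision_fnc = yes;
-resv_fnc = yes;
-global_snotices = yes;
-dline_with_reason = yes;
-kline_delay = 0 seconds;
-kline_with_reason = yes;
-kline_reason = "K-Lined";
-identify_service = "NickServ@services.int";
-identify_command = "IDENTIFY";
-non_redundant_klines = yes;
-warn_no_nline = yes;
-use_propagated_bans = yes;
-stats_e_disabled = no;
-stats_c_oper_only=no;
-stats_h_oper_only=no;
-client_flood_max_lines = 16000;
-client_flood_burst_rate = 32000;
-client_flood_burst_max = 32000;
-client_flood_message_num = 32000;
-client_flood_message_time = 32000;
-use_whois_actually = no;
-oper_only_umodes = operwall, locops, servnotice;
-oper_umodes = locops, servnotice, operwall, wallop;
-oper_snomask = "+s";
-burst_away = yes;
-nick_delay = 0 seconds; # 15 minutes if you want to enable this
-reject_ban_time = 1 minute;
-reject_after_count = 3;
-reject_duration = 5 minutes;
-throttle_duration = 1;
-throttle_count = 1000;
-max_ratelimit_tokens = 30;
-away_interval = 30;
-disable_auth = yes;
-};
-
-modules {
-path = "modules";
-path = "modules/autoload";
-};
-
-exempt {
-ip = "10.243.0.0/16";
-};
-''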
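--- a/path-not-shown-on-page-10
+++ /dev/null
@@ -1,81 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }@args: let
-cfg = config.tv.charybdis;
-in {
-options.tv.charybdis = {
-enable = mkEnableOption "tv.charybdis";
-motd = mkOption {
-type = types.str;
-default = "/join #retiolum";
-};
-port = mkOption {
-type = types.int;
-default = 6667;
-};
-ssl_cert = mkOption {
-type = types.path;
-};
-ssl_dh_params = mkOption {
-type = types.absolute-pathname;
-default = "${config.krebs.secret.directory}/charybdis.dh.pem";
-};
-ssl_private_key = mkOption {
-type = types.absolute-pathname;
-default = "${config.krebs.secret.directory}/charybdis.key.pem";
-};
-sslport = mkOption {
-type = types.int;
-default = 6697;
-};
-user = mkOption {
-type = types.user;
-default = {
-name = "charybdis";
-home = "/var/lib/charybdis";
-};
-};
-};
-config = lib.mkIf cfg.enable {
-
-environment.etc."charybdis-ircd.motd".text = cfg.motd;
-
-krebs.systemd.services.charybdis = {};
-
-systemd.services.charybdis = {
-wantedBy = [ "multi-user.target" ];
-after = [ "network-online.target" ];
-environment = {
-BANDB_DBPATH = "${cfg.user.home}/ban.db";
-};
-serviceConfig = {
-SyslogIdentifier = "charybdis";
-User = cfg.user.name;
-PrivateTmp = true;
-Restart = "always";
-ExecStartPre = [
-"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
-"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
-];
-ExecStart = toString [
-"${pkgs.charybdis}/bin/charybdis"
-"-configfile ${import ./config.nix args}"
-"-foreground"
-"-logfile /dev/stderr"
-];
-LoadCredential = [
-"ssl_dh_params:${cfg.ssl_dh_params}"
-"ssl_private_key:${cfg.ssl_private_key}"
-];
-};
-};
-
-users.users.${cfg.user.name} = {
-inherit (cfg.user) home name uid;
-createHome = true;
-group = cfg.user.name;
-isSystemUser = true;
-};
-
-users.groups.${cfg.user.name} = {};
-};
-}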
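--- a/path-not-shown-on-page-11
+++ /dev/null
@@ -1 +0,0 @@
-../lib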
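--- a/path-not-shown-on-page-12
+++ /dev/null
@@ -1,8 +0,0 @@
-with import ./lib;
-{
-imports =
-map
-(name: ./. + "/${name}")
-(attrNames
-(filterAttrs isNixDirEntry (readDir ./.)));
-}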
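--- a/path-not-shown-on-page-13
+++ /dev/null
@@ -1,58 +0,0 @@
-with import ./lib;
-{ config, ... }: let
-cfg = config.tv.dnsmasq;
-in {
-
-options.tv.dnsmasq = {
-enable = mkEnableOption "tv.dnsmasq";
-dhcp-range = mkOption {
-type = types.str;
-};
-interface = mkOption {
-type = types.str;
-};
-address = mkOption {
-type = types.str;
-};
-prefixLength = mkOption {
-type = types.addCheck types.int (x: x >= 0 && x <= 32);
-};
-};
-
-config = mkIf cfg.enable (mkMerge [
-{
-networking.dhcpcd.denyInterfaces = [ cfg.interface ];
-services.dnsmasq.resolveLocalQueries = false;
-networking.interfaces.${cfg.interface} = {
-ipv4.addresses = singleton {
-address = cfg.address;
-prefixLength = cfg.prefixLength;
-};
-};
-services.dnsmasq.enable = true;
-services.dnsmasq.extraConfig = ''
-bind-interfaces
-dhcp-range=${cfg.dhcp-range}
-listen-address=${cfg.address}
-'';
-tv.iptables.extra.filter.INPUT = [
-"-i ${cfg.interface} -p tcp -m tcp --dport bootps -j ACCEPT"
-"-i ${cfg.interface} -p udp -m udp --dport bootps -j ACCEPT"
-"-i ${cfg.interface} -p tcp -m tcp --dport domain -j ACCEPT"
-"-i ${cfg.interface} -p udp -m udp --dport domain -j ACCEPT"
-];
-}
-{
-# enable forwarding
-boot.kernel.sysctl."net.ipv4.ip_forward" = true;
-tv.iptables.extra.filter.FORWARD = [
-"-m state --state RELATED,ESTABLISHED -j ACCEPT"
-"-i ${cfg.interface} -j ACCEPT"
-];
-tv.iptables.extra.nat.POSTROUTING = [
-"-j MASQUERADE"
-];
-}
-]);
-
-}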
@ -1,275 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
cfg = config.tv.ejabberd;
|
||||
|
||||
gen-dhparam = pkgs.writeDash "gen-dhparam" ''
|
||||
set -efu
|
||||
path=$1
|
||||
bits=2048
|
||||
# TODO regenerate dhfile after some time?
|
||||
if ! test -e "$path"; then
|
||||
${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
|
||||
fi
|
||||
'';
|
||||
|
||||
settingsFormat = pkgs.formats.json {};
|
||||
|
||||
in {
|
||||
options.tv.ejabberd = {
|
||||
enable = mkEnableOption "tv.ejabberd";
|
||||
certfiles = mkOption {
|
||||
type = types.listOf types.absolute-pathname;
|
||||
default = [
|
||||
"${config.krebs.secret.directory}/ejabberd.pem"
|
||||
];
|
||||
};
|
||||
configFile = mkOption {
|
||||
type = types.either types.package types.absolute-pathname;
|
||||
default = settingsFormat.generate "ejabberd.yaml" cfg.settings;
|
||||
};
|
||||
ciphers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384"
|
||||
"ECDHE-RSA-AES256-GCM-SHA384"
|
||||
"ECDHE-ECDSA-CHACHA20-POLY1305"
|
||||
"ECDHE-RSA-CHACHA20-POLY1305"
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256"
|
||||
"ECDHE-RSA-AES128-GCM-SHA256"
|
||||
"ECDHE-ECDSA-AES256-SHA384"
|
||||
"ECDHE-RSA-AES256-SHA384"
|
||||
"ECDHE-ECDSA-AES128-SHA256"
|
||||
"ECDHE-RSA-AES128-SHA256"
|
||||
];
|
||||
};
|
||||
credentials.certfiles = mkOption {
|
||||
internal = true;
|
||||
readOnly = true;
|
||||
default =
|
||||
imap
|
||||
(i: const "/tmp/credentials/certfile${toJSON i}")
|
||||
cfg.certfiles;
|
||||
};
|
||||
hosts = mkOption {
|
||||
type = with types; listOf str;
|
||||
};
|
||||
pkgs.ejabberd = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.symlinkJoin {
|
||||
name = "ejabberd-wrapper";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "ejabberdctl" ''
|
||||
exec ${pkgs.ejabberd}/bin/ejabberdctl \
|
||||
--config /etc/ejabberd/ejabberd.yaml \
|
||||
--ctl-config /etc/ejabberd/ejabberdctl.cfg \
|
||||
--logs ${cfg.stateDir} \
|
||||
--spool ${cfg.stateDir} \
|
||||
"$@"
|
||||
'')
|
||||
pkgs.ejabberd
|
||||
];
|
||||
};
|
||||
};
|
||||
protocol_options = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"no_sslv2"
|
||||
"no_sslv3"
|
||||
"no_tlsv1"
|
||||
"no_tlsv1_10"
|
||||
];
|
||||
};
|
||||
registration_watchers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
config.krebs.users.tv.mail
|
||||
];
|
||||
};
|
||||
settings = mkOption {
|
||||
type = settingsFormat.type;
|
||||
default = {};
|
||||
};
|
||||
stateDir = mkOption {
|
||||
type =
|
||||
types.addCheck
|
||||
types.absolute-pathname
|
||||
(path:
|
||||
hasPrefix "/var/lib/" path &&
|
||||
types.filename.check (removePrefix "/var/lib/" path)
|
||||
);
|
||||
default = "/var/lib/ejabberd";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
environment.etc."ejabberd/ejabberd.yaml".source = cfg.configFile;
|
||||
environment.etc."ejabberd/ejabberdctl.cfg".source =
|
||||
builtins.toFile "ejabberdctl.cfg" /* sh */ ''
|
||||
ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
|
||||
'';
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.symlinkJoin {
|
||||
name = "ejabberd-sudo-wrapper";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "ejabberdctl" ''
|
||||
exec ${pkgs.systemd}/bin/systemd-run \
|
||||
--unit=ejabberdctl \
|
||||
--property=StateDirectory=ejabberd \
|
||||
--property=User=ejabberd \
|
||||
--collect \
|
||||
--pipe \
|
||||
--quiet \
|
||||
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
|
||||
'')
|
||||
cfg.pkgs.ejabberd
|
||||
];
|
||||
})
|
||||
];
|
||||
|
||||
krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;
|
||||
|
||||
systemd.services.ejabberd = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
reloadTriggers = [
|
||||
config.environment.etc."ejabberd/ejabberd.yaml".source
|
||||
config.environment.etc."ejabberd/ejabberdctl.cfg".source
|
||||
];
|
||||
serviceConfig = {
|
||||
ExecStartPre = [
|
||||
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
|
||||
"${gen-dhparam} ${cfg.stateDir}/dhfile"
|
||||
];
|
||||
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
|
||||
ExecStop = [
|
||||
"${cfg.pkgs.ejabberd}/bin/ejabberdctl stop"
|
||||
"${cfg.pkgs.ejabberd}/bin/ejabberdctl stopped"
|
||||
];
|
||||
ExecReload = "${cfg.pkgs.ejabberd}/bin/ejabberdctl reload_config";
|
||||
LoadCredential =
|
||||
zipListsWith
|
||||
(dst: src: "${baseNameOf dst}:${src}")
|
||||
cfg.credentials.certfiles
|
||||
cfg.certfiles;
|
||||
LimitNOFILE = 65536;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
SyslogIdentifier = "ejabberd";
|
||||
StateDirectory = "ejabberd";
|
||||
User = "ejabberd";
|
||||
DynamicUser = true;
|
||||
TimeoutSec = 60;
|
||||
RestartSec = 5;
|
||||
Restart = "on-failure";
|
||||
Type = "notify";
|
||||
NotifyAccess = "all";
|
||||
WatchdogSec = 30;
|
||||
};
|
||||
};
|
||||
|
||||
# preset config values
|
||||
tv.ejabberd.settings = {
|
||||
access_rules = {
|
||||
announce = mkDefault [{ allow = "admin"; }];
|
||||
local = mkDefault [{ allow = "local"; }];
|
||||
configure = mkDefault [{ allow = "admin"; }];
|
||||
register = mkDefault ["allow"];
|
||||
s2s = mkDefault ["allow"];
|
||||
trusted_network = mkDefault [{ allow = "loopback"; }];
|
||||
};
|
||||
|
||||
acl = {
|
||||
local.user_regexp = mkDefault "";
|
||||
loopback.ip = mkDefault [
|
||||
"127.0.0.0/8"
|
||||
"::1/128"
|
||||
"::FFFF:127.0.0.1/128"
|
||||
];
|
||||
};
|
||||
|
||||
certfiles = mkDefault cfg.credentials.certfiles;
|
||||
|
||||
hosts = mkDefault cfg.hosts;
|
||||
|
||||
language = mkDefault "en";
|
||||
|
||||
listen = mkDefault [
|
||||
{
|
||||
port = 5222;
|
||||
ip = "::";
|
||||
module = "ejabberd_c2s";
|
||||
shaper = "c2s_shaper";
|
||||
ciphers = concatStringsSep ":" cfg.ciphers;
|
||||
protocol_options = cfg.protocol_options;
|
||||
starttls = true;
|
||||
starttls_required = true;
|
||||
tls = false;
|
||||
tls_compression = false;
|
||||
max_stanza_size = 65536;
|
||||
}
|
||||
{
|
||||
port = 5269;
|
||||
ip = "::";
|
||||
module = "ejabberd_s2s_in";
|
||||
shaper = "s2s_shaper";
|
||||
dhfile = "${cfg.stateDir}/dhfile";
|
||||
max_stanza_size = 131072;
|
||||
}
|
||||
];
|
||||
|
||||
loglevel = mkDefault "4";
|
||||
|
||||
modules = {
|
||||
mod_adhoc = mkDefault {};
|
||||
mod_admin_extra = mkDefault {};
|
||||
mod_announce.access = mkDefault "announce";
|
||||
mod_caps = mkDefault {};
|
||||
mod_carboncopy = mkDefault {};
|
||||
mod_client_state = mkDefault {};
|
||||
mod_configure = mkDefault {};
|
||||
mod_disco = mkDefault {};
|
||||
mod_echo = mkDefault {};
|
||||
mod_bosh = mkDefault {};
|
||||
mod_last = mkDefault {};
|
||||
mod_offline.access_max_user_messages = mkDefault "max_user_offline_messages";
|
||||
mod_ping = mkDefault {};
|
||||
mod_privacy = mkDefault {};
|
||||
mod_private = mkDefault {};
|
||||
mod_register = {
|
||||
access_from = mkDefault "deny";
|
||||
access = mkDefault "register";
|
||||
ip_access = mkDefault "trusted_network";
|
||||
registration_watchers = mkDefault cfg.registration_watchers;
|
||||
};
|
||||
mod_roster = mkDefault {};
|
||||
mod_shared_roster = mkDefault {};
|
||||
mod_stats = mkDefault {};
|
||||
mod_time = mkDefault {};
|
||||
mod_vcard.search = mkDefault false;
|
||||
mod_version = mkDefault {};
|
||||
mod_http_api = mkDefault {};
|
||||
};
|
||||
|
||||
s2s_access = mkDefault "s2s";
|
||||
s2s_ciphers = concatStringsSep ":" cfg.ciphers;
|
||||
s2s_dhfile = mkDefault "${cfg.stateDir}/dhfile";
|
||||
s2s_protocol_options = mkDefault cfg.protocol_options;
|
||||
s2s_tls_compression = mkDefault false;
|
||||
s2s_use_starttls = mkDefault "required";
|
||||
|
||||
shaper_rules = {
|
||||
max_user_offline_messages = mkDefault [
|
||||
{ "5000" = "admin"; }
|
||||
100
|
||||
];
|
||||
max_user_sessions = mkDefault 10;
|
||||
c2s_shaper = mkDefault [
|
||||
{ "none" = "admin"; }
|
||||
"normal"
|
||||
];
|
||||
s2s_shaper = mkDefault "fast";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,4 +0,0 @@
|
||||
with import ./lib;
|
||||
{
|
||||
options.tv.focus.enable = mkEnableOption "tv.focus";
|
||||
}
|
@ -1,9 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, ... }: {
|
||||
options.tv.hosts = mkOption {
|
||||
type = types.attrsOf types.host;
|
||||
default =
|
||||
filterAttrs (_: host: host.owner.name == "tv")
|
||||
config.krebs.hosts;
|
||||
};
|
||||
}
|
@ -1,16 +0,0 @@
|
||||
with import ./lib;
|
||||
let
|
||||
local.types.screen = lib.types.submodule {
|
||||
options.width = lib.mkOption {
|
||||
type = lib.types.uint;
|
||||
};
|
||||
options.height = lib.mkOption {
|
||||
type = lib.types.uint;
|
||||
};
|
||||
};
|
||||
in {
|
||||
options.tv.hw.screens = lib.mkOption {
|
||||
type = lib.types.attrsOf local.types.screen;
|
||||
default = {};
|
||||
};
|
||||
}
|
@ -1,110 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let
|
||||
im = config.tv.im;
|
||||
in {
|
||||
options = {
|
||||
tv.im.client.enable = lib.mkEnableOption "tv.im.client" // {
|
||||
default = config.krebs.build.host.name == im.client.host.name;
|
||||
};
|
||||
tv.im.client.term = lib.mkOption {
|
||||
default = "rxvt-unicode-256color";
|
||||
type = lib.types.filename;
|
||||
};
|
||||
tv.im.client.useIPv6 = lib.mkEnableOption "tv.im.client.useIPv6" // {
|
||||
default = true;
|
||||
};
|
||||
tv.im.client.host = lib.mkOption {
|
||||
default = config.krebs.hosts.xu;
|
||||
type = lib.types.host;
|
||||
};
|
||||
tv.im.client.user = lib.mkOption {
|
||||
default = config.krebs.users.tv;
|
||||
type = lib.types.user;
|
||||
};
|
||||
|
||||
tv.im.server.enable = lib.mkEnableOption "tv.im.server" // {
|
||||
default = config.krebs.build.host.name == im.server.host.name;
|
||||
};
|
||||
tv.im.server.host = lib.mkOption {
|
||||
default = config.krebs.hosts.nomic;
|
||||
type = lib.types.host;
|
||||
};
|
||||
tv.im.server.mosh.enable = lib.mkEnableOption "tv.im.server.mosh" // {
|
||||
default = true;
|
||||
};
|
||||
tv.im.server.weechat.relay.enable =
|
||||
lib.mkEnableOption "tv.im.server.weechat.relay";
|
||||
tv.im.server.user = lib.mkOption {
|
||||
default = config.krebs.users.tv;
|
||||
type = lib.types.user;
|
||||
};
|
||||
};
|
||||
imports = [
|
||||
(lib.mkIf im.client.enable {
|
||||
users.users.${im.client.user.name}.packages = [
|
||||
(pkgs.writeDashBin "im" ''
|
||||
${if im.server.mosh.enable then /* sh */ ''
|
||||
exec ${pkgs.mosh}/bin/mosh \
|
||||
${lib.optionalString im.client.useIPv6 "-6"} \
|
||||
${im.server.user.name}@${lib.head im.server.host.nets.retiolum.aliases} \
|
||||
env TERM=${im.client.term} im
|
||||
'' else /* sh */ ''
|
||||
exec ${pkgs.openssh}/bin/ssh \
|
||||
${lib.optionalString im.client.useIPv6 "-6"} \
|
||||
${im.server.user.name}@${lib.head im.server.host.nets.retiolum.aliases} \
|
||||
-t \
|
||||
im
|
||||
''}
|
||||
'')
|
||||
];
|
||||
})
|
||||
(lib.mkIf im.server.enable {
|
||||
services.bitlbee = {
|
||||
enable = true;
|
||||
plugins = [
|
||||
pkgs.bitlbee-facebook
|
||||
];
|
||||
};
|
||||
users.users.${im.server.user.name}.packages = [
|
||||
pkgs.mosh
|
||||
(pkgs.writeDashBin "im" ''
|
||||
export PATH=${lib.makeSearchPath "bin" [
|
||||
pkgs.tmux
|
||||
pkgs.gnugrep
|
||||
pkgs.weechat-tv
|
||||
]}
|
||||
if tmux list-sessions -F\#S | grep -q '^im''$'; then
|
||||
exec tmux attach -t im
|
||||
else
|
||||
exec tmux new -s im weechat
|
||||
fi
|
||||
'')
|
||||
];
|
||||
})
|
||||
(lib.mkIf im.server.mosh.enable {
|
||||
krebs.setuid.utempter = {
|
||||
filename = "${pkgs.libutempter}/lib/utempter/utempter";
|
||||
owner = "nobody";
|
||||
group = "utmp";
|
||||
mode = "2111";
|
||||
};
|
||||
tv.iptables.extra4.filter.Retiolum = [
|
||||
"-s ${im.client.host.nets.retiolum.ip4.addr} -p udp --dport 60000:61000 -j ACCEPT"
|
||||
];
|
||||
tv.iptables.extra6.filter.Retiolum = [
|
||||
"-s ${im.client.host.nets.retiolum.ip6.addr} -p udp --dport 60000:61000 -j ACCEPT"
|
||||
];
|
||||
})
|
||||
(lib.mkIf im.server.weechat.relay.enable {
|
||||
krebs.iana-etc.services = {
|
||||
"9001".tcp.name = "weechat-ssl";
|
||||
};
|
||||
tv.iptables.extra4.filter.Retiolum = [
|
||||
"-s ${im.client.host.nets.retiolum.ip4.addr} -p tcp -m tcp --dport 9001 -j ACCEPT"
|
||||
];
|
||||
tv.iptables.extra6.filter.Retiolum = [
|
||||
"-s ${im.client.host.nets.retiolum.ip6.addr} -p tcp -m tcp --dport 9001 -j ACCEPT"
|
||||
];
|
||||
})
|
||||
];
|
||||
}
|
@ -1,208 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: let {
|
||||
cfg = config.tv.iptables;
|
||||
|
||||
body = {
|
||||
options.tv.iptables = api;
|
||||
config = lib.mkIf cfg.enable imp;
|
||||
};
|
||||
|
||||
extraTypes = {
|
||||
rules = types.submodule {
|
||||
options = {
|
||||
nat.OUTPUT = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
nat.PREROUTING = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
nat.POSTROUTING = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
filter.FORWARD = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
filter.INPUT = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
filter.Retiolum = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
filter.Wiregrill = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
api = {
|
||||
enable = mkEnableOption "tv.iptables";
|
||||
|
||||
accept-echo-request = mkOption {
|
||||
type = with types; nullOr (enum ["internet" "retiolum"]);
|
||||
default = "retiolum";
|
||||
};
|
||||
|
||||
input-internet-accept-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-internet-accept-udp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-udp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-wiregrill-accept-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-wiregrill-accept-udp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
extra = mkOption {
|
||||
default = {};
|
||||
type = extraTypes.rules;
|
||||
};
|
||||
|
||||
extra4 = mkOption {
|
||||
default = {};
|
||||
type = extraTypes.rules;
|
||||
};
|
||||
|
||||
extra6 = mkOption {
|
||||
default = {};
|
||||
type = extraTypes.rules;
|
||||
};
|
||||
};
|
||||
|
||||
imp = {
|
||||
networking.firewall.enable = false;
|
||||
|
||||
systemd.services.tv-iptables = {
|
||||
wantedBy = [ "sysinit.target" ];
|
||||
wants = [ "network-pre.target" ];
|
||||
before = [ "network-pre.target" ];
|
||||
after = [ "systemd-modules-load.service" ];
|
||||
|
||||
path = with pkgs; [
|
||||
iptables
|
||||
];
|
||||
|
||||
restartIfChanged = true;
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
RemainAfterExit = true;
|
||||
Restart = "always";
|
||||
SyslogIdentifier = "tv-iptables_start";
|
||||
ExecStart = pkgs.writeDash "tv-iptables_start" ''
|
||||
set -euf
|
||||
iptables-restore < ${rules 4}
|
||||
ip6tables-restore < ${rules 6}
|
||||
'';
|
||||
};
|
||||
|
||||
unitConfig.DefaultDependencies = false;
|
||||
};
|
||||
};
|
||||
|
||||
formatTable = table:
|
||||
(concatStringsSep "\n"
|
||||
(mapAttrsToList
|
||||
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
|
||||
table));
|
||||
|
||||
rules = iptables-version: let
|
||||
accept-echo-request = {
|
||||
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
|
||||
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
|
||||
}."ip${toString iptables-version}tables";
|
||||
accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
|
||||
accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
|
||||
in
|
||||
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
${formatTable cfg."extra${toString iptables-version}".nat}
|
||||
${formatTable cfg.extra.nat}
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:Retiolum - [0:0]
|
||||
:Wiregrill - [0:0]
|
||||
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
|
||||
++ [
|
||||
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
|
||||
"-i lo -j ACCEPT"
|
||||
]
|
||||
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
|
||||
++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
|
||||
++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
|
||||
++ ["-i retiolum -j Retiolum"]
|
||||
++ ["-i wiregrill -j Wiregrill"]
|
||||
)}
|
||||
${formatTable cfg.extra.filter}
|
||||
${formatTable cfg."extra${toString iptables-version}".filter}
|
||||
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
||||
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
|
||||
++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
|
||||
++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
|
||||
++ {
|
||||
ip4tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp-port-unreachable"
|
||||
"-j REJECT --reject-with icmp-proto-unreachable"
|
||||
];
|
||||
ip6tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
|
||||
"-j REJECT"
|
||||
];
|
||||
}."ip${toString iptables-version}tables"
|
||||
)}
|
||||
${concatMapStringsSep "\n" (rule: "-A Wiregrill ${rule}") ([]
|
||||
++ optional (cfg.accept-echo-request == "wiregrill") accept-echo-request
|
||||
++ map accept-tcp (unique (map toString cfg.input-wiregrill-accept-tcp))
|
||||
++ map accept-udp (unique (map toString cfg.input-wiregrill-accept-udp))
|
||||
++ {
|
||||
ip4tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp-port-unreachable"
|
||||
"-j REJECT --reject-with icmp-proto-unreachable"
|
||||
];
|
||||
ip6tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
|
||||
"-j REJECT"
|
||||
];
|
||||
}."ip${toString iptables-version}tables"
|
||||
)}
|
||||
COMMIT
|
||||
'';
|
||||
}
|
@ -1 +0,0 @@
|
||||
../lib
|
@ -1,45 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, pkgs, ... }: {
|
||||
options = {
|
||||
tv.lidControl.enable = mkEnableOption "tv.lidControl";
|
||||
};
|
||||
config = let
|
||||
cfg = config.tv.lidControl;
|
||||
in mkIf cfg.enable {
|
||||
services.acpid.enable = true;
|
||||
services.acpid.lidEventCommands = /* sh */ ''
|
||||
set -- $1
|
||||
|
||||
# usage: vt_is_xserver NUMBER
|
||||
vt_is_xserver() {
|
||||
${pkgs.iproute}/bin/ss -lp src unix:/tmp/.X11-unix/X* |
|
||||
${pkgs.gnused}/bin/sed -n 's|.*/tmp/.X11-unix/X\([0-9]\+\)\>.*|\1|p' |
|
||||
${pkgs.gnugrep}/bin/grep -Fqx "$1"
|
||||
}
|
||||
|
||||
console=$(${pkgs.kbd}/bin/fgconsole)
|
||||
|
||||
if vt_is_xserver "$console"; then
|
||||
# usage: run_on_display COMMAND [ARG...]
|
||||
run_on_display() {
|
||||
owner=$(${pkgs.coreutils}/bin/stat -c %u /tmp/.X11-unix/X$console)
|
||||
${pkgs.systemd}/bin/systemd-run -GPq \
|
||||
-E DISPLAY=:$console \
|
||||
--uid=$owner \
|
||||
"$@"
|
||||
}
|
||||
case $3 in
|
||||
open)
|
||||
run_on_display ${pkgs.xorg.xset}/bin/xset dpms force on
|
||||
;;
|
||||
close)
|
||||
run_on_display ${pkgs.xorg.xset}/bin/xset dpms force off
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
'';
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
services.logind.lidSwitchExternalPower = "ignore";
|
||||
};
|
||||
}
|
@ -1,29 +0,0 @@
|
||||
with import ./lib;
|
||||
{ config, ... }: {
|
||||
options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
|
||||
default = {};
|
||||
type =
|
||||
lib.types.addCheck
|
||||
(lib.types.attrsOf (lib.types.attrsOf lib.types.bool))
|
||||
(x:
|
||||
lib.all
|
||||
lib.types.username.check
|
||||
(lib.concatLists
|
||||
(lib.mapAttrsToList
|
||||
(name: value: [name] ++ lib.attrNames value)
|
||||
x)));
|
||||
};
|
||||
config.security.polkit.extraConfig = let
|
||||
cfg = config.org.freedesktop.machine1.host-shell;
|
||||
enable = cfg.access != {};
|
||||
in lib.optionalString enable /* js */ ''
|
||||
polkit.addRule(function () {
|
||||
var access = ${lib.toJSON cfg.access};
|
||||
return function(action, subject) {
|
||||
if (action.id === "org.freedesktop.machine1.host-shell"
|
||||
&& (access[subject.user]||{})[action.lookup("user")])
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
}());
|
||||
'';
|
||||
}
|