Merge remote-tracking branch 'gum/master'

krebs/3modules/makefu/default.nix

@@ -270,8 +270,8 @@ with config.krebs.lib;
             '';
         };
       };
-      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
+      #ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+      #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
     };
     wbob = rec {
       cores = 1;
@@ -409,6 +409,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
           ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
           aliases = [
             "heidi.r"
+            "heidi.retiolum"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -424,6 +425,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
       };
     };
 
+
     soundflower = rec {
       cores = 1;
       nets = {
@@ -594,7 +596,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
         };
       };
     };
-
+  } // { # hosts only maintained in stockholm, not owned by me
+    tpsw = {
+      cores = 2;
+      owner = config.krebs.users.ciko; # main laptop
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.183.236";
+          ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c";
+          aliases = [ "tpsw.r" "tpsw.retiolum" ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAvwYPFAINwV0EH0myFpNzRjVbqXdAmJP616C5JvODklhZWJxFxlKJ
+            Poczl57j2Z+4bonkTrJmsNtSaQLPKYH4H1qfo/lwz7nqEpPi3Xp4Fgts23w36eML
+            WBvbw0fQO9R8zZJIIdRkJ2qqlhZiTlor1Gtlm8Z1RmpKkhL9O6Yzj94VhGLhABVl
+            OsaF2M3PgXJMiLry67jzbAs3+mVaT3iBTzWOaOyREjKQEUg9B9IDxrmZMSWqdXZM
+            0wfzaCjS40jD73m7tqi7W3tXzAUP4mEeUqkC+NC2Zgm/lJ5B1KPx7AyNqtRLsBLd
+            pIdJs6ng63WV1fyHYUWMYqZk9zB/tQ0b0wIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
   };
   users = rec {
     makefu = {
@@ -615,6 +638,9 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
       inherit (makefu) mail pgp;
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
     };
+    ciko = {
+      mail = "wieczorek.stefan@googlemail.com";
+    };
     exco = {
       mail = "dickbutt@excogitation.de";
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== dickbutt@excogitation.de";

makefu/1systems/pornocauster.nix

@@ -26,6 +26,7 @@
       # services
       ../2configs/git/brain-retiolum.nix
       ../2configs/tor.nix
+      ../2configs/steam.nix
       # ../2configs/buildbot-standalone.nix
 
       # hardware specifics are in here
@@ -35,23 +36,36 @@
       # ../2configs/mediawiki.nix
       #../2configs/wordpress.nix
       ../2configs/nginx/public_html.nix
+
+      # temporary modules
+      # ../2configs/temp/share-samba.nix
+      # ../2configs/temp/elkstack.nix
+      # ../2configs/temp/sabnzbd.nix
     ];
+
   krebs.nginx = {
     default404 = false;
     servers.default.listen = [ "80 default_server" ];
     servers.default.server-names = [ "_" ];
   };
-  krebs.retiolum.enable = true;
-  # steam
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
+
+  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
+
+  virtualisation.docker.enable = true;
 
   # configure pulseAudio to provide a HDMI sink as well
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    25
-    80
-  ];
+  networking.firewall.allowedTCPPorts = [ 80 ];
+  networking.firewall.allowedUDPPorts = [ 665 ];
 
   krebs.build.host = config.krebs.hosts.pornocauster;
+
+  krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
+  krebs.retiolum = {
+    enable = true;
+    connectTo = [ "omo" "gum" "prism" ];
+  };
+  networking.extraHosts = ''
+    192.168.1.11 omo.local
+  '';
 }

makefu/2configs/default.nix

@@ -22,7 +22,7 @@ with config.krebs.lib;
       source =  mapAttrs (_: mkDefault) {
         nixpkgs = {
           url = https://github.com/nixos/nixpkgs;
-          rev = "40c586b7ce2c559374df435f46d673baf711c543"; # unstable @ 2016-02-27, tested on wry
+          rev = "63b9785"; # stable @ 2016-06-01
         };
         secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
         stockholm = "/home/makefu/stockholm";
@@ -75,7 +75,7 @@ with config.krebs.lib;
   systemd.tmpfiles.rules = [
     "d /tmp 1777 root root - -"
   ];
-
+  nix.nixPath = [ "/var/src" ];
   environment.variables = {
     NIX_PATH = mkForce "/var/src";
     EDITOR = mkForce "vim";
@@ -126,6 +126,7 @@ with config.krebs.lib;
   nixpkgs.config.packageOverrides = pkgs: {
     nano = pkgs.runCommand "empty" {} "mkdir -p $out";
     tinc = pkgs.tinc_pre;
+    gnupg1compat = super.gnupg1compat.override { gnupg = self.gnupg21; };
   };
 
   services.cron.enable = false;

makefu/2configs/exim-retiolum.nix

@@ -2,9 +2,10 @@
 
 with config.krebs.lib;
 {
+  networking.firewall.allowedTCPPorts = [ 25 ];
+
   krebs.exim-retiolum.enable = true;
   environment.systemPackages = with pkgs; [
     msmtp
   ];
-
 }

makefu/2configs/git/cgit-retiolum.nix

@@ -15,6 +15,9 @@ let
     tinc_graphs = {
       desc = "Tinc Advanced Graph Generation";
     };
+    stockholm-init = {
+      desc = "Build new Stockholm hosts";
+    };
     cac-api = { };
     init-stockholm = {
       desc = "Init stuff for stockholm";

makefu/2configs/omo-share.nix

@@ -69,15 +69,15 @@ in {
         browseable = "yes";
         "guest ok" = "yes";
       };
-      usenet-rw = {
-        path = "/media/crypt0/usenet";
+      crypt0-rw = {
+        path = "/media/crypt0/";
         "read only" = "no";
         browseable = "yes";
         "guest ok" = "no";
         "valid users" = "makefu";
       };
-      emu-rw = {
-        path = "/media/crypt1/emu";
+      crypt1-rw = {
+        path = "/media/crypt1/";
         "read only" = "no";
         browseable = "yes";
         "guest ok" = "no";

makefu/2configs/steam.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}:
+{
+  environment.systemPackages = [ pkgs.steam ];
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.support32Bit = true;
+}

makefu/2configs/temp-share-samba.nix

@@ -0,0 +1,28 @@
+{config, ... }:{
+  users.users.smbguest = {
+    name = "smbguest";
+    uid = config.ids.uids.smbguest;
+    description = "smb guest user";
+    home = "/var/empty";
+  };
+  services.samba = {
+    enable = true;
+    shares = {
+      share-home = {
+        path = "/home/share/";
+        "read only" = "no";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+    };
+    extraConfig = ''
+      guest account = smbguest
+      map to guest = bad user
+      # disable printing
+      load printers = no
+      printing = bsd
+      printcap name = /dev/null
+      disable spoolss = yes
+    '';
+  };
+}

makefu/5pkgs/default.nix

@@ -13,6 +13,7 @@ in
     nodemcu-uploader = callPackage ./nodemcu-uploader {};
     tw-upload-plugin = callPackage ./tw-upload-plugin {};
     inherit (callPackage ./devpi {}) devpi-web devpi-server;
+    skytraq-logger = callPackage ./skytraq-logger/ {};
     taskserver = callPackage ./taskserver {};
   };
 }

makefu/5pkgs/skytraq-logger/default.nix

@@ -0,0 +1,31 @@
+{ stdenv, lib, pkgs, fetchFromGitHub, ... }:
+stdenv.mkDerivation rec {
+  name = "skytraq-datalogger-${version}";
+  version = "4966a8";
+  src = fetchFromGitHub {
+    owner = "makefu";
+    repo = "skytraq-datalogger";
+    rev = version ;
+    sha256 = "1qaszrs7638kc9x4qq4m1yxqmk8jw7wajywvdk4wc2i007p89v3y";
+  };
+  buildFlags = "CC=gcc";
+  makeFlags = "PREFIX=bin/ DESTDIR=$(out)";
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+  #patchPhase = ''
+  #  sed -i -e 's#/usr/bin/gcc#gcc#' -e Makefile
+  #'';
+
+  buildInputs = with pkgs;[
+    curl
+    gnugrep
+  ];
+
+  meta = {
+    homepage = http://github.com/makefu/skytraq-datalogger;
+    description = "datalogger for skytraq";
+    license = lib.licenses.gpl2;
+  };
+}

makefu/5pkgs/skytraq-logger/result

@@ -0,0 +1 @@
+/nix/store/xpwdwpw2nkgi16yhpxin2kivaz7z588h-skytraq-datalogger-4966a8

tv/2configs/xserver/default.nix

@@ -1,135 +1,126 @@
-{ config, lib, pkgs, ... }@args:
-
+{ config, pkgs, ... }@args:
 with config.krebs.lib;
-
 let
   # TODO krebs.build.user
   user = config.users.users.tv;
+in {
 
-  out = {
-    services.xserver.display = 11;
-    services.xserver.tty = 11;
+  environment.systemPackages = [
+    pkgs.ff
+    pkgs.gitAndTools.qgit
+    pkgs.mpv
+    pkgs.sxiv
+    pkgs.xsel
+    pkgs.zathura
+  ];
 
-    services.xserver.synaptics = {
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+
+  # TODO dedicated group, i.e. with a single user [per-user-setuid]
+  # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+  krebs.setuid.slock = {
+    filename = "${pkgs.slock}/bin/slock";
+    group = "wheel";
+    envp = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+      USER = user.name;
+    };
+  };
+
+  services.xserver = {
+    enable = true;
+    display = 11;
+    tty = 11;
+
+    synaptics = {
       enable = true;
       twoFingerScroll = true;
       accelFactor = "0.035";
     };
+  };
 
-    fonts.fonts = [
-      pkgs.xlibs.fontschumachermisc
+  systemd.services.display-manager.enable = false;
+
+  systemd.services.xmonad = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "xserver.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+
+      XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+        ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+        ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+        ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+        ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+        wait
+      '';
+
+      XMONAD_STATE = "/tmp/xmonad.state";
+
+      # XXX JSON is close enough :)
+      XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+        "Dashboard" # we start here
+        "23"
+        "cr"
+        "ff"
+        "hack"
+        "im"
+        "mail"
+        "stockholm"
+        "za" "zh" "zj" "zs"
+      ]);
+    };
+    serviceConfig = {
+      SyslogIdentifier = "xmonad";
+      ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
+      ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
+      User = user.name;
+      WorkingDirectory = user.home;
+    };
+  };
+
+  systemd.services.xserver = {
+    after = [
+      "systemd-udev-settle.service"
+      "local-fs.target"
+      "acpid.service"
     ];
-
-    systemd.services.urxvtd = {
-      wantedBy = [ "multi-user.target" ];
-      reloadIfChanged = true;
-      serviceConfig = {
-        ExecReload = need-reload "urxvtd.service";
-        ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-        Restart = "always";
-        RestartSec = "2s";
-        StartLimitBurst = 0;
-        User = user.name;
-      };
+    reloadIfChanged = true;
+    environment = {
+      XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
+      XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+      LD_LIBRARY_PATH = concatStringsSep ":" (
+        [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
+        ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
     };
-
-    environment.systemPackages = [
-      pkgs.ff
-      pkgs.gitAndTools.qgit
-      pkgs.mpv
-      pkgs.sxiv
-      pkgs.xsel
-      pkgs.zathura
-    ];
-
-    # TODO dedicated group, i.e. with a single user
-    # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
-    krebs.setuid.slock = {
-      filename = "${pkgs.slock}/bin/slock";
-      group = "wheel";
-      envp = {
-        DISPLAY = ":${toString config.services.xserver.display}";
-        USER = user.name;
-      };
-    };
-
-    systemd.services.display-manager.enable = false;
-
-    services.xserver.enable = true;
-
-    systemd.services.xmonad = {
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "xserver.service" ];
-      environment = xmonad-environment;
-      serviceConfig = {
-        ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
-        ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
-        User = user.name;
-        WorkingDirectory = user.home;
-      };
-    };
-
-    systemd.services.xserver = {
-      after = [
-        "systemd-udev-settle.service"
-        "local-fs.target"
-        "acpid.service"
+    serviceConfig = {
+      SyslogIdentifier = "xserver";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = toString [
+        "${pkgs.xorg.xorgserver}/bin/X"
+        ":${toString config.services.xserver.display}"
+        "vt${toString config.services.xserver.tty}"
+        "-config ${import ./xserver.conf.nix args}"
+        "-logfile /dev/null -logverbose 0 -verbose 3"
+        "-nolisten tcp"
+        "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
       ];
-      reloadIfChanged = true;
-      environment = xserver-environment;
-      serviceConfig = {
-        ExecReload = need-reload "xserver.service";
-        ExecStart = toString [
-          "${pkgs.xorg.xorgserver}/bin/X"
-          ":${toString config.services.xserver.display}"
-          "vt${toString config.services.xserver.tty}"
-          "-config ${import ./xserver.conf.nix args}"
-          "-logfile /var/log/X.${toString config.services.xserver.display}.log"
-          "-nolisten tcp"
-          "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
-        ];
-      };
     };
   };
 
-  xmonad-environment = {
-    DISPLAY = ":${toString config.services.xserver.display}";
-
-    XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
-      ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
-      ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
-      ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
-      ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
-      wait
-    '';
-
-    XMONAD_STATE = "/tmp/xmonad.state";
-
-    # XXX JSON is close enough :)
-    XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
-      "Dashboard" # we start here
-      "23"
-      "cr"
-      "ff"
-      "hack"
-      "im"
-      "mail"
-      "stockholm"
-      "za" "zh" "zj" "zs"
-    ]);
+  systemd.services.urxvtd = {
+    wantedBy = [ "multi-user.target" ];
+    reloadIfChanged = true;
+    serviceConfig = {
+      SyslogIdentifier = "urxvtd";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = user.name;
+    };
   };
-
-  xserver-environment = {
-    XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-    XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-    LD_LIBRARY_PATH = concatStringsSep ":" (
-      [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-      ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-  };
-
-  need-reload = s: toString [
-    "${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload"
-    (shell.escape s)
-  ];
-
-in out
+}

tv/5pkgs/ff/default.nix

@@ -1,8 +1,12 @@
 { pkgs, ... }:
 
-pkgs.writeScriptBin "ff" ''
- #! ${pkgs.bash}/bin/bash
- exec sudo -u ff -i <<EOF
+# TODO use krebs.setuid
+# This requires that we can create setuid executables that can only be accessed
+# by a single user. [per-user-setuid]
+
+# using bash for %q
+pkgs.writeBashBin "ff" ''
+ exec /var/setuid-wrappers/sudo -u ff -i <<EOF
  exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
  EOF
 ''