delete mb

This commit is contained in:
lassulus 2019-11-24 18:15:14 +01:00
parent 1144633bd0
commit 5fa963b6bc
24 changed files with 0 additions and 2315 deletions

View File

@ -103,7 +103,6 @@ let
{ krebs = import ./krebs { inherit config; }; } { krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; } { krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; } { krebs = import ./makefu { inherit config; }; }
{ krebs = import ./mb { inherit config; }; }
{ krebs = import ./nin { inherit config; }; } { krebs = import ./nin { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; } { krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; } { krebs = import ./tv { inherit config; }; }

View File

@ -1,151 +0,0 @@
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
owner = config.krebs.users.mb;
};
in {
hosts = mapAttrs hostDefaults {
orange = {
nets = {
retiolum = {
ip4.addr = "10.243.42.23";
aliases = [
"orange.r"
"or4ng3.r"
"0r4n93.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7P0CkmC5HWnTdgGFzmA
zQuJzHSkSjcGgSkIt0pvqU6xi8P/d4eJlmeXeGTpH62JfM1xhEMpxMVd/4NOON2u
IlWnfu5bB763145IJwE0HmZziWjQXWRPAZMqYdQ5f2Pvmxv1yr3uBNzr8UlV6BjD
FXn8sCvikXttYzts9szlz5+pkY09qfiz48+DMzRBNO6JzXYQ9kPyS+TIXlGpN4Jp
C1TRF38eF2DTEZ58Yx8Z99dGrXVuqlSe77fehTQGxCckTpaZ0HS3XfZNa/cas8JY
/0RzH2n2AndnPirISDZ7r4ZIFuKAaivqaEkM8v7llI77URVB9ZJb/IqCrBzueAbt
V/5ts2HpfBAUhw0RoiH8ql+IQZsuSOpRUC2gUN8460V4SQkVtDcsVTENiD+NM5Mg
ImBv041CsW/rSJOilT2r/rWDN8RFnz/RrAQn+L31KXr81kg1TOLxO0ybs/eMJM3r
RnHFZPiiKdqPlA60g0AnzKXPR2JTszHIgHHoRUW16I1WJeuAJNjg0JDQ0JM7pZ27
JEaCc7uR12TPiuExKaNEaxKZVY1J0hzxOzF2MFIbAMVz/3K2ycvvuLxKojqIAXxA
D+UtcOfJ62k2WnLXOEIZqFU0J2bvhxYUZOFS55wIn1UJF7hemD/LUFHBiWnuhwHk
TAEl8M851t+Zp3hZeJzgx2kCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
rofl = {
nets = {
retiolum = {
ip4.addr = "10.243.42.43";
aliases = [
"rofl.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnysdVVwxkmSroNUleYZm
xdaIB9EdZYCo2xj3WyhsD2lWMpj51FzSH6Y052Vy1V1TCuIXIwjidpmMohBvflG8
txKCaBGQOZbVqRgzyCDXsNisbr05ayYuHcRrXTpn5ask4HN0Vtx2uJOn8YmOxA0D
VhyEnf8xWu+vi8dwDqRVR17QnPBYqgenzIBmAuRngvNqg6WZg+E9X2e1Dco/PMzb
VW0AgC2+zFCl4+G7dEW7uhsI6IJLy4LsJuEN4TlvWAf7tfdFEnBzTfODW8quGdts
1Yzah4svPNNt9F1ZhOR/1bDsfVoOjI76BgB0G+ZZPQAGV1zxgn8DXSKi/tJTLNu1
vj/n9sUJfXMYQdTAOkABghCyEDFUspPKCffQqUXUcJbLKY9fNssGGBeanMsobUQC
Ch9z7kIJ52JDcP/D58z9Yf62P5ENqXzeVPCcodIOey1EizOu/FH3jVo52we1M5sp
1iM4hMc3ZINUBI9AA1nLWWlB3lBnErAXrhmMMHjcO4nO7/M0YU+EalkDB5eIhqiH
QJx7VnOE2UZYU9Y0vVNSWfYocU12aABK98T7lr5Tde4dI1J81sk2MUZcbNHger3f
NxpvNzOBpeC5xvq/ENCRR7MDf/59xWW5P5N7PbGprLQAi8cfdSoIEhSPz17Taq1f
3aAAePgBsZvRQozxXZfqp58CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
p1nk = {
nets = {
retiolum = {
ip4.addr = "10.243.42.42";
aliases = [
"p1nk.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5YVML71oW3iJrzZKuX48
AKrGitO5zNvsAHOI8BVsGfZTyxAAZgG4OaDX45kr27K39NcBU43LdDD0I1yjNvGe
zAoL5MIiCPD/QR1kAvLmgpMUSqOVvrk+uoGLVt6dOGvxlOiG1AAaN0gA8Q0B/jZV
4tZlBpZ7MX9xeK10wqVT56msN69P3EzKQn1uoVRrBxEnNvI1iqmmkgMLcrFVJFBQ
888Uuw9Hx5MO7ES/ATe8mt0zReUGvn91jYVVsPpmAopWnjCol271gflY0RomFXKy
XaIuvbeF+3otF0+MNqJfm4IsAKJjvl92pjVX0f0eBCSPCYR7D1EtgQrqflLkZKZ8
jBGDlgpsFWt/Omz1BYcuGZU/djM4+SNxr4YRYMi3lMix3s2PmHvm304I7eEEBlC9
qy1jq/sLaf8mHJrF6Htl7W5WS/Famkwv/VreI92iHrhsmIDiX7OIbXzYDCxT/PQa
6uCm/3jIbcHG/ZHZ12H6thkafK0Aoe009+p1n+5Y7V2oNvYe3KzZTnCN5t6z1QHZ
V5iypsd6lNDzlodjleTgGK8FmHGRPRdq1wb3eOLE8mWZj7ygDT50FwaC8FzAcHgC
bLN/zlHvCbYmk9IJhktO3B6wtMrZl60+XCpb5rTulM94RirifFYsnTIDJApI11yb
3AYi5dQXHjab/lvj6917xa0CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
gr33n = {
nets = {
retiolum = {
ip4.addr = "10.243.42.123";
aliases = [
"gr33n.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvcqecLfk8TlGFF7JJpv8
kjLFNgoNfu9FYRMNG4GSxWL5w+49n6b+GC5ciOC+RJ+N56jfB9JYE0MtbuOmkY5M
JUphuvgOCNhTbBJsjnmG9n02evpxZn9HWypNC3oQCvY2K7vHpIxGKR5PyTVKPO0P
OOYKAbCLD9F2bmuLaBQ/dFXFQxfu3tjvJI9mYDWBpSkh1mYeMZLw2xxnRZLs0bEO
ZWdzxCh9UM/mgb4WYuNED9+sz7MSsaMPAqquarFCguUxhjp6rElGFcNWjXaxA5zt
JGS6VompUViVSHjSaQ5/3VRKoIQjr4NOFYQqLpmB5S2OpiggV6I9OpB7QUGlvcYd
I3j+1AeK11HuEyPqSwxjNCCrI12bSIo3685BPHbl+AMhWGhzrCkAGcOCbAefreXQ
5v4SaKUIDlCYhN+vyNdlu2jvqQlxfJrPAfBt+jJBK6gMcAEKc7P/Oj4B9Fsl331X
s0kWH5G9t6OhO/Of8/kb2/P+YEbM6zi1QQdZAOr6Cg0y4cMt9zxLWknaM4yEDAXH
oSM33PTv9DOvBjfxRXqOHqOHRq5ayqZdIFgfLUlPTdbWRkhNzjG8f7k7p32m20A6
Kal+OF//I2c9E9vKFzyepyTcnwi3B8+cFJ74+XYaNApdwHSb1BU/+c3O9RJExZGV
jtTSbSJHU5esECtAuXy1XH8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
sunsh1n3 = {
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.42.142";
aliases = [
"sunsh1n3.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo2VCqp6mUbyo3n+1XpKf
QavpgRYQyv9wAZzYSYHjxThuLmNb/wERPbWJFMZfAGuku0blKWJISSgFWd9YL7dU
pZQZxfqo/9xnS/r0xIKrKSsBiTZt7JZmTQzj1ri11TIO0S1QPjIP5HsxlZZAw0nz
idEDlKmgWs74FPdezlXqvJyEUKDqL/ZQBtdhZZIDMkSJnCdBzXxKwv+uLVE46ZBf
4HrtQjcj+dyVMogMIoseAgf5lS6V3pyCM7/NHZFxrIxoIAxSsUoB59i2EbK6aUK5
yuiWHI6ZHToxN2K/0SX96hzxcwrUmdk49tTHBY0Zhn2ku6NjQPU3LuxgIwrSaSJD
/KWh6XkqR7EsCVN0AIsLvFelI2ckSyNyAlnYbMAHDt7GwHlNp4Lsy+x4ZQ6m0xTY
Z+/jt6sfoMiulPcwWEpqNCCf5A65lF77DldQhH3qYrdQ756n/kOqSfQtPCnVNYXy
LlN5rKCOgxKxxtKkwMUif2OM9RPHpM7wS09Rvek6zpL9ymhU5THF7UylLKxKGjYj
6dTooyRVQRJdrwIYLrJIy0MfGyYiGAJxf/C0KOOZnJPCW2b51+bo5Zh+BhKZYN8H
C2DEGc8+4h5hX1TAaUfTpfVm3mMTh8H2m9N8Pdl5ji+A0m0IwHDLQyaoskcxSjvU
9IxYLfkSD6AJqasnHlz0L08CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
};
users = {
mb = {
mail = "mb0@codemonkey.cc";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCHAdKGHP/De/GLEsPo5RBfbaiiitMw4Y/akOekJbImswT6Np2lzqno/WBJcfVs3D39wgPKNld4P/QZc5IwxC26q/PnBFu93KES0GqnlAqUNE63IOJ8UzNdyEqWggnRiLrBU+ZgyFZvmqp6NoSO4YEGEK4RZRMJM/GcAuQMj/nGjx2AHwPGZCkIRgz8/ctBOzX1/knZd3cOnNowH1wlqUKX6UcEzJdAVDQijHF1wl0Ri8tJKq9u8s/fw+1PSOpOHaeF1BALsXSKgeJDqUCTnZW5mAVUWJ86LvvyfCP4In9lhhLisbDm2cD96QaVvJyV6HfmegdSxZ1Phh+9Qz+3WhDJRedBTSKWfK/9j7VWSb+z/KV37q72W25ZfFMSay58LmCqn3v5fGt9qj4nlPw0By4baGLiGlA7xyvkJfdt8ZVPps5d2g6UprTbSA79lYN4qtWKq2Z9t317xch7Lix6EunQcoTkJ6QXEbDrAIk3zvkWr/CtpwEhNcSdWvQsua42dkD2oOI2F2IgFyYgOx9Iba2yj8A0TD2iqfYVhsJIYuk12QfeaR7ovQ6DhHlUxyQzeF6h0Y+I4AN6Sq/Mmj/cxfQoIaAEybUQMX+7KjFceIszT3JbGlz7DCxi7DMmNYuc7LELMRG3jNAOk+fW8u42Bhgc44tzvAondojerUGqCbUDw== mb0@codemonkey.cc";
};
};
}

View File

@ -1,144 +0,0 @@
{ config, pkgs, callPackage, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<stockholm/mb>
];
krebs.build.host = config.krebs.hosts.gr33n;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.packageOverrides = super: {
openvpn = super.openvpn.override {
pkcs11Support = true;
useSystemd = false;
};
};
environment.shellAliases = {
ll = "ls -alh";
ls = "ls --color=tty";
};
environment.systemPackages = with pkgs; [
curl
fish
git
htop
nmap
ranger
tcpdump
tmux
traceroute
tree
vim
wcalc
wget
xz
zbackup
];
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
sound.enable = false;
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
services.codimd = {
enable = true;
workDir = "/storage/codimd";
configuration = {
port = 1337;
host = "0.0.0.0";
db = {
dialect = "sqlite";
storage = "/storage/codimd/db.codimd.sqlite";
};
};
};
networking.wireless.enable = false;
networking.networkmanager.enable = false;
krebs.iptables.enable = true;
networking.enableIPv6 = false;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
nix.buildCores = 4;
system.autoUpgrade.enable = false;
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
system.stateVersion = "19.03";
}

View File

@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.mdadmConf = ''
ARRAY /dev/md0 level=raid6 num-devices=4 metadata=1.2 name=gr33n:0 UUID=5b715fd9:0be6bfa6:19f07db4:c16836d6
devices=/dev/sda1,/dev/sdb1,/dev/sdc1,/dev/sdd1
'';
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a9f2c19b-f60f-450c-87f1-146a54c4198b";
fsType = "ext4";
};
fileSystems."/storage" =
{ device = "/dev/disk/by-label/storage";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/93EB-BCA3";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

View File

@ -1,238 +0,0 @@
{ config, pkgs, callPackage, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<stockholm/mb>
<stockholm/mb/2configs/nvim.nix>
];
krebs.build.host = config.krebs.hosts.orange;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices = [
{
name = "root";
device = "/dev/disk/by-uuid/09a36f91-a713-4b82-8b41-4e7a6acc4acf";
preLVM = true;
allowDiscards = true;
}
];
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
# Select internationalisation properties.
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
nixpkgs.config.packageOverrides = super: {
openvpn = super.openvpn.override { pkcs11Support = true; useSystemd = false; };
};
nixpkgs.config.allowUnfree = true;
fonts = {
enableCoreFonts = true;
enableGhostscriptFonts = true;
fonts = with pkgs; [
anonymousPro
corefonts
dejavu_fonts
envypn-font
fira
gentium
gohufont
inconsolata
liberation_ttf
powerline-fonts
source-code-pro
terminus_font
ttf_bitstream_vera
ubuntu_font_family
unifont
unstable.cherry
xorg.fontbitstream100dpi
xorg.fontbitstream75dpi
xorg.fontbitstreamtype1
];
};
environment.systemPackages = with pkgs; [
adapta-gtk-theme
aircrackng
ag
arandr
binutils
chromium
cifs-utils
curl
evince
exfat
feh
file
firefox
freetype
gimp
git
gnupg
graphite2
hicolor_icon_theme
htop
i3lock
jq
keepassx2
kvm
lxappearance
man-pages
moc
mpv
mpvc
mupdf
ncdu
nmap
openvpn
pass
p7zip
powertop
ranger
rofi
sshfs
tcpdump
tmux
traceroute
tree
unstable.alacritty
unstable.ponyc
unstable.sublime3
unstable.youtube-dl
virt-viewer
virtmanager
vulnix
wcalc
wget
xz
zbackup
];
environment.variables = {
EDITOR = ["nvim"];
};
environment.shellAliases = {
ll = "ls -alh";
ls = "ls --color=tty";
};
virtualisation.libvirtd.enable = true;
#virtualisation.kvmgt.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = true;
nixpkgs.config.pulseaudio = true;
services.xserver = {
enable = true;
layout = "de";
xkbVariant = "nodeadkeys";
libinput.enable = true;
desktopManager = {
default = "xfce";
xterm.enable = false;
xfce = {
enable = true;
noDesktop = true;
enableXfwm = false;
};
};
windowManager.ratpoison.enable = true;
};
services.openssh.enable = true;
#services.openssh.permitRootLogin = "yes";
services.openssh.passwordAuthentication = false;
networking.wireless.enable = false;
networking.networkmanager.enable = false;
krebs.iptables.enable = true;
#networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
networking.enableIPv6 = false;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color yellow) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
nix.maxJobs = 4;
nix.buildCores = 4;
system.autoUpgrade.enable = false;
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
system.stateVersion = "19.03";
}

View File

@ -1,28 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b1d32c54-35f8-4bf1-9fd2-82adc760af01";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/BF9B-03A2";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
}

View File

@ -1,227 +0,0 @@
{ config, pkgs, callPackage, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<stockholm/mb>
<stockholm/mb/2configs/nvim.nix>
];
krebs.build.host = config.krebs.hosts.p1nk;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices = [
{
name = "root";
device = "/dev/disk/by-uuid/0392257b-f6cf-484d-8c46-e20aab4fddb7";
preLVM = true;
allowDiscards = true;
}
];
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
fonts = {
enableCoreFonts = true;
enableGhostscriptFonts = true;
fonts = with pkgs; [
anonymousPro
corefonts
dejavu_fonts
envypn-font
fira
gentium
gohufont
inconsolata
liberation_ttf
powerline-fonts
source-code-pro
terminus_font
ttf_bitstream_vera
ubuntu_font_family
unifont
unstable.cherry
xorg.fontbitstream100dpi
xorg.fontbitstream75dpi
xorg.fontbitstreamtype1
];
};
nixpkgs.config.packageOverrides = super: {
openvpn = super.openvpn.override { pkcs11Support = true; useSystemd = false; };
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
adapta-gtk-theme
aircrackng
ag
arandr
binutils
chromium
cifs-utils
curl
evince
exfat
feh
file
firefox
freetype
gimp
git
gnupg
graphite2
hicolor_icon_theme
htop
i3lock
jq
keepassx2
kvm
lxappearance
man-pages
moc
mpv
mpvc
mupdf
ncdu
nmap
openvpn
pass
p7zip
powertop
ranger
rofi
sshfs
tcpdump
tmux
traceroute
tree
unstable.alacritty
unstable.ponyc
unstable.sublime3
youtube-dl
virt-viewer
virtmanager
vulnix
wcalc
wget
xz
zbackup
];
environment.shellAliases = {
ll = "ls -alh";
ls = "ls --color=tty";
};
virtualisation.libvirtd.enable = true;
virtualisation.kvmgt.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = true;
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "nodeadkeys";
libinput.enable = true;
desktopManager = {
default = "xfce";
xterm.enable = false;
xfce = {
enable = true;
noDesktop = true;
enableXfwm = false;
};
};
windowManager.ratpoison.enable = true;
windowManager.pekwm.enable = true;
};
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
krebs.iptables.enable = true;
networking.networkmanager.enable = false;
networking.wireless.enable = true;
networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
networking.enableIPv6 = false;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color magenta) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
nix.maxJobs = 4;
nix.buildCores = 4;
system.autoUpgrade.enable = false;
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
system.stateVersion = "19.03";
}

View File

@ -1,29 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4cc2add6-ed19-4685-bbd9-b992bd8d51fb";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/9F87-AEAA";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

View File

@ -1,103 +0,0 @@
{ config, pkgs, callPackage, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
<stockholm/mb/2configs/google-compute-config.nix>
<stockholm/mb>
];
krebs.build.host = config.krebs.hosts.rofl;
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
nixpkgs.config.allowUnfree = true;
environment.shellAliases = {
ll = "ls -alh";
ls = "ls --color=tty";
};
environment.systemPackages = with pkgs; [
curl
fish
git
htop
nmap
ranger
tcpdump
tmux
traceroute
tree
vim
xz
zbackup
];
sound.enable = false;
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
networking.wireless.enable = false;
networking.networkmanager.enable = false;
krebs.iptables.enable = true;
networking.enableIPv6 = false;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
system.autoUpgrade.enable = false;
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
system.stateVersion = "19.03";
}

View File

@ -1,181 +0,0 @@
{ config, pkgs, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<stockholm/mb>
];
krebs.build.host = config.krebs.hosts.sunsh1n3;
boot.kernelPackages = pkgs.linuxPackages_latest;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
boot.initrd.luks.devices = [
{
name = "root";
device = "/dev/disk/by-uuid/5354ba31-c7de-4b55-8f86-a2a437dfbb21";
preLVM = true;
allowDiscards = true;
}
];
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
nixpkgs.config.packageOverrides = super : {
openvpn = super.openvpn.override { pkcs11Support = true; useSystemd = true ; };
};
nixpkgs.config.allowUnfree = true;
fonts = {
enableCoreFonts = true;
enableGhostscriptFonts = true;
fonts = with pkgs; [
anonymousPro
corefonts
dejavu_fonts
envypn-font
fira
gentium
gohufont
inconsolata
liberation_ttf
powerline-fonts
source-code-pro
terminus_font
ttf_bitstream_vera
ubuntu_font_family
unifont
unstable.cherry
xorg.fontbitstream100dpi
xorg.fontbitstream75dpi
xorg.fontbitstreamtype1
];
};
environment.systemPackages = with pkgs; [
wget vim git curl fish
ag
chromium
firefox
gimp
p7zip
htop
mpv
mpvc
nmap
ntfs3g
keepassx2
sshfs
#unstable.skrooge
skrooge
unstable.alacritty
tmux
tree
wcalc
virtmanager
virt-viewer
(wine.override { wineBuild = "wineWow"; })
xz
zbackup
];
virtualisation.libvirtd.enable = true;
virtualisation.kvmgt.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
programs.dconf.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
krebs.iptables.enable = true;
#networking.wireless.enable = true;
networking.networkmanager.enable = true;
networking.enableIPv6 = false;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = true;
nixpkgs.config.pulseaudio = true;
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "nodeadkeys";
services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color yellow) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
nix.buildCores = 4;
system.stateVersion = "19.09";
}

View File

@ -1,29 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a3257922-d2d4-45ae-87cc-cc38d32e0774";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/60A6-4DAB";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

View File

@ -1,222 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
{
users.users = {
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.mb.pubkey
];
};
mb = {
name = "mb";
uid = 1337;
home = "/home/mb";
group = "users";
createHome = true;
shell = "/run/current-system/sw/bin/fish";
extraGroups = [
"audio"
"video"
"fuse"
"wheel"
"kvm"
"qemu-libvirtd"
"libvirtd"
];
openssh.authorizedKeys.keys = [
config.krebs.users.mb.pubkey
];
};
xo = {
name = "xo";
uid = 2323;
home = "/home/xo";
group = "users";
createHome = true;
shell = "/run/current-system/sw/bin/fish";
extraGroups = [
"audio"
"video"
"fuse"
"wheel"
"kvm"
"qemu-libvirtd"
"libvirtd"
];
openssh.authorizedKeys.keys = [
config.krebs.users.mb.pubkey
];
};
};
}
{
environment.variables = {
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
}
(let ca-bundle = "/etc/ssl/certs/ca-bundle.crt"; in {
environment.variables = {
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
})
];
networking.hostName = config.krebs.build.host.name;
krebs = {
enable = true;
build.user = config.krebs.users.mb;
};
users.mutableUsers = true;
services.timesyncd.enable = mkForce true;
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -"
];
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
'';
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
#stockholm
git
git-preview
gnumake
jq
parallel
proot
populate
#style
most
rxvt_unicode.terminfo
#monitoring tools
htop
iotop
#network
iptables
iftop
tcpdump
#stuff for dl
aria2
#neat utils
fish
file
kpaste
krebspaste
mosh
pciutils
psmisc
tmux
untilport
usbutils
#unpack stuff
p7zip
(pkgs.writeDashBin "sshn" ''
${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
'')
];
services.openssh = {
enable = true;
permitRootLogin = "yes";
passwordAuthentication = false;
hostKeys = [
# XXX bits here make no science
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color yellow) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
krebs.iptables = {
enable = true;
tables = {
nat.PREROUTING.rules = [
{ predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
];
nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
};
}

View File

@ -1,231 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
gce = pkgs.google-compute-engine;
in
{
imports = [
./headless.nix
./qemu-guest.nix
];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
};
boot.growPartition = true;
boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
boot.initrd.kernelModules = [ "virtio_scsi" ];
boot.kernelModules = [ "virtio_pci" "virtio_net" ];
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
boot.loader.grub.device = "/dev/sda";
boot.loader.timeout = 0;
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.
boot.loader.grub.configurationLimit = 0;
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
#services.openssh.enable = true;
#services.openssh.permitRootLogin = "prohibit-password";
#services.openssh.passwordAuthentication = mkDefault false;
# Use GCE udev rules for dynamic disk volumes
services.udev.packages = [ gce ];
# Force getting the hostname from Google Compute.
networking.hostName = mkDefault "";
# Always include cryptsetup so that NixOps can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
# Make sure GCE image does not replace host key that NixOps sets
environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
[InstanceSetup]
set_host_keys = false
'';
# Rely on GCP's firewall instead
networking.firewall.enable = mkDefault false;
# Configure default metadata hostnames
networking.extraHosts = ''
169.254.169.254 metadata.google.internal metadata
'';
networking.timeServers = [ "metadata.google.internal" ];
networking.usePredictableInterfaceNames = false;
# GC has 1460 MTU
networking.interfaces.eth0.mtu = 1460;
security.googleOsLogin.enable = true;
systemd.services.google-clock-skew-daemon = {
description = "Google Compute Engine Clock Skew Daemon";
after = [
"network.target"
"google-instance-setup.service"
"google-network-setup.service"
];
requires = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
};
};
systemd.services.google-instance-setup = {
description = "Google Compute Engine Instance Setup";
after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
before = ["sshd.service"];
wants = ["local-fs.target" "network-online.target" "network.target"];
wantedBy = [ "sshd.service" "multi-user.target" ];
path = with pkgs; [ ethtool openssh ];
serviceConfig = {
ExecStart = "${gce}/bin/google_instance_setup --debug";
Type = "oneshot";
};
};
systemd.services.google-network-daemon = {
description = "Google Compute Engine Network Daemon";
after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
wants = ["local-fs.target" "network-online.target" "network.target"];
requires = ["network.target"];
partOf = ["network.target"];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ iproute ];
serviceConfig = {
ExecStart = "${gce}/bin/google_network_daemon --debug";
};
};
systemd.services.google-shutdown-scripts = {
description = "Google Compute Engine Shutdown Scripts";
after = [
"local-fs.target"
"network-online.target"
"network.target"
"rsyslog.service"
"systemd-resolved.service"
"google-instance-setup.service"
"google-network-daemon.service"
];
wants = [ "local-fs.target" "network-online.target" "network.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.coreutils}/bin/true";
ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
Type = "oneshot";
RemainAfterExit = true;
TimeoutStopSec = "infinity";
};
};
systemd.services.google-startup-scripts = {
description = "Google Compute Engine Startup Scripts";
after = [
"local-fs.target"
"network-online.target"
"network.target"
"rsyslog.service"
"google-instance-setup.service"
"google-network-daemon.service"
];
wants = ["local-fs.target" "network-online.target" "network.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
KillMode = "process";
Type = "oneshot";
};
};
# Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
boot.kernel.sysctl = {
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
"net.ipv4.tcp_syncookies" = mkDefault "1";
# ignores source-routed packets
"net.ipv4.conf.all.accept_source_route" = mkDefault "0";
# ignores source-routed packets
"net.ipv4.conf.default.accept_source_route" = mkDefault "0";
# ignores ICMP redirects
"net.ipv4.conf.all.accept_redirects" = mkDefault "0";
# ignores ICMP redirects
"net.ipv4.conf.default.accept_redirects" = mkDefault "0";
# ignores ICMP redirects from non-GW hosts
"net.ipv4.conf.all.secure_redirects" = mkDefault "1";
# ignores ICMP redirects from non-GW hosts
"net.ipv4.conf.default.secure_redirects" = mkDefault "1";
# don't allow traffic between networks or act as a router
"net.ipv4.ip_forward" = mkDefault "0";
# don't allow traffic between networks or act as a router
"net.ipv4.conf.all.send_redirects" = mkDefault "0";
# don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects" = mkDefault "0";
# reverse path filtering - IP spoofing protection
"net.ipv4.conf.all.rp_filter" = mkDefault "1";
# reverse path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter" = mkDefault "1";
# ignores ICMP broadcasts to avoid participating in Smurf attacks
"net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
# ignores bad ICMP errors
"net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
# logs spoofed, source-routed, and redirect packets
"net.ipv4.conf.all.log_martians" = mkDefault "1";
# log spoofed, source-routed, and redirect packets
"net.ipv4.conf.default.log_martians" = mkDefault "1";
# implements RFC 1337 fix
"net.ipv4.tcp_rfc1337" = mkDefault "1";
# randomizes addresses of mmap base, heap, stack and VDSO page
"kernel.randomize_va_space" = mkDefault "2";
# Reboot the machine soon after a kernel panic.
"kernel.panic" = mkDefault "10";
## Not part of the original config
# provides protection from ToCToU races
"fs.protected_hardlinks" = mkDefault "1";
# provides protection from ToCToU races
"fs.protected_symlinks" = mkDefault "1";
# makes locating kernel addresses more difficult
"kernel.kptr_restrict" = mkDefault "1";
# set ptrace protections
"kernel.yama.ptrace_scope" = mkOverride 500 "1";
# set perf only available to root
"kernel.perf_event_paranoid" = mkDefault "2";
};
}

View File

@ -1,25 +0,0 @@
# Common configuration for headless machines (e.g., Amazon EC2
# instances).
{ lib, ... }:
with lib;
{
boot.vesa = false;
# Don't start a tty on the serial consoles.
systemd.services."serial-getty@ttyS0".enable = false;
systemd.services."serial-getty@hvc0".enable = false;
systemd.services."getty@tty1".enable = false;
systemd.services."autovt@".enable = false;
# Since we can't manually respond to a panic, just reboot.
boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];
# Don't allow emergency mode, because we don't have a console.
systemd.enableEmergencyMode = false;
# Being headless, we don't need a GRUB splash image.
boot.loader.grub.splashImage = null;
}

View File

@ -1,446 +0,0 @@
"*****************************************************************************
"" Functions
"*****************************************************************************
function! GetBufferList()
redir =>buflist
silent! ls!
redir END
return buflist
endfunction
function! ToggleList(bufname, pfx)
let buflist = GetBufferList()
for bufnum in map(filter(split(buflist, '\n'), 'v:val =~ "'.a:bufname.'"'), 'str2nr(matchstr(v:val, "\\d\\+"))')
if bufwinnr(bufnum) != -1
exec(a:pfx.'close')
return
endif
endfor
if a:pfx == 'l' && len(getloclist(0)) == 0
echohl ErrorMsg
echo "Location List is Empty."
return
endif
let winnr = winnr()
exec(a:pfx.'open')
if winnr() != winnr
wincmd p
endif
endfunction
"*****************************************************************************
"" Basic Setup
"*****************************************************************************"
" General
let no_buffers_menu=1
syntax on
set ruler
set number
set mousemodel=popup
set t_Co=256
set guioptions=egmrti
set gfn=Monospace\ 10
" TODO: Testing if this works against automatically setting paste mode
" Issue: https://github.com/neovim/neovim/issues/7994
au InsertLeave * set nopaste
" undofile - This allows you to use undos after exiting and restarting
" This, like swap and backups, uses .vim-undo first, then ~/.vim/undo
" :help undo-persistence
if exists("+undofile")
if isdirectory($HOME . '/.vim/undo') == 0
:silent !mkdir -p ~/.vim/undo > /dev/null 2>&1
endif
set undodir=./.vim-undo//
set undodir+=~/.vim/undo//
set undofile
endif
" Encoding
set encoding=utf-8
set fileencoding=utf-8
set fileencodings=utf-8
set bomb
set binary
" Fix backspace indent
set backspace=indent,eol,start
" Tabs. May be overriten by autocmd rules
set tabstop=4
set softtabstop=0
set shiftwidth=4
set expandtab
" Map leader to ,
let mapleader=','
" Enable hidden buffers
set hidden
" Searching
set hlsearch
set incsearch
set ignorecase
set smartcase
" Directories for swp files
set nobackup
set noswapfile
set fileformats=unix,dos,mac
" File overview
set wildmode=list:longest,list:full
set wildignore+=*.o,*.obj,.git,*.rbc,*.pyc,__pycache__
" Shell to emulate
if exists('$SHELL')
set shell=$SHELL
else
set shell=/bin/bash
endif
" Set color scheme
colorscheme molokai
"Show always Status bar
set laststatus=2
" Use modeline overrides
set modeline
set modelines=10
" Set terminal title
set title
set titleold="Terminal"
set titlestring=%F
" search will center on the line it's found in.
nnoremap n nzzzv
nnoremap N Nzzzv
"*****************************************************************************
"" Abbreviations
"*****************************************************************************
" no one is really happy until you have this shortcuts
cnoreabbrev W! w!
cnoreabbrev Q! q!
cnoreabbrev Qall! qall!
cnoreabbrev Wq wq
cnoreabbrev Wa wa
cnoreabbrev wQ wq
cnoreabbrev WQ wq
cnoreabbrev W w
cnoreabbrev Q q
cnoreabbrev Qall qall
" NERDTree configuration
let g:NERDTreeChDirMode=2
let g:NERDTreeIgnore=['\.rbc$', '\~$', '\.pyc$', '\.db$', '\.sqlite$', '__pycache__']
let g:NERDTreeSortOrder=['^__\.py$', '\/$', '*', '\.swp$', '\.bak$', '\~$']
let g:NERDTreeShowBookmarks=1
let g:nerdtree_tabs_focus_on_files=1
let g:NERDTreeMapOpenInTabSilent = '<RightMouse>'
let g:NERDTreeWinSize = 50
set wildignore+=*/tmp/*,*.so,*.swp,*.zip,*.pyc,*.db,*.sqlite
nnoremap <silent> <F1> :NERDTreeFind<CR>
nnoremap <silent> <F2> :NERDTreeToggle<CR>
" open terminal emulation
nnoremap <silent> <leader>sh :terminal<CR>:startinsert<CR>
"*****************************************************************************
"" Autocmd Rules
"*****************************************************************************
"" The PC is fast enough, do syntax highlight syncing from start unless 200 lines
augroup vimrc-sync-fromstart
autocmd!
autocmd BufEnter * :syntax sync maxlines=200
augroup END
" Nasm filetype
augroup nasm
autocmd!
autocmd BufRead,BufNewFile *.nasm set ft=nasm
augroup END
" Binary filetype
augroup Binary
au!
au BufReadPre *.bin,*.exe,*.elf let &bin=1
au BufReadPost *.bin,*.exe,*.elf if &bin | %!xxd
au BufReadPost *.bin,*.exe,*.elf set ft=xxd | endif
au BufWritePre *.bin,*.exe,*.elf if &bin | %!xxd -r
au BufWritePre *.bin,*.exe,*.elf endif
au BufWritePost *.bin,*.exe,*.elf if &bin | %!xxd
au BufWritePost *.bin,*.exe,*.elf set nomod | endif
augroup END
" Binary filetype
augroup fasm
au!
au BufReadPost *.fasm set ft=fasm
augroup END
augroup deoplete-update
autocmd!
autocmd VimEnter * UpdateRemotePlugin
augroup END
"" Remember cursor position
augroup vimrc-remember-cursor-position
autocmd!
autocmd BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g`\"" | endif
augroup END
"" txt
" augroup vimrc-wrapping
" autocmd!
" autocmd BufRead,BufNewFile *.txt call s:setupWrapping()
" augroup END
"" make/cmake
augroup vimrc-make-cmake
autocmd!
autocmd FileType make setlocal noexpandtab
autocmd BufNewFile,BufRead CMakeLists.txt setlocal filetype=cmake
augroup END
set autoread
"*****************************************************************************
"" Mappings
"*****************************************************************************
" Split
noremap <Leader>h :<C-u>split<CR>
noremap <Leader>v :<C-u>vsplit<CR>
" Git
noremap <Leader>ga :Gwrite<CR>
noremap <Leader>gc :Gcommit<CR>
noremap <Leader>gsh :Gpush<CR>
noremap <Leader>gll :Gpull<CR>
noremap <Leader>gs :Gstatus<CR>
noremap <Leader>gb :Gblame<CR>
noremap <Leader>gd :Gvdiff<CR>
noremap <Leader>gr :Gremove<CR>
" Tabs
nnoremap <Tab> gt
nnoremap <S-Tab> gT
nnoremap <silent> <S-t> :tabnew<CR>
" Set working directory
nnoremap <leader>. :lcd %:p:h<CR>
" Opens an edit command with the path of the currently edited file filled in
noremap <Leader>e :e <C-R>=expand("%:p:h") . "/" <CR>
" Opens a tab edit command with the path of the currently edited file filled
noremap <Leader>te :tabe <C-R>=expand("%:p:h") . "/" <CR>
" Tagbar
nmap <silent> <F3> :TagbarToggle<CR>
let g:tagbar_autofocus = 1
" Copy/Paste/Cut
set clipboard^=unnamed,unnamedplus
noremap YY "+y<CR>
noremap <leader>p "+gP<CR>
noremap XX "+x<CR>
" Enable mouse for vim
set mouse=a
" Buffer nav
noremap <leader>z :bp<CR>
noremap <leader>q :bp<CR>
noremap <leader>x :bn<CR>
noremap <leader>w :bn<CR>
" Close buffer
noremap <leader>c :bd<CR>
" Clean search (highlight)
nnoremap <silent> <leader><space> :noh<cr>
" Switching windows
noremap <C-j> <C-w>j
noremap <C-k> <C-w>k
noremap <C-l> <C-w>l
noremap <C-h> <C-w>h
" Vmap for maintain Visual Mode after shifting > and <
vmap < <gv
vmap > >gv
" Move visual block
vnoremap J :m '>+1<CR>gv=gv
vnoremap K :m '<-2<CR>gv=gv
" Open current line on GitHub
nnoremap <Leader>o :.Gbrowse<CR>
" Save on strg+s if not in paste mode
nmap <c-s> :w<CR>
vmap <c-s> <Esc><c-s>gv
imap <c-s> <Esc><c-s>
" Quit on strg+q in normal mode
nnoremap <c-q> :q<cr>
" Strg+d to replace word under cursor
nnoremap <c-d> :%s/\<<C-r><C-w>\>//g<Left><Left>
" Strg+f ro find word under cursor
nnoremap <c-f> :/<C-r><C-w><Left><Left>
" Remove unneccessary spaces
nnoremap <silent> <F5> :let _s=@/ <Bar> :%s/\s\+$//e <Bar> :let @/=_s <Bar> :nohl <Bar> :unlet _s <CR>
" Reindent whole file with F6
map <F6> mzgg=G`z
" Toggle location list
nmap <silent> <F4> :call ToggleList("Quickfix List", 'c')<CR>
" Replacing text in visual mode doesn't copy it anymore
xmap p <Plug>ReplaceWithRegisterVisual
xmap <MiddleMouse> <Plug>ReplaceWithRegisterVisual
" ALE mappings
nmap <Leader>i <Plug>(ale_hover)
nmap <Leader>d <Plug>(ale_go_to_definition_in_tab)
nmap <Leader>rf <Plug>(ale_find_references)
nmap <silent><F7> <Plug>(ale_fix)
" Vim-Go mappings
au FileType go nmap <Leader>i :GoDoc<cr>
au FileType go nmap <Leader>d :GoDef<cr>
au FileType go nmap <Leader>rf :GoReferrers<cr>
"" Opens an edit command with the path of the currently edited file filled in
noremap <Leader>e :e <C-R>=expand("%:p:h") . "/" <CR>
" Use tab for navigatin in autocompletion window
inoremap <expr> <Tab> pumvisible() ? "\<C-n>" : "\<Tab>"
inoremap <expr> <S-Tab> pumvisible() ? "\<C-p>" : "\<S-Tab>"
"*****************************************************************************
"" Plugin settings
"*****************************************************************************
" vim-airline
set statusline+=%{fugitive#statusline()}
let g:airline_theme = 'powerlineish'
let g:airline#extensions#syntastic#enabled = 1
let g:airline#extensions#branch#enabled = 1
let g:airline#extensions#tabline#enabled = 1
let g:airline#extensions#tagbar#enabled = 1
let g:airline_skip_empty_sections = 1
let g:airline#extensions#ale#enabled = 1
" show indent lines
let g:indent_guides_enable_on_vim_startup = 1
let g:indent_guides_auto_colors = 0
hi IndentGuidesOdd ctermbg=235
hi IndentGuidesEven ctermbg=235
let g:indent_guides_guide_size = 1
let g:indent_guides_start_level = 2
" Enable autocompletion
let g:deoplete#enable_at_startup = 1
set completeopt-=preview
" Ale no preview on hover
let g:ale_close_preview_on_insert = 0
let g:ale_cursor_detail = 0
" Ale skip if file size over 2G
let g:ale_maximum_file_size = "2147483648"
" Ale to loclist and quickfix
let g:ale_set_quickfix = 1
" let g:ale_set_loclist = 1
" Ale language server
let g:ale_linters = {
\ 'python': ['pyls'],
\ 'c': ['cquery'],
\ 'cpp': ['cquery'],
\ 'xml': ['xmllint']
\ }
" ALE fixers
let g:ale_fixers = { '*': ['remove_trailing_lines', 'trim_whitespace'] }
let g:ale_fixers.python = ['black']
let g:ale_fixers.go = ['gofmt']
let g:ale_fixers.c = ['clang-format']
let g:ale_fixers.cpp = ['clang-format']
let g:ale_fixers.json = ['jq']
let g:ale_fixers.xml = ['xmllint']
let g:ale_completion_enabled = 1
let g:ale_sign_error = ''
let g:ale_sign_warning = '⚠'
let g:ale_lint_on_insert_leave = 1
" Vim-Go Settings
let g:go_auto_sameids = 1
let g:go_fmt_command = "goimports"
let g:go_auto_type_info = 1
" Disable syntastic for langserver supported languages
let g:syntastic_mode_map = {
\ "mode": "active",
\ "passive_filetypes": ["go", "python", "c", "cpp", "xml" ]
\ }
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 2
let g:syntastic_aggregate_errors = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
let g:syntastic_error_symbol='✗'
let g:syntastic_warning_symbol='⚠'
let g:syntastic_style_error_symbol = '✗'
let g:syntastic_style_warning_symbol = '⚠'
"*****************************************************************************
"" Shortcuts overview
"*****************************************************************************
" Shortcuts overview
" F1 --> Filetree find
" F2 --> Filetree toggle
" F3 --> Function overview
" F4 --> Toggle error bar
" F5 --> Remove trailing whitespaces
" F6 --> Reindent whole file
" F7 --> Format and lint file
" ,i --> Information about function
" ,d --> Jump to definition
" ,r --> Rename in all occurences
" ,rf --> Find references of function/variable
" ,e --> Change current file
" ,te --> Open file in new tab
" strg+f --> Find current selected word
" strg+d --> Replace current selected word
" strg+s --> Save file
" strg+q --> Close current file
" space+, --> Stop highlighting words after search

View File

@ -1,70 +0,0 @@
{ pkgs, config, ... }: let
#unstable = import <nixos-unstable> { };
in
{
environment.variables = {
EDITOR = ["nvim"];
};
nixpkgs.config.packageOverrides = pkgs: with pkgs;{
neovim_custom = neovim.override {
configure = {
customRC = builtins.readFile ./neovimrc;
packages.myVimPackage = with pkgs.vimPlugins;
{
# loaded on launch
start = [
nerdtree # file manager
commentary # comment stuff out based on language
fugitive # full git integration
vim-airline-themes # lean & mean status/tabline
vim-airline # status bar
gitgutter # git diff in the gutter (sign column)
vim-trailing-whitespace # trailing whitspaces in red
tagbar # F3 function overview
syntastic # Fallback to singlethreaded but huge syntax support
ReplaceWithRegister # For better copying/replacing
polyglot # Language pack
vim-indent-guides # for displaying indent levels
ale # threaded language client
vim-go # go linting
deoplete-go # go autocompletion completion
deoplete-nvim # general autocompletion
molokai # color scheme
];
# manually loadable by calling `:packadd $plugin-name`
opt = [];
};
};
};
};
environment.systemPackages = with pkgs; [
ctags
neovim_custom
jq # For fixing json files
xxd # .bin files will be displayed with xxd
shellcheck # Shell linting
ansible-lint # Ansible linting
unzip # To vim into unzipped files
nodePackages.jsonlint # json linting
#python36Packages.python-language-server # python linting
#python36Packages.pyls-mypy # Python static type checker
#python36Packages.black # Python code formatter
#python37Packages.yamllint # For linting yaml files
#python37Packages.libxml2 # For fixing yaml files
cquery # C/C++ support
clang-tools # C++ fixer
];
fonts = {
fonts = with pkgs; [
font-awesome_5
];
};
}

View File

@ -1,19 +0,0 @@
# Common configuration for virtual machines running under QEMU (using
# virtio).
{ ... }:
{
boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
boot.initrd.postDeviceCommands =
''
# Set the system time from the hardware clock to work around a
# bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
# to the *boot time* of the host).
hwclock -s
'';
security.rngd.enable = false;
}

View File

@ -1,33 +0,0 @@
{ config, pkgs, ... }:
{
krebs.iptables = {
tables = {
filter.INPUT.rules = let
tincport = toString config.krebs.build.host.nets.retiolum.tinc.port;
in [
{ predicate = "-p tcp --dport ${tincport}"; target = "ACCEPT"; }
{ predicate = "-p udp --dport ${tincport}"; target = "ACCEPT"; }
];
};
};
krebs.tinc.retiolum = {
enableLegacy = true;
enable = true;
connectTo = [
"prism"
"gum"
"ni"
];
};
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
};
environment.systemPackages = [
pkgs.tinc
];
}

View File

@ -1,4 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
this is a private key
-----END RSA PRIVATE KEY-----

View File

@ -1,6 +0,0 @@
_:
{
imports = [
./hosts.nix
];
}

View File

@ -1,12 +0,0 @@
{ config, ... }:
with import <stockholm/lib>;
{
options.mb.hosts = mkOption {
type = types.attrsOf types.host;
default =
filterAttrs (_: host: host.owner.name == "mb" && host.ci)
config.krebs.hosts;
};
}

View File

@ -1,11 +0,0 @@
with import <stockholm/lib>;
self: super:
# Import files and subdirectories like they are overlays.
foldl' mergeAttrs {}
(map
(name: import (./. + "/${name}") self super)
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))))

View File

@ -1,14 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
../krebs
./2configs
./3modules
];
nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
krebs.tinc.retiolum.privkey = {
source-path = toString <secrets> + "/${config.krebs.tinc.retiolum.netname}.rsa";
path = "${config.krebs.tinc.retiolum.user.home}/tinc.rsa_key.priv";
owner = config.krebs.tinc.retiolum.user;
};
}

View File

@ -1,54 +0,0 @@
{ name }: let
inherit (import ../krebs/krops.nix { inherit name; })
krebs-source
lib
pkgs
;
host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
else
{}
;
source = { test }: lib.evalSource ([
(krebs-source { test = test; })
{
nixos-config.symlink = "stockholm/mb/1systems/${name}/configuration.nix";
nixpkgs-unstable.git = {
url = "https://github.com/nixos/nixpkgs-channels";
ref = "nixos-unstable";
};
secrets = if test then {
file = toString ./2configs/tests/dummy-secrets;
} else {
pass = {
dir = "${lib.getEnv "HOME"}/.password-store";
name = "hosts/${name}";
};
};
}
] ++ (lib.optional (! test) host-source));
in {
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; };
inherit target;
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
populate = { target, force ? false }: pkgs.populate {
inherit force;
source = source { test = false; };
target = lib.mkTarget target;
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" {
force = true;
inherit target;
source = source { test = true; };
};
}