Merge branch 'master' of prism:stockholm

jeschli/1systems/bln/config.nix

@@ -36,9 +36,9 @@
     }
   ];
 
-  networking.hostName = "BLN02NB0154"; # Define your hostname.
+  networking.hostName = lib.mkForce "BLN02NB0154"; # Define your hostname.
   networking.networkmanager.enable = true;
-   #networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 
   # Select internationalisation properties.
   # i18n = {
@@ -54,7 +54,11 @@
   # List packages installed in system profile. To search by name, run:
   # $ nix-env -qaP | grep wget
   nixpkgs.config.allowUnfree = true;
-  environment.shellAliases = { n = "nix-shell"; };
+  environment.shellAliases = { 
+    n = "nix-shell"; 
+    gd = "cd /home/markus/go/src/gitlab.dcso.lolcat"; 
+    gh = "cd /home/markus/go/src/github.com"; 
+  };
   environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
   environment.systemPackages = with pkgs; [
   # system helper
@@ -62,6 +66,7 @@
     copyq
     dmenu
     git
+    tig
     i3lock
     keepass
     networkmanagerapplet
@@ -72,6 +77,8 @@
     rxvt_unicode
   # editors
     emacs
+  # databases
+    sqlite
   # internet 
     thunderbird
     hipchat
@@ -91,6 +98,7 @@
     jetbrains.pycharm-professional
     jetbrains.webstorm
     jetbrains.goland
+    jetbrains.datagrip
     texlive.combined.scheme-full
     pandoc
     redis

jeschli/1systems/brauerei/config.nix

@@ -96,7 +96,7 @@
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;
-  # services.xserver.layout = "us";
+  services.xserver.layout = "us";
   # services.xserver.xkbOptions = "eurosign:e";
 
   # Enable touchpad support.

jeschli/1systems/enklave/config.nix

@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/jeschli>
+    <stockholm/jeschli/2configs/retiolum.nix>
+    <stockholm/jeschli/2configs/os-templates/CentOS-7-64bit.nix>
+    {
+      networking.dhcpcd.allowInterfaces = [
+        "enp*"
+        "eth*"
+        "ens*"
+      ];
+    }
+    {
+      services.openssh.enable = true;
+    }
+    {
+      sound.enable = false;
+    }
+    {
+      users.extraUsers = {
+        root.initialPassword = "pfeife123";
+        root.openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
+        ];
+        jeschli = {
+          name = "jeschli";
+          uid = 1000;
+          home = "/home/jeschli";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+          ];
+          openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
+          ];
+        };
+      };
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.enklave;
+}

jeschli/1systems/enklave/source.nix

@@ -0,0 +1,3 @@
+import <stockholm/jeschli/source.nix> {
+  name = "enklave";
+}

jeschli/1systems/reagenzglas/config.nix

@@ -29,7 +29,6 @@
     allowDiscards = true;
     }
   ];
-  networking.hostName = "reaganzglas"; # Define your hostname.
 #  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
   networking.networkmanager.enable = true;
   # Select internationalisation properties.

jeschli/2configs/default.nix

@@ -4,6 +4,7 @@ with import <stockholm/lib>;
   imports = [
     ./vim.nix
     ./retiolum.nix
+    <stockholm/lass/2configs/security-workarounds.nix>
     {
       environment.variables = {
         NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
@@ -63,4 +64,5 @@ with import <stockholm/lib>;
   ];
 
   krebs.enable = true;
+  networking.hostName = config.krebs.build.host.name;
 }

jeschli/2configs/os-templates/CentOS-7-64bit.nix

@@ -0,0 +1,16 @@
+_:
+
+{
+  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
+
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
+}

jeschli/2configs/retiolum.nix

@@ -9,6 +9,7 @@
       "gum"
       "ni"
       "dishfire"
+      "enklave"
     ];
   };
 
@@ -16,6 +17,9 @@
     tinc = pkgs.tinc_pre;
   };
 
+  networking.firewall.allowedTCPPorts = [ 655 ];
+  networking.firewall.allowedUDPPorts = [ 655 ];
+
   environment.systemPackages = [
     pkgs.tinc
   ];

jeschli/2configs/urxvt.nix

@@ -28,7 +28,7 @@ with import <stockholm/lib>;
   
   URxvt*scrollBar:                      false
   URxvt*urgentOnBell:                   true
-  URxvt*font: xft:DejaVu Sans Mono:pixelsize=20
+  URxvt*font: xft:DejaVu Sans Mono:pixelsize=12
   URXvt*faceSize: 12
   '';
 }

jeschli/source.nix

@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "f9390d6";
+        ref = "0653b73";
       };
       secrets.file = getAttr builder {
         buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;

krebs/1systems/hotdog/config.nix

@@ -20,10 +20,5 @@
 
   boot.isContainer = true;
   networking.useDHCP = false;
-  krebs.repo-sync.repos.stockholm.timerConfig = {
-    OnBootSec = "5min";
-    OnUnitInactiveSec = "2min";
-    RandomizedDelaySec = "2min";
-  };
   krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
 }

krebs/1systems/wolf/config.nix

@@ -10,7 +10,6 @@ in
     <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
     <stockholm/krebs/2configs/collectd-base.nix>
     <stockholm/krebs/2configs/stats/wolf-client.nix>
-    <stockholm/krebs/2configs/save-diskspace.nix>
 
     <stockholm/krebs/2configs/graphite.nix>
     <stockholm/krebs/2configs/buildbot-krebs.nix>

krebs/2configs/buildbot-all.nix

@@ -1,10 +1,6 @@
 with import <stockholm/lib>;
 { lib, config, pkgs, ... }:
 {
-  imports = [
-    <stockholm/krebs/2configs/repo-sync.nix>
-  ];
-
   networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];
   krebs.ci.enable = true;
   krebs.ci.treeStableTimer = 1;

krebs/2configs/ircd.nix

@@ -12,10 +12,10 @@
     '';
     config = ''
       serverinfo {
-        name = "${config.krebs.build.host.name}.irc.retiolum";
+        name = "${config.krebs.build.host.name}.irc.r";
         sid = "1as";
         description = "miep!";
-        network_name = "irc.retiolum";
+        network_name = "irc.r";
         hub = yes;
 
         vhost = "0.0.0.0";

krebs/3modules/buildbot/slave.nix

@@ -161,7 +161,7 @@ let
         ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
           set -efux
           #remove garbage from old versions
-          rm -r ${workdir}
+          rm -rf ${workdir}
           mkdir -p ${workdir}/info
           cp ${buildbot-slave-init} ${workdir}/buildbot.tac
           echo ${contact} > ${workdir}/info/admin

krebs/3modules/jeschli/default.nix

@@ -118,6 +118,52 @@ with import <stockholm/lib>;
         };
       };
     };
+    enklave = {
+      nets = rec {
+        internet = {
+          ip4.addr = "88.198.164.182";
+          aliases = [
+            "enklave.i"
+          ];
+        };
+        retiolum = {
+          via = internet;
+          ip4.addr = "10.243.27.30";
+          ip6.addr = "42::30";
+          aliases = [
+            "enklave.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIID8gKCA+kAt8zRg/g0jRmqXn6rVul/tdjWtLPcu0aTjNJ5OYZh50i7WqWllGVz
+            +FfJicuq/Xd1l5qrgUN7MD+Wrfeov+G9lzSgacfPhXMujutXxX3JwW/9f7UN+yoN
+            Sw29Zj+NWb45HyI5WVwMQ332KbKjNcWdTRe+O39oE6bZWg54oEeZOad2UJ7/83sB
+            yNEV/B7bJ0+X9HR8XCKrHI/RkjixNauMDlquGzoVyqLKIWwUnBl9CwtNBCYHbvYD
+            G1rWeCewd9Z6KsqcKSePfa4mn5eOluWcXmbrD/sx8oII40oNUs3kI7a2HExB2Yle
+            P9Q5MQrXRZfI3bdrh1aHieBodZLtosHPNuJIpo8ZaCX88WLhGR3nhJa1vvM1vNwd
+            TSSAdobdZUcuIQJKnVxwP4rXQAKPkN2+ddy+tXCGvfFAsdGKDbgPy4FgT+Ed28vg
+            3W0fef/3sDNGPY1VAa58/pLz9Un3kNJKUjt00tWamo8daU/3mxZs83nIqDHLq86l
+            1+wCl37l+KHe7pUVZ3smoezPRCMoUThmc7VzupbQG+piiSSyiYQi0CuBusa44t76
+            1lMr3pOdRBBAoetZ745ZZVx8s+eYk+C1BmQbLJAfzQ9sbH3LAwXpuAH70mtrFqWl
+            C3LF89/5mZRbFxALZv9cVx3LqIZDjwpKlwPWorZwo14L+eAagdPCcnVNo6ZcVow2
+            mAdNnf7C33fvRsU+rUEIZVPsBHZfAv+f0jqQ65TMvl32VZ0FlxxahSZSj64n8iwr
+            Z+DOxKA9OcAaTrHQReYLpWUfNceVDLfOmQLeih8hNgClgqPgYJP/OtN+ox3NP6ZX
+            +Gkx9HO7a+agtyJxjh3NYbT/NkRW8HcjW8KgRN7jlE9sQi5/FoxKQOUdHmLTvjdk
+            YJXqdPWMYHj2xt4A8x2nzl/si6lwDsod+zdY5RGSdYhoybEOs4wZZIuArmm8GP+C
+            IbtgutknAuqvm2FOxyWCbLFTimgqC5BgrNUsXFJJLsHQ3bWFJtVpJlSa5Y0iypCP
+            Yr/cefbDrGfs3eCy7FlYDIkCcH06FPm1LTs6USisrtKFObRQN+zPSPln9FysNmpH
+            h0YUhrWdTO+wN78K5gc4ALPNUlyqmH61h8jS2qSdrRZLcZWIi4K4banG6EJcWRvV
+            kaVxghY1i/Z9x43bZRpBPvpM462IDx08vYX9AcFmF7JfjAXPwJO/EqZVsY1YPDzO
+            vdXWrtTORO8R8Pjq3X952yNqgHBcJQh7Q9TBcj+XBtkidOSnTt3Sp/RumsucUW19
+            0wMempDPiCOAadLmR4cW5XL1ednXurkd+5gHCmB1Sl7FueP5dgLB/mhXjmITE3zH
+            aQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+
+
   };
   users = {
     jeschli = {

krebs/3modules/makefu/default.nix

@@ -541,6 +541,7 @@ with import <stockholm/lib>;
           graph             IN A      ${nets.internet.ip4.addr}
           ghook             IN A      ${nets.internet.ip4.addr}
           dockerhub         IN A      ${nets.internet.ip4.addr}
+          photostore        IN A      ${nets.internet.ip4.addr}
           io                IN NS     gum.krebsco.de.
         '';
       };

krebs/3modules/nin/default.nix

@@ -14,7 +14,6 @@ with import <stockholm/lib>;
           ip4.addr = "10.243.132.96";
           ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
           aliases = [
-            "hiawatha.retiolum"
             "hiawatha.r"
           ];
           tinc.pubkey = ''
@@ -39,7 +38,6 @@ with import <stockholm/lib>;
           ip4.addr = "10.243.134.66";
           ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
           aliases = [
-            "axon.retiolum"
             "axon.r"
           ];
           tinc.pubkey = ''
@@ -80,10 +78,8 @@ with import <stockholm/lib>;
           ip4.addr = "10.243.132.55";
           ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
           aliases = [
-            "onondaga.retiolum"
             "onondaga.r"
             "cgit.onondaga.r"
-            "cgit.onondaga.retiolum"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -104,11 +100,11 @@ with import <stockholm/lib>;
   };
   users = {
     nin = {
-      mail = "nin@axon.retiolum";
+      mail = "nin@axon.r";
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
     };
     nin_h = {
-      mail = "nin@hiawatha.retiolum";
+      mail = "nin@hiawatha.r";
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
     };
   };

krebs/3modules/tv/default.nix

@@ -122,6 +122,7 @@ with import <stockholm/lib>;
           cgit        60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
           cgit.ni     60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
           krebsco.de. 60 IN MX 5 ni
+          krebsco.de. 60 IN TXT v=spf1 mx -all
         '';
       };
       nets = {
@@ -201,24 +202,6 @@ with import <stockholm/lib>;
         };
       };
     };
-    schnabeldrucker = {
-      external = true;
-      nets = {
-        gg23 = {
-          ip4.addr = "10.23.1.21";
-          aliases = ["schnabeldrucker.gg23"];
-        };
-      };
-    };
-    schnabelscanner = {
-      external = true;
-      nets = {
-        gg23 = {
-          ip4.addr = "10.23.1.22";
-          aliases = ["schnabelscanner.gg23"];
-        };
-      };
-    };
     wu = {
       ci = true;
       cores = 4;

krebs/4lib/infest/prepare.sh

@@ -21,6 +21,10 @@ prepare() {(
         esac
         ;;
       debian)
+        if grep -Fq Hetzner /etc/motd; then
+          prepare_hetzner_rescue "$@"
+          exit
+        fi
         case $VERSION_ID in
           7)
             prepare_debian "$@"
@@ -72,7 +76,7 @@ prepare_debian() {
   type bzip2 2>/dev/null || apt-get install bzip2
   type git   2>/dev/null || apt-get install git
   type rsync 2>/dev/null || apt-get install rsync
-  type curl 2>/dev/null || apt-get install curl
+  type curl  2>/dev/null || apt-get install curl
   prepare_common
 }
 
@@ -90,10 +94,33 @@ prepare_nixos_iso() {
 
   mkdir -p bin
   rm -f bin/nixos-install
-  cp "$(type -p nixos-install)" bin/nixos-install
+  cp "$(_which nixos-install)" bin/nixos-install
   sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
 }
 
+prepare_hetzner_rescue() {
+  _which() (
+    which "$1"
+  )
+  mountpoint /mnt
+
+  type bzip2 2>/dev/null || apt-get install bzip2
+  type git   2>/dev/null || apt-get install git
+  type rsync 2>/dev/null || apt-get install rsync
+  type curl  2>/dev/null || apt-get install curl
+
+  mkdir -p /mnt/"$target_path"
+  mkdir -p "$target_path"
+
+  if ! mountpoint "$target_path"; then
+    mount --rbind /mnt/"$target_path" "$target_path"
+  fi
+
+  _prepare_nix_users
+  _prepare_nix
+  _prepare_nixos_install
+}
+
 get_nixos_install() {
   echo "installing nixos-install" 2>&1
   c=$(mktemp)
@@ -107,24 +134,13 @@ EOF
   nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"
   rm -v $c
 }
-prepare_common() {(
 
-  if ! getent group nixbld >/dev/null; then
+prepare_common() {(
-    groupadd -g 30000 -r nixbld
+  _which() (
-  fi
+    type -p "$1"
-  for i in `seq 1 10`; do
+  )
-    if ! getent passwd nixbld$i 2>/dev/null; then
+
-      useradd \
+  _prepare_nix_users
-        -d /var/empty \
-        -g 30000 \
-        -G 30000 \
-        -l \
-        -M \
-        -s /sbin/nologin \
-        -u $(expr 30000 + $i) \
-        nixbld$i
-    fi
-  done
 
   #
   # mount install directory
@@ -173,10 +189,12 @@ prepare_common() {(
     mount --bind /nix /mnt/nix
   fi
 
-  #
+  _prepare_nix
-  # install nix
-  #
 
+  _prepare_nixos_install
+)}
+
+_prepare_nix() {
   # install nix on host (cf. https://nixos.org/nix/install)
   if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
     (
@@ -201,17 +219,40 @@ prepare_common() {(
   if ! mountpoint "$target_path"; then
     mount --rbind /mnt/"$target_path" "$target_path"
   fi
+}
 
+_prepare_nix_users() {
+  if ! getent group nixbld >/dev/null; then
+    groupadd -g 30000 -r nixbld
+  fi
+  for i in `seq 1 10`; do
+    if ! getent passwd nixbld$i 2>/dev/null; then
+      useradd \
+        -d /var/empty \
+        -g 30000 \
+        -G 30000 \
+        -l \
+        -M \
+        -s /sbin/nologin \
+        -u $(expr 30000 + $i) \
+        nixbld$i
+    fi
+  done
+}
+
+
+_prepare_nixos_install() {
   get_nixos_install
+
   mkdir -p bin
   rm -f bin/nixos-install
-  cp "$(type -p nixos-install)" bin/nixos-install
+  cp "$(_which nixos-install)" bin/nixos-install
   sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
 
   if ! grep -q '^PATH.*#krebs' .bashrc; then
     echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc
     echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc
   fi
-)}
+}
 
 prepare "$@"

krebs/5pkgs/simple/internetarchive/default.nix

@@ -1,38 +1,39 @@
-{ pkgs, fetchFromGitHub, ... }:
+{ stdenv, pkgs, ... }:
 with pkgs.python3Packages;
 buildPythonPackage rec {
   pname = "internetarchive";
   version = "1.7.3";
   name = "${pname}-${version}";
-  propagatedBuildInputs = [
-    requests
-      jsonpatch
-      docopt
-      clint
-      six
-      schema
-      backports_csv
-  ];
-
-# check only works when cloned from git repo
-  doCheck = false;
-  checkInputs = [
-    pytest
-      responses
-  ];
-
-  prePatch = ''
-    sed -i "s/'schema.*'/'schema>=0.4.0'/" setup.py
-    '';
 
   src = fetchPypi {
     inherit pname version;
     sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g";
   };
 
+  propagatedBuildInputs = [
+    requests
+    jsonpatch
+    docopt
+    clint
+    six
+    schema
+    backports_csv
+  ];
+
+  # check only works when cloned from git repo
+  doCheck = false;
+
+  checkInputs = [
+    pytest
+    responses
+  ];
+
+  prePatch = ''
+    sed -i "s/'schema.*'/'schema>=0.4.0'/" setup.py
+  '';
+
   meta = with stdenv.lib; {
     description = "python library and cli for uploading files to internet archive";
     license = licenses.agpl3;
   };
-
 }

krebs/5pkgs/simple/stockholm/default.nix

@@ -92,6 +92,17 @@
         -I "$target_path"
   '');
 
+  cmds.get-version = pkgs.writeDash "get-version" ''
+    set -efu
+    hostname=''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}
+    version=git.$(${pkgs.git}/bin/git describe --always --dirty)
+    case $version in (*-dirty)
+      version=$version@$hostname
+    esac
+    date=$(${pkgs.coreutils}/bin/date +%y.%m)
+    echo "$date.$version"
+  '';
+
   cmds.install = pkgs.withGetopt {
     force-populate = { default = /* sh */ "false"; switch = true; };
     quiet = { default = /* sh */ "false"; switch = true; };
@@ -205,7 +216,7 @@
   init.env = pkgs.writeText "init.env" /* sh */ ''
 
     export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
-    export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${shell.get-version})}"
+    export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${cmds.get-version})}"
 
     export quiet
     export system
@@ -274,16 +285,6 @@
     fi
   '';
 
-  shell.get-version = pkgs.writeDash "stockholm.get-version" ''
-    set -efu
-    version=git.$(${pkgs.git}/bin/git describe --always --dirty)
-    case $version in (*-dirty)
-      version=$version@$HOSTNAME
-    esac
-    date=$(${pkgs.coreutils}/bin/date +%y.%m)
-    echo "$date.$version"
-  '';
-
 in
 
   pkgs.writeOut "stockholm" (lib.mapAttrs' (name: link:

krebs/source.nix

@@ -17,6 +17,6 @@ in
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
+      ref = "0b30c1dd4c638e318957fc6a9198cf2429e38cb5"; # nixos-17.09 @ 2018-01-04
     };
   }

lass/1systems/daedalus/config.nix

@@ -41,6 +41,7 @@ with import <stockholm/lib>;
         skype
         wine
       ];
+      nixpkgs.config.firefox.enableAdobeFlash = true;
       services.xserver.enable = true;
       services.xserver.displayManager.lightdm.enable = true;
       services.xserver.desktopManager.plasma5.enable = true;

lass/1systems/dishfire/config.nix

@@ -43,6 +43,7 @@
       networking.dhcpcd.allowInterfaces = [
         "enp*"
         "eth*"
+        "ens*"
       ];
     }
     {

lass/1systems/mors/config.nix

@@ -70,10 +70,6 @@ with import <stockholm/lib>;
         pkgs.ovh-zone
       ];
     }
-    {
-      #ps vita stuff
-      boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-    }
     {
       services.tor = {
         enable = true;

lass/1systems/prism/config.nix

@@ -184,14 +184,17 @@ in {
     }
     {
       #hotdog
+      systemd.services."container@hotdog".reloadIfChanged = mkForce false;
       containers.hotdog = {
         config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
           environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
           ];
         };
+        autoStart = true;
         enableTun = true;
         privateNetwork = true;
         hostAddress = "10.233.2.1";
@@ -200,8 +203,10 @@ in {
     }
     {
       #kaepsele
+      systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
       containers.kaepsele = {
         config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
           environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
@@ -209,6 +214,7 @@ in {
             tv.pubkey
           ];
         };
+        autoStart = true;
         enableTun = true;
         privateNetwork = true;
         hostAddress = "10.233.2.3";
@@ -217,8 +223,10 @@ in {
     }
     {
       #onondaga
+      systemd.services."container@onondaga".reloadIfChanged = mkForce false;
       containers.onondaga = {
         config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
           environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
@@ -226,6 +234,7 @@ in {
             config.krebs.users.nin.pubkey
           ];
         };
+        autoStart = true;
         enableTun = true;
         privateNetwork = true;
         hostAddress = "10.233.2.5";
@@ -302,6 +311,13 @@ in {
         }
       ];
     }
+    {
+      krebs.repo-sync.repos.stockholm.timerConfig = {
+        OnBootSec = "5min";
+        OnUnitInactiveSec = "2min";
+        RandomizedDelaySec = "2min";
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/2configs/IM.nix

@@ -20,6 +20,17 @@ let
   '';
 in {
 
+  services.bitlbee = {
+    enable = true;
+    portNumber = 6666;
+    plugins = [
+      pkgs.bitlbee-facebook
+      pkgs.bitlbee-steam
+      pkgs.bitlbee-discord
+    ];
+    libpurple_plugins = [ pkgs.telegram-purple ];
+  };
+
   users.extraUsers.chat = {
     home = "/home/chat";
     uid = genid "chat";
@@ -46,6 +57,10 @@ in {
 
     restartIfChanged = false;
 
+    path = [
+      pkgs.rxvt_unicode.terminfo
+    ];
+
     serviceConfig = {
       User = "chat";
       RemainAfterExit = true;

lass/2configs/bepasty.nix

@@ -23,7 +23,10 @@ in {
     servers = {
       "paste.r" = {
         nginx = {
-          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+          serverAliases = [
+            "paste.${config.krebs.build.host.name}"
+            "paste.r"
+          ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKey = secKey;

lass/2configs/dns-stuff.nix

@@ -11,24 +11,6 @@ with import <stockholm/lib>;
       key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
     };
   };
-  services.dnsmasq = {
+  services.resolved.enable = true;
-    enable = true;
+  services.resolved.fallbackDns = [ "127.1.0.1" ];
-    resolveLocalQueries = false;
-    extraConfig = ''
-      server=127.1.0.1
-      #no-resolv
-      cache-size=1000
-      min-cache-ttl=3600
-      bind-dynamic
-      all-servers
-      dnssec
-      trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
-      rebind-domain-ok=/onion/
-      server=/.onion/127.0.0.1#9053
-      port=53
-    '';
-  };
-  networking.extraResolvconfConf = ''
-    name_servers='127.0.0.1'
-  '';
 }

lass/2configs/rebuild-on-boot.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  systemd.services.rebuild-on-boot = {
+    wantedBy = [ "multi-user.target" ];
+    environment = {
+      NIX_REMOTE = "daemon";
+      HOME = "/var/empty";
+    };
+    serviceConfig = {
+      ExecStart = pkgs.writeScript "rebuild" ''
+        #!${pkgs.bash}/bin/bash
+        (/run/current-system/sw/bin/nixos-rebuild -I /var/src switch) &
+      '';
+      ExecStop = "${pkgs.coreutils}/bin/sleep 10";
+    };
+  };
+}

lass/2configs/security-workarounds.nix

@@ -5,4 +5,6 @@ with import <stockholm/lib>;
   boot.extraModprobeConfig = ''
     install dccp /run/current-system/sw/bin/false
   '';
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 }

lass/source.nix

@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "3aec59c";
+        ref = "d202e30";
       };
       secrets = getAttr builder {
         buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;

makefu/1systems/filepimp/config.nix

@@ -71,7 +71,10 @@ in {
     '') allDisks);
   fileSystems = let
     xfsmount = name: dev:
-      { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
+      { "/media/${name}" = {
+        device = dev; fsType = "xfs";
+        options = [ "nofail" ];
+      }; };
   in
   # (xfsmount "j0" (part1 jDisk0)) //
     (xfsmount "j1" (part1 jDisk1)) //

makefu/1systems/gum/config.nix

@@ -67,7 +67,7 @@ in {
       <stockholm/makefu/2configs/nginx/public_html.nix>
       <stockholm/makefu/2configs/nginx/update.connector.one.nix>
 
-      <stockholm/makefu/2configs/deployment/mycube.connector.one.nix>
+      <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
       <stockholm/makefu/2configs/deployment/graphs.nix>
       <stockholm/makefu/2configs/deployment/owncloud.nix>
       <stockholm/makefu/2configs/deployment/boot-euer.nix>
@@ -108,16 +108,35 @@ in {
       #  };
       #}
       { # wireguard server
-        networking.firewall.allowedUDPPorts = [ 51820 ];
+
+        # TODO: networking.nat
+
+        # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+        # conf.all.proxy_arp =1
+        networking.firewall = {
+          allowedUDPPorts = [ 51820 ];
+          extraCommands = ''
+            iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+          '';
+        };
+
         networking.wireguard.interfaces.wg0 = {
           ips = [ "10.244.0.1/24" ];
+          listenPort = 51820;
           privateKeyFile = (toString <secrets>) + "/wireguard.key";
           allowedIPsAsRoutes = true;
-          peers = [{
+          peers = [
-            # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          {
+            # x
             allowedIPs = [ "10.244.0.2/32" ];
             publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
-          }];
+          }
+          {
+            # vbob
+            allowedIPs = [ "10.244.0.3/32" ];
+            publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+          }
+          ];
         };
       }
 

makefu/1systems/omo/config.nix

@@ -143,7 +143,10 @@ in {
   ];
   fileSystems = let
     cryptMount = name:
-      { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+      { "/media/${name}" = {
+        device = "/dev/mapper/${name}"; fsType = "xfs";
+        options = [ "nofail" ];
+      };};
   in   cryptMount "crypt0"
     // cryptMount "crypt1"
     // cryptMount "crypt2"

makefu/1systems/vbob/config.nix

@@ -7,7 +7,8 @@
       <stockholm/makefu>
       {
         imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
-        boot.loader.grub.device = "/dev/vda";
+        boot.loader.grub.device = "/dev/sda";
+        virtualisation.virtualbox.guest.enable = true;
       }
       # {
       #   imports = [
@@ -49,6 +50,27 @@
 
       # environment
       <stockholm/makefu/2configs/tinc/retiolum.nix>
+      (let
+        gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
+        gateway = "10.0.2.2";
+      in {
+        # make sure the route to gum gets added after the network is online
+        systemd.services.wireguard-wg0.after = [ "network-online.target" ];
+        networking.wireguard.interfaces.wg0 = {
+          ips = [ "10.244.0.3/24" ];
+          privateKeyFile = (toString <secrets>) + "/wireguard.key";
+          # explicit route via eth0 to gum
+          preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
+          peers = [
+          { # gum
+            endpoint = "${gum-ip}:51820";
+            allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
+            publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+            persistentKeepalive = 25;
+          }
+          ];
+        };
+      })
 
     ];
   networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
@@ -90,5 +112,5 @@
     8010
   ];
 
-
+  systemd.services."serial-getty@ttyS0".enable = true;
 }

makefu/2configs/bepasty-dual.nix

@@ -28,7 +28,10 @@ in {
     servers = {
       "paste.r" = {
         nginx = {
-          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+          serverAliases = [
+            "paste.${config.krebs.build.host.name}"
+            "paste.r"
+          ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKeyFile = secKey;

makefu/2configs/collectd/collectd-base.nix

@@ -10,7 +10,7 @@ let
       ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
       Import "collectd_connect_time"
       <Module collectd_connect_time>
-        target "wry.retiolum" "localhost" "google.com"
+        target "wry.r" "localhost" "google.com"
         interval 30
       </Module>
     </Plugin>
@@ -19,7 +19,7 @@ let
     LoadPlugin write_graphite
     <Plugin "write_graphite">
       <Carbon>
-        Host "heidi.retiolum"
+        Host "heidi.r"
         Port "2003"
         Prefix "retiolum."
         EscapeCharacter "_"

makefu/2configs/default.nix

@@ -11,6 +11,9 @@ with import <stockholm/lib>;
     ./vim.nix
     ./binary-cache/nixos.nix
   ];
+
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+
   programs.command-not-found.enable = false;
   nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
   krebs = {

makefu/2configs/deployment/photostore.krebsco.de.nix

@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+# more than just nginx config but not enough to become a module
+with import <stockholm/lib>;
+let
+  wsgi-sock = "${workdir}/uwsgi-photostore.sock";
+  workdir = config.services.uwsgi.runDir;
+in {
+
+  services.uwsgi = {
+    enable = true;
+    user = "nginx";
+    runDir = "/var/lib/photostore";
+    plugins = [ "python3" ];
+    instance = {
+      type = "emperor";
+      vassals = {
+        cameraupload-server = {
+          type = "normal";
+          pythonPackages = self: with self; [ pkgs.cameraupload-server ];
+          socket = wsgi-sock;
+        };
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = mkDefault true;
+    virtualHosts."photostore.krebsco.de" = {
+        locations = {
+          "/".extraConfig = ''
+          uwsgi_pass                  unix://${wsgi-sock};
+          uwsgi_param UWSGI_CHDIR     ${workdir};
+          uwsgi_param UWSGI_MODULE    cuserver.main;
+          uwsgi_param UWSGI_CALLABLE  app;
+          include                     ${pkgs.nginx}/conf/uwsgi_params;
+        '';
+      };
+    };
+  };
+}

makefu/2configs/nginx/euer.wiki.nix

@@ -76,7 +76,7 @@ in {
     virtualHosts = {
       "${ext-dom}" = {
         #serverAliases = [
-        #  "wiki.makefu.retiolum"
+        #  "wiki.makefu.r"
         #  "wiki.makefu"
         #];
         forceSSL = true;

makefu/2configs/tools/all.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./android-pentest.nix
+    ./consoles.nix
     ./core.nix
     ./core-gui.nix
     ./dev.nix

makefu/2configs/tools/consoles.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  users.users.makefu.packages = with pkgs; [
+    opl-utils
+    hdl-dump
+    bin2iso
+    cue2pops
+  ];
+}

makefu/2configs/tools/dev.nix

@@ -21,6 +21,9 @@
     gen-oath-safe
     cdrtools
     stockholm
+    # nix related
+    nix-repl
+    nix-index
     # git-related
     tig
   ];

makefu/2configs/tools/mobility.nix

@@ -5,5 +5,5 @@
     mosh
   ];
 
-  boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
+  # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
 }

makefu/5pkgs/bin2iso/default.nix

@@ -0,0 +1,28 @@
+{ stdenv, lib, pkgs, fetchurl }:
+stdenv.mkDerivation rec {
+  pname = "bin2iso";
+  version = "1.9b";
+  _dlver = builtins.replaceStrings ["."] [""] version;
+  name = "${pname}-${version}";
+
+  src = fetchurl {
+    url = "http://users.eastlink.ca/~doiron/${pname}/linux/${pname}${_dlver}_linux.c";
+    sha256 = "0gg4hbzlm83nnbccy79dnxbwpn7lxl3fb87ka36mlclikvknm2hy";
+  };
+
+  unpackPhase = "true";
+
+  buildPhase =''
+    gcc -Wall -o $pname $src
+  '';
+
+  installPhase = ''
+    install -Dm755 $pname $out/bin/$pname
+  '';
+
+  meta = {
+    homepage = http://users.eastlink.ca/~doiron/bin2iso/ ;
+    description = "converts bin+cue to iso";
+    license = lib.licenses.gpl3;
+  };
+}

makefu/5pkgs/cameraupload-server/default.nix

@@ -0,0 +1,23 @@
+{ lib, pkgs, fetchFromGitHub, ... }:
+
+with pkgs.python3Packages;buildPythonPackage rec {
+  name = "cameraupload-server-${version}";
+  version = "0.2.4";
+
+  propagatedBuildInputs = [
+    flask
+  ];
+
+  src = fetchFromGitHub {
+    owner = "makefu";
+    repo = "cameraupload-server";
+    rev = "c98c8ec";
+    sha256 = "0ssgvjm0z399l62wkgjk8c75mvhgn5z7g1dkb78r8vrih9428bb8";
+  };
+
+  meta = {
+    homepage = https://github.com/makefu/cameraupload-server;
+    description = "server side for cameraupload_full";
+    license = lib.licenses.asl20;
+  };
+}

makefu/5pkgs/cue2pops/default.nix

@@ -0,0 +1,24 @@
+{ stdenv, lib, pkgs, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "cue2pops";
+  version = "2";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "makefu";
+    repo = "cue2pops-linux";
+    rev = "541863a";
+    sha256 = "05w84726g3k33rz0wwb9v77g7xh4cnhy9sxlpilf775nli9bynrk";
+  };
+
+  installPhase = ''
+    install -Dm755 $pname $out/bin/$pname
+  '';
+
+  meta = {
+    homepage = http://users.eastlink.ca/~doiron/bin2iso/ ;
+    description = "converts bin+cue to iso";
+    license = lib.licenses.gpl3;
+  };
+}

makefu/5pkgs/gen-oath-safe/default.nix

@@ -1,7 +1,6 @@
 { coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
 
-builtins.trace "Warning: HTOP mode of gen-oath-safe is currently broken"
+stdenv.mkDerivation {
-  stdenv.mkDerivation {
   name = "gen-oath-safe-2017-06-30";
   src = fetchFromGitHub {
     owner = "mcepl";
@@ -24,7 +23,7 @@ builtins.trace "Warning: HTOP mode of gen-oath-safe is currently broken"
         coreutils
         openssl
         qrencode
-        #yubikey-manager
+        yubikey-manager
         libcaca
         python
       ];

makefu/5pkgs/hdl-dump/default.nix

@@ -0,0 +1,33 @@
+{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, upx, wine }:
+stdenv.mkDerivation rec {
+  pname = "hdl-dump";
+  version = "75df8d7";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "AKuHAK";
+    repo = "hdl-dump";
+    rev = version;
+    sha256 = "10jjr6p5yn0c182x17m7q68jmf8gizcny7wjxw7z5yh0fv5s48z4";
+  };
+
+  buildInputs = [ upx wine ];
+
+  makeFlags = [ "RELEASE=yes" ];
+
+  # uses wine, currently broken
+  #postBuild = ''
+  #  make -C gui
+  #'';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp hdl_dump $out/bin
+  '';
+
+  meta = {
+    homepage = https://github.com/AKuHAK/hdl-dump ;
+    description = "copy isos to psx hdd";
+    license = lib.licenses.gpl2;
+  };
+}

makefu/5pkgs/opl-utils/default.nix

@@ -0,0 +1,27 @@
+{ stdenv, lib, pkgs, fetchFromGitHub }:
+stdenv.mkDerivation rec {
+  pname = "opl-utils";
+  version = "881c0d2";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "ifcaro";
+    repo = "open-ps2-loader";
+    rev = version;
+    sha256 = "1c2hgbyp5hymyq60mrk7g0m3gi00wqx165pdwwwb740q0qig07d1";
+  };
+
+
+  preBuild = "cd pc/";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp */bin/* $out/bin
+  '';
+
+  meta = {
+    homepage = https://github.com/ifcaro/Open-PS2-Loader;
+    description = "open-ps2-loader utils (opl2iso,iso2opl,genvmc)";
+    license = lib.licenses.afl3;
+  };
+}

makefu/source.nix

@@ -13,8 +13,9 @@ let
               then "buildbot"
               else "makefu";
   _file = <stockholm> + "/makefu/1systems/${name}/source.nix";
-  ref = "3874de4"; # unstable @ 2017-12-08
+  ref = "0f19bee"; # nixos-17.09 @ 2018-01-05
                    # + do_sqlite3 ruby: 55a952be5b5
+                   # + signal: 0f19beef3
 
 in
   evalSource (toString _file) [

mv/source.nix

@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
       nixpkgs.git = {
         # nixos-17.09
-        ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
+        ref = mkDefault "0653b73bf61f3a23d28c38ab7e9c69a318d433de";
         url = https://github.com/NixOS/nixpkgs;
       };
       secrets.file = getAttr builder {

tv/1systems/wu/config.nix

@@ -44,12 +44,6 @@ with import <stockholm/lib>;
     };
   };
 
-  krebs.nixpkgs.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;
-  hardware.bumblebee.enable = true;
-  hardware.bumblebee.group = "video";
-  hardware.enableRedistributableFirmware= true;
-  hardware.opengl.driSupport32Bit = true;
-
   services.printing.enable = true;
 
   services.udev.extraRules = ''

tv/2configs/default.nix

@@ -1,6 +1,8 @@
 with import <stockholm/lib>;
 { config, pkgs, ... }: {
 
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
   boot.tmpOnTmpfs = true;
 
   krebs.enable = true;

tv/2configs/hw/w110er.nix

@@ -1,8 +1,20 @@
+with import <stockholm/lib>;
 { pkgs, ... }:
 
 {
   imports = [
     ../smartd.nix
+    {
+      # nvidia doesn't build despite
+      #  https://github.com/NixOS/nixpkgs/issues/33284
+      #hardware.bumblebee.enable = true;
+      #hardware.bumblebee.group = "video";
+      #hardware.enableRedistributableFirmware= true;
+      #krebs.nixpkgs.allowUnfreePredicate = pkg:
+      #  hasPrefix "nvidia-x11-" pkg.name ||
+      #  hasPrefix "nvidia-persistenced-" pkg.name ||
+      #  hasPrefix "nvidia-settings-" pkg.name;
+    }
   ];
 
   boot.extraModprobeConfig = ''
@@ -15,6 +27,7 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  hardware.opengl.driSupport32Bit = true;
   hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
 
   networking.wireless.enable = true;
@@ -41,4 +54,8 @@
         echo auto > $i/power/control # defaults to 'on'
       done)
   '';
+
+  services.xserver = {
+    videoDriver = "intel";
+  };
 }

tv/2configs/vim.nix

@@ -233,7 +233,7 @@ let {
           lua = {};
           sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
           sh.extraStart = concatStringsSep ''\|'' [
-            ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
+            ''write\(A\|Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
             ''[a-z]*Phase[ \t\r\n]*=''
           ];
           yaml = {};

tv/source.nix

@@ -1,8 +1,10 @@
 with import <stockholm/lib>;
-host@{ name, secure ? false, override ? {} }: let
+{ name
-  builder = if getEnv "dummy_secrets" == "true"
+, dummy_secrets ? getEnv "dummy_secrets" == "true"
-              then "buildbot"
+, override ? {}
-              else "tv";
+, secure ? false
+}@host: let
+  builder = if dummy_secrets then "buildbot" else "tv";
   _file = <stockholm> + "/tv/1systems/${name}/source.nix";
 in
   evalSource (toString _file) [