Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'cd/master'

Browse Source
This commit is contained in:
tv 2015-11-07 09:48:06 +01:00
commit 8ad05d0f40
13 changed files with 111 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
default.nix
View File

@ -32,7 +32,10 @@ let stockholm = {
upath = lib.nspath current-user-name;
base-module = { config, ... }: {
imports = map (f: f "3modules") [ kpath upath ];
imports = builtins.filter builtins.pathExists (lib.concatLists [
(map (f: f "2configs") [ upath ])
(map (f: f "3modules") [ kpath upath ])
]);
krebs.current.enable = true;
krebs.current.host = config.krebs.hosts.${current-host-name};

5
krebs/3modules/build.nix
View File

@ -29,10 +29,13 @@ let
};
options.krebs.build.source.dir = mkOption {
type = types.attrsOf (types.submodule ({ config, ... }: {
type = let
default-host = config.krebs.current.host;
in types.attrsOf (types.submodule ({ config, ... }: {
options = {
host = mkOption {
type = types.host;
default = default-host;
};
path = mkOption {
type = types.str;

1
krebs/3modules/default.nix
View File

@ -15,6 +15,7 @@ let
./git.nix
./iptables.nix
./nginx.nix
./per-user.nix
./Reaktor.nix
./retiolum-bootstrap.nix
./realwallpaper.nix

35
krebs/3modules/per-user.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krebs.per-user;
out = {
options.krebs.per-user = api;
config = imp;
};
api = mkOption {
type = with types; attrsOf (submodule {
options = {
packages = mkOption {
type = listOf path;
default = [];
};
};
});
default = {};
};
imp = {
environment = {
etc = flip mapAttrs' cfg (name: { packages, ... }: {
name = "per-user/${name}";
value.source = pkgs.symlinkJoin "per-user.${name}" packages;
});
profiles = ["/etc/per-user/$LOGNAME"];
};
};
in out

3
tv/1systems/cd.nix
View File

@ -14,11 +14,9 @@ with lib;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/cd";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
@ -26,7 +24,6 @@ with lib;
imports = [
../2configs/hw/CAC-Developer-2.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
#../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix

17
tv/1systems/mkdir.nix
View File

@ -17,29 +17,12 @@ in
{
krebs.build.host = config.krebs.hosts.mkdir;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@${primary-addr4}";
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/mkdir";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix

17
tv/1systems/nomic.nix
View File

@ -4,28 +4,11 @@ with lib;
{
krebs.build.host = config.krebs.hosts.nomic;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@nomic.gg23";
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/nomic";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
imports = [
../2configs/hw/AO753.nix
../2configs/base.nix
#../2configs/consul-server.nix
../2configs/git.nix
{

17
tv/1systems/rmdir.nix
View File

@ -17,29 +17,12 @@ in
{
krebs.build.host = config.krebs.hosts.rmdir;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@rmdir.internet";
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/rmdir";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix

32
tv/1systems/wu.nix
View File

@ -4,34 +4,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.wu;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@wu";
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
target-path = "/var/src/nixpkgs";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/wu";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
target-path = "/var/src/stockholm";
};
};
imports = [
../2configs/hw/w110er.nix
../2configs/base.nix
#../2configs/consul-client.nix
../2configs/git.nix
../2configs/mail-client.nix
../2configs/xserver
../2configs/z.nix
{
environment.systemPackages = with pkgs; [
@ -287,16 +267,6 @@ with lib;
onion = {
uid = 6660010;
};
zalora = {
uid = 1000301;
extraGroups = [
"audio"
# TODO remove vboxusers when hardening is active
"vboxusers"
"video"
];
};
};
security.sudo.extraConfig =

30
tv/1systems/xu.nix
View File

@ -4,32 +4,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.xu;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@xu";
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "c44a593aa43bba6a0708f6f36065a514a5110613";
};
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/xu";
};
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
imports = [
../2configs/hw/x220.nix
../2configs/base.nix
#../2configs/consul-client.nix
../2configs/git.nix
../2configs/mail-client.nix
../2configs/xserver
../2configs/z.nix
{
environment.systemPackages = with pkgs; [
@ -286,16 +268,6 @@ with lib;
onion = {
uid = 6660010;
};
zalora = {
uid = 1000301;
extraGroups = [
"audio"
# TODO remove vboxusers when hardening is active
"vboxusers"
"video"
];
};
};
security.sudo.extraConfig =

26
tv/2configs/base.nix → tv/2configs/default.nix
View File

@ -1,11 +1,29 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
{
krebs.enable = true;
krebs.build = {
user = config.krebs.users.tv;
target = mkDefault "root@${config.krebs.build.host.name}";
source = {
git.nixpkgs = {
url = mkDefault https://github.com/NixOS/nixpkgs;
rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
target-path = mkDefault "/var/src/nixpkgs";
};
dir.secrets = {
path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
};
dir.stockholm = {
path = mkDefault "/home/tv/stockholm";
target-path = mkDefault "/var/src/stockholm";
};
};
};
networking.hostName = config.krebs.build.host.name;
imports = [
@ -22,6 +40,9 @@ with lib;
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
{
users.groups.subusers.gid = 1093178926; # genid subusers
}
{
users.defaultUserShell = "/run/current-system/sw/bin/bash";
users.mutableUsers = false;
@ -31,6 +52,7 @@ with lib;
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
config.krebs.users.tv_xu.pubkey
];
};
tv = {
@ -69,6 +91,8 @@ with lib;
nix.useChroot = true;
}
{
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
rxvt_unicode.terminfo
];

8
tv/2configs/xserver/default.nix
View File

@ -70,14 +70,6 @@ let
ExecStart = "${xserver}/bin/xserver";
};
};
programs.bash.interactiveShellInit = ''
case ''${XMONAD_SPAWN_WORKSPACE-} in
za|zh|zj|zs)
exec sudo -u zalora -i
;;
esac
'';
};
xmonad-environment = {

40
tv/2configs/z.nix Normal file
View File

@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
with lib;
{
krebs.per-user.z.packages = [
(pkgs.writeScriptBin "cr" ''
#! /bin/sh
set -efu
export LC_TIME=de_DE.utf8
exec ${pkgs.chromium}/bin/chromium \
--ssl-version-min=tls1 \
--disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \
--disk-cache-size=50000000 \
"%@"
'')
];
programs.bash.interactiveShellInit = ''
case ''${XMONAD_SPAWN_WORKSPACE-} in
za|zh|zj|zs)
exec sudo -u z -i
;;
esac
'';
security.sudo.extraConfig = "tv ALL=(z) NOPASSWD: ALL";
users.users.z = {
extraGroups = [
"audio"
"vboxusers"
"video"
];
group = "subusers";
home = "/home/z";
uid = 3043726074; # genid z
useDefaultShell = true;
};
}