Merge remote-tracking branch 'prism/master'

tv 2019-06-25 19:21:20 +02:00
commit 8c667f09c0
43 changed files with 835 additions and 166 deletions


@ -2,15 +2,15 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
<stockholm/jeschli>
<home-manager/nixos>
<stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix>
# <stockholm/jeschli/2configs/emacs.nix>
];
krebs.build.host = config.krebs.hosts.bolide;
@ -29,7 +29,8 @@
allowDiscards = true;
} ];
# networking.hostName = "bolide"; # Define your hostname.
networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true;
# Select internationalisation properties.
# i18n = {
@ -52,6 +53,8 @@
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
home-manager
wget vim
# system helper
ag
@ -92,6 +95,22 @@
zathura
];
home-manager.useUserPackages = true;
home-manager.users.jeschli = {
home.stateVersion = "19.03";
};
home-manager.users.jeschli.home.file = {
".emacs.d" = {
source = pkgs.fetchFromGitHub {
owner = "jeschli";
repo = "emacs.d";
rev = "8ed6c40";
sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0";
};
recursive = true;
};
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.bash.enableCompletion = true;
@ -103,36 +122,37 @@
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
services.xserver = {
# Enable the X11 windowing system.
services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.xmonad.enableContribAndExtras = true;
# Enable touchpad support.
# services.xserver.libinput.enable = true;
desktopManager = {
xfce.enable = true;
gnome3.enable = true;
};
# # Don't install feh into systemPackages
# # refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
# desktopManager.session = lib.mkForce [];
#
# enable = true;
# display = 11;
# tty = 11;
#
# dpi = 96;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
videoDrivers = [ "nvidia" ];
};
services.xserver.windowManager.i3.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.extraUsers.jeschli = {
isNormalUser = true;
extraGroups = ["docker" "vboxusers" "audio"];
uid = 1000;
};
hardware.pulseaudio.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
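Review bot: The `.emacs.d` source (`pkgs.fetchFromGitHub { owner = "jeschli"; repo = "emacs.d"; rev = "8ed6c40"; … }`) is written out in full in this host config and appears again, with the same rev and sha256, in two other file sections of this commit, so a later bump has to be made in three places and a missed one leaves hosts on different trees. Keeping the fetch in one shared module that the hosts import would hold the pin in a single spot. The rev is also abbreviated; the sha256 still fixes the content, but the full commit id is easier to audit.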


@ -29,4 +29,5 @@
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = "powersave";
hardware.pulseaudio.enable = true;
}


@ -0,0 +1,171 @@
{ pkgs, ... }:
{
home.file = {
".emacs.d" = {
source = pkgs.fetchFromGitHub {
owner = "jeschli";
repo = "emacs.d";
rev = "8ed6c40";
sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0";
};
recursive = true;
};
".config/i3/config".text = ''
set $mod Mod4
font pango:monospace 8
floating_modifier $mod
bindsym $mod+Return exec i3-sensible-terminal
bindsym $mod+Shift+q kill
bindsym $mod+d exec rofi -modi drun#run -combi-modi drun#run -show combi -show-icons -display-combi run
bindsym $mod+x exec rofi -modi window -show window -auto-select
# switch to last used window
bindsym $mod+Tab exec rofi -show window& sleep 0.15 && xdotool key Down
# change focus
bindsym $mod+j focus left
bindsym $mod+k focus down
bindsym $mod+l focus up
bindsym $mod+semicolon focus right
# alternatively, you can use the cursor keys:
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
# Resizing windows by 10 in i3 using keyboard only
bindsym $mod+Ctrl+Shift+Right resize shrink width 10 px or 10 ppt
bindsym $mod+Ctrl+Shift+Up resize grow height 10 px or 10 ppt
bindsym $mod+Ctrl+Shift+Down resize shrink height 10 px or 10 ppt
bindsym $mod+Ctrl+Shift+Left resize grow width 10 px or 10 ppt
# move focused window
bindsym $mod+Shift+j move left
bindsym $mod+Shift+k move down
bindsym $mod+Shift+l move up
bindsym $mod+Shift+semicolon move right
# alternatively, you can use the cursor keys:
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
# split in horizontal orientation
bindsym $mod+h split h
# split in vertical orientation
bindsym $mod+v split v
# enter fullscreen mode for the focused container
bindsym $mod+f fullscreen toggle
# change container layout (stacked, tabbed, toggle split)
bindsym $mod+s layout stacking
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split
# toggle tiling / floating
bindsym $mod+Shift+space floating toggle
# change focus between tiling / floating windows
bindsym $mod+space focus mode_toggle
# focus the parent container
bindsym $mod+a focus parent
# focus the child container
#bindsym $mod+d focus child
# Define names for default workspaces for which we configure key bindings later on.
# We use variables to avoid repeating the names in multiple places.
set $ws1 "1"
set $ws2 "2"
set $ws3 "3"
set $ws4 "4"
set $ws5 "5"
set $ws6 "6"
set $ws7 "7"
set $ws8 "8"
set $ws9 "9"
set $ws10 "10"
# switch to workspace
bindsym $mod+1 workspace $ws1
bindsym $mod+2 workspace $ws2
bindsym $mod+3 workspace $ws3
bindsym $mod+4 workspace $ws4
bindsym $mod+5 workspace $ws5
bindsym $mod+6 workspace $ws6
bindsym $mod+7 workspace $ws7
bindsym $mod+8 workspace $ws8
bindsym $mod+9 workspace $ws9
bindsym $mod+0 workspace $ws10
# move focused container to workspace
bindsym $mod+Shift+1 move container to workspace $ws1
bindsym $mod+Shift+2 move container to workspace $ws2
bindsym $mod+Shift+3 move container to workspace $ws3
bindsym $mod+Shift+4 move container to workspace $ws4
bindsym $mod+Shift+5 move container to workspace $ws5
bindsym $mod+Shift+6 move container to workspace $ws6
bindsym $mod+Shift+7 move container to workspace $ws7
bindsym $mod+Shift+8 move container to workspace $ws8
bindsym $mod+Shift+9 move container to workspace $ws9
bindsym $mod+Shift+0 move container to workspace $ws10
# reload the configuration file
bindsym $mod+Shift+c reload
# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
bindsym $mod+Shift+r restart
# exit i3 (logs you out of your X session)
bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'"
bindsym $mod+p exec i3-sensible-pager
# resize window (you can also use the mouse for that)
mode "resize" {
# These bindings trigger as soon as you enter the resize mode
# Pressing left will shrink the windows width.
# Pressing right will grow the windows width.
# Pressing up will shrink the windows height.
# Pressing down will grow the windows height.
bindsym j resize shrink width 10 px or 10 ppt
bindsym k resize grow height 10 px or 10 ppt
bindsym l resize shrink height 10 px or 10 ppt
bindsym semicolon resize grow width 10 px or 10 ppt
# same bindings, but for the arrow keys
bindsym Left resize shrink width 10 px or 10 ppt
bindsym Down resize grow height 10 px or 10 ppt
bindsym Up resize shrink height 10 px or 10 ppt
bindsym Right resize grow width 10 px or 10 ppt
# back to normal: Enter or Escape or $mod+r
bindsym Return mode "default"
bindsym Escape mode "default"
bindsym $mod+r mode "default"
}
bindsym $mod+r mode "resize"
# Start i3bar to display a workspace bar (plus the system information i3status
# finds out, if available)
bar {
position top
status_command i3status
}
'';
};
}


@ -1,19 +1,17 @@
{ config, pkgs, lib, ... }:
let
xmonad-jeschli = pkgs.callPackage <stockholm/jeschli/5pkgs/simple/xmonad-jeschli> { inherit config; };
mainUser = config.krebs.build.user.name;
in
{
imports = [
<stockholm/jeschli>
./hardware-configuration.nix
<home-manager/nixos>
<stockholm/jeschli/2configs/urxvt.nix>
# <stockholm/jeschli/2configs/emacs.nix>
# <stockholm/jeschli/2configs/xdg.nix>
# <stockholm/jeschli/2configs/xserver>
<stockholm/jeschli/2configs/steam.nix>
<stockholm/jeschli/2configs/virtualbox.nix>
];
];
krebs.build.host = config.krebs.hosts.brauerei;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
@ -54,7 +52,10 @@ in
copyq
curl
dmenu
rofi
xdotool
git
gnupg
i3lock
keepass
networkmanagerapplet
@ -92,9 +93,11 @@ in
})
# dev tools
gnumake
jetbrains.clion
jetbrains.goland
jetbrains.pycharm-professional
jetbrains.webstorm
vscode
# document viewer
evince
zathura
@ -105,7 +108,6 @@ in
cargo
rustracer
rustup
vscode
# orga tools
taskwarrior
# xorg
@ -120,6 +122,24 @@ in
# programs.mtr.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
home-manager.useUserPackages = true;
home-manager.users.jeschli = {
home.stateVersion = "19.03";
};
# home-manager.enable = true;
home-manager.users.jeschli.home.file = {
".emacs.d" = {
source = pkgs.fetchFromGitHub {
owner = "jeschli";
repo = "emacs.d";
rev = "8ed6c40";
sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0";
};
recursive = true;
};
};
# List services that you want to enable:
# Enable the OpenSSH daemon.
@ -155,6 +175,11 @@ in
extraGroups = ["docker" "vboxusers" "audio"];
uid = 1000;
};
users.extraUsers.blafoo = {
isNormalUser = true;
extraGroups = ["audio"];
uid = 1002;
};
users.extraUsers.jamie = {
isNormalUser = true;
uid = 1001; # TODO genid


@ -49,7 +49,7 @@
listenPort = 53589;
organisations.lass.users = [ "jeschli" ];
};
networking.firewall.allowedTCPPorts = [ 53589 ];
networking.firewall.allowedTCPPorts = [ 53589 8001 ];
}
];
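Review bot: Port 8001 is added to `networking.firewall.allowedTCPPorts` with no comment saying which service listens on it, and this option opens the port on every interface. If the listener is only meant for one network, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8001 ];` and add a comment such as `# 8001: <service name>`. The enclosing attribute set starts outside the hunk, so the service may be declared there.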


@ -2,7 +2,7 @@
with import <stockholm/lib>;
{
imports = [
./vim.nix
# ./vim.nix
./retiolum.nix
./zsh.nix
<stockholm/lass/2configs/security-workarounds.nix>
@ -56,7 +56,7 @@ with import <stockholm/lib>;
usbutils
# logify
goify
vim
#unpack stuff
p7zip
unzip


@ -60,7 +60,7 @@ let
with git // config.krebs.users;
repo:
singleton {
user = [ jeschli jeschli-brauerei];
user = [ jeschli jeschli-brauerei jeschli-bolide];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
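Review bot: `jeschli-bolide` is added to a rule that grants `push "refs/*" [ non-fast-forward create delete merge ]`, so the key of one more machine can rewrite history on, or delete, any ref in these repositories. If that breadth is not needed from every device, a narrower rule for device keys (no `non-fast-forward` or `delete` on the main branches) limits what a lost or compromised host can do. The function that builds this rule starts and ends outside the hunk.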


@ -0,0 +1,9 @@
{
imports = [
<home-manager/nixos>
];
home-manager.useUserPackages = true;
home-manager.users.jeschli = {
home.stateVersion = "19.03";
};
}


@ -15,6 +15,12 @@
file = "${lib.getEnv "HOME"}/secrets/${name}";
};
}
{
home-manager.git = {
url = https://github.com/rycee/home-manager;
ref = "2ccbf43";
};
}
];
in {
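Review bot: The new `home-manager.git` source is pinned with `ref = "2ccbf43"`, a seven-character abbreviation, and no content hash is visible in the hunk. An abbreviated id can become ambiguous as the upstream repository grows and is harder to audit than the full one, so I would write the full 40-character commit id, `ref = "<full commit id>";`. The URL is also an unquoted URL literal; quoting it as `url = "https://github.com/rycee/home-manager";` matches the string form used for the other fetched sources on this page.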


@ -11,83 +11,44 @@ in
<stockholm/krebs>
<stockholm/krebs/2configs>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/krebs/2configs/collectd-base.nix>
<stockholm/krebs/2configs/stats/wolf-client.nix>
<stockholm/krebs/2configs/graphite.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
# handle the worlddomination map via coap
<stockholm/krebs/2configs/shack/worlddomination.nix>
# drivedroid.shack for shackphone
<stockholm/krebs/2configs/shack/drivedroid.nix>
# <stockholm/krebs/2configs/shack/nix-cacher.nix>
<stockholm/krebs/2configs/shack/mqtt_sub.nix>
# Say if muell will be collected
<stockholm/krebs/2configs/shack/muell_caller.nix>
<stockholm/krebs/2configs/shack/radioactive.nix>
<stockholm/krebs/2configs/shack/share.nix>
<stockholm/krebs/2configs/shack/mobile.mpd.nix>
{
systemd.services.telegraf.path = [ pkgs.net_snmp ]; # for snmptranslate
systemd.services.telegraf.environment = {
MIBDIRS = pkgs.fetchgit {
url = "http://git.shackspace.de/makefu/modem-mibs.git";
sha256 =
"1rhrpaascvj5p3dj29hrw79gm39rp0aa787x95m3r2jrcq83ln1k";
}; # extra mibs like ADSL
};
services.telegraf = {
enable = true;
extraConfig = {
inputs = {
snmp = {
agents = [ "10.0.1.3:161" ];
version = 2;
community = "shack";
name = "snmp";
field = [
{
name = "hostname";
oid = "RFC1213-MIB::sysName.0";
is_tag = true;
}
{
name = "load-percent"; #cisco
oid = ".1.3.6.1.4.1.9.9.109.1.1.1.1.4.9";
}
{
name = "uptime";
oid = "DISMAN-EVENT-MIB::sysUpTimeInstance";
}
];
table = [{
name = "snmp";
inherit_tags = [ "hostname" ];
oid = "IF-MIB::ifXTable";
field = [{
name = "ifName";
oid = "IF-MIB::ifName";
is_tag = true;
}];
}];
};
};
outputs = {
influxdb = {
urls = [ "http://${influx-host}:8086" ];
database = "telegraf";
write_consistency = "any";
timeout = "5s";
};
};
};
};
}
# create samba share for anonymous usage with the laser and 3d printer pc
<stockholm/krebs/2configs/shack/share.nix>
# mobile.lounge.mpd.shack
<stockholm/krebs/2configs/shack/mobile.mpd.nix>
# connect to git.shackspace.de as group runner for rz
<stockholm/krebs/2configs/shack/gitlab-runner.nix>
# Statistics collection and visualization
<stockholm/krebs/2configs/graphite.nix>
## Collect data from mqtt.shack and store in graphite database
<stockholm/krebs/2configs/shack/mqtt_sub.nix>
## Collect radioactive data and put into graphite
<stockholm/krebs/2configs/shack/radioactive.nix>
## Collect local statistics via collectd and send to collectd
<stockholm/krebs/2configs/stats/wolf-client.nix>
## write collectd statistics to wolf.shack
<stockholm/krebs/2configs/collectd-base.nix>
{ services.influxdb.enable = true; }
<stockholm/krebs/2configs/shack/netbox.nix>
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place)
services.influxdb.enable = true;
# local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
@ -156,10 +117,10 @@ in
# fallout of ipv6calypse
networking.extraHosts = ''
hass.shack 10.42.2.191
heidi.shack 10.42.2.135
'';
users.extraUsers.root.openssh.authorizedKeys.keys = [
config.krebs.users."0x4a6f".pubkey
config.krebs.users.ulrich.pubkey
config.krebs.users.raute.pubkey
config.krebs.users.makefu-omo.pubkey


@ -0,0 +1,21 @@
{ pkgs, ... }:
let
runner-src = builtins.fetchTarball {
url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/master/nixos-gitlab-runner-master.tar.gz";
sha256 = "1s0fy5ny2ygcfvx35xws8xz5ih4z4kdfqlq3r6byxpylw7r52fyi";
};
in
{
systemd.services.gitlab-runner.path = [
"/run/wrappers" # /run/wrappers/bin/su
"/" # /bin/sh
];
imports = [
"${runner-src}/gitlab-runner.nix"
];
services.gitlab-runner2.enable = true;
## registrationConfigurationFile contains:
# CI_SERVER_URL=<CI server URL>
# REGISTRATION_TOKEN=<registration secret>
services.gitlab-runner2.registrationConfigFile = <secrets/shackspace-gitlab-ci>;
}
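Review bot: `registrationConfigFile = <secrets/shackspace-gitlab-ci>` passes a Nix path, and if the imported module interpolates that option into a string, the file holding `REGISTRATION_TOKEN` is copied into the world-readable Nix store; the syncthing config elsewhere in this commit writes `toString <secrets/syncthing.key>`, and `services.gitlab-runner2.registrationConfigFile = toString <secrets/shackspace-gitlab-ci>;` would follow the same form. Separately, `runner-src` fetches the `master` archive of a third-party repository and imports a NixOS module from it: the `sha256` prevents silent changes, but the build breaks as soon as master moves and the pinned revision cannot be identified from the URL, so an archive URL for a specific commit is preferable. The `"/run/wrappers"` and `"/"` path entries put the setuid wrappers within reach of the runner and deserve a comment on why CI jobs need `su`.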


@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.docker-compose ];
virtualisation.docker.enable = true;
services.nginx = {
enable = true;
virtualHosts."netbox.shack".locations."/".proxyPass = "http://localhost:18080";
};
# we store the netbox config there:
# state = [ "/var/lib/netbox" ];
systemd.services.backup-netbox = {
after = [ "netbox-docker-compose.service" ];
startAt = "daily";
path = with pkgs; [ docker-compose docker gzip coreutils ];
script = ''
cd /var/lib/netbox
mkdir -p backup
docker-compose exec -T -upostgres postgres pg_dumpall \
| gzip > backup/netdata_$(date -Iseconds).dump.gz
'';
};
systemd.services.netbox-docker-compose = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "docker.service" ];
environment.VERSION = "v2.5.13";
serviceConfig = {
WorkingDirectory = "/var/lib/netbox";
# TODO: grep -q NAPALM_SECRET env/netbox.env
# TODO: grep -q NAPALM_SECRET netbox-netprod-importer/switches.yml
ExecStartPre = "${pkgs.docker-compose}/bin/docker-compose pull";
ExecStart = "${pkgs.docker-compose}/bin/docker-compose up";
Restart = "always";
RestartSec = "10";
StartLimitIntervalSec = 60;
StartLimitBurst = 3;
};
};
}
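Review bot: The `backup-netbox` script writes a full `pg_dumpall` to `backup/netdata_$(date -Iseconds).dump.gz` under the service's default umask and, unless the generated wrapper already enables it, without `pipefail`, so the dump may be readable by other local users and a failing `docker-compose exec` still leaves a gzip file behind while the unit reports success. Starting the script with `set -o pipefail` and `umask 077` addresses both. Nothing prunes old dumps, so the daily run grows `/var/lib/netbox/backup` without bound, and the `netdata_` prefix looks like a typo for netbox. `ExecStartPre = "…/docker-compose pull"` also re-pulls images on every start, so `environment.VERSION = "v2.5.13"` pins the deployment only as far as the registry tag is immutable.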


@ -43,6 +43,31 @@ in {
};
};
};
wilde = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.4";
aliases = [ "wilde.r" ];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
};
};
};
dpdkm = {
owner = config.krebs.users.Mic92;
nets = rec {
@ -241,6 +266,13 @@ in {
};
};
};
rilke = {
owner = config.krebs.users.kmein;
nets.wiregrill = {
aliases = [ "rilke.w" ];
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
};
};
rock = {
owner = config.krebs.users.Mic92;
nets = {
@ -487,10 +519,13 @@ in {
mail = "shackspace.de@myvdr.de";
pubkey = ssh-for "ulrich";
};
"0x4a6f" = {
mail = "0x4a6f@shackspace.de";
pubkey = ssh-for "0x4a6f";
};
miaoski = {
};
filly = {
};
};
}


@ -34,7 +34,10 @@ in {
retiolum = {
ip4.addr = "10.243.23.3";
tinc.port = 720;
aliases = [ "kruck.r" ];
aliases = [
"kruck.r"
"video.kruck.r"
];
tinc.pubkey = tinc-for "palo";
};
};
@ -49,6 +52,7 @@ in {
tinc.pubkey = tinc-for "palo";
};
};
syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ";
};
workhorse = {
owner = config.krebs.users.palo;


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMoQSUz0wcV8tnTKsYO3sO6XG6EHap8R63ihfMHkxPS


@ -35,6 +35,7 @@ in {
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}


@ -143,11 +143,19 @@ in {
ci = true;
cores = 4;
nets = {
lan = {
ip4.addr = "192.168.8.11";
aliases = [
"wbob.lan"
"log.wbob.lan"
];
};
retiolum = {
ip4.addr = "10.243.214.15";
aliases = [
"wbob.r"
"hydra.wbob.r"
"log.wbob.r"
];
};
};
@ -182,6 +190,7 @@ in {
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
mediengewitter IN CNAME over.dose.io.
'';
};
cores = 8;
@ -196,13 +205,13 @@ in {
};
wiregrill = {
via = internet;
ip4.addr = "10.244.245.1";
ip6.addr = w6 "1";
wireguard = {
subnets = [
(krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
wireguard.port = 51821;
wireguard.subnets = [
(krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
];
};
"10.244.245.0/24" # required for routing directly to gum via rockit
];
};
retiolum = {
via = internet;
@ -247,7 +256,6 @@ in {
cores = 1;
extraZones = {
"krebsco.de" = ''
mediengewitter IN A ${nets.internet.ip4.addr}
flap IN A ${nets.internet.ip4.addr}
'';
};
@ -281,6 +289,10 @@ in {
};
};
};
rockit = rec { # router@home
cores = 1;
nets.wiregrill.ip4.addr = "10.244.245.2";
};
senderechner = rec {
cores = 2;


@ -1 +1 @@
yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=
A7UPKSUaCZaJ9hXv6X4jvcZ+5X+PlS1EmCwxlLBAKH0=


@ -0,0 +1 @@
YmvTL4c13WS6f88ZAz2m/2deL2pnPXI0Ay3edCPE1Qc=


@ -3,7 +3,6 @@ with import <stockholm/lib>;
hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.mb;
};
@ -63,6 +62,59 @@ in {
};
};
};
gr33n = {
nets = {
retiolum = {
ip4.addr = "10.243.42.123";
aliases = [
"gr33n.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
};
};
};
sunsh1n3 = {
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.42.142";
aliases = [
"sunsh1n3.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
};
};
};
};
users = {
mb = {


@ -24,7 +24,7 @@ let
getApiKey = pkgs.writeDash "getAPIKey" ''
${pkgs.libxml2}/bin/xmllint \
--xpath 'string(configuration/gui/apikey)'\
${scfg.dataDir}/config.xml
${scfg.configDir}/config.xml
'';
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
@ -47,14 +47,20 @@ let
}
old_config=$(_curl /system/config)
patch=${shell.escape (toJSON {
new_config=${shell.escape (toJSON {
inherit devices folders;
})}
new_config=$(${pkgs.jq}/bin/jq -en \
--argjson old_config "$old_config" \
--argjson patch "$patch" \
--argjson new_config "$new_config" \
'
$old_config * $patch
$old_config * $new_config
${optionalString (!kcfg.overridePeers) ''
* { devices: $old_config.devices }
''}
${optionalString (!kcfg.overrideFolders) ''
* { folders: $old_config.folders }
''}
'
)
echo $new_config | _curl /system/config -d @-
@ -68,11 +74,6 @@ in
enable = mkEnableOption "syncthing-init";
id = mkOption {
type = types.str;
default = config.krebs.build.host.name;
};
cert = mkOption {
type = types.nullOr types.absolute-pathname;
default = null;
@ -83,6 +84,13 @@ in
default = null;
};
overridePeers = mkOption {
type = types.bool;
default = true;
description = ''
Whether to delete the peers which are not configured via the peers option
'';
};
peers = mkOption {
default = {};
type = types.attrsOf (types.submodule ({
@ -103,6 +111,13 @@ in
}));
};
overrideFolders = mkOption {
type = types.bool;
default = true;
description = ''
Whether to delete the folders which are not configured via the peers option
'';
};
folders = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
@ -163,14 +178,14 @@ in
systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
preStart = ''
${optionalString (kcfg.cert != null) ''
cp ${toString kcfg.cert} ${scfg.dataDir}/cert.pem
chown ${scfg.user}:${scfg.group} ${scfg.dataDir}/cert.pem
chmod 400 ${scfg.dataDir}/cert.pem
cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem
chmod 400 ${scfg.configDir}/cert.pem
''}
${optionalString (kcfg.key != null) ''
cp ${toString kcfg.key} ${scfg.dataDir}/key.pem
chown ${scfg.user}:${scfg.group} ${scfg.dataDir}/key.pem
chmod 400 ${scfg.dataDir}/key.pem
cp ${toString kcfg.key} ${scfg.configDir}/key.pem
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem
chmod 400 ${scfg.configDir}/key.pem
''}
'';
};
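Review bot: In the `preStart` block the key is copied with `cp` and only afterwards restricted with `chown` and `chmod 400`, so between those commands `key.pem` exists in `${scfg.configDir}` with whatever owner and mode `cp` produced from the source file and umask. A single `install -m 0400 -o ${scfg.user} -g ${scfg.group} ${toString kcfg.key} ${scfg.configDir}/key.pem` (and the same for `cert.pem`) creates the file with its final permissions. In the option declarations, the `overrideFolders` description repeats the `overridePeers` wording and should read `Whether to delete the folders which are not configured via the folders option`.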


@ -1,5 +1,4 @@
{ mkDerivation, base, containers, fetchgit, filepath, stdenv, unix, X11, X11-xft
, X11-xshape, xmonad, xmonad-contrib
{ mkDerivation, base, containers, fetchgit, filepath, stdenv, unix, X11, X11-xft , X11-xshape, xmonad, xmonad-contrib
}:
mkDerivation rec {
pname = "xmonad-stockholm";


@ -50,7 +50,7 @@
{
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = if test then {
file = toString <stockholm/krebs/0tests/data/secrets>;
file = toString ./0tests/data/secrets;
} else {
pass = {
dir = "${lib.getEnv "HOME"}/brain";


@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "cf3e277dd0bd710af0df667e9364f4bd80c72713",
"date": "2019-04-24T23:55:21+02:00",
"sha256": "1abyadl3sxf67yi65758hq6hf2j07afgp1fmkk7kd94dadx6r6f4",
"rev": "d77e3bd661354ea775a8cacc97bb59ddde513c09",
"date": "2019-06-18T23:08:17+02:00",
"sha256": "1m82zs00n6nc0pkdpmd9amm013qxwksjfhzcm6gck3p469q7n866",
"fetchSubmodules": false
}


@ -57,6 +57,8 @@ with import <stockholm/lib>;
{
krebs.per-user.bitcoin.packages = [
pkgs.electrum
pkgs.electron-cash
pkgs.altcoins.litecoin
];
users.extraUsers = {
bitcoin = {


@ -49,14 +49,31 @@ with import <stockholm/lib>;
];
}
{
krebs.syncthing.folders."the_playlist" = {
path = "/home/lass/tmp/the_playlist";
peers = [ "mors" "phone" "prism" ];
krebs.syncthing = {
peers.schasch.addresses = [ "schasch.r:22000" ];
folders = {
the_playlist = {
path = "/home/lass/tmp/the_playlist";
peers = [ "mors" "phone" "prism" ];
};
free_music = {
id = "mu9mn-zgvsw";
path = "/home/lass/tmp/free_music";
peers = [ "mors" "schasch" ];
};
};
};
krebs.permown."/home/lass/tmp/the_playlist" = {
owner = "lass";
group = "syncthing";
umask = "0007";
krebs.permown = {
"/home/lass/tmp/free_music" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
"/home/lass/tmp/the_playlist" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
};
}
{


@ -22,7 +22,7 @@
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0"
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0"
'';


@ -195,6 +195,7 @@ with import <stockholm/lib>;
};
}
<stockholm/lass/2configs/minecraft.nix>
<stockholm/lass/2configs/codimd.nix>
{
services.taskserver = {
enable = true;
@ -382,7 +383,7 @@ with import <stockholm/lib>;
'';
fileSystems."/export/download" = {
device = "/var/lib/containers/yellow/var/download";
device = "/var/lib/containers/yellow/var/download/finished";
options = [ "bind" ];
};
services.nfs.server = {
@ -395,6 +396,12 @@ with import <stockholm/lib>;
statdPort = 4000;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
@ -456,4 +463,10 @@ with import <stockholm/lib>;
enable = true;
freeMemThreshold = 5;
};
# prism rsa hack
services.openssh.hostKeys = [{
path = toString <secrets> + "ssh.id_rsa";
type = "rsa";
}];
}
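Review bot: `path = toString <secrets> + "ssh.id_rsa";` has no path separator, so the result is the secrets directory name with `ssh.id_rsa` glued onto it, a sibling of the directory rather than a file inside it; other lines in this commit write `toString <secrets> + "/nextcloud_pw"`. The NixOS openssh module normally generates any configured host key that does not exist, so sshd would likely start with a fresh RSA key at the wrong location instead of the intended one. It should be `path = toString <secrets> + "/ssh.id_rsa";`. Setting `services.openssh.hostKeys` to this single entry also replaces the default list, so confirm that dropping the ed25519 host key is intended.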


@ -66,7 +66,6 @@ in {
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
"dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
"liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold
];
};

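--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+services.nginx.virtualHosts.codimd = {
+enableACME = true;
+addSSL = true;
+serverName = "codi.lassul.us";
+locations."/".extraConfig = ''
+client_max_body_size 4G;
+proxy_set_header Host $host;
+proxy_pass http://localhost:3091;
+'';
+};
+services.codimd = {
+enable = true;
+configuration = {
+db = {
+dialect = "sqlite";
+storage = "/var/lib/codimd/db.codimd.sqlite";
+useCDN = false;
+};
+port = 3091;
+};
+};
+}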
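Review bot: `useCDN = false;` is nested inside `db`, where it is handed to the database settings rather than to CodiMD itself, so front-end assets are probably still loaded from third-party CDNs; it belongs one level up, next to `port`. The vhost uses `addSSL = true`, which keeps serving the site over plain HTTP as well, whereas another ACME vhost in this commit uses `forceSSL = true`; for a pad that handles logins, `forceSSL = true;` is the safer choice. `client_max_body_size 4G` is very generous for a public endpoint, and a comment on why it is needed would help.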


@ -103,6 +103,9 @@ with import <stockholm/lib>;
{ from = "lobsters@lassul.us"; to = lass.mail; }
{ from = "fysitech@lassul.us"; to = lass.mail; }
{ from = "threema@lassul.us"; to = lass.mail; }
{ from = "ubisoft@lassul.us"; to = lass.mail; }
{ from = "kottezeller@lassul.us"; to = lass.mail; }
{ from = "pie@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }


@ -15,6 +15,8 @@
};
};
networking.networkmanager = {
ethernet.macAddress = "random";
wifi.macAddress = "random";
enable = true;
unmanaged = [
"docker*"


@ -97,12 +97,17 @@ in {
services.icecast = {
enable = true;
hostname = "config.krebs.build.host.name";
hostname = "radio.lassul.us";
admin.password = admin-password;
extraConf = ''
<authentication>
<source-password>${source-password}</source-password>
</authentication>
<mount>
<mount-name>/radio.mp3</mount-name>
<password>${source-password}</password>
</mount>
<mount>
<mount-name>/radio.ogg</mount-name>
<password>${source-password}</password>
</mount>
'';
};
@ -194,8 +199,8 @@ in {
workdir = config.krebs.reaktor2.the_playlist.stateDir;
hooks.PRIVMSG = [
{
activate = "match";
pattern = ''!([^ ]+)(?:\s*(.*))?'';
#activate = "match";
pattern = "^\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$";
command = 1;
arguments = [2];
commands = {
@ -218,6 +223,11 @@ in {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8000;
'';
locations."/recent".extraConfig = ''
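Review bot: With `activate = "match"` commented out and the `!` prefix dropped from `pattern`, the PRIVMSG hook no longer shows how it is triggered: the new expression accepts any message whose first word looks like a command name and forwards the rest of the line as the argument. Either delete the dead `#activate` line or add a comment stating the default activation, plus one such as `# arguments are untrusted channel input; commands must not hand them to a shell`. In the icecast block the same `${source-password}` is interpolated into `extraConf` for both mounts, which presumably lands in a generated config in the Nix store and is worth confirming. The hook's `commands` set and the rest of the icecast definition lie outside the hunks.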


@ -20,8 +20,10 @@
"prism"
"gum"
"ni"
"dishfire"
];
extraConfig = ''
LocalDiscovery = yes
'';
};
nixpkgs.config.packageOverrides = pkgs: {


@ -1,5 +1,7 @@
{ config, pkgs, ... }: with import <stockholm/lib>; let
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
own_peers = filterAttrs (n: v: v.owner.name == "lass") all_peers;
mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });
in {
services.syncthing = {
enable = true;
@ -14,8 +16,8 @@ in {
enable = true;
cert = toString <secrets/syncthing.cert>;
key = toString <secrets/syncthing.key>;
peers = peers;
folders."/home/lass/sync".peers = attrNames peers;
peers = mk_peers all_peers;
folders."/home/lass/sync".peers = attrNames (filterAttrs (n: v: n != "phone") own_peers);
};
system.activationScripts.syncthing-home = ''
@ -23,8 +25,9 @@ in {
'';
krebs.permown."/home/lass/sync" = {
file-mode = "u+rw,g+rw";
owner = "lass";
group = "syncthing";
umask = "0007";
umask = "0002";
};
}
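Review bot: The `krebs.permown."/home/lass/sync"` entry shows both `umask = "0007"` and `umask = "0002"`; the page has lost its +/- markers, but if `0002` is the new value, files synced into `/home/lass/sync` become readable by every local account instead of only `lass` and the `syncthing` group. The added `file-mode = "u+rw,g+rw"` appears to cover the group-write need already, so `umask = "0007";` could stay. If world-readability is wanted, a comment naming the consumer that needs it would help.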


@ -11,6 +11,9 @@ let
(hiPrio (pkgs.python3.withPackages (ps: [
ps.python-language-server
ps.pyls-isort
ps.pyflakes
ps.flake8
ps.yapf
])))
];
@ -72,10 +75,6 @@ let
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
"Syntastic config
"let g:syntastic_python_checkers=['flake8']
"let g:syntastic_python_flake8_post_args='--ignore=E501'
nnoremap <F5> :call LanguageClient_contextMenu()<CR>
set hidden
let g:LanguageClient_serverCommands = {
@ -83,7 +82,10 @@ let
\ 'go': ['~/go/bin/go-langserver']
\ }
let g:LanguageClient_diagnosticsDisplay = { 2: { "signText": "W" } }
let g:LanguageClient_diagnosticsDisplay = {
\ 1: { "signText": "E" },
\ 2: { "signText": "W" }
\ }
nmap <esc>q :buffer
nmap <M-q> :buffer
@ -126,7 +128,6 @@ let
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
pkgs.vimPlugins.ack-vim
pkgs.vimPlugins.Gundo
#pkgs.vimPlugins.Syntastic
pkgs.vimPlugins.undotree
pkgs.vimPlugins.vim-go
pkgs.vimPlugins.fzf-vim


@ -26,6 +26,7 @@ in {
./default.nix
./sqlBackup.nix
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "jarugadesign.de" "www.jarugadesign.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@ -93,6 +94,7 @@ in {
hostName = "o.xanf.org";
config = {
adminpassFile = toString <secrets> + "/nextcloud_pw";
overwriteProtocol = "https";
};
https = true;
nginx.enable = true;
@ -141,6 +143,7 @@ in {
{ from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "bui@freemonkey.art"; to ="bui"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@ -150,6 +153,7 @@ in {
"ubikmedia.eu"
"ubikmedia.de"
"alewis.de"
"jarugadesign.de"
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@ -234,7 +238,18 @@ in {
createHome = true;
};
krebs.on-failure.plans.restic-backups-domsen = {};
users.users.kasia = {
uid = genid_uint31 "kasia";
home = "/home/kasia";
useDefaultShell = true;
createHome = true;
};
krebs.on-failure.plans.restic-backups-domsen = {
journalctl = {
lines = 1000;
};
};
services.restic.backups.domsen = {
initialize = true;
extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
@ -247,11 +262,41 @@ in {
"/home/ms/Mail"
"/home/klabusterbeere/Mail"
"/home/jms/Mail"
"/home/kasia/Mail"
"/home/bruno/Mail"
"/home/akayguen/Mail"
"/backups/sql_dumps"
];
};
boot.kernel.sysctl."fs.inotify.max_user_watches" = "1048576";
krebs.permown = {
"/srv/http/ubikmedia.de" = {
owner = "domsen";
group = "nginx";
umask = "0007";
};
"/srv/http/o.ubikmedia.de" = {
owner = "domsen";
group = "nginx";
umask = "0007";
};
"/srv/http/freemonkey.art" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
"/srv/http/jarugadesign.de" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
"/srv/http/reich-gebaeudereinigung.de" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
};
}
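Review bot: The `krebs.permown` entries for `/srv/http/freemonkey.art`, `/srv/http/jarugadesign.de` and `/srv/http/reich-gebaeudereinigung.de` use `umask = "0002"`, while the two ubikmedia.de roots use `"0007"`. Assuming the value is applied as a permission mask, 0002 leaves everything under those three roots readable by every local account, and this host carries several shell users (the `kasia` account in this section has `useDefaultShell = true`). If any of those sites keep non-public material in the web root (application config, database credentials, uploads), `umask = "0007";` with group `nginx` keeps them served while closing that read path; if world-readable is intended, a one-line comment saying why would help. The +/- markers are lost on this page, so that the whole permown block is new is inferred from the hunk header counts.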


@ -0,0 +1,130 @@
{ config, pkgs, callPackage, ... }: let
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<stockholm/mb>
];
krebs.build.host = config.krebs.hosts.gr33n;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
};
time.timeZone = "Europe/Berlin";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.packageOverrides = super: {
openvpn = super.openvpn.override {
pkcs11Support = true;
useSystemd = false;
};
};
environment.shellAliases = {
ll = "ls -alh";
ls = "ls --color=tty";
};
environment.systemPackages = with pkgs; [
curl
fish
git
htop
nmap
ranger
tcpdump
tmux
traceroute
tree
vim
wcalc
wget
xz
];
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
sound.enable = false;
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
networking.wireless.enable = false;
networking.networkmanager.enable = false;
krebs.iptables.enable = true;
networking.enableIPv6 = false;
programs.fish = {
enable = true;
shellInit = ''
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
if begin
set -q SSH_AGENT_PID
and kill -0 $SSH_AGENT_PID
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
end
echo "ssh-agent running on pid $SSH_AGENT_PID"
else
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
end
set -l identity $HOME/.ssh/id_rsa
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
ssh-add -l | grep -q $fingerprint
or ssh-add $identity
end
'';
promptInit = ''
function fish_prompt --description 'Write out the prompt'
set -l color_cwd
set -l suffix
set -l nix_shell_info (
if test "$IN_NIX_SHELL" != ""
echo -n " <nix-shell>"
end
)
switch "$USER"
case root toor
if set -q fish_color_cwd_root
set color_cwd $fish_color_cwd_root
else
set color_cwd $fish_color_cwd
end
set suffix '#'
case '*'
set color_cwd $fish_color_cwd
set suffix '>'
end
echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
end
'';
};
nix.buildCores = 4;
system.autoUpgrade.enable = false;
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
system.stateVersion = "19.03";
}
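Review bot: `programs.gnupg.agent` is enabled with `enableSSHSupport = true`, and the fish `shellInit` also defines `ssh_agent`, which starts a separate `ssh-agent`, persists its socket through `set -Ux`, and adds `$HOME/.ssh/id_rsa` to it. With both configured, which agent a given shell talks to depends on variable scoping, so the private key may end up loaded in an agent other than the one the operator expects to lock or expire. Choose one: if gpg-agent is meant to serve SSH, drop the `ssh_agent` function; otherwise use `programs.gnupg.agent = { enable = true; };` and keep the function. The function is only defined here, not called, so this applies once someone runs it.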


@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.mdadmConf = ''
ARRAY /dev/md0 level=raid6 num-devices=4 metadata=1.2 name=gr33n:0 UUID=5b715fd9:0be6bfa6:19f07db4:c16836d6
devices=/dev/sda1,/dev/sdb1,/dev/sdc1,/dev/sdd1
'';
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a9f2c19b-f60f-450c-87f1-146a54c4198b";
fsType = "ext4";
};
fileSystems."/storage" =
{ device = "/dev/disk/by-label/storage";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/93EB-BCA3";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}


@ -27,15 +27,13 @@ in {
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.88.252/public";
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
#networking.hostName = "0r4n93";
networking.wireless.enable = false;
# Select internationalisation properties.
i18n = {
@ -132,7 +130,6 @@ in {
vulnix
wcalc
wget
wireshark-gtk
xz
];
@ -151,6 +148,8 @@ in {
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = true;
nixpkgs.config.pulseaudio = true;
services.xserver = {
enable = true;
@ -173,7 +172,9 @@ in {
#services.openssh.permitRootLogin = "yes";
services.openssh.passwordAuthentication = false;
networking.wireless.enable = false;
networking.networkmanager.enable = false;
krebs.iptables.enable = true;
#networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
networking.enableIPv6 = false;


@ -22,14 +22,13 @@ in {
];
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
fileSystems."/mnt/public" = {
device = "//192.168.88.252/public";
device = "//192.168.0.4/public";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
};
networking.wireless.enable = true;
i18n = {
consoleFont = "Lat2-Terminus16";
@ -143,11 +142,12 @@ in {
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = true;
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "neo";
xkbOptions = "nodeadkeys";
libinput.enable = true;
desktopManager = {
default = "xfce";
@ -164,7 +164,9 @@ in {
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
krebs.iptables.enable = true;
networking.networkmanager.enable = false;
networking.wireless.enable = true;
networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
networking.enableIPv6 = false;


@ -49,7 +49,7 @@ with import <stockholm/lib>;
build.user = config.krebs.users.mb;
};
users.mutableUsers = false;
users.mutableUsers = true;
services.timesyncd.enable = mkForce true;
@ -67,6 +67,7 @@ with import <stockholm/lib>;
environment.systemPackages = with pkgs; [
#stockholm
git
git-preview
gnumake
jq
parallel