Merge remote-tracking branch 'cloudkrebs/master'

This commit is contained in:
tv 2016-02-08 03:23:28 +01:00
commit 8e93530796
31 changed files with 816 additions and 84 deletions

View File

@ -84,6 +84,7 @@ let
imp = mkMerge [
{ krebs = import ./lass { inherit lib; }; }
{ krebs = import ./makefu { inherit lib; }; }
{ krebs = import ./miefda { inherit lib; }; }
{ krebs = import ./mv { inherit lib; }; }
{ krebs = import ./shared { inherit lib; }; }
{ krebs = import ./tv { inherit lib; }; }

View File

@ -4,6 +4,37 @@ with lib;
{
hosts = {
dishfire = {
cores = 4;
nets = rec {
internet = {
addrs4 = ["144.76.172.188"];
aliases = [
"dishfire.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.133.99"];
addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"];
aliases = [
"dishfire.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs
Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7
uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK
R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd
vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U
HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
};
echelon = {
cores = 2;
nets = rec {
@ -190,32 +221,46 @@ with lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD";
};
schnabel-ap = {
helios = {
cores = 2;
nets = {
gg23 = {
addrs4 = ["10.23.1.20"];
aliases = ["schnabel-ap.gg23"];
};
};
};
Reichsfunk-ap = {
nets = {
gg23 = {
addrs4 = ["10.23.1.10"];
aliases = ["Reichsfunk-ap.gg23"];
retiolum = {
addrs4 = ["10.243.0.3"];
addrs6 = ["42:0:0:0:0:0:0:7105"];
aliases = [
"helios.retiolum"
"cgit.helios.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA9SItL2mhQpTl95gjSWRstrDajUnI5YbrVCuaDKfw9gRwMyPNiO/y
Xwv/w4Ri8NCJZLZGkj2vG3X0EfJFBEPTJPTCbF9fP7PqqVs38BD41txLp+NrFxEq
5fmFk65/eg8ujrNQoOSUGmky/BKqQhWjvxdAWuwjN933wJCcNCxyaUwljHLYEK/I
oIJX+spnFmPwmhW9hsOj8K06eHixT13+0W48GG/ZNcV3x5vWxcKUvZ4Qtzz2iMNB
hud5kae7xMUfFAzCeKF/zsjuyt2d/xQg1WgR8MXGNgYhNJFSXz94r/bivNO6H4vP
Pfjndnh8cD46ADo8woS1nQ19WId+sMbipwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWlIxkX41V55Yker8n4gErx2xcKpXFNKthhbP3+bTJ7";
};
};
users = {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
mail = "lass@mors.retiolum";
};
uriel = {
pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
lass-uriel = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel";
mail = "lass@uriel.retiolum";
};
lass-helios = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBOnMtgy5GH6R6tHp2ugy5QTe3gAGxh2CKsstSNSNAJwvWGiaWJkbNmgM8KlCWeq1GJBGa95kU4I2BDO5fJd7J9vqyrTGF1+sx0Nwj/ELKSNVxDoKVYiU09pTqSB3pi46i+E8N49y4/8aRhu4/7O2dSTH7OS3YoZpt2Soas+cYJYhQdZtYQAgPX5LOkTfQvPhGR8AzrrTvOUrHyTWaSBEELVZ088LrFT6ibXHcPhwXX7A5+YMS8LLr3KRstySWzJEmfVOJxuMhQJSH1Xiq4bLilVn9V4AK5pCOnlALSYf48SexsCqzBUKgISuncurIBbXtW9EkNTMX3jSKlSQ7WniGRlmzrBAJCh4VXJUZgXDf8hAaPckIRbLosbTnEAauWcfnIXLfvI+bYkURhfYKsWelM+MS6ihk+P2yr8rNT9w5iUVJGVypOXUp45PrFuPn6ayCpNRJzqPwCCPE7fFagzLs7wibIXlrhCnRALT5HHyExFFcQoGvIq/8o+Oia8mrTimb55IDLwkiYrG6I5DPXFPKsTC0hium9T3I8dC+M7n9GbwnLTUK2kWnoklD3HTab21xJTtbF98nQ94df7doqPFxL/jongeZCGMB+PJ+BdQTtHr7tCY0kN2GXpoHxz/2w8YEWTKHhWIUsD+Utf8pDkKQfCqlm7iR7byxL51gHL9Z3Q== lass@helios";
mail = "lass@helios.retiolum";
};
};
}

View File

@ -0,0 +1,39 @@
{ lib, ... }:
with lib;
{
hosts = {
bobby = {
cores = 4;
nets = {
retiolum = {
addrs4 = ["10.243.111.112"];
addrs6 = ["42:0:0:0:0:0:111:112"];
aliases = [
"bobby.retiolum"
"cgit.bobby.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA+AScnIqFdzGl+iRZTNZ7r91n/r1H4GzDsrAupUvJ4mi7nDN4eP8s
uLvKtJp22RxfuF3Kf4KhHb8LHQ8bLLN/KDaNDXrCNBc69d7vvLsjoY+wfGLJNu4Y
Ad/8J4r3rdb83mTA3IHb47T/70MERPBr2gF84YiG6ZoQrPQuTk4lHxaI83SOhjny
0F0ucS/rBV6Vv9y5/756TKi1cFPSpY4X+qeWc8xWrBGJcJiiqYb8ZX2o/lkAJ5c+
jI/VdybGFVGY9+bp4Jw5xBIo5KGuFnm8+blRmSDDl3joRneKQSx9FAu7RUwoajBu
cEbi1529NReQzIFT6Vt22ymbHftxOiuh4QIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
#ssh.privkey.path = <secrets/ssh.ed25519>;
#ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro";
};
};
users = {
miefda = {
mail = "miefda@miefda.de";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCVdNCks6mrItKHYIwgW3s+NINFhHqZtLPj3l6TJUWd93ZSuuI6P+Z/0m0G9Z4tWWaXWsOCnzMA2WOKcitBbLcaQxVypJfvmfoA5CVlh4/nf8NfvbMFkVIYPehxR7YoejfKOxPOCNC3248RiD8kqa4/5IF8qdqE+mRQUIZJXvN0jZZ+rGnYo5Z544O9JqsV+VjjOgK0Fchpxf/lC8dnBucIce7gUwi5npwsGQZgSDmRobBRFVDZag1abLFNZN2faI8uqzSlU6KRRapYV266Of7j3kmDokMan4szjP1EexmTWm+arwRiz9p0M5oKs6zofez0mOyF5ux02NB3XIhbJc8CfMjeA7PmSg4ZhghjlSjIOR+1mMIDiDVi6PNLw5atzvpyfYtpf5sWpdIpXCS0lyzIgasqW4gbAiWoFPv5A0mw0QI6UqlxQ8Pdm6R7P6yQxyknrxnvFGMQPiqgl21ssSNA9A+YRd4j0nATntzOeD1bxTZkyU4FtW++0hg3Ph6HiHLfPd9w70wPr7b0RITVnBcN2ZqIO+5NIqQYU801FCNXsTuBh0ueTsVTGJYySUGkmkHyH5spLYdr1Z5w+4W+HgbxPk40pyZJ18S0umL49igxR9NsniucFy1/jqqi0TiDIsHx6vsawFT1F2rq9ZtGaRcJL6Yfz0p+uZC5rc/nI+mMlQ== miefda@nixos";
};
};
}

View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors

View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel

View File

@ -0,0 +1,45 @@
{ config, lib, pkgs, ... }:
{
imports = [
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/base.nix
../2configs/git.nix
../2configs/websites/fritz.nix
{
boot.loader.grub = {
device = "/dev/vda";
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"ehci_pci"
"uhci_hcd"
"virtio_pci"
"virtio_blk"
];
fileSystems."/" = {
device = "/dev/mapper/pool-nix";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/vda1";
fsType = "ext4";
};
}
{
networking.dhcpcd.allowInterfaces = [
"enp*"
"eth*"
];
}
{
sound.enable = false;
}
];
krebs.build.host = config.krebs.hosts.dishfire;
}

73
lass/1systems/helios.nix Normal file
View File

@ -0,0 +1,73 @@
{ config, pkgs, ... }:
with builtins;
{
imports = [
../2configs/baseX.nix
../2configs/browsers.nix
../2configs/programs.nix
../2configs/git.nix
#{
# users.extraUsers = {
# root = {
# openssh.authorizedKeys.keys = map readFile [
# ../../krebs/Zpubkeys/uriel.ssh.pub
# ];
# };
# };
#}
];
krebs.build.host = config.krebs.hosts.helios;
networking.wireless.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/nix";
fsType = "ext4";
};
"/boot" = {
device = "/dev/sda1";
};
};
#services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
# SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
#'';
services.xserver = {
videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel ];
deviceSection = ''
Option "AccelMethod" "sna"
BusID "PCI:0:2:0"
'';
};
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
accelFactor = "0.035";
additionalOptions = ''
Option "FingerHigh" "60"
Option "FingerLow" "60"
'';
};
}

View File

@ -17,7 +17,6 @@
#../2configs/ircd.nix
../2configs/chromium-patched.nix
../2configs/git.nix
../2configs/retiolum.nix
#../2configs/wordpress.nix
../2configs/bitlbee.nix
../2configs/firefoxPatched.nix
@ -25,6 +24,7 @@
../2configs/teamviewer.nix
../2configs/libvirt.nix
../2configs/fetchWallpaper.nix
../2configs/buildbot-standalone.nix
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@ -32,51 +32,70 @@
];
}
{
#wordpress-test
#imports = singleton (sitesGenerators.createWordpress "testserver.de");
#static-nginx-test
imports = [
../3modules/wordpress_nginx.nix
../3modules/static_nginx.nix
];
lass.wordpress."testserver.de" = {
multiSite = {
"1" = "testserver.de";
"2" = "bla.testserver.de";
};
};
services.mysql = {
lass.staticPage."testserver.de" = {
#sslEnable = true;
#certificate = "${toString <secrets>}/testserver.de/server.cert";
#certificate_key = "${toString <secrets>}/testserver.de/server.pem";
ssl = {
enable = true;
package = pkgs.mariadb;
rootPassword = "<secrets>/mysql_rootPassword";
certificate = "${toString <secrets>}/testserver.de/server.cert";
certificate_key = "${toString <secrets>}/testserver.de/server.pem";
};
};
networking.extraHosts = ''
10.243.0.2 testserver.de
'';
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
}
{
#owncloud-test
#imports = singleton (sitesGenerators.createWordpress "testserver.de");
imports = [
../3modules/owncloud_nginx.nix
];
lass.owncloud."owncloud-test.de" = {
};
#{
# #wordpress-test
# #imports = singleton (sitesGenerators.createWordpress "testserver.de");
# imports = [
# ../3modules/wordpress_nginx.nix
# ];
# lass.wordpress."testserver.de" = {
# multiSite = {
# "1" = "testserver.de";
# "2" = "bla.testserver.de";
# };
# };
# services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = "<secrets>/mysql_rootPassword";
# };
networking.extraHosts = ''
10.243.0.2 owncloud-test.de
'';
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
}
# networking.extraHosts = ''
# 10.243.0.2 testserver.de
# '';
# krebs.iptables.tables.filter.INPUT.rules = [
# { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
# ];
#}
#{
# #owncloud-test
# #imports = singleton (sitesGenerators.createWordpress "testserver.de");
# imports = [
# ../3modules/owncloud_nginx.nix
# ];
# lass.owncloud."owncloud-test.de" = {
# };
# #services.mysql = {
# # enable = true;
# # package = pkgs.mariadb;
# # rootPassword = "<secrets>/mysql_rootPassword";
# #};
# networking.extraHosts = ''
# 10.243.0.2 owncloud-test.de
# '';
# krebs.iptables.tables.filter.INPUT.rules = [
# { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
# ];
#}
];
krebs.build.host = config.krebs.hosts.mors;
@ -207,7 +226,7 @@
};
environment.systemPackages = with pkgs; [
cac
cac-api
sshpass
get
teamspeak_client

View File

@ -13,6 +13,7 @@ with builtins;
../2configs/retiolum.nix
../2configs/bitlbee.nix
../2configs/weechat.nix
../2configs/skype.nix
{
users.extraUsers = {
root = {

View File

@ -17,7 +17,8 @@ with lib;
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.uriel.pubkey
config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-helios.pubkey
];
};
mainUser = {
@ -31,7 +32,7 @@ with lib;
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.uriel.pubkey
config.krebs.users.lass-uriel.pubkey
];
};
};
@ -47,20 +48,21 @@ with lib;
exim-retiolum.enable = true;
build = {
user = config.krebs.users.lass;
source = {
git.nixpkgs = {
source = mapAttrs (_: mkDefault) ({
nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix";
nixpkgs = symlink:stockholm/nixpkgs;
secrets = "/home/lass/secrets/${config.krebs.build.host.name}";
#secrets-common = "/home/lass/secrets/common";
stockholm = "/home/lass/stockholm";
stockholm-user = "symlink:stockholm/lass";
upstream-nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
rev = "93d8671e2c6d1d25f126ed30e5e6f16764330119";
};
dir.secrets = {
host = config.krebs.hosts.mors;
path = "/home/lass/secrets/${config.krebs.build.host.name}";
};
dir.stockholm = {
host = config.krebs.hosts.mors;
path = "/home/lass/stockholm";
};
rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
dev = "/home/lass/src/nixpkgs";
};
} // optionalAttrs config.krebs.build.host.secure {
#secrets-master = "/home/lass/secrets/master";
});
};
};
@ -89,6 +91,7 @@ with lib;
git
jq
parallel
proot
#style
most
@ -176,4 +179,10 @@ with lib;
noipv4ll
'';
#CVE-2016-0777 and CVE-2016-0778 workaround
#https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
programs.ssh.extraConfig = ''
UseRoaming no
'';
}

View File

@ -31,6 +31,7 @@ in {
environment.systemPackages = with pkgs; [
dmenu
gitAndTools.qgit
mpv
much

View File

@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
let
mainUser = config.users.extraUsers.mainUser;
in {
environment.systemPackages = with pkgs; [
electrum
];
@ -14,4 +16,7 @@
createHome = true;
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL
'';
}

View File

@ -54,8 +54,6 @@ in {
];
imports = [
../3modules/per-user.nix
] ++ [
( createFirefoxUser "ff" [ "audio" ] [ ] )
( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] )
( createChromiumUser "fb" [ ] [ pkgs.chromium ] )

View File

@ -0,0 +1,78 @@
{ lib, config, pkgs, ... }:
{
#networking.firewall.allowedTCPPorts = [ 8010 9989 ];
krebs.buildbot.master = {
slaves = {
testslave = "lasspass";
};
change_source.stockholm = ''
stockholm_repo = 'http://cgit.mors/stockholm'
cs.append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
'';
scheduler = {
force-scheduler = ''
sched.append(schedulers.ForceScheduler(
name="force",
builderNames=["fast-tests"]))
'';
fast-tests-scheduler = ''
# test the master real quick
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
name="fast-master-test",
builderNames=["fast-tests"]))
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync" ]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
# prepare addShell function
def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs))
'';
builder = {
fast-tests = ''
f = util.BuildFactory()
f.addStep(grab_repo)
addShell(f,name="mors-eval",env=env,
command=nixshell + ["make -s eval get=krebs.deploy filter=json system=mors"])
bu.append(util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
'';
};
enable = true;
web.enable = true;
irc = {
enable = true;
nick = "buildbot-lass";
server = "cd.retiolum";
channels = [ "retiolum" ];
allowForce = true;
};
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "lasspass";
packages = with pkgs;[ git nix ];
extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
};
}

View File

@ -69,12 +69,12 @@ let
with git // config.krebs.users;
repo:
singleton {
user = lass;
user = [ lass lass-helios lass-uriel ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
user = [ tv makefu uriel ];
user = [ tv makefu miefda ];
repo = [ repo ];
perm = fetch;
} ++

View File

@ -161,7 +161,7 @@ let
torrentfreak|http://feeds.feedburner.com/Torrentfreak|#news
torr_news|http://feed.torrentfreak.com/Torrentfreak/|#news
travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#news
truther|http://truthernews.wordpress.com/feed/|#news
#truther|http://truthernews.wordpress.com/feed/|#news
un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#news
un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#news
un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#news

View File

@ -0,0 +1,33 @@
{ config, pkgs, ... }:
{
imports = [
../../3modules/static_nginx.nix
../../3modules/owncloud_nginx.nix
../../3modules/wordpress_nginx.nix
];
lass.staticPage = {
"biostase.de" = {};
"gs-maubach.de" = {};
"spielwaren-kern.de" = {};
"societyofsimtech.de" = {};
"ttf-kleinaspach.de" = {};
"edsn.de" = {};
"eab.berkeley.edu" = {};
"habsys.de" = {};
};
#lass.owncloud = {
# "o.ubikmedia.de" = {
# instanceid = "oc8n8ddbftgh";
# };
#};
#services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = toString (<secrets/mysql_rootPassword>);
#};
}

View File

@ -8,5 +8,11 @@
lass.staticPage = {
"wohnprojekt-rhh.de" = {};
};
users.users.laura = {
home = "/srv/http/wohnprojekt-rhh.de";
createHome = true;
useDefaultShell = true;
};
}

View File

@ -44,7 +44,7 @@ let
"slock"
];
systemd.services.display-manager = mkForce {};
systemd.services.display-manager.enable = false;
services.xserver.enable = true;
@ -93,9 +93,11 @@ let
xmonad-start = pkgs.writeScriptBin "xmonad" ''
#! ${pkgs.bash}/bin/bash
set -efu
export PATH; PATH=${makeSearchPath "bin" ([
export PATH; PATH=${makeSearchPath "bin" [
pkgs.alsaUtils
pkgs.pulseaudioLight
pkgs.rxvt_unicode
] ++ config.environment.systemPackages)}:/var/setuid-wrappers
]}:/var/setuid-wrappers
settle() {(
# Use PATH for a clean journal
command=''${1##*/}

View File

@ -46,8 +46,22 @@ let
type = str;
};
ssl = mkOption {
type = bool;
default = false;
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
default = {};
};
};
}));
@ -58,7 +72,7 @@ let
group = config.services.nginx.group;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -102,7 +116,16 @@ let
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
${if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else ""}
'';
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool

View File

@ -21,6 +21,35 @@ let
type = str;
default = "/srv/http/${config.domain}";
};
#sslEnable = mkEnableOption "ssl";
#certificate = mkOption {
# type = str;
#};
#certificate_key = mkOption {
# type = str;
#};
#ciphers = mkOption {
# type = str;
# default = "AES128+EECDH:AES128+EDH";
#};
ssl = mkOption {
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
default = {};
};
};
}));
default = {};
@ -29,8 +58,10 @@ let
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -43,6 +74,17 @@ let
deny all;
'')
];
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
extraConfig = (if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else "");
});
};

View File

@ -53,6 +53,23 @@ let
"1" = "test.testsite.de";
};
};
ssl = mkOption {
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
};
};
}));
default = {};
@ -68,7 +85,7 @@ let
# }
#'';
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -114,7 +131,17 @@ let
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
${if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else ""}
'';
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool

102
miefda/1systems/bobby.nix Normal file
View File

@ -0,0 +1,102 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
../2configs/miefda.nix
../2configs/tlp.nix
../2configs/x220t.nix
../2configs/hardware-configuration.nix
../2configs/tinc-basic-retiolum.nix
../2configs/git.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda";
networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Select internationalisation properties.
i18n = {
# consoleFont = "Lat2-Terminus16";
consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [
wget chromium
];
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable the KDE Desktop Environment.
#services.xserver.displayManager.kdm.enable = true;
services.xserver.desktopManager = {
xfce.enable = true;
xterm.enable= false;
};
# Define a user account. Don't forget to set a password with passwd.
users.extraUsers.miefda = {
isNormalUser = true;
initialPassword= "welcome";
uid = 1000;
extraGroups= [
"wheel"
];
};
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
networking.hostName = config.krebs.build.host.name;
krebs = {
enable = true;
search-domain = "retiolum";
build = {
host = config.krebs.hosts.bobby;
user = config.krebs.users.miefda;
source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251";
target-path = "/var/src/nixpkgs";
};
dir.secrets = {
host = config.krebs.hosts.bobby;
path = "/home/miefda/secrets/${config.krebs.build.host.name}";
};
dir.stockholm = {
host = config.krebs.hosts.bobby;
path = "/home/miefda/gits/stockholm";
};
};
};
};
}

87
miefda/2configs/git.nix Normal file
View File

@ -0,0 +1,87 @@
{ config, lib, pkgs, ... }:
with lib;
let
out = {
krebs.git = {
enable = true;
root-title = "public repositories at ${config.krebs.build.host.name}";
root-desc = "keep calm and engage";
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
rules = rules;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
repos =
public-repos //
optionalAttrs config.krebs.build.host.secure restricted-repos;
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
painload = {};
stockholm = {
desc = "take all the computers hostage, they'll love you!";
};
#wai-middleware-time = {};
#web-routes-wai-custom = {};
#go = {};
#newsbot-js = {};
#kimsufi-check = {};
#realwallpaper = {};
};
restricted-repos = mapAttrs make-restricted-repo (
{
brain = {
collaborators = with config.krebs.users; [ tv makefu ];
};
} //
import <secrets/repos.nix> { inherit config lib pkgs; }
);
make-public-repo = name: { desc ? null, ... }: {
inherit name desc;
public = true;
hooks = {
post-receive = pkgs.git-hooks.irc-announce {
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
channel = "#retiolum";
server = "cd.retiolum";
verbose = config.krebs.build.host.name == "bobby";
};
};
};
make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: {
inherit name collaborators desc;
public = false;
};
make-rules =
with git // config.krebs.users;
repo:
singleton {
user = miefda;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
user = [ lass tv makefu uriel ];
repo = [ repo ];
perm = fetch;
} ++
optional (length (repo.collaborators or []) > 0) {
user = repo.collaborators;
repo = [ repo ];
perm = fetch;
};
in out

View File

@ -0,0 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "usb_storage" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4db70ae3-1ff9-43d7-8fcc-83264761a0bb";
fsType = "ext4";
};
swapDevices = [ ];
nix.maxJobs = 4;
}

View File

@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
with lib;
{
#networking.wicd.enable = true;
}

View File

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
with lib;
{
krebs.retiolum = {
enable = true;
connectTo = [
"gum"
"pigstarter"
"prism"
"ire"
];
};
}

25
miefda/2configs/tlp.nix Normal file
View File

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
with lib;
{
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 220;
emulateWheel = true;
};
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
'';
}

27
miefda/2configs/x220t.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
{
services.xserver = {
xkbVariant = "altgr-intl";
videoDriver = "intel";
# vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
deviceSection = ''
Option "AccelMethod" "sna"
'';
};
services.xserver.displayManager.sessionCommands =''
xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1
xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2
xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
# xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 8 200
'';
hardware.bluetooth.enable = true;
}

1
miefda/5pkgs/default.nix Normal file
View File

@ -0,0 +1 @@
_:{}

View File

@ -95,7 +95,7 @@ let
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
user = [ lass makefu uriel ];
user = [ lass makefu ];
repo = [ repo ];
perm = fetch;
} ++