Merge remote-tracking branch 'pnp/master'

Zhosts/tsp

@@ -1,4 +1,4 @@
-Subnet = 10.243.0.211
+Subnet = 10.243.0.212
 Subnet = 42:f9f1:0000:0000:0000:0000:0000:0002
 
 -----BEGIN RSA PUBLIC KEY-----

Zpubkeys/makefu_tsp.ssh.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp

krebs/3modules/default.nix

@@ -165,7 +165,7 @@ let
     { krebs = tv-imp; }
     {
       krebs.dns.providers = {
-        de.krebsco = "ovh";
+        de.krebsco = "zones";
         internet = "hosts";
         retiolum = "hosts";
       };
@@ -308,11 +308,11 @@ let
         };
       };
       tsp = {
-        cores = 4;
+        cores = 2;
         dc = "makefu"; #x200
         nets = {
           retiolum = {
-            addrs4 = ["10.243.0.211"];
+            addrs4 = ["10.243.0.212"];
             addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"];
             aliases = [
               "tsp.retiolum"
@@ -335,6 +335,43 @@ let
           };
         };
       };
+      pigstarter = {
+        cores = 1;
+        dc = "makefu"; #x200
+        nets = {
+          internet = {
+            addrs4 = ["192.40.56.122"];
+            addrs6 = ["2604:2880::841f:72c"];
+            aliases = [
+              "pigstarter.internet"
+            ];
+            zones = [
+              { "pigstarter.krebsco.de" = "A";}
+              { "io.krebsco.de" = "NS";}
+              { "io.krebsco.de" = "A";}
+              { "mx42.krebsco.de" = "MX";}
+              { "mx42.krebsco.de" = "A";}
+            ];
+          };
+          retiolum = {
+            addrs4 = ["10.243.0.153"];
+            addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"];
+            aliases = [
+              "pigstarter.retiolum"
+            ];
+            tinc.pubkey = ''
+              -----BEGIN RSA PUBLIC KEY-----
+              MIIBCgKCAQEA/efJuJRLUIZROe3QE8WYTD/zyNGRh9I2/yw+5It9HSNVDMIOV1FZ
+              9PaspsC+YQSBUQRN8SJ95G4RM6TIn/+ei7LiUYsf1Ik+uEOpP5EPthXqvdJEeswv
+              3QFwbpBeOMNdvmGvQLeR1uJKVyf39iep1wWGOSO1sLtUA+skUuN38QKc1BPASzFG
+              4ATM6rd2Tkt8+9hCeoePJdLr3pXat9BBuQIxImgx7m5EP02SH1ndb2wttQeAi9cE
+              DdJadpzOcEgFatzXP3SoKVV9loRHz5HhV4WtAqBIkDvgjj2j+NnXolAUY25Ix+kv
+              sfqfIw5aNLoIX4kDhuDEVBIyoc7/ofSbkQIDAQAB
+              -----END RSA PUBLIC KEY-----
+              '';
+          };
+        };
+      };
     };
     users = addNames {
       makefu = {

krebs/4lib/types.nix

@@ -20,6 +20,7 @@ types // rec {
         type = attrsOf net;
         apply = x: assert hasAttr "retiolum" x; x;
       };
+
       secure = mkOption {
         type = bool;
         default = false;
@@ -73,6 +74,11 @@ types // rec {
         }));
         default = null;
       };
+      zones = mkOption {
+        default = [];
+        # TODO: string is either MX, NS, A or AAAA
+        type = with types; listOf (attrsOf str);
+      };
     };
   });
 

makefu/1systems/pnp.nix

@@ -10,6 +10,9 @@
       <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
       ../2configs/base.nix
       ../2configs/cgit-retiolum.nix
+      ../2configs/graphite-standalone.nix
+      ../2configs/vm-single-partition.nix
+      ../2configs/tinc-basic-retiolum.nix
     ];
   krebs.build.host = config.krebs.hosts.pnp;
   krebs.build.user = config.krebs.users.makefu;
@@ -20,45 +23,14 @@
       url = https://github.com/NixOS/nixpkgs;
       rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
     };
-    secrets = {
-      url = "/home/makefu/secrets/${config.krebs.build.host.name}";
-    };
-    stockholm = {
-      url = toString ../..;
-    };
   };
 
-  boot.loader.grub.enable = true;
+  networking.firewall.allowedTCPPorts = [
-  boot.loader.grub.version = 2;
+  # nginx runs on 80
-  boot.loader.grub.device = "/dev/vda";
+  # graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
-
+    80
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
+    8080 2003
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-  hardware.enableAllFirmware = true;
-  hardware.cpu.amd.updateMicrocode = true;
-
-# networking.firewall is enabled by default
-  networking.firewall.allowedTCPPorts = [ 80 ];
-  networking.firewall.rejectPackets = true;
-  networking.firewall.allowPing = true;
-
-  fileSystems."/" =
-  { device = "/dev/disk/by-label/nixos";
-    fsType = "ext4";
-  };
-  krebs.retiolum = {
-    enable = true;
-    hosts = ../../Zhosts;
-    connectTo = [
-      "gum"
-      "pigstarter"
-      "fastpoke"
   ];
-  };
+  networking.firewall.allowedUDPPorts = [ 2003 ];
 
-# $ nix-env -qaP | grep wget
-    environment.systemPackages = with pkgs; [
-      jq
-    ];
 }

makefu/1systems/tsp.nix

@@ -1,7 +1,6 @@
-# Edit this configuration file to define what should be installed on
+#
-# your system.  Help is available in the configuration.nix(5) man page
+#
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+#
-
 { config, pkgs, ... }:
 
 {
@@ -9,82 +8,23 @@
     [ # Include the results of the hardware scan.
       ../2configs/base.nix
       ../2configs/base-gui.nix
+      ../2configs/tinc-basic-retiolum.nix
+      ../2configs/sda-crypto-root.nix
+      # hardware specifics are in here
+      ../2configs/tp-x200.nix
     ];
-  services.xserver = {
+  # not working in vm
-    videoDriver = "intel";
-  };
   krebs.build.host = config.krebs.hosts.tsp;
   krebs.build.user = config.krebs.users.makefu;
   krebs.build.target = "root@tsp";
 
   krebs.build.deps = {
     nixpkgs = {
-      url = https://github.com/NixOS/nixpkgs;
+      #url = https://github.com/NixOS/nixpkgs;
-      rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+      # rev=$(curl https://nixos.org/channels/nixos-unstable/git-revision -L)
-    };
+      url = https://github.com/makefu/nixpkgs;
-    # TODO generalize in base.nix
+      rev = "8b8b65da24f13f9317504e8bcba476f9161613fe";
-    secrets = {
-      url = "/home/makefu/secrets/${config.krebs.build.host.name}";
-    };
-    # TODO generalize in base.nix
-    stockholm = {
-      url = toString ../..;
     };
   };
 
-  krebs.retiolum = {
-    enable = true;
-    hosts = ../../Zhosts;
-    connectTo = [
-      "gum"
-      "pigstarter"
-      "fastpoke"
-    ];
-  };
-
-  boot = {
-    #x200 specifics
-    kernelModules = [ "tp_smapi" "msr" ];
-    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
-
-    loader.grub.enable =true;
-    loader.grub.version =2;
-    loader.grub.device = "/dev/sda";
-
-    # crypto boot
-    # TODO: use UUID
-    initrd.luks.devices = [ { name = "luksroot"; device= "/dev/sda2";}];
-    initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
-    initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
-  };
-  fileSystems = {
-    "/" = {
-      device = "/dev/mapper/luksroot";
-      fsType = "ext4";
-    };
-    "/boot" = {
-      device = "/dev/disk/by-label/nixboot";
-      fsType = "ext4";
-    };
-  };
-
-  # hardware specifics
-  networking.wireless.enable = true;
-
-  hardware.enableAllFirmware = true;
-  nixpkgs.config.allowUnfree = true;
-
-  # TODO: generalize to numCPU + 1
-  nix.maxJobs = 3;
-
-
-  networking.firewall.rejectPackets = true;
-  networking.firewall.allowPing = true;
-
-
-  # $ nix-env -qaP | grep wget
-  environment.systemPackages = with pkgs; [
-    vim
-    jq
-  ];
 }

makefu/2configs/base-gui.nix

@@ -1,23 +1,57 @@
 { config, lib, pkgs, ... }:
-
+##
+# of course this name is a lie - it prepares a GUI environment close to my
+# current configuration.
+#
+# autologin with mainUser into awesome
+##
+#
 with lib;
+let
+  mainUser = config.krebs.build.user.name;
+in
 {
   imports = [ ];
-  services.xserver.enable = true;
+  services.xserver = {
-  services.xserver.layout = "us";
-
-# use awesome, direct boot into
-  services.xserver.displayManager.auto.enable =true;
-  services.xserver.displayManager.auto.user =config.krebs.users.makefu;
-  services.xserver.windowManager.awesome.enable = true;
-
-  security.setuidPrograms = [ "slock" ];
-
-# use pulseaudio
-  environment.systemPackages = [ pkgs.slock ];
-  hardware.pulseaudio = {
     enable = true;
-    systemWide = true;
+    layout = "us";
+    xkbVariant = "altgr-intl";
+    xkbOptions = "ctrl:nocaps";
+
+    windowManager = {
+      awesome.enable = true;
+      awesome.luaModules = [ pkgs.luaPackages.vicious ];
+      default = "awesome";
     };
 
+    displayManager.auto.enable = true;
+    displayManager.auto.user = mainUser;
+    desktopManager.xterm.enable = false;
+  };
+
+## FONTS
+# TODO: somewhere else?
+
+  i18n.consoleFont = "Lat2-Terminus16";
+
+  fonts = {
+    enableCoreFonts = true;
+    enableFontDir = true;
+    enableGhostscriptFonts = false;
+    fonts = [ pkgs.terminus_font ];
+  };
+
+  environment.systemPackages = with pkgs;[
+    xlockmore
+    rxvt_unicode-with-plugins
+    vlc
+    firefox
+    chromium
+  ];
+  # TODO: use mainUser
+  users.extraUsers.makefu.extraGroups = [ "audio" ];
+  hardware.pulseaudio = {
+    enable = true;
+  #  systemWide = true;
+  };
 }

makefu/2configs/base.nix

@@ -2,11 +2,18 @@
 
 with lib;
 {
-  imports = [ ];
+  imports = [
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import /root/src/secrets/hashedPasswords.nix);
+    }
+    ./vim.nix
+  ];
   krebs.enable = true;
   krebs.search-domain = "retiolum";
 
-  networking.hostName = config.krebs.build.host.name;
+
   users.extraUsers = {
     root = {
         openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
@@ -24,12 +31,29 @@ with lib;
     };
   };
 
+  networking.hostName = config.krebs.build.host.name;
+  nix.maxJobs = config.krebs.build.host.cores + 1;
+  #nix.maxJobs = 1;
+
+  krebs.build.deps = {
+    secrets = {
+      url = "/home/makefu/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
   services.openssh.enable = true;
   nix.useChroot = true;
 
-  users.mutableUsers = true;
+  users.mutableUsers = false;
 
   boot.tmpOnTmpfs = true;
+
+  networking.firewall.rejectPackets = true;
+  networking.firewall.allowPing = true;
+
   systemd.tmpfiles.rules = [
     "d /tmp 1777 root root - -"
   ];

makefu/2configs/cgit-retiolum.nix

@@ -52,11 +52,7 @@ let
 
   # TODO: get the list of all krebsministers
   krebsminister = with config.krebs.users; [ lass tv uriel ];
-
+  all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ];
-  #all-makefu =  with config.krebs.users; [ makefu ];
-
-
-  all-makefu = with config.krebs.users; [ makefu makefu-omo ];
 
   priv-rules = repo: set-owners repo all-makefu;
 
@@ -69,6 +65,10 @@ in {
         name = "makefu-omo" ;
         pubkey= with builtins; readFile ../../Zpubkeys/makefu_omo.ssh.pub;
     };
+    krebs.users.makefu-tsp = {
+        name = "makefu-tsp" ;
+        pubkey= with builtins; readFile ../../Zpubkeys/makefu_tsp.ssh.pub;
+    };
   }];
   krebs.git = {
     enable = true;

makefu/2configs/graphite-standalone.nix

@@ -5,6 +5,7 @@
 with lib;
 {
   imports = [ ];
+
   services.graphite = {
     web = {
       enable = true;

makefu/2configs/sda-crypto-root.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+# sda:  bootloader grub2
+# sda1: boot ext4 (label nixboot)
+# sda2: cryptoluks -> ext4
+with lib;
+{
+  boot = {
+    loader.grub.enable =true;
+    loader.grub.version =2;
+    loader.grub.device = "/dev/sda";
+
+    initrd.luks.devices = [ { name = "luksroot"; device= "/dev/sda2";}];
+    initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
+    initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/luksroot";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-label/nixboot";
+      fsType = "ext4";
+    };
+  };
+}

makefu/2configs/tinc-basic-retiolum.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  krebs.retiolum = {
+    enable = true;
+    hosts = ../../Zhosts;
+    connectTo = [
+      "gum"
+      "pigstarter"
+      "fastpoke"
+    ];
+  };
+}

makefu/2configs/tp-x200.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  #services.xserver = {
+  #  videoDriver = "intel";
+  #};
+
+  boot = {
+    kernelModules = [ "tp_smapi" "msr" ];
+    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+
+  };
+
+  networking.wireless.enable = true;
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  hardware.trackpoint.enable = true;
+  hardware.trackpoint.sensitivity = 255;
+  hardware.trackpoint.speed = 255;
+  services.xserver.displayManager.sessionCommands = ''
+    xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 1
+    xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 2
+    xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 200
+  '';
+}

makefu/2configs/vim.nix

@@ -0,0 +1,119 @@
+{ config, pkgs, ... }:
+
+let
+  customPlugins.vim-better-whitespace = pkgs.vimUtils.buildVimPlugin {
+    name = "vim-better-whitespace";
+    src = pkgs.fetchFromGitHub {
+      owner = "ntpeters";
+      repo = "vim-better-whitespace";
+      rev = "984c8da518799a6bfb8214e1acdcfd10f5f1eed7";
+      sha256 = "10l01a8xaivz6n01x6hzfx7gd0igd0wcf9ril0sllqzbq7yx2bbk";
+    };
+  };
+
+in {
+
+  environment.systemPackages = [
+    pkgs.python27Full # required for youcompleteme
+    (pkgs.vim_configurable.customize {
+      name = "vim";
+
+    vimrcConfig.customRC = ''
+      set nocompatible
+      syntax on
+
+      filetype off
+      filetype plugin indent on
+
+      colorscheme darkblue
+      set background=dark
+
+      set number
+      set relativenumber
+      set mouse=a
+      set ignorecase
+      set incsearch
+      set wildignore=*.o,*.obj,*.bak,*.exe,*.os
+      set textwidth=79
+      set shiftwidth=2
+      set expandtab
+      set softtabstop=2
+      set shiftround
+      set smarttab
+      set tabstop=2
+      set et
+      set autoindent
+      set backspace=indent,eol,start
+
+
+      inoremap <F1> <ESC>
+      nnoremap <F1> <ESC>
+      vnoremap <F1> <ESC>
+
+      nnoremap <F5> :UndotreeToggle<CR>
+      set undodir  =~/.vim/undo
+      set undofile
+      "maximum number of changes that can be undone
+      set undolevels=1000000
+      "maximum number lines to save for undo on a buffer reload
+      set undoreload=10000000
+
+      nnoremap <F2> :set invpaste paste?<CR>
+      set pastetoggle=<F2>
+      set showmode
+
+      set showmatch
+      set matchtime=3
+      set hlsearch
+
+      autocmd ColorScheme * highlight ExtraWhitespace ctermbg=red guibg=red
+
+
+      " save on focus lost
+      au FocusLost * :wa
+
+      autocmd BufRead *.json set filetype=json
+      au  BufNewFile,BufRead *.mustache set syntax=mustache
+
+      cnoremap SudoWrite w !sudo tee > /dev/null %
+
+      " create Backup/tmp/undo dirs
+      set backupdir=~/.vim/backup
+      set directory=~/.vim/tmp
+
+      function! InitBackupDir()
+        let l:parent = $HOME    . '/.vim/'
+        let l:backup = l:parent . 'backup/'
+        let l:tmpdir = l:parent . 'tmp/'
+        let l:undodir= l:parent . 'undo/'
+
+
+        if !isdirectory(l:parent)
+          call mkdir(l:parent)
+        endif
+        if !isdirectory(l:backup)
+          call mkdir(l:backup)
+        endif
+        if !isdirectory(l:tmpdir)
+          call mkdir(l:tmpdir)
+        endif
+        if !isdirectory(l:undodir)
+          call mkdir(l:undodir)
+        endif
+      endfunction
+      call InitBackupDir()
+
+
+    '';
+
+      vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
+      vimrcConfig.vam.pluginDictionaries = [
+        { names = [ "undotree"
+          "YouCompleteMe"
+          "vim-better-whitespace" ]; }
+        { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
+      ];
+
+    })
+  ];
+}

makefu/2configs/vm-single-partition.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+# vda1 ext4 (label nixos) -> only root partition
+with lib;
+{
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/vda";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+  hardware.cpu.amd.updateMicrocode = true;
+
+
+}