Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'before-merge'

Browse Source
This commit is contained in:
makefu 2015-09-27 19:41:01 +02:00
commit bc2bd6e2f6
30 changed files with 956 additions and 403 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Makefile
View File

@ -2,7 +2,7 @@
# usage: # usage:
# make system=foo # make system=foo
# make systems='foo bar' # make systems='foo bar'
# make eval system=foo get=config.networking.extraHosts [filter=json] # make eval get=tv.wu.config.time.timeZone [filter=json]
# #
.ONESHELL: .ONESHELL:
@ -10,20 +10,19 @@
ifdef systems ifdef systems
$(systems): $(systems):
@
parallel \ parallel \
--line-buffer \ --line-buffer \
-j0 \ -j0 \
--no-notice \ --no-notice \
--tagstring {} \ --tagstring {} \
-q make systems= system={} ::: $(systems) -q make -s systems= system={} ::: $(systems)
else ifdef system else ifdef system
.PHONY: deploy .PHONY: deploy infest
deploy:;@ deploy infest:;@
make eval system=$(system) get=config.krebs.build.script filter=json | sh export get=$$LOGNAME.${system}.config.krebs.build.scripts.$@
export filter=json
.PHONY: infest make -s eval | sh
infest:;@
make eval system=$(system) get=config.krebs.build.infest filter=json | sh
.PHONY: eval .PHONY: eval
eval: eval:
@ -41,7 +40,7 @@ endif
-A "$$get" \ -A "$$get" \
'<stockholm>' \ '<stockholm>' \
--argstr user-name "$$LOGNAME" \ --argstr user-name "$$LOGNAME" \
--argstr system-name "$$system" \ --argstr host-name "$$HOSTNAME" \
| filter | filter
else else
$(error unbound variable: system[s]) $(error unbound variable: system[s])

83
default.nix
View File

@ -1,26 +1,81 @@
{ user-name, system-name }: { user-name, host-name }:
let let
lib = import <nixpkgs/lib>;
eval = import <nixpkgs/nixos/lib/eval-config.nix> { krebs-modules-path = ./krebs/3modules;
krebs-pkgs-path = ./krebs/5pkgs;
user-modules-path = ./. + "/${user-name}/3modules";
user-pkgs-path = ./. + "/${user-name}/5pkgs";
out =
(lib.mapAttrs (k: v: mk-namespace (./. + "/${k}"))
(lib.filterAttrs
(k: v: !lib.hasPrefix "." k && v == "directory")
(builtins.readDir ./.)));
eval = path: import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem; system = builtins.currentSystem;
modules = map (p: ./. + "/${p}") [ modules = [
"${user-name}/1systems/${system-name}.nix" ({ config, ... }:
"${user-name}/3modules" with import ./krebs/4lib { inherit lib; };
"krebs/3modules" {
options.krebs.exec.host = mkOption {
type = types.host;
default = config.krebs.hosts.${host-name};
};
options.krebs.exec.user = mkOption {
type = types.user;
default = config.krebs.users.${user-name};
};
}
)
path
krebs-modules-path
user-modules-path
] ++ [ ] ++ [
({ lib, pkgs, ... }: { ({ config, lib, pkgs, ... }@args: {
_module.args.pkgs = _module.args.pkgs =
(import ./krebs/5pkgs { inherit lib pkgs; }) // (import krebs-pkgs-path args) //
(import (./. + "/${user-name}/5pkgs") { inherit lib pkgs; }); (import user-pkgs-path args);
}) })
]; ];
}; };
in mk-namespace = path: mapNixDir mk-system (path + "/1systems");
{ mk-system = path: rec {
inherit (eval) config options; inherit (eval path) config options;
system = config.system.build.toplevel;
fetch = import ./krebs/0tools/fetch.nix { inherit config lib; };
};
system = eval.config.system.build.toplevel; mapNixDir = f: path: lib.mapAttrs (_: f) (nixDir path);
}
nixDir = path:
builtins.listToAttrs
(catMaybes
(lib.mapAttrsToList
(k: v: {
directory =
let p = path + "/${k}/default.nix"; in
if builtins.pathExists p
then Just (lib.nameValuePair k p)
else Nothing;
regular =
let p = path + "/${k}"; in
if lib.hasSuffix ".nix" p
then Just (lib.nameValuePair (lib.removeSuffix ".nix" k) p)
else Nothing;
}.${v} or Nothing)
(builtins.readDir path)));
# TODO move to lib
Just = x: { type = "maybe"; value = x; };
Nothing = { type = "maybe"; };
isMaybe = x: builtins.typeOf x == "set" && x.type or false == "maybe";
isJust = x: isMaybe x && builtins.hasAttr "value" x;
fromJust = x: assert isJust x; x.value;
catMaybes = xs: map fromJust (builtins.filter isJust xs);
in out

269
krebs/3modules/build/default.nix Normal file
View File

@ -0,0 +1,269 @@
{ config, lib, ... }:
with import ../../4lib { inherit lib; };
let
target = config.krebs.build // { user.name = "root"; };
out = {
# TODO deprecate krebs.build.host
options.krebs.build.host = mkOption {
type = types.host;
};
# TODO make krebs.build.profile shell safe
options.krebs.build.profile = mkOption {
type = types.str;
default = "/nix/var/nix/profiles/system";
};
# TODO make krebs.build.target.host :: host
options.krebs.build.target = mkOption {
type = with types; nullOr str;
default = null;
};
# TODO deprecate krebs.build.user
options.krebs.build.user = mkOption {
type = types.user;
};
options.krebs.build.scripts.deploy = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
(${config.krebs.build.scripts._source})
${ssh-target ''
${config.krebs.build.scripts._nix-env}
${config.krebs.build.profile}/bin/switch-to-configuration switch
''}
echo OK
'';
};
options.krebs.build.scripts.infest = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
-o 'HostName ${target.host.infest.addr}' \
-o 'Port ${toString target.host.infest.port}' \
"
ssh() {
eval "$RSYNC_RSH \"\$@\""
}
${ssh-target ''
${readFile ./infest/prepare.sh}
${readFile ./infest/install-nix.sh}
''}
(${config.krebs.build.scripts._source})
${ssh-target ''
export PATH; PATH=/root/.nix-profile/bin:$PATH
src=$(type -p nixos-install)
cat_src() {
sed < "$src" "$(
sed < "$src" -n '
/^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
/^nixpkgs=/=
/^NIX_PATH=/,/^$/{/./=}
' \
| sed 's:$:s/^/#krebs#/:'
)"
}
# Location to insert config.krebs.build.scripts._nix-env
i=$(sed -n '/^echo "building the system configuration/=' "$src")
{
cat_src | sed -n "1,$i{p}"
cat ${doc config.krebs.build.scripts._nix-env}
cat_src | sed -n "$i,\''${$i!p}"
} > nixos-install
chmod +x nixos-install
# Wrap inserted config.krebs.build.scripts._nix-env into chroot.
nix_env=$(cat_src | sed -n '
s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
')
echo nix-env is $nix_env
sed -i '
s:^nix-env:chroot $mountPoint '"$nix_env"':
' nixos-install
./nixos-install
${readFile ./infest/finalize.sh}
''}
'';
};
options.krebs.build.scripts._nix-env = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
NIX_PATH=${config.krebs.build.source.NIX_PATH} \
nix-env \
-f '<stockholm>' \
-Q \
--argstr user-name ${config.krebs.exec.user.name} \
--argstr host-name ${target.host.name} \
--profile ${config.krebs.build.profile} \
--set \
-A ${lib.escapeShellArg (lib.concatStringsSep "." [
config.krebs.build.user.name
config.krebs.build.host.name
"system"
])}
'';
};
options.krebs.build.scripts._source = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
${
lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: { scripts, url, ... }: "(${scripts._source})")
(config.krebs.build.source.dir //
config.krebs.build.source.git))
}
'';
};
options.krebs.build.source.NIX_PATH = mkOption {
type = types.str;
default =
lib.concatStringsSep ":"
(lib.mapAttrsToList (name: _: "${name}=/root/${name}")
(config.krebs.build.source.dir //
config.krebs.build.source.git));
};
options.krebs.build.source.dir = mkOption {
type =
let
exec = config.krebs.exec;
in
types.attrsOf (types.submodule ({ config, ... }:
let
url = "file://${config.host.name}${config.path}";
can-link = config.host.name == target.host.name;
can-push = config.host.name == exec.host.name;
push-method = ''
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--exclude tmp \
--rsync-path='mkdir -p ${config.target-path} && rsync' \
--delete-excluded \
-vrLptgoD \
${config.path}/ \
${target.user.name}@${target.host.name}:${config.target-path}
'';
in
{
options = {
host = mkOption {
type = types.host;
description = ''
define the host where the directory is stored on.
XXX: currently it is just used to check if rsync is working,
becomes part of url
'';
};
path = mkOption {
type = types.str;
};
scripts._source = mkOption {
type = types.str;
default =
#if can-link then link-method else
if can-push then push-method else
throw "cannot source ${url}";
};
target-path = mkOption {
type = types.str;
default = "/root/${config._module.args.name}";
};
url = mkOption {
type = types.str;
default = "file://${config.host.name}${config.path}";
};
};
}
));
default = {};
};
options.krebs.build.source.git = mkOption {
type =
let
target = config.krebs.build // { user.name = "root"; };
in
with types; attrsOf (submodule ({ config, ... }:
{
options = {
url = mkOption {
type = types.str; # TODO must be shell safe
};
rev = mkOption {
type = types.str;
};
scripts._source = mkOption {
type = types.str;
default = ssh-target ''
mkdir -p ${config.target-path}
cd ${config.target-path}
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin ${config.url}
elif test "$cur_url" != ${config.url}; then
git remote set-url origin ${config.url}
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then
git fetch origin
git checkout ${config.rev} -- .
git checkout -q ${config.rev}
git submodule init
git submodule update
fi
git clean -dxf
'';
};
target-path = mkOption {
type = types.str;
default = "/root/${config._module.args.name}";
};
};
}
));
default = {};
};
};
doc = s:
let b = "EOF${hashString "sha256" s}"; in
''
<<\${b}
${s}
${b}
'';
ssh-target = script:
"ssh root@${target.host.name} -T ${doc ''
set -efu
${script}
''}";
in out

2
krebs/4lib/infest/4finalize → krebs/3modules/build/infest/finalize.sh
View File

@ -7,7 +7,7 @@ set -eux
umount /mnt || [ $? -eq 32 ] umount /mnt || [ $? -eq 32 ]
umount /boot || [ $? -eq 32 ] umount /boot || [ $? -eq 32 ]
PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i) PATH=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
export PATH export PATH
mkdir /oldshit mkdir /oldshit

8
krebs/4lib/infest/2install-nix → krebs/3modules/build/infest/install-nix.sh
View File

@ -2,9 +2,9 @@
set -efu set -efu
nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2 nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2
nix_sha256="504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4" nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4
install-nix() {( install_nix() {(
# install nix on host (cf. https://nixos.org/nix/install) # install nix on host (cf. https://nixos.org/nix/install)
if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
@ -23,7 +23,7 @@ install-nix() {(
$nix_src_dir/install $nix_src_dir/install
fi fi
#TODO: make this general or move to 1prepare #TODO: make this general or move to prepare
if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then
mkdir -p /mnt/nix mkdir -p /mnt/nix
mount --bind /nix /mnt/nix mount --bind /nix /mnt/nix
@ -54,4 +54,4 @@ install-nix() {(
fi fi
)} )}
install-nix "$@" install_nix "$@"

0
krebs/4lib/infest/1prepare → krebs/3modules/build/infest/prepare.sh
View File

263
krebs/3modules/default.nix
View File

@ -6,6 +6,7 @@ let
out = { out = {
imports = [ imports = [
./build
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix ./exim-smarthost.nix
./github-hosts-sync.nix ./github-hosts-sync.nix
@ -22,225 +23,6 @@ let
api = { api = {
enable = mkEnableOption "krebs"; enable = mkEnableOption "krebs";
build = mkOption {
type = types.submodule ({ config, ... }: {
options = {
target = mkOption {
type = with types; nullOr str;
default = null;
};
deps = mkOption {
type = with types; attrsOf (submodule {
options = {
url = mkOption {
type = str;
};
rev = mkOption {
type = nullOr str;
default = null;
};
};
});
default = {};
};
script = mkOption {
type = types.str;
default = ''
#! /bin/sh
set -efux
target=${escapeShellArg cfg.build.target}
push(){(
src=$1/
dst=$target:$2
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--rsync-path="mkdir -p \"$2\" && rsync" \
--delete-excluded \
-vrLptgoD \
"$src" "$dst"
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev == null) ''
push ${toString (map escapeShellArg [
"${url}"
"/root/src/${name}"
])}
'') config.deps)}
exec ssh -S none "$target" /bin/sh <<\EOF
set -efux
fetch(){(
url=$1
rev=$2
dst=$3
mkdir -p "$dst"
cd "$dst"
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin "$url"
elif test "$cur_url" != "$url"; then
git remote set-url origin "$url"
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
git fetch origin
git checkout "$rev" -- .
git checkout -q "$rev"
git submodule init
git submodule update
fi
git clean -dxf
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev != null) ''
fetch ${toString (map escapeShellArg [
url
rev
"/root/src/${name}"
])}
'') config.deps)}
echo build system...
profile=/nix/var/nix/profiles/system
NIX_PATH=/root/src \
nix-env \
-Q \
-p "$profile" \
-f '<stockholm>' \
--set \
-A system \
--argstr user-name ${escapeShellArg cfg.build.user.name} \
--argstr system-name ${escapeShellArg cfg.build.host.name}
exec "$profile"/bin/switch-to-configuration switch
EOF
'';
};
infest = mkOption {
type = types.str;
default = ''
#! /bin/sh
set -efux
target=${escapeShellArg cfg.build.target}
push(){(
src=$1/
dst=$target:/mnt$2
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--rsync-path="mkdir -p \"/mnt$2\" && rsync" \
--delete-excluded \
-vrLptgoD \
"$src" "$dst"
)}
cat krebs/4lib/infest/1prepare | ssh "$target"
cat krebs/4lib/infest/2install-nix | ssh "$target"
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev == null) ''
push ${toString (map escapeShellArg [
"${url}"
"/root/src/${name}"
])}
'') config.deps)}
ssh -S none "$target" /bin/sh <<\EOF
set -efux
fetch(){(
url=$1
rev=$2
dst=$3
mkdir -p "$dst"
cd "$dst"
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin "$url"
elif test "$cur_url" != "$url"; then
git remote set-url origin "$url"
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
git fetch origin
git checkout "$rev" -- .
git checkout -q "$rev"
git submodule init
git submodule update
fi
git clean -dxf
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev != null) ''
fetch ${toString (map escapeShellArg [
url
rev
"/mnt/root/src/${name}"
])}
'') config.deps)}
export PATH=/root/.nix-profile/bin:/root/.nix-profile/sbin:$PATH
sed < "$(type -p nixos-install)" > nixos-install '
/^echo "building the system configuration..."/,/--set -A system/{
s/.*/# &/
s@.*--set -A system.*@&\n${concatStringsSep " " [
"NIX_PATH=/mnt/root/src/"
"nix-env"
"-Q"
"-p /nix/var/nix/profiles/system"
"-f \"<stockholm>\""
"--set"
"-A system"
"--argstr user-name ${escapeShellArg cfg.build.user.name}"
"--argstr system-name ${escapeShellArg cfg.build.host.name}"
]}@
}
'
sed -i 's/^nixpkgs=.*$/#&/' nixos-install
chmod +x nixos-install
echo {} > /root/dummy.nix
echo build system...
profile=/nix/var/nix/profiles/system
NIXOS_CONFIG=/root/dummy.nix \
./nixos-install -I /root/src/
#nl -bp nixos-install
EOF
cat krebs/4lib/infest/4finalize | ssh "$target"
'';
};
host = mkOption {
type = types.host;
};
user = mkOption {
type = types.user;
};
};
});
# Define defaul value, so unset values of the submodule get reported.
default = {};
};
dns = { dns = {
providers = mkOption { providers = mkOption {
# TODO with types; tree dns.label dns.provider, so we can merge. # TODO with types; tree dns.label dns.provider, so we can merge.
@ -537,8 +319,8 @@ let
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
mediengewitter IN A ${elemAt nets.internet.addrs4 0} mediengewitter IN A ${head nets.internet.addrs4}
flap IN A ${elemAt nets.internet.addrs4 0}''; flap IN A ${head nets.internet.addrs4}'';
}; };
nets = { nets = {
internet = { internet = {
@ -575,13 +357,13 @@ let
IN MX 10 mx42 IN MX 10 mx42
euer IN MX 1 aspmx.l.google.com. euer IN MX 1 aspmx.l.google.com.
io IN NS pigstarter.krebsco.de. io IN NS pigstarter.krebsco.de.
pigstarter IN A ${elemAt nets.internet.addrs4 0} pigstarter IN A ${head nets.internet.addrs4}
conf IN A ${elemAt nets.internet.addrs4 0} conf IN A ${head nets.internet.addrs4}
gold IN A ${elemAt nets.internet.addrs4 0} gold IN A ${head nets.internet.addrs4}
graph IN A ${elemAt nets.internet.addrs4 0} graph IN A ${head nets.internet.addrs4}
tinc IN A ${elemAt nets.internet.addrs4 0} tinc IN A ${head nets.internet.addrs4}
boot IN A ${elemAt nets.internet.addrs4 0} boot IN A ${head nets.internet.addrs4}
mx42 IN A ${elemAt nets.internet.addrs4 0}''; mx42 IN A ${head nets.internet.addrs4}'';
}; };
nets = { nets = {
internet = { internet = {
@ -615,7 +397,7 @@ let
dc = "makefu"; #dc = "cac"; dc = "makefu"; #dc = "cac";
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
wry IN A ${elemAt nets.internet.addrs4 0} wry IN A ${head nets.internet.addrs4}
''; '';
}; };
nets = rec { nets = rec {
@ -627,11 +409,10 @@ let
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = [""]; addrs4 = ["10.243.29.169"];
addrs6 = [""]; addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"];
aliases = [ aliases = [
"wry.retiolum" "wry.retiolum"
"cgit.cd.retiolum"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -657,10 +438,10 @@ let
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
omo IN A ${elemAt nets.internet.addrs4 0} omo IN A ${head nets.internet.addrs4}
euer IN A ${elemAt nets.internet.addrs4 0} euer IN A ${head nets.internet.addrs4}
gum IN A ${elemAt nets.internet.addrs4 0} gum IN A ${head nets.internet.addrs4}
paste IN A ${elemAt nets.internet.addrs4 0}''; paste IN A ${head nets.internet.addrs4}'';
}; };
nets = { nets = {
internet = { internet = {
@ -747,12 +528,13 @@ let
}; };
}; };
}; };
mkdir = { mkdir = rec {
cores = 1; cores = 1;
dc = "tv"; #dc = "cac"; dc = "tv"; #dc = "cac";
infest.addr = head nets.internet.addrs4;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["162.248.167.241"]; addrs4 = ["104.233.84.102"];
aliases = [ aliases = [
"mkdir.internet" "mkdir.internet"
]; ];
@ -803,12 +585,13 @@ let
}; };
secure = true; secure = true;
}; };
rmdir = { rmdir = rec {
cores = 1; cores = 1;
dc = "tv"; #dc = "cac"; dc = "tv"; #dc = "cac";
infest.addr = head nets.internet.addrs4;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["167.88.44.94"]; addrs4 = ["104.233.84.70"];
aliases = [ aliases = [
"rmdir.internet" "rmdir.internet"
]; ];

2
krebs/3modules/github-hosts-sync.nix
View File

@ -22,7 +22,7 @@ let
}; };
ssh-identity-file = mkOption { ssh-identity-file = mkOption {
type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
}; };
}; };

2
krebs/3modules/retiolum.nix
View File

@ -75,7 +75,7 @@ let
# TODO if it's types.path then it gets copied to /nix/store with # TODO if it's types.path then it gets copied to /nix/store with
# bad unsafe permissions... # bad unsafe permissions...
type = types.str; type = types.str;
default = "/root/src/secrets/retiolum.rsa_key.priv"; default = toString <secrets/retiolum.rsa_key.priv>;
description = '' description = ''
Generate file with <literal>tincd -K</literal>. Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to This file must exist on the local system. The default points to

9
krebs/4lib/infest/3install-nix-tools
View File

@ -1,9 +0,0 @@
#! /bin/sh
set -efu
install-nix-tools() {(
)}
install-nix-tools "$@"

10
krebs/4lib/types.nix
View File

@ -27,6 +27,16 @@ types // rec {
type = with types; attrsOf string; type = with types; attrsOf string;
}; };
infest = {
addr = mkOption {
type = str;
};
port = mkOption {
type = int;
default = 22;
};
};
secure = mkOption { secure = mkOption {
type = bool; type = bool;
default = false; default = false;

6
krebs/5pkgs/cac/default.nix
View File

@ -1,12 +1,12 @@
{ stdenv, fetchgit, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }: { stdenv, fetchgit, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }:
stdenv.mkDerivation { stdenv.mkDerivation {
name = "cac"; name = "cac-1.0.0";
src = fetchgit { src = fetchgit {
url = http://cgit.cd.retiolum/cac; url = http://cgit.cd.retiolum/cac;
rev = "f4589158572ab35969b9bccf801ea07e115705e1"; rev = "14de1d3c78385e3f8b6d694f5d799eb1b613159e";
sha256 = "9d761cd1d7ff68507392cbfd6c3f6000ddff9cc540293da2b3c4ee902321fb27"; sha256 = "9b2a3d47345d6f8f27d9764c4f2f2acff17d3dde145dd0e674e4183e9312fec3";
}; };
phases = [ phases = [

1
krebs/5pkgs/default.nix
View File

@ -11,6 +11,7 @@ rec {
charybdis = callPackage ./charybdis {}; charybdis = callPackage ./charybdis {};
dic = callPackage ./dic {}; dic = callPackage ./dic {};
genid = callPackage ./genid {}; genid = callPackage ./genid {};
get = callPackage ./get {};
github-hosts-sync = callPackage ./github-hosts-sync {}; github-hosts-sync = callPackage ./github-hosts-sync {};
github-known_hosts = callPackage ./github-known_hosts {}; github-known_hosts = callPackage ./github-known_hosts {};
hashPassword = callPackage ./hashPassword {}; hashPassword = callPackage ./hashPassword {};

37
krebs/5pkgs/get/default.nix Normal file
View File

@ -0,0 +1,37 @@
{ coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
stdenv.mkDerivation {
name = "get-1.1.1";
src = fetchgit {
url = http://cgit.cd.retiolum/get;
rev = "e64826a4f5f74cbaa895e538b97d0e523e9709f9";
sha256 = "4d1aa07bba52f697cf7aa7ad1b02b9ff41598dfea83c578e77b8d81e3e8830d2";
};
phases = [
"unpackPhase"
"installPhase"
];
installPhase =
let
path = stdenv.lib.makeSearchPath "bin" [
coreutils
gnugrep
gnused
jq
nix
];
in
''
mkdir -p $out/bin
sed \
'1s,.*,&\nPATH=${path},' \
< ./get \
> $out/bin/get
chmod +x $out/bin/get
'';
}

2
lass/2configs/base.nix
View File

@ -6,6 +6,7 @@ with lib;
../3modules/iptables.nix ../3modules/iptables.nix
../2configs/vim.nix ../2configs/vim.nix
../2configs/zsh.nix ../2configs/zsh.nix
../2configs/mc.nix
{ {
users.extraUsers = users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; }) mapAttrs (_: h: { hashedPassword = h; })
@ -53,6 +54,7 @@ with lib;
#why is this on in the first place? #why is this on in the first place?
services.ntp.enable = false; services.ntp.enable = false;
services.nscd.enable = false;
boot.tmpOnTmpfs = true; boot.tmpOnTmpfs = true;
# see tmpfiles.d(5) # see tmpfiles.d(5)

346
lass/2configs/mc.nix Normal file
View File

@ -0,0 +1,346 @@
{ config, pkgs, ... }:
let
mcExt = pkgs.writeText "mc.ext" ''
# gitfs changeset
regex/^\[git\]
Open=%cd %p/changesetfs://
View=%cd %p/patchsetfs://
### Archives ###
# .tgz, .tpz, .tar.gz, .tar.z, .tar.Z, .ipk, .gem
regex/\.t([gp]?z|ar\.g?[zZ])$|\.ipk$|\.gem$
Open=%cd %p/utar://
shell/.tar.bz
# Open=%cd %p/utar://
regex/\.t(ar\.bz2|bz2?|b2)$
Open=%cd %p/utar://
# .tar.lzma, .tlz
regex/\.t(ar\.lzma|lz)$
Open=%cd %p/utar://
# .tar.xz, .txz
regex/\.t(ar\.xz|xz)$
Open=%cd %p/utar://
# .tar.F - used in QNX
shell/.tar.F
# Open=%cd %p/utar://
# .qpr/.qpk - QNX Neutrino package installer files
regex/\.qp[rk]$
Open=%cd %p/utar://
# tar
shell/i/.tar
Open=%cd %p/utar://
# lha
type/^LHa\ .*archive
Open=%cd %p/ulha://
# arj
regex/i/\.a(rj|[0-9][0-9])$
Open=%cd %p/uarj://
# cab
shell/i/.cab
Open=%cd %p/ucab://
# ha
shell/i/.ha
Open=%cd %p/uha://
# rar
regex/i/\.r(ar|[0-9][0-9])$
Open=%cd %p/urar://
# ALZip
shell/i/.alz
Open=%cd %p/ualz://
# cpio
shell/.cpio.Z
Open=%cd %p/ucpio://
shell/.cpio.xz
Open=%cd %p/ucpio://
shell/.cpio.gz
Open=%cd %p/ucpio://
shell/i/.cpio
Open=%cd %p/ucpio://
# 7zip archives (they are not man pages)
shell/i/.7z
Open=%cd %p/u7z://
# patch
regex/\.(diff|patch)(\.bz2)$
Open=%cd %p/patchfs://
regex/\.(diff|patch)(\.(gz|Z))$
Open=%cd %p/patchfs://
# ls-lR
regex/(^|\.)ls-?lR(\.gz|Z|bz2)$
Open=%cd %p/lslR://
# trpm
shell/.trpm
Open=%cd %p/trpm://
# RPM packages (SuSE uses *.spm for source packages)
regex/\.(src\.rpm|spm)$
Open=%cd %p/rpm://
shell/.rpm
Open=%cd %p/rpm://
# deb
regex/\.u?deb$
Open=%cd %p/deb://
# dpkg
shell/.debd
Open=%cd %p/debd://
# apt
shell/.deba
Open=%cd %p/deba://
# ISO9660
shell/i/.iso
Open=%cd %p/iso9660://
regex/\.(diff|patch)$
Open=%cd %p/patchfs://
# ar library
regex/\.s?a$
Open=%cd %p/uar://
# gplib
shell/i/.lib
Open=%cd %p/ulib://
# Mailboxes
type/^ASCII\ mail\ text
Open=%cd %p/mailfs://
### Sources ###
# C/C++
regex/i/\.(c|cc|cpp)$
Include=editor
# C/C++ header
regex/i/\.(h|hh|hpp)$
Include=editor
# Fortran
shell/i/.f
Include=editor
# Assembler
regex/i/\.(s|asm)$
Include=editor
include/editor
Open=%var{EDITOR:vim} %f
### Images ###
type/^GIF
Include=image
type/^JPEG
Include=image
type/^PC\ bitmap
Include=image
type/^PNG
Include=image
type/^JNG
Include=image
type/^MNG
Include=image
type/^TIFF
Include=image
type/^PBM
Include=image
type/^PGM
Include=image
type/^PPM
Include=image
type/^Netpbm
Include=image
shell/.ico
Include=image
include/image
Open=sxiv %f
View=sxiv %f
### Sound files ###
regex/i/\.(wav|snd|voc|au|smp|aiff|snd|m4a|ape|aac|wv)$
Include=audio
regex/i/\.(mod|s3m|xm|it|mtm|669|stm|ult|far)$
Include=audio
shell/i/.waw22
Include=audio
shell/i/.mp3
Include=audio
regex/i/\.og[gax]$
Include=audio
regex/i/\.(spx|flac)$
Include=audio
regex/i/\.(midi?|rmid?)$
Include=audio
shell/i/.wma
Include=audio
include/audio
Open=mpv %f
View=mpv %f
### Video ###
shell/i/.avi
Include=video
regex/i/\.as[fx]$
Include=video
shell/i/.divx
Include=video
shell/i/.mkv
Include=video
regex/i/\.(mov|qt)$
Include=video
regex/i/\.(mp4|m4v|mpe?g)$
Include=video
# MPEG-2 TS container + H.264 codec
shell/i/.mts
Include=video
shell/i/.ts
Include=video
shell/i/.vob
Include=video
shell/i/.wmv
Include=video
regex/i/\.fl[icv]$
Include=video
shell/i/.ogv
Include=video
# WebM
shell/i/.webm
Include=video
type/WebM
Include=video
include/video
Open=mpv %f
View=mpv %f
### Documents ###
# PDF
type/^PDF
Open=zathura %f
View=zathura %f
### Miscellaneous ###
# Makefile
regex/[Mm]akefile$
Open=make -f %f %{Enter parameters}
### Plain compressed files ###
# ace
shell/i/.ace
Open=%cd %p/uace://
Extract=unace x %f
# arc
shell/i/.arc
Open=%cd %p/uarc://
Extract=arc x %f '*'
Extract (with flags)=I=%{Enter any Arc flags:}; if test -n "$I"; then arc x $I %f; fi
# zip
shell/i/.zip
Open=%cd %p/uzip://
# zip
type/i/^zip\ archive
Open=%cd %p/uzip://
# jar(zip)
type/i/^Java\ Jar\ file\ data\ \(zip\)
Open=%cd %p/uzip://
# zoo
shell/i/.zoo
Open=%cd %p/uzoo://
### Default ###
# Default target for anything not described above
default/*
Open=vim %f
View=vim %f
'';
in {
environment.systemPackages = [
(pkgs.lib.overrideDerivation pkgs.mc (original : {
postInstall = ''
rm -f $out/etc/mc/mc.ext
ln -s ${mcExt} $out/etc/mc/mc.ext
cp $out/share/mc/skins/nicedark.ini $out/share/mc/skins/default.ini
'';
}))
];
}

19
makefu/1systems/pornocauster.nix
View File

@ -9,6 +9,9 @@
../2configs/base.nix ../2configs/base.nix
../2configs/main-laptop.nix #< base-gui ../2configs/main-laptop.nix #< base-gui
# configures sources
../2configs/base-sources.nix
# Krebs # Krebs
../2configs/tinc-basic-retiolum.nix ../2configs/tinc-basic-retiolum.nix
#../2configs/disable_v6.nix #../2configs/disable_v6.nix
@ -18,34 +21,30 @@
# applications # applications
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/virtualization.nix #../2configs/virtualization.nix
../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix ../2configs/wwan.nix
# services # services
../2configs/git/brain-retiolum.nix ../2configs/git/brain-retiolum.nix
# ../2configs/Reaktor/simpleExtend.nix ../2configs/tor.nix
# hardware specifics are in here # hardware specifics are in here
../2configs/hw/tp-x220.nix ../2configs/hw/tp-x220.nix
# mount points # mount points
../2configs/fs/sda-crypto-root-home.nix ../2configs/fs/sda-crypto-root-home.nix
]; ];
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
krebs.Reaktor.nickname = "makefu|r";
krebs.build.host = config.krebs.hosts.pornocauster; krebs.build.host = config.krebs.hosts.pornocauster;
krebs.build.user = config.krebs.users.makefu; krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@pornocauster"; krebs.build.target = "root@pornocauster";
#krebs.Reaktor.nickname = "makefu|r";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 25
]; ];
krebs.build.deps = {
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
#url = https://github.com/makefu/nixpkgs;
rev = "03921972268934d900cc32dad253ff383926771c";
};
};
} }

19
makefu/2configs/base-sources.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
#url = https://github.com/makefu/nixpkgs;
rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
};
dir.secrets = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/secrets/${config.krebs.build.host.name}/";
};
dir.stockholm = {
host = config.krebs.hosts.pornocauster;
path = toString ../.. ;
};
};
}

9
makefu/2configs/base.nix
View File

@ -37,15 +37,6 @@ with lib;
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1; #nix.maxJobs = 1;
krebs.build.deps = {
secrets = {
url = "/home/makefu/secrets/${config.krebs.build.host.name}";
};
stockholm = {
url = toString ../..;
};
};
services.openssh.enable = true; services.openssh.enable = true;
nix.useChroot = true; nix.useChroot = true;

68
tv/1systems/cd.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@cd.internet"; krebs.build.target = "root@cd.internet";
krebs.build.deps = { krebs.build.source = {
nixpkgs = { git.nixpkgs = {
url = https://github.com/4z3/nixpkgs; url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692 rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
}; };
secrets = { dir.secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}"; host = config.krebs.hosts.wu;
path = "/home/tv/secrets/cd";
}; };
stockholm = { dir.stockholm = {
url = toString ../..; host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
}; };
}; };
@ -26,6 +28,7 @@ with lib;
../2configs/CAC-CentOS-7-64bit.nix ../2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix ../2configs/base.nix
#../2configs/consul-server.nix #../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix ../2configs/git.nix
{ {
imports = [ ../2configs/charybdis.nix ]; imports = [ ../2configs/charybdis.nix ];
@ -40,59 +43,6 @@ with lib;
hosts = [ "jabber.viljetic.de" ]; hosts = [ "jabber.viljetic.de" ];
}; };
} }
{
krebs.exim-smarthost = {
enable = true;
primary_hostname = "${config.networking.hostName}.retiolum";
sender_domains = [
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = [
"10.243.13.37"
];
internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = tv.mail; }
# TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
{ from = "spam@krebsco.de";
to = pkgs.lib.concatStringsSep "," [
tv.mail
"lass@mors.retiolum"
makefu.mail
];
}
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
};
}
{ {
krebs.github-hosts-sync.enable = true; krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp = tv.iptables.input-internet-accept-new-tcp =

42
tv/1systems/mkdir.nix
View File

@ -2,22 +2,37 @@
with lib; with lib;
let
# TODO merge with lass
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in
{ {
krebs.build.host = config.krebs.hosts.mkdir; krebs.build.host = config.krebs.hosts.mkdir;
krebs.build.user = config.krebs.users.tv; krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@mkdir.internet"; krebs.build.target = "root@${primary-addr4}";
krebs.build.deps = { krebs.build.source = {
nixpkgs = { git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
}; };
secrets = { dir.secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}"; host = config.krebs.hosts.wu;
path = "/home/tv/secrets/mkdir";
}; };
stockholm = { dir.stockholm = {
url = toString ../..; host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
}; };
}; };
@ -56,11 +71,18 @@ with lib;
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [
{ {
address = "162.248.167.241"; # TODO address = primary-addr4;
prefixLength = 24; prefixLength = 24;
} }
#{
# address = secondary-addr4;
# prefixLength = 24;
#}
]; ];
networking.defaultGateway = "162.248.167.1";
# TODO define gateway in krebs/3modules/default.nix
networking.defaultGateway = getDefaultGateway primary-addr4;
networking.nameservers = [ networking.nameservers = [
"8.8.8.8" "8.8.8.8"
]; ];

15
tv/1systems/nomic.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@nomic.gg23"; krebs.build.target = "root@nomic.gg23";
krebs.build.deps = { krebs.build.source = {
nixpkgs = { git.nixpkgs = {
url = https://github.com/4z3/nixpkgs; url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692 rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
}; };
secrets = { dir.secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}"; host = config.krebs.hosts.wu;
path = "/home/tv/secrets/nomic";
}; };
stockholm = { dir.stockholm = {
url = toString ../..; host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
}; };
}; };
@ -112,6 +114,7 @@ with lib;
exit 23 exit 23
esac esac
'') '')
gnupg
ntp # ntpate ntp # ntpate
rxvt_unicode.terminfo rxvt_unicode.terminfo
tmux tmux

35
tv/1systems/rmdir.nix
View File

@ -2,22 +2,37 @@
with lib; with lib;
let
# TODO merge with lass
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in
{ {
krebs.build.host = config.krebs.hosts.rmdir; krebs.build.host = config.krebs.hosts.rmdir;
krebs.build.user = config.krebs.users.tv; krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@rmdir.internet"; krebs.build.target = "root@rmdir.internet";
krebs.build.deps = { krebs.build.source = {
nixpkgs = { git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
}; };
secrets = { dir.secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}"; host = config.krebs.hosts.wu;
path = "/home/tv/secrets/rmdir";
}; };
stockholm = { dir.stockholm = {
url = toString ../..; host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
}; };
}; };
@ -57,11 +72,13 @@ with lib;
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [
{ {
address = "167.88.44.94"; address = primary-addr4;
prefixLength = 24; prefixLength = 24;
} }
]; ];
networking.defaultGateway = "167.88.44.1"; # TODO define gateway in krebs/3modules/default.nix
networking.defaultGateway = getDefaultGateway primary-addr4;
networking.nameservers = [ networking.nameservers = [
"8.8.8.8" "8.8.8.8"
]; ];

23
tv/1systems/wu.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@wu"; krebs.build.target = "root@wu";
krebs.build.deps = { krebs.build.source = {
nixpkgs = { git.nixpkgs = {
url = https://github.com/4z3/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692 rev = "bd84ebaa1e0359f41350e053ed24592b169b5714";
}; };
secrets = { dir.secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}"; host = config.krebs.hosts.wu;
path = "/home/tv/secrets/wu";
}; };
stockholm = { dir.stockholm = {
url = toString ../..; host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
}; };
}; };
@ -71,6 +73,7 @@ with lib;
cac cac
dic dic
file file
get
gitAndTools.qgit gitAndTools.qgit
gnupg21 gnupg21
haskellPackages.hledger haskellPackages.hledger
@ -213,7 +216,6 @@ with lib;
extraGroups = [ extraGroups = [
"audio" "audio"
"video" "video"
"bumblebee"
]; ];
}; };
@ -254,7 +256,6 @@ with lib;
extraGroups = [ extraGroups = [
"audio" "audio"
"video" "video"
"bumblebee"
]; ];
}; };
@ -263,7 +264,6 @@ with lib;
extraGroups = [ extraGroups = [
"audio" "audio"
"video" "video"
"bumblebee"
]; ];
}; };
@ -331,6 +331,7 @@ with lib;
}; };
"/home" = { "/home" = {
device = "/dev/mapper/home"; device = "/dev/mapper/home";
fsType = "btrfs";
options = "defaults,noatime,ssd,compress=lzo"; options = "defaults,noatime,ssd,compress=lzo";
}; };
"/boot" = { "/boot" = {

3
tv/2configs/base.nix
View File

@ -15,9 +15,10 @@ in
imports = [ imports = [
{ {
# TODO never put hashedPassword into the store
users.extraUsers = users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; }) mapAttrs (_: h: { hashedPassword = h; })
(import /root/src/secrets/hashedPasswords.nix); (import <secrets/hashedPasswords.nix>);
} }
{ {
users.defaultUserShell = "/run/current-system/sw/bin/bash"; users.defaultUserShell = "/run/current-system/sw/bin/bash";

4
tv/2configs/charybdis.nix
View File

@ -21,7 +21,7 @@ let
}; };
dhParams = mkOption { dhParams = mkOption {
type = types.str; type = types.str;
default = "/root/src/secrets/charybdis.dh.pem"; default = toString <secrets/charybdis.dh.pem>;
}; };
motd = mkOption { motd = mkOption {
type = types.str; type = types.str;
@ -32,7 +32,7 @@ let
}; };
sslKey = mkOption { sslKey = mkOption {
type = types.str; type = types.str;
default = "/root/src/secrets/charybdis.key.pem"; default = toString <secrets/charybdis.key.pem>;
}; };
}; };

55
tv/2configs/exim-smarthost.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, pkgs, ... }:
{
krebs.exim-smarthost = {
enable = true;
primary_hostname = "${config.networking.hostName}.retiolum";
sender_domains = [
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = [
"10.243.13.37"
];
internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = tv.mail; }
# TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
{ from = "spam@krebsco.de";
to = pkgs.lib.concatStringsSep "," [
tv.mail
"lass@mors.retiolum"
makefu.mail
];
}
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "tv"; }
{ from = "mirko"; to = "mv"; }
];
};
}

4
tv/2configs/git.nix
View File

@ -26,6 +26,7 @@ let
cgserver = {}; cgserver = {};
crude-mail-setup = {}; crude-mail-setup = {};
dot-xmonad = {}; dot-xmonad = {};
get = {};
hack = {}; hack = {};
load-env = {}; load-env = {};
make-snapshot = {}; make-snapshot = {};
@ -50,7 +51,8 @@ let
collaborators = with config.krebs.users; [ lass makefu ]; collaborators = with config.krebs.users; [ lass makefu ];
}; };
} // } //
import /root/src/secrets/repos.nix { inherit config lib pkgs; } # TODO don't put secrets/repos.nix into the store
import <secrets/repos.nix> { inherit config lib pkgs; }
); );
make-public-repo = name: { desc ? null, ... }: { make-public-repo = name: { desc ? null, ... }: {

2
tv/3modules/consul.nix
View File

@ -29,7 +29,7 @@ let
}; };
encrypt-file = mkOption { encrypt-file = mkOption {
type = types.str; # TODO path (but not just into store) type = types.str; # TODO path (but not just into store)
default = "/root/src/secrets/consul-encrypt.json"; default = toString <secrets/consul-encrypt.json>;
}; };
data-dir = mkOption { data-dir = mkOption {
type = types.str; # TODO path (but not just into store) type = types.str; # TODO path (but not just into store)

2
tv/3modules/ejabberd.nix
View File

@ -15,7 +15,7 @@ let
certFile = mkOption { certFile = mkOption {
type = types.str; type = types.str;
default = "/root/src/secrets/ejabberd.pem"; default = toString <secrets/ejabberd.pem>;
}; };
hosts = mkOption { hosts = mkOption {