From 00bc48d90f95bf9d5de2da6b6c82bca7d78b87f2 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Aug 2015 23:12:38 +0200 Subject: [PATCH 01/36] add host tsp (traveling salesman problem) --- Zhosts/tsp | 16 +++++++ krebs/3modules/default.nix | 28 +++++++++++ makefu/1systems/tsp.nix | 90 ++++++++++++++++++++++++++++++++++++ makefu/2configs/base-gui.nix | 23 +++++++++ 4 files changed, 157 insertions(+) create mode 100644 Zhosts/tsp create mode 100644 makefu/1systems/tsp.nix create mode 100644 makefu/2configs/base-gui.nix diff --git a/Zhosts/tsp b/Zhosts/tsp new file mode 100644 index 000000000..6c2b450d8 --- /dev/null +++ b/Zhosts/tsp @@ -0,0 +1,16 @@ +Subnet = 10.243.0.211 +Subnet = 42:f9f1:0000:0000:0000:0000:0000:0002 + +-----BEGIN RSA PUBLIC KEY----- +MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi +HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3 +mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+ +n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG +R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr +Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi +aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo +ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE +KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v +XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ +teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ== +-----END RSA PUBLIC KEY----- diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 668d66ccf..fb25f8178 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
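Review bot: The tsp address and tinc public key now live in two hand-maintained places, `Zhosts/tsp` here and the `tsp` attribute added to `krebs/3modules/default.nix` in the next hunk, with nothing tying them together, so a change to one leaves the other advertising stale data to tinc peers. Generating the host file from `nets.retiolum` (`addrs4`, `addrs6`, `tinc.pubkey`) would give a single source; failing that, a comment in each place pointing at the other, e.g. `# keep in sync with krebs/3modules/default.nix (hosts.tsp)`, would at least make the coupling visible. Nothing in this commit checks that `Subnet = 10.243.0.211` is unused by another host in Zhosts, which is worth doing before the key is distributed.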
@@ -306,6 +306,34 @@ let }; }; }; + tsp = { + cores = 4; + dc = "makefu"; #x200 + nets = { + retiolum = { + addrs4 = ["10.243.0.211"]; + addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"]; + aliases = [ + "tsp.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi + HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3 + mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+ + n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG + R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr + Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi + aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo + ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE + KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v + XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ + teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = addNames { makefu = { diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix new file mode 100644 index 000000000..3de2d300c --- /dev/null +++ b/makefu/1systems/tsp.nix 
@@ -0,0 +1,90 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../2configs/base.nix + ../2configs/base-gui.nix + ]; + services.xserver = { + videoDriver = "intel"; + }; + krebs.build.host = config.krebs.hosts.tsp; + krebs.build.user = config.krebs.users.makefu; + krebs.build.target = "root@tsp"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + }; + # TODO generalize in base.nix + secrets = { + url = "/home/makefu/secrets/${config.krebs.build.host.name}"; + }; + # TODO generalize in base.nix + stockholm = { + url = toString ../..; + }; + }; + + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + "fastpoke" + ]; + }; + + boot = { + #x200 specifics + kernelModules = [ "tp_smapi" "msr" ]; + extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; + + loader.grub.enable =true; + loader.grub.version =2; + loader.grub.device = "/dev/sda"; + + # crypto boot + # TODO: use UUID + initrd.luks.devices = [ { name = "luksroot"; device= "/dev/sda2";}]; + initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/luksroot"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-label/nixboot"; + fsType = "ext4"; + }; + }; + + # hardware specifics + networking.wireless.enable = true; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + # TODO: generalize to numCPU + 1 + nix.maxJobs = 3; + + + networking.firewall.rejectPackets = true; + networking.firewall.allowPing = true; + + + # $ nix-env -qaP | grep wget + 
environment.systemPackages = with pkgs; [ + vim + jq + ]; +} diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix new file mode 100644 index 000000000..5f977251f --- /dev/null +++ b/makefu/2configs/base-gui.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ ]; + services.xserver.enable = true; + services.xserver.layout = "us"; + +# use awesome, direct boot into + services.xserver.displayManager.auto.enable =true; + services.xserver.displayManager.auto.user =config.krebs.users.makefu; + services.xserver.windowManager.awesome.enable = true; + + security.setuidPrograms = [ "slock" ]; + +# use pulseaudio + environment.systemPackages = [ pkgs.slock ]; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + +} From 7d75cf113fc2ed694e100cd1e6e0f040ef870f19 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 4 Aug 2015 14:55:06 +0200 Subject: [PATCH 02/36] fix mkdir /root/root@/secret previously /root/root@/secret folder was created on the destination host but /root/secret/ is required. This commit fixes this behavior and creates the correct folder for bootstrapping --- krebs/3modules/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index fb25f8178..e677ba5ea 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -55,7 +55,7 @@ let --exclude .git \ --exclude .graveyard \ --exclude old \ - --rsync-path="mkdir -p \"$dst\" && rsync" \ + --rsync-path="mkdir -p \"$2\" && rsync" \ --usermap=\*:0 \ --groupmap=\*:0 \ --delete-excluded \ From a385b9a4ec7751276c81e09b51427b22a344c9a3 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 4 Aug 2015 16:13:50 +0200 Subject: [PATCH 03/36] add minimal graphite installation to pnp --- makefu/2configs/graphite-standalone.nix | 33 +++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 makefu/2configs/graphite-standalone.nix 
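Review bot: `initrd.luks.devices` identifies the encrypted root by kernel name, `device= "/dev/sda2"`, while `initrd.availableKernelModules` also makes `usb_storage` available in the initrd; kernel names are assigned in enumeration order, so a USB disk present at boot can push the LUKS volume to another name and stage 1 will wait for or try to open the wrong device. The `# TODO: use UUID` comment already flags it; `device = "/dev/disk/by-uuid/<UUID-placeholder>"` fixes it the same way `/boot` already uses `by-label`, and `loader.grub.device = "/dev/sda"` has the same dependence. These lines are moved unchanged into `makefu/2configs/sda-crypto-root.nix` in patch 16/36, so the fix belongs there as well.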
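Review bot: `hardware.pulseaudio.systemWide = true` runs a single PulseAudio daemon as a system service shared by all local users, a mode the PulseAudio project itself recommends against for ordinary desktops; with `displayManager.auto` logging the one user straight into a session, the default per-user daemon is enough and keeps audio inside that user's session. If system-wide mode is needed, say why next to the option, e.g. `# systemWide: <reason>`. `displayManager.auto.user = config.krebs.users.makefu` also passes a user attribute set where the option appears to expect a user name; worth checking against the option's type.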
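Review bot: `mkdir -p \"$2\"` in `--rsync-path` depends on the remote side having a second positional parameter, which nothing in the hunk explains, and the previous `$dst` shows how easy it is to guess wrong here; a comment on the line naming what supplies `$2` (presumably the remote-shell wrapper rsync invokes, not visible here) would prevent the next regression. The `\"$2\"` quoting is right as long as the path comes from this repo's own host definitions rather than anything user-supplied. The rsync command continues on both sides of this hunk.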
diff --git a/makefu/2configs/graphite-standalone.nix b/makefu/2configs/graphite-standalone.nix new file mode 100644 index 000000000..50c623ab9 --- /dev/null +++ b/makefu/2configs/graphite-standalone.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with lib; +{ + imports = [ ]; + services.graphite = { + web = { + enable = true; + host = "0.0.0.0"; + }; + carbon = { + enableCache = true; + # save disk usage by restricting to 1 bulk update per second + config = '' + [cache] + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1 + MAX_CREATES_PER_MINUTE = 50 + ''; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [default] + pattern = .* + retentions = 60s:30d,300s:1y + ''; + }; + }; +} From b3c25831d1ac80578222cc7d0e8f3559f92f34c1 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 5 Aug 2015 14:56:38 +0200 Subject: [PATCH 04/36] add graphite to pnp --- makefu/1systems/pnp.nix | 10 ++++++++-- makefu/2configs/graphite-web.nix | 24 ++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 makefu/2configs/graphite-web.nix diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index 549658983..a8df522f2 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -10,6 +10,7 @@ ../2configs/base.nix ../2configs/cgit-retiolum.nix + ../2configs/graphite-standalone.nix ]; krebs.build.host = config.krebs.hosts.pnp; krebs.build.user = config.krebs.users.makefu; @@ -38,8 +39,13 @@ hardware.enableAllFirmware = true; hardware.cpu.amd.updateMicrocode = true; -# networking.firewall is enabled by default - networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedTCPPorts = [ + # nginx runs on 80 + 80 + # graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp + 8080 2003 + ]; + networking.firewall.allowedUDPPorts = [ 2003 ]; networking.firewall.rejectPackets = true; networking.firewall.allowPing = true; 
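Review bot: `services.graphite.web.host = "0.0.0.0"` binds graphite-web to every interface, and the pnp.nix hunk in patch 04/36 then opens `8080 2003` TCP and `2003` UDP in `networking.firewall`; graphite-web serves its render API anonymously by default and carbon's receiver on 2003 takes metrics from any sender, so if pnp has an address outside retiolum anyone can read the dashboards and write, or flood, whisper files. `MAX_CREATES_PER_MINUTE = 50` limits but does not stop creation of arbitrary metric files by unauthenticated writers. Bind `host` to pnp's retiolum address, or leave the ports closed and front graphite-web with the nginx that the same firewall hunk notes is already on port 80.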
diff --git a/makefu/2configs/graphite-web.nix b/makefu/2configs/graphite-web.nix new file mode 100644 index 000000000..daa1d49a3 --- /dev/null +++ b/makefu/2configs/graphite-web.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ ]; + services.graphite = { + web = { + enable = true; + host = "0.0.0.0"; + }; + carbon = { + enableCache = true; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [default] + pattern = .* + retentions = 60s:30d,300s:1y + ''; + }; + }; +} From dd8c918c876f923b7ca5d9446b03c0b01f82b531 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 5 Aug 2015 15:11:52 +0200 Subject: [PATCH 05/36] test vicious for awesome on tsp --- makefu/1systems/tsp.nix | 13 ++++++++----- makefu/2configs/base-gui.nix | 21 ++++++++++++++++----- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 3de2d300c..d67a5c076 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix @@ -10,17 +10,20 @@ ../2configs/base.nix ../2configs/base-gui.nix ]; - services.xserver = { - videoDriver = "intel"; - }; + # not working in vm + #services.xserver = { + # videoDriver = "intel"; + #}; krebs.build.host = config.krebs.hosts.tsp; krebs.build.user = config.krebs.users.makefu; krebs.build.target = "root@tsp"; krebs.build.deps = { nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + #url = https://github.com/NixOS/nixpkgs; + url = https://github.com/makefu/nixpkgs; + #rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + rev = "08275910ba86ed9bd7a2608e6a1e5285faf24cb2"; }; # TODO generalize in base.nix secrets = { diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index 5f977251f..056005f75 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix 
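Review bot: `makefu/2configs/graphite-web.nix` is the `graphite-standalone.nix` from patch 03/36 minus the `[cache]` config, and pnp.nix imports the standalone file, so nothing imports this one; two copies of the same `storageSchemas` will drift. Either drop it or make it the shared base that graphite-standalone imports.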
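Review bot: Retired alternatives are piling up as comments in `krebs.build.deps.nixpkgs` (`#url = https://github.com/NixOS/nixpkgs;`, `#rev = "4c01e6d9…"`), and patch 07/36 adds a third; git history already records old pins, so keep one `url`/`rev` pair and replace the dead lines with a comment saying why the `makefu/nixpkgs` fork is used instead of upstream. Pinning a fork by full commit hash is fine from a supply-chain standpoint as long as it stays a hash and not a branch name.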
@@ -3,13 +3,24 @@ with lib; { imports = [ ]; - services.xserver.enable = true; - services.xserver.layout = "us"; + services.xserver = { + enable = true; + layout = "us"; # use awesome, direct boot into - services.xserver.displayManager.auto.enable =true; - services.xserver.displayManager.auto.user =config.krebs.users.makefu; - services.xserver.windowManager.awesome.enable = true; + displayManager.auto.enable = true; +# TODO: use config.krebs.users.makefu ... or not + displayManager.auto.user = "makefu"; + + windowManager = { + awesome.enable = true; + awesome.luaModules = [ pkgs.luaPackages.vicious ]; + default = "awesome"; + }; + + desktopManager.xterm.enable = false; + desktopManager.default = "none"; + }; security.setuidPrograms = [ "slock" ]; From 662f22a1ddd32d33157d3807756b0742e7d21752 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 5 Aug 2015 15:24:50 +0200 Subject: [PATCH 06/36] make eval: don't use $json anymore --- Makefile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ca828fd2b..54656e9e1 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,7 @@ deploy:;@ eval: @ ifeq ($(filter),json) - extraArgs=--json + extraArgs='--json --strict' filter() { jq -r .; } else filter() { cat; } @@ -33,8 +33,6 @@ endif NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ nix-instantiate \ $${extraArgs-} \ - $${json+--json} \ - $${json+--strict} \ --eval \ -A "$$get" \ '' \ From eeb7a84e988c0fa41113643505d2965b0f81ffb9 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 5 Aug 2015 16:54:15 +0200 Subject: [PATCH 07/36] use unstable nixpkgs release --- makefu/1systems/tsp.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index d67a5c076..2d3fd9225 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix 
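Review bot: `extraArgs='--json --strict'` packs two flags into one variable that the second hunk then expands unquoted as `$${extraArgs-}`, so the shell's word splitting is what makes them two arguments; it works, but it reads like the usual quoting mistake and will break the moment an argument contains a space. A comment on the assignment, `# two words on purpose: expanded unquoted below`, makes the intent explicit. The `eval` recipe starts before the first hunk and continues after the second.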
@@ -23,7 +23,8 @@
 #url = https://github.com/NixOS/nixpkgs;
 url = https://github.com/makefu/nixpkgs;
 #rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- rev = "08275910ba86ed9bd7a2608e6a1e5285faf24cb2";
+ #rev = "08275910ba86ed9bd7a2608e6a1e5285faf24cb2";
+ rev = "53d79a8074e7a4465515e67ea565dc73cbc14c5c";
 };
 # TODO generalize in base.nix
 secrets = {
From 2499c472a08783d1cc1105c9b4c48b04f8062b5b Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 5 Aug 2015 16:55:10 +0200
Subject: [PATCH 08/36] fix ip of tsp (211 is already in use)
---
 krebs/3modules/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e677ba5ea..4644e59eb 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -311,7 +311,7 @@ let
 dc = "makefu"; #x200
 nets = {
 retiolum = {
- addrs4 = ["10.243.0.211"];
+ addrs4 = ["10.243.0.212"];
 addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"];
 aliases = [
 "tsp.retiolum"
From 01681b908f58e988f028054dd10de44579ca24ff Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 00:11:26 +0200
Subject: [PATCH 09/36] tv 2 git: add public repo: cac
---
 tv/2configs/git.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index ecb98cef2..8d662494c 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -20,6 +20,9 @@ let
 rules = concatMap make-rules (attrValues repos);
 public-repos = mapAttrs make-public-repo {
+ cac = {
+ desc = "CloudAtCost command line interface";
+ };
 cgserver = {};
 crude-mail-setup = {};
 dot-xmonad = {};
From a982edd25d442e443bc67159064eeb080ed3339c Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 00:21:40 +0200
Subject: [PATCH 10/36] krebs pkgs cac: init at 07ef31c
---
 krebs/5pkgs/cac.nix | 36 ++++++++++++++++++++++++++++++++++++
 krebs/5pkgs/default.nix | 1 +
 tv/1systems/wu.nix | 1 +
 3 files changed, 38 insertions(+)
 create mode 100644 krebs/5pkgs/cac.nix
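Review bot: The tinc host file `Zhosts/tsp` from patch 01/36 still says `Subnet = 10.243.0.211` after this commit, so the module and the host record tinc peers actually load now disagree on tsp's address; a change of `addrs4` has to touch both files until `Zhosts/tsp` is generated from `nets.retiolum`. Patch 21/36 catches up the host file, but a reader of this commit alone has no hint that a second copy exists, so a comment such as `# also update Zhosts/tsp` next to `addrs4` would help in the meantime.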
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix new file mode 100644 index 000000000..3322e1a13 --- /dev/null +++ b/krebs/5pkgs/cac.nix @@ -0,0 +1,36 @@ +{ stdenv, fetchgit, coreutils, curl, gnused, jq, ... }: + +stdenv.mkDerivation { + name = "cac"; + + src = fetchgit { + url = http://cgit.cd.retiolum/cac; + rev = "07ef31c50613634e88a31233d1fcd2ec3e52bfe8"; + sha256 = "4e94709a3f580a53983ca418fa0b470817ac917aa1b2d095f2420afd36ea9158"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + path = stdenv.lib.makeSearchPath "bin" [ + coreutils + curl + gnused + jq + ]; + in + '' + mkdir -p $out/bin + + sed \ + 's,^\( true) \)\(cac "$@";;\)$,\1 PATH=${path} \2,' \ + < ./cac \ + > $out/bin/cac + + chmod +x $out/bin/cac + ''; +} diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 231fda797..5de84f66c 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -6,6 +6,7 @@ in pkgs // { + cac = callPackage ./cac.nix {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; github-hosts-sync = callPackage ./github-hosts-sync.nix {}; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 27691ec56..ae6ef1327 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -91,6 +91,7 @@ in sxiv texLive tmux + tvpkgs.cac tvpkgs.dic zathura From 7d9f1a321dfc8a27f7dbf65ba9ddf00202d3b53e Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 6 Aug 2015 00:56:28 +0200 Subject: [PATCH 11/36] krebs pkgs cac: add missing dep: sshpass --- krebs/5pkgs/cac.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix index 3322e1a13..336f96b92 100644 --- a/krebs/5pkgs/cac.nix +++ b/krebs/5pkgs/cac.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchgit, coreutils, curl, gnused, jq, ... }: +{ stdenv, fetchgit, coreutils, curl, gnused, jq, sshpass, ... }: stdenv.mkDerivation { name = "cac"; @@ -21,6 +21,7 @@ stdenv.mkDerivation { curl gnused jq + sshpass ]; in '' 
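Review bot: The `sed` in `installPhase` rewrites the line matching `^\( true) \)\(cac "$@";;\)$` to force `PATH=${path}`, but when the upstream script no longer contains that exact line (patches 12/36 and 15/36 already bump `rev` twice) the pattern silently matches nothing and the installed `cac` runs with whatever PATH the caller has, which is precisely what this rewrite is meant to prevent. Make the build fail instead, e.g. after the `chmod`: `grep -q 'PATH=${path}' $out/bin/cac`. Fetching over plain `http://cgit.cd.retiolum/cac` is acceptable only because `sha256` pins the content, so every `rev` bump must update the hash rather than relax it.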
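Review bot: Adding `sshpass` to the wrapper PATH means `cac` logs into the CloudAtCost machines with passwords rather than keys, and if the script calls `sshpass -p <password>` that password is visible to every local user in the process list for the duration of the session; `sshpass -e` (password from `SSHPASS`) or `-f <file>` avoids that. The script itself is not in this hunk, so check how it invokes sshpass before using the package on a shared host.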
From c98cbf2169f6399bab88f936db0a21bd46cefd65 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 00:59:34 +0200
Subject: [PATCH 12/36] krebs pkgs cac: 07ef31c -> 0fc9cbe
---
 krebs/5pkgs/cac.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix
index 336f96b92..cce88920d 100644
--- a/krebs/5pkgs/cac.nix
+++ b/krebs/5pkgs/cac.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
 src = fetchgit {
 url = http://cgit.cd.retiolum/cac;
- rev = "07ef31c50613634e88a31233d1fcd2ec3e52bfe8";
- sha256 = "4e94709a3f580a53983ca418fa0b470817ac917aa1b2d095f2420afd36ea9158";
+ rev = "0fc9cbeba4060380f698f51bb74081e2fcefadf3";
+ sha256 = "9759c78aa9aa04ab82486d0f24264bff1081513bc07cac0f8b3c0bdf52260fb3";
 };
 phases = [
From 3e7220b417c398479e13617bd85d5c2c316c6bcd Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 01:01:43 +0200
Subject: [PATCH 13/36] krebs pkgs cac: add missing dep: ncurses
---
 krebs/5pkgs/cac.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix
index cce88920d..223d1ccf9 100644
--- a/krebs/5pkgs/cac.nix
+++ b/krebs/5pkgs/cac.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, coreutils, curl, gnused, jq, sshpass, ... }:
+{ stdenv, fetchgit, coreutils, curl, gnused, jq, ncurses, sshpass, ... }:
 stdenv.mkDerivation {
 name = "cac";
@@ -21,6 +21,7 @@ stdenv.mkDerivation {
 curl
 gnused
 jq
+ ncurses
 sshpass
 ];
 in
From 1692022c670e96a78b0d452d1ecbd6cb81961391 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 01:02:49 +0200
Subject: [PATCH 14/36] krebs pkgs cac: leak $PATH for $PAGER
---
 krebs/5pkgs/cac.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix
index 223d1ccf9..49a5bd276 100644
--- a/krebs/5pkgs/cac.nix
+++ b/krebs/5pkgs/cac.nix
@@ -29,7 +29,7 @@ stdenv.mkDerivation {
 mkdir -p $out/bin
 sed \
- 's,^\( true) \)\(cac "$@";;\)$,\1 PATH=${path} \2,' \
+ 's,^\( true) \)\(cac "$@";;\)$,\1 PATH=${path}${PATH+:$PATH} \2,' \
 < ./cac \
 > $out/bin/cac
From 90e0d14b3ec91cebb0119974c54a9bc9cdc6d70c Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 6 Aug 2015 19:39:18 +0200
Subject: [PATCH 15/36] krebs pkgs cac: 0fc9cbe -> f458915
---
 krebs/5pkgs/cac.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix
index 49a5bd276..eff523048 100644
--- a/krebs/5pkgs/cac.nix
+++ b/krebs/5pkgs/cac.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
 src = fetchgit {
 url = http://cgit.cd.retiolum/cac;
- rev = "0fc9cbeba4060380f698f51bb74081e2fcefadf3";
- sha256 = "9759c78aa9aa04ab82486d0f24264bff1081513bc07cac0f8b3c0bdf52260fb3";
+ rev = "f4589158572ab35969b9bccf801ea07e115705e1";
+ sha256 = "9d761cd1d7ff68507392cbfd6c3f6000ddff9cc540293da2b3c4ee902321fb27";
 };
 phases = [
From 91a112c24294154be3b812e2b52e1c651d336aff Mon Sep 17 00:00:00 2001
From: makefu
Date: Fri, 7 Aug 2015 12:10:02 +0200
Subject: [PATCH 16/36] refactor tsp
---
 makefu/1systems/tsp.nix | 51 +++--------------------
 makefu/2configs/base-gui.nix | 26 ++++++++++-----
 makefu/2configs/base.nix | 14 +++++++-
 makefu/2configs/sda-crypto-root.nix | 27 +++++++++++++++
 makefu/2configs/tp-x200.nix | 23 +++++++++++++
 5 files changed, 84 insertions(+), 57 deletions(-)
 create mode 100644 makefu/2configs/sda-crypto-root.nix
 create mode 100644 makefu/2configs/tp-x200.nix
diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix
index 2d3fd9225..3979b70b9 100644
--- a/makefu/1systems/tsp.nix
+++ b/makefu/1systems/tsp.nix
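Review bot: `${PATH+:$PATH}` is written inside the Nix indented string (`''`) that holds `installPhase`, where `${` opens a Nix interpolation exactly as the neighbouring `${path}` does, so as printed the text `PATH+:$PATH` goes to the Nix evaluator rather than to sed; unless the real file escapes it as `''${PATH+:$PATH}`, the derivation will fail to evaluate. Appending the caller's PATH also means a tool missing from the wrapper's `path` list is found from the user's environment instead of failing, which is how the `sshpass` and `ncurses` omissions in patches 11/36 and 13/36 would have gone unnoticed; a comment on the line, `# caller PATH appended only so $PAGER resolves`, would record the trade-off.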
@@ -9,11 +9,10 @@ [ # Include the results of the hardware scan. ../2configs/base.nix ../2configs/base-gui.nix + ../2configs/tp-x200.nix + ../2configs/sda-crypto-root.nix ]; # not working in vm - #services.xserver = { - # videoDriver = "intel"; - #}; krebs.build.host = config.krebs.hosts.tsp; krebs.build.user = config.krebs.users.makefu; krebs.build.target = "root@tsp"; @@ -21,18 +20,9 @@ krebs.build.deps = { nixpkgs = { #url = https://github.com/NixOS/nixpkgs; + # rev=$(curl https://nixos.org/channels/nixos-unstable/git-revision -L) url = https://github.com/makefu/nixpkgs; - #rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - #rev = "08275910ba86ed9bd7a2608e6a1e5285faf24cb2"; - rev = "53d79a8074e7a4465515e67ea565dc73cbc14c5c"; - }; - # TODO generalize in base.nix - secrets = { - url = "/home/makefu/secrets/${config.krebs.build.host.name}"; - }; - # TODO generalize in base.nix - stockholm = { - url = toString ../..; + rev = "8b8b65da24f13f9317504e8bcba476f9161613fe"; }; }; @@ -46,40 +36,7 @@ ]; }; - boot = { - #x200 specifics - kernelModules = [ "tp_smapi" "msr" ]; - extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; - - loader.grub.enable =true; - loader.grub.version =2; - loader.grub.device = "/dev/sda"; - - # crypto boot - # TODO: use UUID - initrd.luks.devices = [ { name = "luksroot"; device= "/dev/sda2";}]; - initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - }; - fileSystems = { - "/" = { - device = "/dev/mapper/luksroot"; - fsType = "ext4"; - }; - "/boot" = { - device = "/dev/disk/by-label/nixboot"; - fsType = "ext4"; - }; - }; - # hardware specifics - networking.wireless.enable = true; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - # TODO: generalize to numCPU + 1 - nix.maxJobs = 3; networking.firewall.rejectPackets = true; 
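Review bot: The first hunk deletes the commented-out `services.xserver` block but keeps its `# not working in vm` comment, which now sits directly above `krebs.build.host = config.krebs.hosts.tsp;` where it makes no sense; delete it with the block or move it next to the commented `videoDriver` lines in the new `tp-x200.nix`. In the second hunk the added `# rev=$(curl https://nixos.org/channels/nixos-unstable/git-revision -L)` documents taking the hash from the upstream channel while `url` stays on the `makefu/nixpkgs` fork, so the pinned `rev` only resolves if the fork carries that upstream commit; state that, or point `url` back at `NixOS/nixpkgs` for channel revisions.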
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index 056005f75..7f329c6ce 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -1,31 +1,39 @@ { config, lib, pkgs, ... }: - +## +# of course this name is a lie - it prepares a GUI environment close to my +# current configuration. +# +# autologin with mainUser into awesome +## +# with lib; +let + mainUser = config.krebs.build.user.name; +in { imports = [ ]; services.xserver = { enable = true; layout = "us"; -# use awesome, direct boot into - displayManager.auto.enable = true; -# TODO: use config.krebs.users.makefu ... or not - displayManager.auto.user = "makefu"; - windowManager = { awesome.enable = true; awesome.luaModules = [ pkgs.luaPackages.vicious ]; default = "awesome"; }; + displayManager.auto.enable = true; + displayManager.auto.user = mainUser; desktopManager.xterm.enable = false; - desktopManager.default = "none"; }; security.setuidPrograms = [ "slock" ]; -# use pulseaudio - environment.systemPackages = [ pkgs.slock ]; + environment.systemPackages = [ + pkgs.slock + pkgs.rxvt_unicode-with-plugins + ]; + hardware.pulseaudio = { enable = true; systemWide = true; diff --git a/makefu/2configs/base.nix b/makefu/2configs/base.nix index 8dfb2ef27..792cccc71 100644 --- a/makefu/2configs/base.nix +++ b/makefu/2configs/base.nix @@ -6,7 +6,7 @@ with lib; krebs.enable = true; krebs.search-domain = "retiolum"; - networking.hostName = config.krebs.build.host.name; + users.extraUsers = { root = { openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; @@ -24,6 +24,18 @@ with lib; }; }; + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores + 1; + + krebs.build.deps = { + secrets = { + url = "/home/makefu/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + services.openssh.enable = true; nix.useChroot = true; 
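Review bot: The new header block turns `with lib;` into `# with lib;`, and on the new side of the hunk no `with lib;` remains; it still evaluates because nothing here uses `lib` (`mainUser` comes from `config`), but the commented line reads like an accident, so either remove it or restore it. The header says `autologin with mainUser into awesome`; since `displayManager.auto.user = mainUser` enters the session without a password, the disk passphrase from `sda-crypto-root.nix` is the only gate on tsp, which the header should state so this module is not reused on a host without full-disk encryption.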
diff --git a/makefu/2configs/sda-crypto-root.nix b/makefu/2configs/sda-crypto-root.nix new file mode 100644 index 000000000..0d979a0b8 --- /dev/null +++ b/makefu/2configs/sda-crypto-root.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +# sda: bootloader grub2 +# sda1: boot ext4 (label nixboot) +# sda2: cryptoluks -> ext4 +with lib; +{ + boot = { + loader.grub.enable =true; + loader.grub.version =2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device= "/dev/sda2";}]; + initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/luksroot"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-label/nixboot"; + fsType = "ext4"; + }; + }; +} diff --git a/makefu/2configs/tp-x200.nix b/makefu/2configs/tp-x200.nix new file mode 100644 index 000000000..64d3f85a1 --- /dev/null +++ b/makefu/2configs/tp-x200.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + #services.xserver = { + # videoDriver = "intel"; + #}; + + boot = { + kernelModules = [ "tp_smapi" "msr" ]; + extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; + + }; + + networking.wireless.enable = true; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + hardware.trackpoint.enable = true; + hardware.trackpoint.sensitivity = 255; + hardware.trackpoint.speed = 255; +} From 4d460eb95f398797df4d502be496a79481bdd809 Mon Sep 17 00:00:00 2001 
From: makefu Date: Fri, 7 Aug 2015 12:53:02 +0200 Subject: [PATCH 17/36] refactor pnp --- makefu/1systems/pnp.nix | 45 +++++-------------------- makefu/2configs/graphite-standalone.nix | 1 + makefu/2configs/graphite-web.nix | 24 ------------- makefu/2configs/tinc-basic-retiolum.nix | 14 ++++++++ makefu/2configs/vm-single-partition.nix | 20 +++++++++++ 5 files changed, 44 insertions(+), 60 deletions(-) delete mode 100644 makefu/2configs/graphite-web.nix create mode 100644 makefu/2configs/tinc-basic-retiolum.nix create mode 100644 makefu/2configs/vm-single-partition.nix diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index a8df522f2..bc4c679b7 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -11,6 +11,8 @@ ../2configs/base.nix ../2configs/cgit-retiolum.nix ../2configs/graphite-standalone.nix + ../2configs/vm-single-partition.nix + ../2configs/tinc-basic-retiolum.nix ]; krebs.build.host = config.krebs.hosts.pnp; krebs.build.user = config.krebs.users.makefu; 
@@ -21,50 +23,21 @@ url = https://github.com/NixOS/nixpkgs; rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; }; - secrets = { - url = "/home/makefu/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; }; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - hardware.enableAllFirmware = true; - hardware.cpu.amd.updateMicrocode = true; - networking.firewall.allowedTCPPorts = [ # nginx runs on 80 - 80 # graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp - 8080 2003 - ]; + 80 + 8080 2003 + ]; networking.firewall.allowedUDPPorts = [ 2003 ]; + networking.firewall.rejectPackets = true; networking.firewall.allowPing = true; - fileSystems."/" = - { device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - krebs.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "gum" - "pigstarter" - "fastpoke" - ]; - }; - # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - jq - ]; + environment.systemPackages = with pkgs; [ + jq + ]; } diff --git a/makefu/2configs/graphite-standalone.nix b/makefu/2configs/graphite-standalone.nix index 50c623ab9..8b70c11c8 100644 --- a/makefu/2configs/graphite-standalone.nix +++ b/makefu/2configs/graphite-standalone.nix @@ -5,6 +5,7 @@ with lib; { imports = [ ]; + services.graphite = { web = { enable = true; diff --git a/makefu/2configs/graphite-web.nix b/makefu/2configs/graphite-web.nix deleted file mode 100644 index daa1d49a3..000000000 --- a/makefu/2configs/graphite-web.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - imports = [ ]; - services.graphite = { - web = { - enable = true; - host = "0.0.0.0"; - }; - carbon = { - enableCache = true; - storageSchemas = '' - [carbon] - pattern = ^carbon\. - retentions = 60:90d - - [default] - pattern = .* - retentions = 60s:30d,300s:1y - ''; - }; - }; -} diff --git a/makefu/2configs/tinc-basic-retiolum.nix b/makefu/2configs/tinc-basic-retiolum.nix new file mode 100644 index 000000000..cb1991bd6 --- /dev/null +++ b/makefu/2configs/tinc-basic-retiolum.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + "fastpoke" + ]; + }; +} diff --git a/makefu/2configs/vm-single-partition.nix b/makefu/2configs/vm-single-partition.nix new file mode 100644 index 000000000..78a5e7175 --- /dev/null +++ b/makefu/2configs/vm-single-partition.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +# vda1 ext4 (label nixos) -> only root partition +with lib; +{ + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + hardware.cpu.amd.updateMicrocode = true; + + +} From fad2a76defb18108a271633392344dbb49bb769b Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 7 Aug 2015 12:53:38 +0200 Subject: [PATCH 18/36] begin customization of gui --- makefu/1systems/tsp.nix | 19 +++---------------- makefu/2configs/base-gui.nix | 6 +++--- 2 files changed, 6 insertions(+), 19 deletions(-) diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 3979b70b9..da7466d75 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix 
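Review bot: `hardware.cpu.amd.updateMicrocode = true`, `hardware.enableAllFirmware` and `nixpkgs.config.allowUnfree` are unrelated to the partition layout this module is named for and whose header reads `vda1 ext4 (label nixos) -> only root partition`, and microcode loading is generally not applicable inside a VM guest anyway. Keep this file to `boot.loader` and `fileSystems`, and put the CPU/firmware settings in a hardware module as `tp-x200.nix` does for the laptop.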
@@ -9,8 +9,10 @@ [ # Include the results of the hardware scan. ../2configs/base.nix ../2configs/base-gui.nix - ../2configs/tp-x200.nix + ../2configs/tinc-basic-retiolum.nix ../2configs/sda-crypto-root.nix + # hardware specifics are in here + ../2configs/tp-x200.nix ]; # not working in vm krebs.build.host = config.krebs.hosts.tsp; @@ -26,24 +28,9 @@ }; }; - krebs.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "gum" - "pigstarter" - "fastpoke" - ]; - }; - - # hardware specifics - - networking.firewall.rejectPackets = true; networking.firewall.allowPing = true; - - # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ vim jq diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index 7f329c6ce..c4755c217 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -15,6 +15,8 @@ in services.xserver = { enable = true; layout = "us"; + xkbVariant = "altgr-intl"; + xkbOptions = "ctrl:nocaps"; windowManager = { awesome.enable = true; @@ -27,10 +29,8 @@ in desktopManager.xterm.enable = false; }; - security.setuidPrograms = [ "slock" ]; - environment.systemPackages = [ - pkgs.slock + pkgs.xlockmore pkgs.rxvt_unicode-with-plugins ]; From 7bb85d74f8dbf8751344f9248b9365b4543bf20f Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 7 Aug 2015 13:51:49 +0200 Subject: [PATCH 19/36] makefu/2configs:add hashedPasswords --- makefu/2configs/base.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/base.nix b/makefu/2configs/base.nix index 792cccc71..2e18acf7c 100644 --- a/makefu/2configs/base.nix +++ b/makefu/2configs/base.nix @@ -2,7 +2,13 @@ with lib; { - imports = [ ]; + imports = [ + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + ]; krebs.enable = true; krebs.search-domain = "retiolum"; 
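Review bot: Swapping `pkgs.slock` for `pkgs.xlockmore` also removes `security.setuidPrograms = [ "slock" ]` without adding a counterpart, yet a screen locker needs some privileged path, setuid or PAM, to check the user's password; confirm that the `xlockmore` from the pinned nixpkgs authenticates without a wrapper, because the failure mode is a lock that cannot be released on an auto-login laptop. A one-line comment recording how xlock authenticates would save the next person the same check.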
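Review bot: `hashedPassword` values fed through `users.extraUsers` end up in the Nix store (the system closure carries the users/groups data used at activation), which is world-readable, so the hashes in `/root/src/secrets/hashedPasswords.nix` are protected only by their algorithm and cost; make sure they are sha512crypt with a high round count, and prefer the per-user `passwordFile` option pointing outside the store if the pinned nixpkgs offers it. `import /root/src/secrets/hashedPasswords.nix` by absolute path also ties evaluation to the build host's filesystem although `krebs.build.deps.secrets` already names a secrets location. Combined with `users.mutableUsers = false` in the second hunk, any account absent from that file, `root` included, is left without a usable password, which is fine with the root authorized key configured elsewhere in base.nix but deserves a comment next to the import.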
@@ -39,7 +45,7 @@ with lib;
 services.openssh.enable = true;
 nix.useChroot = true;
- users.mutableUsers = true;
+ users.mutableUsers = false;
 boot.tmpOnTmpfs = true;
 systemd.tmpfiles.rules = [
From a919ddb3878c59f1306d8d22f46b603aceb90e27 Mon Sep 17 00:00:00 2001
From: makefu
Date: Fri, 7 Aug 2015 15:50:06 +0200
Subject: [PATCH 20/36] makefu:include vim.nix
---
 makefu/2configs/base.nix | 2 +
 makefu/2configs/vim.nix | 119 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 makefu/2configs/vim.nix
diff --git a/makefu/2configs/base.nix b/makefu/2configs/base.nix
index 2e18acf7c..25d92d63d 100644
--- a/makefu/2configs/base.nix
+++ b/makefu/2configs/base.nix
@@ -8,6 +8,7 @@ with lib;
 mapAttrs (_: h: { hashedPassword = h; })
 (import /root/src/secrets/hashedPasswords.nix);
 }
+ ./vim.nix
 ];
 krebs.enable = true;
 krebs.search-domain = "retiolum";
@@ -32,6 +33,7 @@ with lib;
 networking.hostName = config.krebs.build.host.name;
 nix.maxJobs = config.krebs.build.host.cores + 1;
+ #nix.maxJobs = 1;
 krebs.build.deps = {
 secrets = {
diff --git a/makefu/2configs/vim.nix b/makefu/2configs/vim.nix
new file mode 100644
index 000000000..b71d95148
--- /dev/null
+++ b/makefu/2configs/vim.nix
@@ -0,0 +1,119 @@ +{ config, pkgs, ... }: + +let + customPlugins.vim-better-whitespace = pkgs.vimUtils.buildVimPlugin { + name = "vim-better-whitespace"; + src = pkgs.fetchFromGitHub { + owner = "ntpeters"; + repo = "vim-better-whitespace"; + rev = "984c8da518799a6bfb8214e1acdcfd10f5f1eed7"; + sha256 = "10l01a8xaivz6n01x6hzfx7gd0igd0wcf9ril0sllqzbq7yx2bbk"; + }; + }; + +in { + + environment.systemPackages = [ + pkgs.python27Full # required for youcompleteme + (pkgs.vim_configurable.customize { + name = "vim"; + + vimrcConfig.customRC = '' + set nocompatible + syntax on + + filetype off + filetype plugin indent on + + colorscheme darkblue + set background=dark + + set number + set relativenumber + set mouse=a + set ignorecase + set incsearch + set wildignore=*.o,*.obj,*.bak,*.exe,*.os + set textwidth=79 + set shiftwidth=2 + set expandtab + set softtabstop=2 + set shiftround + set smarttab + set tabstop=2 + set et + set autoindent + set backspace=indent,eol,start + + + inoremap + nnoremap + vnoremap + + nnoremap :UndotreeToggle + set undodir =~/.vim/undo + set undofile + "maximum number of changes that can be undone + set undolevels=1000000 + "maximum number lines to save for undo on a buffer reload + set undoreload=10000000 + + nnoremap :set invpaste paste? + set pastetoggle= + set showmode + + set showmatch + set matchtime=3 + set hlsearch + + autocmd ColorScheme * highlight ExtraWhitespace ctermbg=red guibg=red + + + " save on focus lost + au FocusLost * :wa + + autocmd BufRead *.json set filetype=json + au BufNewFile,BufRead *.mustache set syntax=mustache + + cnoremap SudoWrite w !sudo tee > /dev/null % + + " create Backup/tmp/undo dirs + set backupdir=~/.vim/backup + set directory=~/.vim/tmp + + function! InitBackupDir() + let l:parent = $HOME . '/.vim/' + let l:backup = l:parent . 'backup/' + let l:tmpdir = l:parent . 'tmp/' + let l:undodir= l:parent . 
'undo/' + + + if !isdirectory(l:parent) + call mkdir(l:parent) + endif + if !isdirectory(l:backup) + call mkdir(l:backup) + endif + if !isdirectory(l:tmpdir) + call mkdir(l:tmpdir) + endif + if !isdirectory(l:undodir) + call mkdir(l:undodir) + endif + endfunction + call InitBackupDir() + + + ''; + + vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; + vimrcConfig.vam.pluginDictionaries = [ + { names = [ "undotree" + "YouCompleteMe" + "vim-better-whitespace" ]; } + { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } + ]; + + }) + ]; +} From 4fc382180ffcbe2326ac559de158fefff6370ab5 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 9 Aug 2015 14:53:24 +0200 Subject: [PATCH 21/36] makefu: fix tsp ip, add font in base-gui --- Zhosts/tsp | 2 +- makefu/2configs/base-gui.nix | 22 ++++++++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/Zhosts/tsp b/Zhosts/tsp index 6c2b450d8..314abb3f5 100644 --- a/Zhosts/tsp +++ b/Zhosts/tsp @@ -1,4 +1,4 @@ -Subnet = 10.243.0.211 +Subnet = 10.243.0.212 Subnet = 42:f9f1:0000:0000:0000:0000:0000:0002 -----BEGIN RSA PUBLIC KEY----- diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index c4755c217..6cfd0e50c 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -29,14 +29,28 @@ in desktopManager.xterm.enable = false; }; - environment.systemPackages = [ - pkgs.xlockmore - pkgs.rxvt_unicode-with-plugins +## FONTS +# TODO: somewhere else? + + i18n.consoleFont = "Lat2-Terminus16"; + + fonts = { + enableCoreFonts = true; + enableFontDir = true; + enableGhostscriptFonts = false; + fonts = [ pkgs.terminus_font ]; + }; + + environment.systemPackages = with pkgs;[ + xlockmore + rxvt_unicode-with-plugins + vlc + firefox + chromium ]; hardware.pulseaudio = { enable = true; systemWide = true; }; - } From 23da0b49331d5eba92c776ebcd1864b04e3ff8cf Mon Sep 17 00:00:00 2001 
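Review bot: The new vimrc persists every edited buffer in three places — `set undofile` with `set undodir =~/.vim/undo`, `set backupdir=~/.vim/backup` and `set directory=~/.vim/tmp` — so editing a secrets file such as the `hashedPasswords.nix` imported in base.nix leaves its content in undo and backup files long after the edit. Consider switching those off for sensitive paths, e.g. `autocmd BufReadPre,BufNewFile /root/src/secrets/* setlocal noundofile nobackup noswapfile`, and giving the directories that `InitBackupDir()` creates an explicit restrictive mode, since `mkdir()` there is called without a protection argument. `set expandtab` and `set et` set the same option twice.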
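Review bot: This commit moves the tsp subnet in `Zhosts/tsp` to `10.243.0.212`, but the diffstat lists only `Zhosts/tsp` and `base-gui.nix`; if the `tsp` host entry in `krebs/3modules/default.nix` also carries the retiolum `addrs4`, as the other host entries in this series do, it needs the same update or the two copies of the address disagree. Keeping the address in one place (generating the `Zhosts` file from the module data, or the reverse) would remove this kind of drift.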
From: makefu Date: Sun, 9 Aug 2015 15:13:01 +0200 Subject: [PATCH 22/36] tsp can push stockholm in cgit --- Zpubkeys/makefu_tsp.ssh.pub | 1 + makefu/2configs/cgit-retiolum.nix | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 Zpubkeys/makefu_tsp.ssh.pub diff --git a/Zpubkeys/makefu_tsp.ssh.pub b/Zpubkeys/makefu_tsp.ssh.pub new file mode 100644 index 000000000..9a9c9b6f8 --- /dev/null +++ b/Zpubkeys/makefu_tsp.ssh.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp diff --git a/makefu/2configs/cgit-retiolum.nix b/makefu/2configs/cgit-retiolum.nix index 7dfb181c5..d352f5792 100644 --- a/makefu/2configs/cgit-retiolum.nix +++ b/makefu/2configs/cgit-retiolum.nix @@ -52,11 +52,7 @@ let # TODO: get the list of all krebsministers krebsminister = with config.krebs.users; [ lass tv uriel ]; - - #all-makefu = with config.krebs.users; [ makefu ]; - - - all-makefu = with config.krebs.users; [ makefu makefu-omo ]; + all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; priv-rules = repo: set-owners repo all-makefu; @@ -69,6 +65,10 @@ in { name = "makefu-omo" ; pubkey= with builtins; readFile ../../Zpubkeys/makefu_omo.ssh.pub; }; + krebs.users.makefu-tsp = { + name = "makefu-tsp" ; + pubkey= with builtins; readFile ../../Zpubkeys/makefu_tsp.ssh.pub; + }; }]; krebs.git = { enable = true; From 8b302ea8866fb6f0703f34540f31cf5871440e53 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 9 Aug 2015 13:17:37 +0000 Subject: [PATCH 23/36] makefu: x200 - add middle mouse scroll --- makefu/2configs/tp-x200.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/makefu/2configs/tp-x200.nix b/makefu/2configs/tp-x200.nix index 64d3f85a1..25a2537e8 100644 --- a/makefu/2configs/tp-x200.nix +++ b/makefu/2configs/tp-x200.nix @@ -20,4 +20,9 @@ with lib; hardware.trackpoint.enable = true; hardware.trackpoint.sensitivity = 255; hardware.trackpoint.speed = 255; + services.xserver.displayManager.sessionCommands = '' + xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 1 + xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 2 + xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 200 + ''; } From 450d9e71ff0afc99511b840bed77a979795a988a Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 10 Aug 2015 17:49:55 +0000 Subject: [PATCH 24/36] makefu:base-gui audio working on earplugs --- makefu/2configs/base-gui.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index 6cfd0e50c..4e5558a1f 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -48,9 +48,10 @@ in firefox chromium ]; - + # TODO: use mainUser + users.extraUsers.makefu.extraGroups = [ "audio" ]; hardware.pulseaudio = { enable = true; - systemWide = true; + # systemWide = true; }; } From 7a378d230d4c75f77f04943b73ad4c883d6750b9 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 11 Aug 2015 19:00:22 +0000 Subject: [PATCH 25/36] makefu: move more stuff into base.nix --- makefu/1systems/pnp.nix | 7 ------- makefu/1systems/tsp.nix | 14 +++----------- makefu/2configs/base.nix | 4 ++++ 3 files changed, 7 insertions(+), 18 deletions(-) diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index bc4c679b7..6693dc066 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix 
@@ -33,11 +33,4 @@ ]; networking.firewall.allowedUDPPorts = [ 2003 ]; - networking.firewall.rejectPackets = true; - networking.firewall.allowPing = true; - -# $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - jq - ]; } diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index da7466d75..f19dbfea6 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix @@ -1,7 +1,6 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - +# +# +# { config, pkgs, ... }: { @@ -28,11 +27,4 @@ }; }; - networking.firewall.rejectPackets = true; - networking.firewall.allowPing = true; - - environment.systemPackages = with pkgs; [ - vim - jq - ]; } diff --git a/makefu/2configs/base.nix b/makefu/2configs/base.nix index 25d92d63d..906c74f7d 100644 --- a/makefu/2configs/base.nix +++ b/makefu/2configs/base.nix @@ -50,6 +50,10 @@ with lib; users.mutableUsers = false; boot.tmpOnTmpfs = true; + + networking.firewall.rejectPackets = true; + networking.firewall.allowPing = true; + systemd.tmpfiles.rules = [ "d /tmp 1777 root root - -" ]; From 0862e949f6b736c76b601acd3b17262521175c31 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 12 Aug 2015 16:58:21 +0200 Subject: [PATCH 26/36] tsp: 2 cores --- krebs/3modules/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 4644e59eb..a533fcf64 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -307,7 +307,7 @@ let }; }; tsp = { - cores = 4; + cores = 2; dc = "makefu"; #x200 nets = { retiolum = { From 7c578b1cad5d33c4a2773459ef62a8a72c585972 Mon Sep 17 00:00:00 2001 
From: tv Date: Thu, 13 Aug 2015 11:46:09 +0200 Subject: [PATCH 27/36] {tv 2 => krebs 3}/exim-retiolum --- krebs/3modules/default.nix | 1 + krebs/3modules/exim-retiolum.nix | 142 +++++++++++++++++++++++++++++++ tv/1systems/nomic.nix | 4 +- tv/1systems/wu.nix | 4 +- tv/2configs/exim-retiolum.nix | 126 --------------------------- 5 files changed, 149 insertions(+), 128 deletions(-) create mode 100644 krebs/3modules/exim-retiolum.nix delete mode 100644 tv/2configs/exim-retiolum.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e677ba5ea..fd795a036 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,6 +6,7 @@ let out = { imports = [ + ./exim-retiolum.nix ./github-hosts-sync.nix ./git.nix ./nginx.nix diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix new file mode 100644 index 000000000..09372f074 --- /dev/null +++ b/krebs/3modules/exim-retiolum.nix 
@@ -0,0 +1,142 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-retiolum; + + out = { + options.krebs.exim-retiolum = api; + config = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.exim-retiolum"; + }; + + imp = { + services.exim = { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; + }; + + # TODO get the hostname from somewhere else. + retiolumHostname = "${config.networking.hostName}.retiolum"; +in +out diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index b9a10cb4f..896c1ad29 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -25,7 +25,6 @@ with lib; ../2configs/AO753.nix ../2configs/base.nix ../2configs/consul-server.nix - ../2configs/exim-retiolum.nix ../2configs/git.nix { tv.iptables = { @@ -38,6 +37,9 @@ with lib; ]; }; } + { + krebs.exim-retiolum = true; + } { krebs.nginx = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index ae6ef1327..a5cbde3ec 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -29,7 +29,6 @@ in ../2configs/w110er.nix ../2configs/base.nix ../2configs/consul-client.nix - ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/xserver.nix @@ -165,6 +164,9 @@ in ]; }; } + { + krebs.exim-retiolum = true; + } { krebs.nginx = { enable = true; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix deleted file mode 100644 index 851a0c625..000000000 --- a/tv/2configs/exim-retiolum.nix +++ /dev/null 
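Review bot: `assert config.krebs.retiolum.enable;` sits outside `mkIf cfg.enable imp` in the `config` attribute, so it is evaluated for every host that imports `krebs/3modules` (this commit adds the module to the default.nix `imports`), and a host without retiolum fails to evaluate even with the option unset; move the assert inside the guarded value, e.g. `config = mkIf cfg.enable (assert config.krebs.retiolum.enable; imp);`. Two Exim settings deserve a second look as well: `rfc1413_hosts = *` with `rfc1413_query_timeout = 5s` performs an ident query on every inbound connection, which adds delay and no security (`rfc1413_query_timeout = 0s` disables it), and the `relay not permitted` check accepts mail for `+relay_to_domains` (`*.retiolum`) from any connecting host, so the listener should only be reachable over retiolum. `pkgs` and `with builtins;` are unused in the module.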
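Review bot: `krebs.exim-retiolum = true;` in the new nomic.nix hunk assigns a boolean to the option set, but the module only declares `krebs.exim-retiolum.enable` via `mkEnableOption`, so this should fail to evaluate; it needs to be `krebs.exim-retiolum.enable = true;`, which is how the later tsp.nix change in this series writes it. The same line is added to wu.nix in this commit and again to both files by the re-applied copy of this commit (PATCH 29/36).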
@@ -1,126 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.exim = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - assert config.krebs.retiolum.enable; - let - # TODO get the hostname from config.krebs.retiolum. - retiolumHostname = "${config.networking.hostName}.retiolum"; - in - { enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data - - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s - - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false - - begin acl - - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require verify = recipient - - accept - - - acl_check_data: - accept - - - begin routers - - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more - - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! 
+local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more - - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user - - - begin transports - - remote_smtp: - driver = smtp - - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 - - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - begin rewrite - - begin authenticators - ''; - }; -} From ab2d3f96be09e4a77f33b7ce2f3b96dbc9b57c39 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 12:02:26 +0200 Subject: [PATCH 28/36] services: add pigstarter --- krebs/3modules/default.nix | 39 +++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index a533fcf64..8573c5a05 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -164,7 +164,7 @@ let { krebs = tv-imp; } { krebs.dns.providers = { - de.krebsco = "ovh"; + de.krebsco = "zones"; internet = "hosts"; retiolum = "hosts"; }; 
@@ -334,6 +334,43 @@ let }; }; }; + pigstarter = { + cores = 1; + dc = "makefu"; #x200 + nets = { + internet = { + addrs4 = ["192.40.56.122"]; + addrs6 = ["2604:2880::841f:72c"]; + aliases = [ + "pigstarter.internet" + ]; + zones = [ + { "pigstarter.krebsco.de" = "A";} + { "io.krebsco.de" = "NS";} + { "io.krebsco.de" = "A";} + { "mx42.krebsco.de" = "MX";} + { "mx42.krebsco.de" = "A";} + ]; + }; + retiolum = { + addrs4 = ["10.243.0.153"]; + addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; + aliases = [ + "pigstarter.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA/efJuJRLUIZROe3QE8WYTD/zyNGRh9I2/yw+5It9HSNVDMIOV1FZ + 9PaspsC+YQSBUQRN8SJ95G4RM6TIn/+ei7LiUYsf1Ik+uEOpP5EPthXqvdJEeswv + 3QFwbpBeOMNdvmGvQLeR1uJKVyf39iep1wWGOSO1sLtUA+skUuN38QKc1BPASzFG + 4ATM6rd2Tkt8+9hCeoePJdLr3pXat9BBuQIxImgx7m5EP02SH1ndb2wttQeAi9cE + DdJadpzOcEgFatzXP3SoKVV9loRHz5HhV4WtAqBIkDvgjj2j+NnXolAUY25Ix+kv + sfqfIw5aNLoIX4kDhuDEVBIyoc7/ofSbkQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = addNames { makefu = { From 6c2c01b5cbf0a6b6a4db46ad4f0623772a5b7c15 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 13 Aug 2015 11:46:09 +0200 Subject: [PATCH 29/36] {tv 2 => krebs 3}/exim-retiolum --- krebs/3modules/default.nix | 1 + krebs/3modules/exim-retiolum.nix | 143 +++++++++++++++++++++++++++++++ tv/1systems/nomic.nix | 4 +- tv/1systems/wu.nix | 4 +- tv/2configs/exim-retiolum.nix | 126 --------------------------- 5 files changed, 150 insertions(+), 128 deletions(-) create mode 100644 krebs/3modules/exim-retiolum.nix delete mode 100644 tv/2configs/exim-retiolum.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e677ba5ea..fd795a036 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,6 +6,7 @@ let out = { imports = [ + ./exim-retiolum.nix ./github-hosts-sync.nix ./git.nix ./nginx.nix 
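Review bot: The comment `dc = "makefu"; #x200` on the new pigstarter entry is copied from the tsp entry and does not describe this host, which has public Internet addresses and DNS zones; fix it or drop it so readers do not take the host for a notebook. The `zones` list spells each record as a separate one-key set, with `io.krebsco.de` appearing twice (`NS` and `A`), which is valid for the `listOf (attrsOf str)` type introduced later in this series but easy to misread; a short comment such as `# one { fqdn = recordType; } per record; a name may repeat` would help. The enclosing attribute set starts outside the hunk.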
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix new file mode 100644 index 000000000..71c091917 --- /dev/null +++ b/krebs/3modules/exim-retiolum.nix 
@@ -0,0 +1,143 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-retiolum; + + out = { + options.krebs.exim-retiolum = api; + config = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + mkIf cfg.enable ( + #assert config.krebs.retiolum.enable; + imp); + }; + + api = { + enable = mkEnableOption "krebs.exim-retiolum"; + }; + + imp = { + services.exim = { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; + }; + + # TODO get the hostname from somewhere else. + retiolumHostname = "${config.networking.hostName}.retiolum"; +in +out diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index b9a10cb4f..896c1ad29 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -25,7 +25,6 @@ with lib; ../2configs/AO753.nix ../2configs/base.nix ../2configs/consul-server.nix - ../2configs/exim-retiolum.nix ../2configs/git.nix { tv.iptables = { @@ -38,6 +37,9 @@ with lib; ]; }; } + { + krebs.exim-retiolum = true; + } { krebs.nginx = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index ae6ef1327..a5cbde3ec 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -29,7 +29,6 @@ in ../2configs/w110er.nix ../2configs/base.nix ../2configs/consul-client.nix - ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/xserver.nix @@ -165,6 +164,9 @@ in ]; }; } + { + krebs.exim-retiolum = true; + } { krebs.nginx = { enable = true; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix deleted file mode 100644 index 851a0c625..000000000 --- a/tv/2configs/exim-retiolum.nix +++ /dev/null 
@@ -1,126 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.exim = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - assert config.krebs.retiolum.enable; - let - # TODO get the hostname from config.krebs.retiolum. - retiolumHostname = "${config.networking.hostName}.retiolum"; - in - { enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data - - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s - - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false - - begin acl - - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require verify = recipient - - accept - - - acl_check_data: - accept - - - begin routers - - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more - - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! 
+local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more - - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user - - - begin transports - - remote_smtp: - driver = smtp - - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 - - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - begin rewrite - - begin authenticators - ''; - }; -} From 647550f3e747a024044bda9f49a6bac5669dd60b Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 12:03:59 +0200 Subject: [PATCH 30/36] types: add zones --- krebs/4lib/types.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 92410dd58..975c36b08 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,7 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + secure = mkOption { type = bool; default = false; @@ -73,6 +74,11 @@ types // rec { })); default = null; }; + zones = mkOption { + default = []; + # TODO: string is either MX, NS, A or AAAA + type = with types; listOf (attrsOf str); + }; }; }); From 6b9a70d2d0d4e773d60251acec2ab882c8dd56d7 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 12:03:59 +0200 Subject: [PATCH 31/36] types: add zones --- krebs/4lib/types.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 92410dd58..975c36b08 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,7 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + secure = mkOption { type = bool; default = false; 
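Review bot: The `zones` option is typed `listOf (attrsOf str)` while the comment above it says the value must be one of `MX`, `NS`, `A` or `AAAA`; the module system can enforce that directly with `type = with types; listOf (attrsOf (enum [ "MX" "NS" "A" "AAAA" ]));`, turning a typo in a host entry into an evaluation error instead of a bad zone record. The identical commit appears twice in the series (PATCH 30/36 and PATCH 31/36) and should be squashed.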
@@ -73,6 +74,11 @@ types // rec { })); default = null; }; + zones = mkOption { + default = []; + # TODO: string is either MX, NS, A or AAAA + type = with types; listOf (attrsOf str); + }; }; }); From 9f92ba455c4b13f4d960bae65cd577c9aad30dc4 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 13 Aug 2015 12:08:36 +0200 Subject: [PATCH 32/36] krebs.exim-retiolum: assert krebs.retiolum.enable --- krebs/3modules/exim-retiolum.nix | 182 +++++++++++++++---------------- 1 file changed, 91 insertions(+), 91 deletions(-) diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 71c091917..e1315d8c8 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -8,11 +8,7 @@ let out = { options.krebs.exim-retiolum = api; config = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - mkIf cfg.enable ( - #assert config.krebs.retiolum.enable; - imp); + mkIf cfg.enable imp; }; api = { 
@@ -20,121 +16,125 @@ let }; imp = { - services.exim = { - enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false - begin acl + begin acl - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ - accept local_parts = postmaster - domains = +local_domains + accept local_parts = postmaster + domains = +local_domains - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify - #require verify = sender + #require verify = sender - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify - accept authenticated = * - control = submission - control = dkim_disable_verify + accept authenticated = * + control = submission + control = dkim_disable_verify - require message = relay not permitted - domains = +local_domains : +relay_to_domains + require message = relay not permitted + domains = +local_domains : +relay_to_domains - require verify = recipient + require verify = recipient - accept + accept - acl_check_data: - accept + acl_check_data: + accept - begin routers + begin routers - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! +local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user - begin transports + begin transports - remote_smtp: - driver = smtp + remote_smtp: + driver = smtp - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - begin rewrite + begin rewrite - begin authenticators - ''; - }; + begin authenticators + ''; + }; }; # TODO get the hostname from somewhere else. From 978d5cc9f07ccfcca2cc53cb45ccb5ee0c801869 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 17:15:09 +0200 Subject: [PATCH 33/36] makefu/tsp: add exim --- makefu/1systems/tsp.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index f19dbfea6..6e93df51e 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix 
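Review bot: Placing `assert config.krebs.retiolum.enable;` inside `imp` means it is only evaluated once `cfg.enable` is set, which is the right place, but wrapping the whole `services.exim` value re-indents the entire Exim configuration and turns a one-line logical change into 91 changed lines. Binding the configuration string in the `let` block (e.g. `eximConfig = ''…'';`) and writing `services.exim = assert config.krebs.retiolum.enable; { enable = true; config = eximConfig; };` keeps the diff reviewable and the assert visible. The carried-over `# TODO modular configuration` still does not say what is meant to become modular.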
@@ -18,6 +18,13 @@
 krebs.build.user = config.krebs.users.makefu;
 krebs.build.target = "root@tsp";
 
+ krebs.exim-retiolum.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # nginx runs on 80
+ # graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
+ 25
+ ];
+
 krebs.build.deps = {
 nixpkgs = {
 #url = https://github.com/NixOS/nixpkgs;

From bdc58a02f93661796d8816818c0792cbab65f7c1 Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 13 Aug 2015 17:45:43 +0200
Subject: [PATCH 34/36] krebs: add pigstarter,mail

---
 krebs/3modules/default.nix | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 467cc4459..35ccd278d 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
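Review bot: The two comments inside `networking.firewall.allowedTCPPorts` talk about nginx on 80 and graphite/carbon on 8080/2003, but the only port the list actually opens is 25, so a reader is misled about what this host exposes; replace them with `# 25: exim-retiolum (SMTP)` or drop them. The rule also opens 25 on every interface, whereas `krebs.exim-retiolum` is presumably meant to exchange mail inside the retiolum mesh only; if this machine ever gets a non-VPN address, SMTP becomes reachable there too, so consider scoping the rule to the retiolum interface (if the pinned nixpkgs supports per-interface firewall options) or documenting why a global rule is intended. The enclosing attribute set starts and ends outside the hunk.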
@@ -335,9 +335,37 @@ let
 };
 };
 };
+ pornocauster = {
+ cores = 2;
+ dc = "makefu"; #x220
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.0.91"];
+ addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"];
+ aliases = [
+ "pornocauster.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi
+ HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3
+ mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+
+ n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG
+ R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr
+ Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi
+ aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo
+ ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE
+ KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v
+ XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ
+ teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 pigstarter = {
 cores = 1;
- dc = "makefu"; #x200
+ dc = "frontrange"; #vps
 nets = {
 internet = {
 addrs4 = ["192.40.56.122"];
@@ -375,7 +403,7 @@ let
 };
 users = addNames {
 makefu = {
- mail = "root@euer.krebsco.de";
+ mail = "root@tsp.retiolum";
 pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
 };
 };

From d230db96d9b7403da64887b6ceebcacc564c268b Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 13 Aug 2015 20:28:21 +0000
Subject: [PATCH 35/36] krebs: add extraZones

---
 krebs/3modules/default.nix | 56 ++++++++++++++++++++++++++++++++------
 krebs/4lib/types.nix | 11 ++++----
 2 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 35ccd278d..d77d00c05 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
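Review bot: The `tinc.pubkey` entered for pornocauster appears to be the same RSA key as the tsp host added earlier in this series rather than a key generated on pornocauster itself. tinc identifies and authenticates a peer by this key, so two hosts sharing it cannot be told apart on the retiolum mesh, and the private half now has to live on both machines, doubling its exposure. Generate a fresh pair on the host (`tincd -K`) and paste that public key here, so that the tsp and pornocauster entries differ; a quick review check is that no two `tinc.pubkey` values in this file are equal. The `dc = "frontrange"; #vps` correction for pigstarter in the same hunk looks fine.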
@@ -184,7 +184,42 @@ let
 ) host.nets
 ) cfg.hosts
 ));
- }
+
+ # krebs.hosts.bob = rec {
+ # addrs4 = "10.0.0.1";
+ # extraZones = {
+ # # extraZones
+ # "krebsco.de" = ''
+ # krebsco.de. IN MX 10 mx1
+ # mx1 IN A ${addrs4}
+ # '';
+ # "dickbutt.de" = ''
+ # dickbutt.de. IN NS ns
+ # ns IN A ${addrs4}
+ # ''
+ # }
+ # }
+ # krebs.hosts.khan = rec {
+ # addrs4 = "10.0.0.2";
+ # extraZones = {
+ # "krebsco.de" = ''
+ # khan.krebsco.de IN A ${addrs4}
+ # };
+ # }
+ #
+ # =>
+ # "zone/krebsco.de".text = ''
+ # krebsco.de. IN MX 10 mx1
+ # mx1 IN A 10.0.0.1
+ # khan.krebsco.de IN A 10.0.0.2
+ # '';
+
+ environment.etc = mapAttrs'
+ (name: value:
+ nameValuePair (("zones/" + name)) ({ text=value;}))
+ cfg.hosts.pigstarter.extraZones;
+ }
 ];
 
 lass-imp = {
@@ -363,9 +398,19 @@ let
 };
 };
 };
- pigstarter = {
+ pigstarter = rec {
 cores = 1;
 dc = "frontrange"; #vps
+
+ extraZones = {
+ "de.krebsco" = ''
+ pigstarter.krebsco.de IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN NS io
+ io IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN MX 10 mx42
+ mx42 IN A ${elemAt nets.internet.addrs4 0}
+ '';
+ };
 nets = {
 internet = {
 addrs4 = ["192.40.56.122"];
@@ -373,13 +418,6 @@ let
 aliases = [
 "pigstarter.internet"
 ];
- zones = [
- { "pigstarter.krebsco.de" = "A";}
- { "io.krebsco.de" = "NS";}
- { "io.krebsco.de" = "A";}
- { "mx42.krebsco.de" = "MX";}
- { "mx42.krebsco.de" = "A";}
- ];
 };
 retiolum = {
 addrs4 = ["10.243.0.153"];
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 975c36b08..f767d20fe 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -21,6 +21,12 @@ types // rec {
 apply = x: assert hasAttr "retiolum" x; x;
 };
 
+ extraZones = mkOption {
+ default = {};
+ # TODO: string is either MX, NS, A or AAAA
+ type = with types; attrsOf string;
+ };
+
 secure = mkOption {
 type = bool;
 default = false;
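Review bot: The `environment.etc` expression reads `cfg.hosts.pigstarter.extraZones` only, while the worked example in the comment block directly above it shows `extraZones` from several hosts (bob and khan) being merged into one zone file; the code does no such merge, so the `cd` entry added at the end of this series declares zone records that never reach any file. The comment also names the result `"zone/krebsco.de"` where the code produces `zones/<name>`. Either fold over all of `cfg.hosts` and concatenate fragments per zone name, as sketched below (assuming the nixpkgs lib helpers are in scope the way `mapAttrs'` and `nameValuePair` already are), or state in the comment that only pigstarter is consulted for now. Since the zone text is written under /etc/zones verbatim, a one-line comment that the fragments are trusted repo-controlled config (not validated) would also help the next reader. The enclosing module list starts and ends outside the hunk.
```nix
# … unchanged: example comment block …
environment.etc = mapAttrs'
  (name: value: nameValuePair ("zones/" + name) { text = value; })
  # merge every host's fragment for the same zone name into one file
  (zipAttrsWith (_: concatStrings)
    (map (host: host.extraZones) (attrValues cfg.hosts)));
```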
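Review bot: The zone in the `pigstarter = rec {` hunk is keyed `"de.krebsco"` while every record inside it (and the example comment in the first hunk) uses `krebsco.de`, so the generated file lands at /etc/zones/de.krebsco; if the reversed label order is deliberate for whatever consumes that directory, a comment such as `# zone name reversed: <consumer> expects label order reversed` would save the next reader a search, otherwise `"krebsco.de" = ''` matches the records. The switch to `rec` is needed for `nets.internet.addrs4` to resolve inside the zone text and should be applied to every host that gains `extraZones`. The pigstarter attribute set continues outside the hunk.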
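Review bot: In the krebs/4lib/types.nix hunk the comment `# TODO: string is either MX, NS, A or AAAA` was carried over from the removed `zones` option and no longer describes `extraZones`, whose values are whole zone-file fragments; replace it with `# zone name -> zone file text written to /etc/zones/<name>`. The option also has no `description`, and `attrsOf string` could be `attrsOf str` to match the option being removed and the surrounding file, unless the concatenating merge behaviour of `string` is intended for duplicate definitions. The enclosing `types // rec {` set continues outside the hunk.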
@@ -74,11 +80,6 @@ types // rec {
 }));
 default = null;
 };
- zones = mkOption {
- default = [];
- # TODO: string is either MX, NS, A or AAAA
- type = with types; listOf (attrsOf str);
- };
 };
 });
 

From db4b55527d527158bd4e7f93128668e646f2cf1f Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 13 Aug 2015 22:31:40 +0200
Subject: [PATCH 36/36] krebs/3: add cd extraZones

---
 krebs/3modules/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index d77d00c05..9ad9c9f91 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -455,6 +455,13 @@ let
 cd = {
 cores = 2;
 dc = "tv"; #dc = "cac";
+ extraZones = {
+ "de.krebsco" = ''
+ mx23 IN A ${elemAt nets.internet.addrs4 0}
+ cd IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN MX 5 mx23
+ '';
+ };
 nets = rec {
 internet = {
 addrs4 = ["162.219.7.216"];
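Review bot: `cd = {` is not a `rec` set, yet the added zone text interpolates `${elemAt nets.internet.addrs4 0}`; unless `nets` is bound in an enclosing scope not visible here, evaluation fails with an undefined variable, which is presumably why the previous patch changed `pigstarter = {` to `pigstarter = rec {` when it added the same construct. Change the opening line to `cd = rec {`. Note as well that the zone-file generator in krebs/3modules/default.nix currently reads only `cfg.hosts.pigstarter.extraZones`, so these cd records produce no file until that expression is generalised over all hosts. The cd attribute set continues outside the hunk.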