"rebase"
This commit is contained in:
parent
02261729c0
commit
d629bee954
@ -3,7 +3,7 @@
|
||||
{
|
||||
imports = [
|
||||
../tv/base-cac-CentOS-7-64bit.nix
|
||||
../lass/retiolum-cloudkrebs.nix
|
||||
./retiolum.nix
|
||||
./networking.nix
|
||||
../../secrets/cloudkrebs-pw.nix
|
||||
../lass/sshkeys.nix
|
||||
@ -18,8 +18,10 @@
|
||||
|
||||
nix.maxJobs = 1;
|
||||
|
||||
#activationScripts
|
||||
#split up and move into base
|
||||
#tmpfiles Unknown group 'lock' workaround:
|
||||
users.extraGroups = {
|
||||
lock.gid = 10001;
|
||||
};
|
||||
|
||||
#TODO move into modules
|
||||
users.extraUsers = {
|
||||
|
@ -2,10 +2,10 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../tv/retiolum.nix
|
||||
../tv/retiolum
|
||||
];
|
||||
|
||||
services.retiolum = {
|
||||
tv.retiolum = {
|
||||
enable = true;
|
||||
hosts = ../../hosts;
|
||||
privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
|
@ -3,6 +3,7 @@
|
||||
{
|
||||
imports = [
|
||||
./sshkeys.nix
|
||||
./iptables
|
||||
];
|
||||
|
||||
nix.useChroot = true;
|
||||
@ -65,6 +66,10 @@
|
||||
'';
|
||||
};
|
||||
|
||||
security.setuidPrograms = [
|
||||
"sendmail"
|
||||
];
|
||||
|
||||
services.gitolite = {
|
||||
enable = true;
|
||||
dataDir = "/home/gitolite";
|
||||
@ -84,27 +89,41 @@
|
||||
RuntimeMaxUse=128M
|
||||
'';
|
||||
|
||||
networking.firewall = {
|
||||
lass.iptables = {
|
||||
enable = true;
|
||||
|
||||
allowedTCPPorts = [
|
||||
22
|
||||
];
|
||||
|
||||
extraCommands = ''
|
||||
iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
|
||||
iptables -A INPUT -j ACCEPT -i lo
|
||||
iptables -A INPUT -j ACCEPT -p icmp
|
||||
|
||||
#iptables -N Retiolum
|
||||
iptables -A INPUT -j Retiolum -i retiolum
|
||||
iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
|
||||
iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
|
||||
iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
|
||||
iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
|
||||
iptables -A Retiolum -j REJECT
|
||||
'';
|
||||
|
||||
extraStopCommands = "iptables -F";
|
||||
tables = {
|
||||
filter.INPUT.policy = "DROP";
|
||||
filter.FORWARD.policy = "DROP";
|
||||
filter.INPUT.rules = [
|
||||
{ predicate = "-i lo"; target = "ACCEPT"; }
|
||||
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||
{ predicate = "-p icmp"; target = "ACCEPT"; }
|
||||
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
#Networking.firewall = {
|
||||
# enable = true;
|
||||
|
||||
# allowedTCPPorts = [
|
||||
# 22
|
||||
# ];
|
||||
|
||||
# extraCommands = ''
|
||||
# iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
|
||||
# iptables -A INPUT -j ACCEPT -i lo
|
||||
# #http://serverfault.com/questions/84963/why-not-block-icmp
|
||||
# iptables -A INPUT -j ACCEPT -p icmp
|
||||
|
||||
# #TODO: fix Retiolum firewall
|
||||
# #iptables -N RETIOLUM
|
||||
# #iptables -A INPUT -j RETIOLUM -i retiolum
|
||||
# #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
|
||||
# #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
|
||||
# #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
|
||||
# #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
|
||||
# #iptables -A RETIOLUM -j REJECT
|
||||
# '';
|
||||
#};
|
||||
}
|
||||
|
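Review bot: The commented-out `#Networking.firewall = { … #};` block that closes this hunk duplicates what `lass.iptables.tables` now declares and should be deleted rather than carried forward as dead configuration; if the old rule set is worth remembering, that belongs in the commit message. Note also that `lass.iptables` feeds the same `filter.INPUT.rules` text to both iptables-restore and ip6tables-restore (see old/modules/lass/iptables/config.nix in this commit), so `{ predicate = "-p icmp"; target = "ACCEPT"; }` under `filter.INPUT.policy = "DROP"` most likely leaves ICMPv6 unmatched and dropped on the v6 side. If IPv6 is in use on these hosts, an explicit `{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; }` rule or a per-family table set is needed, and a comment above `tables` should state which families the rules are meant for. The enclosing attribute set starts before this hunk.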
@ -1,6 +1,8 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
let
|
||||
mainUser = config.users.extraUsers.mainUser;
|
||||
in {
|
||||
imports = [
|
||||
./base.nix
|
||||
];
|
||||
@ -34,4 +36,30 @@
|
||||
xlibs.fontschumachermisc
|
||||
];
|
||||
|
||||
fonts.fonts = [
|
||||
pkgs.xlibs.fontschumachermisc
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
|
||||
windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
|
||||
X11-xshape
|
||||
];
|
||||
windowManager.xmonad.enable = true;
|
||||
windowManager.xmonad.enableContribAndExtras = true;
|
||||
windowManager.default = "xmonad";
|
||||
desktopManager.default = "none";
|
||||
desktopManager.xterm.enable = false;
|
||||
displayManager.slim.enable = true;
|
||||
displayManager.auto.enable = true;
|
||||
displayManager.auto.user = mainUser.name;
|
||||
|
||||
layout = "us,de";
|
||||
xkbModel = "evdev";
|
||||
xkbVariant = "altgr-intl,nodeadkeys";
|
||||
xkbOptions = "grp:caps_toggle";
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
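--- a/old/modules/lass/iptables/config.nix
+++ b/old/modules/lass/iptables/config.nix
@@ -0,0 +1,119 @@
+{ cfg, lib, pkgs, ... }:
+
+let
+inherit (pkgs) writeScript writeText;
+inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
+
+#===== new api v4
+
+#buildTable :: iptablesAttrSet` -> str
+#todo: differentiate by iptables-version
+buildTables = iptv: ts:
+let
+declareChain = t: cn:
+#TODO: find out what to do whit these count numbers
+":${cn} ${t."${cn}".policy} [0:0]";
+
+buildChain = tn: cn:
+#"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
+
+#TODO: sort by precedence
+#TODO: double check should be unneccessary, refactor!
+if (hasAttr "rules" ts."${tn}"."${cn}") then
+if (ts."${tn}"."${cn}".rules == null) then
+""
+else
+concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+++ map buildRule ts."${tn}"."${cn}".rules
+)
+else
+""
+;
+
+
+buildRule = rule:
+#TODO implement rule validation-test here
+#
+#target:
+#target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+
+#predicate:
+#maybe use iptables-test
+#TODO: howto exit with evaluation error by shellscript?
+#apperantly not possible from nix because evalatution wouldn't be deterministic.
+"${rule.predicate} -j ${rule.target}";
+
+buildTable = tn:
+"*${tn}\n" +
+concatStringsSep "\n" ([]
+++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+) +
+#this looks dirty, find a better way to do this (maybe optionalString)
+concatStringsSep "" ([]
+++ map (buildChain tn) (attrNames ts."${tn}")
+) +
+"\nCOMMIT";
+in
+concatStringsSep "\n" ([]
+++ map buildTable (attrNames ts)
+);
+
+#=====
+
+rules4 = iptables-version:
+let
+#TODO: find out good defaults.
+tables-defaults = {
+nat.PREROUTING.policy = "ACCEPT";
+nat.INPUT.policy = "ACCEPT";
+nat.OUTPUT.policy = "ACCEPT";
+nat.POSTROUTING.policy = "ACCEPT";
+filter.INPUT.policy = "ACCEPT";
+filter.FORWARD.policy = "ACCEPT";
+filter.OUTPUT.policy = "ACCEPT";
+
+#if someone specifies any other rules on this chain, the default rules get lost.
+#is this wanted beahiviour or a bug?
+#TODO: implement abstraction of rules
+filter.INPUT.rules = [
+{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+];
+};
+tables = tables-defaults // cfg.tables;
+
+in
+writeText "lass-iptables-rules${toString iptables-version}" ''
+${buildTables iptables-version tables}
+'';
+
+startScript = writeScript "lass-iptables_start" ''
+#! /bin/sh
+set -euf
+iptables-restore < ${rules4 4}
+ip6tables-restore < ${rules4 6}
+'';
+in
+
+{
+networking.firewall.enable = false;
+
+systemd.services.lass-iptables = {
+description = "lass-iptables";
+wantedBy = [ "network-pre.target" ];
+before = [ "network-pre.target" ];
+after = [ "systemd-modules-load.service" ];
+
+path = with pkgs; [
+iptables
+];
+
+restartIfChanged = true;
+
+serviceConfig = {
+Type = "simple";
+RemainAfterExit = true;
+Restart = "always";
+ExecStart = "@${startScript} lass-iptables_start";
+};
+};
+}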
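Review bot: `buildTables` never uses its `iptv` argument and `rules4` uses `iptables-version` only in the `writeText` file name, so `ip6tables-restore < ${rules4 6}` loads exactly the same IPv4-oriented rule text that `iptables-restore` does. Any predicate that only makes sense for one family (`-p icmp`, a v4 CIDR) is therefore silently useless on the other, and combined with a `filter.INPUT.policy = "DROP"` that likely ends up dropping ICMPv6 on the v6 side. Either thread the version through `buildTables` so a caller can supply a distinct table set per family, or limit `startScript` to `iptables-restore` until an IPv6 rule set exists, and record the decision in a comment above `rules4`. Separately, the unit defines no `ExecStop`, so stopping or disabling it leaves the last loaded rule set in the kernel; that is a defensible fail-closed default but deserves a one-line comment next to `serviceConfig` so nobody expects `systemctl stop` to open the host up.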
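--- a/old/modules/lass/iptables/default.nix
+++ b/old/modules/lass/iptables/default.nix
@@ -0,0 +1,11 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+cfg = config.lass.iptables;
+arg' = arg // { inherit cfg; };
+in
+
+{
+options.lass.iptables = import ./options.nix arg';
+config = lib.mkIf cfg.enable (import ./config.nix arg');
+}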
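--- a/old/modules/lass/iptables/options.nix
+++ b/old/modules/lass/iptables/options.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+
+let
+inherit (lib) mkEnableOption mkOption types;
+in
+
+{
+enable = mkEnableOption "iptables";
+
+#tables.filter.INPUT = {
+# policy = "DROP";
+# rules = [
+# { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+# ];
+#};
+#new api
+tables = mkOption {
+type = with types; attrsOf (attrsOf (submodule ({
+options = {
+policy = mkOption {
+type = str;
+default = "-";
+};
+rules = mkOption {
+type = nullOr (listOf (submodule ({
+options = {
+predicate = mkOption {
+type = str;
+};
+target = mkOption {
+type = str;
+};
+precedence = mkOption {
+type = int;
+default = 0;
+};
+};
+})));
+default = null;
+};
+};
+})));
+};
+}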
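Review bot: `tables` has no `default`, so a host that sets `lass.iptables.enable = true` without defining any table fails at evaluation when config.nix reads `cfg.tables`; adding `default = {};` to that mkOption makes the module usable with the built-in `tables-defaults` alone. The `precedence` option is declared with `default = 0;` but nothing consumes it (config.nix still carries `#TODO: sort by precedence` and emits rules in list order), so a caller who sets it gets no effect; until sorting exists, give it `description = "Currently unused: rules are emitted in list order.";` or drop the option. `policy` defaulting to `"-"` appears to be valid only for user-defined chains in iptables-restore input, so a description noting that built-in chains must be given ACCEPT or DROP would save a confusing restore failure.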
@ -20,7 +20,7 @@
|
||||
#ssl_dh_params = "etc/dh.pem";
|
||||
#ssld_count = 1;
|
||||
|
||||
#default_max_clients = 1024;
|
||||
default_max_clients = 10000;
|
||||
#nicklen = 30;
|
||||
};
|
||||
|
||||
@ -40,21 +40,26 @@
|
||||
sslport = 9999;
|
||||
};
|
||||
|
||||
class "users" {
|
||||
ping_time = 2 minutes;
|
||||
number_per_ident = 200;
|
||||
number_per_ip = 200;
|
||||
number_per_ip_global = 500;
|
||||
cidr_ipv4_bitlen = 24;
|
||||
cidr_ipv6_bitlen = 64;
|
||||
number_per_cidr = 9000;
|
||||
max_number = 10000;
|
||||
sendq = 400 kbytes;
|
||||
};
|
||||
|
||||
exempt {
|
||||
ip = "127.0.0.1";
|
||||
};
|
||||
|
||||
auth {
|
||||
user = "*@*";
|
||||
class = "users";
|
||||
};
|
||||
|
||||
class "users" {
|
||||
ping_time = 2 minutes;
|
||||
number_per_ident = 10;
|
||||
number_per_ip = 10;
|
||||
number_per_ip_global = 50;
|
||||
cidr_ipv4_bitlen = 24;
|
||||
cidr_ipv6_bitlen = 64;
|
||||
number_per_cidr = 200;
|
||||
max_number = 3000;
|
||||
sendq = 400 kbytes;
|
||||
flags = exceed_limit;
|
||||
};
|
||||
|
||||
channel {
|
||||
|
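Review bot: The new `class "users"` block raises `number_per_ip` and `number_per_ident` from 10 to 200 and `number_per_cidr` from 200 to 9000 while dropping `flags = exceed_limit`, which loosens the server's per-source connection-flood limits by more than an order of magnitude with no comment recording why. A short note above the class, `# limits raised for <reason>`, would let the next reader judge whether 200 connections per address is still wanted. Together with `auth { user = "*@*"; class = "users"; }` and the `exempt { ip = "127.0.0.1"; }` stanza these values are the whole admission policy, so they are worth documenting as one unit. Which of the two printed `class "users"` blocks is the new side is inferred from the hunk counts.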
@ -1,21 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../tv/retiolum.nix
|
||||
];
|
||||
|
||||
services.retiolum = {
|
||||
enable = true;
|
||||
hosts = ../../hosts;
|
||||
privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
|
||||
connectTo = [
|
||||
"fastpoke"
|
||||
"gum"
|
||||
"ire"
|
||||
];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 655 ];
|
||||
networking.firewall.allowedUDPPorts = [ 655 ];
|
||||
}
|
@ -56,6 +56,8 @@ in {
|
||||
vnoremap < <gv
|
||||
vnoremap > >gv
|
||||
|
||||
nmap <esc>q :buffer
|
||||
|
||||
"Tabwidth
|
||||
set ts=2 sts=2 sw=2 et
|
||||
|
||||
|
@ -1,43 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
mainUser = config.users.extraUsers.mainUser;
|
||||
|
||||
in {
|
||||
services.xserver.enable = true;
|
||||
|
||||
|
||||
#fonts.enableFontConfig = true;
|
||||
#fonts.enableFontDir = true;
|
||||
fonts.fonts = [
|
||||
pkgs.xlibs.fontschumachermisc
|
||||
];
|
||||
#services.xfs.enable = true;
|
||||
#services.xserver.useXFS = "unix/:7100";
|
||||
|
||||
#services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
|
||||
|
||||
#services.xserver.display = 11;
|
||||
#services.xserver.tty = 11;
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
#services.xserver.multitouch.enable = true;
|
||||
|
||||
services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
|
||||
X11-xshape
|
||||
];
|
||||
services.xserver.windowManager.xmonad.enable = true;
|
||||
services.xserver.windowManager.xmonad.enableContribAndExtras = true;
|
||||
services.xserver.windowManager.default = "xmonad";
|
||||
services.xserver.desktopManager.default = "none";
|
||||
services.xserver.desktopManager.xterm.enable = false;
|
||||
|
||||
services.xserver.displayManager.slim.enable = true;
|
||||
services.xserver.displayManager.auto.enable = true;
|
||||
services.xserver.displayManager.auto.user = mainUser.name;
|
||||
#services.xserver.displayManager.job.logsXsession = true;
|
||||
|
||||
services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
|
||||
|
||||
}
|
@ -5,8 +5,7 @@
|
||||
../lass/xresources.nix
|
||||
../lass/desktop-base.nix
|
||||
../lass/programs.nix
|
||||
../lass/retiolum-mors.nix
|
||||
../lass/xserver-lass.nix
|
||||
./retiolum.nix
|
||||
../tv/synaptics.nix
|
||||
../lass/bitcoin.nix
|
||||
../lass/browsers.nix
|
||||
@ -31,7 +30,7 @@
|
||||
|
||||
nixpkgs = {
|
||||
url = "https://github.com/Lassulus/nixpkgs";
|
||||
rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
|
||||
rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
|
||||
};
|
||||
|
||||
networking.hostName = "mors";
|
||||
@ -110,6 +109,7 @@
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
|
||||
'';
|
||||
|
||||
#TODO activationScripts seem broken, fix them!
|
||||
#activationScripts
|
||||
#split up and move into base
|
||||
system.activationScripts.powertopTunables = ''
|
||||
@ -141,10 +141,18 @@
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
|
||||
'';
|
||||
system.activationScripts.trackpoint = ''
|
||||
echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
|
||||
echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
|
||||
'';
|
||||
|
||||
hardware.trackpoint = {
|
||||
enable = true;
|
||||
sensitivity = 220;
|
||||
speed = 0;
|
||||
emulateWheel = true;
|
||||
};
|
||||
|
||||
#system.activationScripts.trackpoint = ''
|
||||
# echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
|
||||
# echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
|
||||
#'';
|
||||
|
||||
services.xserver = {
|
||||
videoDriver = "intel";
|
||||
@ -201,6 +209,9 @@
|
||||
];
|
||||
};
|
||||
|
||||
services.mongodb = {
|
||||
enable = true;
|
||||
};
|
||||
#services.ircdHybrid = {
|
||||
# enable = true;
|
||||
|
||||
|
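Review bot: `services.mongodb = { enable = true; };` at the end of this section enables a database with no explicit bind address, so whether it listens only on loopback depends on the module's default at the pinned nixpkgs rev; with `lass.iptables` now defaulting INPUT to DROP the exposure is limited, but an explicit `bind_ip = "127.0.0.1";` (confirm the option name exists at this rev) or at least a comment stating the intended reachability would make the intent survive a later firewall change. The `hardware.trackpoint` hunk above it fully supersedes the `#system.activationScripts.trackpoint` block, which can be deleted instead of kept as a comment. The enclosing attribute set starts before these hunks.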
@ -1,71 +1,130 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) map readFile;
|
||||
inherit (lib) concatMap listToAttrs;
|
||||
# TODO lib should already include our stuff
|
||||
inherit (import ../../lib { inherit lib pkgs; }) addNames git;
|
||||
|
||||
x-repos = [
|
||||
(krebs-private "brain")
|
||||
|
||||
(public "painload")
|
||||
(public "shitment")
|
||||
(public "wai-middleware-time")
|
||||
(public "web-routes-wai-custom")
|
||||
|
||||
(secret "pass")
|
||||
|
||||
(tv-lass "emse-drywall")
|
||||
(tv-lass "emse-hsdb")
|
||||
];
|
||||
|
||||
users = addNames {
|
||||
tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
|
||||
lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
|
||||
uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
|
||||
makefu = { pubkey = "xxx"; };
|
||||
};
|
||||
|
||||
repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
|
||||
|
||||
rules = concatMap ({ rules, ... }: rules) x-repos;
|
||||
|
||||
krebs-private = repo-name:
|
||||
rec {
|
||||
repo = {
|
||||
name = repo-name;
|
||||
hooks = {
|
||||
post-receive = git.irc-announce {
|
||||
nick = config.networking.hostName; # TODO make this the default
|
||||
channel = "#retiolum";
|
||||
server = "ire.retiolum";
|
||||
};
|
||||
};
|
||||
};
|
||||
rules = with git; with users; [
|
||||
{ user = lass;
|
||||
repo = [ repo ];
|
||||
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||
}
|
||||
{ user = [ tv makefu uriel ];
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
public = repo-name:
|
||||
rec {
|
||||
repo = {
|
||||
name = repo-name;
|
||||
hooks = {
|
||||
post-receive = git.irc-announce {
|
||||
nick = config.networking.hostName; # TODO make this the default
|
||||
channel = "#retiolum";
|
||||
server = "ire.retiolum";
|
||||
};
|
||||
};
|
||||
public = true;
|
||||
};
|
||||
rules = with git; with users; [
|
||||
{ user = lass;
|
||||
repo = [ repo ];
|
||||
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||
}
|
||||
{ user = [ tv makefu uriel ];
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
secret = repo-name:
|
||||
rec {
|
||||
repo = {
|
||||
name = repo-name;
|
||||
hooks = {};
|
||||
};
|
||||
rules = with git; with users; [
|
||||
{ user = lass;
|
||||
repo = [ repo ];
|
||||
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||
}
|
||||
{ user = [ uriel ];
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
tv-lass = repo-name:
|
||||
rec {
|
||||
repo = {
|
||||
name = repo-name;
|
||||
hooks = {};
|
||||
};
|
||||
rules = with git; with users; [
|
||||
{ user = lass;
|
||||
repo = [ repo ];
|
||||
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||
}
|
||||
{ user = [ tv ];
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
imports = [
|
||||
../tv/git
|
||||
];
|
||||
|
||||
services.git =
|
||||
let
|
||||
inherit (builtins) readFile;
|
||||
# TODO lib should already include our stuff
|
||||
inherit (import ../../lib { inherit lib pkgs; }) addNames git;
|
||||
|
||||
krebs-private = name: desc:
|
||||
{
|
||||
inherit desc;
|
||||
hooks = {
|
||||
post-receive = git.irc-announce {
|
||||
nick = config.networking.hostName; # TODO make this the default
|
||||
channel = "#retiolum";
|
||||
server = "ire.retiolum";
|
||||
};
|
||||
};
|
||||
}
|
||||
in rec {
|
||||
enable = true;
|
||||
|
||||
users = addNames {
|
||||
tv = { pubkey = readFile <pubkeys/tv.ssh.pub>; };
|
||||
lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
|
||||
uriel = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
|
||||
makefu = { pubkey = "xxx"; };
|
||||
};
|
||||
|
||||
repos = addNames {
|
||||
shitment = {
|
||||
desc = "shitment repository";
|
||||
hooks = {
|
||||
post-receive = git.irc-announce {
|
||||
nick = config.networking.hostName; # TODO make this the default
|
||||
channel = "#retiolum";
|
||||
server = "ire.retiolum";
|
||||
};
|
||||
};
|
||||
public = true;
|
||||
};
|
||||
testing = {
|
||||
desc = "testing repository";
|
||||
hooks = {
|
||||
post-receive = git.irc-announce {
|
||||
nick = config.networking.hostName; # TODO make this the default
|
||||
channel = "#repository";
|
||||
server = "ire.retiolum";
|
||||
};
|
||||
};
|
||||
public = true;
|
||||
};
|
||||
};
|
||||
|
||||
rules = with git; with users; with repos; [
|
||||
{ user = lass;
|
||||
repo = [ testing shitment ];
|
||||
perm = push master [ non-fast-forward create delete merge ];
|
||||
}
|
||||
{ user = [ tv uriel makefu ];
|
||||
repo = [ testing shitment ];
|
||||
perm = fetch;
|
||||
}
|
||||
];
|
||||
};
|
||||
tv.git = {
|
||||
enable = true;
|
||||
inherit repos rules users;
|
||||
};
|
||||
}
|
||||
|
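Review bot: `makefu = { pubkey = "xxx"; };` in the new `users` set is a placeholder that is then granted `fetch` on every `krebs-private` and `public` repo; depending on what `addNames`/`tv.git` do with the string it is either installed as a bogus key or rejected at build time, so either leave makefu out of the `user = [ tv makefu uriel ]` lists until a real key is present or mark the line `# TODO: placeholder key, grants no access`. On style, the four constructors (`krebs-private`, `public`, `secret`, `tv-lass`) repeat the `{ user = lass; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; }` rule verbatim; a small `lass-push = repo: { … }` helper in the `let` would cut the file by roughly a third. The whole `let` block also appears identical to the new file old/modules/uriel/git.nix in this commit, so a shared module under ../lass would keep the two hosts from drifting.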
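--- a/old/modules/mors/paths.nix
+++ b/old/modules/mors/paths.nix
@@ -0,0 +1,12 @@
+{
+lib.file.url = ../../lib;
+modules.file.url = ../../modules;
+nixpkgs.git = {
+url = https://github.com/Lassulus/nixpkgs;
+rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
+cache = ../../tmp/git-cache;
+};
+pubkeys.file.url = ../../pubkeys;
+retiolum-hosts.file.url = ../../hosts;
+secrets.file.url = ../../secrets;
+}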
@ -35,6 +35,15 @@
|
||||
extraConfig = "option hook.post-receive = irc-announce";
|
||||
};
|
||||
|
||||
emse-drywall = {
|
||||
users = {
|
||||
lass = "RW+";
|
||||
uriel = "R";
|
||||
tv = "R";
|
||||
};
|
||||
extraConfig = "option hook.post-receive = irc-announce";
|
||||
};
|
||||
|
||||
emse-hsdb = {
|
||||
users = {
|
||||
lass = "RW+";
|
||||
|
@ -2,12 +2,12 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../tv/retiolum.nix
|
||||
../tv/retiolum
|
||||
];
|
||||
|
||||
services.retiolum = {
|
||||
tv.retiolum = {
|
||||
enable = true;
|
||||
hosts = ../../hosts;
|
||||
hosts = <retiolum-hosts>;
|
||||
privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
|
||||
connectTo = [
|
||||
"fastpoke"
|
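Review bot: `hosts = <retiolum-hosts>;` switches this host to a NIX_PATH lookup (the entry is defined in the new old/modules/mors/paths.nix), while the new old/modules/uriel/retiolum.nix in the same commit still uses `hosts = ../../hosts;`; pick one form so both hosts resolve the tinc host list the same way. A `<retiolum-hosts>` lookup fails evaluation when the path entry is missing, so a comment on that line, `# resolved via NIX_PATH, see mors/paths.nix`, would point the next reader at the right place.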
@ -3,8 +3,7 @@
|
||||
{
|
||||
imports = [
|
||||
../lass/desktop-base.nix
|
||||
../lass/retiolum-uriel.nix
|
||||
../lass/xserver-lass.nix
|
||||
./retiolum.nix
|
||||
../lass/browsers.nix
|
||||
../lass/programs.nix
|
||||
../lass/games.nix
|
||||
@ -18,11 +17,12 @@
|
||||
../lass/bird.nix
|
||||
./repos.nix
|
||||
../lass/chromium-patched.nix
|
||||
./git.nix
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
url = "https://github.com/Lassulus/nixpkgs";
|
||||
rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
|
||||
rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
|
||||
};
|
||||
|
||||
networking.hostName = "uriel";
|
||||
@ -106,6 +106,10 @@
|
||||
environment.systemPackages = with pkgs; [
|
||||
];
|
||||
|
||||
#for google hangout
|
||||
|
||||
users.extraUsers.google.extraGroups = [ "audio" "video" ];
|
||||
|
||||
|
||||
#users.extraGroups = {
|
||||
# loot = {
|
||||
|
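Review bot: `users.extraUsers.google.extraGroups = [ "audio" "video" ];` is the only definition of the `google` account visible in this commit; if it is not declared elsewhere, this one line creates the user with the module's defaults as a side effect of granting device-group membership. Make the account explicit, or at least say where it is declared, by extending the existing comment to `#for google hangout — account declared in <file>`. The surrounding attribute set starts before this hunk.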
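--- a/old/modules/uriel/git.nix
+++ b/old/modules/uriel/git.nix
@@ -0,0 +1,130 @@
+{ config, lib, pkgs, ... }:
+
+let
+inherit (builtins) map readFile;
+inherit (lib) concatMap listToAttrs;
+# TODO lib should already include our stuff
+inherit (import ../../lib { inherit lib pkgs; }) addNames git;
+
+x-repos = [
+(krebs-private "brain")
+
+(public "painload")
+(public "shitment")
+(public "wai-middleware-time")
+(public "web-routes-wai-custom")
+
+(secret "pass")
+
+(tv-lass "emse-drywall")
+(tv-lass "emse-hsdb")
+];
+
+users = addNames {
+tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
+lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
+makefu = { pubkey = "xxx"; };
+};
+
+repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
+
+rules = concatMap ({ rules, ... }: rules) x-repos;
+
+krebs-private = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {
+post-receive = git.irc-announce {
+nick = config.networking.hostName; # TODO make this the default
+channel = "#retiolum";
+server = "ire.retiolum";
+};
+};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+
+public = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {
+post-receive = git.irc-announce {
+nick = config.networking.hostName; # TODO make this the default
+channel = "#retiolum";
+server = "ire.retiolum";
+};
+};
+public = true;
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+
+secret = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+
+tv-lass = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+
+in
+
+{
+imports = [
+../tv/git
+];
+
+tv.git = {
+enable = true;
+inherit repos rules users;
+};
+}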
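--- a/old/modules/uriel/retiolum.nix
+++ b/old/modules/uriel/retiolum.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+../tv/retiolum
+../lass/iptables
+];
+
+tv.retiolum = {
+enable = true;
+hosts = ../../hosts;
+privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
+connectTo = [
+"fastpoke"
+"gum"
+"ire"
+];
+};
+
+#networking.firewall.allowedTCPPorts = [ 655 ];
+#networking.firewall.allowedUDPPorts = [ 655 ];
+#lass.iptables = {
+# #input-internet-accept-new-tcp = [ "tinc" ];
+# #input-internet-accept-new-udp = [ "tinc" ];
+# tables.retiolum = {
+# interfaces = [ "retiolum" "wl0" ];
+# allowed-tcp = [ "tinc" ];
+# allowed-udp = [ "tinc" ];
+# };
+#};
+}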
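Review bot: With `../lass/iptables` imported and base.nix setting `filter.INPUT.policy = "DROP"` with only TCP 22 accepted, the `#networking.firewall.allowedTCPPorts = [ 655 ];` / `#networking.firewall.allowedUDPPorts = [ 655 ];` lines that the deleted file earlier in this commit used to enable inbound tinc are now just comments, so uriel can only reach peers it dials via `connectTo` and accepts no inbound tinc connections (assuming uriel reaches base.nix through desktop-base.nix). If that is intended, say so in place of the commented lines; if not, add `{ predicate = "-p tcp --dport 655"; target = "ACCEPT"; }` and the UDP equivalent to this host's `lass.iptables.tables.filter.INPUT.rules`. The commented `#lass.iptables = { … tables.retiolum = { interfaces = …` block uses option names (`interfaces`, `allowed-tcp`, `allowed-udp`) that options.nix does not define, so it is stale and should be dropped rather than left as a misleading example.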