Merge remote-tracking branch 'prism/master'

tv 2016-06-30 16:31:05 +02:00
commit d81b068113
98 changed files with 1918 additions and 632 deletions


@ -1,4 +1,4 @@
arg@{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (pkgs) writeText; inherit (pkgs) writeText;


@ -91,6 +91,7 @@ with config.krebs.lib;
"prism.retiolum" "prism.retiolum"
"prism.r" "prism.r"
"cgit.prism.retiolum" "cgit.prism.retiolum"
"cache.prism.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -107,36 +108,17 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_rsa>; ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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"; ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChm4sqQ2bUZj+2YnTf6G5HHRTpSe1jTUhJRnwcYPYZKF+CBqBncipRpuGlGXEsptNa+7ZMcQC0ySsz5SUOMt3Ih+NehVe/qt3VtRz0l0MgOWmH2qBwKK9Y4IuxrJQzUmP4UGlOGlFj9DORssSMOyFIG4eZ9k2qMn3xal0NVRfGTShKlouWsiUILZ8I+sDNE00z8DAYesgc1yazvRnjzvLkRxdNdpYiAFBbmXMpPKK95McRJaWsuNSeal9kd5p5PagWcgN4DZ6+ebzz3NKnmzk4j+vuHX0U9lTXBqKMlzzmM2YNLRtDPfrtJNyHqLpZUpFhJKqZCD+4/0zdrzRfC7Th+5czzUCSvHiKPVsqw5eOdiQX6EyzNAF5zpkpRp//QdUNNXC5/Ku6GKCO491+TuA8VCha0fOwBONccTLUI/hGNmCh88mLbukVoeGJrbYNCOA/6kEz7ZLEveU4i+TT7okhDElMsNk+AWCZ8/NdJQNX3/K6+JJ9qAn+/yC8LdjgYYJ2oU/aw5/HyOgiQ0z4n9UfQ7j+nHysY9CQb1b3guX7yjJoc3KpNXCXEztuIRHjFD1EP8NRTSmGjsa/VjLmTLSsqjD+7IE5mT0tO5RJvmagDgdJSr/iR5D9zjW7hx7ttvektrlp9g0v3CiCFVaW4l95hGYT0HaNBLJ5R0YHm0lD+Q==";
}; };
fastpoke = { domsen-nas = {
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "193.22.164.36";
aliases = [ aliases = [
"fastpoke.internet" "domsen-nas.internet"
]; ];
}; ip4.addr = "87.138.180.167";
retiolum = { ssh.port = 2223;
via = internet;
ip4.addr = "10.243.253.152";
ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00";
aliases = [
"fastpoke.retiolum"
"fastpoke.r"
"cgit.fastpoke.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs4p5xsQYx06v+OkUbc09K6voFAbkvO66QdFoM71E10XyCeLP6iuq
DaIOFN4GrPR36pgyjqtJ+62G9uR+WsB/y14eio1p1ivDWgcpt5soOZAH5zVRRD9O
FBDlgVNwIJ6stMHy6OenEKWsfEiZRN3XstnqAqyykzjddglth1tJntn6kbZehzNQ
ezfIyN4XgaX2fhSu+UnAyLcV8wWnF9cMABjz7eKcSmRJgtG4ZiuDkbgiiEew7+pB
EPqOVQ80lJvzQKgO4PmVoAjD9A+AHnmLJNPDQQi8nIVilGCT60IX+XT1rt85Zpdy
rEaeriw/qsVJnberAhDAdQYYuM1ai2H5swIDAQAB
-----END RSA PUBLIC KEY-----
'';
}; };
}; };
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRyEogeejET/UlqYYzrla3W2xG771oLK8uTFsVlVQFes4/c++Pp3KryJ/+avb/FQGlUb5YTO2SViZyAPTyw3Anv/8wxryB6ExDcfiiPL9D4Kgk559Gc1C+8vJu3Se3zB9huefllhdwsVkeFrInyWRarH3LNSbBq1TH2Rw/T4wyDVILu/QFxyqECdNzi6sufQ/92rEi3oDqlMbS8f45nbVm9CJpdn7ATwLW1PoBrrYkGll3P7ggOmR45rgldTVCLq3rIrIooiOaOhY1Leq+/sBeDa7fVeRFxFaLGYb9KFjQ4x2kL+3dDv0r726wKhrMQX75g/+Hqkv2di4/AGETI71b"; ssh.pubkey = "ssh-dss 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";
}; };
cloudkrebs = { cloudkrebs = {
cores = 1; cores = 1;
@ -314,5 +296,13 @@ with config.krebs.lib;
fritz = { fritz = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
}; };
prism-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR9oL/OPHjjKjQ+IyRqWpgrXdZrKKAwFKIte8gYml6C";
mail = "lass@prism.r";
};
mors-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
mail = "lass@mors.r";
};
}; };
} }
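Review bot: The new domsen-nas entry registers its SSH host key as `ssh-dss` (the `ssh.pubkey` line that replaces the old fastpoke block). OpenSSH DSA host keys are fixed at 1024 bits and OpenSSH 7.0 and later refuse ssh-dss by default, so a known_hosts entry generated from this will either make clients reject the NAS or force a `HostKeyAlgorithms=+ssh-dss` override that weakens host authentication for every host it applies to. Prefer regenerating an ed25519 or RSA host key on the NAS; if its firmware cannot, record that explicitly next to the key, e.g. `# ssh-dss: legacy NAS firmware, clients need HostKeyAlgorithms=+ssh-dss`. The key material itself is redacted on this page, so this is based on the key type alone.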


@ -48,6 +48,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
siem = {
ip4.addr = "10.8.10.2";
aliases = [
"darth.siem"
];
};
}; };
}; };
tsp = { tsp = {
@ -98,6 +104,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
siem = {
ip4.addr = "10.8.10.4";
aliases = [
"arch.siem"
];
};
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
@ -184,6 +196,8 @@ with config.krebs.lib;
internet = { internet = {
ip4.addr = "104.233.87.86"; ip4.addr = "104.233.87.86";
aliases = [ aliases = [
"wry.i"
"paste.i"
"wry.internet" "wry.internet"
"paste.internet" "paste.internet"
]; ];
@ -194,10 +208,10 @@ with config.krebs.lib;
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [ aliases = [
"graphs.wry.retiolum" "graphs.wry.retiolum"
"graphs.retiolum" "graphs.r" "graphs.retiolum"
"paste.wry.retiolum" "paste.wry.retiolum"
"paste.retiolum" "paste.r" "paste.retiolum"
"wry.retiolum" "wry.r" "wry.retiolum"
"wiki.makefu.retiolum" "wiki.makefu.retiolum"
"wiki.wry.retiolum" "wiki.wry.retiolum"
"blog.makefu.retiolum" "blog.makefu.retiolum"
@ -232,15 +246,16 @@ with config.krebs.lib;
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [ aliases = [
"filepimp.retiolum" "filepimp.retiolum"
"filepimp.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY MIIBCgKCAQEA43w+A1TMOfugZ/CVwilJn4c36wWSjihaeVe7suZD0DSscKBcbkGg
BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3 3dTCSTnu6Qb9sYd2mKebKXLreO6nhEEoFGsRU0yw/1h8gl7mWYEdTifPfvM5EWwS
i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7 wkN9dJ5njwIUSRyWH7QTsLkiRJVFN2UxEwrhAbo1FJ7yuhRgAKqKJSN4yPVViZwR
09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS oHyyobvm/i2J+XSiDI9MRo74vNjnDLvO7R6ErIrhOPP1bD9fx3u+UYUfgS0iCO3X
u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa UN0duBz/faRcl6IRytZOuHaIp30eJ4850ZK8RPz/Dqqj+USMFq60i0oMsuAi/ljB
OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB 8b+eQBt6OXu4MSntxoR8Ja7ht+EOTDnBOwIDAQAB
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
@ -339,6 +354,42 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
}; };
shoney = rec {
cores = 1;
nets = {
siem = {
ip4.addr = "10.8.10.1";
aliases = [
"sjump.siem"
"graphs.siem"
];
};
internet = {
ip4.addr = "64.137.234.215";
aliases = [
"shoney.i"
];
};
retiolum = {
ip4.addr = "10.243.205.131";
ip6.addr = "42:490d:cd82:d2bb:56d5:abd1:b88b:e8b4";
aliases = [
"shoney.retiolum"
"shoney.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsYXzbotmODJqos+Ilve8WyO2qBti6eMDSOP59Aqb18h8A5b4tCTL
ygDo2xLLzRaINQAxfdaKcdMOWSEkiy1j/pBYs1tfqv4mT6BO+1t8LXz82D+YcT+4
okGXklZ/H5L+T9cynbpKIwzTrw0DuOUhzs/WRFJU60B4cJ0Tl3IQs5ePX1SevVht
M5n1ob47SCHxEuC+ZLNdLc6KRumcp3Ozk6Yxj3lZ0tqyngxY1C+1kTJwRyw9A7vO
+DAH8t1YusYi7ICHcYt5J1p0ZGizcs8oEnZLBy4D+bJX86g7zbix1lZ37LxDCpQ5
uCoAYFes7QqLVDYhucZ5ElRWdATM2mBtZwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
# non-stockholm # non-stockholm
@ -426,6 +477,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
}; };
lariat = rec {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.64.7";
aliases = [
"lariat.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqiDzxADQYY8cWBH+R5aKSoxaFHLvPvVMgB7R1Y6QVTqD5YUCuINX
eBLFV9idHnHzdZU+xo/c8EFQf0hvyP0z3bcXaiw+RlpEYdK6tuaypJ3870toqWmA
269H8ufA3DA0hxlY7dwnhg8Rb7KGIlNN8fy4RMGe73PupF5aAmiDiEhPalv4E0qJ
unmk5y1OHQFPxYm++yLo5SVFlcO89jDtGpvg5papp8JvtxTkrshby1lXf/sph3Cv
d1z6h7S+HgT+BMwTZY5dIrwYAcob/t1sRmWsY62P1n02RbiJFm27wg0t/ZcfsI2o
yBjRTiK5ACJaIdpM99/902gJsuJASPGB2QIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
soundflower = rec { soundflower = rec {
cores = 1; cores = 1;
nets = { nets = {
@ -568,6 +641,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
}; };
}; };
} // { # hosts only maintained in stockholm, not owned by me
muhbaasu = rec { muhbaasu = rec {
cores = 1; cores = 1;
nets = { nets = {
@ -596,7 +670,6 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
}; };
}; };
}; };
} // { # hosts only maintained in stockholm, not owned by me
tpsw = { tpsw = {
cores = 2; cores = 2;
owner = config.krebs.users.ciko; # main laptop owner = config.krebs.users.ciko; # main laptop
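Review bot: The new `shoney` host carries an internet address and a tinc key but no `ssh.pubkey`, unlike the neighbouring `gum` and `tsp` entries, and the same holds for the new `lariat`; as far as this hunk shows, no known_hosts entry will be generated for either. For a host aliased `sjump.siem` (apparently a jump host into the 10.8.10.0/24 `siem` network) that means first contact is trust-on-first-use. Suggest adding `ssh.privkey.path`/`ssh.pubkey` as for gum, or a comment such as `# no ssh.pubkey yet: host key not collected` so the gap is deliberate. If the siem network is also tinc-based, the `siem` sub-attrsets on darth, tsp and shoney carry no `tinc.pubkey`; worth confirming how that network is keyed.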


@ -11,14 +11,14 @@ let
api = { api = {
enable = mkEnableOption "repo-sync"; enable = mkEnableOption "repo-sync";
config = mkOption { repos = mkOption {
type = with types;attrsOf (attrsOf (attrsOf str)); type = with types;attrsOf (attrsOf (attrsOf (attrsOf str)));
example = literalExample '' example = literalExample ''
# see `repo-sync --help` # see `repo-sync --help`
# `ref` provides sane defaults and can be omitted # `ref` provides sane defaults and can be omitted
# attrset will be converted to json and be used as config # attrset will be converted to json and be used as config
{ { repo = {
makefu = { makefu = {
origin = { origin = {
url = http://github.com/makefu/repo ; url = http://github.com/makefu/repo ;
@ -44,6 +44,7 @@ let
}; };
}; };
}; };
};
''; '';
}; };
timerConfig = mkOption { timerConfig = mkOption {
@ -56,53 +57,75 @@ let
type = types.str; type = types.str;
default = "/var/lib/repo-sync"; default = "/var/lib/repo-sync";
}; };
user = mkOption {
type = types.user;
default = {
name = "repo-sync";
home = cfg.stateDir;
};
};
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.str; type = types.secret-file;
description = '' default = {
used by repo-sync to identify with ssh service path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key";
};
};
unitConfig = mkOption {
type = types.attrsOf types.str;
description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit";
example = literalExample ''
# do not start when running on umts
{ ConditionPathExists = "!/var/run/ppp0.pid"; }
''; '';
default = toString <secrets/wolf-repo-sync.rsa_key.priv>; default = {};
}; };
}; };
repo-sync-config = pkgs.writeText "repo-sync-config.json"
(builtins.toJSON cfg.config);
imp = { imp = {
users.users.repo-sync = { krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
name = "repo-sync"; users.users.${cfg.user.name} = {
uid = genid "repo-sync"; inherit (cfg.user) home name uid;
description = "repo-sync user";
home = cfg.stateDir;
createHome = true; createHome = true;
description = "repo-sync user";
}; };
systemd.timers.repo-sync = { systemd.timers = mapAttrs' (name: repo:
nameValuePair "repo-sync-${name}" {
description = "repo-sync timer"; description = "repo-sync timer";
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig; timerConfig = cfg.timerConfig;
}; }
systemd.services.repo-sync = { ) cfg.repos;
description = "repo-sync";
after = [ "network.target" ];
path = with pkgs; [ ]; systemd.services = mapAttrs' (name: repo:
let
repo-sync-config = pkgs.writeText "repo-sync-config-${name}.json"
(builtins.toJSON repo);
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
after = [ "network.target" "secret.service" ];
environment = { environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv"; GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv";
REPONAME = "${name}.git";
}; };
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
PermissionsStartOnly = true; PermissionsStartOnly = true;
ExecStartPre = pkgs.writeDash "prepare-repo-sync-user" ''
cp -v ${shell.escape cfg.privateKeyFile} ${cfg.stateDir}/ssh.priv
chown repo-sync ${cfg.stateDir}/ssh.priv
'';
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir; WorkingDirectory = cfg.stateDir;
User = "repo-sync"; User = "repo-sync";
}; };
}; unitConfig = cfg.unitConfig;
}
) cfg.repos;
}; };
in out in out
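Review bot: `privateKeyFile` is now a `secret-file` whose `path` is configurable, but `GIT_SSH_COMMAND` still points at the fixed `${cfg.stateDir}/ssh.priv`, so overriding `privateKeyFile.path` leaves ssh looking for a key that is never placed there; use `GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";`. The per-repo unit only orders itself `after` secret.service and does not `requires`/`wants` it, while the nix-serve unit added elsewhere in this commit does both, so a repo-sync timer can fire before the key has been installed. The new `unitConfig` option's description still says "fetchWallpaper"; it should read "Extra unit configuration for repo-sync …".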


@ -20,6 +20,18 @@ let
default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat";
}; };
hostsPath = mkOption {
type = types.str;
description = "Path to Hosts directory";
default = "${config.krebs.retiolum.hostsPackage}";
};
network = mkOption {
type = types.str;
description = "Tinc Network to use";
default = "retiolum";
};
nginx = { nginx = {
enable = mkEnableOption "enable tinc_graphs to be served with nginx"; enable = mkEnableOption "enable tinc_graphs to be served with nginx";
@ -85,7 +97,8 @@ let
EXTERNAL_FOLDER = external_dir; EXTERNAL_FOLDER = external_dir;
INTERNAL_FOLDER = internal_dir; INTERNAL_FOLDER = internal_dir;
GEODB = cfg.geodbPath; GEODB = cfg.geodbPath;
TINC_HOSTPATH = config.krebs.retiolum.hostsPackage; TINC_HOSTPATH = cfg.hostsPath;
TINC_NETWORK = cfg.network;
}; };
restartIfChanged = true; restartIfChanged = true;
@ -103,7 +116,7 @@ let
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}" cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}"
fi fi
''; '';
ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs"; ExecStart = ''${pkgs.tinc_graphs}/bin/all-the-graphs "${cfg.network}"'';
ExecStartPost = pkgs.writeDash "tinc_graphs-post" '' ExecStartPost = pkgs.writeDash "tinc_graphs-post" ''
# TODO: this may break if workingDir is set to something stupid # TODO: this may break if workingDir is set to something stupid
@ -121,8 +134,9 @@ let
uid = genid "tinc_graphs"; uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs"; home = "/var/spool/tinc_graphs";
}; };
krebs.nginx = mkIf cfg.nginx.enable {
krebs.nginx.servers = mkIf cfg.nginx.enable { enable = mkDefault true;
servers = {
tinc_graphs_complete = mkMerge [ cfg.nginx.complete { tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
locations = [ locations = [
(nameValuePair "/" '' (nameValuePair "/" ''
@ -141,6 +155,7 @@ let
}]; }];
}; };
}; };
};
in in
out out
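Review bot: The new `network` option is independent of `hostsPath`, whose default stays `config.krebs.retiolum.hostsPackage`; setting `network = "siem"` without also setting `hostsPath` will, as far as these lines show, draw the siem graph from the retiolum hosts directory. Either document that both must be set together, e.g. `description = "Tinc network to use; set hostsPath to the matching hosts directory";`, or derive the default from the selected network if a per-network hosts package exists. `cfg.network` is also interpolated straight into `ExecStart`; it is operator-controlled, but a value containing quotes would break the systemd command line.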


@ -3,6 +3,9 @@
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
name = "Reaktor-${version}"; name = "Reaktor-${version}";
version = "0.5.1"; version = "0.5.1";
doCheck = false;
propagatedBuildInputs = with pkgs;[ propagatedBuildInputs = with pkgs;[
python3Packages.docopt python3Packages.docopt
python3Packages.requests2 python3Packages.requests2
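Review bot: `doCheck = false;` disables the package's test suite without saying why, so nobody will know when it is safe to re-enable. Add the reason inline, e.g. `doCheck = false; # TODO: <which tests fail and why>`, so the exemption is reviewable.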


@ -38,13 +38,13 @@ with config.krebs.lib;
ReaktorPlugins = callPackage ./Reaktor/plugins.nix {}; ReaktorPlugins = callPackage ./Reaktor/plugins.nix {};
#buildbot = callPackage <nixpkgs/pkgs/development/tools/build-managers/buildbot> { buildbot = callPackage <nixpkgs/pkgs/development/tools/build-managers/buildbot> {
# inherit (pkgs.pythonPackages) twisted jinja2; inherit (pkgs.pythonPackages) twisted jinja2;
# dateutil = pkgs.pythonPackages.dateutil_1_5; dateutil = pkgs.pythonPackages.dateutil_1_5;
# sqlalchemy_migrate_0_7 = pkgs.pythonPackages.sqlalchemy_migrate_func (pkgs.pythonPackages.sqlalchemy7.override { sqlalchemy_migrate_0_7 = pkgs.pythonPackages.sqlalchemy_migrate_func (pkgs.pythonPackages.sqlalchemy7.override {
# doCheck = false; doCheck = false;
# }); });
#}; };
# XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d # XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d
symlinkJoin = { name, paths, ... }@args: let symlinkJoin = { name, paths, ... }@args: let


@ -8,13 +8,14 @@ let
}; };
# TODO irc-announce should return a derivation # TODO irc-announce should return a derivation
irc-announce = { nick, channel, server, port ? 6667, verbose ? false }: '' irc-announce = { nick, channel, server, port ? 6667, verbose ? false, branches ? [] }: ''
#! /bin/sh #! /bin/sh
set -euf set -euf
export PATH=${makeBinPath (with pkgs; [ export PATH=${makeBinPath (with pkgs; [
coreutils coreutils
git git
gnugrep
gnused gnused
])} ])}
@ -54,6 +55,12 @@ let
h=$(echo $ref | sed 's:^refs/heads/::') h=$(echo $ref | sed 's:^refs/heads/::')
${optionalString (branches != []) ''
if ! (echo "$h" | grep -qE "${concatStringsSep "|" branches}"); then
echo "we are not serving this branch: $h"
exit 0
fi
''}
# empty_tree=$(git hash-object -t tree /dev/null) # empty_tree=$(git hash-object -t tree /dev/null)
empty_tree=4b825dc6 empty_tree=4b825dc6
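Review bot: The branch filter is an unanchored regex, so `branches = [ "master" ]` also announces pushes to `feature/master-rework`, and any regex metacharacter in a branch name is interpreted rather than matched literally. Match the whole branch name instead: `if ! (echo "$h" | grep -qxE "(${concatStringsSep "|" branches})"); then`, or use `-F` with a newline-separated list if literal names are intended. The surrounding script starts before this hunk.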


@ -13,7 +13,6 @@ in {
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/git.nix ../2configs/git.nix
../2configs/realwallpaper.nix ../2configs/realwallpaper.nix
../2configs/realwallpaper-server.nix
../2configs/privoxy-retiolum.nix ../2configs/privoxy-retiolum.nix
{ {
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [


@ -5,7 +5,7 @@
../. ../.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/default.nix ../2configs/default.nix
../2configs/exim-retiolum.nix #../2configs/exim-retiolum.nix
../2configs/git.nix ../2configs/git.nix
{ {
boot.loader.grub = { boot.loader.grub = {
@ -63,6 +63,35 @@
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; } { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
]; ];
} }
{
#TODO: abstract & move to own file
krebs.exim-smarthost = {
enable = true;
relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
config.krebs.hosts.mors
config.krebs.hosts.uriel
config.krebs.hosts.helios
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "lass"; }
];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
];
}
]; ];
krebs.build.host = config.krebs.hosts.dishfire; krebs.build.host = config.krebs.hosts.dishfire;
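Review bot: The new INPUT rule `-p tcp --dport smtp` accepts port 25 on every interface, but the smarthost only relays for three retiolum addresses, and dishfire already exposes https publicly. Unless the host is meant to receive mail from the internet, restrict the rule to the overlay, e.g. `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }`, so the listener is not reachable from the public address at all. The `exim-retiolum.nix` import is commented out rather than removed; the `#TODO` already notes this block should move to its own file.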


@ -11,7 +11,7 @@ in {
../2configs/default.nix ../2configs/default.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/realwallpaper-server.nix ../2configs/realwallpaper.nix
../2configs/privoxy-retiolum.nix ../2configs/privoxy-retiolum.nix
../2configs/git.nix ../2configs/git.nix
#../2configs/redis.nix #../2configs/redis.nix


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../. ../.
../2configs/hw/tp-x220.nix
../2configs/baseX.nix ../2configs/baseX.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/programs.nix ../2configs/programs.nix
@ -14,22 +15,18 @@
../2configs/elster.nix ../2configs/elster.nix
../2configs/steam.nix ../2configs/steam.nix
../2configs/wine.nix ../2configs/wine.nix
#../2configs/texlive.nix
../2configs/binary-caches.nix
#../2configs/ircd.nix
../2configs/chromium-patched.nix ../2configs/chromium-patched.nix
../2configs/git.nix ../2configs/git.nix
#../2configs/wordpress.nix
../2configs/bitlbee.nix ../2configs/bitlbee.nix
#../2configs/firefoxPatched.nix
../2configs/skype.nix ../2configs/skype.nix
../2configs/teamviewer.nix ../2configs/teamviewer.nix
../2configs/libvirt.nix ../2configs/libvirt.nix
../2configs/fetchWallpaper.nix ../2configs/fetchWallpaper.nix
../2configs/cbase.nix ../2configs/c-base.nix
../2configs/mail.nix ../2configs/mail.nix
../2configs/krebs-pass.nix ../2configs/krebs-pass.nix
#../2configs/buildbot-standalone.nix ../2configs/umts.nix
../2configs/repo-sync.nix
{ {
#risk of rain port #risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
@ -57,17 +54,10 @@
# package = pkgs.postgresql; # package = pkgs.postgresql;
# }; # };
#} #}
{
}
]; ];
krebs.build.host = config.krebs.hosts.mors; krebs.build.host = config.krebs.hosts.mors;
networking.wireless.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = { boot = {
loader.grub.enable = true; loader.grub.enable = true;
loader.grub.version = 2; loader.grub.version = 2;
@ -77,7 +67,6 @@
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ]; #kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
@ -131,8 +120,8 @@
}; };
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:85:c9", NAME="et0"
''; '';
#TODO activationScripts seem broken, fix them! #TODO activationScripts seem broken, fix them!
@ -146,7 +135,7 @@
#Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp]
#echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' #echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control'
#Autosuspend for USB device Biometric Coprocessor #Autosuspend for USB device Biometric Coprocessor
echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' #echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
#Runtime PMs #Runtime PMs
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
@ -168,22 +157,6 @@
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
''; '';
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.xserver = {
videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel ];
deviceSection = ''
Option "AccelMethod" "sna"
BusID "PCI:0:2:0"
'';
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
acronym acronym
cac-api cac-api
@ -214,15 +187,11 @@
}; };
}; };
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
services.mongodb = { services.mongodb = {
enable = true; enable = true;
}; };
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
];
};
};
} }


@ -19,6 +19,8 @@ in {
../2configs/privoxy-retiolum.nix ../2configs/privoxy-retiolum.nix
../2configs/radio.nix ../2configs/radio.nix
../2configs/buildbot-standalone.nix ../2configs/buildbot-standalone.nix
../2configs/repo-sync.nix
../2configs/binary-cache/server.nix
{ {
imports = [ imports = [
../2configs/git.nix ../2configs/git.nix
@ -66,8 +68,6 @@ in {
} }
{ {
#boot.loader.gummiboot.enable = true;
#boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = { boot.loader.grub = {
devices = [ devices = [
"/dev/sda" "/dev/sda"
@ -110,10 +110,6 @@ in {
{ {
sound.enable = false; sound.enable = false;
} }
#{
# #workaround for server dying after 6-7h
# boot.kernelPackages = pkgs.linuxPackages_4_2;
#}
{ {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
} }
@ -202,7 +198,7 @@ in {
} }
{ {
imports = [ imports = [
../2configs/realwallpaper-server.nix ../2configs/realwallpaper.nix
]; ];
krebs.nginx.servers."lassul.us".locations = [ krebs.nginx.servers."lassul.us".locations = [
(lib.nameValuePair "/wallpaper.png" '' (lib.nameValuePair "/wallpaper.png" ''


@ -4,7 +4,9 @@ with builtins;
{ {
imports = [ imports = [
../. ../.
../2configs/hw/tp-x220.nix
../2configs/baseX.nix ../2configs/baseX.nix
../2configs/git.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/browsers.nix ../2configs/browsers.nix
../2configs/programs.nix ../2configs/programs.nix
@ -19,34 +21,10 @@ with builtins;
# }; # };
# }; # };
#} #}
{
#x220 config from mors
#TODO: make x220 config file (or look in other user dir)
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.xserver = {
videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel ];
deviceSection = ''
Option "AccelMethod" "sna"
BusID "PCI:0:2:0"
'';
};
}
]; ];
krebs.build.host = config.krebs.hosts.shodan; krebs.build.host = config.krebs.hosts.shodan;
networking.wireless.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = { boot = {
loader.grub.enable = true; loader.grub.enable = true;
loader.grub.version = 2; loader.grub.version = 2;
@ -56,7 +34,6 @@ with builtins;
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ]; #kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
@ -67,10 +44,15 @@ with builtins;
"/boot" = { "/boot" = {
device = "/dev/sda1"; device = "/dev/sda1";
}; };
"/home/lass" = {
device = "/dev/pool/home-lass";
fsType = "ext4";
};
}; };
#services.udev.extraRules = '' services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
# SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
#''; '';
} }


@ -8,7 +8,13 @@ in {
#./urxvt.nix #./urxvt.nix
./xserver ./xserver
./mpv.nix ./mpv.nix
#./pulse.nix
./power-action.nix
]; ];
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
users.extraUsers.mainUser.extraGroups = [ "audio" ]; users.extraUsers.mainUser.extraGroups = [ "audio" ];
@ -16,11 +22,6 @@ in {
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
programs.ssh.startAgent = false; programs.ssh.startAgent = false;
security.setuidPrograms = [ "slock" ]; security.setuidPrograms = [ "slock" ];
@ -32,6 +33,7 @@ in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
acpi
dmenu dmenu
gitAndTools.qgit gitAndTools.qgit
lm_sensors lm_sensors
@ -44,6 +46,7 @@ in {
sxiv sxiv
xclip xclip
xorg.xbacklight xorg.xbacklight
xorg.xhost
xsel xsel
zathura zathura


@ -0,0 +1,9 @@
{ config, ... }:
{
nix = {
binaryCaches = ["http://cache.prism.r"];
binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
};
}
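Review bot: The cache is fetched over plain `http://cache.prism.r`, so integrity rests entirely on the pinned `cache.prism-1` signing key and on Nix refusing unsigned paths. That is fine as long as signature checking stays on; add a comment making that explicit, e.g. `# plain http: integrity comes from the signature key below, keep nix.requireSignedBinaryCaches enabled`, and verify the setting is not disabled elsewhere. Rotating the nix-serve key will require updating this pinned public key on every client.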


@ -0,0 +1,30 @@
{ config, lib, pkgs, ...}:
{
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
services.nix-serve = {
enable = true;
secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
};
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
};
krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key";
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
krebs.nginx = {
enable = true;
servers.nix-serve = {
server-names = [ "cache.prism.r" ];
locations = lib.singleton (lib.nameValuePair "/" ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'');
};
};
}
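Review bot: nginx fronts nix-serve on `proxy_pass http://localhost:…`, but nothing here binds nix-serve itself to loopback; if the module's default bind address is all interfaces, the raw nix-serve port is reachable directly, bypassing the nginx virtual host. Set `bindAddress = "127.0.0.1";` in `services.nix-serve` so only the proxy reaches it. The `server-names` match is by Host header only, so anyone who can reach nginx on any address can still fetch from the cache; that is harmless for signed public store paths but worth stating in a comment if the cache is meant to be retiolum-only.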


@ -1,13 +0,0 @@
{ config, ... }:
{
nix.sshServe.enable = true;
nix.sshServe.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel"
];
nix.binaryCaches = [
#"scp://nix-ssh@mors"
#"scp://nix-ssh@uriel"
];
}


@ -1,6 +1,14 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
{
krebs.buildbot.master = let with config.krebs.lib;
let
sshWrapper = pkgs.writeDash "ssh-wrapper" ''
${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"
'';
in {
config.krebs.buildbot.master = let
stockholm-mirror-url = http://cgit.prism/stockholm ; stockholm-mirror-url = http://cgit.prism/stockholm ;
in { in {
slaves = { slaves = {
@ -25,20 +33,38 @@
sched.append(schedulers.SingleBranchScheduler( sched.append(schedulers.SingleBranchScheduler(
## all branches ## all branches
change_filter=util.ChangeFilter(branch_re=".*"), change_filter=util.ChangeFilter(branch_re=".*"),
# treeStableTimer=10, treeStableTimer=10,
name="fast-all-branches", name="fast-all-branches",
builderNames=["fast-tests"])) builderNames=["fast-tests"]))
''; '';
build-scheduler = ''
# build all hosts
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"),
treeStableTimer=10,
name="prism-all-branches",
builderNames=["build-all"]))
'';
}; };
builder_pre = '' builder_pre = ''
# prepare grab_repo step for stockholm # prepare grab_repo step for stockholm
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental') grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"} # TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
"LOGNAME": "lass",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_makefu = {
"LOGNAME": "makefu",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
# prepare nix-shell # prepare nix-shell
# the dependencies which are used by the test script # the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync" ] deps = [ "gnumake", "jq", "nix", "rsync", "proot" ]
# TODO: --pure , prepare ENV in nix-shell command: # TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE # SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell", nixshell = ["nix-shell",
@ -51,16 +77,45 @@
factory.addStep(steps.ShellCommand(**kwargs)) factory.addStep(steps.ShellCommand(**kwargs))
''; '';
builder = { builder = {
build-all = ''
f = util.BuildFactory()
f.addStep(grab_repo)
for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]:
addShell(f,name="build-{}".format(i),env=env_lass,
command=nixshell + \
["make \
test \
ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
for i in [ "pornocauster", "wry" ]:
addShell(f,name="build-{}".format(i),env=env_makefu,
command=nixshell + \
["make \
test \
ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
bu.append(util.BuilderConfig(name="build-all",
slavenames=slavenames,
factory=f))
'';
fast-tests = '' fast-tests = ''
f = util.BuildFactory() f = util.BuildFactory()
f.addStep(grab_repo) f.addStep(grab_repo)
for i in [ "prism", "mors", "echelon" ]: for i in [ "prism", "mors", "echelon" ]:
addShell(f,name="populate-{}".format(i),env=env, addShell(f,name="populate-{}".format(i),env=env_lass,
command=nixshell + \ command=nixshell + \
["{}( make system={} eval.config.krebs.build.populate \ ["{}( make system={} eval.config.krebs.build.populate \
| jq -er .)".format("!" if "failing" in i else "",i)]) | jq -er .)".format("!" if "failing" in i else "",i)])
addShell(f,name="build-test-minimal",env=env, addShell(f,name="build-test-minimal",env=env_lass,
command=nixshell + \ command=nixshell + \
["nix-instantiate \ ["nix-instantiate \
--show-trace --eval --strict --json \ --show-trace --eval --strict --json \
@ -86,17 +141,17 @@
}; };
}; };
krebs.buildbot.slave = { config.krebs.buildbot.slave = {
enable = true; enable = true;
masterhost = "localhost"; masterhost = "localhost";
username = "testslave"; username = "testslave";
password = "lasspass"; password = "lasspass";
packages = with pkgs;[ git nix gnumake jq rsync ]; packages = with pkgs;[ git nix gnumake jq rsync ];
extraEnviron = { extraEnviron = {
NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; NIX_PATH="nixpkgs=/var/src/nixpkgs";
}; };
}; };
krebs.iptables = { config.krebs.iptables = {
tables = { tables = {
filter.INPUT.rules = [ filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8010"; target = "ACCEPT"; } { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; }
@ -104,4 +159,29 @@
]; ];
}; };
}; };
#ssh workaround for make test
options.lass.build-ssh-privkey = mkOption {
type = types.secret-file;
default = {
path = "${config.users.users.buildbotSlave.home}/ssh.privkey";
owner = { inherit (config.users.users.buildbotSlave ) name uid;};
source-path = toString <secrets> + "/build.ssh.key";
};
};
config.krebs.secret.files = {
build-ssh-privkey = config.lass.build-ssh-privkey;
};
config.users.users = {
build = {
name = "build";
uid = genid "build";
home = "/home/build";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiV0Xn60aVLHC/jGJknlrcxSvKd/MVeh2tjBpxSBT3II9XQGZhID2Gdh84eAtoWyxGVFQx96zCHSuc7tfE2YP2LhXnwaxHTeDc8nlMsdww53lRkxihZIEV7QHc/3LRcFMkFyxdszeUfhWz8PbJGL2GYT+s6CqoPwwa68zF33U1wrMOAPsf/NdpSN4alsqmjFc2STBjnOd9dXNQn1VEJQqGLG3kR3WkCuwMcTLS5eu0KLwG4i89Twjy+TGp2QsF5K6pNE+ZepwaycRgfYzGcPTn5d6YQXBgcKgHMoSJsK8wqpr0+eFPCDiEA3HDnf76E4mX4t6/9QkMXCLmvs0IO/WP lass@mors"
];
};
};
} }


@ -7,6 +7,9 @@ with config.krebs.lib;
../2configs/zsh.nix ../2configs/zsh.nix
../2configs/mc.nix ../2configs/mc.nix
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/nixpkgs.nix
../2configs/binary-cache/client.nix
../2configs/gc.nix
./backups.nix ./backups.nix
{ {
users.extraUsers = users.extraUsers =
@ -52,21 +55,18 @@ with config.krebs.lib;
user = config.krebs.users.lass; user = config.krebs.users.lass;
source = mapAttrs (_: mkDefault) ({ source = mapAttrs (_: mkDefault) ({
nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix";
secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; secrets = if getEnv "dummy_secrets" == "true"
then toString <stockholm/lass/2configs/tests/dummy-secrets>
else "/home/lass/secrets/${config.krebs.build.host.name}";
#secrets-common = "/home/lass/secrets/common"; #secrets-common = "/home/lass/secrets/common";
stockholm = "/home/lass/stockholm"; stockholm = getEnv "PWD";
nixpkgs = {
url = https://github.com/lassulus/nixpkgs;
rev = "f632f8edaf80ffa8bf0b8c9b9064cae3ccbe3894";
dev = "/home/lass/src/nixpkgs";
};
} // optionalAttrs config.krebs.build.host.secure { } // optionalAttrs config.krebs.build.host.secure {
#secrets-master = "/home/lass/secrets/master"; #secrets-master = "/home/lass/secrets/master";
}); });
}; };
}; };
nix.useChroot = true; nix.useSandbox = true;
users.mutableUsers = false; users.mutableUsers = false;
@ -114,8 +114,13 @@ with config.krebs.lib;
#neat utils #neat utils
krebspaste krebspaste
pciutils
psmisc psmisc
q
rs
tmux
untilport untilport
usbutils
#unpack stuff #unpack stuff
p7zip p7zip
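Review bot: `stockholm = getEnv "PWD";` (replacing the fixed `/home/lass/stockholm`) evaluates to an empty string whenever the evaluator is started without PWD in its environment or in a pure evaluation, and krebs.build.source.stockholm then silently points at nothing; a guarded fallback keeps the old behaviour: `stockholm = let p = getEnv "PWD"; in if p == "" then "/home/lass/stockholm" else p;`. The `secrets` selection in the same hunk now hinges on `getEnv "dummy_secrets" == "true"`, which fails safe (an unexpected value only substitutes the dummy tree), but a one-line comment naming the harness that sets it would help, e.g. `# set by the buildbot test run, presumably via make test`. The enclosing `krebs.build.source` attribute set starts before this hunk.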


@ -21,6 +21,7 @@ in {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey config.krebs.users.lass.pubkey
config.krebs.users.lass-uriel.pubkey config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
]; ];
}; };


@ -28,6 +28,8 @@ with config.krebs.lib;
{ from = "wordpress@ubikmedia.de"; to = lass.mail; } { from = "wordpress@ubikmedia.de"; to = lass.mail; }
{ from = "finanzamt@lassul.us"; to = lass.mail; } { from = "finanzamt@lassul.us"; to = lass.mail; }
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "netzclub@lassul.us"; to = lass.mail; }
{ from = "nebenan@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }


@ -5,7 +5,8 @@ let
in { in {
krebs.fetchWallpaper = { krebs.fetchWallpaper = {
enable = true; enable = true;
url = "cloudkrebs/wallpaper.png"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/wallpaper.png";
}; };
} }

8
lass/2configs/gc.nix Normal file

@ -0,0 +1,8 @@
{ config, ... }:
with config.krebs.lib;
{
nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
};
}
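Review bot: The exclusion list `[ "prism" "mors" ]` in `nix.gc.automatic` carries no explanation, so a reader cannot tell whether these hosts must keep old generations (rollback, build cache for the buildbot) or simply run GC by hand. Add a comment above the assignment, e.g. `# TODO(review): state why prism and mors are excluded from automatic GC`, with the real reason filled in. The whole module is inside this hunk.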


@ -29,18 +29,10 @@ let
rules = concatMap make-rules (attrValues repos); rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo { public-repos = mapAttrs make-public-repo {
painload = {};
stockholm = { stockholm = {
cgit.desc = "take all the computers hostage, they'll love you!"; cgit.desc = "take all the computers hostage, they'll love you!";
}; };
wai-middleware-time = {};
web-routes-wai-custom = {};
go = {};
newsbot-js = {};
kimsufi-check = {}; kimsufi-check = {};
realwallpaper = {};
xmonad-stockholm = {};
the_playlist = {};
} // mapAttrs make-public-repo-silent { } // mapAttrs make-public-repo-silent {
the_playlist = {}; the_playlist = {};
}; };
@ -50,8 +42,6 @@ let
brain = { brain = {
collaborators = with config.krebs.users; [ tv makefu ]; collaborators = with config.krebs.users; [ tv makefu ];
}; };
extraction_webinterface = {};
politics-fetching = {};
} // } //
import <secrets/repos.nix> { inherit config lib pkgs; } import <secrets/repos.nix> { inherit config lib pkgs; }
); );
@ -66,6 +56,7 @@ let
channel = "#retiolum"; channel = "#retiolum";
server = "cd.retiolum"; server = "cd.retiolum";
verbose = config.krebs.build.host.name == "prism"; verbose = config.krebs.build.host.name == "prism";
branches = [ "master" ];
}; };
}; };
}; };
@ -84,7 +75,7 @@ let
with git // config.krebs.users; with git // config.krebs.users;
repo: repo:
singleton { singleton {
user = [ lass lass-helios lass-uriel ]; user = [ lass lass-uriel ];
repo = [ repo ]; repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ]; perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++ } ++


@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
{
networking.wireless.enable = lib.mkDefault true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.tlp.enable = true;
services.tlp.extraConfig = ''
# BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
#START_CHARGE_THRESH_BAT0=80
STOP_CHARGE_THRESH_BAT0=95
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
boot = {
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
hardware.opengl.extraPackages = [
pkgs.vaapiIntel
pkgs.vaapiVdpau
];
services.xserver = {
videoDriver = "intel";
deviceSection = ''
Option "AccelMethod" "sna"
'';
};
security.rngd.enable = true;
}
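Review bot: `networking.wireless.enable = lib.mkDefault true;` reaches for the `lib` argument although the file opens with `with config.krebs.lib;`, and nothing else in the file uses that `with`; pick one style — either drop the `with` or write `mkDefault true`. Beyond style, `security.rngd.enable = true` and the `tpm-rng` kernel module presumably belong together (rngd feeding the kernel pool from the TPM's RNG), and a comment linking the two lines would stop a later cleanup from removing one without the other, e.g. `# tpm-rng + rngd: seed the kernel entropy pool from the TPM hardware RNG`. The whole module is within this hunk.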


@ -10,8 +10,9 @@ let
account default: prism account default: prism
''; '';
msmtp = pkgs.writeDashBin "msmtp" '' msmtp = pkgs.writeBashBin "msmtp" ''
exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
''; '';
muttrc = pkgs.writeText "muttrc" '' muttrc = pkgs.writeText "muttrc" ''
@ -42,7 +43,7 @@ let
set nm_record = yes set nm_record = yes
set nm_record_tags = "-inbox me archive" set nm_record_tags = "-inbox me archive"
set virtual_spoolfile=yes # enable virtual folders set virtual_spoolfile=yes # enable virtual folders
set sendmail="msmtp" # enables parsing of outgoing mail set sendmail="${msmtp}/bin/msmtp" # enables parsing of outgoing mail
set use_from=yes set use_from=yes
set envelope_from=yes set envelope_from=yes
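Review bot: `$@` in the new msmtp wrapper is unquoted (`${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@`), so any argument containing whitespace or glob characters is re-split before msmtp sees it; it should read `${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"`. The `tee >(${pkgs.notmuch}/bin/notmuch insert +sent)` branch also tags the message as sent before msmtp has reported success, and a failing `notmuch insert` is invisible because only msmtp's exit status reaches mutt; since this is now a bash script, `set -o pipefail` at least surfaces a tee failure, though the process substitution's own status is still lost. Both lines sit inside the `msmtp = pkgs.writeBashBin` string, which is entirely within the hunk.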


@ -41,7 +41,6 @@ let
cryptogon|http://www.cryptogon.com/?feed=rss2|#news cryptogon|http://www.cryptogon.com/?feed=rss2|#news
csm|http://rss.csmonitor.com/feeds/csm|#news csm|http://rss.csmonitor.com/feeds/csm|#news
csm_world|http://rss.csmonitor.com/feeds/world|#news csm_world|http://rss.csmonitor.com/feeds/world|#news
cyberguerrilla|https://www.cyberguerrilla.org/a/2012/?feed=rss2|#news
danisch|http://www.danisch.de/blog/feed/|#news danisch|http://www.danisch.de/blog/feed/|#news
dod|http://www.defense.gov/news/afps2.xml|#news dod|http://www.defense.gov/news/afps2.xml|#news
dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#news dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#news
@ -102,7 +101,7 @@ let
npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#news npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#news
npr_pol|http://www.npr.org/rss/rss.php?id=1012|#news npr_pol|http://www.npr.org/rss/rss.php?id=1012|#news
npr_world|http://www.npr.org/rss/rss.php?id=1004|#news npr_world|http://www.npr.org/rss/rss.php?id=1004|#news
nsa|http://www.nsa.gov/rss.shtml|#news #bullerei nsa|https://www.nsa.gov/rss.xml|#news #bullerei
nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#news nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#news
painload|https://github.com/krebscode/painload/commits/master.atom|#news painload|https://github.com/krebscode/painload/commits/master.atom|#news
phys|http://phys.org/rss-feed/|#news phys|http://phys.org/rss-feed/|#news


@ -0,0 +1,8 @@
{ ... }:
{
krebs.build.source.nixpkgs = {
url = https://github.com/lassulus/nixpkgs;
rev = "c78f9ad2f91019648bdcf5a911f86ea3a397d290";
};
}


@ -0,0 +1,41 @@
{ config, pkgs, ... }:
let
suspend = pkgs.writeDash "suspend" ''
${pkgs.systemd}/bin/systemctl suspend
'';
speak = text:
pkgs.writeDash "speak" ''
${pkgs.espeak}/bin/espeak -v +whisper -s 110 "${text}"
'';
in {
lass.power-action = {
enable = true;
plans.low-battery = {
upperLimit = 30;
lowerLimit = 25;
charging = false;
action = pkgs.writeDash "warn-low-battery" ''
${speak "power level low"}
'';
};
plans.suspend = {
upperLimit = 10;
lowerLimit = 0;
charging = false;
action = pkgs.writeDash "suspend-wrapper" ''
/var/setuid-wrappers/sudo ${suspend}
'';
};
};
users.users.power-action.extraGroups = [
"audio"
];
security.sudo.extraConfig = ''
${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend}
'';
}
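Review bot: `speak` splices `text` straight into a double-quoted shell argument (`"${text}"`), so a string containing `"`, `$` or backticks would break the generated script or be expanded by the shell; the only caller passes a literal, but the helper is generic, so escape it: `${pkgs.espeak}/bin/espeak -v +whisper -s 110 ${pkgs.lib.escapeShellArg text}`. The sudoers line grants NOPASSWD only for the exact store path of the `suspend` script, which is the right scope; a comment saying so, `# only this store path, not systemctl in general`, would keep it from being widened later. The `suspend` path used in `/var/setuid-wrappers/sudo ${suspend}` and in `security.sudo.extraConfig` must stay the same derivation for the rule to match, which they currently are. The whole module is within this hunk.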

96
lass/2configs/pulse.nix Normal file

@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
pkg = pkgs.pulseaudioLight;
runDir = "/run/pulse";
alsaConf = pkgs.writeText "asound.conf" ''
ctl_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
}
pcm_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
}
ctl.!default {
type pulse
}
pcm.!default {
type pulse
}
'';
clientConf = pkgs.writeText "client.conf" ''
autospawn=no
default-server = unix:${runDir}/socket
'';
daemonConf = pkgs.writeText "daemon.conf" ''
exit-idle-time=0
flat-volumes = no
default-fragments = 4
default-fragment-size-msec = 25
'';
configFile = pkgs.writeText "default.pa" ''
.include ${pkg}/etc/pulse/default.pa
load-module ${toString [
"module-native-protocol-unix"
"auth-anonymous=1"
"socket=${runDir}/socket"
]}
'';
in
{
environment = {
etc = {
"asound.conf".source = alsaConf;
# XXX mkForce is not strong enough (and neither is mkOverride) to create
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
#"pulse/client.conf" = mkForce { source = clientConf; };
#"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile;
"pulse/daemon.pa".source = daemonConf;
};
systemPackages = [
pkg
] ++ optionals config.services.xserver.enable [
pkgs.pavucontrol
];
};
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
systemd.services.pulse = {
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment = {
PULSE_RUNTIME_PATH = "${runDir}/home";
};
serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio";
ExecStartPre = pkgs.writeDash "pulse-start" ''
install -o pulse -g audio -m 0750 -d ${runDir}
install -o pulse -g audio -m 0700 -d ${runDir}/home
'';
PermissionsStartOnly = "true";
User = "pulse";
};
};
users = {
groups.pulse.gid = config.users.users.pulse.uid;
users.pulse = {
uid = genid "pulse";
group = "pulse";
extraGroups = [ "audio" ];
home = "${runDir}/home";
};
};
}
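Review bot: `"pulse/daemon.pa".source = daemonConf;` writes the daemon settings (`exit-idle-time`, `flat-volumes`, fragment sizes) to a filename PulseAudio does not read; as far as I know the daemon reads `/etc/pulse/daemon.conf`, so the line should be `"pulse/daemon.conf".source = daemonConf;` — otherwise the built-in defaults stay in effect. Note also that `auth-anonymous=1` on `module-native-protocol-unix` means the only access control on the sound server is the `0750 pulse:audio` mode of `${runDir}` set in `pulse-start`; a comment next to `auth-anonymous=1`, `# no cookie check: access is gated by the 0750 audio-group runDir`, would keep the two from drifting apart. The `pulse-start` script runs as root via `PermissionsStartOnly`, which the `install -o pulse` calls need. The whole module is within this hunk.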


@ -11,7 +11,7 @@ let
source-password = import <secrets/icecast-source-pw>; source-password = import <secrets/icecast-source-pw>;
add_random = pkgs.writeDashBin "add_random" '' add_random = pkgs.writeDashBin "add_random" ''
mpc add "$(mpc ls | shuf -n1)" ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
''; '';
skip_track = pkgs.writeDashBin "skip_track" '' skip_track = pkgs.writeDashBin "skip_track" ''
@ -52,13 +52,8 @@ in {
print_current print_current
ncmpcpp ncmpcpp
mpc_cli mpc_cli
tmux
]; ];
security.sudo.extraConfig = ''
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
'';
services.mpd = { services.mpd = {
enable = true; enable = true;
group = "radio"; group = "radio";
@ -67,7 +62,7 @@ in {
audio_output { audio_output {
type "shout" type "shout"
encoding "ogg" encoding "ogg"
name "my cool stream" name "the_playlist"
host "localhost" host "localhost"
port "8000" port "8000"
mount "/radio.ogg" mount "/radio.ogg"
@ -84,7 +79,7 @@ in {
# Optional Parameters # Optional Parameters
user "source" user "source"
# description "here is my long description" # description "here is my long description"
# genre "jazz" genre "good music"
} # end of audio_output } # end of audio_output
''; '';
@ -114,7 +109,7 @@ in {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = "*:*"; OnCalendar = "*:0/1";
}; };
}; };
@ -123,8 +118,8 @@ in {
LIMIT=$1 #in secconds LIMIT=$1 #in secconds
timeLeft () { timeLeft () {
playlistDuration=$(mpc --format '%time%' playlist | awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}') playlistDuration=$(${pkgs.mpc_cli}/bin/mpc --format '%time%' playlist | ${pkgs.gawk}/bin/awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
currentTime=$(mpc status | awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }') currentTime=$(${pkgs.mpc_cli}/bin/mpc status | ${pkgs.gawk}/bin/awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
expr ''${playlistDuration:-0} - ''${currentTime:-0} expr ''${playlistDuration:-0} - ''${currentTime:-0}
} }
@ -136,16 +131,10 @@ in {
description = "radio playlist autoadder"; description = "radio playlist autoadder";
after = [ "network.target" ]; after = [ "network.target" ];
path = with pkgs; [
gawk
mpc_cli
];
restartIfChanged = true; restartIfChanged = true;
serviceConfig = { serviceConfig = {
Restart = "always"; ExecStart = "${autoAdd} 150";
ExecStart = "${autoAdd} 100";
}; };
}; };
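Review bot: The rewrite qualifies `mpc` and `awk` with store paths but leaves `shuf` in `add_random` and `expr` in `timeLeft` bare, while also removing the `path = with pkgs; [ gawk mpc_cli ]` the autoadder unit used to get tools from, so those two now depend on whatever PATH systemd hands the unit; use `${pkgs.coreutils}/bin/shuf` and `${pkgs.coreutils}/bin/expr` to match the rest. `Restart = "always"` was also dropped from the autoadder's `serviceConfig`; if `${autoAdd}` exits on an mpc error, nothing brings the playlist feeder back (I cannot see the script's loop from here, so this may be intended). The `timeLeft` function and the autoadder unit are spread over several hunks of this section; the unit's closing braces are past the last hunk.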


@ -1,32 +0,0 @@
{ config, lib, ... }:
let
hostname = config.krebs.build.host.name;
inherit (lib)
nameValuePair
;
in {
imports = [
./realwallpaper.nix
];
krebs.nginx.servers.wallpaper = {
server-names = [
hostname
];
locations = [
(nameValuePair "/wallpaper.png" ''
root /tmp/;
'')
];
};
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
};
}


@ -1,5 +1,30 @@
{ config, ... }: { config, lib, ... }:
{ let
hostname = config.krebs.build.host.name;
inherit (lib)
nameValuePair
;
in {
krebs.realwallpaper.enable = true; krebs.realwallpaper.enable = true;
krebs.nginx.servers.wallpaper = {
server-names = [
hostname
];
locations = [
(nameValuePair "/wallpaper.png" ''
root /tmp/;
'')
];
};
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
};
} }
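Review bot: The nginx location for `/wallpaper.png` serves from `root /tmp/;`, a world-writable directory: any local account can pre-create `/tmp/wallpaper.png` before the generator runs (the sticky bit only stops replacing a file owned by someone else), and that content is then served on the whole retiolum interface. Where `krebs.realwallpaper` writes its output is not visible here; if it can be pointed at a directory owned by its own user (a `/var/lib` or `/run` path created by the unit), the location's `root` should follow it. The iptables rule is correctly limited to `-i retiolum`, so exposure stays inside the VPN. The moved block is wholly within this hunk.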

106
lass/2configs/repo-sync.nix Normal file

@ -0,0 +1,106 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
mirror = "git@${config.networking.hostName}:";
defineRepo = name: announce: let
repo = {
public = true;
name = mkDefault "${name}";
cgit.desc = mkDefault "mirror for ${name}";
hooks = mkIf announce (mkDefault {
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = false;
channel = "#retiolum";
server = "cd.retiolum";
branches = [ "newest" ];
};
});
};
in {
rules = with git; singleton {
user = with config.krebs.users; [
config.krebs.users."${config.networking.hostName}-repo-sync"
lass
lass-shodan
];
repo = [ repo ];
perm = push ''refs/*'' [ non-fast-forward create delete merge ];
};
repos."${name}" = repo;
};
sync-retiolum = name:
{
krebs.repo-sync.repos.${name} = {
makefu = {
origin.url = "http://cgit.gum/${name}";
mirror.url = "${mirror}${name}";
};
tv = {
origin.url = "http://cgit.cd/${name}";
mirror.url = "${mirror}${name}";
};
lassulus = {
origin.url = "http://cgit.prism/${name}";
mirror.url = "${mirror}${name}";
};
"@latest" = {
mirror.url = "${mirror}${name}";
mirror.ref = "heads/newest";
};
};
krebs.git = defineRepo name (config.networking.hostName == "prism");
};
sync-remote = name: url:
{
krebs.repo-sync.repos.${name} = {
remote = {
origin.url = url;
mirror.url = "${mirror}${name}";
};
};
krebs.git = defineRepo name (config.networking.hostName == "prism");
};
sync-remote-silent = name: url:
{
krebs.repo-sync.repos.${name} = {
remote = {
origin.url = url;
mirror.url = "${mirror}${name}";
};
};
krebs.git = defineRepo name false;
};
in {
krebs.repo-sync = {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
};
imports = [
(sync-remote "array" "https://github.com/makefu/array")
(sync-remote "email-header" "https://github.com/4z3/email-header")
(sync-remote "mycube-flask" "https://github.com/makefu/mycube-flask")
(sync-remote "reaktor-titlebot" "https://github.com/makefu/reaktor-titlebot")
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go")
(sync-retiolum "much")
(sync-retiolum "newsbot-js")
(sync-retiolum "painload")
(sync-retiolum "realwallpaper")
(sync-retiolum "stockholm")
(sync-retiolum "wai-middleware-time")
(sync-retiolum "web-routes-wai-custom")
(sync-retiolum "xmonad-stockholm")
];
}
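Review bot: `sync-remote` and `sync-remote-silent` are the same function except for the announce flag handed to `defineRepo`; a single parameterised helper removes the copy, as below (`sync-retiolum` keeps its own shape because it defines four upstreams). Separately, the `sync-retiolum` origins are fetched over plain `http://cgit.gum`, `http://cgit.cd` and `http://cgit.prism`; presumably those names only resolve inside retiolum, so the integrity of what gets mirrored and announced rests entirely on the VPN — a comment at `mirror =` stating that assumption would make it explicit. `config.krebs.users."${config.networking.hostName}-repo-sync"` is also evaluated unconditionally, so a host without that user fails evaluation with an attribute-missing error rather than a readable message. The whole module is within this hunk.
```nix
  # … unchanged: mirror, defineRepo, sync-retiolum …
  mkSyncRemote = announce: name: url:
    {
      krebs.repo-sync.repos.${name} = {
        remote = {
          origin.url = url;
          mirror.url = "${mirror}${name}";
        };
      };
      krebs.git = defineRepo name announce;
    };
  sync-remote = mkSyncRemote (config.networking.hostName == "prism");
  sync-remote-silent = mkSyncRemote false;
```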


@ -0,0 +1 @@
{}


@ -0,0 +1 @@
"blabla"


@ -0,0 +1 @@
"blabla"


@ -0,0 +1,3 @@
-----BEGIN RSA PRIVATE KEY-----
this is a private key
-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
blabla123


@ -0,0 +1 @@
key-name:blabla123


@ -0,0 +1 @@
_: {}


@ -0,0 +1,4 @@
-----BEGIN RSA PRIVATE KEY-----
this is a private key
-----END RSA PRIVATE KEY-----


@ -0,0 +1,3 @@
-----BEGIN OPENSSH PRIVATE KEY-----
private key bla
-----END OPENSSH PRIVATE KEY-----


@ -0,0 +1,3 @@
-----BEGIN RSA PRIVATE KEY-----
private key bla
-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
"krebskrebs123"

62
lass/2configs/umts.nix Normal file

@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
systemctl stop wpa_supplicant
systemctl start umts
trap "systemctl stop umts && systemctl start wpa_supplicant;trap - INT TERM EXIT;exit" INT TERM EXIT
echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
journalctl -xfu umts
'';
wvdial-defaults = ''
Modem = ${modem-device}
Init1 = AT+CFUN=1
Init2 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Baud = 460800
phone= *99#
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0
'';
out = {
environment.shellAliases = {
umts = "sudo ${umts-bin}/bin/umts";
};
security.sudo.extraConfig = ''
lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
'';
environment.wvdial.dialerDefaults = wvdial-defaults;
systemd.services.umts = {
description = "UMTS wvdial Service";
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
ExecStart = "${wvdial}/bin/wvdial -n";
};
};
};
in out
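Review bot: `echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf` appends a line that is never removed: every run adds another entry, and the resolver stays in use after the trap has switched wpa_supplicant back on, so name lookups keep going to that server long after the UMTS session ended. Snapshot resolv.conf before the append and restore it in the same trap that restores wpa_supplicant, as below. The script runs as root through the NOPASSWD sudo rule, which is scoped to the exact store path of `umts-bin`, so the rule itself is fine. The `umts-bin` definition is wholly within this new file.
```nix
  umts-bin = pkgs.writeScriptBin "umts" ''
    #!/bin/sh
    set -euf
    resolv_backup=$(mktemp)
    cp /etc/resolv.conf "$resolv_backup"
    systemctl stop wpa_supplicant
    systemctl start umts
    trap 'systemctl stop umts && systemctl start wpa_supplicant; cp "$resolv_backup" /etc/resolv.conf; rm -f "$resolv_backup"; trap - INT TERM EXIT; exit' INT TERM EXIT
    echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
    journalctl -xfu umts
  '';
```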


@ -1,158 +1,351 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with config.krebs.lib;
let let
customPlugins = { out = {
mustang2 = pkgs.vimUtils.buildVimPlugin {
name = "Mustang2";
src = pkgs.fetchFromGitHub {
owner = "croaker";
repo = "mustang-vim";
rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5";
sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67";
};
};
unimpaired = pkgs.vimUtils.buildVimPlugin {
name = "unimpaired-vim";
src = pkgs.fetchFromGitHub {
owner = "tpope";
repo = "vim-unimpaired";
rev = "11dc568dbfd7a56866a4354c737515769f08e9fe";
sha256 = "1an941j5ckas8l3vkfhchdzjwcray16229rhv3a1d4pbxifwshi8";
};
};
brogrammer = pkgs.vimUtils.buildVimPlugin {
name = "brogrammer";
src = pkgs.fetchFromGitHub {
owner = "marciomazza";
repo = "vim-brogrammer-theme";
rev = "3e412d8e8909d8d89eb5a4cbe955b5bc0833a3c3";
sha256 = "0am1qk8ls74z5ipgf9viacayq08y9i9vd7sxxiivwgsjh2ancbv6";
};
};
file-line = pkgs.vimUtils.buildVimPlugin {
name = "file-line";
src = pkgs.fetchFromGitHub {
owner = "bogado";
repo = "file-line";
rev = "f9ffa1879ad84ce4a386110446f395bc1795b72a";
sha256 = "173n47w9zd01rcyrrmm194v79xq7d1ggzr19n1lsxrqfgr2c1rvk";
};
};
};
in {
environment.systemPackages = [ environment.systemPackages = [
(pkgs.vim_configurable.customize { vim
name = "vim"; ];
vimrcConfig.customRC = '' environment.etc.vimrc.source = vimrc;
set nocompatible
set t_Co=16 environment.variables.EDITOR = mkForce "vim";
syntax on environment.variables.VIMINIT = ":so /etc/vimrc";
" TODO autoload colorscheme file };
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
pkgs.vimPlugins.Gundo
pkgs.vimPlugins.Syntastic
pkgs.vimPlugins.undotree
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
})
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "hack";
in {
name = "vim-color-${name}-1.0.2";
destination = "/colors/${name}.vim";
text = /* vim */ ''
set background=dark set background=dark
colorscheme brogrammer hi clear
filetype off if exists("syntax_on")
filetype plugin indent on syntax clear
endif
imap <F1> <nop> let colors_name = ${toJSON name}
set mouse=a hi Normal ctermbg=235
set ruler hi Comment ctermfg=242
set showmatch hi Constant ctermfg=062
set backspace=2 hi Identifier ctermfg=068
set visualbell hi Function ctermfg=041
set encoding=utf8 hi Statement ctermfg=167
set showcmd hi PreProc ctermfg=167
set wildmenu hi Type ctermfg=041
hi Delimiter ctermfg=251
hi Special ctermfg=062
set title hi Garbage ctermbg=088
set titleold= hi TabStop ctermbg=016
set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=148
hi NixData ctermfg=149
hi NixQuote ctermfg=150
hi diffNewFile ctermfg=207
hi diffFile ctermfg=207
hi diffLine ctermfg=207
hi diffSubname ctermfg=207
hi diffAdded ctermfg=010
hi diffRemoved ctermfg=009
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {
name = "vim-syntax-${name}-1.0.0";
destination = "/syntax/${name}.vim";
text = /* vim */ ''
${concatMapStringsSep "\n" (s: /* vim */ ''
syn keyword vimColor${s} ${s}
\ containedin=ALLBUT,vimComment,vimLineComment
hi vimColor${s} ctermfg=${s}
'') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "showsyntax";
in {
name = "vim-plugin-${name}-1.0.0";
destination = "/plugin/${name}.vim";
text = /* vim */ ''
if exists('g:loaded_showsyntax')
finish
endif
let g:loaded_showsyntax = 0
fu! ShowSyntax()
let id = synID(line("."), col("."), 1)
let name = synIDattr(id, "name")
let transName = synIDattr(synIDtrans(id),"name")
if name != transName
let name .= " (" . transName . ")"
endif
echo "Syntax: " . name
endfu
command! -n=0 -bar ShowSyntax :call ShowSyntax()
'';
})))
];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
mkdirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim = pkgs.writeDashBin "vim" ''
set -efu
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
exec ${pkgs.neovim}/bin/nvim "$@"
'';
vimrc = pkgs.writeText "vimrc" ''
set nocompatible
set autoindent set autoindent
set backspace=indent,eol,start
set ttyfast set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set hlsearch
set incsearch
set mouse=a
set noruler
set pastetoggle=<INS> set pastetoggle=<INS>
set runtimepath=${extra-runtimepath},$VIMRUNTIME
set shortmess+=I
set showcmd
set showmatch
set ttimeoutlen=0
set undodir=${dirs.undodir}
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu
set wildmode=longest,full
set et ts=2 sts=2 sw=2
" Force Saving Files that Require Root Permission filetype plugin indent on
command! W silent w !sudo tee "%" >/dev/null
nnoremap <C-c> :q<Return> set t_Co=256
colorscheme hack
syntax on
au Syntax * syn match Garbage containedin=ALL /\s\+$/
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
au BufRead,BufNewFile *.hs so ${hs.vim}
au BufRead,BufNewFile *.nix so ${nix.vim}
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
"Syntastic config
let g:syntastic_python_checkers=['flake8']
nmap <esc>q :buffer
nmap <M-q> :buffer
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
vnoremap < <gv vnoremap < <gv
vnoremap > >gv vnoremap > >gv
nmap <esc>q :buffer nnoremap <esc>[5^ :tabp<cr>
nnoremap <esc>[6^ :tabn<cr>
nnoremap <esc>[5@ :tabm -1<cr>
nnoremap <esc>[6@ :tabm +1<cr>
nnoremap <f1> :tabp<cr>
nnoremap <f2> :tabn<cr>
inoremap <f1> <esc>:tabp<cr>
inoremap <f2> <esc>:tabn<cr>
"Tabwidth " <C-{Up,Down,Right,Left>
set ts=2 sts=2 sw=2 et noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
" create Backup/tmp/undo dirs noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
function! InitBackupDir() noremap <esc>Od <nop> | noremap! <esc>Od <nop>
let l:parent = $HOME . '/.vim/' " <[C]S-{Up,Down,Right,Left>
let l:backup = l:parent . 'backups/' noremap <esc>[a <nop> | noremap! <esc>[a <nop>
let l:tmpdir = l:parent . 'tmp/' noremap <esc>[b <nop> | noremap! <esc>[b <nop>
let l:undodi = l:parent . 'undo/' noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
if !isdirectory(l:parent) vnoremap u <nop>
call mkdir(l:parent)
endif
if !isdirectory(l:backup)
call mkdir(l:backup)
endif
if !isdirectory(l:tmpdir)
call mkdir(l:tmpdir)
endif
if !isdirectory(l:undodi)
call mkdir(l:undodi)
endif
endfunction
call InitBackupDir()
" Backups & Files
set backup
set backupdir=~/.vim/backups
set directory=~/.vim/tmp//
set viminfo='20,<1000,s100,h,n~/.vim/tmp/info
set undodir=$HOME/.vim/undo
set undofile
" highlight whitespaces
highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/
autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/
autocmd InsertLeave * match ExtraWhitespace /\s\+$/
autocmd BufWinLeave * call clearmatches()
"ft specific stuff
autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et
autocmd BufRead *.hs set ts=4 sts=4 sw=4 et
"esc timeout
set timeoutlen=1000 ttimeoutlen=0
"foldfunctions
inoremap <F9> <C-O>za
nnoremap <F9> za
onoremap <F9> <C-C>za
vnoremap <F9> zf
''; '';
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; hs.vim = pkgs.writeText "hs.vim" ''
vimrcConfig.vam.pluginDictionaries = [ syn region String start=+\[[[:alnum:]]*|+ end=+|]+
{ names = [
"brogrammer"
"file-line"
"Gundo"
]; }
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];
}) hi link ConId Identifier
hi link VarId Identifier
hi link hsDelimiter Delimiter
'';
nix.vim = pkgs.writeText "nix.vim" ''
setf nix
" Ref <nix/src/libexpr/lexer.l>
syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
syn match NixINT /\<[0-9]\+\>/
syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
syn region NixSTRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
syn region NixIND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
syn match NixOther /[():/;=.,?\[\]]/
syn match NixCommentMatch /\(^\|\s\)#.*/
syn region NixCommentRegion start="/\*" end="\*/"
hi link NixCode Statement
hi link NixData Constant
hi link NixComment Comment
hi link NixCommentMatch NixComment
hi link NixCommentRegion NixComment
hi link NixID NixCode
hi link NixINT NixData
hi link NixPATH NixData
hi link NixHPATH NixData
hi link NixSPATH NixData
hi link NixURI NixData
hi link NixSTRING NixData
hi link NixIND_STRING NixData
hi link NixEnter NixCode
hi link NixOther NixCode
hi link NixQuote NixData
syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
syn cluster nix_ind_strings contains=NixIND_STRING
syn cluster nix_strings contains=NixSTRING
${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
startAlts = filter isString [
''/\* ${lang} \*/''
extraStart
]; ];
} sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
in /* vim */ ''
syn include @nix_${lang}_syntax syntax/${lang}.vim
unlet b:current_syntax
syn match nix_${lang}_sigil
\ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
\ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
\ transparent
syn region nix_${lang}_region_STRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn region nix_${lang}_region_IND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn cluster nix_ind_strings
\ add=nix_${lang}_region_IND_STRING
syn cluster nix_strings
\ add=nix_${lang}_region_STRING
syn cluster nix_has_dollar_curly
\ add=@nix_${lang}_syntax
'') {
c = {};
cabal = {};
haskell = {};
sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
vim.extraStart =
''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
})}
" Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
syn clear shVarAssign
syn region nixINSIDE_DOLLAR_CURLY
\ matchgroup=NixEnter
\ start="[$]{"
\ end="}"
\ contains=TOP
\ containedin=@nix_has_dollar_curly
\ transparent
syn region nix_inside_curly
\ matchgroup=NixEnter
\ start="{"
\ end="}"
\ contains=TOP
\ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
\ transparent
syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /\\./he=s+1
\ containedin=@nix_strings
\ contained
syn sync fromstart
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
'';
in
out


@ -11,9 +11,9 @@ let
serveWordpress; serveWordpress;
msmtprc = pkgs.writeText "msmtprc" '' msmtprc = pkgs.writeText "msmtprc" ''
account prism account localhost
host localhost host localhost
account default: prism account default: localhost
''; '';
sendmail = pkgs.writeDash "msmtp" '' sendmail = pkgs.writeDash "msmtp" ''
@ -23,23 +23,55 @@ let
in { in {
imports = [ imports = [
./sqlBackup.nix ./sqlBackup.nix
(ssl [ "reich-gebaeudereinigung.de" ]) (ssl [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "reich-gebaeudereinigung.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(ssl [ "karlaskop.de" ]) (ssl [ "karlaskop.de" "www.karlaskop.de" ])
(servePage [ "karlaskop.de" ]) (servePage [ "karlaskop.de" "www.karlaskop.de" ])
(ssl [ "makeup.apanowicz.de" ]) (ssl [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(servePage [ "makeup.apanowicz.de" ]) (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ]) (ssl [ "pixelpocket.de" "www.pixelpocket.de" ])
(servePage [ "pixelpocket.de" ]) (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ]) (ssl [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" ]) (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
(ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ]) (ssl [
(serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ]) "ubikmedia.de"
"aldona.ubikmedia.de"
"apanowicz.de"
"nirwanabluete.de"
"aldonasiech.com"
"360gradvideo.tv"
"ubikmedia.eu"
"facts.cloud"
"www.ubikmedia.de"
"www.aldona.ubikmedia.de"
"www.apanowicz.de"
"www.nirwanabluete.de"
"www.aldonasiech.com"
"www.360gradvideo.tv"
"www.ubikmedia.eu"
"www.facts.cloud"
])
(serveWordpress [
"ubikmedia.de"
"apanowicz.de"
"nirwanabluete.de"
"aldonasiech.com"
"360gradvideo.tv"
"ubikmedia.eu"
"facts.cloud"
"*.ubikmedia.de"
"www.apanowicz.de"
"www.nirwanabluete.de"
"www.aldonasiech.com"
"www.360gradvideo.tv"
"www.ubikmedia.eu"
"www.facts.cloud"
])
]; ];
lass.mysqlBackup.config.all.databases = [ lass.mysqlBackup.config.all.databases = [
@ -47,6 +79,27 @@ in {
"o_ubikmedia_de" "o_ubikmedia_de"
]; ];
krebs.backup.plans = {
prism-sql-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; };
startAt = "00:01";
};
prism-http-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; };
startAt = "00:10";
};
prism-o-ubikmedia-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/srv/o.ubikmedia.de-data"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; };
startAt = "00:30";
};
};
users.users.domsen = { users.users.domsen = {
uid = genid "domsen"; uid = genid "domsen";
description = "maintenance acc for domsen"; description = "maintenance acc for domsen";
@ -56,18 +109,18 @@ in {
createHome = true; createHome = true;
}; };
#services.phpfpm.phpOptions = '' services.phpfpm.phpOptions = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = ${sendmail} -t
#'';
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
options = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = ${sendmail} -t -i" sendmail_path = ${sendmail} -t
'';
} ''
cat ${pkgs.php}/etc/php-recommended.ini > $out
echo "$options" >> $out
''; '';
#services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
# options = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = "${sendmail} -t -i"
# '';
#} ''
# cat ${pkgs.php}/etc/php-recommended.ini > $out
# echo "$options" >> $out
#'';
} }
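Review bot: The commented-out `services.phpfpm.phpIni` block at the end of the last hunk is dead code that repeats the now-active `phpOptions` lines; drop it, or replace it with a single line stating why the runCommand variant was abandoned. The active `sendmail_path = ${sendmail} -t` no longer passes `-i`, which the commented variant had; if the msmtp wrapper honours that flag, a body line consisting of a single `.` would end a message early, so confirm before dropping it. In the new `krebs.backup.plans`, the 00:01 push of `/bku/sql_dumps` presumably relies on the dump job from `sqlBackup.nix` having run first, but that schedule is not visible here — a comment naming the producer would help. The destination component `XXXX-MAX-UND-ANDERES` reads like a placeholder; confirm it is the real directory on domsen-nas.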


@ -1,10 +1,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with lib;
let let
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid genid
head head
nameValuePair
; ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl ssl
@ -12,6 +12,16 @@ let
serveWordpress serveWordpress
; ;
msmtprc = pkgs.writeText "msmtprc" ''
account localhost
host localhost
account default: localhost
'';
sendmail = pkgs.writeDash "msmtp" ''
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
in { in {
imports = [ imports = [
./sqlBackup.nix ./sqlBackup.nix
@ -48,7 +58,34 @@ in {
"ttf_kleinaspach_de" "ttf_kleinaspach_de"
]; ];
#password protect some dirs
krebs.nginx.servers."biostase.de".locations = [
(nameValuePair "/old_biostase.de" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'')
(nameValuePair "/mysqldumper" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'')
];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey config.krebs.users.fritz.pubkey
]; ];
services.phpfpm.phpOptions = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = ${sendmail} -t
'';
#services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
# options = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = "${sendmail} -t -i"
# '';
#} ''
# cat ${pkgs.php}/etc/php-recommended.ini > $out
# echo "$options" >> $out
#'';
} }
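Review bot: Both `auth_basic_user_file` entries point at `.htpasswd` files inside the served tree under `/srv/http/biostase.de/`; nginx has no built-in rule hiding `.ht*` files, so unless the server block also denies dot-files the credential file is itself fetchable as a static file. Add `location ~ /\.ht { deny all; }` to that server (or keep the files outside `/srv/http`), and since the `ssl` list for biostase.de is outside this hunk, confirm the protected prefixes are only reachable over TLS so Basic credentials are not sent in the clear. The `msmtprc`/`sendmail` pair is copied verbatim from the domsen config in the same commit; factoring it into `websites/util.nix`, which this file already imports, would keep the two from drifting.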


@ -5,7 +5,6 @@ let
in { in {
krebs.per-user.chat.packages = with pkgs; [ krebs.per-user.chat.packages = with pkgs; [
mosh mosh
tmux
weechat weechat
]; ];


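--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,59 +0,0 @@
-{ config, pkgs, ... }:
-{
-containers.wordpress = {
-privateNetwork = true;
-hostAddress = "192.168.101.1";
-localAddress = "192.168.101.2";
-config = {
-imports = [
-../../krebs/3modules/iptables.nix
-];
-krebs.iptables = {
-enable = true;
-tables = {
-filter.INPUT.policy = "DROP";
-filter.FORWARD.policy = "DROP";
-filter.INPUT.rules = [
-{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
-{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
-{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
-{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
-{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
-];
-};
-};
-environment.systemPackages = with pkgs; [
-iptables
-];
-services.postgresql = {
-enable = true;
-package = pkgs.postgresql;
-};
-services.httpd = {
-enable = true;
-adminAddr = "root@apanowicz.de";
-extraModules = [
-{ name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
-];
-virtualHosts = [
-{
-hostName = "wordpress";
-serverAliases = [ "wordpress" "www.wordpress" ];
-extraSubservices = [
-{
-serviceName = "wordpress";
-}
-];
-}
-];
-};
-};
-};
-}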


@ -19,9 +19,48 @@ pkgs.writeText "Xresources" ''
URxvt.intensityStyles: false URxvt.intensityStyles: false
URxvt*background: #000000 URxvt*background: #050505
URxvt*foreground: #ffffff ! URxvt*background: #041204
!URxvt.depth: 32
!URxvt*background: rgba:0500/0500/0500/cccc
! URxvt*background: #080810
URxvt*foreground: #d0d7d0
! URxvt*background: black
! URxvt*foreground: white
! URxvt*background: rgb:00/00/40
! URxvt*foreground: rgb:a0/a0/d0
! XTerm*cursorColor: rgb:00/00/60
URxvt*cursorColor: #f042b0
URxvt*cursorColor2: #f0b000
URxvt*cursorBlink: off
! URxvt*cursorUnderline: true
! URxvt*highlightColor: #232323
! URxvt*highlightTextColor: #b0ffb0
URxvt*.pointerBlank: true
URxvt*.pointerBlankDelay: 987654321
URxvt*.pointerColor: #f042b0
URxvt*.pointerColor2: #050505
! URxvt*color0: #000000
! URxvt*color1: #c00000
! URxvt*color2: #80c070
URxvt*color3: #c07000
! URxvt*color4: #0000c0
URxvt*color4: #4040c0
! URxvt*color5: #c000c0
! URxvt*color6: #008080
URxvt*color7: #c0c0c0
URxvt*color8: #707070
URxvt*color9: #ff6060
URxvt*color10: #70ff70
URxvt*color11: #ffff70
URxvt*color12: #7070ff
URxvt*color13: #ff50ff
URxvt*color14: #70ffff
URxvt*color15: #ffffff
!change unreadable blue
URxvt*color4: #268bd2
'' ''
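Review bot: `URxvt*color4` is assigned twice on the new side (`#4040c0` and, under the `!change unreadable blue` comment, `#268bd2`); the last definition wins, so the first is dead and should be removed or commented out like its neighbours. The `pkgs.writeText` string this hunk sits in begins outside the hunk.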


@ -7,9 +7,6 @@
zsh-newuser-install() { :; } zsh-newuser-install() { :; }
''; '';
interactiveShellInit = '' interactiveShellInit = ''
HISTFILE=~/.histfile
HISTSIZE=1000000
SAVEHIST=100000
#unsetopt nomatch #unsetopt nomatch
setopt autocd extendedglob setopt autocd extendedglob
bindkey -e bindkey -e
@ -92,6 +89,11 @@
esac esac
''; '';
promptInit = '' promptInit = ''
# TODO: figure out why we need to set this here
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
SAVEHIST=$HISTSIZE
autoload -U promptinit autoload -U promptinit
promptinit promptinit
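Review bot: `HISTFILE=~/.histfile` is removed from `interactiveShellInit` and not re-added in `promptInit`, so unless it is set elsewhere zsh has no file to write history to and the new `SAVEHIST` has no effect. `HISTFILESIZE` is a bash variable with no meaning in zsh and can be dropped. The `# TODO: figure out why we need to set this here` comment would serve better as a record of the observed symptom, e.g. `# HISTSIZE set in interactiveShellInit was reset by the time the prompt loaded; set it again here`.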


@ -4,6 +4,7 @@ _:
./ejabberd ./ejabberd
./folderPerms.nix ./folderPerms.nix
./mysql-backup.nix ./mysql-backup.nix
./power-action.nix
./urxvtd.nix ./urxvtd.nix
./wordpress_nginx.nix ./wordpress_nginx.nix
./xresources.nix ./xresources.nix


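--- /dev/null
+++ b/PATH-NOT-ON-PAGE/power-action.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+with config.krebs.lib;
+let
+cfg = config.lass.power-action;
+out = {
+options.lass.power-action = api;
+config = lib.mkIf cfg.enable imp;
+};
+api = {
+enable = mkEnableOption "power-action";
+user = mkOption {
+type = types.user;
+default = {
+name = "power-action";
+};
+};
+startAt = mkOption {
+type = types.str;
+default = "*:0/1";
+};
+plans = mkOption {
+type = with types; attrsOf (submodule {
+options = {
+charging = mkOption {
+type = nullOr bool;
+default = null;
+description = ''
+check for charging status.
+null = don't care
+true = only if system is charging
+false = only if system is discharging
+'';
+};
+upperLimit = mkOption {
+type = int;
+};
+lowerLimit = mkOption {
+type = int;
+};
+action = mkOption {
+type = path;
+};
+};
+});
+};
+};
+imp = {
+systemd.services.power-action = {
+serviceConfig = rec {
+ExecStart = startScript;
+User = cfg.user.name;
+};
+startAt = cfg.startAt;
+};
+users.users.${cfg.user.name} = {
+inherit (cfg.user) name uid;
+};
+};
+startScript = pkgs.writeDash "power-action" ''
+set -euf
+power="$(${powerlvl})"
+state="$(${state})"
+${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)}
+'';
+charging_check = plan:
+if (plan.charging == null) then "" else
+if plan.charging
+then ''&& [ "$state" = "true" ]''
+else ''&& ! [ "$state" = "true" ]''
+;
+writeRule = _: plan:
+"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
+powerlvl = pkgs.writeDash "powerlvl" ''
+cat /sys/class/power_supply/BAT0/capacity
+'';
+state = pkgs.writeDash "state" ''
+if [ "$(cat /sys/class/power_supply/BAT0/status)" = "Discharging" ]
+then echo "false"
+else echo "true"
+fi
+'';
+in out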
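Review bot: `serviceConfig = rec {` uses `rec` although nothing inside the set refers to a sibling attribute; drop it. `/sys/class/power_supply/BAT0` is hard-coded in both helper scripts; exposing it as an option (e.g. `battery = mkOption { type = types.str; default = "BAT0"; }`) would cover machines with a second battery without changing the plan format. The `upperLimit`, `lowerLimit` and `action` options carry no `description`; state there that the limits are inclusive percentages and that `action` runs as `cfg.user.name`, so anything privileged (suspend, shutdown) presumably needs extra arrangements — confirm against how the module is used. With `set -euf`, a missing capacity file aborts the whole run, which is probably intended but deserves a comment in `startScript`.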


@ -3,6 +3,9 @@
{ {
nixpkgs.config.packageOverrides = rec { nixpkgs.config.packageOverrides = rec {
acronym = pkgs.callPackage ./acronym/default.nix {}; acronym = pkgs.callPackage ./acronym/default.nix {};
ejabberd = pkgs.callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
firefoxPlugins = { firefoxPlugins = {
noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {}; noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {}; ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
@ -10,11 +13,11 @@
}; };
mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {}; mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {}; mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
q = pkgs.callPackage ./q {};
rs = pkgs.callPackage ./rs/default.nix {};
untilport = pkgs.callPackage ./untilport/default.nix {}; untilport = pkgs.callPackage ./untilport/default.nix {};
urban = pkgs.callPackage ./urban/default.nix {}; urban = pkgs.callPackage ./urban/default.nix {};
xmonad-lass = xmonad-lass = import ./xmonad-lass.nix { inherit pkgs; };
let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in
pkgs.haskellPackages.callPackage src {};
yt-next = pkgs.callPackage ./yt-next/default.nix {}; yt-next = pkgs.callPackage ./yt-next/default.nix {};
}; };
} }
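Review bot: The `ejabberd` override pins `erlang = pkgs.erlangR16;` without saying why; a comment such as `# ./ejabberd does not build against the current erlang; keep R16 until it is updated` would stop the next reader from reverting it, and an old OTP under a network-facing XMPP daemon is a dependency-age risk worth tracking. Whether R16 is genuinely required is not visible in this hunk.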

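--- /dev/null
+++ b/lass/5pkgs/q/default.nix
@@ -0,0 +1,185 @@
+{ pkgs, ... }:
+let
+q-cal = let
+# XXX 23 is the longest line of cal's output
+pad = ''{
+${pkgs.gnused}/bin/sed '
+# rtrim
+s/ *$//
+# delete last empty line
+''${/^$/d}
+' \
+| ${pkgs.gawk}/bin/awk '{printf "%-23s\n", $0}' \
+| ${pkgs.gnused}/bin/sed '
+# colorize header
+1,2s/.*/&/
+# colorize week number
+s/^[ 1-9][0-9]/&/
+'
+}'';
+in ''
+${pkgs.coreutils}/bin/paste \
+<(${pkgs.utillinux}/bin/cal -mw \
+$(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \
+| ${pad}
+) \
+<(${pkgs.utillinux}/bin/cal -mw \
+| ${pkgs.gnused}/bin/sed '
+# colorize day of month
+s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/&/
+' \
+| ${pad}
+) \
+<(${pkgs.utillinux}/bin/cal -mw \
+$(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \
+| ${pad}
+) \
+| ${pkgs.gnused}/bin/sed 's/\t/ /g'
+'';
+q-isodate = ''
+${pkgs.coreutils}/bin/date \
+'+%Y-%m-%dT%H:%M:%S%:z'
+'';
+q-gitdir = ''
+if test -d .git; then
+#git status --porcelain
+branch=$(
+${pkgs.git}/bin/git branch \
+| ${pkgs.gnused}/bin/sed -rn 's/^\* (.*)/\1/p'
+)
+echo "± $LOGNAME@''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}:$PWD .git $branch"
+fi
+'';
+q-power_supply = ''
+for uevent in /sys/class/power_supply/*/uevent; do
+if test -f $uevent; then
+eval "$(${pkgs.gnused}/bin/sed -n '
+s/^\([A-Z_]\+=\)\(.*\)/\1'\'''\2'\'''/p
+' $uevent)"
+if test "x''${POWER_SUPPLY_CHARGE_NOW-}" = x; then
+continue
+fi
+charge_percentage=$(echo "
+scale=2
+$POWER_SUPPLY_CHARGE_NOW / $POWER_SUPPLY_CHARGE_FULL
+" | ${pkgs.bc}/bin/bc)
+lfc=$POWER_SUPPLY_CHARGE_FULL
+rc=$POWER_SUPPLY_CHARGE_NOW
+#rc=2800
+N=78; N=76
+N=10
+n=$(echo $N-1 | ${pkgs.bc}/bin/bc)
+centi=$(echo "$rc*100/$lfc" | ${pkgs.bc}/bin/bc)
+deci=$(echo "$rc*$N/$lfc" | ${pkgs.bc}/bin/bc)
+energy_evel=$(
+echo -n ' ' # TRIGRAM FOR THUNDER
+if test $centi -ge 42; then echo -n ''
+elif test $centi -ge 23; then echo -n ''
+elif test $centi -ge 11; then echo -n ''
+else echo -n ''; fi
+for i in $(${pkgs.coreutils}/bin/seq 1 $deci); do
+echo -n
+done
+echo -n ''
+for i in $(${pkgs.coreutils}/bin/seq $deci $n); do
+echo -n
+done
+echo '' $rc #/ $lfc
+)
+echo "$energy_evel $charge_percentage"
+fi
+done
+'';
+q-virtualization = ''
+echo "VT: $(${pkgs.systemd}/bin/systemd-detect-virt)"
+'';
+q-wireless = ''
+for dev in $(
+${pkgs.iw}/bin/iw dev \
+| ${pkgs.gnused}/bin/sed -n 's/^\s*Interface\s\+\([0-9a-z]\+\)$/\1/p'
+); do
+inet=$(${pkgs.iproute}/bin/ip addr show $dev \
+| ${pkgs.gnused}/bin/sed -n '
+s/.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p
+') \
+|| unset inet
+ssid=$(${pkgs.iw}/bin/iw dev $dev link \
+| ${pkgs.gnused}/bin/sed -n '
+s/.*\tSSID: \(.*\)/\1/p
+') \
+|| unset ssid
+echo "$dev''${inet+ $inet}''${ssid+ $ssid}"
+done
+'';
+q-online = ''
+if ${pkgs.curl.bin}/bin/curl -s google.com >/dev/null; then
+echo 'online'
+else
+echo offline
+fi
+'';
+q-thermal_zone = ''
+for i in /sys/class/thermal/thermal_zone*; do
+type=$(${pkgs.coreutils}/bin/cat $i/type)
+temp=$(${pkgs.coreutils}/bin/cat $i/temp)
+printf '%s %s°C\n' $type $(echo $temp / 1000 | ${pkgs.bc}/bin/bc)
+done
+'';
+q-todo = ''
+TODO_file=$HOME/TODO
+if test -e "$TODO_file"; then
+${pkgs.coreutils}/bin/cat "$TODO_file" \
+| ${pkgs.gawk}/bin/gawk -v now=$(${pkgs.coreutils}/bin/date +%s) '
+BEGIN { print "remind=0" }
+/^[0-9]/{
+x = $1
+gsub(".", "\\\\&", x)
+rest = substr($0, index($0, " "))
+rest = $0
+sub(" *", "", rest)
+gsub(".", "\\\\&", rest)
+print "test $(${pkgs.coreutils}/bin/date +%s -d"x") -lt "now" && \
+echo \"\x1b[38;5;208m\""rest esc "\"\x1b[m\" && \
+(( remind++ ))"
+}
+END { print "test $remind = 0 && echo \"nothing to remind\"" }
+' \
+| {
+# bash needed for (( ... ))
+${pkgs.bash}/bin/bash
+}
+else
+echo "$TODO_file: no such file or directory"
+fi
+'';
+in
+# bash needed for <(...)
+pkgs.writeBashBin "q" ''
+set -eu
+export PATH=/var/empty
+${q-cal}
+echo
+${q-isodate}
+(${q-gitdir}) &
+(${q-power_supply}) &
+(${q-virtualization}) &
+(${q-wireless}) &
+(${q-online}) &
+(${q-thermal_zone}) &
+wait
+${q-todo}
+''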
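Review bot: In `q-todo` the awk program concatenates `rest esc`, but `esc` is never assigned and so expands to an empty string, and `rest = $0` on the next line discards the `substr` result just computed; one of the two `rest` assignments and the `esc` token should go. `q-online` runs curl with no `--max-time`, so on a black-holed network the final `wait` blocks for curl's default timeout; `-m 5` (or similar) keeps the prompt responsive, and the probe target being a third party is worth a comment. The `N=78; N=76` / `N=10` and `#rc=2800` lines in `q-power_supply` are leftover debugging. `export PATH=/var/empty` combined with every tool being referenced by store path is a useful hardening choice and deserves a one-line comment so nobody reverts it.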


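--- /dev/null
+++ b/PATH-NOT-ON-PAGE/rs/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+#TODO: get tab-completion working again
+pkgs.writeBashBin "rs" ''
+rsync -vaP --append-verify "$@"
+''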
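Review bot: `rsync` is resolved from the caller's `PATH` rather than referenced as `${pkgs.rsync}/bin/rsync`, unlike every other tool in this package set, so the script's closure does not guarantee rsync is present. `--append-verify` assumes a partially transferred destination is an untouched prefix of the source; a comment such as `# resume large transfers; destination must not have been modified` would make the flag choice explicit.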


@ -1,3 +1,15 @@
{ pkgs, ... }:
pkgs.writeHaskell "xmonad-lass" {
executables.xmonad = {
extra-depends = [
"containers"
"unix"
"X11"
"xmonad"
"xmonad-contrib"
"xmonad-stockholm"
];
text = ''
{-# LANGUAGE DeriveDataTypeable #-} -- for XS {-# LANGUAGE DeriveDataTypeable #-} -- for XS
{-# LANGUAGE FlexibleContexts #-} -- for xmonad' {-# LANGUAGE FlexibleContexts #-} -- for xmonad'
{-# LANGUAGE LambdaCase #-} {-# LANGUAGE LambdaCase #-}
@ -147,3 +159,8 @@ gridConfig = def
, gs_navigate = navNSearch , gs_navigate = navNSearch
, gs_font = myFont , gs_font = myFont
} }
'';
};
}
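Review bot: The deleted xmonad.cabal carried `GHC-Options: -Wall -O3 -threaded -rtsopts`, and the new `writeHaskell` call shows no equivalent; if `writeHaskell` does not add `-threaded` on its own, the binary is now built without the threaded runtime — confirm or add the flags. `extra-depends` also omits `base`, presumably implicit in `writeHaskell`. The Haskell text between the two hunks is not shown.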


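--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-/shell.nix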


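--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
-.PHONY: ghci
-ghci: shell.nix
-nix-shell --command 'exec ghci -Wall'
-shell.nix: xmonad.cabal
-cabal2nix --shell . > $@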


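--- a/PATH-NOT-ON-PAGE/xmonad.cabal
+++ /dev/null
@@ -1,17 +0,0 @@
-Author: lass
-Build-Type: Simple
-Cabal-Version: >= 1.2
-License: MIT
-Name: xmonad-lass
-Version: 0
-Executable xmonad
-Build-Depends:
-base,
-containers,
-unix,
-xmonad,
-xmonad-contrib,
-xmonad-stockholm
-GHC-Options: -Wall -O3 -threaded -rtsopts
-Main-Is: Main.hs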


@ -17,19 +17,31 @@ in {
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/virtualization.nix ../2configs/virtualization.nix
]; ];
services.tinc.networks.siem = {
networking.firewall.allowedUDPPorts = [ 80 655 67 ]; name = "sdarth";
networking.firewall.allowedTCPPorts = [ 80 655 ]; extraConfig = "ConnectTo = sjump";
networking.firewall.checkReversePath = false; };
#networking.firewall.enable = false; #networking.firewall.enable = false;
# virtualisation.nova.enableSingleNode = true;
krebs.retiolum.enable = true; krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ]; boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
networking.wireless.enable = true; networking = {
wireless.enable = true;
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedUDPPorts = [ 80 655 1655 67 ];
allowedTCPPorts = [ 80 655 1655 ];
};
# fallback connection to the internal virtual network
interfaces.virbr3.ip4 = [{
address = "10.8.8.2";
prefixLength = 24;
}];
};
# TODO smartd omo darth gum all-in-one # TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks; services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
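Review bot: `logRefusedConnections = false` silences the kernel log line for every dropped packet, which removes the only host-local trace of port scans or misrouted traffic; if the motivation is LAN noise, keeping the default with `logRefusedUnicastsOnly` preserves some visibility. The new 1655 entries in `allowedUDPPorts`/`allowedTCPPorts` are presumably the listening port of the `siem` tinc network defined just above, but nothing in this hunk ties them together; a comment on those lines (`# 1655: tinc siem`) would help. UDP 80 and 67 are carried over from the old lines and remain unexplained.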


@ -5,9 +5,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
byid = dev: "/dev/disk/by-id/" + dev; byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3"; rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
primaryInterface = "enp1s0";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey # cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
@ -15,14 +16,14 @@ let
# omo Chassis: # omo Chassis:
# __FRONT_ # __FRONT_
# |* d2 | # |* d0 |
# | | # | |
# |* d3 | # |* d3 |
# | | # | |
# |* d0 | # |* d3 |
# | | # | |
# |* d1 |
# |* | # |* |
# |* d2 |
# | * r0 | # | * r0 |
# |_______| # |_______|
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
@ -38,27 +39,31 @@ in {
[ [
../. ../.
# TODO: unlock home partition via ssh # TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix ../2configs/fs/sda-crypto-root.nix
../2configs/zsh-user.nix ../2configs/zsh-user.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix ../2configs/smart-monitor.nix
../2configs/mail-client.nix ../2configs/mail-client.nix
../2configs/share-user-sftp.nix #../2configs/graphite-standalone.nix
../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix
../2configs/omo-share.nix ../2configs/omo-share.nix
## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
]; ];
krebs.retiolum.enable = true; krebs.retiolum.enable = true;
networking.firewall.trustedInterfaces = [ "enp3s0" ]; networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files # tcp:80 - nginx for sharing files
# tcp:655 udp:655 - tinc # tcp:655 udp:655 - tinc
# tcp:8111 - graphite # tcp:8111 - graphite
# tcp:8112 - pyload
# tcp:9090 - sabnzbd # tcp:9090 - sabnzbd
# tcp:9200 - elasticsearch # tcp:9200 - elasticsearch
# tcp:5601 - kibana # tcp:5601 - kibana
networking.firewall.allowedUDPPorts = [ 655 ]; networking.firewall.allowedUDPPorts = [ 655 ];
networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ]; networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
# services.openssh.allowSFTP = false; # services.openssh.allowSFTP = false;
@ -66,6 +71,9 @@ in {
services.sabnzbd.enable = true; services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
virtualisation.docker.enable = true;
# HDD Array stuff # HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks; services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
@ -76,15 +84,11 @@ in {
disks = map toMapper [ 0 1 ]; disks = map toMapper [ 0 1 ];
parity = toMapper 2; parity = toMapper 2;
}; };
fileSystems = let fileSystems = let
cryptMount = name: cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in { in cryptMount "crypt0"
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
// cryptMount "crypt1" // cryptMount "crypt1"
// cryptMount "crypt2"; // cryptMount "crypt2";
@ -101,15 +105,16 @@ in {
usbkey = name: device: { usbkey = name: device: {
inherit name device keyFile; inherit name device keyFile;
keyFileSize = 4096; keyFileSize = 4096;
allowDiscards = true;
}; };
in [ in [
(usbkey "home" homePartition) (usbkey "luksroot" rootPartition)
(usbkey "crypt0" cryptDisk0) (usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1) (usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2) (usbkey "crypt2" cryptDisk2)
]; ];
}; };
loader.grub.device = rootDisk; loader.grub.device = lib.mkForce rootDisk;
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"ahci" "ahci"
@ -121,12 +126,12 @@ in {
"usbhid" "usbhid"
]; ];
kernelModules = [ "kvm-amd" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true; zramSwap.enable = true;
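Review bot: With `virtualisation.docker.enable = true;` and the suggested `docker run ... -p 8112:8000`, Docker inserts its own iptables rules that publish the port on every interface independently of `allowedTCPPorts`, so the new 8112 entry is not what governs exposure; binding with `-p 127.0.0.1:8112:8000` or the LAN address, and pinning `writl/pyload` to an image digest rather than the floating tag, would make both the exposure and the supply chain explicit. `allowDiscards = true` on the LUKS mappings lets TRIM pass through dm-crypt, which reveals free-space layout on the SSD — a known trade-off worth a comment beside it. The chassis diagram on the new side appears to label two bays `d3`, so one entry looks mislabelled.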


@ -31,6 +31,7 @@
# hardware specifics are in here # hardware specifics are in here
../2configs/hw/tp-x220.nix ../2configs/hw/tp-x220.nix
../2configs/hw/rtl8812au.nix
# mount points # mount points
../2configs/fs/sda-crypto-root-home.nix ../2configs/fs/sda-crypto-root-home.nix
# ../2configs/mediawiki.nix # ../2configs/mediawiki.nix
@ -43,6 +44,14 @@
# ../2configs/temp/sabnzbd.nix # ../2configs/temp/sabnzbd.nix
]; ];
services.tinc.networks.siem = {
name = "makefu";
extraConfig = ''
ConnectTo = sdarth
ConnectTo = sjump
'';
};
krebs.nginx = { krebs.nginx = {
default404 = false; default404 = false;
servers.default.listen = [ "80 default_server" ]; servers.default.listen = [ "80 default_server" ];
@ -59,7 +68,6 @@
networking.firewall.allowedUDPPorts = [ 665 ]; networking.firewall.allowedUDPPorts = [ 665 ];
krebs.build.host = config.krebs.hosts.pornocauster; krebs.build.host = config.krebs.hosts.pornocauster;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
krebs.retiolum = { krebs.retiolum = {
enable = true; enable = true;
@ -68,4 +76,6 @@
networking.extraHosts = '' networking.extraHosts = ''
192.168.1.11 omo.local 192.168.1.11 omo.local
''; '';
# hard dependency because otherwise the device will not be unlocked
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
} }
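Review bot: The added `boot.initrd.luks.devices` line re-adds exactly what this commit removes from `fs/sda-crypto-root.nix`; the comment `# hard dependency because otherwise the device will not be unlocked` explains the symptom but not why the shared module dropped it, so a pointer such as `# sda-crypto-root.nix no longer declares the device (hosts differ); every importer sets its own` would keep the two in sync. `allowDiscards=true` passes TRIM through the encrypted root and leaks block-usage patterns to the SSD; acceptable on a laptop, but worth stating as deliberate.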


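--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+tinc-siem-ip = "10.8.10.1";
+ip = "64.137.234.215";
+alt-ip = "64.137.234.210";
+extra-ip = "64.137.234.114"; #currently unused
+gw = "64.137.234.1";
+in {
+imports = [
+../.
+../2configs/save-diskspace.nix
+../2configs/hw/CAC.nix
+../2configs/fs/CAC-CentOS-7-64bit.nix
+];
+services.tinc.networks.siem.name = "sjump";
+krebs = {
+enable = true;
+retiolum.enable = true;
+build.host = config.krebs.hosts.shoney;
+nginx.enable = true;
+tinc_graphs = {
+enable = true;
+network = "siem";
+hostsPath = "/etc/tinc/siem/hosts";
+nginx = {
+enable = true;
+# TODO: remove hard-coded hostname
+complete = {
+listen = [ "${tinc-siem-ip}:80" ];
+server-names = [ "graphs.siem" ];
+};
+};
+};
+};
+networking = {
+interfaces.enp2s1.ip4 = [
+{ address = ip; prefixLength = 24; }
+{ address = alt-ip; prefixLength = 24; }
+];
+defaultGateway = gw;
+nameservers = [ "8.8.8.8" ];
+firewall = {
+trustedInterfaces = [ "tinc.siem" ];
+allowedUDPPorts = [ 655 1655 ];
+allowedTCPPorts = [ 655 1655 ];
+};
+};
+}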
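Review bot: `trustedInterfaces = [ "tinc.siem" ]` accepts every port from every siem peer, while the only siem-facing service shown (`tinc_graphs`) already binds to `${tinc-siem-ip}:80`; opening that port explicitly instead would keep siem peers away from anything else that later listens on this host. `extra-ip` is bound but unused, as its `#currently unused` comment admits — use it or drop it. The `# TODO: remove hard-coded hostname` presumably refers to `graphs.siem` being resolvable via the `dns.providers.siem = "hosts"` entry added elsewhere in this commit; confirm and say so in the comment.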


@ -9,9 +9,9 @@ in {
imports = [ imports = [
../. ../.
# TODO: copy this config or move to krebs # TODO: copy this config or move to krebs
../../tv/2configs/hw/CAC.nix ../2configs/hw/CAC.nix
../../tv/2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/headless.nix ../2configs/save-diskspace.nix
../2configs/bepasty-dual.nix ../2configs/bepasty-dual.nix
@ -27,8 +27,7 @@ in {
../2configs/collectd/collectd-base.nix ../2configs/collectd/collectd-base.nix
]; ];
krebs.retiolum.enable = true; krebs.retiolum.enable = true;
services.nixosManual.enable = false;
programs.man.enable = false;
krebs.build.host = config.krebs.hosts.wry; krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor = { krebs.Reaktor = {
@ -83,9 +82,5 @@ in {
nameservers = [ "8.8.8.8" ]; nameservers = [ "8.8.8.8" ];
}; };
# small machine - do not forget to gc every day
nix.gc.automatic = true;
nix.gc.dates = "03:10";
environment.systemPackages = [ ]; environment.systemPackages = [ ];
} }


@ -16,6 +16,8 @@ with config.krebs.lib;
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = { krebs = {
enable = true; enable = true;
dns.providers.siem = "hosts";
search-domain = "retiolum"; search-domain = "retiolum";
build = { build = {
user = config.krebs.users.makefu; user = config.krebs.users.makefu;
@ -24,7 +26,9 @@ with config.krebs.lib;
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
rev = "63b9785"; # stable @ 2016-06-01 rev = "63b9785"; # stable @ 2016-06-01
}; };
secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/"; secrets = if getEnv "dummy_secrets" == "true"
then toString <stockholm/makefu/6tests/data/secrets>
else "/home/makefu/secrets/${config.krebs.build.host.name}";
stockholm = "/home/makefu/stockholm"; stockholm = "/home/makefu/stockholm";
# Defaults for all stockholm users? # Defaults for all stockholm users?
@ -154,6 +158,15 @@ with config.krebs.lib;
"net.ipv6.conf.default.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2;
}; };
system.activationScripts.nix-defexpr = ''
(set -euf
for i in /home/makefu /root/;do
f="$i/.nix-defexpr"
rm -fr "$f"
ln -s /var/src/nixpkgs "$f"
done)
'';
i18n = { i18n = {
consoleKeyMap = "us"; consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8"; defaultLocale = "en_US.UTF-8";
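Review bot: The `secrets` path now depends on `getEnv "dummy_secrets"`, which makes evaluation impure and fails silently in both directions: an unset or misspelt variable deploys the real secrets into a test build, and one left exported during a real deploy ships `6tests/data/secrets`. A comment on that line stating which invocation is expected to set the variable, plus a `builtins.trace` when the dummy branch is taken, would make the switch visible in build output. The `nix-defexpr` activation script runs `rm -fr` on `/home/makefu/.nix-defexpr` as root on every activation and replaces it with a root-owned symlink, so the user can no longer manage that file; `/root/` with its trailing slash also yields `/root//.nix-defexpr`, harmless but inconsistent with the first loop entry.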


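--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,20 @@
+_:
+{
+boot.loader.grub = {
+device = "/dev/sda";
+};
+fileSystems = {
+"/" = {
+device = "/dev/centos/root";
+fsType = "xfs";
+};
+"/boot" = {
+device = "/dev/sda1";
+fsType = "xfs";
+};
+};
+swapDevices = [
+{ device = "/dev/centos/swap"; }
+];
+}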


@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
# sda: bootloader grub2 # sda: bootloader grub2
# sda1: boot ext4 (label nixboot) # sda1: boot ext4 (label nixboot) - must be unlocked on boot if required:
# boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
# sda2: cryptoluks -> ext4 # sda2: cryptoluks -> ext4
with config.krebs.lib; with config.krebs.lib;
{ {
boot = { boot = {
loader.grub.enable = true; loader.grub.enable = true;
loader.grub.version = 2; loader.grub.version = 2;
loader.grub.device = "/dev/sda"; loader.grub.device = lib.mkDefault "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
}; };
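Review bot: Removing `initrd.luks.devices` from this shared module means a host that imports it without adding its own entry gets an encrypted `/dev/sda2` that is never opened, and the new header comment only says `must be unlocked on boot if required`; spell out the reason, e.g. `# the LUKS device is declared per host because not every importer's root is sda2; every importer must set boot.initrd.luks.devices`. `cryptoModules` still lists `"sha1"`, which is only needed for volumes formatted with it — naming the host that depends on it would let it be dropped once that volume is gone.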


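--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CAC.nix
@@ -0,0 +1,13 @@
+_:
+{
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"vmw_pvscsi"
+];
+boot.loader.grub.splashImage = null;
+nix = {
+daemonIONiceLevel = 1;
+daemonNiceLevel = 1;
+};
+sound.enable = false;
+}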


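--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,6 @@
+_: {
+# add fingerprint with fprintd-enroll
+services.fprintd.enable = true;
+security.pam.services.login.fprintAuth = true;
+security.pam.services.xscreensaver.fprintAuth = true;
+}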
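Review bot: Enabling `fprintAuth` for `login` and `xscreensaver` makes a fingerprint alone enough to unlock the session — as far as I recall NixOS wires pam_fprintd in as a `sufficient` auth module, so confirm — which means the password is no longer required at the lock screen; stating that this is the intended trade-off in the comment would help. Only those two PAM services are covered, so `sudo` and the display manager's own service will still prompt for a password, and unlock behaviour differs between paths.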


@ -5,7 +5,7 @@ with config.krebs.lib;
imports = [ ./tp-x2x0.nix ]; imports = [ ./tp-x2x0.nix ];
boot = { boot = {
kernelModules = [ "kvm-intel" "acpi_call" ]; kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
}; };
@ -28,7 +28,7 @@ with config.krebs.lib;
# enable HDMI output switching with pulseaudio # enable HDMI output switching with pulseaudio
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"} ${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI" load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
''; '';
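Review bot: Adding `"tpm-rng"` registers the TPM as a hwrng source, but whether it actually feeds the kernel entropy pool depends on `rng_current` and on rngd or the in-kernel hwrng thread picking it up, so a comment such as `# expose the TPM's RNG via /dev/hwrng; mixing into the pool needs rngd or a recent kernel` would record the intent and the caveat. The `.out` change on the pulseaudio `readFile` line looks like a multi-output fix and could use a short comment too.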


@ -22,7 +22,8 @@ with config.krebs.lib;
services.tlp.enable = true; services.tlp.enable = true;
services.tlp.extraConfig = '' services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80 # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
#START_CHARGE_THRESH_BAT0=80
STOP_CHARGE_THRESH_BAT0=95 STOP_CHARGE_THRESH_BAT0=95
CPU_SCALING_GOVERNOR_ON_AC=performance CPU_SCALING_GOVERNOR_ON_AC=performance


@ -0,0 +1,9 @@
_:
# TODO: do not check out nixpkgs master but fetch revision from github
{
services.nixosManual.enable = false;
programs.man.enable = false;
services.journald.extraConfig = "SystemMaxUse=50M";
nix.gc.automatic = true;
nix.gc.dates = "03:10";
}
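Review bot: `services.journald.extraConfig = "SystemMaxUse=50M"` caps the journal without a comment on the retention trade-off: once the cap is reached journald discards the oldest entries, so on a busy host the log history available for later incident review may be very short. A comment such as `# journal capped at 50M for small disks; oldest entries are dropped, forward logs elsewhere if retention matters` would record that this is deliberate. The TODO at the top of the file about not checking out nixpkgs master does not correspond to any option in this file, so it is unclear what it refers to; either point it at the relevant setting or move it to where that is configured.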


@ -3,6 +3,14 @@
with config.krebs.lib; with config.krebs.lib;
let let
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
# TODO: currently it is only netzclub # TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" '' umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh #!/bin/sh
@ -62,7 +70,7 @@ let
Type = "simple"; Type = "simple";
Restart = "always"; Restart = "always";
RestartSec = "10s"; RestartSec = "10s";
ExecStart = "${pkgs.wvdial}/bin/wvdial -n"; ExecStart = "${wvdial}/bin/wvdial -n";
}; };
}; };
}; };
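Review bot: The `nixpkgs-1509` pin is reproducible (full `rev` plus `sha256`), but importing it as a second package set means `wvdial` is built with that tree's own stdenv and libraries, so its whole closure (wvstreams and, I think, its TLS dependency) comes from the 15.09 channel and no longer receives security updates with the rest of the system; confirm by inspecting the closure of the resulting derivation. The issue link explains why the workaround exists but not this consequence or when it should go away. I would extend the comment to `# wvdial from pinned nixpkgs 15.09: its whole closure is frozen there; drop once NixOS/nixpkgs#16113 is fixed`. The systemd service that the second hunk's `ExecStart` belongs to starts outside the hunk.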


@ -0,0 +1,19 @@
{ pkgs, ... }:
pkgs.python3Packages.buildPythonPackage rec {
name = "bintray-upload-${version}";
version = "0.1.2";
src = pkgs.fetchFromGitHub {
owner = "makefu";
repo = "bintray-upload";
rev = "4e76724";
sha256 = "1401saisk98n5wgw73nwh8hb484vayw5c6dlypxc1fp4ybym4zi9";
};
propagatedBuildInputs = with pkgs.python3Packages; [ requests2 ];
meta = {
description = "Simple BinTray utility for uploading packages";
license = pkgs.stdenv.lib.licenses.asl20;
};
}
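Review bot: `rev = "4e76724"` is an abbreviated commit id; the `sha256` still pins the content, so integrity is not at risk, but a short prefix can become ambiguous as the repository grows, at which point the fetch either fails or resolves to a different commit and trips the hash check, leaving the derivation unbuildable. Use the full 40-character id, `rev = "<full commit id for 4e76724>";`. A `meta.homepage` pointing at the repository would also help readers locate the upstream source.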


@ -13,7 +13,8 @@ in
nodemcu-uploader = callPackage ./nodemcu-uploader {}; nodemcu-uploader = callPackage ./nodemcu-uploader {};
tw-upload-plugin = callPackage ./tw-upload-plugin {}; tw-upload-plugin = callPackage ./tw-upload-plugin {};
inherit (callPackage ./devpi {}) devpi-web devpi-server; inherit (callPackage ./devpi {}) devpi-web devpi-server;
skytraq-logger = callPackage ./skytraq-logger/ {}; skytraq-logger = callPackage ./skytraq-logger {};
taskserver = callPackage ./taskserver {}; taskserver = callPackage ./taskserver {};
bintray-upload = callPackage ./bintray-upload {};
}; };
} }


@ -0,0 +1 @@
"derp"


@ -0,0 +1 @@
{}


@ -0,0 +1 @@
"derp"


@ -22,7 +22,7 @@ in
# local discovery in shackspace # local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
krebs.retiolum.extraConfig = "TCPOnly = yes";
services.grafana = { services.grafana = {
enable = true; enable = true;
addr = "0.0.0.0"; addr = "0.0.0.0";
@ -37,7 +37,7 @@ in
networking = { networking = {
firewall.enable = false; firewall.enable = false;
interfaces.eth0.ip4 = [{ interfaces.enp0s3.ip4 = [{
address = shack-ip; address = shack-ip;
prefixLength = 20; prefixLength = 20;
}]; }];
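Review bot: `krebs.retiolum.extraConfig = "TCPOnly = yes";` is added without a reason, and the comment above it (`# local discovery in shackspace`) belongs to the `tinc_pre` override rather than to this line, so a reader cannot tell whether UDP is blocked or merely unreliable on that network. Record it inline, `# TCPOnly = yes: <reason tinc over UDP does not work on the shack network>`. The rename from `eth0` to `enp0s3` ties the static address to a predictable interface name, so a note on which machine or virtualisation platform this targets would make the next rename easier to judge. The enclosing attribute set starts and ends outside the hunks.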


@ -26,7 +26,7 @@
stockholm_repo, stockholm_repo,
workdir='stockholm-poller', branches=True, workdir='stockholm-poller', branches=True,
project='stockholm', project='stockholm',
pollinterval=120)) pollinterval=60))
''; '';
scheduler = { scheduler = {
force-scheduler = '' force-scheduler = ''
@ -43,7 +43,7 @@
sched.append(schedulers.SingleBranchScheduler( sched.append(schedulers.SingleBranchScheduler(
## all branches ## all branches
change_filter=util.ChangeFilter(branch_re=".*"), change_filter=util.ChangeFilter(branch_re=".*"),
# treeStableTimer=10, treeStableTimer=10,
name="fast-all-branches", name="fast-all-branches",
builderNames=["fast-tests"])) builderNames=["fast-tests"]))
''; '';