Merge remote-tracking branch 'prism/master'

This commit is contained in:
tv 2016-06-30 16:31:05 +02:00
commit d81b068113
98 changed files with 1918 additions and 632 deletions


@ -1,4 +1,4 @@
arg@{ config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
inherit (pkgs) writeText;


@ -91,6 +91,7 @@ with config.krebs.lib;
"prism.retiolum"
"prism.r"
"cgit.prism.retiolum"
"cache.prism.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -107,36 +108,17 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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";
};
fastpoke = {
domsen-nas = {
nets = rec {
internet = {
ip4.addr = "193.22.164.36";
aliases = [
"fastpoke.internet"
"domsen-nas.internet"
];
};
retiolum = {
via = internet;
ip4.addr = "10.243.253.152";
ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00";
aliases = [
"fastpoke.retiolum"
"fastpoke.r"
"cgit.fastpoke.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs4p5xsQYx06v+OkUbc09K6voFAbkvO66QdFoM71E10XyCeLP6iuq
DaIOFN4GrPR36pgyjqtJ+62G9uR+WsB/y14eio1p1ivDWgcpt5soOZAH5zVRRD9O
FBDlgVNwIJ6stMHy6OenEKWsfEiZRN3XstnqAqyykzjddglth1tJntn6kbZehzNQ
ezfIyN4XgaX2fhSu+UnAyLcV8wWnF9cMABjz7eKcSmRJgtG4ZiuDkbgiiEew7+pB
EPqOVQ80lJvzQKgO4PmVoAjD9A+AHnmLJNPDQQi8nIVilGCT60IX+XT1rt85Zpdy
rEaeriw/qsVJnberAhDAdQYYuM1ai2H5swIDAQAB
-----END RSA PUBLIC KEY-----
'';
ip4.addr = "87.138.180.167";
ssh.port = 2223;
};
};
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRyEogeejET/UlqYYzrla3W2xG771oLK8uTFsVlVQFes4/c++Pp3KryJ/+avb/FQGlUb5YTO2SViZyAPTyw3Anv/8wxryB6ExDcfiiPL9D4Kgk559Gc1C+8vJu3Se3zB9huefllhdwsVkeFrInyWRarH3LNSbBq1TH2Rw/T4wyDVILu/QFxyqECdNzi6sufQ/92rEi3oDqlMbS8f45nbVm9CJpdn7ATwLW1PoBrrYkGll3P7ggOmR45rgldTVCLq3rIrIooiOaOhY1Leq+/sBeDa7fVeRFxFaLGYb9KFjQ4x2kL+3dDv0r726wKhrMQX75g/+Hqkv2di4/AGETI71b";
ssh.pubkey = "ssh-dss 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";
};
cloudkrebs = {
cores = 1;
@ -314,5 +296,13 @@ with config.krebs.lib;
fritz = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
};
prism-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR9oL/OPHjjKjQ+IyRqWpgrXdZrKKAwFKIte8gYml6C";
mail = "lass@prism.r";
};
mors-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
mail = "lass@mors.r";
};
};
}
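Review bot: The host key recorded for domsen-nas on the `ssh.pubkey = "ssh-dss …"` line is a DSA key, which OpenSSH clients have refused by default since 7.0 because DSA is limited to 1024 bits; anything that builds its known_hosts from this list will fail host-key verification against domsen-nas unless `ssh-dss` is re-enabled in `HostKeyAlgorithms`. If the host also offers an RSA or ed25519 host key, record that one instead; otherwise a comment beside the entry explaining why DSA is still in use would spare the next reader a debugging session. The two new `*-repo-sync` users carry bare ed25519 keys without the `user@host` suffix the `fritz` entry has, so it is not visible which machine holds the private half — a trailing comment such as `pubkey = "ssh-ed25519 … repo-sync@prism";` fixes that. Which of the fastpoke/domsen-nas pubkey lines is the new side is inferred from the old/new pairing, which the rendering has lost.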


@ -48,6 +48,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY-----
'';
};
siem = {
ip4.addr = "10.8.10.2";
aliases = [
"darth.siem"
];
};
};
};
tsp = {
@ -98,6 +104,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY-----
'';
};
siem = {
ip4.addr = "10.8.10.4";
aliases = [
"arch.siem"
];
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
@ -184,6 +196,8 @@ with config.krebs.lib;
internet = {
ip4.addr = "104.233.87.86";
aliases = [
"wry.i"
"paste.i"
"wry.internet"
"paste.internet"
];
@ -194,10 +208,10 @@ with config.krebs.lib;
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [
"graphs.wry.retiolum"
"graphs.retiolum"
"graphs.r" "graphs.retiolum"
"paste.wry.retiolum"
"paste.retiolum"
"wry.retiolum"
"paste.r" "paste.retiolum"
"wry.r" "wry.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
"blog.makefu.retiolum"
@ -232,15 +246,16 @@ with config.krebs.lib;
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [
"filepimp.retiolum"
"filepimp.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
MIIBCgKCAQEA43w+A1TMOfugZ/CVwilJn4c36wWSjihaeVe7suZD0DSscKBcbkGg
3dTCSTnu6Qb9sYd2mKebKXLreO6nhEEoFGsRU0yw/1h8gl7mWYEdTifPfvM5EWwS
wkN9dJ5njwIUSRyWH7QTsLkiRJVFN2UxEwrhAbo1FJ7yuhRgAKqKJSN4yPVViZwR
oHyyobvm/i2J+XSiDI9MRo74vNjnDLvO7R6ErIrhOPP1bD9fx3u+UYUfgS0iCO3X
UN0duBz/faRcl6IRytZOuHaIp30eJ4850ZK8RPz/Dqqj+USMFq60i0oMsuAi/ljB
8b+eQBt6OXu4MSntxoR8Ja7ht+EOTDnBOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
@ -339,6 +354,42 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
};
shoney = rec {
cores = 1;
nets = {
siem = {
ip4.addr = "10.8.10.1";
aliases = [
"sjump.siem"
"graphs.siem"
];
};
internet = {
ip4.addr = "64.137.234.215";
aliases = [
"shoney.i"
];
};
retiolum = {
ip4.addr = "10.243.205.131";
ip6.addr = "42:490d:cd82:d2bb:56d5:abd1:b88b:e8b4";
aliases = [
"shoney.retiolum"
"shoney.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsYXzbotmODJqos+Ilve8WyO2qBti6eMDSOP59Aqb18h8A5b4tCTL
ygDo2xLLzRaINQAxfdaKcdMOWSEkiy1j/pBYs1tfqv4mT6BO+1t8LXz82D+YcT+4
okGXklZ/H5L+T9cynbpKIwzTrw0DuOUhzs/WRFJU60B4cJ0Tl3IQs5ePX1SevVht
M5n1ob47SCHxEuC+ZLNdLc6KRumcp3Ozk6Yxj3lZ0tqyngxY1C+1kTJwRyw9A7vO
+DAH8t1YusYi7ICHcYt5J1p0ZGizcs8oEnZLBy4D+bJX86g7zbix1lZ37LxDCpQ5
uCoAYFes7QqLVDYhucZ5ElRWdATM2mBtZwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
# non-stockholm
@ -426,6 +477,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
lariat = rec {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.64.7";
aliases = [
"lariat.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqiDzxADQYY8cWBH+R5aKSoxaFHLvPvVMgB7R1Y6QVTqD5YUCuINX
eBLFV9idHnHzdZU+xo/c8EFQf0hvyP0z3bcXaiw+RlpEYdK6tuaypJ3870toqWmA
269H8ufA3DA0hxlY7dwnhg8Rb7KGIlNN8fy4RMGe73PupF5aAmiDiEhPalv4E0qJ
unmk5y1OHQFPxYm++yLo5SVFlcO89jDtGpvg5papp8JvtxTkrshby1lXf/sph3Cv
d1z6h7S+HgT+BMwTZY5dIrwYAcob/t1sRmWsY62P1n02RbiJFm27wg0t/ZcfsI2o
yBjRTiK5ACJaIdpM99/902gJsuJASPGB2QIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
soundflower = rec {
cores = 1;
nets = {
@ -568,6 +641,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
} // { # hosts only maintained in stockholm, not owned by me
muhbaasu = rec {
cores = 1;
nets = {
@ -596,7 +670,6 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
};
} // { # hosts only maintained in stockholm, not owned by me
tpsw = {
cores = 2;
owner = config.krebs.users.ciko; # main laptop


@ -11,14 +11,14 @@ let
api = {
enable = mkEnableOption "repo-sync";
config = mkOption {
type = with types;attrsOf (attrsOf (attrsOf str));
repos = mkOption {
type = with types;attrsOf (attrsOf (attrsOf (attrsOf str)));
example = literalExample ''
# see `repo-sync --help`
# `ref` provides sane defaults and can be omitted
# attrset will be converted to json and be used as config
{
{ repo = {
makefu = {
origin = {
url = http://github.com/makefu/repo ;
@ -44,6 +44,7 @@ let
};
};
};
};
'';
};
timerConfig = mkOption {
@ -56,53 +57,75 @@ let
type = types.str;
default = "/var/lib/repo-sync";
};
user = mkOption {
type = types.user;
default = {
name = "repo-sync";
home = cfg.stateDir;
};
};
privateKeyFile = mkOption {
type = types.str;
description = ''
used by repo-sync to identify with ssh service
type = types.secret-file;
default = {
path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key";
};
};
unitConfig = mkOption {
type = types.attrsOf types.str;
description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit";
example = literalExample ''
# do not start when running on umts
{ ConditionPathExists = "!/var/run/ppp0.pid"; }
'';
default = toString <secrets/wolf-repo-sync.rsa_key.priv>;
default = {};
};
};
repo-sync-config = pkgs.writeText "repo-sync-config.json"
(builtins.toJSON cfg.config);
imp = {
users.users.repo-sync = {
name = "repo-sync";
uid = genid "repo-sync";
description = "repo-sync user";
home = cfg.stateDir;
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
description = "repo-sync user";
};
systemd.timers.repo-sync = {
systemd.timers = mapAttrs' (name: repo:
nameValuePair "repo-sync-${name}" {
description = "repo-sync timer";
wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig;
};
systemd.services.repo-sync = {
description = "repo-sync";
after = [ "network.target" ];
}
) cfg.repos;
path = with pkgs; [ ];
systemd.services = mapAttrs' (name: repo:
let
repo-sync-config = pkgs.writeText "repo-sync-config-${name}.json"
(builtins.toJSON repo);
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
after = [ "network.target" "secret.service" ];
environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv";
REPONAME = "${name}.git";
};
serviceConfig = {
Type = "simple";
PermissionsStartOnly = true;
ExecStartPre = pkgs.writeDash "prepare-repo-sync-user" ''
cp -v ${shell.escape cfg.privateKeyFile} ${cfg.stateDir}/ssh.priv
chown repo-sync ${cfg.stateDir}/ssh.priv
'';
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir;
User = "repo-sync";
};
};
unitConfig = cfg.unitConfig;
}
) cfg.repos;
};
in out
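Review bot: The `description` of the new `unitConfig` option, on the line after `type = types.attrsOf types.str;`, still says "Extra unit configuration for fetchWallpaper …", copied from the fetchWallpaper module; here it should read `description = "Extra unit configuration for repo-sync to define conditions and assertions for the unit";`. Every generated timer and service is described as `"repo-sync timer"` and `"repo-sync"`, so `systemctl list-timers` shows several indistinguishable entries — `description = "repo-sync timer for ${name}";` (and the same for the service) would tell them apart. The private key lands at `${cfg.stateDir}/ssh.priv` and `GIT_SSH_COMMAND` points ssh at it, but nothing in the hunk provides a known_hosts for the `repo-sync` user, whose home is that same stateDir; if the origins are reached over ssh, the first non-interactive connection will presumably fail host-key verification unless the secrets deployment also ships a known_hosts file, which is worth a comment next to `GIT_SSH_COMMAND`. The option block begins before this hunk, so the `privateKeyFile` description may survive outside the visible lines.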


@ -20,6 +20,18 @@ let
default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat";
};
hostsPath = mkOption {
type = types.str;
description = "Path to Hosts directory";
default = "${config.krebs.retiolum.hostsPackage}";
};
network = mkOption {
type = types.str;
description = "Tinc Network to use";
default = "retiolum";
};
nginx = {
enable = mkEnableOption "enable tinc_graphs to be served with nginx";
@ -85,7 +97,8 @@ let
EXTERNAL_FOLDER = external_dir;
INTERNAL_FOLDER = internal_dir;
GEODB = cfg.geodbPath;
TINC_HOSTPATH = config.krebs.retiolum.hostsPackage;
TINC_HOSTPATH = cfg.hostsPath;
TINC_NETWORK = cfg.network;
};
restartIfChanged = true;
@ -103,7 +116,7 @@ let
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}"
fi
'';
ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs";
ExecStart = ''${pkgs.tinc_graphs}/bin/all-the-graphs "${cfg.network}"'';
ExecStartPost = pkgs.writeDash "tinc_graphs-post" ''
# TODO: this may break if workingDir is set to something stupid
@ -121,8 +134,9 @@ let
uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs";
};
krebs.nginx.servers = mkIf cfg.nginx.enable {
krebs.nginx = mkIf cfg.nginx.enable {
enable = mkDefault true;
servers = {
tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
locations = [
(nameValuePair "/" ''
@ -141,6 +155,7 @@ let
}];
};
};
};
in
out
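Review bot: The new `hostsPath` and `network` options are independent, yet `hostsPath` defaults to retiolum's hosts package no matter what `network` is set to, so a user who only sets `network = "siem"` still graphs retiolum's host files; that coupling is undocumented. One sentence in the option description would do: `description = "Path to the tinc hosts directory; must match the network selected by the network option (defaults to retiolum's hosts package)";`. `network` is also interpolated into `ExecStart` inside double quotes, which is fine for bare names, but `types.str` accepts whitespace and quotes, so the `network` description should state that the value must be a plain tinc network name as passed to `all-the-graphs`.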


@ -3,6 +3,9 @@
python3Packages.buildPythonPackage rec {
name = "Reaktor-${version}";
version = "0.5.1";
doCheck = false;
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
python3Packages.requests2
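Review bot: `doCheck = false;` is added to the Reaktor build with no indication of why the test suite is skipped, so whoever next bumps `version` cannot tell whether the tests can be re-enabled. Keep the reason with the code: `doCheck = false; # <reason the tests are disabled, e.g. what they need that the sandbox lacks>` with the placeholder filled in. The `buildPythonPackage` call continues outside this hunk.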


@ -38,13 +38,13 @@ with config.krebs.lib;
ReaktorPlugins = callPackage ./Reaktor/plugins.nix {};
#buildbot = callPackage <nixpkgs/pkgs/development/tools/build-managers/buildbot> {
# inherit (pkgs.pythonPackages) twisted jinja2;
# dateutil = pkgs.pythonPackages.dateutil_1_5;
# sqlalchemy_migrate_0_7 = pkgs.pythonPackages.sqlalchemy_migrate_func (pkgs.pythonPackages.sqlalchemy7.override {
# doCheck = false;
# });
#};
buildbot = callPackage <nixpkgs/pkgs/development/tools/build-managers/buildbot> {
inherit (pkgs.pythonPackages) twisted jinja2;
dateutil = pkgs.pythonPackages.dateutil_1_5;
sqlalchemy_migrate_0_7 = pkgs.pythonPackages.sqlalchemy_migrate_func (pkgs.pythonPackages.sqlalchemy7.override {
doCheck = false;
});
};
# XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d
symlinkJoin = { name, paths, ... }@args: let


@ -8,13 +8,14 @@ let
};
# TODO irc-announce should return a derivation
irc-announce = { nick, channel, server, port ? 6667, verbose ? false }: ''
irc-announce = { nick, channel, server, port ? 6667, verbose ? false, branches ? [] }: ''
#! /bin/sh
set -euf
export PATH=${makeBinPath (with pkgs; [
coreutils
git
gnugrep
gnused
])}
@ -54,6 +55,12 @@ let
h=$(echo $ref | sed 's:^refs/heads/::')
${optionalString (branches != []) ''
if ! (echo "$h" | grep -qE "${concatStringsSep "|" branches}"); then
echo "we are not serving this branch: $h"
exit 0
fi
''}
# empty_tree=$(git hash-object -t tree /dev/null)
empty_tree=4b825dc6
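Review bot: The branch filter on the `grep -qE "${concatStringsSep "|" branches}"` line is unanchored, so `branches = [ "master" ]` also announces `master-old`, `notmaster` and `feature/master`, and any regex metacharacter in a branch name (a `.` for instance) is interpreted rather than matched literally. Matching the whole line fixes the first problem: `if ! (echo "$h" | grep -qxE "${concatStringsSep "|" branches}"); then`; if branch names should be compared literally as well, `grep -qxF` with the names joined by newlines instead of `|` does both. The script is a Nix string whose body continues past the end of this hunk.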


@ -13,7 +13,6 @@ in {
../2configs/retiolum.nix
../2configs/git.nix
../2configs/realwallpaper.nix
../2configs/realwallpaper-server.nix
../2configs/privoxy-retiolum.nix
{
networking.interfaces.enp2s1.ip4 = [


@ -5,7 +5,7 @@
../.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/default.nix
../2configs/exim-retiolum.nix
#../2configs/exim-retiolum.nix
../2configs/git.nix
{
boot.loader.grub = {
@ -63,6 +63,35 @@
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
];
}
{
#TODO: abstract & move to own file
krebs.exim-smarthost = {
enable = true;
relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
config.krebs.hosts.mors
config.krebs.hosts.uriel
config.krebs.hosts.helios
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "lass"; }
];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
];
}
];
krebs.build.host = config.krebs.hosts.dishfire;
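Review bot: The new firewall rule `{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }` opens port 25 on every interface, while `relay_from_hosts` lists only the retiolum addresses of mors, uriel and helios; relaying stays restricted, but the listener becomes reachable from dishfire's internet side too. If dishfire is meant to receive mail from outside that is intended and a comment should say so; if it is only a smarthost for those three hosts, limiting the rule to the tunnel interface (`predicate = "-i retiolum -p tcp --dport smtp"`, assuming the interface carries the network name) keeps the exposure to what `relay_from_hosts` expects. The `#TODO: abstract & move to own file` line already marks this block as temporary, and the same `system-aliases` list appears in another file section of this commit, which is what that move should fold together.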


@ -11,7 +11,7 @@ in {
../2configs/default.nix
../2configs/exim-retiolum.nix
../2configs/retiolum.nix
../2configs/realwallpaper-server.nix
../2configs/realwallpaper.nix
../2configs/privoxy-retiolum.nix
../2configs/git.nix
#../2configs/redis.nix


@ -3,6 +3,7 @@
{
imports = [
../.
../2configs/hw/tp-x220.nix
../2configs/baseX.nix
../2configs/exim-retiolum.nix
../2configs/programs.nix
@ -14,22 +15,18 @@
../2configs/elster.nix
../2configs/steam.nix
../2configs/wine.nix
#../2configs/texlive.nix
../2configs/binary-caches.nix
#../2configs/ircd.nix
../2configs/chromium-patched.nix
../2configs/git.nix
#../2configs/wordpress.nix
../2configs/bitlbee.nix
#../2configs/firefoxPatched.nix
../2configs/skype.nix
../2configs/teamviewer.nix
../2configs/libvirt.nix
../2configs/fetchWallpaper.nix
../2configs/cbase.nix
../2configs/c-base.nix
../2configs/mail.nix
../2configs/krebs-pass.nix
#../2configs/buildbot-standalone.nix
../2configs/umts.nix
../2configs/repo-sync.nix
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@ -57,17 +54,10 @@
# package = pkgs.postgresql;
# };
#}
{
}
];
krebs.build.host = config.krebs.hosts.mors;
networking.wireless.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
@ -77,7 +67,6 @@
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
};
fileSystems = {
"/" = {
@ -131,8 +120,8 @@
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:85:c9", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
@ -146,7 +135,7 @@
#Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp]
#echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control'
#Autosuspend for USB device Biometric Coprocessor
echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
#echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
#Runtime PMs
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
@ -168,22 +157,6 @@
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
'';
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.xserver = {
videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel ];
deviceSection = ''
Option "AccelMethod" "sna"
BusID "PCI:0:2:0"
'';
};
environment.systemPackages = with pkgs; [
acronym
cac-api
@ -214,15 +187,11 @@
};
};
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
services.mongodb = {
enable = true;
};
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
];
};
};
}


@ -19,6 +19,8 @@ in {
../2configs/privoxy-retiolum.nix
../2configs/radio.nix
../2configs/buildbot-standalone.nix
../2configs/repo-sync.nix
../2configs/binary-cache/server.nix
{
imports = [
../2configs/git.nix
@ -66,8 +68,6 @@ in {
}
{
#boot.loader.gummiboot.enable = true;
#boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
devices = [
"/dev/sda"
@ -110,10 +110,6 @@ in {
{
sound.enable = false;
}
#{
# #workaround for server dying after 6-7h
# boot.kernelPackages = pkgs.linuxPackages_4_2;
#}
{
nixpkgs.config.allowUnfree = true;
}
@ -202,7 +198,7 @@ in {
}
{
imports = [
../2configs/realwallpaper-server.nix
../2configs/realwallpaper.nix
];
krebs.nginx.servers."lassul.us".locations = [
(lib.nameValuePair "/wallpaper.png" ''


@ -4,7 +4,9 @@ with builtins;
{
imports = [
../.
../2configs/hw/tp-x220.nix
../2configs/baseX.nix
../2configs/git.nix
../2configs/exim-retiolum.nix
../2configs/browsers.nix
../2configs/programs.nix
@ -19,34 +21,10 @@ with builtins;
# };
# };
#}
{
#x220 config from mors
#TODO: make x220 config file (or look in other user dir)
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.xserver = {
videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel ];
deviceSection = ''
Option "AccelMethod" "sna"
BusID "PCI:0:2:0"
'';
};
}
];
krebs.build.host = config.krebs.hosts.shodan;
networking.wireless.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
@ -56,7 +34,6 @@ with builtins;
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
};
fileSystems = {
"/" = {
@ -67,10 +44,15 @@ with builtins;
"/boot" = {
device = "/dev/sda1";
};
"/home/lass" = {
device = "/dev/pool/home-lass";
fsType = "ext4";
};
};
#services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
# SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
#'';
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
'';
}


@ -8,7 +8,13 @@ in {
#./urxvt.nix
./xserver
./mpv.nix
#./pulse.nix
./power-action.nix
];
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
users.extraUsers.mainUser.extraGroups = [ "audio" ];
@ -16,11 +22,6 @@ in {
virtualisation.libvirtd.enable = true;
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
programs.ssh.startAgent = false;
security.setuidPrograms = [ "slock" ];
@ -32,6 +33,7 @@ in {
environment.systemPackages = with pkgs; [
acpi
dmenu
gitAndTools.qgit
lm_sensors
@ -44,6 +46,7 @@ in {
sxiv
xclip
xorg.xbacklight
xorg.xhost
xsel
zathura


@ -0,0 +1,9 @@
{ config, ... }:
{
nix = {
binaryCaches = ["http://cache.prism.r"];
binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
};
}
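Review bot: `nix.binaryCaches = ["http://cache.prism.r"];` replaces the option's default instead of extending it, so every host importing this file presumably stops using cache.nixos.org and builds from source whatever prism has not built yet; `binaryCachePublicKeys` likewise drops the default upstream key. If that is intended a comment should say so; if not, list the upstream cache explicitly alongside prism's, `binaryCaches = [ "http://cache.prism.r" "https://cache.nixos.org/" ];`, together with its public key. The cache is fetched over plain HTTP, which is acceptable only because clients verify the `cache.prism-1` signature on every path — one comment stating that would stop a later "fix" that disables signature checking.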


@ -0,0 +1,30 @@
{ config, lib, pkgs, ...}:
{
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
services.nix-serve = {
enable = true;
secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
};
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
};
krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key";
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
krebs.nginx = {
enable = true;
servers.nix-serve = {
server-names = [ "cache.prism.r" ];
locations = lib.singleton (lib.nameValuePair "/" ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'');
};
};
}
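Review bot: `services.nix-serve` publishes every path in prism's Nix store and the nginx server on `cache.prism.r` proxies it to anyone who can resolve that name, yet nothing warns that a secret accidentally written into the store on prism (through `writeText`, `builtins.toJSON` or a misplaced path) becomes fetchable by every cache client. A comment above `services.nix-serve` such as `# nix-serve exposes the whole /nix/store of this host; never let secrets enter the store here` would make that property visible to future changes. The location is a bare `proxy_pass` without access control, so if the cache is meant only for retiolum hosts an `allow`/`deny` on the tunnel range would bound the audience; whether cache.prism.r resolves outside retiolum is not visible here. The key file under `/run/secret` owned by `nix-serve` is the right shape; its mode is whatever `krebs.secret.files` defaults to, which this hunk does not show.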


@ -1,13 +0,0 @@
{ config, ... }:
{
nix.sshServe.enable = true;
nix.sshServe.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel"
];
nix.binaryCaches = [
#"scp://nix-ssh@mors"
#"scp://nix-ssh@uriel"
];
}


@ -1,6 +1,14 @@
{ lib, config, pkgs, ... }:
{
krebs.buildbot.master = let
with config.krebs.lib;
let
sshWrapper = pkgs.writeDash "ssh-wrapper" ''
${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"
'';
in {
config.krebs.buildbot.master = let
stockholm-mirror-url = http://cgit.prism/stockholm ;
in {
slaves = {
@ -25,20 +33,38 @@
sched.append(schedulers.SingleBranchScheduler(
## all branches
change_filter=util.ChangeFilter(branch_re=".*"),
# treeStableTimer=10,
treeStableTimer=10,
name="fast-all-branches",
builderNames=["fast-tests"]))
'';
build-scheduler = ''
# build all hosts
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"),
treeStableTimer=10,
name="prism-all-branches",
builderNames=["build-all"]))
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"}
# TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
"LOGNAME": "lass",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_makefu = {
"LOGNAME": "makefu",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync" ]
deps = [ "gnumake", "jq", "nix", "rsync", "proot" ]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell",
@ -51,16 +77,45 @@
factory.addStep(steps.ShellCommand(**kwargs))
'';
builder = {
build-all = ''
f = util.BuildFactory()
f.addStep(grab_repo)
for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]:
addShell(f,name="build-{}".format(i),env=env_lass,
command=nixshell + \
["make \
test \
ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
for i in [ "pornocauster", "wry" ]:
addShell(f,name="build-{}".format(i),env=env_makefu,
command=nixshell + \
["make \
test \
ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
bu.append(util.BuilderConfig(name="build-all",
slavenames=slavenames,
factory=f))
'';
fast-tests = ''
f = util.BuildFactory()
f.addStep(grab_repo)
for i in [ "prism", "mors", "echelon" ]:
addShell(f,name="populate-{}".format(i),env=env,
addShell(f,name="populate-{}".format(i),env=env_lass,
command=nixshell + \
["{}( make system={} eval.config.krebs.build.populate \
| jq -er .)".format("!" if "failing" in i else "",i)])
addShell(f,name="build-test-minimal",env=env,
addShell(f,name="build-test-minimal",env=env_lass,
command=nixshell + \
["nix-instantiate \
--show-trace --eval --strict --json \
@ -86,17 +141,17 @@
};
};
krebs.buildbot.slave = {
config.krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "lasspass";
packages = with pkgs;[ git nix gnumake jq rsync ];
extraEnviron = {
NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix";
NIX_PATH="nixpkgs=/var/src/nixpkgs";
};
};
krebs.iptables = {
config.krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8010"; target = "ACCEPT"; }
@ -104,4 +159,29 @@
];
};
};
#ssh workaround for make test
options.lass.build-ssh-privkey = mkOption {
type = types.secret-file;
default = {
path = "${config.users.users.buildbotSlave.home}/ssh.privkey";
owner = { inherit (config.users.users.buildbotSlave ) name uid;};
source-path = toString <secrets> + "/build.ssh.key";
};
};
config.krebs.secret.files = {
build-ssh-privkey = config.lass.build-ssh-privkey;
};
config.users.users = {
build = {
name = "build";
uid = genid "build";
home = "/home/build";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiV0Xn60aVLHC/jGJknlrcxSvKd/MVeh2tjBpxSBT3II9XQGZhID2Gdh84eAtoWyxGVFQx96zCHSuc7tfE2YP2LhXnwaxHTeDc8nlMsdww53lRkxihZIEV7QHc/3LRcFMkFyxdszeUfhWz8PbJGL2GYT+s6CqoPwwa68zF33U1wrMOAPsf/NdpSN4alsqmjFc2STBjnOd9dXNQn1VEJQqGLG3kR3WkCuwMcTLS5eu0KLwG4i89Twjy+TGp2QsF5K6pNE+ZepwaycRgfYzGcPTn5d6YQXBgcKgHMoSJsK8wqpr0+eFPCDiEA3HDnf76E4mX4t6/9QkMXCLmvs0IO/WP lass@mors"
];
};
};
}
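Review bot: The `build` user exists so that `make test … target=build@localhost:…` can ssh into it with the key from `lass.build-ssh-privkey`, yet the only entry in its `openssh.authorizedKeys.keys` is the personal `lass@mors` key; unless `build.ssh.key` is that same personal key — which would park a user's private key on the CI slave — the build steps will fail at the ssh hop. Add the public half of the CI key here and restrict it, e.g. `"from=\"127.0.0.1\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public half of build.ssh.key> buildbot@prism"` (placeholder), keeping the personal key only if interactive access to `build` is really needed. The `build-all` builder repeats the multi-line `addShell(...)` call once for `env_lass` and once for `env_makefu`, differing only in the env and the host list, so the two copies will drift; a single loop over `(env, hosts)` pairs avoids that. The string is embedded Python, so the rewrite below is the body of the `build-all = ''…''` attribute.
```nix
      build-all = ''
        f = util.BuildFactory()
        f.addStep(grab_repo)
        # one loop over (env, hosts) pairs instead of two copies of the addShell call
        for env, hosts in [
            (env_lass, [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]),
            (env_makefu, [ "pornocauster", "wry" ]),
        ]:
          for i in hosts:
            addShell(f,name="build-{}".format(i),env=env,
              command=nixshell + \
                ["make \
                  test \
                  ssh=${sshWrapper} \
                  target=build@localhost:${config.users.users.build.home}/testbuild \
                  method=build \
                  system={}".format(i)])
        # … unchanged: bu.append(util.BuilderConfig(name="build-all", …)) …
      '';
```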


@ -7,6 +7,9 @@ with config.krebs.lib;
../2configs/zsh.nix
../2configs/mc.nix
../2configs/retiolum.nix
../2configs/nixpkgs.nix
../2configs/binary-cache/client.nix
../2configs/gc.nix
./backups.nix
{
users.extraUsers =
@ -52,21 +55,18 @@ with config.krebs.lib;
user = config.krebs.users.lass;
source = mapAttrs (_: mkDefault) ({
nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix";
secrets = "/home/lass/secrets/${config.krebs.build.host.name}";
secrets = if getEnv "dummy_secrets" == "true"
then toString <stockholm/lass/2configs/tests/dummy-secrets>
else "/home/lass/secrets/${config.krebs.build.host.name}";
#secrets-common = "/home/lass/secrets/common";
stockholm = "/home/lass/stockholm";
nixpkgs = {
url = https://github.com/lassulus/nixpkgs;
rev = "f632f8edaf80ffa8bf0b8c9b9064cae3ccbe3894";
dev = "/home/lass/src/nixpkgs";
};
stockholm = getEnv "PWD";
} // optionalAttrs config.krebs.build.host.secure {
#secrets-master = "/home/lass/secrets/master";
});
};
};
nix.useChroot = true;
nix.useSandbox = true;
users.mutableUsers = false;
@ -114,8 +114,13 @@ with config.krebs.lib;
#neat utils
krebspaste
pciutils
psmisc
q
rs
tmux
untilport
usbutils
#unpack stuff
p7zip
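Review bot: `stockholm = getEnv "PWD";` makes the source path depend on the directory the evaluator happens to be started from, and `getEnv` yields `""` when the variable is unset (systemd units, cron, some CI runners), so a deploy from the wrong directory or a non-interactive one gets an empty or foreign stockholm path with no error. A guard makes that explicit: `stockholm = let p = getEnv "PWD"; in assert p != ""; p;`, or, if an empty value is acceptable for some callers, a comment stating what `""` means downstream. The `dummy_secrets` switch on the `secrets =` line is sensible for CI, but its meaning is only discoverable by reading the buildbot configuration; `# dummy_secrets=true is exported by the buildbot slaves so CI never needs the real secrets directory` next to it would close that gap. The `source` attrset and the enclosing `let` begin before this hunk.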


@ -21,6 +21,7 @@ in {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.lass-uriel.pubkey
config.krebs.users.lass-shodan.pubkey
];
};


@ -28,6 +28,8 @@ with config.krebs.lib;
{ from = "wordpress@ubikmedia.de"; to = lass.mail; }
{ from = "finanzamt@lassul.us"; to = lass.mail; }
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "netzclub@lassul.us"; to = lass.mail; }
{ from = "nebenan@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }


@ -5,7 +5,8 @@ let
in {
krebs.fetchWallpaper = {
enable = true;
url = "cloudkrebs/wallpaper.png";
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/wallpaper.png";
};
}

lass/2configs/gc.nix Normal file

@ -0,0 +1,8 @@
{ config, ... }:
with config.krebs.lib;
{
nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
};
}
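Review bot: `automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];` exempts two hosts from automatic garbage collection without saying why, and the list must be edited by hand whenever another host needs the same treatment. A comment with the motivation keeps the exception maintainable, e.g. `# prism and mors keep old generations on purpose: <reason>` with the placeholder filled in. With neither `nix.gc.dates` nor `nix.gc.options` set, the NixOS defaults decide the schedule and what gets deleted, which is fine but worth stating in the same comment.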


@ -29,18 +29,10 @@ let
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
painload = {};
stockholm = {
cgit.desc = "take all the computers hostage, they'll love you!";
};
wai-middleware-time = {};
web-routes-wai-custom = {};
go = {};
newsbot-js = {};
kimsufi-check = {};
realwallpaper = {};
xmonad-stockholm = {};
the_playlist = {};
} // mapAttrs make-public-repo-silent {
the_playlist = {};
};
@ -50,8 +42,6 @@ let
brain = {
collaborators = with config.krebs.users; [ tv makefu ];
};
extraction_webinterface = {};
politics-fetching = {};
} //
import <secrets/repos.nix> { inherit config lib pkgs; }
);
@ -66,6 +56,7 @@ let
channel = "#retiolum";
server = "cd.retiolum";
verbose = config.krebs.build.host.name == "prism";
branches = [ "master" ];
};
};
};
@ -84,7 +75,7 @@ let
with git // config.krebs.users;
repo:
singleton {
user = [ lass lass-helios lass-uriel ];
user = [ lass lass-uriel ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++


@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
{
networking.wireless.enable = lib.mkDefault true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.tlp.enable = true;
services.tlp.extraConfig = ''
# BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
#START_CHARGE_THRESH_BAT0=80
STOP_CHARGE_THRESH_BAT0=95
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
boot = {
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
hardware.opengl.extraPackages = [
pkgs.vaapiIntel
pkgs.vaapiVdpau
];
services.xserver = {
videoDriver = "intel";
deviceSection = ''
Option "AccelMethod" "sna"
'';
};
security.rngd.enable = true;
}
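Review bot: `kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];` loads `acpi_call`, a module that lets root execute arbitrary ACPI methods through a /proc interface, but nothing in this file uses it; if it serves battery-threshold tooling or similar, a comment should say so, otherwise it is kernel attack surface without a consumer. `tpm-rng` together with `security.rngd.enable = true;` feeds the TPM's random source into the kernel pool, which also deserves a one-line comment since the module name does not explain the rngd option thirty lines further down. The file opens with `with config.krebs.lib;` yet writes `lib.mkDefault` on its first option, so one of the two styles should go. The `tlp.extraConfig` block already documents the disabled `START_CHARGE_THRESH_BAT0` with a BUG link, which is exactly the kind of comment the module list lacks.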


@ -10,8 +10,9 @@ let
account default: prism
'';
msmtp = pkgs.writeDashBin "msmtp" ''
exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
msmtp = pkgs.writeBashBin "msmtp" ''
${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
'';
muttrc = pkgs.writeText "muttrc" ''
@ -42,7 +43,7 @@ let
set nm_record = yes
set nm_record_tags = "-inbox me archive"
set virtual_spoolfile=yes # enable virtual folders
set sendmail="msmtp" # enables parsing of outgoing mail
set sendmail="${msmtp}/bin/msmtp" # enables parsing of outgoing mail
set use_from=yes
set envelope_from=yes
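Review bot: On the `${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@` line `$@` is unquoted, so any recipient argument containing whitespace or glob characters is split or expanded by bash before msmtp sees it; `"$@"` is the form needed to pass mutt's `sendmail` arguments through unchanged. The `tee >(notmuch insert +sent)` process substitution also runs detached from the pipeline's exit status, so a failed `notmuch insert` is silent and the wrapper may return before the insert has finished; if the sent copy matters, `set -o pipefail` does not cover it and a sequential `tee` to a temp file followed by `notmuch insert` would. The `let` block of mail.nix continues before and after this hunk.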


@ -41,7 +41,6 @@ let
cryptogon|http://www.cryptogon.com/?feed=rss2|#news
csm|http://rss.csmonitor.com/feeds/csm|#news
csm_world|http://rss.csmonitor.com/feeds/world|#news
cyberguerrilla|https://www.cyberguerrilla.org/a/2012/?feed=rss2|#news
danisch|http://www.danisch.de/blog/feed/|#news
dod|http://www.defense.gov/news/afps2.xml|#news
dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#news
@ -102,7 +101,7 @@ let
npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#news
npr_pol|http://www.npr.org/rss/rss.php?id=1012|#news
npr_world|http://www.npr.org/rss/rss.php?id=1004|#news
nsa|http://www.nsa.gov/rss.shtml|#news #bullerei
nsa|https://www.nsa.gov/rss.xml|#news #bullerei
nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#news
painload|https://github.com/krebscode/painload/commits/master.atom|#news
phys|http://phys.org/rss-feed/|#news


@ -0,0 +1,8 @@
{ ... }:
{
krebs.build.source.nixpkgs = {
url = https://github.com/lassulus/nixpkgs;
rev = "c78f9ad2f91019648bdcf5a911f86ea3a397d290";
};
}


@ -0,0 +1,41 @@
{ config, pkgs, ... }:
let
suspend = pkgs.writeDash "suspend" ''
${pkgs.systemd}/bin/systemctl suspend
'';
speak = text:
pkgs.writeDash "speak" ''
${pkgs.espeak}/bin/espeak -v +whisper -s 110 "${text}"
'';
in {
lass.power-action = {
enable = true;
plans.low-battery = {
upperLimit = 30;
lowerLimit = 25;
charging = false;
action = pkgs.writeDash "warn-low-battery" ''
${speak "power level low"}
'';
};
plans.suspend = {
upperLimit = 10;
lowerLimit = 0;
charging = false;
action = pkgs.writeDash "suspend-wrapper" ''
/var/setuid-wrappers/sudo ${suspend}
'';
};
};
users.users.power-action.extraGroups = [
"audio"
];
security.sudo.extraConfig = ''
${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend}
'';
}

lass/2configs/pulse.nix Normal file

@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
pkg = pkgs.pulseaudioLight;
runDir = "/run/pulse";
alsaConf = pkgs.writeText "asound.conf" ''
ctl_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
}
pcm_type.pulse {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
}
ctl.!default {
type pulse
}
pcm.!default {
type pulse
}
'';
clientConf = pkgs.writeText "client.conf" ''
autospawn=no
default-server = unix:${runDir}/socket
'';
daemonConf = pkgs.writeText "daemon.conf" ''
exit-idle-time=0
flat-volumes = no
default-fragments = 4
default-fragment-size-msec = 25
'';
configFile = pkgs.writeText "default.pa" ''
.include ${pkg}/etc/pulse/default.pa
load-module ${toString [
"module-native-protocol-unix"
"auth-anonymous=1"
"socket=${runDir}/socket"
]}
'';
in
{
environment = {
etc = {
"asound.conf".source = alsaConf;
# XXX mkForce is not strong enough (and neither is mkOverride) to create
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
#"pulse/client.conf" = mkForce { source = clientConf; };
#"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile;
"pulse/daemon.pa".source = daemonConf;
};
systemPackages = [
pkg
] ++ optionals config.services.xserver.enable [
pkgs.pavucontrol
];
};
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
systemd.services.pulse = {
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment = {
PULSE_RUNTIME_PATH = "${runDir}/home";
};
serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio";
ExecStartPre = pkgs.writeDash "pulse-start" ''
install -o pulse -g audio -m 0750 -d ${runDir}
install -o pulse -g audio -m 0700 -d ${runDir}/home
'';
PermissionsStartOnly = "true";
User = "pulse";
};
};
users = {
groups.pulse.gid = config.users.users.pulse.uid;
users.pulse = {
uid = genid "pulse";
group = "pulse";
extraGroups = [ "audio" ];
home = "${runDir}/home";
};
};
}
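Review bot: The `auth-anonymous=1` on `module-native-protocol-unix` in `configFile` disables PulseAudio's own cookie check, so the only thing deciding who may use the daemon is the `-m 0750` / group `audio` mode that `pulse-start` puts on `${runDir}`; that coupling is not stated anywhere and is easy to break by loosening the directory mode later. I would add a comment above the `load-module` line, `# no cookie auth: access is gated solely by the 0750/audio mode of ${runDir} set in ExecStartPre`, and the matching remark next to the `install` lines. The `pulseaudio-hack` activation script also deserves one sentence explaining why it bypasses `environment.etc`, beyond the XXX note already in `environment.etc`.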


@ -11,7 +11,7 @@ let
source-password = import <secrets/icecast-source-pw>;
add_random = pkgs.writeDashBin "add_random" ''
mpc add "$(mpc ls | shuf -n1)"
${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
'';
skip_track = pkgs.writeDashBin "skip_track" ''
@ -52,13 +52,8 @@ in {
print_current
ncmpcpp
mpc_cli
tmux
];
security.sudo.extraConfig = ''
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
'';
services.mpd = {
enable = true;
group = "radio";
@ -67,7 +62,7 @@ in {
audio_output {
type "shout"
encoding "ogg"
name "my cool stream"
name "the_playlist"
host "localhost"
port "8000"
mount "/radio.ogg"
@ -84,7 +79,7 @@ in {
# Optional Parameters
user "source"
# description "here is my long description"
# genre "jazz"
genre "good music"
} # end of audio_output
'';
@ -114,7 +109,7 @@ in {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:*";
OnCalendar = "*:0/1";
};
};
@ -123,8 +118,8 @@ in {
LIMIT=$1 #in secconds
timeLeft () {
playlistDuration=$(mpc --format '%time%' playlist | awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
currentTime=$(mpc status | awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
playlistDuration=$(${pkgs.mpc_cli}/bin/mpc --format '%time%' playlist | ${pkgs.gawk}/bin/awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
currentTime=$(${pkgs.mpc_cli}/bin/mpc status | ${pkgs.gawk}/bin/awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
expr ''${playlistDuration:-0} - ''${currentTime:-0}
}
@ -136,16 +131,10 @@ in {
description = "radio playlist autoadder";
after = [ "network.target" ];
path = with pkgs; [
gawk
mpc_cli
];
restartIfChanged = true;
serviceConfig = {
Restart = "always";
ExecStart = "${autoAdd} 100";
ExecStart = "${autoAdd} 150";
};
};
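Review bot: `add_random` now qualifies `mpc` with `${pkgs.mpc_cli}/bin/mpc` but leaves `shuf` bare, and `timeLeft` does the same with `expr`, while the same commit drops `gawk` and `mpc_cli` from the unit's `path`; the bare tools presumably only resolve because the unit's default PATH still contains coreutils, which is an implicit dependency the rest of the change went out of its way to remove. For consistency use `${pkgs.coreutils}/bin/shuf` and `${pkgs.coreutils}/bin/expr`, or keep the `path = with pkgs; [ ... ]` list and drop the store-path prefixes everywhere. The `autoAdd` and `skip_track` definitions continue outside the hunks shown.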


@ -1,32 +0,0 @@
{ config, lib, ... }:
let
hostname = config.krebs.build.host.name;
inherit (lib)
nameValuePair
;
in {
imports = [
./realwallpaper.nix
];
krebs.nginx.servers.wallpaper = {
server-names = [
hostname
];
locations = [
(nameValuePair "/wallpaper.png" ''
root /tmp/;
'')
];
};
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
};
}


@ -1,5 +1,30 @@
{ config, ... }:
{ config, lib, ... }:
{
let
hostname = config.krebs.build.host.name;
inherit (lib)
nameValuePair
;
in {
krebs.realwallpaper.enable = true;
krebs.nginx.servers.wallpaper = {
server-names = [
hostname
];
locations = [
(nameValuePair "/wallpaper.png" ''
root /tmp/;
'')
];
};
krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
};
}
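Review bot: The `/wallpaper.png` location uses `root /tmp/;`, so nginx serves straight out of a world-writable directory over the retiolum-facing port 80 opened in `krebs.iptables`; any local user able to create `/tmp/wallpaper.png` before the generator does decides what every peer downloads, and the prefix match also exposes any other `/tmp/wallpaper.png*` file. Serving from a dedicated directory owned by the realwallpaper service (and pointing that service's output there) would remove the shared-tmp dependency; at minimum switch to an exact match, `(nameValuePair "= /wallpaper.png" ''alias <REALWALLPAPER_OUTPUT_DIR>/wallpaper.png;'')`, with the real output path substituted. This is moved code from the deleted wallpaper.nix, so the issue predates this commit but now lives here.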

106
lass/2configs/repo-sync.nix Normal file

@ -0,0 +1,106 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
mirror = "git@${config.networking.hostName}:";
defineRepo = name: announce: let
repo = {
public = true;
name = mkDefault "${name}";
cgit.desc = mkDefault "mirror for ${name}";
hooks = mkIf announce (mkDefault {
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = false;
channel = "#retiolum";
server = "cd.retiolum";
branches = [ "newest" ];
};
});
};
in {
rules = with git; singleton {
user = with config.krebs.users; [
config.krebs.users."${config.networking.hostName}-repo-sync"
lass
lass-shodan
];
repo = [ repo ];
perm = push ''refs/*'' [ non-fast-forward create delete merge ];
};
repos."${name}" = repo;
};
sync-retiolum = name:
{
krebs.repo-sync.repos.${name} = {
makefu = {
origin.url = "http://cgit.gum/${name}";
mirror.url = "${mirror}${name}";
};
tv = {
origin.url = "http://cgit.cd/${name}";
mirror.url = "${mirror}${name}";
};
lassulus = {
origin.url = "http://cgit.prism/${name}";
mirror.url = "${mirror}${name}";
};
"@latest" = {
mirror.url = "${mirror}${name}";
mirror.ref = "heads/newest";
};
};
krebs.git = defineRepo name (config.networking.hostName == "prism");
};
sync-remote = name: url:
{
krebs.repo-sync.repos.${name} = {
remote = {
origin.url = url;
mirror.url = "${mirror}${name}";
};
};
krebs.git = defineRepo name (config.networking.hostName == "prism");
};
sync-remote-silent = name: url:
{
krebs.repo-sync.repos.${name} = {
remote = {
origin.url = url;
mirror.url = "${mirror}${name}";
};
};
krebs.git = defineRepo name false;
};
in {
krebs.repo-sync = {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
};
imports = [
(sync-remote "array" "https://github.com/makefu/array")
(sync-remote "email-header" "https://github.com/4z3/email-header")
(sync-remote "mycube-flask" "https://github.com/makefu/mycube-flask")
(sync-remote "reaktor-titlebot" "https://github.com/makefu/reaktor-titlebot")
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go")
(sync-retiolum "much")
(sync-retiolum "newsbot-js")
(sync-retiolum "painload")
(sync-retiolum "realwallpaper")
(sync-retiolum "stockholm")
(sync-retiolum "wai-middleware-time")
(sync-retiolum "web-routes-wai-custom")
(sync-retiolum "xmonad-stockholm")
];
}
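Review bot: `unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"` has no explanation; presumably it keeps the mirror sync off the dial-up link that umts.nix brings up, and a comment such as `# don't pull mirrors while a PPP (UMTS) link is up` would save the next reader the guess. In `defineRepo`, `user = with config.krebs.users; [ config.krebs.users."${config.networking.hostName}-repo-sync" lass lass-shodan ]` mixes the `with` scope with a fully qualified path for the first entry; either `"${config.networking.hostName}-repo-sync"` under the `with`, or qualify all three. `name = mkDefault "${name}"` can simply be `name = mkDefault name;`.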


@ -0,0 +1 @@
{}


@ -0,0 +1 @@
"blabla"


@ -0,0 +1 @@
"blabla"


@ -0,0 +1,3 @@
-----BEGIN RSA PRIVATE KEY-----
this is a private key
-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
blabla123


@ -0,0 +1 @@
key-name:blabla123


@ -0,0 +1 @@
_: {}


@ -0,0 +1,4 @@
-----BEGIN RSA PRIVATE KEY-----
this is a private key
-----END RSA PRIVATE KEY-----


@ -0,0 +1,3 @@
-----BEGIN OPENSSH PRIVATE KEY-----
private key bla
-----END OPENSSH PRIVATE KEY-----


@ -0,0 +1,3 @@
-----BEGIN RSA PRIVATE KEY-----
private key bla
-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
"krebskrebs123"

62
lass/2configs/umts.nix Normal file

@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
systemctl stop wpa_supplicant
systemctl start umts
trap "systemctl stop umts && systemctl start wpa_supplicant;trap - INT TERM EXIT;exit" INT TERM EXIT
echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
journalctl -xfu umts
'';
wvdial-defaults = ''
Modem = ${modem-device}
Init1 = AT+CFUN=1
Init2 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Baud = 460800
phone= *99#
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0
'';
out = {
environment.shellAliases = {
umts = "sudo ${umts-bin}/bin/umts";
};
security.sudo.extraConfig = ''
lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
'';
environment.wvdial.dialerDefaults = wvdial-defaults;
systemd.services.umts = {
description = "UMTS wvdial Service";
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
ExecStart = "${wvdial}/bin/wvdial -n";
};
};
};
in out
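Review bot: `umts-bin` appends `nameserver 8.8.8.8` to `/etc/resolv.conf` on every invocation and the `trap` never removes it, so each run leaves another duplicate line behind and the host keeps the hardcoded resolver after the link is gone. Save the file first, `resolv_bak=$(mktemp)` and `cp /etc/resolv.conf "$resolv_bak"`, and extend the trap with `cp "$resolv_bak" /etc/resolv.conf` so teardown is symmetric with the wpa_supplicant restart; alternatively let pppd supply the peer's DNS (`usepeerdns`) instead of writing resolv.conf from the script. The script runs as root via the NOPASSWD sudo rule, which is correctly scoped to this one store path, so the comment `# runs as root via sudo (see security.sudo.extraConfig below)` at the top of the script would make that visible.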


@ -1,158 +1,351 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
customPlugins = {
mustang2 = pkgs.vimUtils.buildVimPlugin {
name = "Mustang2";
src = pkgs.fetchFromGitHub {
owner = "croaker";
repo = "mustang-vim";
rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5";
sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67";
};
};
unimpaired = pkgs.vimUtils.buildVimPlugin {
name = "unimpaired-vim";
src = pkgs.fetchFromGitHub {
owner = "tpope";
repo = "vim-unimpaired";
rev = "11dc568dbfd7a56866a4354c737515769f08e9fe";
sha256 = "1an941j5ckas8l3vkfhchdzjwcray16229rhv3a1d4pbxifwshi8";
};
};
brogrammer = pkgs.vimUtils.buildVimPlugin {
name = "brogrammer";
src = pkgs.fetchFromGitHub {
owner = "marciomazza";
repo = "vim-brogrammer-theme";
rev = "3e412d8e8909d8d89eb5a4cbe955b5bc0833a3c3";
sha256 = "0am1qk8ls74z5ipgf9viacayq08y9i9vd7sxxiivwgsjh2ancbv6";
};
};
file-line = pkgs.vimUtils.buildVimPlugin {
name = "file-line";
src = pkgs.fetchFromGitHub {
owner = "bogado";
repo = "file-line";
rev = "f9ffa1879ad84ce4a386110446f395bc1795b72a";
sha256 = "173n47w9zd01rcyrrmm194v79xq7d1ggzr19n1lsxrqfgr2c1rvk";
};
};
};
in {
out = {
environment.systemPackages = [
(pkgs.vim_configurable.customize {
name = "vim";
vim
];
vimrcConfig.customRC = ''
set nocompatible
set t_Co=16
syntax on
" TODO autoload colorscheme file
environment.etc.vimrc.source = vimrc;
environment.variables.EDITOR = mkForce "vim";
environment.variables.VIMINIT = ":so /etc/vimrc";
};
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
pkgs.vimPlugins.Gundo
pkgs.vimPlugins.Syntastic
pkgs.vimPlugins.undotree
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
})
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "hack";
in {
name = "vim-color-${name}-1.0.2";
destination = "/colors/${name}.vim";
text = /* vim */ ''
set background=dark
colorscheme brogrammer
filetype off
filetype plugin indent on
hi clear
if exists("syntax_on")
syntax clear
endif
imap <F1> <nop>
let colors_name = ${toJSON name}
set mouse=a
set ruler
set showmatch
set backspace=2
set visualbell
set encoding=utf8
set showcmd
set wildmenu
hi Normal ctermbg=235
hi Comment ctermfg=242
hi Constant ctermfg=062
hi Identifier ctermfg=068
hi Function ctermfg=041
hi Statement ctermfg=167
hi PreProc ctermfg=167
hi Type ctermfg=041
hi Delimiter ctermfg=251
hi Special ctermfg=062
set title
set titleold=
set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername}
hi Garbage ctermbg=088
hi TabStop ctermbg=016
hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=148
hi NixData ctermfg=149
hi NixQuote ctermfg=150
hi diffNewFile ctermfg=207
hi diffFile ctermfg=207
hi diffLine ctermfg=207
hi diffSubname ctermfg=207
hi diffAdded ctermfg=010
hi diffRemoved ctermfg=009
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {
name = "vim-syntax-${name}-1.0.0";
destination = "/syntax/${name}.vim";
text = /* vim */ ''
${concatMapStringsSep "\n" (s: /* vim */ ''
syn keyword vimColor${s} ${s}
\ containedin=ALLBUT,vimComment,vimLineComment
hi vimColor${s} ctermfg=${s}
'') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "showsyntax";
in {
name = "vim-plugin-${name}-1.0.0";
destination = "/plugin/${name}.vim";
text = /* vim */ ''
if exists('g:loaded_showsyntax')
finish
endif
let g:loaded_showsyntax = 0
fu! ShowSyntax()
let id = synID(line("."), col("."), 1)
let name = synIDattr(id, "name")
let transName = synIDattr(synIDtrans(id),"name")
if name != transName
let name .= " (" . transName . ")"
endif
echo "Syntax: " . name
endfu
command! -n=0 -bar ShowSyntax :call ShowSyntax()
'';
})))
];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
mkdirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim = pkgs.writeDashBin "vim" ''
set -efu
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
exec ${pkgs.neovim}/bin/nvim "$@"
'';
vimrc = pkgs.writeText "vimrc" ''
set nocompatible
set autoindent
set ttyfast
set backspace=indent,eol,start
set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set hlsearch
set incsearch
set mouse=a
set noruler
set pastetoggle=<INS>
set runtimepath=${extra-runtimepath},$VIMRUNTIME
set shortmess+=I
set showcmd
set showmatch
set ttimeoutlen=0
set undodir=${dirs.undodir}
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu
set wildmode=longest,full
set et ts=2 sts=2 sw=2
" Force Saving Files that Require Root Permission
command! W silent w !sudo tee "%" >/dev/null
filetype plugin indent on
nnoremap <C-c> :q<Return>
set t_Co=256
colorscheme hack
syntax on
au Syntax * syn match Garbage containedin=ALL /\s\+$/
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
au BufRead,BufNewFile *.hs so ${hs.vim}
au BufRead,BufNewFile *.nix so ${nix.vim}
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
"Syntastic config
let g:syntastic_python_checkers=['flake8']
nmap <esc>q :buffer
nmap <M-q> :buffer
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
vnoremap < <gv
vnoremap > >gv
nmap <esc>q :buffer
nnoremap <esc>[5^ :tabp<cr>
nnoremap <esc>[6^ :tabn<cr>
nnoremap <esc>[5@ :tabm -1<cr>
nnoremap <esc>[6@ :tabm +1<cr>
nnoremap <f1> :tabp<cr>
nnoremap <f2> :tabn<cr>
inoremap <f1> <esc>:tabp<cr>
inoremap <f2> <esc>:tabn<cr>
"Tabwidth
set ts=2 sts=2 sw=2 et
" create Backup/tmp/undo dirs
function! InitBackupDir()
let l:parent = $HOME . '/.vim/'
let l:backup = l:parent . 'backups/'
let l:tmpdir = l:parent . 'tmp/'
let l:undodi = l:parent . 'undo/'
if !isdirectory(l:parent)
call mkdir(l:parent)
endif
if !isdirectory(l:backup)
call mkdir(l:backup)
endif
if !isdirectory(l:tmpdir)
call mkdir(l:tmpdir)
endif
if !isdirectory(l:undodi)
call mkdir(l:undodi)
endif
endfunction
call InitBackupDir()
" Backups & Files
set backup
set backupdir=~/.vim/backups
set directory=~/.vim/tmp//
set viminfo='20,<1000,s100,h,n~/.vim/tmp/info
set undodir=$HOME/.vim/undo
set undofile
" highlight whitespaces
highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/
autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/
autocmd InsertLeave * match ExtraWhitespace /\s\+$/
autocmd BufWinLeave * call clearmatches()
"ft specific stuff
autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et
autocmd BufRead *.hs set ts=4 sts=4 sw=4 et
"esc timeout
set timeoutlen=1000 ttimeoutlen=0
"foldfunctions
inoremap <F9> <C-O>za
nnoremap <F9> za
onoremap <F9> <C-C>za
vnoremap <F9> zf
" <C-{Up,Down,Right,Left>
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
" <[C]S-{Up,Down,Right,Left>
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
vnoremap u <nop>
'';
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
vimrcConfig.vam.pluginDictionaries = [
{ names = [
"brogrammer"
"file-line"
"Gundo"
]; }
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];
hs.vim = pkgs.writeText "hs.vim" ''
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
})
hi link ConId Identifier
hi link VarId Identifier
hi link hsDelimiter Delimiter
'';
nix.vim = pkgs.writeText "nix.vim" ''
setf nix
" Ref <nix/src/libexpr/lexer.l>
syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
syn match NixINT /\<[0-9]\+\>/
syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
syn region NixSTRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
syn region NixIND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
syn match NixOther /[():/;=.,?\[\]]/
syn match NixCommentMatch /\(^\|\s\)#.*/
syn region NixCommentRegion start="/\*" end="\*/"
hi link NixCode Statement
hi link NixData Constant
hi link NixComment Comment
hi link NixCommentMatch NixComment
hi link NixCommentRegion NixComment
hi link NixID NixCode
hi link NixINT NixData
hi link NixPATH NixData
hi link NixHPATH NixData
hi link NixSPATH NixData
hi link NixURI NixData
hi link NixSTRING NixData
hi link NixIND_STRING NixData
hi link NixEnter NixCode
hi link NixOther NixCode
hi link NixQuote NixData
syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
syn cluster nix_ind_strings contains=NixIND_STRING
syn cluster nix_strings contains=NixSTRING
${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
startAlts = filter isString [
''/\* ${lang} \*/''
extraStart
];
}
sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
in /* vim */ ''
syn include @nix_${lang}_syntax syntax/${lang}.vim
unlet b:current_syntax
syn match nix_${lang}_sigil
\ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
\ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
\ transparent
syn region nix_${lang}_region_STRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn region nix_${lang}_region_IND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn cluster nix_ind_strings
\ add=nix_${lang}_region_IND_STRING
syn cluster nix_strings
\ add=nix_${lang}_region_STRING
syn cluster nix_has_dollar_curly
\ add=@nix_${lang}_syntax
'') {
c = {};
cabal = {};
haskell = {};
sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
vim.extraStart =
''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
})}
" Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
syn clear shVarAssign
syn region nixINSIDE_DOLLAR_CURLY
\ matchgroup=NixEnter
\ start="[$]{"
\ end="}"
\ contains=TOP
\ containedin=@nix_has_dollar_curly
\ transparent
syn region nix_inside_curly
\ matchgroup=NixEnter
\ start="{"
\ end="}"
\ contains=TOP
\ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
\ transparent
syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /\\./he=s+1
\ containedin=@nix_strings
\ contained
syn sync fromstart
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
'';
in
out
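Review bot: The new `vimrc` binds `<C-c>` twice, `nnoremap <C-c> :q<Return>` and later `noremap <C-c> :q<cr>`, and defines `nmap <esc>q :buffer` twice; the later lines silently win, so the earlier `nnoremap <C-c>` and the second `nmap <esc>q` should be dropped. With `set backup`, `set undofile` and a persistent `viminfo` under `$HOME/.cache/vim`, every edited buffer leaves copies on disk, and the `au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile` line is the only exemption; a comment stating that intent, `" no backup/swap/undo for /dev/shm so material edited there leaves no trace on disk`, would keep the next edit from breaking it. The `umask 0077` in the `vim` wrapper only covers directory creation; whether the files vim writes into those directories inherit the original's mode is presumably up to vim's own `backupcopy` handling, which is worth a note.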


@ -11,9 +11,9 @@ let
serveWordpress;
msmtprc = pkgs.writeText "msmtprc" ''
account prism
account localhost
host localhost
account default: prism
account default: localhost
'';
sendmail = pkgs.writeDash "msmtp" ''
@ -23,23 +23,55 @@ let
in {
imports = [
./sqlBackup.nix
(ssl [ "reich-gebaeudereinigung.de" ])
(servePage [ "reich-gebaeudereinigung.de" ])
(ssl [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(ssl [ "karlaskop.de" ])
(servePage [ "karlaskop.de" ])
(ssl [ "karlaskop.de" "www.karlaskop.de" ])
(servePage [ "karlaskop.de" "www.karlaskop.de" ])
(ssl [ "makeup.apanowicz.de" ])
(servePage [ "makeup.apanowicz.de" ])
(ssl [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
(servePage [ "pixelpocket.de" ])
(ssl [ "pixelpocket.de" "www.pixelpocket.de" ])
(servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" ])
(ssl [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
(ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ])
(serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ])
(ssl [
"ubikmedia.de"
"aldona.ubikmedia.de"
"apanowicz.de"
"nirwanabluete.de"
"aldonasiech.com"
"360gradvideo.tv"
"ubikmedia.eu"
"facts.cloud"
"www.ubikmedia.de"
"www.aldona.ubikmedia.de"
"www.apanowicz.de"
"www.nirwanabluete.de"
"www.aldonasiech.com"
"www.360gradvideo.tv"
"www.ubikmedia.eu"
"www.facts.cloud"
])
(serveWordpress [
"ubikmedia.de"
"apanowicz.de"
"nirwanabluete.de"
"aldonasiech.com"
"360gradvideo.tv"
"ubikmedia.eu"
"facts.cloud"
"*.ubikmedia.de"
"www.apanowicz.de"
"www.nirwanabluete.de"
"www.aldonasiech.com"
"www.360gradvideo.tv"
"www.ubikmedia.eu"
"www.facts.cloud"
])
];
lass.mysqlBackup.config.all.databases = [
@ -47,6 +79,27 @@ in {
"o_ubikmedia_de"
];
krebs.backup.plans = {
prism-sql-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; };
startAt = "00:01";
};
prism-http-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; };
startAt = "00:10";
};
prism-o-ubikmedia-domsen = {
method = "push";
src = { host = config.krebs.hosts.prism; path = "/srv/o.ubikmedia.de-data"; };
dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; };
startAt = "00:30";
};
};
users.users.domsen = {
uid = genid "domsen";
description = "maintenance acc for domsen";
@ -56,18 +109,18 @@ in {
createHome = true;
};
#services.phpfpm.phpOptions = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = ${sendmail} -t
#'';
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
options = ''
services.phpfpm.phpOptions = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = ${sendmail} -t -i"
'';
} ''
cat ${pkgs.php}/etc/php-recommended.ini > $out
echo "$options" >> $out
sendmail_path = ${sendmail} -t
'';
#services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
# options = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = "${sendmail} -t -i"
# '';
#} ''
# cat ${pkgs.php}/etc/php-recommended.ini > $out
# echo "$options" >> $out
#'';
}
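Review bot: Every `ssl`/`servePage` pair in `imports` now repeats the domain list once bare and once with a `www.` prefix, and the two big `ssl`/`serveWordpress` lists are maintained by hand in parallel; a helper `withWww = ds: ds ++ map (d: "www.${d}") ds;` in the `let` and calls like `(ssl (withWww [ "karlaskop.de" ]))` would remove the duplication and the risk of the two lists drifting (note `www.aldona.ubikmedia.de` is in the `ssl` list but not in `serveWordpress`, which relies on `*.ubikmedia.de`). The retained commented-out `phpIni` block duplicates the live `phpOptions` and should be removed or reduced to a one-line note on why `phpOptions` was chosen. `krebs.backup.plans` destinations under `/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/...` read like a placeholder; confirm the path is the intended one.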


@ -1,10 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
let
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid
head
nameValuePair
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl
@ -12,6 +12,16 @@ let
serveWordpress
;
msmtprc = pkgs.writeText "msmtprc" ''
account localhost
host localhost
account default: localhost
'';
sendmail = pkgs.writeDash "msmtp" ''
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
in {
imports = [
./sqlBackup.nix
@ -48,7 +58,34 @@ in {
"ttf_kleinaspach_de"
];
#password protect some dirs
krebs.nginx.servers."biostase.de".locations = [
(nameValuePair "/old_biostase.de" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'')
(nameValuePair "/mysqldumper" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'')
];
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
services.phpfpm.phpOptions = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = ${sendmail} -t
'';
#services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
# options = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
# sendmail_path = "${sendmail} -t -i"
# '';
#} ''
# cat ${pkgs.php}/etc/php-recommended.ini > $out
# echo "$options" >> $out
#'';
}
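Review bot: Both `auth_basic_user_file` entries point into the served tree, `/srv/http/biostase.de/old_biostase.de/.htpasswd` and `/srv/http/biostase.de/mysqldumper/.htpasswd`, so the credential hashes sit inside the document root and are one misconfigured location away from being downloadable. Keep them outside `/srv/http` (for example alongside the other secrets this config already imports), or at least add a deny rule for dotfiles, `(nameValuePair "~ /\\.ht" "deny all;")`, if `krebs.nginx` passes the location name through verbatim. `users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.fritz.pubkey ]` hands out a direct root login, whereas the sibling domsen config uses a dedicated maintenance user; consider the same pattern here for least privilege and auditability.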


@ -5,7 +5,6 @@ let
in {
krebs.per-user.chat.packages = with pkgs; [
mosh
tmux
weechat
];


@ -1,59 +0,0 @@
{ config, pkgs, ... }:
{
containers.wordpress = {
privateNetwork = true;
hostAddress = "192.168.101.1";
localAddress = "192.168.101.2";
config = {
imports = [
../../krebs/3modules/iptables.nix
];
krebs.iptables = {
enable = true;
tables = {
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
};
};
environment.systemPackages = with pkgs; [
iptables
];
services.postgresql = {
enable = true;
package = pkgs.postgresql;
};
services.httpd = {
enable = true;
adminAddr = "root@apanowicz.de";
extraModules = [
{ name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
];
virtualHosts = [
{
hostName = "wordpress";
serverAliases = [ "wordpress" "www.wordpress" ];
extraSubservices = [
{
serviceName = "wordpress";
}
];
}
];
};
};
};
}


@ -19,9 +19,48 @@ pkgs.writeText "Xresources" ''
URxvt.intensityStyles: false
URxvt*background: #000000
URxvt*foreground: #ffffff
URxvt*background: #050505
! URxvt*background: #041204
!URxvt.depth: 32
!URxvt*background: rgba:0500/0500/0500/cccc
! URxvt*background: #080810
URxvt*foreground: #d0d7d0
! URxvt*background: black
! URxvt*foreground: white
! URxvt*background: rgb:00/00/40
! URxvt*foreground: rgb:a0/a0/d0
! XTerm*cursorColor: rgb:00/00/60
URxvt*cursorColor: #f042b0
URxvt*cursorColor2: #f0b000
URxvt*cursorBlink: off
! URxvt*cursorUnderline: true
! URxvt*highlightColor: #232323
! URxvt*highlightTextColor: #b0ffb0
URxvt*.pointerBlank: true
URxvt*.pointerBlankDelay: 987654321
URxvt*.pointerColor: #f042b0
URxvt*.pointerColor2: #050505
! URxvt*color0: #000000
! URxvt*color1: #c00000
! URxvt*color2: #80c070
URxvt*color3: #c07000
! URxvt*color4: #0000c0
URxvt*color4: #4040c0
! URxvt*color5: #c000c0
! URxvt*color6: #008080
URxvt*color7: #c0c0c0
URxvt*color8: #707070
URxvt*color9: #ff6060
URxvt*color10: #70ff70
URxvt*color11: #ffff70
URxvt*color12: #7070ff
URxvt*color13: #ff50ff
URxvt*color14: #70ffff
URxvt*color15: #ffffff
!change unreadable blue
URxvt*color4: #268bd2
''


@ -7,9 +7,6 @@
zsh-newuser-install() { :; }
'';
interactiveShellInit = ''
HISTFILE=~/.histfile
HISTSIZE=1000000
SAVEHIST=100000
#unsetopt nomatch
setopt autocd extendedglob
bindkey -e
@ -92,6 +89,11 @@
esac
'';
promptInit = ''
# TODO: figure out why we need to set this here
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
SAVEHIST=$HISTSIZE
autoload -U promptinit
promptinit
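Review bot: `HISTFILESIZE=$HISTSIZE` in `promptInit` is a bash variable; zsh uses `SAVEHIST` (set on the next line), so this assignment has no effect and can go. The commit also removes `HISTFILE=~/.histfile` from `interactiveShellInit` without re-adding it, so history persistence now depends on whatever sets `HISTFILE` elsewhere — presumably the NixOS zsh module's own defaults, which may also be why the `# TODO` was needed, as that module appears to set its history variables after the user's `interactiveShellInit`. If this NixOS version exposes the module's history options, using them would resolve the TODO instead of overriding from `promptInit`.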


@ -4,6 +4,7 @@ _:
./ejabberd
./folderPerms.nix
./mysql-backup.nix
./power-action.nix
./urxvtd.nix
./wordpress_nginx.nix
./xresources.nix


@ -0,0 +1,93 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
cfg = config.lass.power-action;
out = {
options.lass.power-action = api;
config = lib.mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "power-action";
user = mkOption {
type = types.user;
default = {
name = "power-action";
};
};
startAt = mkOption {
type = types.str;
default = "*:0/1";
};
plans = mkOption {
type = with types; attrsOf (submodule {
options = {
charging = mkOption {
type = nullOr bool;
default = null;
description = ''
check for charging status.
null = don't care
true = only if system is charging
false = only if system is discharging
'';
};
upperLimit = mkOption {
type = int;
};
lowerLimit = mkOption {
type = int;
};
action = mkOption {
type = path;
};
};
});
};
};
imp = {
systemd.services.power-action = {
serviceConfig = rec {
ExecStart = startScript;
User = cfg.user.name;
};
startAt = cfg.startAt;
};
users.users.${cfg.user.name} = {
inherit (cfg.user) name uid;
};
};
startScript = pkgs.writeDash "power-action" ''
set -euf
power="$(${powerlvl})"
state="$(${state})"
${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)}
'';
charging_check = plan:
if (plan.charging == null) then "" else
if plan.charging
then ''&& [ "$state" = "true" ]''
else ''&& ! [ "$state" = "true" ]''
;
writeRule = _: plan:
"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
powerlvl = pkgs.writeDash "powerlvl" ''
cat /sys/class/power_supply/BAT0/capacity
'';
state = pkgs.writeDash "state" ''
if [ "$(cat /sys/class/power_supply/BAT0/status)" = "Discharging" ]
then echo "false"
else echo "true"
fi
'';
in out
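Review bot: `powerlvl` and `state` hardcode `/sys/class/power_supply/BAT0`, and since `startScript` runs under `set -euf` every minute (`startAt` default `*:0/1`), a host whose battery is not `BAT0` fails the unit on each tick; an option such as `battery = mkOption { type = types.str; default = "BAT0"; }` used in both scripts would make the module portable. `upperLimit`, `lowerLimit` and `action` have no `description`, unlike `charging`; one line each (inclusive percentage bounds, and that `action` runs as `cfg.user.name`) would document the contract. `serviceConfig = rec { ... }` does not need `rec`, nothing inside refers to a sibling.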

View File

@ -3,6 +3,9 @@
{
nixpkgs.config.packageOverrides = rec {
acronym = pkgs.callPackage ./acronym/default.nix {};
ejabberd = pkgs.callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
firefoxPlugins = {
noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
@ -10,11 +13,11 @@
};
mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
q = pkgs.callPackage ./q {};
rs = pkgs.callPackage ./rs/default.nix {};
untilport = pkgs.callPackage ./untilport/default.nix {};
urban = pkgs.callPackage ./urban/default.nix {};
xmonad-lass =
let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in
pkgs.haskellPackages.callPackage src {};
xmonad-lass = import ./xmonad-lass.nix { inherit pkgs; };
yt-next = pkgs.callPackage ./yt-next/default.nix {};
};
}

185
lass/5pkgs/q/default.nix Normal file

@ -0,0 +1,185 @@
{ pkgs, ... }:
let
q-cal = let
# XXX 23 is the longest line of cal's output
pad = ''{
${pkgs.gnused}/bin/sed '
# rtrim
s/ *$//
# delete last empty line
''${/^$/d}
' \
| ${pkgs.gawk}/bin/awk '{printf "%-23s\n", $0}' \
| ${pkgs.gnused}/bin/sed '
# colorize header
1,2s/.*/&/
# colorize week number
s/^[ 1-9][0-9]/&/
'
}'';
in ''
${pkgs.coreutils}/bin/paste \
<(${pkgs.utillinux}/bin/cal -mw \
$(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \
| ${pad}
) \
<(${pkgs.utillinux}/bin/cal -mw \
| ${pkgs.gnused}/bin/sed '
# colorize day of month
s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/&/
' \
| ${pad}
) \
<(${pkgs.utillinux}/bin/cal -mw \
$(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \
| ${pad}
) \
| ${pkgs.gnused}/bin/sed 's/\t/ /g'
'';
q-isodate = ''
${pkgs.coreutils}/bin/date \
'+%Y-%m-%dT%H:%M:%S%:z'
'';
q-gitdir = ''
if test -d .git; then
#git status --porcelain
branch=$(
${pkgs.git}/bin/git branch \
| ${pkgs.gnused}/bin/sed -rn 's/^\* (.*)/\1/p'
)
echo "± $LOGNAME@''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}:$PWD .git $branch"
fi
'';
q-power_supply = ''
for uevent in /sys/class/power_supply/*/uevent; do
if test -f $uevent; then
eval "$(${pkgs.gnused}/bin/sed -n '
s/^\([A-Z_]\+=\)\(.*\)/\1'\'''\2'\'''/p
' $uevent)"
if test "x''${POWER_SUPPLY_CHARGE_NOW-}" = x; then
continue
fi
charge_percentage=$(echo "
scale=2
$POWER_SUPPLY_CHARGE_NOW / $POWER_SUPPLY_CHARGE_FULL
" | ${pkgs.bc}/bin/bc)
lfc=$POWER_SUPPLY_CHARGE_FULL
rc=$POWER_SUPPLY_CHARGE_NOW
#rc=2800
N=78; N=76
N=10
n=$(echo $N-1 | ${pkgs.bc}/bin/bc)
centi=$(echo "$rc*100/$lfc" | ${pkgs.bc}/bin/bc)
deci=$(echo "$rc*$N/$lfc" | ${pkgs.bc}/bin/bc)
energy_evel=$(
echo -n ' ' # TRIGRAM FOR THUNDER
if test $centi -ge 42; then echo -n ''
elif test $centi -ge 23; then echo -n ''
elif test $centi -ge 11; then echo -n ''
else echo -n ''; fi
for i in $(${pkgs.coreutils}/bin/seq 1 $deci); do
echo -n
done
echo -n ''
for i in $(${pkgs.coreutils}/bin/seq $deci $n); do
echo -n
done
echo '' $rc #/ $lfc
)
echo "$energy_evel $charge_percentage"
fi
done
'';
q-virtualization = ''
echo "VT: $(${pkgs.systemd}/bin/systemd-detect-virt)"
'';
q-wireless = ''
for dev in $(
${pkgs.iw}/bin/iw dev \
| ${pkgs.gnused}/bin/sed -n 's/^\s*Interface\s\+\([0-9a-z]\+\)$/\1/p'
); do
inet=$(${pkgs.iproute}/bin/ip addr show $dev \
| ${pkgs.gnused}/bin/sed -n '
s/.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p
') \
|| unset inet
ssid=$(${pkgs.iw}/bin/iw dev $dev link \
| ${pkgs.gnused}/bin/sed -n '
s/.*\tSSID: \(.*\)/\1/p
') \
|| unset ssid
echo "$dev''${inet+ $inet}''${ssid+ $ssid}"
done
'';
q-online = ''
if ${pkgs.curl.bin}/bin/curl -s google.com >/dev/null; then
echo 'online'
else
echo offline
fi
'';
q-thermal_zone = ''
for i in /sys/class/thermal/thermal_zone*; do
type=$(${pkgs.coreutils}/bin/cat $i/type)
temp=$(${pkgs.coreutils}/bin/cat $i/temp)
printf '%s %s°C\n' $type $(echo $temp / 1000 | ${pkgs.bc}/bin/bc)
done
'';
q-todo = ''
TODO_file=$HOME/TODO
if test -e "$TODO_file"; then
${pkgs.coreutils}/bin/cat "$TODO_file" \
| ${pkgs.gawk}/bin/gawk -v now=$(${pkgs.coreutils}/bin/date +%s) '
BEGIN { print "remind=0" }
/^[0-9]/{
x = $1
gsub(".", "\\\\&", x)
rest = substr($0, index($0, " "))
rest = $0
sub(" *", "", rest)
gsub(".", "\\\\&", rest)
print "test $(${pkgs.coreutils}/bin/date +%s -d"x") -lt "now" && \
echo \"\x1b[38;5;208m\""rest esc "\"\x1b[m\" && \
(( remind++ ))"
}
END { print "test $remind = 0 && echo \"nothing to remind\"" }
' \
| {
# bash needed for (( ... ))
${pkgs.bash}/bin/bash
}
else
echo "$TODO_file: no such file or directory"
fi
'';
in
# bash needed for <(...)
pkgs.writeBashBin "q" ''
set -eu
export PATH=/var/empty
${q-cal}
echo
${q-isodate}
(${q-gitdir}) &
(${q-power_supply}) &
(${q-virtualization}) &
(${q-wireless}) &
(${q-online}) &
(${q-thermal_zone}) &
wait
${q-todo}
''
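Review bot: `curl -s google.com` in q-online (L2724) has no `--max-time`, so on a network that black-holes packets the backgrounded subshell lives until the TCP connect timeout and `wait` at L2778 stalls the whole prompt helper with it; `${pkgs.curl.bin}/bin/curl -s -m 5 google.com >/dev/null` bounds that. In q-todo, `rest = substr($0, index($0, " "))` at L2746 is overwritten by `rest = $0` on the next line, and `esc` at L2751 is never assigned so it expands to nothing — both look like leftovers worth deleting or explaining. q-todo also feeds generated shell into bash at L2758, and the per-character backslash escaping at L2745/L2749 is the only thing keeping a TODO line from being parsed as a command; a comment saying so (`# every char of the TODO line is backslash-escaped before it is interpolated into shell`) would stop the next editor from "simplifying" it away.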


@ -0,0 +1,6 @@
{ pkgs, ... }:
#TODO: get tab-completion working again
pkgs.writeBashBin "rs" ''
rsync -vaP --append-verify "$@"
''
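Review bot: `rsync` at L2788 is resolved from the caller's PATH rather than from a store path, unlike every tool in the sibling q package added by this commit (`${pkgs.coreutils}/bin/...`), so the wrapper picks up whichever rsync is first in PATH or fails outright in a minimal environment. `${pkgs.rsync}/bin/rsync -vaP --append-verify "$@"` makes the dependency explicit. `--append-verify` also deserves a one-line comment, since it resumes partially transferred files by appending to them instead of re-sending, which is a choice callers should know about.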


@ -1,3 +1,15 @@
{ pkgs, ... }:
pkgs.writeHaskell "xmonad-lass" {
executables.xmonad = {
extra-depends = [
"containers"
"unix"
"X11"
"xmonad"
"xmonad-contrib"
"xmonad-stockholm"
];
text = ''
{-# LANGUAGE DeriveDataTypeable #-} -- for XS
{-# LANGUAGE FlexibleContexts #-} -- for xmonad'
{-# LANGUAGE LambdaCase #-}
@ -147,3 +159,8 @@ gridConfig = def
, gs_navigate = navNSearch
, gs_font = myFont
}
'';
};
}
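Review bot: The deleted xmonad.cabal carried `GHC-Options: -Wall -O3 -threaded -rtsopts` (L2848) and listed `base`, but the new writeHaskell call at L2795-2804 passes neither ghc options nor `base`; whether writeHaskell supplies those implicitly is not visible here, so if `-Wall`/`-threaded` matter they need to be restated through whatever attribute the helper offers (to be confirmed). A short comment on `extra-depends` saying that `base` is implied would spare the next reader the same question. The Haskell source inside `text` (L2805-2813) continues outside this hunk.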


@ -1 +0,0 @@
/shell.nix


@ -1,6 +0,0 @@
.PHONY: ghci
ghci: shell.nix
nix-shell --command 'exec ghci -Wall'
shell.nix: xmonad.cabal
cabal2nix --shell . > $@


@ -1,17 +0,0 @@
Author: lass
Build-Type: Simple
Cabal-Version: >= 1.2
License: MIT
Name: xmonad-lass
Version: 0
Executable xmonad
Build-Depends:
base,
containers,
unix,
xmonad,
xmonad-contrib,
xmonad-stockholm
GHC-Options: -Wall -O3 -threaded -rtsopts
Main-Is: Main.hs


@ -17,19 +17,31 @@ in {
../2configs/exim-retiolum.nix
../2configs/virtualization.nix
];
networking.firewall.allowedUDPPorts = [ 80 655 67 ];
networking.firewall.allowedTCPPorts = [ 80 655 ];
networking.firewall.checkReversePath = false;
services.tinc.networks.siem = {
name = "sdarth";
extraConfig = "ConnectTo = sjump";
};
#networking.firewall.enable = false;
# virtualisation.nova.enableSingleNode = true;
krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
networking.wireless.enable = true;
networking = {
wireless.enable = true;
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedUDPPorts = [ 80 655 1655 67 ];
allowedTCPPorts = [ 80 655 1655 ];
};
# fallback connection to the internal virtual network
interfaces.virbr3.ip4 = [{
address = "10.8.8.2";
prefixLength = 24;
}];
};
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
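Review bot: The firewall block at L2873-2878 opens UDP 67 (a DHCP server port) plus UDP/TCP 80 and 1655 on every non-trusted interface with no per-port explanation, whereas the sibling omo.nix keeps a `# tcp:80 - nginx ...` list at L2942-2949 that makes its exposure reviewable. `logRefusedConnections = false` at L2875 additionally drops the rejected-packet log line, which is the main on-host trace of a scan, so it should be a commented, deliberate choice. Suggested comments: `# udp:67 - dhcp for the virbr3 guests (10.8.8.0/24)?` (hedged — the guest network is only implied by L2879-2883) and `# tcp/udp:655 - retiolum, 1655 - tinc siem`. `checkReversePath = false` at L2859 cannot be placed on the old or new side from this rendering; if it survives it deserves the same treatment, since it disables the reverse-path filter.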


@ -5,9 +5,10 @@
{ config, pkgs, lib, ... }:
let
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
primaryInterface = "enp1s0";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
@ -15,14 +16,14 @@ let
# omo Chassis:
# __FRONT_
# |* d2 |
# |* d0 |
# | |
# |* d3 |
# | |
# |* d0 |
# |* d3 |
# | |
# |* d1 |
# |* |
# |* d2 |
# | * r0 |
# |_______|
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
@ -38,27 +39,31 @@ in {
[
../.
# TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix
../2configs/fs/sda-crypto-root.nix
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/graphite-standalone.nix
#../2configs/graphite-standalone.nix
#../2configs/share-user-sftp.nix
../2configs/omo-share.nix
## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
];
krebs.retiolum.enable = true;
networking.firewall.trustedInterfaces = [ "enp3s0" ];
networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files
# tcp:655 udp:655 - tinc
# tcp:8111 - graphite
# tcp:8112 - pyload
# tcp:9090 - sabnzbd
# tcp:9200 - elasticsearch
# tcp:5601 - kibana
networking.firewall.allowedUDPPorts = [ 655 ];
networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ];
networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
# services.openssh.allowSFTP = false;
@ -66,6 +71,9 @@ in {
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
virtualisation.docker.enable = true;
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
@ -76,15 +84,11 @@ in {
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in {
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2";
@ -101,15 +105,16 @@ in {
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
allowDiscards = true;
};
in [
(usbkey "home" homePartition)
(usbkey "luksroot" rootPartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
];
};
loader.grub.device = rootDisk;
loader.grub.device = lib.mkForce rootDisk;
initrd.availableKernelModules = [
"ahci"
@ -121,12 +126,12 @@ in {
"usbhid"
];
kernelModules = [ "kvm-amd" ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
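Review bot: `allowDiscards = true` at L2980 is now applied by the shared `usbkey` helper to every LUKS volume, including crypt0–crypt2 on the ST2000DM001 spinning disks (L2920), where TRIM gains nothing while passing discards through the cipher layer reveals which ciphertext blocks are unused — the known LUKS trade-off that is only worth taking on the SSD. Keep it on the root SSD alone: `(usbkey "luksroot" rootPartition // { allowDiscards = true; })` and drop the line from the helper. Separately, L2937 runs `writl/pyload` by tag without a digest and L2952 opens 8112 for its web UI; since `trustedInterfaces` already admits the whole primary interface (L2941), the port-list comment at L2946 should say whether 8112 is meant to be reachable beyond the LAN at all.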


@ -31,6 +31,7 @@
# hardware specifics are in here
../2configs/hw/tp-x220.nix
../2configs/hw/rtl8812au.nix
# mount points
../2configs/fs/sda-crypto-root-home.nix
# ../2configs/mediawiki.nix
@ -43,6 +44,14 @@
# ../2configs/temp/sabnzbd.nix
];
services.tinc.networks.siem = {
name = "makefu";
extraConfig = ''
ConnectTo = sdarth
ConnectTo = sjump
'';
};
krebs.nginx = {
default404 = false;
servers.default.listen = [ "80 default_server" ];
@ -59,7 +68,6 @@
networking.firewall.allowedUDPPorts = [ 665 ];
krebs.build.host = config.krebs.hosts.pornocauster;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
krebs.retiolum = {
enable = true;
@ -68,4 +76,6 @@
networking.extraHosts = ''
192.168.1.11 omo.local
'';
# hard dependency because otherwise the device will not be unlocked
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
}
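Review bot: `boot.initrd.luks.devices` at L3039 re-declares `luksroot` on /dev/sda2 with the justification "otherwise the device will not be unlocked", while the imported `../2configs/fs/sda-crypto-root-home.nix` (L3013) is not in this diff and its sibling sda-crypto-root.nix still carries the same entry at L3198; if the home variant declares it too, the list option merges both and the initrd sees the device twice. Whichever side owns the declaration should be the only one, and the comment at L3038 should name the actual cause (a merge-order problem, or the module genuinely lacking the entry) rather than the symptom. The `rtl8812au` import at L3011 pulls an out-of-tree kernel module; a word on which adapter needs it helps when it stops building on a kernel bump.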


@ -0,0 +1,54 @@
{ config, pkgs, ... }:
let
tinc-siem-ip = "10.8.10.1";
ip = "64.137.234.215";
alt-ip = "64.137.234.210";
extra-ip = "64.137.234.114"; #currently unused
gw = "64.137.234.1";
in {
imports = [
../.
../2configs/save-diskspace.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
];
services.tinc.networks.siem.name = "sjump";
krebs = {
enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
nginx.enable = true;
tinc_graphs = {
enable = true;
network = "siem";
hostsPath = "/etc/tinc/siem/hosts";
nginx = {
enable = true;
# TODO: remove hard-coded hostname
complete = {
listen = [ "${tinc-siem-ip}:80" ];
server-names = [ "graphs.siem" ];
};
};
};
};
networking = {
interfaces.enp2s1.ip4 = [
{ address = ip; prefixLength = 24; }
{ address = alt-ip; prefixLength = 24; }
];
defaultGateway = gw;
nameservers = [ "8.8.8.8" ];
firewall = {
trustedInterfaces = [ "tinc.siem" ];
allowedUDPPorts = [ 655 1655 ];
allowedTCPPorts = [ 655 1655 ];
};
};
}
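Review bot: `trustedInterfaces = [ "tinc.siem" ]` at L3087 lets every peer of the siem mesh reach every local port on this host, while the only service intended for them is the graphs vhost bound to `${tinc-siem-ip}:80` (L3073); since sdarth and pornocauster both `ConnectTo = sjump` (L2862, L3021-3022) this box is the hub, so one compromised peer gets unrestricted access to it. Allowing only port 80 on that interface is tighter — `networking.firewall.interfaces."tinc.siem".allowedTCPPorts = [ 80 ];` if the pinned nixpkgs revision (63b9785, L3136) already has per-interface firewall options, otherwise an `extraCommands` iptables rule. The `# TODO: remove hard-coded hostname` at L3071 should also say which resolver is expected to know `graphs.siem` (presumably the hosts provider added at L3130).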


@ -9,9 +9,9 @@ in {
imports = [
../.
# TODO: copy this config or move to krebs
../../tv/2configs/hw/CAC.nix
../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/headless.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/save-diskspace.nix
../2configs/bepasty-dual.nix
@ -27,8 +27,7 @@ in {
../2configs/collectd/collectd-base.nix
];
krebs.retiolum.enable = true;
services.nixosManual.enable = false;
programs.man.enable = false;
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor = {
@ -83,9 +82,5 @@ in {
nameservers = [ "8.8.8.8" ];
};
# small machine - do not forget to gc every day
nix.gc.automatic = true;
nix.gc.dates = "03:10";
environment.systemPackages = [ ];
}


@ -16,6 +16,8 @@ with config.krebs.lib;
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
dns.providers.siem = "hosts";
search-domain = "retiolum";
build = {
user = config.krebs.users.makefu;
@ -24,7 +26,9 @@ with config.krebs.lib;
url = https://github.com/nixos/nixpkgs;
rev = "63b9785"; # stable @ 2016-06-01
};
secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
secrets = if getEnv "dummy_secrets" == "true"
then toString <stockholm/makefu/6tests/data/secrets>
else "/home/makefu/secrets/${config.krebs.build.host.name}";
stockholm = "/home/makefu/stockholm";
# Defaults for all stockholm users?
@ -154,6 +158,15 @@ with config.krebs.lib;
"net.ipv6.conf.default.use_tempaddr" = 2;
};
system.activationScripts.nix-defexpr = ''
(set -euf
for i in /home/makefu /root/;do
f="$i/.nix-defexpr"
rm -fr "$f"
ln -s /var/src/nixpkgs "$f"
done)
'';
i18n = {
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
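Review bot: The `getEnv "dummy_secrets" == "true"` switch at L3139-3141 selects the test secrets directory purely from the evaluator's environment and nothing makes that visible in the build, so a deployment run from a shell where that variable is still exported would ship the placeholder files (the `"derp"` fixtures later in this commit) as real secrets. Wrapping the dummy branch, `then builtins.trace "WARNING: building with dummy secrets" (toString <stockholm/makefu/6tests/data/secrets>)`, makes every such evaluation announce itself. The activation script at L3147-3154 runs `rm -fr` on `$i/.nix-defexpr` for /root and /home/makefu on every switch; that is harmless for a symlink but silently discards a per-user channels directory if one exists, which deserves a comment.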


@ -0,0 +1,20 @@
_:
{
boot.loader.grub = {
device = "/dev/sda";
};
fileSystems = {
"/" = {
device = "/dev/centos/root";
fsType = "xfs";
};
"/boot" = {
device = "/dev/sda1";
fsType = "xfs";
};
};
swapDevices = [
{ device = "/dev/centos/swap"; }
];
}
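Review bot: This file appears to be the copy of tv/2configs/fs/CAC-CentOS-7-64bit.nix that wry.nix now imports from its own tree (L3100-3104, answering the old `# TODO: copy this config or move to krebs` at L3099), but nothing in it records that origin, so the two copies will drift silently. A header comment such as `# copied from tv/2configs/fs/CAC-CentOS-7-64bit.nix (2016-06); keep in sync or move to krebs/` keeps that traceable. The layout itself (grub on /dev/sda, xfs root on /dev/centos/root, plain swap) is what the old import provided, as far as this diff shows.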


@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }:
# sda: bootloader grub2
# sda1: boot ext4 (label nixboot)
# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required:
# boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
# sda2: cryptoluks -> ext4
with config.krebs.lib;
{
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
loader.grub.device = lib.mkDefault "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
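Review bot: The new comment at L3188-3189 attaches "must be unlocked on boot if required" to the sda1 boot partition, but the device it quotes is `/dev/sda2`, the cryptoluks partition described on the next line, and the module still declares that same `initrd.luks.devices` entry itself at L3198 (whether that line is old or new is not recoverable from this rendering). If hosts are expected to re-declare the device, as pornocauster.nix does at L3039, say so on the sda2 line and state what happens when both declare it: `# sda2: cryptoluks -> ext4; hosts that do not get the unlock from here must add boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; } ]`. `loader.grub.device = lib.mkDefault "/dev/sda"` at L3197 is the right counterpart to omo's `mkForce` at L2991.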


@ -0,0 +1,13 @@
_:
{
boot.initrd.availableKernelModules = [
"ata_piix"
"vmw_pvscsi"
];
boot.loader.grub.splashImage = null;
nix = {
daemonIONiceLevel = 1;
daemonNiceLevel = 1;
};
sound.enable = false;
}


@ -0,0 +1,6 @@
_: {
# add fingerprint with fprintd-enroll
services.fprintd.enable = true;
security.pam.services.login.fprintAuth = true;
security.pam.services.xscreensaver.fprintAuth = true;
}
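Review bot: `fprintAuth = true` for the login and xscreensaver PAM services (L3226-3227) registers the fingerprint as an alternative to the password, not as a second factor — presumably the NixOS pam module emits it as a sufficient entry, so a matched print alone unlocks the screen (confirm against the pinned nixpkgs). That is a deliberate convenience/security trade-off and should say so next to the enrollment hint at L3224, e.g. `# a fingerprint alone is enough for login/unlock; the password keeps working as fallback`. The hint could also mention that `fprintd-enroll` enrolls for the invoking user unless a username is passed.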


@ -5,7 +5,7 @@ with config.krebs.lib;
imports = [ ./tp-x2x0.nix ];
boot = {
kernelModules = [ "kvm-intel" "acpi_call" ];
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
@ -28,7 +28,7 @@ with config.krebs.lib;
# enable HDMI output switching with pulseaudio
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
'';
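Review bot: Adding `tpm-rng` to kernelModules at L3236 registers the TPM's RNG as a hwrng source, but on its own that mainly exposes it as /dev/hwrng; how much of it is credited to the kernel entropy pool depends on the hwrng core's quality setting for that driver and on whether an rngd is running, neither of which is visible here, so if the goal is more entropy at boot the rngd service option should be checked as well. A one-line comment stating the intent (`# expose the TPM RNG as hwrng — verify it is actually credited to the pool (rngd?)`) tells the next reader what to verify. The `.package.out` change at L3243 is a multi-output fix and needs nothing further.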


@ -22,7 +22,8 @@ with config.krebs.lib;
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
# BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
#START_CHARGE_THRESH_BAT0=80
STOP_CHARGE_THRESH_BAT0=95
CPU_SCALING_GOVERNOR_ON_AC=performance


@ -0,0 +1,9 @@
_:
# TODO: do not check out nixpkgs master but fetch revision from github
{
services.nixosManual.enable = false;
programs.man.enable = false;
services.journald.extraConfig = "SystemMaxUse=50M";
nix.gc.automatic = true;
nix.gc.dates = "03:10";
}
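Review bot: `SystemMaxUse=50M` at L3266 caps the persistent journal on every host importing this file, including the internet-facing ones (wry at L3105, shoney at L3055), so the window for reconstructing an incident from sshd and firewall logs shrinks to whatever fits in 50 MB, and nothing in this diff forwards logs elsewhere. That is a defensible choice for a small CAC box but should be written down where the limit is set: `# 50M journal keeps the disk small; anything older is gone, forward logs if retention matters`. The other three settings are self-explanatory.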


@ -3,6 +3,14 @@
with config.krebs.lib;
let
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
@ -62,7 +70,7 @@ let
Type = "simple";
Restart = "always";
RestartSec = "10s";
ExecStart = "${pkgs.wvdial}/bin/wvdial -n";
ExecStart = "${wvdial}/bin/wvdial -n";
};
};
};
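Review bot: `wvdial` at L3281 is taken from an imported NixOS 15.09 snapshot pinned by sha256 (L3276-3280), which is a sound way to pin, but it also freezes that snapshot's dependency closure for the dialer process that talks to the modem, and nothing will update it until the pin is removed. The issue URL alone does not say what the pin waits for; `# wvdial from current nixpkgs is broken (NixOS/nixpkgs#16113); switch back to pkgs.wvdial once that is fixed` makes the exit condition explicit. The umts-bin script and the service definition around L3285-3292 start and end outside this hunk.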


@ -0,0 +1,19 @@
{ pkgs, ... }:
pkgs.python3Packages.buildPythonPackage rec {
name = "bintray-upload-${version}";
version = "0.1.2";
src = pkgs.fetchFromGitHub {
owner = "makefu";
repo = "bintray-upload";
rev = "4e76724";
sha256 = "1401saisk98n5wgw73nwh8hb484vayw5c6dlypxc1fp4ybym4zi9";
};
propagatedBuildInputs = with pkgs.python3Packages; [ requests2 ];
meta = {
description = "Simple BinTray utility for uploading packages";
license = pkgs.stdenv.lib.licenses.asl20;
};
}
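Review bot: `rev = "4e76724"` at L3305 is an abbreviated commit id; the fetch is content-pinned by the sha256 below it, so the artifact cannot change silently, but a 7-character prefix can become ambiguous as the repository grows and the fetch then fails outright. Using the full 40-character commit id costs nothing and keeps the source reference unambiguous. The rest of the expression (buildPythonPackage, `requests2`, asl20) is straightforward.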


@ -13,7 +13,8 @@ in
nodemcu-uploader = callPackage ./nodemcu-uploader {};
tw-upload-plugin = callPackage ./tw-upload-plugin {};
inherit (callPackage ./devpi {}) devpi-web devpi-server;
skytraq-logger = callPackage ./skytraq-logger/ {};
skytraq-logger = callPackage ./skytraq-logger {};
taskserver = callPackage ./taskserver {};
bintray-upload = callPackage ./bintray-upload {};
};
}


@ -0,0 +1 @@
"derp"


@ -0,0 +1 @@
{}


@ -0,0 +1 @@
"derp"




@ -22,7 +22,7 @@ in
# local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
krebs.retiolum.extraConfig = "TCPOnly = yes";
services.grafana = {
enable = true;
addr = "0.0.0.0";
@ -37,7 +37,7 @@ in
networking = {
firewall.enable = false;
interfaces.eth0.ip4 = [{
interfaces.enp0s3.ip4 = [{
address = shack-ip;
prefixLength = 20;
}];


@ -26,7 +26,7 @@
stockholm_repo,
workdir='stockholm-poller', branches=True,
project='stockholm',
pollinterval=120))
pollinterval=60))
'';
scheduler = {
force-scheduler = ''
@ -43,7 +43,7 @@
sched.append(schedulers.SingleBranchScheduler(
## all branches
change_filter=util.ChangeFilter(branch_re=".*"),
# treeStableTimer=10,
treeStableTimer=10,
name="fast-all-branches",
builderNames=["fast-tests"]))
'';