Merge branch 'master' of prism.r:stockholm
commit
e45b3492b3
@ -49,6 +49,7 @@ let
|
||||
./rtorrent.nix
|
||||
./secret.nix
|
||||
./setuid.nix
|
||||
./shadow.nix
|
||||
./syncthing.nix
|
||||
./tinc.nix
|
||||
./tinc_graphs.nix
|
||||
@ -102,6 +103,7 @@ let
|
||||
{ krebs = import ./krebs { inherit config; }; }
|
||||
{ krebs = import ./lass { inherit config; }; }
|
||||
{ krebs = import ./makefu { inherit config; }; }
|
||||
{ krebs = import ./mb { inherit config; }; }
|
||||
{ krebs = import ./external/palo.nix { inherit config; }; }
|
||||
{ krebs = import ./tv { inherit config; }; }
|
||||
{
|
||||
|
73
krebs/3modules/mb/default.nix
Normal file
73
krebs/3modules/mb/default.nix
Normal file
@ -0,0 +1,73 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, ... }: let
|
||||
|
||||
hostDefaults = hostName: host: flip recursiveUpdate host {
|
||||
ci = true;
|
||||
monitoring = true;
|
||||
owner = config.krebs.users.mb;
|
||||
};
|
||||
|
||||
in {
|
||||
hosts = mapAttrs hostDefaults {
|
||||
orange = {
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.42.23";
|
||||
aliases = [
|
||||
"orange.r"
|
||||
"or4ng3.r"
|
||||
"0r4n93.r"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7P0CkmC5HWnTdgGFzmA
|
||||
zQuJzHSkSjcGgSkIt0pvqU6xi8P/d4eJlmeXeGTpH62JfM1xhEMpxMVd/4NOON2u
|
||||
IlWnfu5bB763145IJwE0HmZziWjQXWRPAZMqYdQ5f2Pvmxv1yr3uBNzr8UlV6BjD
|
||||
FXn8sCvikXttYzts9szlz5+pkY09qfiz48+DMzRBNO6JzXYQ9kPyS+TIXlGpN4Jp
|
||||
C1TRF38eF2DTEZ58Yx8Z99dGrXVuqlSe77fehTQGxCckTpaZ0HS3XfZNa/cas8JY
|
||||
/0RzH2n2AndnPirISDZ7r4ZIFuKAaivqaEkM8v7llI77URVB9ZJb/IqCrBzueAbt
|
||||
V/5ts2HpfBAUhw0RoiH8ql+IQZsuSOpRUC2gUN8460V4SQkVtDcsVTENiD+NM5Mg
|
||||
ImBv041CsW/rSJOilT2r/rWDN8RFnz/RrAQn+L31KXr81kg1TOLxO0ybs/eMJM3r
|
||||
RnHFZPiiKdqPlA60g0AnzKXPR2JTszHIgHHoRUW16I1WJeuAJNjg0JDQ0JM7pZ27
|
||||
JEaCc7uR12TPiuExKaNEaxKZVY1J0hzxOzF2MFIbAMVz/3K2ycvvuLxKojqIAXxA
|
||||
D+UtcOfJ62k2WnLXOEIZqFU0J2bvhxYUZOFS55wIn1UJF7hemD/LUFHBiWnuhwHk
|
||||
TAEl8M851t+Zp3hZeJzgx2kCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
p1nk = {
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.42.42";
|
||||
aliases = [
|
||||
"p1nk.r"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5YVML71oW3iJrzZKuX48
|
||||
AKrGitO5zNvsAHOI8BVsGfZTyxAAZgG4OaDX45kr27K39NcBU43LdDD0I1yjNvGe
|
||||
zAoL5MIiCPD/QR1kAvLmgpMUSqOVvrk+uoGLVt6dOGvxlOiG1AAaN0gA8Q0B/jZV
|
||||
4tZlBpZ7MX9xeK10wqVT56msN69P3EzKQn1uoVRrBxEnNvI1iqmmkgMLcrFVJFBQ
|
||||
888Uuw9Hx5MO7ES/ATe8mt0zReUGvn91jYVVsPpmAopWnjCol271gflY0RomFXKy
|
||||
XaIuvbeF+3otF0+MNqJfm4IsAKJjvl92pjVX0f0eBCSPCYR7D1EtgQrqflLkZKZ8
|
||||
jBGDlgpsFWt/Omz1BYcuGZU/djM4+SNxr4YRYMi3lMix3s2PmHvm304I7eEEBlC9
|
||||
qy1jq/sLaf8mHJrF6Htl7W5WS/Famkwv/VreI92iHrhsmIDiX7OIbXzYDCxT/PQa
|
||||
6uCm/3jIbcHG/ZHZ12H6thkafK0Aoe009+p1n+5Y7V2oNvYe3KzZTnCN5t6z1QHZ
|
||||
V5iypsd6lNDzlodjleTgGK8FmHGRPRdq1wb3eOLE8mWZj7ygDT50FwaC8FzAcHgC
|
||||
bLN/zlHvCbYmk9IJhktO3B6wtMrZl60+XCpb5rTulM94RirifFYsnTIDJApI11yb
|
||||
3AYi5dQXHjab/lvj6917xa0CAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
users = {
|
||||
mb = {
|
||||
mail = "mb0@codemonkey.cc";
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCHAdKGHP/De/GLEsPo5RBfbaiiitMw4Y/akOekJbImswT6Np2lzqno/WBJcfVs3D39wgPKNld4P/QZc5IwxC26q/PnBFu93KES0GqnlAqUNE63IOJ8UzNdyEqWggnRiLrBU+ZgyFZvmqp6NoSO4YEGEK4RZRMJM/GcAuQMj/nGjx2AHwPGZCkIRgz8/ctBOzX1/knZd3cOnNowH1wlqUKX6UcEzJdAVDQijHF1wl0Ri8tJKq9u8s/fw+1PSOpOHaeF1BALsXSKgeJDqUCTnZW5mAVUWJ86LvvyfCP4In9lhhLisbDm2cD96QaVvJyV6HfmegdSxZ1Phh+9Qz+3WhDJRedBTSKWfK/9j7VWSb+z/KV37q72W25ZfFMSay58LmCqn3v5fGt9qj4nlPw0By4baGLiGlA7xyvkJfdt8ZVPps5d2g6UprTbSA79lYN4qtWKq2Z9t317xch7Lix6EunQcoTkJ6QXEbDrAIk3zvkWr/CtpwEhNcSdWvQsua42dkD2oOI2F2IgFyYgOx9Iba2yj8A0TD2iqfYVhsJIYuk12QfeaR7ovQ6DhHlUxyQzeF6h0Y+I4AN6Sq/Mmj/cxfQoIaAEybUQMX+7KjFceIszT3JbGlz7DCxi7DMmNYuc7LELMRG3jNAOk+fW8u42Bhgc44tzvAondojerUGqCbUDw== mb0@codemonkey.cc";
|
||||
};
|
||||
};
|
||||
}
|
@ -88,7 +88,7 @@ with import <stockholm/lib>;
|
||||
fi
|
||||
done < "$paths"
|
||||
'';
|
||||
PrivateTemp = true;
|
||||
PrivateTmp = true;
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
UMask = plan.umask;
|
||||
|
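--- a/krebs/3modules/shadow.nix
+++ b/krebs/3modules/shadow.nix
@@ -0,0 +1,79 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+cfg = config.krebs.shadow;
+
+mergeShadowsJq = pkgs.writeJq "merge-shadows.jq" ''
+def fields_3_to_9: ["1", "", "", "", "", "", ""];
+
+def read_value:
+split(":") |
+if length == 9 then
+if .[2:] == fields_3_to_9 then
+.
+else
+error("unrecognized field contents")
+end
+elif length == 2 then
+if .[1] | test("^\\$6\\$") then
+. + fields_3_to_9
+else
+error("unrecognized hashed password")
+end
+else
+error("unexpected field count: expected 9 or 2, got \(length)")
+end;
+
+def write_value:
+join(":");
+
+split("\n") |
+map(select(length > 0) | read_value) |
+
+reverse |
+unique_by(.[0]) |
+map(write_value) |
+sort |
+
+join("\n")
+'';
+
+in {
+
+options.krebs.shadow = {
+enable = mkEnableOption "krebs.shadow" // {
+default = cfg.overridesFile != null;
+};
+overridesFile = mkOption {
+apply = x: if typeOf x == "path" then toString x else x;
+default = null;
+description = ''
+Path to a file containing additional shadow entries, used for adding
+encrypted passwords which should not be placed into the Nix store.
+
+The overrides file may contain either regular shadow(5) entries like:
+
+<code><login-name>:<hashed-password>:1::::::</code>
+
+Or shortened entries only containing login name and password like:
+
+<code><login-name>:<hashed-password></code>
+'';
+type = types.nullOr (types.either types.path types.absolute-pathname);
+};
+};
+
+config = let
+in mkIf cfg.enable {
+system.activationScripts.users-tv = stringAfter [ "users" ] /* sh */ ''
+(
+set -efu
+umask 77
+${pkgs.jq}/bin/jq -Rrs -f ${mergeShadowsJq} \
+/etc/shadow ${cfg.overridesFile} > /etc/shadow~
+${pkgs.coreutils}/bin/mv /etc/shadow /etc/shadow-
+${pkgs.coreutils}/bin/mv /etc/shadow~ /etc/shadow
+)
+'';
+};
+}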
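Review bot: `${cfg.overridesFile}` is interpolated unquoted into the activation shell on the line `/etc/shadow ${cfg.overridesFile} > /etc/shadow~`, so a path containing whitespace or glob characters is word-split before jq sees it; it should read `/etc/shadow "${cfg.overridesFile}" > /etc/shadow~`. The merged file is created under `umask 77` by whatever user runs activation (presumably root) and then `mv`ed over /etc/shadow, so it ends up 0600 with that owner rather than inheriting the ownership and mode the previous /etc/shadow had; an explicit `chmod`/`chown` after the final `mv`, or a comment stating that 0600 root is the intended result, would make that deliberate. `read_value` rejects any existing entry whose fields 3–9 are not exactly `1::::::` (the shape of the 9-field example in the option description), so a host where `passwd` or an expiry ever touched the file fails activation with `unrecognized field contents`; that constraint belongs in the `overridesFile` description, e.g. `Existing /etc/shadow entries must be in the form NixOS generates (lastchange 1, all other fields empty); activation aborts otherwise.` The activation script is registered as `users-tv`, which looks copied from the tv module and should probably carry this module's name.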
@ -4,11 +4,11 @@
|
||||
}:
|
||||
mkDerivation {
|
||||
pname = "flameshot-once";
|
||||
version = "1.1.0";
|
||||
version = "1.2.0";
|
||||
src = fetchgit {
|
||||
url = "https://cgit.krebsco.de/flameshot-once";
|
||||
sha256 = "158ha1yyj3p3mdjjga62j91ml83nhrsg34xbg3dir5cb399j8pxx";
|
||||
rev = "9d688b6ffad14912bd1afe42555747cb3d213d95";
|
||||
sha256 = "01c11dk8ss37awfn9xqsgx668dcrf4kvzfxlq7ycnqsnpbjjvm0a";
|
||||
rev = "cebaefa37095e74ad2253c4e2f9d9ab390f88737";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
isLibrary = false;
|
||||
|
@ -29,7 +29,7 @@ let
|
||||
|
||||
eval = evalModules {
|
||||
modules = singleton {
|
||||
_file = toString ./config.nix;
|
||||
_file = toString ./profile.nix;
|
||||
imports = singleton config;
|
||||
options = {
|
||||
buttons = mkOption {
|
||||
@ -77,6 +77,14 @@ let
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
timeout = mkOption {
|
||||
default = 100;
|
||||
description = ''
|
||||
Maximum time in milliseconds allowed for the flameshot daemon to
|
||||
react.
|
||||
'';
|
||||
type = types.positive;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -125,5 +133,6 @@ in
|
||||
|
||||
pkgs.writeDash "flameshot.profile" ''
|
||||
export FLAMESHOT_CAPTURE_PATH=${cfg.savePath}
|
||||
export FLAMESHOT_ONCE_TIMEOUT=${toString cfg.timeout}
|
||||
export XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
|
||||
''
|
||||
|
@ -1,7 +1,7 @@
|
||||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||
"rev": "8ea36d732567c80b2d11eb029e10400fe85ca786",
|
||||
"date": "2019-04-18T22:37:03+01:00",
|
||||
"sha256": "1d59i55qwqd76n2d0hr1si26q333ydizkd91h8lfczb00xnr5pqn",
|
||||
"rev": "cf3e277dd0bd710af0df667e9364f4bd80c72713",
|
||||
"date": "2019-04-24T23:55:21+02:00",
|
||||
"sha256": "1abyadl3sxf67yi65758hq6hf2j07afgp1fmkk7kd94dadx6r6f4",
|
||||
"fetchSubmodules": false
|
||||
}
|
||||
|
@ -22,18 +22,15 @@
|
||||
environment.systemPackages = [ usershadow ];
|
||||
lass.usershadow.path = "${usershadow}";
|
||||
security.pam.services.sshd.text = ''
|
||||
auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
auth required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||
auth sufficient pam_exec.so quiet expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
|
||||
auth sufficient pam_unix.so likeauth try_first_pass
|
||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||
session required pam_permit.so
|
||||
session required pam_loginuid.so
|
||||
'';
|
||||
|
||||
security.pam.services.dovecot2 = {
|
||||
text = ''
|
||||
auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
|
||||
auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
|
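Review bot: The rebuilt sshd `auth` stack (the `pam_env`, `pam_exec`, `pam_unix` lines, which I read as the new side of this hunk since the page lost its +/- markers) has no terminating `required` authenticator: both authenticating modules are `sufficient`, so when verify_pam and pam_unix both fail the denial comes only from Linux-PAM's default for a stack that produced no result. Adding `auth required pam_deny.so` after the `auth sufficient pam_unix.so likeauth try_first_pass` line makes the fail-closed outcome explicit and keeps it if another `sufficient` or `optional` line is added later. The exec target also moves from `/run/wrappers/bin/shadow_verify_pam` to the plain store path `${usershadow}/bin/verify_pam`; if the wrapper existed to grant privileges, confirm that pam_exec's caller context already provides what verify_pam needs to read the user shadow files. The dovecot2 `text` block begins in this hunk but its closing lines are outside it.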
232
mb/1systems/orange/configuration.nix
Normal file
232
mb/1systems/orange/configuration.nix
Normal file
@ -0,0 +1,232 @@
|
||||
{ config, pkgs, callPackage, ... }: let
|
||||
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
|
||||
in {
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
<stockholm/mb>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.orange;
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.initrd.luks.devices = [
|
||||
{
|
||||
name = "root";
|
||||
device = "/dev/disk/by-uuid/09a36f91-a713-4b82-8b41-4e7a6acc4acf";
|
||||
preLVM = true;
|
||||
allowDiscards = true;
|
||||
}
|
||||
];
|
||||
|
||||
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
|
||||
fileSystems."/mnt/public" = {
|
||||
device = "//192.168.88.252/public";
|
||||
fsType = "cifs";
|
||||
options = let
|
||||
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
|
||||
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
|
||||
};
|
||||
|
||||
#networking.hostName = "0r4n93";
|
||||
networking.wireless.enable = false;
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n = {
|
||||
consoleFont = "Lat2-Terminus16";
|
||||
consoleKeyMap = "de";
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
nixpkgs.config.packageOverrides = super: {
|
||||
openvpn = super.openvpn.override { pkcs11Support = true; useSystemd = false; };
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
fonts = {
|
||||
enableCoreFonts = true;
|
||||
enableGhostscriptFonts = true;
|
||||
fonts = with pkgs; [
|
||||
anonymousPro
|
||||
corefonts
|
||||
dejavu_fonts
|
||||
envypn-font
|
||||
fira
|
||||
gentium
|
||||
gohufont
|
||||
inconsolata
|
||||
liberation_ttf
|
||||
powerline-fonts
|
||||
source-code-pro
|
||||
terminus_font
|
||||
ttf_bitstream_vera
|
||||
ubuntu_font_family
|
||||
unifont
|
||||
unstable.cherry
|
||||
xorg.fontbitstream100dpi
|
||||
xorg.fontbitstream75dpi
|
||||
xorg.fontbitstreamtype1
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
adapta-gtk-theme
|
||||
aircrackng
|
||||
ag
|
||||
arandr
|
||||
binutils
|
||||
chromium
|
||||
cifs-utils
|
||||
curl
|
||||
evince
|
||||
exfat
|
||||
feh
|
||||
file
|
||||
firefox
|
||||
freetype
|
||||
gimp
|
||||
git
|
||||
gnupg
|
||||
graphite2
|
||||
hicolor_icon_theme
|
||||
htop
|
||||
i3lock
|
||||
jq
|
||||
keepassx2
|
||||
kvm
|
||||
lxappearance
|
||||
man-pages
|
||||
moc
|
||||
mpv
|
||||
mpvc
|
||||
mupdf
|
||||
ncdu
|
||||
nmap
|
||||
openvpn
|
||||
pass
|
||||
p7zip
|
||||
powertop
|
||||
ranger
|
||||
rofi
|
||||
sshfs
|
||||
tcpdump
|
||||
tmux
|
||||
traceroute
|
||||
tree
|
||||
unstable.alacritty
|
||||
unstable.ponyc
|
||||
unstable.sublime3
|
||||
unstable.youtube-dl
|
||||
vim
|
||||
virt-viewer
|
||||
virtmanager
|
||||
vulnix
|
||||
wcalc
|
||||
wget
|
||||
wireshark-gtk
|
||||
xz
|
||||
];
|
||||
|
||||
environment.shellAliases = {
|
||||
ll = "ls -alh";
|
||||
ls = "ls --color=tty";
|
||||
};
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
#virtualisation.kvmgt.enable = true;
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
layout = "de";
|
||||
xkbVariant = "nodeadkeys";
|
||||
libinput.enable = true;
|
||||
desktopManager = {
|
||||
default = "xfce";
|
||||
xterm.enable = false;
|
||||
xfce = {
|
||||
enable = true;
|
||||
noDesktop = true;
|
||||
enableXfwm = false;
|
||||
};
|
||||
};
|
||||
windowManager.ratpoison.enable = true;
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
#services.openssh.permitRootLogin = "yes";
|
||||
services.openssh.passwordAuthentication = false;
|
||||
|
||||
networking.networkmanager.enable = false;
|
||||
#networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
|
||||
networking.enableIPv6 = false;
|
||||
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
shellInit = ''
|
||||
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
|
||||
if begin
|
||||
set -q SSH_AGENT_PID
|
||||
and kill -0 $SSH_AGENT_PID
|
||||
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
|
||||
end
|
||||
echo "ssh-agent running on pid $SSH_AGENT_PID"
|
||||
else
|
||||
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
|
||||
end
|
||||
set -l identity $HOME/.ssh/id_rsa
|
||||
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
|
||||
ssh-add -l | grep -q $fingerprint
|
||||
or ssh-add $identity
|
||||
end
|
||||
'';
|
||||
promptInit = ''
|
||||
function fish_prompt --description 'Write out the prompt'
|
||||
set -l color_cwd
|
||||
set -l suffix
|
||||
set -l nix_shell_info (
|
||||
if test "$IN_NIX_SHELL" != ""
|
||||
echo -n " <nix-shell>"
|
||||
end
|
||||
)
|
||||
switch "$USER"
|
||||
case root toor
|
||||
if set -q fish_color_cwd_root
|
||||
set color_cwd $fish_color_cwd_root
|
||||
else
|
||||
set color_cwd $fish_color_cwd
|
||||
end
|
||||
set suffix '#'
|
||||
case '*'
|
||||
set color_cwd $fish_color_cwd
|
||||
set suffix '>'
|
||||
end
|
||||
|
||||
echo -n -s "$USER" @ (set_color yellow) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
|
||||
end
|
||||
'';
|
||||
};
|
||||
|
||||
nix.maxJobs = 4;
|
||||
nix.buildCores = 4;
|
||||
system.autoUpgrade.enable = false;
|
||||
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
|
||||
system.stateVersion = "19.03";
|
||||
|
||||
}
|
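Review bot: The `programs.fish` block (from `programs.fish = {` through its closing `};` near the end of the file) duplicates the one in `mb/2configs/default.nix`, which this host already pulls in via `<stockholm/mb>` → `./2configs`; `shellInit` and `promptInit` are `lines`-typed options merged by concatenation, so the resulting fish config defines `ssh_agent` and `fish_prompt` twice and the later definition silently wins. For orange both copies are identical, but `mb/1systems/p1nk/configuration.nix` carries the same block with `set_color magenta` against the shared `set_color yellow`, so which color p1nk gets depends on module merge order rather than on its own file. Removing the block from both host configurations and keeping the shared one in `mb/2configs/default.nix` (parameterising the color there if it should differ per host) removes the ambiguity. The `credentials=${config.users.users.mb.home}/.smbcredentials` mount option also refers to a file nothing in this commit provisions, so a comment such as `# .smbcredentials is deployed out-of-band; the automount fails until it exists` would help the next reader.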
28
mb/1systems/orange/hardware-configuration.nix
Normal file
28
mb/1systems/orange/hardware-configuration.nix
Normal file
@ -0,0 +1,28 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/b1d32c54-35f8-4bf1-9fd2-82adc760af01";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/BF9B-03A2";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
}
|
223
mb/1systems/p1nk/configuration.nix
Normal file
223
mb/1systems/p1nk/configuration.nix
Normal file
@ -0,0 +1,223 @@
|
||||
{ config, pkgs, callPackage, ... }: let
|
||||
unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
|
||||
in {
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
<stockholm/mb>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.p1nk;
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.initrd.luks.devices = [
|
||||
{
|
||||
name = "root";
|
||||
device = "/dev/disk/by-uuid/0392257b-f6cf-484d-8c46-e20aab4fddb7";
|
||||
preLVM = true;
|
||||
allowDiscards = true;
|
||||
}
|
||||
];
|
||||
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
|
||||
fileSystems."/mnt/public" = {
|
||||
device = "//192.168.88.252/public";
|
||||
fsType = "cifs";
|
||||
options = let
|
||||
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
|
||||
in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ];
|
||||
};
|
||||
|
||||
networking.wireless.enable = true;
|
||||
|
||||
i18n = {
|
||||
consoleFont = "Lat2-Terminus16";
|
||||
consoleKeyMap = "de";
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
fonts = {
|
||||
enableCoreFonts = true;
|
||||
enableGhostscriptFonts = true;
|
||||
fonts = with pkgs; [
|
||||
anonymousPro
|
||||
corefonts
|
||||
dejavu_fonts
|
||||
envypn-font
|
||||
fira
|
||||
gentium
|
||||
gohufont
|
||||
inconsolata
|
||||
liberation_ttf
|
||||
powerline-fonts
|
||||
source-code-pro
|
||||
terminus_font
|
||||
ttf_bitstream_vera
|
||||
ubuntu_font_family
|
||||
unifont
|
||||
unstable.cherry
|
||||
xorg.fontbitstream100dpi
|
||||
xorg.fontbitstream75dpi
|
||||
xorg.fontbitstreamtype1
|
||||
];
|
||||
};
|
||||
|
||||
nixpkgs.config.packageOverrides = super: {
|
||||
openvpn = super.openvpn.override { pkcs11Support = true; useSystemd = false; };
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
adapta-gtk-theme
|
||||
aircrackng
|
||||
ag
|
||||
arandr
|
||||
binutils
|
||||
chromium
|
||||
cifs-utils
|
||||
curl
|
||||
evince
|
||||
exfat
|
||||
feh
|
||||
file
|
||||
firefox
|
||||
freetype
|
||||
gimp
|
||||
git
|
||||
gnupg
|
||||
graphite2
|
||||
hicolor_icon_theme
|
||||
htop
|
||||
i3lock
|
||||
jq
|
||||
keepassx2
|
||||
kvm
|
||||
lxappearance
|
||||
man-pages
|
||||
moc
|
||||
mpv
|
||||
mpvc
|
||||
mupdf
|
||||
ncdu
|
||||
nmap
|
||||
openvpn
|
||||
pass
|
||||
p7zip
|
||||
powertop
|
||||
ranger
|
||||
rofi
|
||||
sshfs
|
||||
tcpdump
|
||||
tmux
|
||||
traceroute
|
||||
tree
|
||||
unstable.alacritty
|
||||
unstable.ponyc
|
||||
unstable.sublime3
|
||||
youtube-dl
|
||||
vim
|
||||
virt-viewer
|
||||
virtmanager
|
||||
vulnix
|
||||
wcalc
|
||||
wget
|
||||
xz
|
||||
];
|
||||
|
||||
environment.shellAliases = {
|
||||
ll = "ls -alh";
|
||||
ls = "ls --color=tty";
|
||||
};
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
virtualisation.kvmgt.enable = true;
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
layout = "de";
|
||||
xkbOptions = "neo";
|
||||
libinput.enable = true;
|
||||
desktopManager = {
|
||||
default = "xfce";
|
||||
xterm.enable = false;
|
||||
xfce = {
|
||||
enable = true;
|
||||
noDesktop = true;
|
||||
enableXfwm = false;
|
||||
};
|
||||
};
|
||||
windowManager.ratpoison.enable = true;
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.passwordAuthentication = false;
|
||||
|
||||
networking.networkmanager.enable = false;
|
||||
networking.nameservers = [ "8.8.8.8" "141.1.1.1" ];
|
||||
networking.enableIPv6 = false;
|
||||
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
shellInit = ''
|
||||
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
|
||||
if begin
|
||||
set -q SSH_AGENT_PID
|
||||
and kill -0 $SSH_AGENT_PID
|
||||
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
|
||||
end
|
||||
echo "ssh-agent running on pid $SSH_AGENT_PID"
|
||||
else
|
||||
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
|
||||
end
|
||||
set -l identity $HOME/.ssh/id_rsa
|
||||
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
|
||||
ssh-add -l | grep -q $fingerprint
|
||||
or ssh-add $identity
|
||||
end
|
||||
'';
|
||||
promptInit = ''
|
||||
function fish_prompt --description 'Write out the prompt'
|
||||
set -l color_cwd
|
||||
set -l suffix
|
||||
set -l nix_shell_info (
|
||||
if test "$IN_NIX_SHELL" != ""
|
||||
echo -n " <nix-shell>"
|
||||
end
|
||||
)
|
||||
switch "$USER"
|
||||
case root toor
|
||||
if set -q fish_color_cwd_root
|
||||
set color_cwd $fish_color_cwd_root
|
||||
else
|
||||
set color_cwd $fish_color_cwd
|
||||
end
|
||||
set suffix '#'
|
||||
case '*'
|
||||
set color_cwd $fish_color_cwd
|
||||
set suffix '>'
|
||||
end
|
||||
|
||||
echo -n -s "$USER" @ (set_color magenta) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
|
||||
end
|
||||
'';
|
||||
};
|
||||
|
||||
nix.maxJobs = 4;
|
||||
nix.buildCores = 4;
|
||||
system.autoUpgrade.enable = false;
|
||||
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
|
||||
system.stateVersion = "19.03";
|
||||
|
||||
}
|
29
mb/1systems/p1nk/hardware-configuration.nix
Normal file
29
mb/1systems/p1nk/hardware-configuration.nix
Normal file
@ -0,0 +1,29 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/4cc2add6-ed19-4685-bbd9-b992bd8d51fb";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/9F87-AEAA";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
}
|
198
mb/2configs/default.nix
Normal file
198
mb/2configs/default.nix
Normal file
@ -0,0 +1,198 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
{
|
||||
users.users = {
|
||||
root = {
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.mb.pubkey
|
||||
];
|
||||
};
|
||||
mb = {
|
||||
name = "mb";
|
||||
uid = 1337;
|
||||
home = "/home/mb";
|
||||
group = "users";
|
||||
createHome = true;
|
||||
shell = "/run/current-system/sw/bin/fish";
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"video"
|
||||
"fuse"
|
||||
"wheel"
|
||||
];
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.mb.pubkey
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
environment.variables = {
|
||||
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
|
||||
};
|
||||
}
|
||||
(let ca-bundle = "/etc/ssl/certs/ca-bundle.crt"; in {
|
||||
environment.variables = {
|
||||
CURL_CA_BUNDLE = ca-bundle;
|
||||
GIT_SSL_CAINFO = ca-bundle;
|
||||
SSL_CERT_FILE = ca-bundle;
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
networking.hostName = config.krebs.build.host.name;
|
||||
|
||||
krebs = {
|
||||
enable = true;
|
||||
build.user = config.krebs.users.mb;
|
||||
};
|
||||
|
||||
users.mutableUsers = false;
|
||||
|
||||
services.timesyncd.enable = mkForce true;
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /tmp 1777 root root - -"
|
||||
];
|
||||
|
||||
# multiple-definition-problem when defining environment.variables.EDITOR
|
||||
environment.extraInit = ''
|
||||
EDITOR=vim
|
||||
'';
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
#stockholm
|
||||
git
|
||||
gnumake
|
||||
jq
|
||||
parallel
|
||||
proot
|
||||
populate
|
||||
|
||||
#style
|
||||
most
|
||||
rxvt_unicode.terminfo
|
||||
|
||||
#monitoring tools
|
||||
htop
|
||||
iotop
|
||||
|
||||
#network
|
||||
iptables
|
||||
iftop
|
||||
tcpdump
|
||||
|
||||
#stuff for dl
|
||||
aria2
|
||||
|
||||
#neat utils
|
||||
fish
|
||||
file
|
||||
kpaste
|
||||
krebspaste
|
||||
mosh
|
||||
pciutils
|
||||
psmisc
|
||||
tmux
|
||||
untilport
|
||||
usbutils
|
||||
|
||||
#unpack stuff
|
||||
p7zip
|
||||
|
||||
(pkgs.writeDashBin "sshn" ''
|
||||
${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
|
||||
'')
|
||||
];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
passwordAuthentication = false;
|
||||
hostKeys = [
|
||||
# XXX bits here make no science
|
||||
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
|
||||
];
|
||||
};
|
||||
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
shellInit = ''
|
||||
function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
|
||||
if begin
|
||||
set -q SSH_AGENT_PID
|
||||
and kill -0 $SSH_AGENT_PID
|
||||
and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
|
||||
end
|
||||
echo "ssh-agent running on pid $SSH_AGENT_PID"
|
||||
else
|
||||
eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
|
||||
end
|
||||
set -l identity $HOME/.ssh/id_rsa
|
||||
set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
|
||||
ssh-add -l | grep -q $fingerprint
|
||||
or ssh-add $identity
|
||||
end
|
||||
'';
|
||||
promptInit = ''
|
||||
function fish_prompt --description 'Write out the prompt'
|
||||
set -l color_cwd
|
||||
set -l suffix
|
||||
set -l nix_shell_info (
|
||||
if test "$IN_NIX_SHELL" != ""
|
||||
echo -n " <nix-shell>"
|
||||
end
|
||||
)
|
||||
switch "$USER"
|
||||
case root toor
|
||||
if set -q fish_color_cwd_root
|
||||
set color_cwd $fish_color_cwd_root
|
||||
else
|
||||
set color_cwd $fish_color_cwd
|
||||
end
|
||||
set suffix '#'
|
||||
case '*'
|
||||
set color_cwd $fish_color_cwd
|
||||
set suffix '>'
|
||||
end
|
||||
|
||||
echo -n -s "$USER" @ (set_color yellow) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
|
||||
end
|
||||
'';
|
||||
};
|
||||
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=1G
|
||||
RuntimeMaxUse=128M
|
||||
'';
|
||||
|
||||
krebs.iptables = {
|
||||
enable = true;
|
||||
tables = {
|
||||
nat.PREROUTING.rules = [
|
||||
{ predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
|
||||
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
|
||||
];
|
||||
nat.OUTPUT.rules = [
|
||||
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
|
||||
];
|
||||
filter.INPUT.policy = "DROP";
|
||||
filter.FORWARD.policy = "DROP";
|
||||
filter.INPUT.rules = [
|
||||
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
|
||||
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
|
||||
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
|
||||
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
|
||||
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
|
||||
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
|
||||
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
|
||||
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
|
||||
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
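Review bot: The `sshn` wrapper defined with `pkgs.writeDashBin "sshn"` disables host-key verification for every connection made through it (`UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`) and is installed system-wide, so any use of it against a host that matters accepts a substituted key without notice; if it is meant for disposable test targets only, a comment above the `writeDashBin` line such as `# sshn: no host-key checking; only for throwaway/test hosts` records that intent. `environment.extraInit` sets `EDITOR=vim` without `export`, so in a POSIX shell that sources the snippet the variable stays shell-local and is not inherited by git, sudoedit and similar; `export EDITOR=vim` is what the surrounding comment about `environment.variables.EDITOR` appears to intend (fish may import it differently, so verify on both shells). The `bits = 8192` entry in `services.openssh.hostKeys` has no effect on an ed25519 key, as the `XXX` comment already hints; dropping it avoids implying a key size that does not exist.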
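--- a/mb/2configs/retiolum.nix
+++ b/mb/2configs/retiolum.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+
+krebs.iptables = {
+tables = {
+filter.INPUT.rules = let
+tincport = toString config.krebs.build.host.nets.retiolum.tinc.port;
+in [
+{ predicate = "-p tcp --dport ${tincport}"; target = "ACCEPT"; }
+{ predicate = "-p udp --dport ${tincport}"; target = "ACCEPT"; }
+];
+};
+};
+
+krebs.tinc.retiolum = {
+enableLegacy = true;
+enable = true;
+connectTo = [
+"prism"
+"gum"
+"ni"
+];
+};
+
+nixpkgs.config.packageOverrides = pkgs: {
+tinc = pkgs.tinc_pre;
+};
+
+environment.systemPackages = [
+pkgs.tinc
+];
+}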
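Review bot: Nothing in this commit imports `mb/2configs/retiolum.nix`: `mb/default.nix` imports `./2configs` (resolving to `mb/2configs/default.nix`, whose imports list has no `./retiolum.nix`), and both host configurations import only `./hardware-configuration.nix` and `<stockholm/mb>`, so as far as this diff shows `krebs.tinc.retiolum.enable = true`, the tinc port accept rules and the `tinc_pre` override never take effect even though `mb/default.nix` configures `krebs.tinc.retiolum.privkey` for them. If this is meant to be opt-in per host, a first-line comment such as `# opt-in: import from a host's configuration.nix to join retiolum` makes that explicit; otherwise add `./retiolum.nix` to the imports in `mb/2configs/default.nix`. A short comment on why `enableLegacy = true` is needed (which peers require it) would also help, since the option name suggests an older protocol mode is being kept enabled.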
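--- a/mb/2configs/tests/dummy-secrets/retiolum.rsa
+++ b/mb/2configs/tests/dummy-secrets/retiolum.rsa
@@ -0,0 +1,4 @@
+
+-----BEGIN RSA PRIVATE KEY-----
+this is a private key
+-----END RSA PRIVATE KEY-----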
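--- a/mb/3modules/default.nix
+++ b/mb/3modules/default.nix
@@ -0,0 +1,6 @@
+_:
+{
+imports = [
+./hosts.nix
+];
+}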
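--- a/mb/3modules/hosts.nix
+++ b/mb/3modules/hosts.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+options.mb.hosts = mkOption {
+type = types.attrsOf types.host;
+default =
+filterAttrs (_: host: host.owner.name == "mb" && host.ci)
+config.krebs.hosts;
+};
+}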
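--- a/mb/5pkgs/default.nix
+++ b/mb/5pkgs/default.nix
@@ -0,0 +1,11 @@
+with import <stockholm/lib>;
+
+self: super:
+
+# Import files and subdirectories like they are overlays.
+foldl' mergeAttrs {}
+(map
+(name: import (./. + "/${name}") self super)
+(filter
+(name: name != "default.nix" && !hasPrefix "." name)
+(attrNames (readDir ./.))))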
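--- a/mb/default.nix
+++ b/mb/default.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+imports = [
+../krebs
+./2configs
+./3modules
+];
+nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
+krebs.tinc.retiolum.privkey = {
+source-path = toString <secrets> + "/${config.krebs.tinc.retiolum.netname}.rsa";
+path = "${config.krebs.tinc.retiolum.user.home}/tinc.rsa_key.priv";
+owner = config.krebs.tinc.retiolum.user;
+};
+}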
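--- a/mb/krops.nix
+++ b/mb/krops.nix
@@ -0,0 +1,54 @@
+{ name }: let
+inherit (import ../krebs/krops.nix { inherit name; })
+krebs-source
+lib
+pkgs
+;
+
+host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
+import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
+else
+{}
+;
+
+source = { test }: lib.evalSource ([
+(krebs-source { test = test; })
+{
+nixos-config.symlink = "stockholm/mb/1systems/${name}/configuration.nix";
+nixpkgs-unstable.git = {
+url = "https://github.com/nixos/nixpkgs-channels";
+ref = "nixos-unstable";
+};
+secrets = if test then {
+file = toString ./2configs/tests/dummy-secrets;
+} else {
+pass = {
+dir = "${lib.getEnv "HOME"}/.password-store";
+name = "hosts/${name}";
+};
+};
+}
+] ++ (lib.optional (! test) host-source));
+
+in {
+
+# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
+deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
+source = source { test = false; };
+inherit target;
+};
+
+# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
+populate = { target, force ? false }: pkgs.populate {
+inherit force;
+source = source { test = false; };
+target = lib.mkTarget target;
+};
+
+# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
+test = { target }: pkgs.krops.writeTest "${name}-test" {
+force = true;
+inherit target;
+source = source { test = true; };
+};
+}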
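Review bot: The `nixpkgs-unstable.git` entry inside `source` sets `ref = "nixos-unstable";`, a moving branch head of nixpkgs-channels, so each `deploy`, `populate` or `test` run fetches whatever that branch points to at that moment and two deploys of the same `name` need not build the same system. For a reproducible and reviewable dependency, `ref` should name a specific commit that is bumped deliberately — if I read krops' git source correctly it accepts a commit hash there — e.g. `ref = "<pinned-nixpkgs-commit>";` with a comment above the block recording when it was last bumped. If tracking the branch is intentional, a one-line comment saying so next to `ref` would stop the next reader from "fixing" it.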
@ -17,6 +17,7 @@ with import <stockholm/lib>;
./bash
./htop.nix
./nginx
./pki
./ssh.nix
./sshd.nix
./vim.nix
@ -90,15 +91,6 @@ with import <stockholm/lib>;
};
}
{
environment.variables =
flip genAttrs (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt") [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"
"SSL_CERT_FILE"
];
}
{
services.cron.enable = false;
services.nscd.enable = false;
@ -8,5 +8,6 @@
environment.systemPackages = with pkgs; [
manpages
posix_man_pages
xorg.xorgdocs
];
}
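--- a/tv/2configs/pki/certs/tv.crt
+++ b/tv/2configs/pki/certs/tv.crt
@@ -0,0 +1,31 @@
+tv Root CA
+-----BEGIN CERTIFICATE-----
+MIIFGzCCAwOgAwIBAgIUbLFkDA1OgKbej/FQiJZ4gpGPg/4wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKdHYgUm9vdCBDQTAeFw0xOTA0MjEwNzI1MTdaFw0yOTA0
+MTgwNzI1MTdaMBUxEzARBgNVBAMMCnR2IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDEVpZo1PLayK2AULwNtRY/2RIs/h+Uz1k/I7AY5o7H
+HTD6pxNH3DZS82Y89nAHDVEnotK26TW6N1O2fBHUxH2GXVD+MaA/D9ngbNTJa7DW
+2EThezOyesAbXk7dkoHh4Bouj5L7Ronka5+IREFmb3mHmcXLuR/sot9Pwr9A7Lwm
+55Avv+VwMFnqVMXiCYQsDL7Mxf7Vm79+kXShpfDhNmHhyZc/xPjVk7lttSEp0LCq
+hhJjte3xDGbk7OThTSxoqP+K4Ek7NGatCcm4AUZlDl1kLN2QKudYqj0VRQpfE+4Q
+jMAAtttc/10MV0e08pRK0FvJsDsi70YZrHnDP6hIBrRNjC8iB/8rz2pjnYzgriUt
+HHEDr26234VB5Zqhsi8pmXA16FVkoKlucADXXKEcR/3VreTvZLdSsP3OrDdSCwhi
+H2W/7tshDPp+I9Q9fGNixry7PODbud1h/wLsq3Geg/U6VkDdl7uDNMB/O7LvlFaC
+7jkHv/xFLqV1Xx9+yFMdJTKLf9jnIIjeINfV4VcJZDrtgGpnC6cYD5DNLA4j7Mny
+EnBV9IRhmKiZLvUZP62dPhqIfSSPNxXV2+rT5ZfaXCuVe79R5npgJzF7/qslvnZ6
+0mjZfQdJiXY+/oT9zPUxTroFx7Qtda15aIVwXR+1cMRY/Hg/uBQyp7yWsvwhPYwH
+awIDAQABo2MwYTAdBgNVHQ4EFgQUWYjGpR7J/UqggxQV87hBQ8ZT0qkwHwYDVR0j
+BBgwFoAUWYjGpR7J/UqggxQV87hBQ8ZT0qkwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAA++eAA7KLEd4n05n8w95sJ7
+cxqQSkVxV3ASnEUQRwVGo3CqEKcNufbCTG7KKGQFUi2Xd3/SWgnEiSZZWo06azbV
+vlquG+9ilwnrnqfjlbUEjLMHDzukrEeIiRuFY7gZv6S2o4WkW/M9IPkP34+PRjip
+AJ8kFcy7wLPaeH7OagslAVUcf68lMm+8W4U1g0HZaY2zXFgdRrIO1dXKlJ22Wh4X
+fcblHjkASAGi+BK+xRJ9G7s3sie2wPyk+WKKv0Z+WheKf+L+TPBg2sJ+d25gW+gG
+XNJSQOzCqSfHrCtcW1xkGgifog28/ymN03ggn8oMBUebOp+ayLkbPQDaj6te3y1v
+YE0cfkzQ0T6sSzPzoOrwBEuSX8cLWTpzO2Zgqbf36UtHjgxi58vY46p7MjAInxAf
+j+k67rF7qWH38drg4nfGjNgiEdeJw9dtDFdmso+ZiWipUyGF4VYh+Q6JnXDMF0+A
+wXcYWa7ckXvVOLVpHJfrLDYTXznGnk2u4ToVNEk1j/klMRn96lxfFg04iv8fz8m6
+/Y8g0G1uIT5Mq9l68oZUoEkUHZabPNhYOiYtg4t5v/T3AIV8nm2A5jZYj0am26xT
+iqF/tqL3alWXs9OHP7FNdrVWtwO8vcspYcd4mOHdAC/dmhq+77BowR5Lldx9T+mR
+QT8jW9PXL0IH0wKMBXxf
+-----END CERTIFICATE-----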
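--- a/tv/2configs/pki/default.nix
+++ b/tv/2configs/pki/default.nix
@@ -0,0 +1,68 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
+
+in {
+
+environment.etc."pki/nssdb".source =
+pkgs.runCommand "system-wide-nssdb" {
+inherit certFile;
+buildInputs = [
+pkgs.jq
+pkgs.nssTools
+];
+parseInfoScript = /* jq */ ''
+${toJSON certFile} as $certFile |
+
+split("\t-----END CERTIFICATE-----\n")[] |
+select(test("\t-----BEGIN CERTIFICATE-----\n")) |
+. + "\t-----END CERTIFICATE-----\n" |
+
+sub("^([0-9]+\t\n)*";"") |
+
+(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
+
+gsub("(?m)^[0-9]+\t";"") |
+
+match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
+
+# Line numbers are added to the names to ensure uniqueness.
+"\(.[0]) (\($certFile):\($lineNumber))" as $name |
+.[1] as $cert |
+
+{ $name, $cert }
+'';
+passAsFile = [
+"parseInfoScript"
+];
+} /* sh */ ''
+mkdir nssdb
+
+nl -ba -w1 "$certFile" |
+jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
+
+exec < certinfo.ndjson
+while read -r certinfo; do
+name=$(printf %s "$certinfo" | jq -er .name)
+cert=$(printf %s "$certinfo" | jq -er .cert)
+
+printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
+done
+
+mv nssdb "$out"
+'';
+
+environment.variables = flip genAttrs (_: toString certFile) [
+"CURL_CA_BUNDLE"
+"GIT_SSL_CAINFO"
+"SSL_CERT_FILE"
+];
+
+security.pki.certificateFiles =
+mapAttrsToList
+(name: const (./certs + "/${name}"))
+(filterAttrs (const (eq "regular"))
+(readDir ./certs));
+
+}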
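Review bot: `security.pki.certificateFiles` at the bottom of the file trusts every regular file under `./certs`, and the `certutil -A ... -t C,C,C` call in the build script gives each CA of the resulting bundle trusted-CA status for TLS, S/MIME and object signing alike; together with `tv.crt` added in this same commit, that private root is therefore trusted for all three purposes by every OpenSSL- and NSS-based client on the host. If only TLS is intended, `-t C,,` narrows the NSS trust, and filtering by suffix keeps a stray file dropped into the directory from silently becoming a trust anchor: `(filterAttrs (name: type: type == "regular" && hasSuffix ".crt" name)`. A short header comment stating that `./certs` is the host's private trust-anchor directory, and that anything placed there ends up in both the system bundle and `/etc/pki/nssdb`, would make the blast radius explicit to the next person adding a file.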
@ -1,58 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
pkgs.writeText "Xresources" /* xdefaults */ ''
URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’"
URxvt*eightBitInput: false
URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
URxvt*scrollBar: false
URxvt*background: #050505
URxvt*foreground: #d0d7d0
URxvt*cursorColor: #f042b0
URxvt*cursorColor2: #f0b000
URxvt*cursorBlink: off
URxvt*jumpScroll: true
URxvt*allowSendEvents: false
URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
URxvt*cutNewline: False
URxvt*cutToBeginningOfLine: False
URxvt*color0: #232342
URxvt*color3: #c07000
URxvt*color4: #4040c0
URxvt*color7: #c0c0c0
URxvt*color8: #707070
URxvt*color9: #ff6060
URxvt*color10: #70ff70
URxvt*color11: #ffff70
URxvt*color12: #7070ff
URxvt*color13: #ff50ff
URxvt*color14: #70ffff
URxvt*color15: #ffffff
URxvt*iso14755: False
URxvt*urgentOnBell: True
URxvt*visualBell: True
! ref https://github.com/muennich/urxvt-perls
URxvt*perl-ext: default,url-select
URxvt*keysym.M-u: perl:url-select:select_next
URxvt*url-select.launcher: /etc/per-user/${config.krebs.build.user.name}/bin/ff -new-tab
URxvt*url-select.underline: true
URxvt*colorUL: #4682B4
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
URxvt*saveLines: 10000
root-urxvt*background: #230000
root-urxvt*foreground: #e0c0c0
root-urxvt*BorderColor: #400000
root-urxvt*color0: #800000
fzmenu-urxvt*background: rgb:42/23/42
fzmenu-urxvt*externalBorder: 1
fzmenu-urxvt*geometry: 70x9
fzmenu-urxvt*internalBorder: 1
''
@ -9,12 +9,16 @@ let
};
in {
imports = [
./sxiv.nix
./urxvt.nix
];
environment.systemPackages = [
pkgs.ff
pkgs.font-size
pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.sxiv
pkgs.xdotool
pkgs.xsel
pkgs.zathura
@ -73,7 +77,6 @@ in {
${pkgs.xorg.xhost}/bin/xhost -LOCAL:
} &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
@ -147,19 +150,6 @@ in {
};
};
systemd.services.urxvtd = {
wantedBy = [ "graphical.target" ];
restartIfChanged = false;
serviceConfig = {
SyslogIdentifier = "urxvtd";
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = cfg.user.name;
};
};
tv.slock = {
enable = true;
user = cfg.user;
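--- a/tv/2configs/xserver/sxiv.nix
+++ b/tv/2configs/xserver/sxiv.nix
@@ -0,0 +1,12 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+cfg.user = config.krebs.build.user;
+in {
+tv.Xresources = {
+"Sxiv.foreground" = "#232323";
+"Sxiv.background" = "#424242";
+};
+users.users.${cfg.user.name}.packages = [
+pkgs.sxiv
+];
+}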
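--- a/tv/2configs/xserver/urxvt.nix
+++ b/tv/2configs/xserver/urxvt.nix
@@ -0,0 +1,73 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+cfg.user = config.krebs.build.user;
+in {
+systemd.services.urxvtd = {
+wantedBy = [ "graphical.target" ];
+restartIfChanged = false;
+serviceConfig = {
+SyslogIdentifier = "urxvtd";
+ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+Restart = "always";
+RestartSec = "2s";
+StartLimitBurst = 0;
+User = cfg.user.name;
+};
+};
+tv.Xresources = {
+"URxvt*cutchars" = ''"\\`\"'&()*,;<=>?@[]^{|}‘’"'';
+"URxvt*eightBitInput" = "false";
+"URxvt*font" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+"URxvt*boldFont" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+"URxvt*scrollBar" = "false";
+"URxvt*background" = "#050505";
+"URxvt*foreground" = "#d0d7d0";
+"URxvt*cursorColor" = "#f042b0";
+"URxvt*cursorColor2" = "#f0b000";
+"URxvt*cursorBlink" = "off";
+"URxvt*jumpScroll" = "true";
+"URxvt*allowSendEvents" = "false";
+"URxvt*charClass" = "33:48,37-38:48,45-47:48,61:48,63-64:48";
+"URxvt*cutNewline" = "False";
+"URxvt*cutToBeginningOfLine" = "False";
+
+"URxvt*color0" = "#232342";
+"URxvt*color3" = "#c07000";
+"URxvt*color4" = "#4040c0";
+"URxvt*color7" = "#c0c0c0";
+"URxvt*color8" = "#707070";
+"URxvt*color9" = "#ff6060";
+"URxvt*color10" = "#70ff70";
+"URxvt*color11" = "#ffff70";
+"URxvt*color12" = "#7070ff";
+"URxvt*color13" = "#ff50ff";
+"URxvt*color14" = "#70ffff";
+"URxvt*color15" = "#ffffff";
+
+"URxvt*iso14755" = "False";
+
+"URxvt*urgentOnBell" = "True";
+"URxvt*visualBell" = "True";
+
+# ref https://github.com/muennich/urxvt-perls
+"URxvt*perl-ext" = "default,url-select";
+"URxvt*keysym.M-u" = "perl:url-select:select_next";
+"URxvt*url-select.launcher" =
+"/etc/profiles/per-user/${cfg.user.name}/bin/ff -new-tab";
+"URxvt*url-select.underline" = "true";
+"URxvt*colorUL" = "#4682B4";
+"URxvt.perl-lib" = "${pkgs.urxvt_perls}/lib/urxvt/perl";
+"URxvt*saveLines" = "10000";
+"URxvt*modifier" = "mod1";
+
+"root-urxvt*background" = "#230000";
+"root-urxvt*foreground" = "#e0c0c0";
+"root-urxvt*BorderColor" = "#400000";
+"root-urxvt*color0" = "#800000";
+
+"fzmenu-urxvt*background" = "rgb:42/23/42";
+"fzmenu-urxvt*externalBorder" = "1";
+"fzmenu-urxvt*geometry" = "70x9";
+"fzmenu-urxvt*internalBorder" = "1";
+};
+}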
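--- a/tv/3modules/Xresources.nix
+++ b/tv/3modules/Xresources.nix
@@ -0,0 +1,39 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+cfg = {
+enable = config.tv.Xresources != {};
+user = config.krebs.build.user;
+};
+in {
+options.tv.Xresources = mkOption {
+default = {};
+type = types.attrsOf types.str;
+};
+config = {
+nixpkgs.overlays = singleton (self: super: {
+tv = super.tv or {} // {
+Xresources =
+self.writeText "Xresources"
+(concatStrings (mapAttrsToList (name: value: /* xdefaults */ ''
+${name}: ${value}
+'') config.tv.Xresources));
+};
+});
+systemd.services.${if cfg.enable then "Xresources" else null} = {
+wantedBy = [ "graphical.target" ];
+after = [ "xserver.service" ];
+requires = [ "xserver.service" ];
+environment = {
+DISPLAY = ":${toString config.services.xserver.display}";
+};
+serviceConfig = {
+ExecStart = "${pkgs.xorg.xrdb}/bin/xrdb ${pkgs.tv.Xresources}";
+RemainAfterExit = true;
+SyslogIdentifier = "Xresources";
+Type = "oneshot";
+User = cfg.user.name;
+WorkingDirectory = cfg.user.home;
+};
+};
+};
+}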
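Review bot: The attribute name `${if cfg.enable then "Xresources" else null}` on the `systemd.services` line relies on Nix silently dropping an attribute whose interpolated name is `null`, which reads like a mistake to anyone not familiar with the idiom; a comment such as `# null attribute name: the service is omitted entirely when tv.Xresources is empty` would save the next reader a detour. Separately, `types.attrsOf types.str` values are written into the generated file verbatim via `${name}: ${value}`, so a value containing a newline would turn into additional resource lines; if the option is meant to hold one resource per entry, `types.attrsOf (types.strMatching "[^\n]*")` makes that a build-time check — I cannot see from here whether the values are validated elsewhere, so treat this as a suggestion rather than a defect. The option also lacks a `description`, which would document that entries become `name: value` lines loaded with `xrdb` at graphical start.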
@ -7,5 +7,6 @@
./iptables.nix
./slock.nix
./x0vncserver.nix
./Xresources.nix
];
}