Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'cd/master'

Browse Source
This commit is contained in:
lassulus 2016-07-07 23:33:18 +02:00
commit f4b2262c7e
9 changed files with 310 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
krebs/3modules/tv/default.nix
View File

@ -358,6 +358,37 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
};
zu = {
cores = 4;
nets = {
#gg23 = {
# ip4.addr = "";
# aliases = ["zu.gg23"];
# ssh.port = 11423;
#};
retiolum = {
ip4.addr = "10.243.13.40";
ip6.addr = "42:0:0:0:0:0:0:1340";
aliases = [
"zu.r"
"zu.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
/NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
};
};
users = {
mv = {

60
tv/1systems/cd.nix
View File

@ -44,20 +44,50 @@ with config.krebs.lib;
"cgit.cd.viljetic.de"
];
# TODO make public_html also available to cd, cd.retiolum (AKA default)
krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'');
};
krebs.nginx.servers.viljetic = {
krebs.nginx.servers."https://viljetic.de" = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
locations = singleton (nameValuePair "/" ''
root ${pkgs.viljetic-pages};
'');
listen = mkForce []; # disable default
ssl = {
enable = true;
certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
certificate_key = "/var/lib/acme/viljetic.de/key.pem";
};
locations = [
(nameValuePair "/" ''
root ${pkgs.viljetic-pages};
'')
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
tv.iptables.input-internet-accept-tcp = singleton "http";
krebs.nginx.servers."http://viljetic.de" = {
server-names = singleton "viljetic.de";
locations = [
(nameValuePair "/.well-known/acme-challenge/" ''
root /var/lib/acme/challenges/viljetic.de/;
'')
(nameValuePair "/" ''
return 301 https://viljetic.de$request_uri;
'')
];
};
security.acme = {
certs."viljetic.de" = {
email = "tomislav@viljetic.de";
webroot = "/var/lib/acme/challenges/viljetic.de";
plugins = [
"account_key.json"
"key.pem"
"fullchain.pem"
];
user = "nginx";
};
};
tv.iptables.input-internet-accept-tcp = [
"http"
"https"
];
}
];
@ -78,13 +108,7 @@ with config.krebs.lib;
iotop
iptables
nethogs
ntp # ntpate
rxvt_unicode.terminfo
tcpdump
];
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
}

5
tv/1systems/mu.nix
View File

@ -157,11 +157,6 @@ with config.krebs.lib;
];
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?

1
tv/1systems/nomic.nix
View File

@ -60,7 +60,6 @@ with config.krebs.lib;
esac
'')
gnupg
ntp # ntpate
rxvt_unicode.terminfo
tmux
];

6
tv/1systems/wu.nix
View File

@ -29,7 +29,6 @@ with config.krebs.lib;
# root
cryptsetup
ntp # ntpate
# tv
bc
@ -164,11 +163,6 @@ with config.krebs.lib;
services.printing.enable = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?

6
tv/1systems/xu.nix
View File

@ -41,7 +41,6 @@ with config.krebs.lib;
# root
cryptsetup
ntp # ntpate
# tv
bc
@ -176,11 +175,6 @@ with config.krebs.lib;
services.printing.enable = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?

229
tv/1systems/zu.nix Normal file
View File

@ -0,0 +1,229 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
{
krebs.build.host = config.krebs.hosts.zu;
imports = [
{
options.tv.test.sercret-file = mkOption {
type = types.secret-file;
default = {};
};
}
../.
../2configs/hw/x220.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
../2configs/man.nix
../2configs/nginx/public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
../2configs/wu-binary-cache/client.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
# stockholm
gnumake
hashPassword
haskellPackages.lentil
parallel
(pkgs.writeBashBin "im" ''
export PATH=${makeSearchPath "bin" (with pkgs; [
tmux
gnugrep
weechat
])}
if tmux list-sessions -F\#S | grep -q '^im''$'; then
exec tmux attach -t im
else
exec tmux new -s im weechat
fi
'')
# root
cryptsetup
# tv
bc
bind # dig
cac-api
dic
file
gnupg1compat
haskellPackages.hledger
htop
jq
mkpasswd
netcat
nix-repl
nmap
p7zip
pass
q
qrencode
# XXX fails at systemd.services.dbus.unitConfig
#texlive
tmux
#ack
#apache-httpd
#ascii
#emacs
#es
#esniper
#gcc
#gptfdisk
#graphviz
#haskellPackages.cabal2nix
#haskellPackages.ghc
#haskellPackages.shake
#hdparm
#i7z
#iftop
#imagemagick
#inotifyTools
#iodine
#iotop
#lshw
#lsof
#minicom
#mtools
#ncmpc
#nethogs
#nix-prefetch-scripts #cvs bug
#openssl
#openswan
#parted
#perl
#powertop
#ppp
#proot
#pythonPackages.arandr
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
#scrot
#sec
#silver-searcher
#sloccount
#smartmontools
#socat
#sshpass
#strongswan
#sysdig
#sysstat
#tcpdump
#tlsdate
#unetbootin
#utillinuxCurses
#wvdial
#xdotool
#xkill
#xl2tpd
#xsel
unison
];
}
];
boot.initrd.luks = {
cryptoModules = [ "aes" "sha512" "xts" ];
devices = [
{ name = "zuca"; device = "/dev/sda2"; }
];
};
fileSystems = {
"/" = {
device = "/dev/mapper/zuvga-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/zuvga-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
};
nixpkgs.config.chromium.enablePepperFlash = true;
#hardware.bumblebee.enable = true;
#hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
#hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
ethtool
tinc_pre
iptables
#jack2
gptfdisk
];
security.setuidPrograms = [
"sendmail" # for cron
];
services.printing.enable = true;
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
];
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
#services.virtualboxHost.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
#/*
#{ host api.doraemon.sg.zalora.net | awk '{print$4" api.zalora.sg"}';
# host bob.live.sg.zalora.net | awk '{print$4" bob.zalora.sg"}';
# host www.live.sg.zalora.net | awk '{print$4" www.zalora.sg costa.zalora.sg"}'; }
#*/
# networking.extraHosts = optionalString (1 == 1) ''
#54.255.133.72 api.zalora.sg
#52.77.12.194 bob.zalora.sg
#52.74.232.49 www.zalora.sg costa.zalora.sg
# '';
#services.elasticsearch.enable = true;
#services.kibana.enable = true;
#services.logstash.enable = true;
environment.etc."ssh/ssh_config".text = mkForce ''
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${optionalString config.programs.ssh.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
#PubkeyAcceptedKeyTypes +ssh-dss
${config.programs.ssh.extraConfig}
'';
}

8
tv/2configs/default.nix
View File

@ -153,6 +153,7 @@ with config.krebs.lib;
services.cron.enable = false;
services.nscd.enable = false;
services.ntp.enable = false;
services.timesyncd.enable = true;
}
{
@ -168,6 +169,13 @@ with config.krebs.lib;
tv.iptables.accept-echo-request = "internet";
}
{
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
}
{
services.openssh = {
enable = true;

4
tv/2configs/nginx/default.nix
View File

@ -4,10 +4,6 @@ with config.krebs.lib;
{
krebs.nginx = {
extraConfig = ''
events {
}
'';
servers.default.locations = [
(nameValuePair "= /etc/os-release" ''
default_type text/plain;