From ef365a763e5ff4fab039443b7756f27da701b81e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 19 Jul 2015 22:51:39 +0200 Subject: 2 lass.desktop-base: remove german keyboard layout --- 2configs/lass/desktop-base.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix index ee7a94b..9b98e4a 100644 --- a/2configs/lass/desktop-base.nix +++ b/2configs/lass/desktop-base.nix @@ -55,11 +55,9 @@ in { displayManager.auto.enable = true; displayManager.auto.user = mainUser.name; - layout = "us,de"; + layout = "us"; xkbModel = "evdev"; - xkbVariant = "altgr-intl,nodeadkeys"; - xkbOptions = "grp:caps_toggle"; - + xkbVariant = "altgr-intl"; }; } -- cgit v1.3.1 From 5b5e76e21099213758a6b3872b24015f8e33d409 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 18:57:58 +0200 Subject: 1&2 lass: move userconfig to base.nix --- 1systems/lass/mors.nix | 15 --------------- 1systems/lass/uriel.nix | 33 ++++++++++----------------------- 2configs/lass/base.nix | 26 ++++++++++++++++++++++++-- 3 files changed, 34 insertions(+), 40 deletions(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 940dc4f..7e70be8 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -168,21 +168,6 @@ ''; }; - users.extraUsers = { - #main user - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - extraGroups = [ "wheel" "audio" ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index 25745d0..a5a0833 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -1,5 +1,6 @@ { config, pkgs, ... }: +with builtins; { imports = [ ../../2configs/lass/desktop-base.nix 
@@ -30,6 +31,15 @@ enable = true; }; } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/uriel.ssh.pub + ]; + }; + }; + } ]; networking.hostName = "uriel"; @@ -87,29 +97,6 @@ ''; }; - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" "audio" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 5e5b8a7..26e6cae 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -3,14 +3,36 @@ with lib; { imports = [ - ./sshkeys.nix ../../3modules/lass/iptables.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import /root/src/secrets/hashedPasswords.nix); } - + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } ]; nix.useChroot = true; -- cgit v1.3.1 From 188b97682a03e1c786b3404b0c5009e20294f22b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:02:31 +0200 Subject: 2 lass: remove gitolite from base.nix --- 2configs/lass/base.nix | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 26e6cae..a0d3c3a 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix 
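Review bot: Dropping `./sshkeys.nix` from the base.nix imports leaves `services.gitolite.adminPubkey = config.sshKeys.lass.pub` further down the same file (visible as pre-image context in the next commit's hunk) referring to an option this file no longer provides, so evaluation presumably fails unless sshkeys.nix is imported from elsewhere; either keep the import in this commit or switch that reference to `readFile ../../Zpubkeys/lass.ssh.pub` as the new user block does. The same key file now authorizes both `root` and `mainUser`, which is consistent with the `root@…` deploy target used by the makefiles on this page, but deserves a one-line comment such as `# lass.ssh.pub grants both root and lass login; root is the deploy account`. The `hashedPassword` import from `/root/src/secrets` is unchanged context.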
@@ -99,11 +99,11 @@ with lib; "sendmail" ]; - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; + #services.gitolite = { + # enable = true; + # dataDir = "/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; services.openssh = { enable = true; @@ -132,27 +132,4 @@ with lib; }; }; - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; } -- cgit v1.3.1 From b0db57b8da61b86a4e1cc2cec56053790f26aec1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:04:40 +0200 Subject: lass: add cloudkrebs system --- 0make/lass/cloudkrebs.makefile | 4 ++++ 1systems/lass/cloudkrebs.nix | 43 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 0make/lass/cloudkrebs.makefile create mode 100644 1systems/lass/cloudkrebs.nix diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile new file mode 100644 index 0000000..baf7660 --- /dev/null +++ b/0make/lass/cloudkrebs.makefile @@ -0,0 +1,4 @@ +deploy_host := root@cloudkrebs +nixpkgs_url := https://github.com/Lassulus/nixpkgs +nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b +secrets_dir := /home/lass/secrets/cloudkrebs 
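Review bot: The gitolite block is commented out instead of removed, so the stale `config.sshKeys.lass.pub` reference survives as dead text, while the second hunk of the same commit deletes the old firewall comment outright; deleting here too is consistent and git history keeps the block. If gitolite is meant to come back, a single line like `# gitolite disabled: adminPubkey needs a key source now that sshkeys.nix is no longer imported` records why it is off rather than leaving the reader to guess.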
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix new file mode 100644 index 0000000..dc27aff --- /dev/null +++ b/1systems/lass/cloudkrebs.nix @@ -0,0 +1,43 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../2configs/tv/CAC-Developer-2.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/lass/base.nix + { + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "gum" + "pigstarter" + ]; + }; + } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + }; + } + ]; + + networking.hostName = "cloudkrebs"; + +} -- cgit v1.3.1 From 9a81802d3427d767c81ba62368da3ad22e0da75c Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:14:15 +0200 Subject: 2 lass.git-repos: change irc-server to cd --- 2configs/lass/git-repos.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix index c0c305b..b4f446a 100644 --- a/2configs/lass/git-repos.nix +++ b/2configs/lass/git-repos.nix @@ -39,7 +39,7 @@ let post-receive = git.irc-announce { nick = config.networking.hostName; # TODO make this the default channel = "#retiolum"; - server = "ire.retiolum"; + server = "cd.retiolum"; }; }; }; @@ -63,7 +63,7 @@ let post-receive = git.irc-announce { nick = config.networking.hostName; # TODO make this the default channel = "#retiolum"; - server = "ire.retiolum"; + server = "cd.retiolum"; }; }; public = true; -- cgit v1.3.1 From 83de7be89610ef2c408bc00b178b60a57e36e163 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Thu, 23 Jul 2015 02:11:56 +0200 Subject: 1&2 lass: move exim/retiolum to retiolum.nix --- 1systems/lass/cloudkrebs.nix | 13 +------------ 1systems/lass/mors.nix | 14 +------------- 1systems/lass/uriel.nix | 14 +------------- 2configs/lass/retiolum.nix | 29 +++++++++++++++++++++++++++++ 4 files changed, 32 insertions(+), 38 deletions(-) create mode 100644 2configs/lass/retiolum.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index dc27aff..53e23db 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -5,6 +5,7 @@ ../../2configs/tv/CAC-Developer-2.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/lass/base.nix + ../../2configs/lass/retiolum.nix { networking.interfaces.enp2s1.ip4 = [ { @@ -18,18 +19,6 @@ ]; } - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 7e70be8..dacf766 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -20,19 +20,7 @@ ../../2configs/lass/chromium-patched.nix ../../2configs/lass/git-repos.nix ../../2configs/tv/synaptics.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } + ../../2configs/lass/retiolum.nix { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index a5a0833..7a5da23 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix 
@@ -12,19 +12,7 @@ with builtins; ../../2configs/lass/bird.nix ../../2configs/lass/git-repos.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } + ../../2configs/lass/retiolum.nix { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix new file mode 100644 index 0000000..d1389ad --- /dev/null +++ b/2configs/lass/retiolum.nix @@ -0,0 +1,29 @@ +{ ... }: + +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../3modules/tv/retiolum.nix + ../../2configs/tv/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} -- cgit v1.3.1 From fbea2ae05c574cd11f1aebaeb40cca8d4b536908 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:17:40 +0200 Subject: 1&2 lass: move vim.nix import to base.nix --- 1systems/lass/mors.nix | 1 - 1systems/lass/uriel.nix | 1 - 2configs/lass/base.nix | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index dacf766..3007380 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -8,7 +8,6 @@ ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/virtualbox.nix ../../2configs/lass/elster.nix ../../2configs/lass/urxvt.nix diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index 7a5da23..a6f5a82 100644 --- a/1systems/lass/uriel.nix 
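Review bot: The new `lass.iptables` rules accept `--dport smtp` and the tinc ports on every interface, and `1systems/lass/cloudkrebs.nix` (earlier in this commit) imports this file on a host with a public address, so exim becomes reachable from the internet unless `exim-retiolum.nix` binds only the overlay address, which is not visible here; if mail is overlay-only, restrict the rule, e.g. `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }`. The tinc tcp/udp rules do need to be public for the mesh to form, so those can stay. Separately, `connectTo` lists `"cloudkrebs"` while cloudkrebs itself imports this file, so that host is told to connect to itself; probably harmless, but filtering the list on `config.networking.hostName` or overriding per host avoids the odd entry.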
+++ b/1systems/lass/uriel.nix @@ -7,7 +7,6 @@ with builtins; ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix ../../2configs/lass/git-repos.nix diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index a0d3c3a..35631ff 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -4,6 +4,7 @@ with lib; { imports = [ ../../3modules/lass/iptables.nix + ../../2configs/lass/vim.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) -- cgit v1.3.1 From cbd8d5e8db94c41b8fca33d23419c88ad109a551 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:18:45 +0200 Subject: 3 lass.iptables: fix precedence sort order --- 3modules/lass/iptables.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix index c97b9f7..8c6ad3f 100644 --- a/3modules/lass/iptables.nix +++ b/3modules/lass/iptables.nix @@ -106,7 +106,7 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; in #TODO: double check should be unneccessary, refactor! -- cgit v1.3.1 From 493184a2f4b7d0f0cf407731e11e6cb9565f5aa8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:24 +0200 Subject: 2 lass.base: use precedence in iptables config --- 2configs/lass/base.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 35631ff..b24e6a9 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix 
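Review bot: Flipping the comparator to `a.precedence > b.precedence` silently changes the contract to "higher precedence is emitted first", and nothing in the hunk records that; add `# descending: a higher precedence value is emitted earlier in the chain` above the `sort` so the values chosen in 2configs/lass/base.nix in the following commit (10001 down to 9998) can be read against it. Rules added elsewhere on this page (2configs/lass/retiolum.nix, 2configs/lass/fastpoke-pages.nix) carry no `precedence` attribute, so this sort only evaluates if the rule option declares a default; that option definition is outside the hunk, so please verify. `buildChain` continues past the end of the hunk.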
@@ -125,10 +125,10 @@ with lib; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } ]; }; }; -- cgit v1.3.1 From 88d8137c63c0742028145b1fe39728a55879ed96 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:46 +0200 Subject: 2 lass.base: add nmap to defaultPackages --- 2configs/lass/base.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index b24e6a9..494cafa 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -53,6 +53,8 @@ with lib; ''; environment.systemPackages = with pkgs; [ + nmap + git most rxvt_unicode.terminfo -- cgit v1.3.1 From 264a24c5346b926366b5e5716c26af64de398572 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:20:44 +0200 Subject: 1 lass.cloudkrebs: move config to fastpoke-pages --- 1systems/lass/cloudkrebs.nix | 1 + 2configs/lass/fastpoke-pages.nix | 103 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 2configs/lass/fastpoke-pages.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 53e23db..8b3e415 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -6,6 +6,7 @@ ../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix + ../../2configs/lass/fastpoke-pages.nix { networking.interfaces.enp2s1.ip4 = [ { 
diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix new file mode 100644 index 0000000..2fd9a86 --- /dev/null +++ b/2configs/lass/fastpoke-pages.nix @@ -0,0 +1,103 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ + ../../3modules/tv/nginx.nix + ../../3modules/lass/iptables.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + #createStaticPage = domain: + # { + # irc.nginx.servers."${domain}" = { + # server-names = [ + # "${domain}" + # "www.${domain}" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/${domain}; + # '') + # ]; + # }; + # networking.extraHosts = '' + # 10.243.206.102 ${domain} + # ''; + # }; + + #map createStaticPage [ + # "habsys.de" + # "pixelpocket.de" + # "karlaskop.de" + # "ubikmedia.de" + # "apanowicz.de" + # "aidsballs.de" + #]; + + tv.nginx = { + enable = true; + servers = { + + "habsys.de" = { + server-names = [ + "habsys.de" + "www.habsys.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/habsys.de; + '') + ]; + }; + + "karlaskop.de" = { + server-names = [ + "karlaskop.de" + "www.karlaskop.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/karlaskop.de; + '') + ]; + }; + + "pixelpocket.de" = { + server-names = [ + "pixelpocket.de" + "www.karlaskop.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/karlaskop.de; + '') + ]; + }; + + }; + }; + + networking.extraHosts = '' + 10.243.206.102 habsys.de karlaskop.de pixelpocket.de ubikmedia.de apanowicz.de + 10.243.206.102 aidsballs.de + ''; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} -- cgit v1.3.1 From 4864ecc2aa04d4a200ff65dd7c775fb4fb4582af Mon Sep 17 00:00:00 2001 
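Review bot: The `"pixelpocket.de"` server block is a copy of the karlaskop one with only the attribute name changed: its `server-names` still contain `"www.karlaskop.de"` (now claimed by two vhosts) and its root is `/var/lib/http/karlaskop.de`, so pixelpocket.de serves karlaskop content; change those to `"www.pixelpocket.de"` and `root /var/lib/http/pixelpocket.de;`. ubikmedia.de, apanowicz.de and aidsballs.de are listed in `networking.extraHosts` but get no server block, so requests for them land on whatever nginx treats as its default server — presumably the first one defined. The iptables rule opens http on every interface, which matches the public-site intent, but a short comment above `lass.iptables` saying so makes the exception auditable.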
From: lassulus Date: Thu, 23 Jul 2015 13:14:32 +0200 Subject: 1 lass.cloudkrebs: add identity --- 1systems/lass/cloudkrebs.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 8b3e415..57b1910 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,6 +7,10 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix + ../../2configs/lass/identity.nix + { + tv.identity.self = config.tv.identity.hosts.cloudkrebs; + } { networking.interfaces.enp2s1.ip4 = [ { -- cgit v1.3.1 From 42deb3899c73a09c7b8ba1cc589e95d4fa60c73e Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 13:15:38 +0200 Subject: 3 tv.identity: add cloudkrebs domains --- 3modules/tv/identity.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix index 584b271..9a83908 100644 --- a/3modules/tv/identity.nix +++ b/3modules/tv/identity.nix @@ -55,6 +55,12 @@ let retiolum = "hosts"; de.viljetic = "regfish"; de.krebsco = "ovh"; + de.habsys = "hosts"; + de.pixelpocket = "hosts"; + de.karlaskop = "hosts"; + de.ubikmedia = "hosts"; + de.apanowicz = "hosts"; + de.aidsballs = "hosts"; }; # splitByProvider : [alias] -> set providername [alias] -- cgit v1.3.1 From 977b84a5cfd26248d6fa6cba255c94053347668c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 13:16:30 +0200 Subject: 2 lass.identity: add with cloudkrebs --- 2configs/lass/identity.nix | 48 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 2configs/lass/identity.nix diff --git a/2configs/lass/identity.nix b/2configs/lass/identity.nix new file mode 100644 index 0000000..bfaad14 --- /dev/null +++ b/2configs/lass/identity.nix 
@@ -0,0 +1,48 @@ +{ config, ... }: + +{ + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} -- cgit v1.3.1 From 09031485dcea56d5207f7c668c5cec6830a588d5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 24 Jul 2015 14:00:28 +0200 Subject: 2 lass.fastpoke-pages: use functions for static --- 2configs/lass/fastpoke-pages.nix | 121 ++++++++++++++++++++------------------- 1 file changed, 61 insertions(+), 60 deletions(-) diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix index 2fd9a86..4db4847 100644 --- a/2configs/lass/fastpoke-pages.nix +++ b/2configs/lass/fastpoke-pages.nix 
@@ -1,10 +1,37 @@ { config, lib, pkgs, ... }: with lib; -{ + +let + createStaticPage = domain: + { + tv.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { imports = [ ../../3modules/tv/nginx.nix ../../3modules/lass/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" ]; lass.iptables = { 
@@ -15,72 +42,46 @@ with lib; }; }; - #createStaticPage = domain: - # { - # irc.nginx.servers."${domain}" = { - # server-names = [ - # "${domain}" - # "www.${domain}" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/${domain}; - # '') - # ]; - # }; - # networking.extraHosts = '' - # 10.243.206.102 ${domain} - # ''; - # }; - - #map createStaticPage [ - # "habsys.de" - # "pixelpocket.de" - # "karlaskop.de" - # "ubikmedia.de" - # "apanowicz.de" - # "aidsballs.de" - #]; tv.nginx = { enable = true; servers = { - "habsys.de" = { - server-names = [ - "habsys.de" - "www.habsys.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/habsys.de; - '') - ]; - }; + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; - "karlaskop.de" = { - server-names = [ - "karlaskop.de" - "www.karlaskop.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/karlaskop.de; - '') - ]; - }; + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; - "pixelpocket.de" = { - server-names = [ - "pixelpocket.de" - "www.karlaskop.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/karlaskop.de; - '') - ]; - }; + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; }; }; -- cgit v1.3.1 From 834c1b855a6ac002ba495ae638770ec51f870c2b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:54:29 +0200 Subject: 1 lass: get identity from krebs --- 1systems/lass/cloudkrebs.nix | 12 ++---------- 1systems/lass/mors.nix | 9 +++------ 1systems/lass/uriel.nix | 9 +++------ 3 files changed, 8 insertions(+), 22 deletions(-) 
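Review bot: The three per-domain server blocks are kept as comments after `createStaticPage` replaced them, so `tv.nginx.servers` is now an empty set wrapped around roughly forty lines of dead text; delete the commented blocks (and the `#networking.extraHosts` remnant in the first hunk of this commit) since git keeps the history, as the firewall comment was deleted in an earlier commit on this page. A one-line comment on the helper in the first hunk, e.g. `# createStaticPage : domain -> module serving /var/lib/http/<domain> for <domain> and www.<domain>`, documents what the `map createStaticPage [ ... ]` in `imports` relies on.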
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 57b1910..ba32ae5 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,10 +7,6 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix - ../../2configs/lass/identity.nix - { - tv.identity.self = config.tv.identity.hosts.cloudkrebs; - } { networking.interfaces.enp2s1.ip4 = [ { @@ -24,14 +20,10 @@ ]; } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.cloudkrebs; networking.hostName = "cloudkrebs"; } diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 3007380..882cb9f 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -20,14 +20,11 @@ ../../2configs/lass/git-repos.nix ../../2configs/tv/synaptics.nix ../../2configs/lass/retiolum.nix - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.mors; + networking.hostName = "mors"; networking.wireless.enable = true; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index a6f5a82..d8858b4 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -12,12 +12,6 @@ with builtins; ../../2configs/lass/git-repos.nix ../../2configs/lass/chromium-patched.nix ../../2configs/lass/retiolum.nix - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } { users.extraUsers = { root = { @@ -29,7 +23,10 @@ with builtins; } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.uriel; networking.hostName = "uriel"; + networking.wireless.enable = true; nix.maxJobs = 2; -- cgit v1.3.1 From 2dab7034acbe74f09ec2df0ceec61255308a7488 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 27 Jul 2015 13:55:16 +0200 Subject: 2 lass.fastpoke-pages: tv.nginx -> krebs.nginx --- 2configs/lass/fastpoke-pages.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix index 4db4847..3d6fcf2 100644 --- a/2configs/lass/fastpoke-pages.nix +++ b/2configs/lass/fastpoke-pages.nix @@ -5,7 +5,7 @@ with lib; let createStaticPage = domain: { - tv.nginx.servers."${domain}" = { + krebs.nginx.servers."${domain}" = { server-names = [ "${domain}" "www.${domain}" @@ -23,7 +23,6 @@ let in { imports = [ - ../../3modules/tv/nginx.nix ../../3modules/lass/iptables.nix ] ++ map createStaticPage [ "habsys.de" @@ -43,7 +42,7 @@ in { }; - tv.nginx = { + krebs.nginx = { enable = true; servers = { -- cgit v1.3.1 From 0274aa54df9f38f3f13e311e76c896fd0b16231c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:56:46 +0200 Subject: 2 lass.retiolum: tv.retiolum -> krebs.retiolum --- 2configs/lass/retiolum.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix index d1389ad..767a1ce 100644 --- a/2configs/lass/retiolum.nix +++ b/2configs/lass/retiolum.nix @@ -3,7 +3,6 @@ { imports = [ ../../3modules/lass/iptables.nix - ../../3modules/tv/retiolum.nix ../../2configs/tv/exim-retiolum.nix ]; @@ -17,7 +16,7 @@ }; }; - tv.retiolum = { + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ -- cgit v1.3.1 From 7748e373162b3b802a56507dd86796e779cc3dd7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:57:46 +0200 Subject: 1 lass: use new-repos.nix --- 1systems/lass/cloudkrebs.nix | 1 + 1systems/lass/mors.nix | 2 +- 1systems/lass/uriel.nix | 2 +- 2configs/lass/new-repos.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 2configs/lass/new-repos.nix 
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index ba32ae5..2c755d8 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,6 +7,7 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix + ../../2configs/lass/new-repos.nix { networking.interfaces.enp2s1.ip4 = [ { diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 882cb9f..ee2184a 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -17,7 +17,7 @@ ../../2configs/lass/binary-caches.nix ../../2configs/lass/ircd.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/tv/synaptics.nix ../../2configs/lass/retiolum.nix ]; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index d8858b4..4fe8cf2 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -9,7 +9,7 @@ with builtins; ../../2configs/lass/pass.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/lass/chromium-patched.nix ../../2configs/lass/retiolum.nix { diff --git a/2configs/lass/new-repos.nix b/2configs/lass/new-repos.nix new file mode 100644 index 0000000..2c73f95 --- /dev/null +++ b/2configs/lass/new-repos.nix 
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../4lib/tv { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out -- cgit v1.3.1 From eefd319a49fd03cdd06c32a17f617f26a0ef3a38 Mon Sep 17 00:00:00 2001 
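Review bot: The collaborators rule in `make-rules` can never fire: `rules` is built from `attrValues repos`, and `repos` has already had `collaborators` stripped by `removeAttrs`, so `repo.collaborators or []` is always empty and `tv`/`makefu` get no fetch access to `brain` on secure hosts. Keep an unstripped view for rule generation: `all-repos = public-repos // optionalAttrs config.krebs.build.host.secure restricted-repos;`, `repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;`, `rules = concatMap make-rules (attrValues all-repos);` — and if `krebs.git` needs the `repo` values inside rules to match the stripped set, apply `removeAttrs repo ["collaborators"]` inside `make-rules`. This failure is fail-closed (nobody gains access), so it is a functional defect rather than an exposure. Separately, `with git // config.krebs.users;` lets a user whose name collides with one of the git permission helpers (`fetch`, `push`, `create`, ...) shadow it; referencing users explicitly (`config.krebs.users.lass`) avoids that class of surprise, and whether `uriel` exists as a user — it appears only as a host elsewhere on this page — is not visible here.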
From: lassulus Date: Mon, 27 Jul 2015 13:59:00 +0200 Subject: 3 krebs: add lass's hosts domain --- 3modules/krebs/default.nix | 91 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 33c1088..5251f97 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -66,6 +66,11 @@ let retiolum = "hosts"; de.viljetic = "regfish"; de.krebsco = "ovh"; + de.habsys = "hosts"; + de.pixelpocket = "hosts"; + de.karlaskop = "hosts"; + de.ubikmedia = "hosts"; + de.apanowicz = "hosts"; }; # splitByProvider : [alias] -> listset providername alias 
@@ -93,6 +98,92 @@ let lass-imp = { hosts = addNames { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + uriel = { + cores = 1; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.81.176"]; + addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; + aliases = [ + "uriel.retiolum" + "cgit.uriel.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR + duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb + MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME + m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx + uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo + u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mors = { + cores = 2; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.2"]; + addrs6 = ["42:0:0:0:0:0:0:dea7"]; + aliases = [ + "mors.retiolum" + "cgit.mors.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE + 
H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R + +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ + 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa + 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU + O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; users = addNames { lass = { -- cgit v1.3.1 From 79d90aa53fe1e360b146748f82e9e092029473af Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:59:22 +0200 Subject: 1 lass.mors: open tcp 8000 --- 1systems/lass/mors.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index ee2184a..e854dd5 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -186,4 +186,12 @@ services.mongodb = { enable = true; }; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } + ]; + }; + }; } -- cgit v1.3.1 From 30643ec9a11125e65013de8b7da1ad20634e9332 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:59:47 +0200 Subject: 2 lass.fastpoke-pages: dont write /etc/hosts --- 2configs/lass/fastpoke-pages.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix index 3d6fcf2..74e92cc 100644 --- a/2configs/lass/fastpoke-pages.nix +++ b/2configs/lass/fastpoke-pages.nix @@ -30,7 +30,6 @@ in { "karlaskop.de" "ubikmedia.de" "apanowicz.de" - "aidsballs.de" ]; lass.iptables = { @@ -85,11 +84,6 @@ in { }; }; - networking.extraHosts = '' - 10.243.206.102 habsys.de karlaskop.de pixelpocket.de ubikmedia.de apanowicz.de - 10.243.206.102 aidsballs.de - ''; - #services.postgresql = { # enable = true; #}; -- cgit v1.3.1 From 87b491245a9b8a2e6091e5bf21a3b51da1e908e1 Mon Sep 17 00:00:00 2001 
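Review bot: `secure = true;` appears only on `mors`, and nothing in the hunk says what it gates; the first hunk on this page uses `config.krebs.build.host.secure` to decide whether `restricted-repos` (including `brain`) are served at all, so `cloudkrebs` and `uriel` silently never get them. A comment on that line, e.g. `secure = true; # may carry restricted repos and secrets; keep unset for cloud/laptop hosts`, would document the trust boundary; if the attribute has no default in `types.host`, `uriel` and `cloudkrebs` should set it explicitly. The leftover `#dc = "cac";` on cloudkrebs is dead text next to `dc = "lass";` and should either go or be turned into a note on what `dc` means. The enclosing `lass-imp` binding continues outside the hunk.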
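Review bot: The new rule `{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }` accepts port 8000 on every interface, and nothing says which service listens there; the other iptables rules in this repository scope such ACCEPTs with an interface (e.g. the deleted git-repos `-i retiolum -p tcp --dport 80`). If the port is only meant to be reachable over the VPN, `{ predicate = "-i retiolum -p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }` narrows it; either way a comment naming the service belongs above the rule. The same port is also present in mors' `networking.firewall.allowedTCPPorts` (visible in the later deletion of this file), so one of the two declarations appears redundant. The enclosing module attrset starts outside the hunk.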
From: lassulus Date: Mon, 27 Jul 2015 14:00:37 +0200 Subject: 2 lass.git-repos: delete --- 2configs/lass/git-repos.nix | 140 -------------------------------------------- 1 file changed, 140 deletions(-) delete mode 100644 2configs/lass/git-repos.nix diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix deleted file mode 100644 index b4f446a..0000000 --- a/2configs/lass/git-repos.nix +++ /dev/null 
@@ -1,140 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - - x-repos = [ - (krebs-private "brain") - - (public "painload") - (public "shitment") - (public "wai-middleware-time") - (public "web-routes-wai-custom") - - (secret "pass") - - (tv-lass "emse-drywall") - (tv-lass "emse-hsdb") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - - rules = concatMap ({ rules, ... }: rules) x-repos; - - krebs-private = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - secret = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo 
]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - tv-lass = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ../../3modules/lass/iptables.nix - ]; - - tv.git = { - enable = true; - inherit repos rules users; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; - -} -- cgit v1.3.1 From 3f1b07fe4a5fbbe20aaae3d13713889292bdc0ea Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 14:01:00 +0200 Subject: 3 lass: init default.nix --- 3modules/lass/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 3modules/lass/default.nix diff --git a/3modules/lass/default.nix b/3modules/lass/default.nix new file mode 100644 index 0000000..d4e231e --- /dev/null +++ b/3modules/lass/default.nix @@ -0,0 +1,8 @@ +_: + +{ + imports = [ + ./xresources.nix + ./iptables.nix + ]; +} -- cgit v1.3.1 From 36566b511d6cca0e17013bcbdfb05885117b375a Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 17:03:20 +0200 Subject: lass: move krebs config to base --- 1systems/lass/mors.nix | 1 - 2configs/lass/base.nix | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index e854dd5..8cda1ea 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -22,7 +22,6 @@ ../../2configs/lass/retiolum.nix ]; - krebs.enable = true; krebs.build.host = config.krebs.hosts.mors; networking.hostName = "mors"; diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 494cafa..8d4a9c8 100644 --- a/2configs/lass/base.nix 
+++ b/2configs/lass/base.nix @@ -36,6 +36,11 @@ with lib; } ]; + krebs = { + enable = true; + search-domain = "retiolum"; + }; + nix.useChroot = true; users.mutableUsers = false; -- cgit v1.3.1 From 7673c84204bd5bae0426b79c62e95dfccf846756 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 27 Jul 2015 16:26:50 +0200 Subject: krebs.build.script: update system profile --- 3modules/krebs/default.nix | 100 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 5251f97..c71b70a 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix 
@@ -22,6 +22,106 @@ let build = mkOption { type = types.submodule { options = { + target = mkOption { + type = with types; nullOr str; + default = null; + }; + deps = mkOption { + type = with types; attrsOf (submodule { + options = { + url = mkOption { + type = str; + }; + rev = mkOption { + type = nullOr str; + default = null; + }; + }; + }); + default = {}; + }; + script = mkOption { + type = types.str; + default = '' + #! /bin/sh + set -efux + + target=${escapeShellArg cfg.build.target} + + push(){( + src=$1/ + dst=$target:$2 + rsync \ + --exclude .git \ + --exclude .graveyard \ + --exclude old \ + --rsync-path="mkdir -p \"$dst\" && rsync" \ + --usermap=\*:0 \ + --groupmap=\*:0 \ + --delete-excluded \ + -vrLptgoD \ + "$src" "$dst" + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... }: + optionalString (rev == null) '' + push ${toString (map escapeShellArg [ + "${url}" + "/root/src/${name}" + ])} + '') config.deps)} + + exec ssh -S none "$target" /bin/sh <<\EOF + set -efux + fetch(){( + url=$1 + rev=$2 + dst=$3 + mkdir -p "$dst" + cd "$dst" + if ! test -e .git; then + git init + fi + if ! cur_url=$(git config remote.origin.url 2>/dev/null); then + git remote add origin "$url" + elif test "$cur_url" != "$url"; then + git remote set-url origin "$url" + fi + if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then + git fetch origin + git checkout "$rev" -- . + git checkout -q "$rev" + git submodule init + git submodule update + fi + git clean -dxf + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... }: + optionalString (rev != null) '' + fetch ${toString (map escapeShellArg [ + url + rev + "/root/src/${name}" + ])} + '') config.deps)} + + echo build system... 
+ profile=/nix/var/nix/profiles/system + NIX_PATH=/root/src \ + nix-env \ + -Q \ + -p "$profile" \ + -f '' \ + --set \ + -A system \ + --argstr user-name ${escapeShellArg cfg.build.user.name} \ + --argstr system-name ${escapeShellArg cfg.build.host.name} + + exec "$profile"/bin/switch-to-configuration switch + EOF + ''; + }; host = mkOption { type = types.host; }; -- cgit v1.3.1 From aa3a158c25d436643144b24d47a10e2e6d0660eb Mon Sep 17 00:00:00 2001 
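Review bot: In `push`, the remote command `--rsync-path="mkdir -p \"$dst\" && rsync"` expands `$dst`, which is `$target:$2` (host:path), so the directory pre-created on the target appears to be a relative path containing the host prefix rather than `$2`; rsync creates the final component itself, which is why this likely goes unnoticed. `--rsync-path="mkdir -p \"$2\" && rsync"` is what the line seems to intend. The new `target`, `deps` and `script` options have no `description`, and the `fetch` path decides whether to update by comparing `git rev-parse --verify HEAD` against `$rev`, which only makes sense when `rev` is a commit id; suggest `description = "commit id to check out on the target; null means push the working tree with rsync instead";` on `rev` and a matching one on `url`. The options set this hunk extends continues outside the hunk.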
From: lassulus Date: Tue, 28 Jul 2015 20:28:21 +0200 Subject: lass: port everything to stockholm --- 1systems/lass/cloudkrebs.nix | 30 ------ 1systems/lass/mors.nix | 196 ------------------------------------- 1systems/lass/uriel.nix | 166 ------------------------------- 2configs/lass/base.nix | 143 --------------------------- 2configs/lass/binary-caches.nix | 13 --- 2configs/lass/bird.nix | 13 --- 2configs/lass/bitcoin.nix | 17 ---- 2configs/lass/browsers.nix | 67 ------------- 2configs/lass/chromium-patched.nix | 48 --------- 2configs/lass/desktop-base.nix | 63 ------------ 2configs/lass/elster.nix | 20 ---- 2configs/lass/fastpoke-pages.nix | 97 ------------------ 2configs/lass/games.nix | 25 ----- 2configs/lass/gitolite-base.nix | 173 -------------------------------- 2configs/lass/identity.nix | 48 --------- 2configs/lass/ircd.nix | 92 ----------------- 2configs/lass/mors/repos.nix | 87 ---------------- 2configs/lass/mors/retiolum.nix | 21 ---- 2configs/lass/new-repos.nix | 77 --------------- 2configs/lass/pass.nix | 10 -- 2configs/lass/programs.nix | 24 ----- 2configs/lass/retiolum.nix | 28 ------ 2configs/lass/sshkeys.nix | 11 --- 2configs/lass/steam.nix | 30 ------ 2configs/lass/texlive.nix | 7 -- 2configs/lass/urxvt.nix | 40 -------- 2configs/lass/vim.nix | 118 ---------------------- 2configs/lass/virtualbox.nix | 22 ----- 2configs/lass/wine.nix | 23 ----- 3modules/lass/default.nix | 8 -- 3modules/lass/iptables.nix | 187 ----------------------------------- 3modules/lass/sshkeys.nix | 26 ----- 3modules/lass/urxvtd.nix | 55 ----------- 3modules/lass/xresources.nix | 57 ----------- 34 files changed, 2042 deletions(-) delete mode 100644 1systems/lass/cloudkrebs.nix delete mode 100644 1systems/lass/mors.nix delete mode 100644 1systems/lass/uriel.nix delete mode 100644 2configs/lass/base.nix delete mode 100644 2configs/lass/binary-caches.nix delete mode 100644 2configs/lass/bird.nix delete mode 100644 2configs/lass/bitcoin.nix delete mode 100644 
2configs/lass/browsers.nix delete mode 100644 2configs/lass/chromium-patched.nix delete mode 100644 2configs/lass/desktop-base.nix delete mode 100644 2configs/lass/elster.nix delete mode 100644 2configs/lass/fastpoke-pages.nix delete mode 100644 2configs/lass/games.nix delete mode 100644 2configs/lass/gitolite-base.nix delete mode 100644 2configs/lass/identity.nix delete mode 100644 2configs/lass/ircd.nix delete mode 100644 2configs/lass/mors/repos.nix delete mode 100644 2configs/lass/mors/retiolum.nix delete mode 100644 2configs/lass/new-repos.nix delete mode 100644 2configs/lass/pass.nix delete mode 100644 2configs/lass/programs.nix delete mode 100644 2configs/lass/retiolum.nix delete mode 100644 2configs/lass/sshkeys.nix delete mode 100644 2configs/lass/steam.nix delete mode 100644 2configs/lass/texlive.nix delete mode 100644 2configs/lass/urxvt.nix delete mode 100644 2configs/lass/vim.nix delete mode 100644 2configs/lass/virtualbox.nix delete mode 100644 2configs/lass/wine.nix delete mode 100644 3modules/lass/default.nix delete mode 100644 3modules/lass/iptables.nix delete mode 100644 3modules/lass/sshkeys.nix delete mode 100644 3modules/lass/urxvtd.nix delete mode 100644 3modules/lass/xresources.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix deleted file mode 100644 index 2c755d8..0000000 --- a/1systems/lass/cloudkrebs.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/tv/CAC-Developer-2.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/lass/base.nix - ../../2configs/lass/retiolum.nix - ../../2configs/lass/fastpoke-pages.nix - ../../2configs/lass/new-repos.nix - { - networking.interfaces.enp2s1.ip4 = [ - { - address = "104.167.113.104"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.167.113.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - } - ]; - - krebs.enable = true; - krebs.build.host = config.krebs.hosts.cloudkrebs; - networking.hostName = "cloudkrebs"; - -} diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix deleted file mode 100644 index 8cda1ea..0000000 --- a/1systems/lass/mors.nix +++ /dev/null 
@@ -1,196 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/programs.nix - ../../2configs/lass/bitcoin.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/virtualbox.nix - ../../2configs/lass/elster.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/steam.nix - ../../2configs/lass/wine.nix - ../../2configs/lass/texlive.nix - ../../2configs/lass/binary-caches.nix - ../../2configs/lass/ircd.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/new-repos.nix - ../../2configs/tv/synaptics.nix - ../../2configs/lass/retiolum.nix - ]; - - krebs.build.host = config.krebs.hosts.mors; - - networking.hostName = "mors"; - networking.wireless.enable = true; - - networking.extraHosts = '' - ''; - - nix.maxJobs = 4; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/big/nix"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - - "/mnt/loot" = { - device = "/dev/big/loot"; - fsType = "ext4"; - }; - - "/home" = { - device = "/dev/big/home"; - fsType = "ext4"; - }; - - "/home/lass" = { - device = "/dev/big/home-lass"; - fsType = "ext4"; - }; - - "/mnt/backups" = { - device = "/dev/big/backups"; - fsType = "ext4"; - }; - - "/home/games/.local/share/Steam" = { - device = "/dev/big/steam"; - fsType = "ext4"; - }; - - "/home/virtual/virtual" = { - device = "/dev/big/virtual"; - fsType = "ext4"; - }; - - "/mnt/public" = { - device = "/dev/big/public"; - 
fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Enable Audio codec power management - echo '1' > '/sys/module/snd_hda_intel/parameters/power_save' - #VM writeback timeout - echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs' - #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] - echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' - #Autosuspend for USB device Biometric Coprocessor - echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' - - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' - ''; - - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 
0; - emulateWheel = true; - }; - - #system.activationScripts.trackpoint = '' - # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' - # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' - #''; - - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #TODO: fix this shit - ##fprint stuff - ##sudo fprintd-enroll $USER to save fingerprints - #services.fprintd.enable = true; - #security.pam.services.sudo.fprintAuth = true; - - users.extraGroups = { - loot = { - members = [ - config.users.extraUsers.mainUser.name - "firefox" - "chromium" - "google" - "virtual" - ]; - }; - }; - - networking.firewall = { - allowPing = true; - allowedTCPPorts = [ - 8000 - ]; - allowedUDPPorts = [ - 67 - ]; - }; - - services.mongodb = { - enable = true; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } - ]; - }; - }; -} diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix deleted file mode 100644 index 4fe8cf2..0000000 --- a/1systems/lass/uriel.nix +++ /dev/null 
@@ -1,166 +0,0 @@ -{ config, pkgs, ... }: - -with builtins; -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/bird.nix - ../../2configs/lass/new-repos.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/retiolum.nix - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/uriel.ssh.pub - ]; - }; - }; - } - ]; - - krebs.enable = true; - krebs.build.host = config.krebs.hosts.uriel; - networking.hostName = "uriel"; - - networking.wireless.enable = true; - nix.maxJobs = 2; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.gummiboot.enable = true; - loader.gummiboot.timeout = 5; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - extraModprobeConfig = '' - ''; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - #services.xserver = { - #}; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #for google hangout - - users.extraUsers.google.extraGroups = [ "audio" 
"video" ]; - - - #users.extraGroups = { - # loot = { - # members = [ - # "lass" - # "firefox" - # "chromium" - # "google" - # ]; - # }; - #}; - # - # iptables - # - #networking.firewall.enable = false; - #system.activationScripts.iptables = - # let - # log = false; - # when = c: f: if c then f else ""; - # in - # '' - # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - # ipXtables() { ip4tables "$@"; ip6tables "$@"; } - - # # - # # nat - # # - - # # reset tables - # ipXtables -t nat -F - # ipXtables -t nat -X - - # # - # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # # - # # filter - # # - - # # reset tables - # ipXtables -P INPUT DROP - # ipXtables -P FORWARD DROP - # ipXtables -F - # ipXtables -X - - # # create custom chains - # ipXtables -N Retiolum - - # # INPUT - # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # ipXtables -A INPUT -j ACCEPT -i lo - # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - # ipXtables -A INPUT -j Retiolum -i retiolum - # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # # FORWARD - # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # # Retiolum - # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - # ip4tables -A 
Retiolum -j REJECT --reject-with icmp-proto-unreachable - # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - # ip6tables -A Retiolum -j REJECT - - # ''; -} diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix deleted file mode 100644 index 8d4a9c8..0000000 --- a/2configs/lass/base.nix +++ /dev/null 
@@ -1,143 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - imports = [ - ../../3modules/lass/iptables.nix - ../../2configs/lass/vim.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import /root/src/secrets/hashedPasswords.nix); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "audio" - "wheel" - ]; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - }; - } - ]; - - krebs = { - enable = true; - search-domain = "retiolum"; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - PAGER=most - ''; - - environment.systemPackages = with pkgs; [ - nmap - - git - most - rxvt_unicode.terminfo - - #network - iptables - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - security.setuidPrograms = [ - "sendmail" - ]; - - #services.gitolite = { - # enable = true; - # dataDir = 
"/home/gitolite"; - # adminPubkey = config.sshKeys.lass.pub; - #}; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - lass.iptables = { - enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - ]; - }; - }; - -} diff --git a/2configs/lass/binary-caches.nix b/2configs/lass/binary-caches.nix deleted file mode 100644 index c272752..0000000 --- a/2configs/lass/binary-caches.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - nix.sshServe.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" - ]; - nix.binaryCaches = [ - #"scp://nix-ssh@mors" - #"scp://nix-ssh@uriel" - ]; -} diff --git a/2configs/lass/bird.nix b/2configs/lass/bird.nix deleted file mode 100644 index 3fc265c..0000000 --- a/2configs/lass/bird.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - config.services.bird = { - enable = true; - config = '' - router id 192.168.122.1; - protocol device { - scan time 10; - } - ''; - }; -} diff --git a/2configs/lass/bitcoin.nix b/2configs/lass/bitcoin.nix deleted file mode 100644 index d3bccbf..0000000 --- a/2configs/lass/bitcoin.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - electrum - ]; - - users.extraUsers = { - bitcoin = { - name = "bitcoin"; - description = "user for bitcoin stuff"; - home = "/home/bitcoin"; - useDefaultShell = true; - createHome = true; - }; - }; -} diff --git a/2configs/lass/browsers.nix b/2configs/lass/browsers.nix deleted file mode 100644 index 8aecea9..0000000 --- a/2configs/lass/browsers.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - - nixpkgs.config.packageOverrides = pkgs : { - chromium = pkgs.chromium.override { - pulseSupport = true; - }; - }; - - environment.systemPackages = with pkgs; [ - firefox - ]; - - users.extraUsers = { - firefox = { - name = "firefox"; - description = "user for running firefox"; - home = "/home/firefox"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - chromium = { - name = "chromium"; - description = "user for running chromium"; - home = "/home/chromium"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - facebook = { - name = "facebook"; - description = "user for running facebook in chromium"; - home = "/home/facebook"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - google = { - name = "google"; - description = "user for running google+/gmail in chromium"; - home = "/home/google"; - useDefaultShell = true; - createHome = true; - }; - flash = { - name = "flash"; - description = "user for running flash stuff"; - home = "/home/flash"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - }; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(firefox) NOPASSWD: ALL - ${mainUser.name} ALL=(chromium) NOPASSWD: ALL - ${mainUser.name} ALL=(facebook) NOPASSWD: ALL - ${mainUser.name} ALL=(google) NOPASSWD: ALL - ${mainUser.name} ALL=(flash) NOPASSWD: ALL - ''; -} 
diff --git a/2configs/lass/chromium-patched.nix b/2configs/lass/chromium-patched.nix deleted file mode 100644 index 7151817..0000000 --- a/2configs/lass/chromium-patched.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -#settings to test: -# - #"ForceEphemeralProfiles": true, -let - masterPolicy = pkgs.writeText "master.json" '' - { - "PasswordManagerEnabled": false, - "DefaultGeolocationSetting": 2, - "RestoreOnStartup": 1, - "AutoFillEnabled": false, - "BackgroundModeEnabled": false, - "DefaultBrowserSettingEnabled": false, - "SafeBrowsingEnabled": false, - "ExtensionInstallForcelist": [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", - "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" - ] - } - ''; - - master_preferences = pkgs.writeText "master_preferences" '' - { - "browser": { - "custom_chrome_frame": true - }, - - "extensions": { - "theme": { - "id": "", - "use_system": true - } - } - } - ''; -in { - environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; - - environment.systemPackages = [ - #pkgs.chromium - (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { - buildCommand = attrs.buildCommand + '' - touch $out/TEST123 - ''; - })) - ]; -} diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix deleted file mode 100644 index 9b98e4a..0000000 --- a/2configs/lass/desktop-base.nix +++ /dev/null 
@@ -1,63 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-in {
- imports = [
- ./base.nix
- ];
-
- time.timeZone = "Europe/Berlin";
-
- virtualisation.libvirtd.enable = true;
-
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
- };
-
- programs.ssh.startAgent = false;
-
- security.setuidPrograms = [ "slock" ];
-
- services.printing = {
- enable = true;
- drivers = [ pkgs.foomatic_filters ];
- };
-
- environment.systemPackages = with pkgs; [
-
- powertop
-
- #window manager stuff
- haskellPackages.xmobar
- haskellPackages.yeganesh
- dmenu2
- xlibs.fontschumachermisc
- ];
-
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
- ];
-
- services.xserver = {
- enable = true;
-
- windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
- X11-xshape
- ];
- windowManager.xmonad.enable = true;
- windowManager.xmonad.enableContribAndExtras = true;
- windowManager.default = "xmonad";
- desktopManager.default = "none";
- desktopManager.xterm.enable = false;
- displayManager.slim.enable = true;
- displayManager.auto.enable = true;
- displayManager.auto.user = mainUser.name;
-
- layout = "us";
- xkbModel = "evdev";
- xkbVariant = "altgr-intl";
- };
-
-}
diff --git a/2configs/lass/elster.nix b/2configs/lass/elster.nix
deleted file mode 100644
index 1edd018..0000000
--- a/2configs/lass/elster.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
- users.extraUsers = {
- elster = {
- name = "elster";
- description = "user for running elster-online";
- home = "/home/elster";
- useDefaultShell = true;
- extraGroups = [];
- createHome = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(elster) NOPASSWD: ALL
- '';
-}
diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix
deleted file mode 100644
index 74e92cc..0000000
--- a/2configs/lass/fastpoke-pages.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- createStaticPage = domain:
- {
- krebs.nginx.servers."${domain}" = {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- locations = [
- (nameValuePair "/" ''
- root /var/lib/http/${domain};
- '')
- ];
- };
- #networking.extraHosts = ''
- # 10.243.206.102 ${domain}
- #'';
- };
-
-in {
- imports = [
- ../../3modules/lass/iptables.nix
- ] ++ map createStaticPage [
- "habsys.de"
- "pixelpocket.de"
- "karlaskop.de"
- "ubikmedia.de"
- "apanowicz.de"
- ];
-
- lass.iptables = {
- tables = {
- filter.INPUT.rules = [
- { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
- ];
- };
- };
-
-
- krebs.nginx = {
- enable = true;
- servers = {
-
- #"habsys.de" = {
- # server-names = [
- # "habsys.de"
- # "www.habsys.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/habsys.de;
- # '')
- # ];
- #};
-
- #"karlaskop.de" = {
- # server-names = [
- # "karlaskop.de"
- # "www.karlaskop.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/karlaskop.de;
- # '')
- # ];
- #};
-
- #"pixelpocket.de" = {
- # server-names = [
- # "pixelpocket.de"
- # "www.karlaskop.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/karlaskop.de;
- # '')
- # ];
- #};
-
- };
- };
-
- #services.postgresql = {
- # enable = true;
- #};
-
- #config.services.vsftpd = {
- # enable = true;
- # userlistEnable = true;
- # userlistFile = pkgs.writeFile "vsftpd-userlist" ''
- # '';
- #};
-}
diff --git a/2configs/lass/games.nix b/2configs/lass/games.nix
deleted file mode 100644
index 6043a87..0000000
--- a/2configs/lass/games.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
- environment.systemPackages = with pkgs; [
- dwarf_fortress
- ];
-
- users.extraUsers = {
- games = {
- name = "games";
- description = "user playing games";
- home = "/home/games";
- extraGroups = [ "audio" "video" "input" ];
- createHome = true;
- useDefaultShell = true;
- };
- };
-
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(games) NOPASSWD: ALL
- '';
-}
diff --git a/2configs/lass/gitolite-base.nix b/2configs/lass/gitolite-base.nix
deleted file mode 100644
index b476299..0000000
--- a/2configs/lass/gitolite-base.nix
+++ /dev/null
@@ -1,173 +0,0 @@ -{ config, ... }: - -{ - services.gitolite = { - mutable = false; - keys = { - lass = config.sshKeys.lass.pub; - uriel = config.sshKeys.uriel.pub; - }; - rc = '' - %RC = ( - UMASK => 0077, - GIT_CONFIG_KEYS => "", - LOG_EXTRA => 1, - ROLES => { - READERS => 1, - WRITERS => 1, - }, - LOCAL_CODE => "$ENV{HOME}/.gitolite", - ENABLE => [ - 'help', - 'desc', - 'info', - 'perms', - 'writable', - 'ssh-authkeys', - 'git-config', - 'daemon', - 'gitweb', - 'repo-specific-hooks', - ], - ); - 1; - ''; - - repoSpecificHooks = { - irc-announce = '' - #! /bin/sh - set -euf - - config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" - if test -f "$config_file"; then - . "$config_file" - fi - - # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update - # any relevant gitolite LOCAL_CODE! - # CAVEAT we hope that IRC_NICK is unique - IRC_NICK="''${IRC_NICK-gl$GL_TID}" - IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" - IRC_SERVER="''${IRC_SERVER-ire.retiolum}" - IRC_PORT="''${IRC_PORT-6667}" - - # for privmsg_cat below - export IRC_CHANNEL - - # collect users that are mentioned in the gitolite configuration - interested_users="$(perl -e ' - do "gl-conf"; - print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); - ')" - - # CAVEAT beware of real TABs in grep pattern! - # CAVEAT there will never be more than 42 relevant log entries! 
- tab=$(printf '\x09') - log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" - - update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" - - # (debug output) - env | sed 's/^/env: /' - echo "$log" | sed 's/^/log: /' - - # see http://gitolite.com/gitolite/dev-notes.html#lff - reponame=$(echo "$update_log" | cut -f 4) - username=$(echo "$update_log" | cut -f 5) - ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') - old_sha=$(echo "$update_log" | cut -f 8) - new_sha=$(echo "$update_log" | cut -f 9) - - # check if new branch is created - if test $old_sha = 0000000000000000000000000000000000000000; then - # TODO what should we really show? - old_sha=$new_sha^ - fi - - # - git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" - commit_count=$(echo "$git_log" | wc -l) - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. (debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - # - # - # - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - echo "$interested_users" \ - | tr ' ' '\n' \ - | grep -v "^$GL_USER" \ - | sed 's/$/: poke/' \ - | privmsg_cat \ - | cat2 - - printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ - "$reponame" \ - "$username" \ - "$commit_count" \ - "$(test $commit_count 
= 1 || echo s)" \ - "$(hostname)" \ - "$ref_name" \ - | privmsg_cat \ - | cat2 - - echo "$git_log" \ - | sed 's/^/\x0314/;s/ /\x03 /' \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - }; - customFiles = [ - { - path = ".gitolite/conf/irc-announce.conf"; - file = '' - IRC_NICK="$(hostname)$GL_TID" - case "$GL_REPO" in - brain|painload|services|load-env|config) - IRC_CHANNEL='#retiolum' - ;; - *) - IRC_CHANNEL='&testing' - ;; - esac - ''; - } - ]; - }; -} diff --git a/2configs/lass/identity.nix b/2configs/lass/identity.nix deleted file mode 100644 index bfaad14..0000000 --- a/2configs/lass/identity.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, ... }: - -{ - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - search = "retiolum"; - hosts = { - cloudkrebs = { - cores = 1; - dc = "lass"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["104.167.113.104"]; - aliases = [ - "cloudkrebs.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.206.102"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; - aliases = [ - "cloudkrebs.retiolum" - "cgit.cloudkrebs.retiolum" - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - "aidsballs.de" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA - OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF - QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v - 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC - sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO - TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - }; - }; -} 
diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix
deleted file mode 100644
index f71b769..0000000
--- a/2configs/lass/ircd.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- config.services.charybdis = {
- enable = true;
- config = ''
- serverinfo {
- name = "ire.irc.retiolum";
- sid = "4z3";
- description = "miep!";
- network_name = "irc.retiolum";
- network_desc = "Retiolum IRC Network";
- hub = yes;
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 10000;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- sslport = 9999;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 200;
- number_per_ip = 200;
- number_per_ip_global = 500;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 9000;
- max_number = 10000;
- sendq = 400 kbytes;
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = exceed_limit;
- };
-
- channel {
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 15;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
- general {
- #maybe we want ident someday?
- disable_auth = yes;
- };
- '';
- };
-}
diff --git a/2configs/lass/mors/repos.nix b/2configs/lass/mors/repos.nix
deleted file mode 100644
index 1f7f334..0000000
--- a/2configs/lass/mors/repos.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ../lass/gitolite-base.nix
- ../common/krebs-keys.nix
- ../common/krebs-repos.nix
- ];
-
- services.gitolite = {
- repos = {
-
- config = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- pass = {
- users = {
- lass = "RW+";
- uriel = "R";
- };
- };
-
- load-env = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- emse-drywall = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- emse-hsdb = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- brain = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- #hooks.post-receive = irc-announce;
- };
-
- painload = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- services = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- xmonad-config = {
- users = {
- lass = "RW+";
- uriel = "R";
- };
- };
-
- };
- };
-}
diff --git a/2configs/lass/mors/retiolum.nix b/2configs/lass/mors/retiolum.nix
deleted file mode 100644
index 1148bee..0000000
--- a/2configs/lass/mors/retiolum.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum
- ];
-
- tv.retiolum = {
- enable = true;
- hosts = ;
- privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/2configs/lass/new-repos.nix b/2configs/lass/new-repos.nix
deleted file mode 100644
index 2c73f95..0000000
--- a/2configs/lass/new-repos.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ../../4lib/tv { inherit lib pkgs; };
-let
-
- out = {
- krebs.git = {
- enable = true;
- root-title = "public repositories at ${config.krebs.build.host.name}";
- root-desc = "keep calm and engage";
- inherit repos rules;
- };
- };
-
- repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
- public-repos //
- optionalAttrs config.krebs.build.host.secure restricted-repos
- );
-
- rules = concatMap make-rules (attrValues repos);
-
- public-repos = mapAttrs make-public-repo {
- painload = {};
- stockholm = {
- desc = "take all the computers hostage, they'll love you!";
- };
- wai-middleware-time = {};
- web-routes-wai-custom = {};
- };
-
- restricted-repos = mapAttrs make-restricted-repo (
- {
- brain = {
- collaborators = with config.krebs.users; [ tv makefu ];
- };
- } //
- import /root/src/secrets/repos.nix { inherit config lib pkgs; }
- );
-
- make-public-repo = name: { desc ? null, ... }: {
- inherit name desc;
- public = true;
- hooks = {
- post-receive = git.irc-announce {
- # TODO make nick = config.krebs.build.host.name the default
- nick = config.krebs.build.host.name;
- channel = "#retiolum";
- server = "cd.retiolum";
- };
- };
- };
-
- make-restricted-repo = name: { desc ? null, ... }: {
- inherit name desc;
- public = false;
- };
-
- make-rules =
- with git // config.krebs.users;
- repo:
- singleton {
- user = lass;
- repo = [ repo ];
- perm = push "refs/*" [ non-fast-forward create delete merge ];
- } ++
- optional repo.public {
- user = [ tv makefu uriel ];
- repo = [ repo ];
- perm = fetch;
- } ++
- optional (length (repo.collaborators or []) > 0) {
- user = repo.collaborators;
- repo = [ repo ];
- perm = fetch;
- };
-
-in out
diff --git a/2configs/lass/pass.nix b/2configs/lass/pass.nix
deleted file mode 100644
index 33eca0a..0000000
--- a/2configs/lass/pass.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- pass
- gnupg1
- ];
-
- services.xserver.startGnuPGAgent = true;
-}
diff --git a/2configs/lass/programs.nix b/2configs/lass/programs.nix
deleted file mode 100644
index 41d241b..0000000
--- a/2configs/lass/programs.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, pkgs, ... }:
-
-## TODO sort and split up
-{
- environment.systemPackages = with pkgs; [
- aria2
- gnupg1compat
- htop
- i3lock
- mc
- mosh
- mpv
- pass
- pavucontrol
- pv
- pwgen
- python34Packages.livestreamer
- remmina
- silver-searcher
- wget
- xsel
- youtube-dl
- ];
-}
diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix
deleted file mode 100644
index 767a1ce..0000000
--- a/2configs/lass/retiolum.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ../../3modules/lass/iptables.nix
- ../../2configs/tv/exim-retiolum.nix
- ];
-
- lass.iptables = {
- tables = {
- filter.INPUT.rules = [
- { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
- { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
- ];
- };
- };
-
- krebs.retiolum = {
- enable = true;
- hosts = ../../Zhosts;
- connectTo = [
- "fastpoke"
- "cloudkrebs"
- "pigstarter"
- ];
- };
-}
diff --git a/2configs/lass/sshkeys.nix b/2configs/lass/sshkeys.nix
deleted file mode 100644
index 114a259..0000000
--- a/2configs/lass/sshkeys.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, ... }:
-
-{
- imports = [
- ../../3modules/lass/sshkeys.nix
- ];
-
- config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
-
- config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel";
-}
diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix
deleted file mode 100644
index 7d088fc..0000000
--- a/2configs/lass/steam.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-
- imports = [
- ./games.nix
- ];
- #
- # Steam stuff
- # source: https://nixos.org/wiki/Talk:Steam
- #
- ##TODO: make steam module
- hardware.opengl.driSupport32Bit = true;
-
- nixpkgs.config.steam.java = true;
- environment.systemPackages = with pkgs; [
- steam
- ];
- networking.firewall = {
- allowedUDPPorts = [
- 27031
- 27036
- ];
- allowedTCPPorts = [
- 27036
- 27037
- ];
- };
-
-}
diff --git a/2configs/lass/texlive.nix b/2configs/lass/texlive.nix
deleted file mode 100644
index 295df31..0000000
--- a/2configs/lass/texlive.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; })
- ];
-}
diff --git a/2configs/lass/urxvt.nix b/2configs/lass/urxvt.nix
deleted file mode 100644
index a2074ba..0000000
--- a/2configs/lass/urxvt.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- inherit (config.users.extraUsers) mainUser;
-
-in
-
-{
- imports = [
- ../../3modules/lass/urxvtd.nix
- ../../3modules/lass/xresources.nix
- ];
-
- services.urxvtd = {
- enable = true;
- users = [ mainUser.name ];
- urxvtPackage = pkgs.rxvt_unicode_with-plugins;
- };
- services.xresources.enable = true;
- services.xresources.resources.urxvt = ''
- URxvt*scrollBar: false
- URxvt*urgentOnBell: true
- URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
- URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
- URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
- URxvt.url-select.launcher: browser-select
- URxvt.url-select.underline: true
- URxvt.keysym.M-u: perl:url-select:select_next
- URxvt.keysym.M-Escape: perl:keyboard-select:activate
- URxvt.keysym.M-s: perl:keyboard-select:search
-
- URxvt.intensityStyles: false
-
- URxvt*background: #000000
- URxvt*foreground: #ffffff
-
- !change unreadable blue
- URxvt*color4: #268bd2
- '';
-}
diff --git a/2configs/lass/vim.nix b/2configs/lass/vim.nix
deleted file mode 100644
index 3fe45e1..0000000
--- a/2configs/lass/vim.nix
+++ /dev/null
@@ -1,118 +0,0 @@ -{ config, pkgs, ... }: - -let - customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { - name = "Mustang2"; - src = pkgs.fetchFromGitHub { - owner = "croaker"; - repo = "mustang-vim"; - rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; - sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; - }; - }; - -in { - - environment.systemPackages = [ - (pkgs.vim_configurable.customize { - name = "vim"; - - vimrcConfig.customRC = '' - set nocompatible - set t_Co=16 - syntax on - " TODO autoload colorscheme file - set background=dark - colorscheme mustang - filetype off - filetype plugin indent on - - imap - - set mouse=a - set ruler - set showmatch - set backspace=2 - set visualbell - set encoding=utf8 - set showcmd - set wildmenu - - set title - set titleold= - set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} - - set autoindent - - set ttyfast - - set pastetoggle= - - - " Force Saving Files that Require Root Permission - command! W silent w !sudo tee "%" >/dev/null - - nnoremap :q - vnoremap < >gv - - nmap q :buffer - - "Tabwidth - set ts=2 sts=2 sw=2 et - - " create Backup/tmp/undo dirs - function! InitBackupDir() - let l:parent = $HOME . '/.vim/' - let l:backup = l:parent . 'backups/' - let l:tmpdir = l:parent . 'tmp/' - let l:undodi = l:parent . 
'undo/' - - if !isdirectory(l:parent) - call mkdir(l:parent) - endif - if !isdirectory(l:backup) - call mkdir(l:backup) - endif - if !isdirectory(l:tmpdir) - call mkdir(l:tmpdir) - endif - if !isdirectory(l:undodi) - call mkdir(l:undodi) - endif - endfunction - call InitBackupDir() - - " Backups & Files - set backup - set backupdir=~/.vim/backups - set directory=~/.vim/tmp// - set viminfo='20,<1000,s100,h,n~/.vim/tmp/info - set undodir=$HOME/.vim/undo - set undofile - - " highlight whitespaces - highlight ExtraWhitespace ctermbg=red guibg=red - match ExtraWhitespace /\s\+$/ - autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ - autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@ iptablesAttrSet` -> str - #todo: differentiate by iptables-version - buildTables = v: ts: - let - - declareChain = t: cn: - #TODO: find out what to do whit these count numbers - ":${cn} ${t."${cn}".policy} [0:0]"; - - buildChain = tn: cn: - let - sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; - - in - #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules - ) - else - "" - ; - - - buildRule = tn: cn: rule: - #target validation test: - assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. 
- "${rule.predicate} -j ${rule.target}"; - - buildTable = tn: - "*${tn}\n" + - concatStringsSep "\n" ([] - ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") - ) + - #this looks dirty, find a better way to do this (maybe optionalString) - concatStringsSep "" ([] - ++ map (buildChain tn) (attrNames ts."${tn}") - ) + - "\nCOMMIT"; - in - concatStringsSep "\n" ([] - ++ map buildTable (attrNames ts) - ); - -#===== - - rules4 = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - writeText "lass-iptables-rules${toString iptables-version}" '' - ${buildTables iptables-version tables} - ''; - - startScript = writeScript "lass-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} - ''; - -in -out - diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix deleted file mode 100644 index 5f1c606..0000000 --- a/3modules/lass/sshkeys.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, ... }: - -with lib; - -{ - options = { - sshKeys = mkOption { - type = types.attrsOf (types.submodule ( - { config, ... }: - { - options = { - pub = mkOption { - type = types.str; - description = "Public part of the ssh key."; - }; - - priv = mkOption { - type = types.str; - description = "Private part of the ssh key."; - }; - }; - })); - description = "collection of ssh-keys"; - }; - }; -} 
diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix
deleted file mode 100644
index 469616a..0000000
--- a/3modules/lass/urxvtd.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-in
-
-with builtins;
-with lib;
-
-{
- options = {
- services.urxvtd = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable urxvtd per user";
- };
- users = mkOption {
- type = types.listOf types.string;
- default = [];
- description = "users to run urxvtd for";
- };
- urxvtPackage = mkOption {
- type = types.package;
- default = pkgs.rxvt_unicode;
- description = "urxvt package to use";
- };
- };
- };
-
- config =
- let
- cfg = config.services.urxvtd;
- users = cfg.users;
- urxvt = cfg.urxvtPackage;
- mkService = user: {
- description = "urxvt terminal daemon";
- wantedBy = [ "multi-user.target" ];
- restartIfChanged = false;
- path = [ pkgs.xlibs.xrdb ];
- environment = {
- DISPLAY = ":0";
- URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
- };
- serviceConfig = {
- Restart = "always";
- User = user;
- ExecStart = "${urxvt}/bin/urxvtd";
- };
- };
- in
- mkIf cfg.enable {
- environment.systemPackages = [ urxvt ];
- systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
- };
-}
diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix
deleted file mode 100644
index 15c5b8b..0000000
--- a/3modules/lass/xresources.nix
+++ /dev/null
@@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: -#prefix with Attribute Name -#ex: urxvt - -# -# -with builtins; -with lib; - - -let - - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; - inherit (pkgs) writeScript; - -in - -{ - - options = { - services.xresources.enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the automatic loading of Xresources definitions at display-manager start; - ''; - }; - - services.xresources.resources = mkOption { - default = {}; - type = types.attrsOf types.str; - example = { - urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - ''; - }; - description = '' - Xresources definitions. - ''; - }; - }; - - config = - let - cfg = config.services.xresources; - xres = concatStringsSep "\n" (attrValues cfg.resources); - - in mkIf cfg.enable { - services.xserver.displayManager.sessionCommands = '' - echo ${shell-escape xres} | xrdb -merge - ''; - }; - -} -- cgit v1.3.1 From 1922e43bcc16e110c03c638099a9279e1d2c89a1 Mon Sep 17 00:00:00 2001 
From: tv Date: Tue, 28 Jul 2015 21:38:22 +0200 Subject: */krebs -> krebs/* --- 3modules/krebs/default.nix | 407 ----------------------------- 3modules/krebs/git.nix | 490 ----------------------------------- 3modules/krebs/github-hosts-sync.nix | 83 ------ 3modules/krebs/nginx.nix | 72 ----- 3modules/krebs/retiolum.nix | 226 ---------------- 3modules/krebs/urlwatch.nix | 138 ---------- 4lib/krebs/default.nix | 18 -- 4lib/krebs/dns.nix | 31 --- 4lib/krebs/listset.nix | 11 - 4lib/krebs/tree.nix | 13 - 4lib/krebs/types.nix | 109 -------- Zpkgs/krebs/default.nix | 14 - Zpkgs/krebs/dic.nix | 36 --- Zpkgs/krebs/genid.nix | 22 -- Zpkgs/krebs/github-hosts-sync.nix | 40 --- Zpkgs/krebs/github-known_hosts.nix | 13 - Zpkgs/krebs/hashPassword.nix | 16 -- tv/4lib/default.nix | 2 +- tv/5pkgs/default.nix | 4 +- 19 files changed, 3 insertions(+), 1742 deletions(-) delete mode 100644 3modules/krebs/default.nix delete mode 100644 3modules/krebs/git.nix delete mode 100644 3modules/krebs/github-hosts-sync.nix delete mode 100644 3modules/krebs/nginx.nix delete mode 100644 3modules/krebs/retiolum.nix delete mode 100644 3modules/krebs/urlwatch.nix delete mode 100644 4lib/krebs/default.nix delete mode 100644 4lib/krebs/dns.nix delete mode 100644 4lib/krebs/listset.nix delete mode 100644 4lib/krebs/tree.nix delete mode 100644 4lib/krebs/types.nix delete mode 100644 Zpkgs/krebs/default.nix delete mode 100644 Zpkgs/krebs/dic.nix delete mode 100644 Zpkgs/krebs/genid.nix delete mode 100644 Zpkgs/krebs/github-hosts-sync.nix delete mode 100644 Zpkgs/krebs/github-known_hosts.nix delete mode 100644 Zpkgs/krebs/hashPassword.nix diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix deleted file mode 100644 index 9e25df0..0000000 --- a/3modules/krebs/default.nix +++ /dev/null 
@@ -1,407 +0,0 @@ -{ config, lib, ... }: - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs; - - out = { - imports = [ - ./github-hosts-sync.nix - ./git.nix - ./nginx.nix - ./retiolum.nix - ./urlwatch.nix - ]; - options.krebs = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs"; - - build = mkOption { - type = types.submodule ({ config, ... }: { - options = { - target = mkOption { - type = with types; nullOr str; - default = null; - }; - deps = mkOption { - type = with types; attrsOf (submodule { - options = { - url = mkOption { - type = str; - }; - rev = mkOption { - type = nullOr str; - default = null; - }; - }; - }); - default = {}; - }; - script = mkOption { - type = types.str; - default = '' - #! /bin/sh - set -efux - - target=${escapeShellArg cfg.build.target} - - push(){( - src=$1/ - dst=$target:$2 - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --rsync-path="mkdir -p \"$dst\" && rsync" \ - --usermap=\*:0 \ - --groupmap=\*:0 \ - --delete-excluded \ - -vrLptgoD \ - "$src" "$dst" - )} - - ${concatStrings (mapAttrsToList (name: { url, rev, ... }: - optionalString (rev == null) '' - push ${toString (map escapeShellArg [ - "${url}" - "/root/src/${name}" - ])} - '') config.deps)} - - exec ssh -S none "$target" /bin/sh <<\EOF - set -efux - fetch(){( - url=$1 - rev=$2 - dst=$3 - mkdir -p "$dst" - cd "$dst" - if ! test -e .git; then - git init - fi - if ! cur_url=$(git config remote.origin.url 2>/dev/null); then - git remote add origin "$url" - elif test "$cur_url" != "$url"; then - git remote set-url origin "$url" - fi - if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then - git fetch origin - git checkout "$rev" -- . - git checkout -q "$rev" - git submodule init - git submodule update - fi - git clean -dxf - )} - - ${concatStrings (mapAttrsToList (name: { url, rev, ... 
}: - optionalString (rev != null) '' - fetch ${toString (map escapeShellArg [ - url - rev - "/root/src/${name}" - ])} - '') config.deps)} - - echo build system... - profile=/nix/var/nix/profiles/system - NIX_PATH=/root/src \ - nix-env \ - -Q \ - -p "$profile" \ - -f '' \ - --set \ - -A system \ - --argstr user-name ${escapeShellArg cfg.build.user.name} \ - --argstr system-name ${escapeShellArg cfg.build.host.name} - - exec "$profile"/bin/switch-to-configuration switch - EOF - ''; - }; - host = mkOption { - type = types.host; - }; - user = mkOption { - type = types.user; - }; - }; - }); - # Define defaul value, so unset values of the submodule get reported. - default = {}; - }; - - dns = { - providers = mkOption { - # TODO with types; tree dns.label dns.provider, so we can merge. - # Currently providers can only be merged if aliases occur just once. - type = with types; attrsOf unspecified; - }; - }; - - hosts = mkOption { - type = with types; attrsOf host; - }; - - users = mkOption { - type = with types; attrsOf user; - }; - - # XXX is there a better place to define search-domain? 
- # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = "retiolum"; - }; - }; - - imp = mkMerge [ - { krebs = lass-imp; } - { krebs = makefu-imp; } - { krebs = tv-imp; } - { - krebs.dns.providers = { - de.krebsco = "ovh"; - internet = "hosts"; - retiolum = "hosts"; - }; - - # XXX This overlaps with krebs.retiolum - networking.extraHosts = concatStringsSep "\n" (flatten ( - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - providers = dns.split-by-provider net.aliases cfg.dns.providers; - longs = providers.hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) cfg.hosts - )); - } - ]; - - lass-imp = { - hosts = addNames { - }; - users = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; - }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; - }; - }; - }; - - makefu-imp = { - hosts = addNames { - pnp = { - cores = 1; - dc = "makefu"; #vm on 'omo' - nets = { - retiolum = { - addrs4 = ["10.243.0.210"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; - aliases = [ - "pnp.retiolum" - "cgit.pnp.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g - Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V - pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR - SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T - TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr - Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - }; - users = addNames { - makefu = { - mail = "root@euer.krebsco.de"; - pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; - }; - }; - }; - - tv-imp = { - dns.providers = { - de.viljetic = "regfish"; - }; - hosts = addNames { - cd = { - cores = 2; - 
dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - 
''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - 
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; - users = addNames { - mv = { - mail = "mv@cd.retiolum"; - pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; - }; - tv = { - mail = "tv@wu.retiolum"; - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; - }; - }; - }; - -in -out diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix deleted file mode 100644 index 6046451..0000000 --- a/3modules/krebs/git.nix +++ /dev/null 
@@ -1,490 +0,0 @@ -{ config, pkgs, lib, ... }: - -# TODO unify logging of shell scripts to user and journal -# TODO move all scripts to ${etcDir}, so ControlMaster connections -# immediately pick up new authenticators -# TODO when authorized_keys changes, then restart ssh -# (or kill already connected users somehow) - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs.git; - - out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; - options.krebs.git = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.cgit cgit-imp) - git-imp - ]); - }; - - api = { - enable = mkEnableOption "krebs.git"; - - cgit = mkOption { - type = types.bool; - default = true; - description = '' - Enable cgit. - Cgit is an attempt to create a fast web interface for the git version - control system, using a built in cache to decrease pressure on the - git server. - cgit in this module is being served via fastcgi nginx.This module - deploys a http://cgit. nginx configuration and enables nginx - if not yet enabled. - ''; - }; - dataDir = mkOption { - type = types.str; - default = "/var/lib/git"; - description = "Directory used to store repositories."; - }; - etcDir = mkOption { - type = types.str; - default = "/etc/git"; - }; - repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { - type = types.str; - description = '' - Repository name. - ''; - }; - hooks = mkOption { - type = types.attrsOf types.str; - default = {}; - description = '' - Repository-specific hooks. - ''; - }; - public = mkOption { - type = types.bool; - default = false; - description = '' - Allow everybody to read the repository via HTTP if cgit enabled. 
- ''; - # TODO allow every configured user to fetch the repository via SSH. - }; - }; - })); - - default = {}; - - example = literalExample '' - { - testing = { - name = "testing"; - hooks.post-update = ''' - #! /bin/sh - set -euf - echo post-update hook: $* >&2 - '''; - }; - testing2 = { name = "testing2"; }; - } - ''; - - description = '' - Repositories. - ''; - }; - root-desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed below the heading on the repository index page. - Default value: "a fast webinterface for the git dscm". - ''; - }; - root-title = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed as heading on the repository index page. - Default value: "Git Repository Browser". - ''; - }; - rules = mkOption { - type = types.unspecified; - }; - }; - - git-imp = { - system.activationScripts.git-init = "${init-script}"; - - # TODO maybe put all scripts here and then use PATH? - environment.etc."${etc-base}".source = - scriptFarm "git-ssh-authorizers" { - authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (map getName perm.allow-commands) - ]) cfg.rules); - - authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (ensureList perm.allow-receive-ref) - (map getName perm.allow-receive-modes) - ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); - }; - - users.extraUsers = singleton { - description = "Git repository hosting user"; - name = "git"; - shell = "/bin/sh"; - openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - config.krebs.users; - uid = 129318403; # genid git - }; - }; - - cgit-imp = { - users.extraUsers = lib.singleton { - inherit (fcgitwrap-user) group name uid; - home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); - }; - - 
users.extraGroups = lib.singleton { - inherit (fcgitwrap-group) gid name; - }; - - services.fcgiwrap = { - enable = true; - user = fcgitwrap-user.name; - group = fcgitwrap-user.group; - # socketAddress = "/run/fcgiwrap.sock" (default) - # socketType = "unix" (default) - }; - - environment.etc."cgitrc".text = '' - css=/static/cgit.css - logo=/static/cgit.png - - # if you do not want that webcrawler (like google) index your site - robots=noindex, nofollow - - virtual-root=/ - - # TODO make this nicer (and/or somewhere else) - cache-root=/tmp/cgit - - cache-size=1000 - enable-commit-graph=1 - enable-index-links=1 - enable-index-owner=0 - enable-log-filecount=1 - enable-log-linecount=1 - enable-remote-branches=1 - - ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} - ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} - - snapshots=0 - max-stats=year - - ${concatMapStringsSep "\n" (repo: '' - repo.url=${repo.name} - repo.path=${cfg.dataDir}/${repo.name} - ${optionalString (repo.section != null) "repo.section=${repo.section}"} - ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} - '') (filter isPublicRepo (attrValues cfg.repos))} - ''; - - system.activationScripts.cgit = '' - mkdir -m 0700 -p /tmp/cgit - chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit - ''; - - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; - }; - }; - - fcgitwrap-user = { - name = 
"fcgiwrap"; - uid = 2867890860; # genid fcgiwrap - group = "fcgiwrap"; - }; - - fcgitwrap-group = { - name = fcgitwrap-user.name; - gid = fcgitwrap-user.uid; - }; - - - ensureList = x: - if typeOf x == "list" then x else [x]; - - getName = x: x.name; - - isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: - # TODO assert name - # TODO assert pubkey - let - options = concatStringsSep "," [ - ''command="exec ${git-ssh-command} ${name}"'' - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - in - "${options} ${pubkey}"; - - # [case-pattern] -> shell-script - # Create a shell script that succeeds (exit 0) when all its arguments - # match the case patterns (in the given order). - makeAuthorizeScript = - let - # TODO escape - to-pattern = x: concatStringsSep "|" (ensureList x); - go = i: ps: - if ps == [] - then "exit 0" - else '' - case ''$${toString i} in ${to-pattern (head ps)}) - ${go (i + 1) (tail ps)} - esac''; - in - patterns: '' - #! /bin/sh - set -euf - ${concatStringsSep "\n" (map (go 1) patterns)} - exit -1 - ''; - - reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); - - # TODO makeGitHooks that uses runCommand instead of scriptFarm? - scriptFarm = - farm-name: scripts: - let - makeScript = script-name: script-string: { - name = script-name; - path = pkgs.writeScript "${farm-name}_${script-name}" script-string; - }; - in - pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); - - - git-ssh-command = pkgs.writeScript "git-ssh-command" '' - #! 
/bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnugrep - gnused - systemd - ])} - - abort() { - echo "error: $1" >&2 - systemd-cat -p err -t git echo "error: $1" - exit -1 - } - - GIT_SSH_USER=$1 - - systemd-cat -p info -t git echo \ - "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" - - # References: The Base Definitions volume of - # POSIX.1‐2013, Section 3.278, Portable Filename Character Set - portable_filename_bre="^[A-Za-z0-9._-]\\+$" - - command=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read command') - - GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read reponame') - - ${cfg.etcDir}/authorize-command \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ - || abort 'access denied' - - repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO - - systemd-cat -p info -t git \ - echo "authorized exec $command $repodir" - - export GIT_SSH_USER - export GIT_SSH_REPO - exec "$command" "$repodir" - ''; - - init-script = pkgs.writeScript "git-init" '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - gawk - git - gnugrep - gnused - ])} - - dataDir=${escapeShellArg cfg.dataDir} - mkdir -p "$dataDir" - - # Notice how the presence of hooks symlinks determine whether - # we manage a repositry or not. - - # Make sure that no existing repository has hooks. We can delete - # symlinks because we assume we created them. - find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete - bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) - if echo "$bad_hooks" | grep -q .; then - printf 'error: unknown hooks:\n%s\n' \ - "$(echo "$bad_hooks" | sed 's/^/ /')" \ - >&2 - exit -1 - fi - - # Initialize repositories. 
- ${concatMapStringsSep "\n" (repo: - let - hooks = scriptFarm "git-hooks" (makeHooks repo); - in - '' - reponame=${escapeShellArg repo.name} - repodir=$dataDir/$reponame - mode=${toString (if isPublicRepo repo then 0711 else 0700)} - if ! test -d "$repodir"; then - mkdir -m "$mode" "$repodir" - git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" - fi - ln -s ${hooks} "$repodir/hooks" - '' - ) (attrValues cfg.repos)} - - # Warn about repositories that exist but aren't mentioned in the - # current configuration (and thus didn't receive a hooks symlink). - unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ - -type d \! -exec test -e '{}/hooks' \; -print) - if echo "$unknown_repos" | grep -q .; then - printf 'warning: stale repositories:\n%s\n' \ - "$(echo "$unknown_repos" | sed 's/^/ /')" \ - >&2 - fi - ''; - - makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { - pre-receive = '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils # env - git - systemd - ])} - - accept() { - #systemd-cat -p info -t git echo "authorized $1" - accept_string="''${accept_string+$accept_string - }authorized $1" - } - reject() { - #systemd-cat -p err -t git echo "denied $1" - #echo 'access denied' >&2 - #exit_code=-1 - reject_string="''${reject_string+$reject_string - }access denied: $1" - } - - empty=0000000000000000000000000000000000000000 - - accept_string= - reject_string= - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - if ${cfg.etcDir}/authorize-push \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then - accept "$receive_mode $ref" - else - reject "$receive_mode $ref" - fi - done - - if [ -n "$reject_string" ]; then - systemd-cat -p err -t git echo 
"$reject_string" - exit -1 - fi - - systemd-cat -p info -t git echo "$accept_string" - - ${optionalString (hasAttr "post-receive" repo.hooks) '' - # custom post-receive hook - ${repo.hooks.post-receive}''} - ''; - }; - - etc-base = - assert (hasPrefix "/etc/" cfg.etcDir); - removePrefix "/etc/" cfg.etcDir; - -in -out diff --git a/3modules/krebs/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix deleted file mode 100644 index c3b56ef..0000000 --- a/3modules/krebs/github-hosts-sync.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.github-hosts-sync; - - out = { - options.krebs.github-hosts-sync = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; - dataDir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/github-hosts-sync"; - }; - ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} - default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; - }; - }; - - imp = { - systemd.services.github-hosts-sync = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - port = toString cfg.port; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "github-hosts-sync"; - User = user.name; - Restart = "always"; - ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' - #! /bin/sh - set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ - ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts - ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = cfg.dataDir; - }; - }; - - user = { - name = "github-hosts-sync"; - uid = 3220554646; # genid github-hosts-sync - }; - - Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; -in -out 
diff --git a/3modules/krebs/nginx.nix b/3modules/krebs/nginx.nix deleted file mode 100644 index 702e8a7..0000000 --- a/3modules/krebs/nginx.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - servers = mkOption { - type = with types; attrsOf optionSet; - options = singleton { - server-names = mkOption { - type = with types; listOf str; - # TODO use identity - default = [ - "${config.networking.hostName}" - "${config.networking.hostName}.retiolum" - ]; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - }; - }; - default = {}; - }; - }; - - imp = { - services.nginx = { - enable = true; - httpConfig = '' - include ${pkgs.nginx}/conf/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - server { - listen 80 default_server; - server_name _; - return 404; - } - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - - indent = replaceChars ["\n"] ["\n "]; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, locations, ... }: '' - server { - listen 80; - server_name ${toString server-names}; - ${indent (concatStrings (map to-location locations))} - } - ''; - -in -out diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix deleted file mode 100644 index 481d656..0000000 --- a/3modules/krebs/retiolum.nix +++ /dev/null 
@@ -1,226 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.retiolum; - - out = { - options.krebs.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.retiolum"; - - name = mkOption { - type = types.str; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; - }; - - generateEtcHosts = mkOption { - type = types.str; - default = "both"; - description = '' - If set to short, long, or both, - then generate entries in /etc/hosts from subnets. - ''; - }; - - network = mkOption { - type = types.str; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - type = with types; either package path; - default = ../../Zhosts; - description = '' - If a path is given, then it will be used to generate an ad-hoc package. - ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... 
- type = types.str; - default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = '' - Generate file with tincd -K. - This file must exist on the local system. The default points to - . - ''; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "gum" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. - ''; - }; - - }; - - imp = { - environment.systemPackages = [ tinc hosts iproute ]; - - networking.extraHosts = retiolumExtraHosts; - - systemd.services.retiolum = { - description = "Tinc daemon for Retiolum"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; - SyslogIdentifier = "retiolum"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "retiolum"; - uid = 301281149; # genid retiolum - }; - - tinc = cfg.tincPackage; - - hosts = getAttr (typeOf cfg.hosts) { - package = cfg.hosts; - path = pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . 
-name .git -prune -o -type f -print0 \ - | xargs -0 cp --target-directory $out - ''; - }; - }; - - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up < changes 2>&1 || : - - if test -s changes; then - date=$(date -R) - subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ - | tr \\n \ ) - { - echo "Date: $date" - echo "From: $from" - echo "Subject: $subject" - echo "To: $mailto" - echo - cat changes - } | /var/setuid-wrappers/sendmail -t - fi - ''; - }; - }; - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "urlwatch"; - uid = 3467631196; # genid urlwatch - }; -in -out diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix deleted file mode 100644 index b675853..0000000 --- a/4lib/krebs/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -builtins // lib // rec { - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - types = import ./types.nix { inherit lib; }; - - dns = import ./dns.nix { inherit lib; }; - listset = import ./listset.nix { inherit lib; }; - tree = import ./tree.nix { inherit lib; }; -} 
diff --git a/4lib/krebs/dns.nix b/4lib/krebs/dns.nix deleted file mode 100644 index b2cf3c2..0000000 --- a/4lib/krebs/dns.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ lib, ... }: - -let - listset = import ./listset.nix { inherit lib; }; -in - -with builtins; -with lib; - -rec { - # label = string - - # TODO does it make sense to have alias = list label? - - # split-by-provider : - # [[label]] -> tree label provider -> listset provider alias - split-by-provider = as: providers: - foldl (m: a: listset.insert (provider-of a providers) a m) {} as; - - # provider-of : alias -> tree label provider -> provider - # Note that we cannot use tree.get here, because path can be longer - # than the tree depth. - provider-of = a: - let - go = path: tree: - if typeOf tree == "string" - then tree - else go (tail path) tree.${head path}; - in - go (reverseList (splitString "." a)); -} diff --git a/4lib/krebs/listset.nix b/4lib/krebs/listset.nix deleted file mode 100644 index 3aae22f..0000000 --- a/4lib/krebs/listset.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - # listset k v = set k [v] - - # insert : k -> v -> listset k v -> listset k v - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; -} diff --git a/4lib/krebs/tree.nix b/4lib/krebs/tree.nix deleted file mode 100644 index 1cd83b3..0000000 --- a/4lib/krebs/tree.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - # tree k v = set k (either v (tree k v)) - - # get : [k] -> tree k v -> v - get = path: tree: - if length path > 0 - then get (tail path) tree.${head path} # TODO check if elem exists - else tree; -} diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix deleted file mode 100644 index 92410dd..0000000 --- a/4lib/krebs/types.nix +++ /dev/null 
@@ -1,109 +0,0 @@
-{ lib, ... }:
-
-with lib;
-with types;
-
-types // rec {
-
- host = submodule {
- options = {
- name = mkOption {
- type = label;
- };
- dc = mkOption {
- type = label;
- };
- cores = mkOption {
- type = positive;
- };
- nets = mkOption {
- type = attrsOf net;
- apply = x: assert hasAttr "retiolum" x; x;
- };
- secure = mkOption {
- type = bool;
- default = false;
- description = ''
- If true, then the host is capable of keeping secret information.
-
- TODO define minimum requirements for secure hosts
- '';
- };
- };
- };
-
- net = submodule ({ config, ... }: {
- options = {
- via = mkOption {
- type = nullOr net;
- default = null;
- };
- addrs = mkOption {
- type = listOf addr;
- apply = _: config.addrs4 ++ config.addrs6;
- };
- addrs4 = mkOption {
- type = listOf addr4;
- default = [];
- };
- addrs6 = mkOption {
- type = listOf addr6;
- default = [];
- };
- aliases = mkOption {
- # TODO nonEmptyListOf hostname
- type = listOf hostname;
- };
- tinc = mkOption {
- type = let net-config = config; in nullOr (submodule ({ config, ... }: {
- options = {
- config = mkOption {
- type = str;
- apply = _: ''
- ${optionalString (net-config.via != null)
- (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
- ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
- ${config.pubkey}
- '';
- };
- pubkey = mkOption {
- type = str;
- };
- };
- }));
- default = null;
- };
- };
- });
-
- positive = mkOptionType {
- name = "positive integer";
- check = x: isInt x && x > 0;
- merge = mergeOneOption;
- };
-
- user = submodule {
- options = {
- mail = mkOption {
- type = str; # TODO retiolum mail address
- };
- name = mkOption {
- type = str; # TODO
- };
- pubkey = mkOption {
- type = str;
- };
- pubkeys = mkOption {
- type = attrsOf str;
- default = {};
- };
- };
- };
-
- # TODO
- addr = str;
- addr4 = str;
- addr6 = str;
- hostname = str;
- label = str;
-}
diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix
deleted file mode 100644
index 231fda7..0000000
--- a/Zpkgs/krebs/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ pkgs, ... }:
-
-let
- inherit (pkgs) callPackage;
-in
-
-pkgs //
-{
- dic = callPackage ./dic.nix {};
- genid = callPackage ./genid.nix {};
- github-hosts-sync = callPackage ./github-hosts-sync.nix {};
- github-known_hosts = callPackage ./github-known_hosts.nix {};
- hashPassword = callPackage ./hashPassword.nix {};
-}
diff --git a/Zpkgs/krebs/dic.nix b/Zpkgs/krebs/dic.nix
deleted file mode 100644
index 571773d..0000000
--- a/Zpkgs/krebs/dic.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ stdenv, fetchgit, coreutils, curl, gnused, gnugrep, ... }:
-
-stdenv.mkDerivation {
- name = "dic";
-
- src = fetchgit {
- url = https://github.com/krebscode/painload;
- rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3";
- sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35";
- };
-
- phases = [
- "unpackPhase"
- "installPhase"
- ];
-
- installPhase =
- let
- path = stdenv.lib.makeSearchPath "bin" [
- coreutils
- curl
- gnused
- gnugrep
- ];
- in
- ''
- mkdir -p $out/bin
-
- sed \
- 's,^main() {$,&\n PATH=${path}; export PATH,' \
- < ./util/bin/dic \
- > $out/bin/dic
-
- chmod +x $out/bin/dic
- '';
-}
diff --git a/Zpkgs/krebs/genid.nix b/Zpkgs/krebs/genid.nix
deleted file mode 100644
index c75bec3..0000000
--- a/Zpkgs/krebs/genid.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, pkgs, ... }:
-
-pkgs.writeScriptBin "genid" ''
- #! /bin/sh
- # usage: genid NAME
- set -euf
-
- export PATH=${lib.makeSearchPath "bin" (with pkgs; [
- bc
- coreutils
- ])}
-
- name=$1
- hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F)
- echo "
- min=2^24 # bigger than nobody and nogroup, see
- # and some spare for stuff like lxd.
- max=2^32 # see 2^(8*sizeof(uid_t))
- ibase=16
- ($hash + min) % max
- " | bc
-''
diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix
deleted file mode 100644
index d69b2b1..0000000
--- a/Zpkgs/krebs/github-hosts-sync.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ stdenv, fetchgit, pkgs, ... }:
-
-stdenv.mkDerivation {
- name = "github-hosts-sync";
-
- src = fetchgit {
- url = https://github.com/krebscode/painload;
- rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3";
- sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35";
- };
-
- phases = [
- "unpackPhase"
- "installPhase"
- ];
-
- installPhase =
- let
- ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
- path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
- coreutils
- findutils
- git
- gnugrep
- gnused
- openssh
- socat
- ]);
- in
- ''
- mkdir -p $out/bin
-
- sed \
- 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \
- < ./retiolum/scripts/github_hosts_sync/hosts-sync \
- > $out/bin/github-hosts-sync
-
- chmod +x $out/bin/github-hosts-sync
- '';
-}
diff --git a/Zpkgs/krebs/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix
deleted file mode 100644
index 302fdd8..0000000
--- a/Zpkgs/krebs/github-known_hosts.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with builtins;
-with lib;
-
-let
- github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub);
-in
-
-toFile "github-known_hosts"
- (concatMapStrings
- (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
- (range 0 255))
diff --git a/Zpkgs/krebs/hashPassword.nix b/Zpkgs/krebs/hashPassword.nix
deleted file mode 100644
index a10340c..0000000
--- a/Zpkgs/krebs/hashPassword.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ lib, pkgs, ... }:
-
-pkgs.writeScriptBin "hashPassword" ''
- #! /bin/sh
- # usage: hashPassword
- set -euf
-
- export PATH=${lib.makeSearchPath "bin" (with pkgs; [
- coreutils
- mkpasswd
- openssl
- ])}
-
- salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16)
- exec mkpasswd -m sha-512 -S "$salt"
-''
diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix
index e0a295f..352689a 100644
--- a/tv/4lib/default.nix
+++ b/tv/4lib/default.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, ... }:
 let
- krebs = import ../../4lib/krebs { inherit lib; };
+ krebs = import ../../krebs/4lib { inherit lib; };
 in
 with krebs;
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 50625f8..7b5d10a 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -2,10 +2,10 @@
 let
 inherit (pkgs) callPackage;
- krebs = import ../../Zpkgs/krebs { inherit pkgs; };
+ kpkgs = import ../../krebs/5pkgs { inherit pkgs; };
 in
-krebs // {
+kpkgs // {
 charybdis = callPackage ./charybdis {};
 lentil = callPackage ./lentil {};
 much = callPackage ./much.nix {};
-- 
cgit v1.3.1
[cgit] Unable to lock slot /tmp/cgit/cd000000.lock: No such file or directory (2)