diff options
author | tv <tv@krebsco.de> | 2015-07-11 19:44:49 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2015-07-11 19:44:49 +0200 |
commit | 6f9301194a1ddb8beda2aa11b8330a347dfb42cd (patch) | |
tree | 22ddca93839a9cb9efb03fcc807dc12b1b9ea8a8 /1systems | |
parent | 153422f74b1ed5cae37c9424514a9e9d1f79acb4 (diff) | |
parent | 9de9a311a39c563dfb965abeb372cfa00fff7855 (diff) |
Merge branch 'next'
Diffstat (limited to '1systems')
-rw-r--r-- | 1systems/tv/cd.nix | 98 | ||||
-rw-r--r-- | 1systems/tv/mkdir.nix | 76 | ||||
-rw-r--r-- | 1systems/tv/nomic.nix | 111 | ||||
-rw-r--r-- | 1systems/tv/rmdir.nix | 77 | ||||
-rw-r--r-- | 1systems/tv/wu.nix | 388 |
5 files changed, 750 insertions, 0 deletions
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix new file mode 100644 index 0000000..e2ce9bb --- /dev/null +++ b/1systems/tv/cd.nix @@ -0,0 +1,98 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-2.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/ejabberd.nix ]; + tv.ejabberd = { + enable = true; + hosts = [ "jabber.viljetic.de" ]; + }; + } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.cd; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "cd"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.219.7.216"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.219.7.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + users.extraUsers = { + mv = { + uid = 1338; + group = "users"; + home = "/home/mv"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/mv_vod.ssh.pub + ]; + }; + }; +} diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix new file mode 100644 index 0000000..e4e8987 --- /dev/null +++ b/1systems/tv/mkdir.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-1.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.mkdir; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "cd" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "mkdir"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.248.167.241"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.248.167.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix new file mode 100644 index 0000000..1696c50 --- /dev/null +++ b/1systems/tv/nomic.nix @@ -0,0 +1,111 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/AO753.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-retiolum.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.nomic; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + imports = [ ../../3modules/tv/nginx.nix ]; + tv.nginx = { + enable = true; + retiolum-locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha1" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; + } + ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; + fsType = "ext4"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; + fsType = "btrfs"; + }; + + swapDevices = [ ]; + + nix = { + buildCores = 2; + maxJobs = 2; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + # TODO base + boot.tmpOnTmpfs = true; + + environment.systemPackages = with pkgs; [ + (writeScriptBin "play" '' + #! /bin/sh + set -euf + mpv() { exec ${mpv}/bin/mpv "$@"; } + case $1 in + deepmix) mpv http://deepmix.ru/deepmix128.pls;; + groovesalad) mpv http://somafm.com/play/groovesalad;; + ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;; + *) + echo "$0: bad argument: $*" >&2 + exit 23 + esac + '') + rxvt_unicode.terminfo + tmux + ]; + + networking.hostName = "nomic"; +} diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix new file mode 100644 index 0000000..14817c9 --- /dev/null +++ b/1systems/tv/rmdir.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-1.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.rmdir; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "cd" + "mkdir" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "rmdir"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "167.88.44.94"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "167.88.44.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix new file mode 100644 index 0000000..2645b8c --- /dev/null +++ b/1systems/tv/wu.nix @@ -0,0 +1,388 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/w110er.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-client.nix + ../../2configs/tv/exim-retiolum.nix + ../../2configs/tv/git-public.nix + # TODO git-private.nix + ../../2configs/tv/xserver.nix + ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.wu; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + imports = [ ../../3modules/tv/nginx.nix ]; + tv.nginx = { + enable = true; + retiolum-locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + { + imports = [ ../../3modules/tv/urlwatch.nix ]; + tv.urlwatch = { + enable = true; + mailto = "tv@wu.retiolum"; # TODO + onCalendar = "*-*-* 05:00:00"; + urls = [ + ## nixpkgs maintenance + + # 2014-07-29 when one of the following urls change + # then we have to update the package + + # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix + http://simple-evcorr.sourceforge.net/ + + # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix + https://thp.io/2008/urlwatch/ + + # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix + https://api.github.com/repos/ioerror/tlsdate/tags + + # 2015-02-18 + # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix + http://www.fourmilab.ch/webtools/qprint/ + + # 2014-09-24 ref https://github.com/4z3/xintmap + http://www.mathstat.dal.ca/~selinger/quipper/ + + # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3 + # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix + http://nixos.org/releases/nixops/ + + ## other + + https://nixos.org/channels/nixos-unstable/git-revision + + ## 2014-10-17 + ## TODO update ~/src/login/default.nix + #http://hackage.haskell.org/package/bcrypt + #http://hackage.haskell.org/package/cron + #http://hackage.haskell.org/package/hyphenation + #http://hackage.haskell.org/package/iso8601-time + #http://hackage.haskell.org/package/ixset-typed + #http://hackage.haskell.org/package/system-command + #http://hackage.haskell.org/package/transformers + #http://hackage.haskell.org/package/web-routes-wai + #http://hackage.haskell.org/package/web-page + ]; + }; + } + { + users.extraGroups = { + tv-sub.gid = 1337; + }; + + users.extraUsers = + mapAttrs (name: user: user // { + inherit name; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + }) { + ff = { + uid = 13378001; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + cr = { + uid = 13378002; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + vimb = { + uid = 13378003; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + fa = { + uid = 2300001; + group = "tv-sub"; + }; + + rl = { + uid = 2300002; + group = "tv-sub"; + }; + + tief = { + uid = 2300702; + group = "tv-sub"; + }; + + btc-bitcoind = { + uid = 2301001; + group = "tv-sub"; + }; + + btc-electrum = { + uid = 2301002; + group = "tv-sub"; + }; + + ltc-litecoind = { + uid = 2301101; + group = "tv-sub"; + }; + + eth = { + uid = 2302001; + group = "tv-sub"; + }; + + emse-hsdb = { + uid = 4200101; + group = "tv-sub"; + }; + + wine = { + uid = 13370400; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # dwarffortress + df = { + uid = 13370401; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined + FTL = { + uid = 13370402; + #group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + freeciv = { + uid = 13370403; + group = "tv-sub"; + }; + + xr = { + uid = 13370061; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + "23" = { + uid = 13370023; + group = "tv-sub"; + }; + + electrum = { + uid = 13370102; + group = "tv-sub"; + }; + + Reaktor = { + uid = 4230010; + group = "tv-sub"; + }; + + gitolite = { + uid = 7700; + }; + + skype = { + uid = 6660001; + group = "tv-sub"; + extraGroups = [ + "audio" + ]; + }; + + onion = { + uid = 6660010; + group = "tv-sub"; + }; + + zalora = { + uid = 1000301; + group = "tv-sub"; + extraGroups = [ + "audio" + # TODO remove vboxusers when hardening is active + "vboxusers" + "video" + ]; + }; + }; + + security.sudo.extraConfig = + let + inherit (import ../../4lib/tv { inherit lib pkgs; }) + isSuffixOf; + + hasMaster = { group ? "", ... }: + isSuffixOf "-sub" group; + + masterOf = user : removeSuffix "-sub" user.group; + in + concatStringsSep "\n" + (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL") + (filter hasMaster (attrValues config.users.extraUsers))); + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/vg840-wuroot"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/home"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.bumblebee.enable = true; + hardware.bumblebee.group = "video"; + hardware.enableAllFirmware = true; + hardware.opengl.driSupport32Bit = true; + hardware.pulseaudio.enable = true; + + networking.hostName = "wu"; + + environment.systemPackages = with pkgs; [ + xlibs.fontschumachermisc + slock + ethtool + #firefoxWrapper # with plugins + #chromiumDevWrapper + tinc + iptables + #jack2 + ]; + + security.setuidPrograms = [ + "sendmail" # for cron + "slock" + ]; + + services.printing.enable = true; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? + ]; + + virtualisation.libvirtd.enable = true; + + networking.extraHosts = '' + 192.168.1.1 wrt.gg23 wrt + 192.168.1.11 mors.gg23 + 192.168.1.12 uriel.gg23 + 192.168.1.23 raspi.gg23 raspi + 192.168.1.37 wu.gg23 + 192.168.1.110 nomic.gg23 + 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker + ''; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + services.bitlbee.enable = true; + services.tor.client.enable = true; + services.tor.enable = true; + services.virtualboxHost.enable = true; + + # TODO w110er if xserver is enabled + services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; +} |