author | lassulus <lass@aidsballs.de> | 2015-07-13 13:39:49 +0200 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2015-07-16 15:47:28 +0200 |
commit | 69e1390f32a4c427540388817ad70e69f461a76e (patch) | |
tree | 049777923f431beab9b3fd0a5e1c3953f4418451 | |
parent | 7b7f7d331dd066ee9c653db611f66305783e8ff5 (diff) |
"rebase"
-rw-r--r-- | old/modules/cloudkrebs/default.nix | 8 | ||||
-rw-r--r-- | old/modules/cloudkrebs/retiolum.nix (renamed from old/modules/lass/retiolum-cloudkrebs.nix) | 4 | ||||
-rw-r--r-- | old/modules/lass/base.nix | 61 | ||||
-rw-r--r-- | old/modules/lass/desktop-base.nix | 30 | ||||
-rw-r--r-- | old/modules/lass/iptables/config.nix | 119 | ||||
-rw-r--r-- | old/modules/lass/iptables/default.nix | 11 | ||||
-rw-r--r-- | old/modules/lass/iptables/options.nix | 44 | ||||
-rw-r--r-- | old/modules/lass/ircd.nix | 27 | ||||
-rw-r--r-- | old/modules/lass/retiolum-uriel.nix | 21 | ||||
-rw-r--r-- | old/modules/lass/vim.nix | 2 | ||||
-rw-r--r-- | old/modules/lass/xserver-lass.nix | 43 | ||||
-rw-r--r-- | old/modules/mors/default.nix | 25 | ||||
-rw-r--r-- | old/modules/mors/git.nix | 161 | ||||
-rw-r--r-- | old/modules/mors/paths.nix | 12 | ||||
-rw-r--r-- | old/modules/mors/repos.nix | 9 | ||||
-rw-r--r-- | old/modules/mors/retiolum.nix (renamed from old/modules/lass/retiolum-mors.nix) | 6 | ||||
-rw-r--r-- | old/modules/uriel/default.nix | 10 | ||||
-rw-r--r-- | old/modules/uriel/git.nix | 130 | ||||
-rw-r--r-- | old/modules/uriel/retiolum.nix | 31 |
19 files changed, 588 insertions, 166 deletions
diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix index 938447e..135b662 100644 --- a/old/modules/cloudkrebs/default.nix +++ b/old/modules/cloudkrebs/default.nix @@ -3,7 +3,7 @@ { imports = [ ../tv/base-cac-CentOS-7-64bit.nix - ../lass/retiolum-cloudkrebs.nix + ./retiolum.nix ./networking.nix ../../secrets/cloudkrebs-pw.nix ../lass/sshkeys.nix @@ -18,8 +18,10 @@ nix.maxJobs = 1; - #activationScripts - #split up and move into base + #tmpfiles Unknown group 'lock' workaround: + users.extraGroups = { + lock.gid = 10001; + }; #TODO move into modules users.extraUsers = { diff --git a/old/modules/lass/retiolum-cloudkrebs.nix b/old/modules/cloudkrebs/retiolum.nix index 1f03527..1caa924 100644 --- a/old/modules/lass/retiolum-cloudkrebs.nix +++ b/old/modules/cloudkrebs/retiolum.nix @@ -2,10 +2,10 @@ { imports = [ - ../tv/retiolum.nix + ../tv/retiolum ]; - services.retiolum = { + tv.retiolum = { enable = true; hosts = ../../hosts; privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv"; diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix index 3a8d879..159372a 100644 --- a/old/modules/lass/base.nix +++ b/old/modules/lass/base.nix @@ -3,6 +3,7 @@ { imports = [ ./sshkeys.nix + ./iptables ]; nix.useChroot = true; @@ -65,6 +66,10 @@ ''; }; + security.setuidPrograms = [ + "sendmail" + ]; + services.gitolite = { enable = true; dataDir = "/home/gitolite"; 
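Review bot: `security.setuidPrograms = [ "sendmail" ];` in the second base.nix hunk creates a setuid-root wrapper on every host that imports base.nix, yet nothing in this diff shows which MTA provides `sendmail` or which host actually needs the wrapper. A privileged wrapper with no visible consumer tends to outlive its reason, so I'd move the line next to the mail service's module, or at least annotate it: `# setuid wrapper for <MTA>: needed by <consumer> on <hosts>` (placeholders; the diff does not name them). The enclosing attribute set starts and ends outside the hunk.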
@@ -84,27 +89,41 @@ RuntimeMaxUse=128M ''; - networking.firewall = { + lass.iptables = { enable = true; - - allowedTCPPorts = [ - 22 - ]; - - extraCommands = '' - iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - iptables -A INPUT -j ACCEPT -i lo - iptables -A INPUT -j ACCEPT -p icmp - - #iptables -N Retiolum - iptables -A INPUT -j Retiolum -i retiolum - iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - iptables -A Retiolum -j REJECT - ''; - - extraStopCommands = "iptables -F"; + tables = { + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-i lo"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { predicate = "-p icmp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + ]; + }; }; + + #Networking.firewall = { + # enable = true; + + # allowedTCPPorts = [ + # 22 + # ]; + + # extraCommands = '' + # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # iptables -A INPUT -j ACCEPT -i lo + # #http://serverfault.com/questions/84963/why-not-block-icmp + # iptables -A INPUT -j ACCEPT -p icmp + + # #TODO: fix Retiolum firewall + # #iptables -N RETIOLUM + # #iptables -A INPUT -j RETIOLUM -i retiolum + # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset + # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable + # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable + # #iptables -A RETIOLUM -j REJECT + # ''; + #}; } diff --git a/old/modules/lass/desktop-base.nix b/old/modules/lass/desktop-base.nix index 9418454..ee7a94b 100644 
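Review bot: The new `lass.iptables` ruleset accepts `-p icmp` but has no rule for ICMPv6, and config.nix in this same commit feeds the identical generated file to `ip6tables-restore`; if ip6tables resolves `icmp` to protocol 1 rather than 58, as I believe it does, then under `filter.INPUT.policy = "DROP"` neighbour discovery and router advertisements are dropped and IPv6 stops working on every host importing base.nix. Because `buildTables` ignores its version argument there is no way to write a v6-only rule here yet, so the fix belongs in config.nix (emit an ICMPv6 accept only into the v6 file); until then this block should carry `# NOTE: applied verbatim to ip6tables too; no ICMPv6 accept rule yet`. The old `extraStopCommands = "iptables -F"` has no counterpart, so stopping lass-iptables now leaves the DROP policy in place, which is the safer failure mode and worth stating in the same comment. The enclosing attribute set starts outside the hunk.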
--- a/old/modules/lass/desktop-base.nix +++ b/old/modules/lass/desktop-base.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }: -{ +let + mainUser = config.users.extraUsers.mainUser; +in { imports = [ ./base.nix ]; @@ -34,4 +36,30 @@ xlibs.fontschumachermisc ]; + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + services.xserver = { + enable = true; + + windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + windowManager.xmonad.enable = true; + windowManager.xmonad.enableContribAndExtras = true; + windowManager.default = "xmonad"; + desktopManager.default = "none"; + desktopManager.xterm.enable = false; + displayManager.slim.enable = true; + displayManager.auto.enable = true; + displayManager.auto.user = mainUser.name; + + layout = "us,de"; + xkbModel = "evdev"; + xkbVariant = "altgr-intl,nodeadkeys"; + xkbOptions = "grp:caps_toggle"; + + }; + } diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix new file mode 100644 index 0000000..be521fe --- /dev/null +++ b/old/modules/lass/iptables/config.nix 
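Review bot: `displayManager.auto.enable = true;` together with `displayManager.auto.user = mainUser.name;` logs the main user in at boot without a password, so the `slim` login screen enabled just above is effectively bypassed for anyone with physical access; this is carried over from the deleted xserver-lass.nix rather than new, but desktop-base.nix is imported by every desktop host, so it deserves an explicit `# passwordless auto-login of mainUser at boot — confirm this is intended on every host importing desktop-base.nix`. The added `fonts.fonts = [ pkgs.xlibs.fontschumachermisc ];` appears to repeat the entry visible in the context line directly above (`xlibs.fontschumachermisc ];`); NixOS merges the lists, so it is harmless, but one copy can go. The enclosing attribute set starts outside the hunk.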
@@ -0,0 +1,119 @@ +{ cfg, lib, pkgs, ... }: + +let + inherit (pkgs) writeScript writeText; + inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr; + +#===== new api v4 + + #buildTable :: iptablesAttrSet` -> str + #todo: differentiate by iptables-version + buildTables = iptv: ts: + let + declareChain = t: cn: + #TODO: find out what to do whit these count numbers + ":${cn} ${t."${cn}".policy} [0:0]"; + + buildChain = tn: cn: + #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}"; + + #TODO: sort by precedence + #TODO: double check should be unneccessary, refactor! + if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map buildRule ts."${tn}"."${cn}".rules + ) + else + "" + ; + + + buildRule = rule: + #TODO implement rule validation-test here + # + #target: + #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN + + #predicate: + #maybe use iptables-test + #TODO: howto exit with evaluation error by shellscript? + #apperantly not possible from nix because evalatution wouldn't be deterministic. + "${rule.predicate} -j ${rule.target}"; + + buildTable = tn: + "*${tn}\n" + + concatStringsSep "\n" ([] + ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") + ) + + #this looks dirty, find a better way to do this (maybe optionalString) + concatStringsSep "" ([] + ++ map (buildChain tn) (attrNames ts."${tn}") + ) + + "\nCOMMIT"; + in + concatStringsSep "\n" ([] + ++ map buildTable (attrNames ts) + ); + +#===== + + rules4 = iptables-version: + let + #TODO: find out good defaults. 
+ tables-defaults = { + nat.PREROUTING.policy = "ACCEPT"; + nat.INPUT.policy = "ACCEPT"; + nat.OUTPUT.policy = "ACCEPT"; + nat.POSTROUTING.policy = "ACCEPT"; + filter.INPUT.policy = "ACCEPT"; + filter.FORWARD.policy = "ACCEPT"; + filter.OUTPUT.policy = "ACCEPT"; + + #if someone specifies any other rules on this chain, the default rules get lost. + #is this wanted beahiviour or a bug? + #TODO: implement abstraction of rules + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]; + }; + tables = tables-defaults // cfg.tables; + + in + writeText "lass-iptables-rules${toString iptables-version}" '' + ${buildTables iptables-version tables} + ''; + + startScript = writeScript "lass-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules4 4} + ip6tables-restore < ${rules4 6} + ''; +in + +{ + networking.firewall.enable = false; + + systemd.services.lass-iptables = { + description = "lass-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} lass-iptables_start"; + }; + }; +} diff --git a/old/modules/lass/iptables/default.nix b/old/modules/lass/iptables/default.nix new file mode 100644 index 0000000..7d46d45 --- /dev/null +++ b/old/modules/lass/iptables/default.nix @@ -0,0 +1,11 @@ +arg@{ config, lib, pkgs, ... }: + +let + cfg = config.lass.iptables; + arg' = arg // { inherit cfg; }; +in + +{ + options.lass.iptables = import ./options.nix arg'; + config = lib.mkIf cfg.enable (import ./config.nix arg'); +} diff --git a/old/modules/lass/iptables/options.nix b/old/modules/lass/iptables/options.nix new file mode 100644 index 0000000..eb3bfc0 --- /dev/null +++ b/old/modules/lass/iptables/options.nix 
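Review bot: `tables = tables-defaults // cfg.tables;` is a shallow merge, so as soon as a user sets any `filter.*` option (base.nix does in this same commit) the whole `filter` default, including the RELATED,ESTABLISHED accept rule, is discarded; the comment above already suspects this, and `tables = lib.recursiveUpdate tables-defaults cfg.tables;` keeps per-chain defaults (a user-supplied `rules` list still replaces the default list, which the comment should say). `startScript` pipes the same file into `ip6tables-restore` while `buildTables` never uses its `iptv` argument, so a v6-specific rule such as an ICMPv6 accept cannot be expressed; either thread the version down to `buildRule` or document on the option that the ruleset is applied to both address families. The shipped defaults are ACCEPT on every chain while `networking.firewall.enable = false;` is forced, so `lass.iptables.enable = true` with an empty `tables` leaves a host more open than with the module disabled; a comment on `tables-defaults` should state this, or INPUT/FORWARD should default to DROP. `buildRule` splices `rule.predicate` and `rule.target` verbatim into a line-oriented restore file, so the validation the TODO asks for should at minimum reject values containing newlines.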
@@ -0,0 +1,44 @@ +{ lib, ... }: + +let + inherit (lib) mkEnableOption mkOption types; +in + +{ + enable = mkEnableOption "iptables"; + + #tables.filter.INPUT = { + # policy = "DROP"; + # rules = [ + # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } + # ]; + #}; + #new api + tables = mkOption { + type = with types; attrsOf (attrsOf (submodule ({ + options = { + policy = mkOption { + type = str; + default = "-"; + }; + rules = mkOption { + type = nullOr (listOf (submodule ({ + options = { + predicate = mkOption { + type = str; + }; + target = mkOption { + type = str; + }; + precedence = mkOption { + type = int; + default = 0; + }; + }; + }))); + default = null; + }; + }; + }))); + }; +} diff --git a/old/modules/lass/ircd.nix b/old/modules/lass/ircd.nix index 3c9e257..c57f7dd 100644 --- a/old/modules/lass/ircd.nix +++ b/old/modules/lass/ircd.nix @@ -20,7 +20,7 @@ #ssl_dh_params = "etc/dh.pem"; #ssld_count = 1; - #default_max_clients = 1024; + default_max_clients = 10000; #nicklen = 30; }; @@ -40,23 +40,28 @@ sslport = 9999; }; - auth { - user = "*@*"; - class = "users"; - }; - class "users" { ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 10; - number_per_ip_global = 50; + number_per_ident = 200; + number_per_ip = 200; + number_per_ip_global = 500; cidr_ipv4_bitlen = 24; cidr_ipv6_bitlen = 64; - number_per_cidr = 200; - max_number = 3000; + number_per_cidr = 9000; + max_number = 10000; sendq = 400 kbytes; }; + exempt { + ip = "127.0.0.1"; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + channel { use_invex = yes; use_except = yes; diff --git a/old/modules/lass/retiolum-uriel.nix b/old/modules/lass/retiolum-uriel.nix deleted file mode 100644 index 11dc61c..0000000 --- a/old/modules/lass/retiolum-uriel.nix +++ /dev/null 
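Review bot: `precedence` is declared on every rule, but config.nix's `buildChain` still carries `#TODO: sort by precedence` and emits rules in list order, so a value set here is silently ignored; either sort there with `map buildRule (lib.sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules)` or say so on the option. None of the options carry a `description`, and the commented example above `tables` uses `priority = -10` while the option is named `precedence`; a `description = "Rules with lower precedence are emitted first; currently unused by config.nix.";` on the option would settle both points.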
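Review bot: In the second ircd.nix hunk the re-added `auth { user = "*@*"; ... flags = exceed_limit; }` gives the limit-exemption flag to every client, which as far as I know makes the `number_per_ident`/`number_per_ip`/`number_per_cidr` ceilings raised in the same hunk meaningless for anonymous connections, so a single source can consume the pool up to `default_max_clients = 10000;`. I'd keep the catch-all block without `flags` and add a second auth block restricted to the hosts that really need the exemption, for example the loopback address the new `exempt { ip = "127.0.0.1"; }` block already names; if I recall the config semantics correctly the first matching auth block wins, so the specific block has to precede the catch-all. The enclosing configuration string starts and ends outside the hunk.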
@@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/retiolum.nix - ]; - - services.retiolum = { - enable = true; - hosts = ../../hosts; - privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv"; - connectTo = [ - "fastpoke" - "gum" - "ire" - ]; - }; - - networking.firewall.allowedTCPPorts = [ 655 ]; - networking.firewall.allowedUDPPorts = [ 655 ]; -} diff --git a/old/modules/lass/vim.nix b/old/modules/lass/vim.nix index e1cff0d..3fe45e1 100644 --- a/old/modules/lass/vim.nix +++ b/old/modules/lass/vim.nix @@ -56,6 +56,8 @@ in { vnoremap < <gv vnoremap > >gv + nmap <esc>q :buffer + "Tabwidth set ts=2 sts=2 sw=2 et diff --git a/old/modules/lass/xserver-lass.nix b/old/modules/lass/xserver-lass.nix deleted file mode 100644 index 5c2d169..0000000 --- a/old/modules/lass/xserver-lass.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - services.xserver.enable = true; - - - #fonts.enableFontConfig = true; - #fonts.enableFontDir = true; - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc - ]; - #services.xfs.enable = true; - #services.xserver.useXFS = "unix/:7100"; - - #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; - - #services.xserver.display = 11; - #services.xserver.tty = 11; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - #services.xserver.multitouch.enable = true; - - services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ - X11-xshape - ]; - services.xserver.windowManager.xmonad.enable = true; - services.xserver.windowManager.xmonad.enableContribAndExtras = true; - services.xserver.windowManager.default = "xmonad"; - services.xserver.desktopManager.default = "none"; - services.xserver.desktopManager.xterm.enable = false; - - services.xserver.displayManager.slim.enable = true; - services.xserver.displayManager.auto.enable = true; - services.xserver.displayManager.auto.user = mainUser.name; - #services.xserver.displayManager.job.logsXsession = true; - - services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; - -} diff --git a/old/modules/mors/default.nix b/old/modules/mors/default.nix index d83d6ab..8ba052d 100644 --- a/old/modules/mors/default.nix +++ b/old/modules/mors/default.nix @@ -5,8 +5,7 @@ ../lass/xresources.nix ../lass/desktop-base.nix ../lass/programs.nix - ../lass/retiolum-mors.nix - ../lass/xserver-lass.nix + ./retiolum.nix ../tv/synaptics.nix ../lass/bitcoin.nix ../lass/browsers.nix @@ -31,7 +30,7 @@ nixpkgs = { url = "https://github.com/Lassulus/nixpkgs"; - rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530"; + rev = "7ef800430789252dac47f0b67e75a6b9bb616397"; }; networking.hostName = "mors"; 
@@ -110,6 +109,7 @@ SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" ''; + #TODO activationScripts seem broken, fix them! #activationScripts #split up and move into base system.activationScripts.powertopTunables = '' @@ -141,10 +141,18 @@ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' ''; - system.activationScripts.trackpoint = '' - echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' - echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' - ''; + + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 0; + emulateWheel = true; + }; + + #system.activationScripts.trackpoint = '' + # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' + # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' + #''; services.xserver = { videoDriver = "intel"; @@ -201,6 +209,9 @@ ]; }; + services.mongodb = { + enable = true; + }; #services.ircdHybrid = { # enable = true; diff --git a/old/modules/mors/git.nix b/old/modules/mors/git.nix index 1dd61d1..3750648 100644 --- a/old/modules/mors/git.nix +++ b/old/modules/mors/git.nix 
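Review bot: `services.mongodb = { enable = true; };` in the last mors/default.nix hunk sets no bind address and no authentication, so what it exposes depends entirely on the NixOS module's defaults, which this diff does not show; please confirm it binds to loopback only and record it, `# mongodb: loopback only (module default) — confirm before opening any port in lass.iptables`. With base.nix's new INPUT DROP policy the port is not reachable from outside regardless, which is worth stating, since the firewall is now the only thing in front of an unauthenticated database. The enclosing attribute set continues outside the hunk.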
@@ -1,71 +1,130 @@ { config, lib, pkgs, ... }: -{ - imports = [ - ../tv/git +let + inherit (builtins) map readFile; + inherit (lib) concatMap listToAttrs; + # TODO lib should already include our stuff + inherit (import ../../lib { inherit lib pkgs; }) addNames git; + + x-repos = [ + (krebs-private "brain") + + (public "painload") + (public "shitment") + (public "wai-middleware-time") + (public "web-routes-wai-custom") + + (secret "pass") + + (tv-lass "emse-drywall") + (tv-lass "emse-hsdb") ]; - services.git = - let - inherit (builtins) readFile; - # TODO lib should already include our stuff - inherit (import ../../lib { inherit lib pkgs; }) addNames git; + users = addNames { + tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; }; + lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; }; + uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; }; + makefu = { pubkey = "xxx"; }; + }; - krebs-private = name: desc: - { - inherit desc; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - } - in rec { - enable = true; + repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - users = addNames { - tv = { pubkey = readFile <pubkeys/tv.ssh.pub>; }; - lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; }; - uriel = { pubkey = readFile <pubkeys/lass.ssh.pub>; }; - makefu = { pubkey = "xxx"; }; - }; + rules = concatMap ({ rules, ... 
}: rules) x-repos; - repos = addNames { - shitment = { - desc = "shitment repository"; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; + krebs-private = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; }; - public = true; }; - testing = { - desc = "testing repository"; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#repository"; - server = "ire.retiolum"; - }; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + + public = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; }; - public = true; }; + public = true; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + + secret = repo-name: + rec { + repo = { + name = repo-name; + hooks = {}; }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; - rules = with git; with users; with repos; [ + tv-lass = repo-name: + rec { + repo = { + name = repo-name; + hooks = {}; + }; + rules = with git; with users; [ { user = lass; - repo = [ testing shitment ]; - perm = push master [ non-fast-forward create 
delete merge ]; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; } - { user = [ tv uriel makefu ]; - repo = [ testing shitment ]; + { user = [ tv ]; + repo = [ repo ]; perm = fetch; } ]; }; + +in + +{ + imports = [ + ../tv/git + ]; + + tv.git = { + enable = true; + inherit repos rules users; + }; } diff --git a/old/modules/mors/paths.nix b/old/modules/mors/paths.nix new file mode 100644 index 0000000..153356a --- /dev/null +++ b/old/modules/mors/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/Lassulus/nixpkgs; + rev = "7ef800430789252dac47f0b67e75a6b9bb616397"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets; +} diff --git a/old/modules/mors/repos.nix b/old/modules/mors/repos.nix index e31ba94..1f7f334 100644 --- a/old/modules/mors/repos.nix +++ b/old/modules/mors/repos.nix @@ -35,6 +35,15 @@ extraConfig = "option hook.post-receive = irc-announce"; }; + emse-drywall = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + emse-hsdb = { users = { lass = "RW+"; diff --git a/old/modules/lass/retiolum-mors.nix b/old/modules/mors/retiolum.nix index 61a7856..1148bee 100644 --- a/old/modules/lass/retiolum-mors.nix +++ b/old/modules/mors/retiolum.nix @@ -2,12 +2,12 @@ { imports = [ - ../tv/retiolum.nix + ../tv/retiolum ]; - services.retiolum = { + tv.retiolum = { enable = true; - hosts = ../../hosts; + hosts = <retiolum-hosts>; privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; connectTo = [ "fastpoke" diff --git a/old/modules/uriel/default.nix b/old/modules/uriel/default.nix index 7f2b903..eb0f3e9 100644 --- a/old/modules/uriel/default.nix +++ b/old/modules/uriel/default.nix 
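Review bot: `makefu = { pubkey = "xxx"; };` is a placeholder key that the `krebs-private` and `public` rule sets grant `fetch` on every repo; it cannot authenticate today, but the access list is already written for a principal whose key will be pasted in later, so a comment should say so, `# placeholder: no key yet; the fetch rules below are inert until replaced`. This file is byte-identical to the new `old/modules/uriel/git.nix` (both index lines end in blob `3750648`), and `krebs-private` and `public` differ only in `public = true;`, so the repo list and the rule builders belong in one shared module under `../lass/` that both hosts import; otherwise the two access lists will drift. `readFile <pubkeys/...>` resolves through whatever NIX_PATH is in effect at evaluation time, so the set of keys with push rights depends on the build environment rather than on this tree alone; a comment pointing at the `pubkeys.file.url` entry in paths.nix would make that dependency visible. The `let` block spans the whole hunk.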
@@ -3,8 +3,7 @@ { imports = [ ../lass/desktop-base.nix - ../lass/retiolum-uriel.nix - ../lass/xserver-lass.nix + ./retiolum.nix ../lass/browsers.nix ../lass/programs.nix ../lass/games.nix @@ -18,11 +17,12 @@ ../lass/bird.nix ./repos.nix ../lass/chromium-patched.nix + ./git.nix ]; nixpkgs = { url = "https://github.com/Lassulus/nixpkgs"; - rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530"; + rev = "7ef800430789252dac47f0b67e75a6b9bb616397"; }; networking.hostName = "uriel"; @@ -106,6 +106,10 @@ environment.systemPackages = with pkgs; [ ]; + #for google hangout + + users.extraUsers.google.extraGroups = [ "audio" "video" ]; + #users.extraGroups = { # loot = { diff --git a/old/modules/uriel/git.nix b/old/modules/uriel/git.nix new file mode 100644 index 0000000..3750648 --- /dev/null +++ b/old/modules/uriel/git.nix 
@@ -0,0 +1,130 @@ +{ config, lib, pkgs, ... }: + +let + inherit (builtins) map readFile; + inherit (lib) concatMap listToAttrs; + # TODO lib should already include our stuff + inherit (import ../../lib { inherit lib pkgs; }) addNames git; + + x-repos = [ + (krebs-private "brain") + + (public "painload") + (public "shitment") + (public "wai-middleware-time") + (public "web-routes-wai-custom") + + (secret "pass") + + (tv-lass "emse-drywall") + (tv-lass "emse-hsdb") + ]; + + users = addNames { + tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; }; + lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; }; + uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; }; + makefu = { pubkey = "xxx"; }; + }; + + repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); + + rules = concatMap ({ rules, ... }: rules) x-repos; + + krebs-private = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; + }; + }; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + + public = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; + }; + }; + public = true; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + + secret = repo-name: + rec { + repo = { + name = repo-name; + hooks = {}; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward 
create delete merge ]; + } + { user = [ uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + + tv-lass = repo-name: + rec { + repo = { + name = repo-name; + hooks = {}; + }; + rules = with git; with users; [ + { user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ tv ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + +in + +{ + imports = [ + ../tv/git + ]; + + tv.git = { + enable = true; + inherit repos rules users; + }; +} diff --git a/old/modules/uriel/retiolum.nix b/old/modules/uriel/retiolum.nix new file mode 100644 index 0000000..1e90083 --- /dev/null +++ b/old/modules/uriel/retiolum.nix @@ -0,0 +1,31 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../tv/retiolum + ../lass/iptables + ]; + + tv.retiolum = { + enable = true; + hosts = ../../hosts; + privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv"; + connectTo = [ + "fastpoke" + "gum" + "ire" + ]; + }; + + #networking.firewall.allowedTCPPorts = [ 655 ]; + #networking.firewall.allowedUDPPorts = [ 655 ]; + #lass.iptables = { + # #input-internet-accept-new-tcp = [ "tinc" ]; + # #input-internet-accept-new-udp = [ "tinc" ]; + # tables.retiolum = { + # interfaces = [ "retiolum" "wl0" ]; + # allowed-tcp = [ "tinc" ]; + # allowed-udp = [ "tinc" ]; + # }; + #}; +} |
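Review bot: The tinc port allowances (`networking.firewall.allowedTCPPorts = [ 655 ];` and the UDP twin) survive only as comments and the `lass.iptables` block below them is commented out as well, while uriel imports `../lass/desktop-base.nix` and thereby base.nix, which this commit switches to `filter.INPUT.policy = "DROP"` with only port 22 open; if I read the imports right, inbound retiolum connections to uriel are dropped from now on and only the outgoing `connectTo` links keep it reachable. The submodule's `rules` option is a list and should merge with base.nix's definitions, so the replacement is a few lines, shown below; the extra `../lass/iptables` import is then redundant with base.nix's but harmless.
```nix
lass.iptables.tables.filter.INPUT.rules = [
  { predicate = "-p tcp --dport 655"; target = "ACCEPT"; }
  { predicate = "-p udp --dport 655"; target = "ACCEPT"; }
];
```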