summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2016-02-04 11:16:17 +0100
committermakefu <github@syntax-fehler.de>2016-02-04 11:16:17 +0100
commita6bfdbdf6d0d29955589de57e99127c4ac8ede5e (patch)
tree7af0effd583903bdd5d82804aa57afad1f17e2cd
parentdb2a1da01749e876e7881641220aef56d93580ff (diff)
parent1c6213b4cc7c0029c3ec78f03ff2ccc37c1f0278 (diff)
Merge 'cd/master' - update krebs.build.source
-rw-r--r--Makefile76
l---------nixpkgs/default.nix1
-rw-r--r--nixpkgs/krebs0
l---------nixpkgs/lib1
-rw-r--r--nixpkgs/nixos/default.nix1
l---------nixpkgs/nixos/lib1
l---------nixpkgs/nixos/modules1
l---------nixpkgs/pkgs1
l---------root1
-rw-r--r--shared/2configs/buildbot-standalone.nix2
-rw-r--r--tv/1systems/cd.nix43
-rw-r--r--tv/1systems/mkdir.nix1
-rw-r--r--tv/1systems/nomic.nix41
-rw-r--r--tv/1systems/rmdir.nix1
-rw-r--r--tv/1systems/wu.nix43
-rw-r--r--tv/1systems/xu.nix44
-rw-r--r--tv/2configs/backup.nix40
-rw-r--r--tv/2configs/consul-client.nix9
-rw-r--r--tv/2configs/consul-server.nix21
-rw-r--r--tv/2configs/default.nix52
-rw-r--r--tv/2configs/exim-retiolum.nix8
-rw-r--r--tv/2configs/exim-smarthost.nix5
-rw-r--r--tv/2configs/git.nix9
-rw-r--r--tv/2configs/hw/AO753.nix9
-rw-r--r--tv/2configs/hw/x220.nix1
-rw-r--r--tv/2configs/nginx-public_html.nix15
-rw-r--r--tv/2configs/pulse.nix32
-rw-r--r--tv/2configs/retiolum.nix17
-rw-r--r--tv/2configs/vim.nix9
-rw-r--r--tv/2configs/xserver/default.nix1
-rw-r--r--tv/3modules/consul.nix118
-rw-r--r--tv/3modules/default.nix1
-rw-r--r--tv/5pkgs/default.nix3
-rw-r--r--tv/5pkgs/ejabberd/default.nix28
34 files changed, 216 insertions, 420 deletions
diff --git a/Makefile b/Makefile
index 5b898c5..e82e39c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,53 +1,51 @@
-#
-# usage:
-# make infest system=foo [target=bar]
-# make [deploy] system=foo [target=bar]
-# make [deploy] systems='foo bar'
-# make eval get=users.tv.wu.config.time.timeZone [filter=json]
-#
-
.ONESHELL:
.SHELLFLAGS := -eufc
-ifdef systems
-$(systems):
- @
- unset target
- parallel \
- --line-buffer \
- -j0 \
- --no-notice \
- --tagstring {} \
- -q make -s systems= system={} ::: $(systems)
-else ifdef system
-.PHONY: deploy infest
-deploy infest:;@
- export get=krebs.$@
- export filter=json
- make -s eval | sh
+ifndef system
+$(error unbound variable: system)
+endif
+
+export target_host ?= $(system)
+export target_user ?= root
+export target_path ?= /var/src
+
+# usage: make deploy system=foo [target_host=bar]
+.PHONY: deploy
+deploy: populate ;@set -x
+ ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path"
+# usage: make populate system=foo [target_host=bar]
+.PHONY: populate
+populate:;@
+ result=$$(make -s eval get=config.krebs.build.populate filter=json)
+ echo "$$result" | sh
+
+# usage: make eval system=foo get=config.krebs.build [LOGNAME=tv] [filter=json]
.PHONY: eval
-eval:
- @
+eval:;@
ifeq ($(filter),json)
extraArgs='--json --strict'
- filter() { jq -r .; }
+ filter() { echo "$$1" | jq -r .; }
else
- filter() { cat; }
+ filter() { echo "$$1"; }
endif
result=$$(nix-instantiate \
$${extraArgs-} \
+ --show-trace \
+ --readonly-mode \
--eval \
-A "$$get" \
- -I stockholm="$$PWD" \
- '<stockholm>' \
- --argstr current-date "$$(date -Is)" \
- --argstr current-host-name "$$HOSTNAME" \
- --argstr current-user-name "$$LOGNAME" \
- $${system+--argstr system "$$system"} \
- $${target+--argstr target "$$target"})
- echo "$$result" | filter
+ --arg configuration "./$$LOGNAME/1systems/$$system.nix")
+ filter "$$result"
-else
-$(error unbound variable: system[s])
-endif
+## usage: make install system=foo target=
+#.PHONY: install
+#install: ssh = ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+#install:;@set -x
+# $(ssh) "$$target_user@$$target_host" \
+# env target_path=/var/src \
+# sh -s prepare < krebs/4lib/infest/prepare.sh
+# make -s populate target_path=/mnt"$$target_path"
+# $(ssh) "$$target_user@$$target_host" \
+# env NIXOS_CONFIG=/var/src/nixos-config \
+# nixos-install
diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix
new file mode 120000
index 0000000..74e9d76
--- /dev/null
+++ b/nixpkgs/default.nix
@@ -0,0 +1 @@
+../upstream-nixpkgs/default.nix \ No newline at end of file
diff --git a/nixpkgs/krebs b/nixpkgs/krebs
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/nixpkgs/krebs
diff --git a/nixpkgs/lib b/nixpkgs/lib
new file mode 120000
index 0000000..2284ef4
--- /dev/null
+++ b/nixpkgs/lib
@@ -0,0 +1 @@
+../upstream-nixpkgs/lib \ No newline at end of file
diff --git a/nixpkgs/nixos/default.nix b/nixpkgs/nixos/default.nix
new file mode 100644
index 0000000..4fe08ef
--- /dev/null
+++ b/nixpkgs/nixos/default.nix
@@ -0,0 +1 @@
+import <stockholm>
diff --git a/nixpkgs/nixos/lib b/nixpkgs/nixos/lib
new file mode 120000
index 0000000..9e69d1a
--- /dev/null
+++ b/nixpkgs/nixos/lib
@@ -0,0 +1 @@
+../../../upstream-nixpkgs/nixos/lib \ No newline at end of file
diff --git a/nixpkgs/nixos/modules b/nixpkgs/nixos/modules
new file mode 120000
index 0000000..8aa2488
--- /dev/null
+++ b/nixpkgs/nixos/modules
@@ -0,0 +1 @@
+../../../upstream-nixpkgs/nixos/modules \ No newline at end of file
diff --git a/nixpkgs/pkgs b/nixpkgs/pkgs
new file mode 120000
index 0000000..ce5f544
--- /dev/null
+++ b/nixpkgs/pkgs
@@ -0,0 +1 @@
+../upstream-nixpkgs/pkgs \ No newline at end of file
diff --git a/root b/root
new file mode 120000
index 0000000..1cd1825
--- /dev/null
+++ b/root
@@ -0,0 +1 @@
+../stockholm-user \ No newline at end of file
diff --git a/shared/2configs/buildbot-standalone.nix b/shared/2configs/buildbot-standalone.nix
index c614bd3..9982dd9 100644
--- a/shared/2configs/buildbot-standalone.nix
+++ b/shared/2configs/buildbot-standalone.nix
@@ -86,7 +86,6 @@
-I stockholm=. \
--show-trace \
-I secrets=. '<stockholm>' \
- --argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
@@ -98,7 +97,6 @@
-I stockholm=. \
-I secrets=. '<stockholm>' \
--show-trace \
- --argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 8c2a9ae..e42d575 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -6,12 +6,17 @@ with lib;
krebs.build.host = config.krebs.hosts.cd;
krebs.build.target = "root@cd.internet";
+ krebs.build.source.upstream-nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "b7ff030";
+ };
+
imports = [
../2configs/hw/CAC-Developer-2.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- #../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
+ ../2configs/retiolum.nix
../2configs/urlwatch.nix
{
imports = [ ../2configs/charybdis.nix ];
@@ -25,6 +30,10 @@ with lib;
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
+ tv.iptables.input-internet-accept-new-tcp = [
+ "xmpp-client"
+ "xmpp-server"
+ ];
}
{
krebs.github-hosts-sync.enable = true;
@@ -32,38 +41,17 @@ with lib;
singleton config.krebs.github-hosts-sync.port;
}
{
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "tinc"
- "smtp"
- "xmpp-client"
- "xmpp-server"
- ];
- input-retiolum-accept-new-tcp = [
- "http"
- ];
- };
- }
- {
- tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.cgit.server-names = [
"cgit.cd.krebsco.de"
"cgit.cd.viljetic.de"
];
- }
- {
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'');
};
- }
- {
krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
@@ -71,16 +59,7 @@ with lib;
root ${pkgs.viljetic-pages};
'');
};
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
+ tv.iptables.input-internet-accept-new-tcp = singleton "http";
}
];
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index 9d8a0bc..79e5f73 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -22,7 +22,6 @@ in
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
{
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 0c6c935..37ef204 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -5,45 +5,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.nomic;
- krebs.build.target = "root@nomic.gg23";
-
imports = [
../2configs/hw/AO753.nix
- #../2configs/consul-server.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
- }
+ ../2configs/nginx-public_html.nix
+ ../2configs/pulse.nix
+ ../2configs/retiolum.nix
+ ../2configs/xserver
];
boot.initrd.luks = {
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index 1f1d975..6fd79c5 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -23,7 +23,6 @@ in
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
{
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 54ceb77..29e6de0 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -7,10 +7,12 @@ with lib;
imports = [
../2configs/hw/w110er.nix
- #../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/nginx-public_html.nix
../2configs/pulse.nix
+ ../2configs/retiolum.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -18,7 +20,7 @@ with lib;
# stockholm
gnumake
hashPassword
- lentil
+ haskellPackages.lentil
parallel
(pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash
@@ -41,7 +43,7 @@ with lib;
# tv
bc
bind # dig
- cac
+ cac-api
dic
file
get
@@ -123,39 +125,6 @@ with lib;
unison
];
}
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
- }
];
boot.initrd.luks = {
@@ -188,7 +157,7 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;
hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 1f3e010..8c4af2b 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -5,15 +5,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.xu;
- krebs.build.source.git.nixpkgs.rev =
- "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
-
imports = [
../2configs/hw/x220.nix
- #../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/nginx-public_html.nix
../2configs/pulse.nix
+ ../2configs/retiolum.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -21,7 +20,7 @@ with lib;
# stockholm
gnumake
hashPassword
- lentil
+ haskellPackages.lentil
parallel
(pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash
@@ -124,40 +123,6 @@ with lib;
unison
];
}
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "cd"
- "gum"
- "pigstarter"
- ];
- };
- }
];
boot.initrd.luks = {
@@ -190,7 +155,6 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true;
- nixpkgs.config.allowUnfree = true;
#hardware.bumblebee.enable = true;
#hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index 51d3bb8..ce937a7 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -2,41 +2,17 @@
with lib;
{
krebs.backup.plans = addNames {
- xu-test-cd = {
+ wu-home-xu = {
method = "push";
-
- src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; };
- dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; };
-
- #startAt = "0,6,12,18:00";
- startAt = "minutely";
+ src = { host = config.krebs.hosts.wu; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
+ startAt = "05:00";
snapshots = {
- minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
- hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
};
};
- #xu-test-wu = {
- # method = "push";
- # dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; };
- #};
- cd-test-xu = {
- method = "pull";
- src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; };
- dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; };
- startAt = "minutely";
- snapshots = {
- minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
- hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
- };
-
};
}
diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix
deleted file mode 100644
index 0a8bf4d..0000000
--- a/tv/2configs/consul-client.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
- imports = [ ./consul-server.nix ];
-
- tv.consul = {
- server = pkgs.lib.mkForce false;
- };
-}
diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix
deleted file mode 100644
index d10f9ea..0000000
--- a/tv/2configs/consul-server.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
- tv.consul = rec {
- enable = true;
-
- self = config.krebs.build.host;
- inherit (self) dc;
-
- server = true;
-
- hosts = with config.krebs.hosts; [
- # TODO get this list automatically from each host where tv.consul.enable is true
- cd
- mkdir
- nomic
- rmdir
- #wu
- ];
- };
-}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index c300633..57c4620 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -8,20 +8,21 @@ with lib;
krebs.build = {
user = config.krebs.users.tv;
target = mkDefault "root@${config.krebs.build.host.name}";
- source = {
- git.nixpkgs = {
- url = mkDefault https://github.com/NixOS/nixpkgs;
- rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
- target-path = mkDefault "/var/src/nixpkgs";
+ source = mapAttrs (_: mkDefault) ({
+ nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
+ nixpkgs = symlink:stockholm/nixpkgs;
+ secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
+ secrets-common = "/home/tv/secrets/common";
+ stockholm = "/home/tv/stockholm";
+ stockholm-user = "symlink:stockholm/tv";
+ upstream-nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
+ dev = "/home/tv/nixpkgs";
};
- dir.secrets = {
- path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
- };
- dir.stockholm = {
- path = mkDefault "/home/tv/stockholm";
- target-path = mkDefault "/var/src/stockholm";
- };
- };
+ } // optionalAttrs config.krebs.build.host.secure {
+ secrets-master = "/home/tv/secrets/master";
+ });
};
networking.hostName = config.krebs.build.host.name;
@@ -67,6 +68,9 @@ with lib;
nix.useChroot = true;
}
{
+ nixpkgs.config.allowUnfree = false;
+ }
+ {
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
@@ -98,12 +102,7 @@ with lib;
};
environment.variables = {
- NIX_PATH =
- with config.krebs.build.source; with dir; with git;
- mkForce (concatStringsSep ":" [
- "nixpkgs=${nixpkgs.target-path}"
- "secrets=${stockholm.target-path}/null"
- ]);
+ NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
programs.bash = {
@@ -142,7 +141,12 @@ with lib;
'';
};
- programs.ssh.startAgent = false;
+ programs.ssh = {
+ extraConfig = ''
+ UseRoaming no
+ '';
+ startAgent = false;
+ };
}
{
@@ -160,12 +164,17 @@ with lib;
}
{
+ tv.iptables.enable = true;
+ }
+
+ {
services.openssh = {
enable = true;
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
+ tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
}
{
@@ -177,7 +186,8 @@ with lib;
{
systemd.tmpfiles.rules = let
forUsers = flip map users;
- isUser = { group, ... }: hasSuffix "users" group;
+ isUser = { name, group, ... }:
+ name == "root" || hasSuffix "users" group;
users = filter isUser (mapAttrsToList (_: id) config.users.users);
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
new file mode 100644
index 0000000..aedf258
--- /dev/null
+++ b/tv/2configs/exim-retiolum.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ krebs.exim-retiolum.enable = true;
+ tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+}
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index f5f63d2..bcfea78 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
{
krebs.exim-smarthost = {
@@ -34,4 +36,5 @@
{ from = "mirko"; to = "mv"; }
];
};
+ tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
}
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 800deff..b818008 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -9,7 +9,7 @@ let
enable = true;
root-title = "public repositories at ${config.krebs.build.host.name}";
root-desc = "keep calm and engage";
- repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+ repos = repos;
rules = rules;
};
};
@@ -22,8 +22,8 @@ let
public-repos = mapAttrs make-public-repo ({
} // mapAttrValues (setAttr "section" "1. Miscellaneous") {
- cac = {
- desc = "CloudAtCost command line interface";
+ cac-api = {
+ desc = "CloudAtCost API command line interface";
};
get = {};
hack = {};
@@ -39,6 +39,7 @@ let
stockholm = {
desc = "take all the computers hostage, they'll love you!";
};
+ with-tmpdir = {};
} // mapAttrValues (setAttr "section" "2. Haskell libraries") {
blessings = {};
mime = {};
@@ -98,7 +99,7 @@ let
repo = [ repo ];
perm = fetch;
} ++
- optional (length (repo.collaborators or []) > 0) {
+ optional (repo.collaborators or [] != []) {
user = repo.collaborators;
repo = [ repo ];
perm = fetch;
diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix
index acd9ee3..72a4081 100644
--- a/tv/2configs/hw/AO753.nix
+++ b/tv/2configs/hw/AO753.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
{
imports = [
@@ -39,8 +41,5 @@
HandleSuspendKey=ignore
'';
- nixpkgs.config = {
- allowUnfree = false;
- allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
- };
+ nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name;
}
diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index 8549311..7cec670 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -14,7 +14,6 @@
networking.wireless.enable = true;
#hardware.enableAllFirmware = true;
- #nixpkgs.config.allowUnfree = true;
#zramSwap.enable = true;
#zramSwap.numDevices = 2;
diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix
new file mode 100644
index 0000000..dc74f7f
--- /dev/null
+++ b/tv/2configs/nginx-public_html.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ krebs.nginx = {
+ enable = true;
+ servers.default.locations = [
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ tv.iptables.input-internet-accept-new-tcp = singleton "http";
+}
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index 3db3532..e1894ca 100644
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
+with lib;
let
pkg = pkgs.pulseaudioLight;
runDir = "/run/pulse";
@@ -35,36 +36,43 @@ let
in
{
- systemd.tmpfiles.rules = [
- "d ${runDir} 0750 pulse pulse - -"
- "d ${runDir}/home 0700 pulse pulse - -"
- ];
-
- system.activationScripts.pulseaudio-hack = ''
- ln -fns ${clientConf} /etc/pulse/client.conf
- '';
-
environment = {
etc = {
"asound.conf".source = alsaConf;
- #"pulse/client.conf" = lib.mkForce { source = clientConf; };
+ # XXX mkForce is not strong enough (and neither is mkOverride) to create
+ # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
+ #"pulse/client.conf" = mkForce { source = clientConf; };
+ #"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile;
};
- systemPackages = [ pkg ];
+ systemPackages = [
+ pkg
+ ] ++ optionals config.services.xserver.enable [
+ pkgs.pavucontrol
+ ];
};
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
+ system.activationScripts.pulseaudio-hack = ''
+ ln -fns ${clientConf} /etc/pulse/client.conf
+ '';
+
systemd.services.pulse = {
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment = {
PULSE_RUNTIME_PATH = "${runDir}/home";
- #DISPLAY = ":${toString config.services.xserver.display}";
};
serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio";
+ ExecStartPre = pkgs.writeScript "pulse-start" ''
+ #! /bin/sh
+ install -o pulse -g pulse -m 0750 -d ${runDir}
+ install -o pulse -g pulse -m 0700 -d ${runDir}/home
+ '';
+ PermissionsStartOnly = "true";
User = "pulse";
};
};
diff --git a/tv/2configs/retio