-rw-r--r-- | 0make/lass/cloudkrebs.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/cd.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/mkdir.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/nomic.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/rmdir.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/wu.makefile | 4 | ||||
-rw-r--r-- | 1systems/lass/mors.nix | 220 | ||||
-rw-r--r-- | 1systems/lass/uriel.nix | 195 | ||||
-rw-r--r-- | 2configs/lass/base.nix | 136 | ||||
-rw-r--r-- | 2configs/lass/binary-caches.nix | 13 | ||||
-rw-r--r-- | 2configs/lass/bird.nix | 13 | ||||
-rw-r--r-- | 2configs/lass/bitcoin.nix | 17 | ||||
-rw-r--r-- | 2configs/lass/browsers.nix | 67 | ||||
-rw-r--r-- | 2configs/lass/chromium-patched.nix | 48 | ||||
-rw-r--r-- | 2configs/lass/desktop-base.nix | 65 | ||||
-rw-r--r-- | 2configs/lass/elster.nix | 20 | ||||
-rw-r--r-- | 2configs/lass/games.nix | 25 | ||||
-rw-r--r-- | 2configs/lass/git-repos.nix | 140 | ||||
-rw-r--r-- | 2configs/lass/gitolite-base.nix | 173 | ||||
-rw-r--r-- | 2configs/lass/ircd.nix | 92 | ||||
-rw-r--r-- | 2configs/lass/mors/repos.nix | 87 | ||||
-rw-r--r-- | 2configs/lass/mors/retiolum.nix | 21 | ||||
-rw-r--r-- | 2configs/lass/pass.nix | 10 | ||||
-rw-r--r-- | 2configs/lass/programs.nix | 24 | ||||
-rw-r--r-- | 2configs/lass/sshkeys.nix | 11 | ||||
-rw-r--r-- | 2configs/lass/steam.nix | 30 | ||||
-rw-r--r-- | 2configs/lass/texlive.nix | 7 | ||||
-rw-r--r-- | 2configs/lass/urxvt.nix | 40 | ||||
-rw-r--r-- | 2configs/lass/vim.nix | 118 | ||||
-rw-r--r-- | 2configs/lass/virtualbox.nix | 22 | ||||
-rw-r--r-- | 2configs/lass/wine.nix | 23 | ||||
-rw-r--r-- | 3modules/krebs/default.nix | 309 | ||||
-rw-r--r-- | 3modules/krebs/git.nix | 490 | ||||
-rw-r--r-- | 3modules/krebs/github-hosts-sync.nix | 83 | ||||
-rw-r--r-- | 3modules/krebs/nginx.nix | 72 | ||||
-rw-r--r-- | 3modules/krebs/retiolum.nix | 226 | ||||
-rw-r--r-- | 3modules/krebs/urlwatch.nix | 136 | ||||
-rw-r--r-- | 3modules/lass/iptables.nix | 187 | ||||
-rw-r--r-- | 3modules/lass/sshkeys.nix | 26 | ||||
-rw-r--r-- | 3modules/lass/urxvtd.nix | 55 | ||||
-rw-r--r-- | 3modules/lass/xresources.nix | 57 | ||||
-rw-r--r-- | 4lib/krebs/default.nix | 33 | ||||
-rw-r--r-- | 4lib/krebs/types.nix | 104 | ||||
-rw-r--r-- | 4lib/tv/default.nix | 52 | ||||
-rw-r--r-- | Makefile | 85 | ||||
-rw-r--r-- | Zpkgs/krebs/default.nix | 14 | ||||
-rw-r--r-- | Zpkgs/krebs/dic.nix | 36 | ||||
-rw-r--r-- | Zpkgs/krebs/genid.nix | 22 | ||||
-rw-r--r-- | Zpkgs/krebs/github-hosts-sync.nix | 40 | ||||
-rw-r--r-- | Zpkgs/krebs/github-known_hosts.nix | 13 | ||||
-rw-r--r-- | Zpkgs/krebs/hashPassword.nix | 16 | ||||
-rw-r--r-- | Zpkgs/tv/lentil/1.patch | 39 | ||||
-rw-r--r-- | tv/1systems/cd.nix (renamed from 1systems/tv/cd.nix) | 34 | ||||
-rw-r--r-- | tv/1systems/mkdir.nix (renamed from 1systems/tv/mkdir.nix) | 28 | ||||
-rw-r--r-- | tv/1systems/nomic.nix (renamed from 1systems/tv/nomic.nix) | 26 | ||||
-rw-r--r-- | tv/1systems/rmdir.nix (renamed from 1systems/tv/rmdir.nix) | 28 | ||||
-rw-r--r-- | tv/1systems/wu.nix (renamed from 1systems/tv/wu.nix) | 120 | ||||
-rw-r--r-- | tv/2configs/AO753.nix (renamed from 2configs/tv/AO753.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/CAC-CentOS-7-64bit.nix (renamed from 2configs/tv/CAC-CentOS-7-64bit.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/CAC-Developer-1.nix (renamed from 2configs/tv/CAC-Developer-1.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/CAC-Developer-2.nix (renamed from 2configs/tv/CAC-Developer-2.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/base.nix (renamed from 2configs/tv/base.nix) | 1 | ||||
-rw-r--r-- | tv/2configs/bash_completion.sh (renamed from 2configs/tv/bash_completion.sh) | 0 | ||||
-rw-r--r-- | tv/2configs/charybdis.nix (renamed from 2configs/tv/charybdis.nix) | 136 | ||||
-rw-r--r-- | tv/2configs/consul-client.nix (renamed from 2configs/tv/consul-client.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/consul-server.nix (renamed from 2configs/tv/consul-server.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/cryptoroot.nix (renamed from 2configs/tv/cryptoroot.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/exim-retiolum.nix (renamed from 2configs/tv/exim-retiolum.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/exim-smarthost.nix (renamed from 2configs/tv/exim-smarthost.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/git.nix (renamed from 2configs/tv/git.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/mail-client.nix (renamed from 2configs/tv/mail-client.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/smartd.nix (renamed from 2configs/tv/smartd.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/synaptics.nix (renamed from 2configs/tv/synaptics.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/urlwatch.nix (renamed from 2configs/tv/urlwatch.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/urxvt.nix (renamed from 2configs/tv/urxvt.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/w110er.nix (renamed from 2configs/tv/w110er.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/xserver.nix (renamed from 2configs/tv/xserver.nix) | 2 | ||||
-rw-r--r-- | tv/3modules/consul.nix (renamed from 3modules/tv/consul.nix) | 2 | ||||
-rw-r--r-- | tv/3modules/default.nix (renamed from 3modules/tv/default.nix) | 0 | ||||
-rw-r--r-- | tv/3modules/ejabberd.nix (renamed from 3modules/tv/ejabberd.nix) | 0 | ||||
-rw-r--r-- | tv/3modules/iptables.nix (renamed from 3modules/tv/iptables.nix) | 4 | ||||
-rw-r--r-- | tv/4lib/default.nix | 27 | ||||
-rw-r--r-- | tv/4lib/git.nix (renamed from 4lib/tv/git.nix) | 0 | ||||
-rw-r--r-- | tv/4lib/modules.nix (renamed from 4lib/tv/modules.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/charybdis/default.nix (renamed from Zpkgs/tv/charybdis/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/charybdis/remove-setenv.patch (renamed from Zpkgs/tv/charybdis/remove-setenv.patch) | 2 | ||||
-rw-r--r-- | tv/5pkgs/default.nix (renamed from Zpkgs/tv/default.nix) | 4 | ||||
-rw-r--r-- | tv/5pkgs/lentil/default.nix (renamed from Zpkgs/tv/lentil/default.nix) | 6 | ||||
-rw-r--r-- | tv/5pkgs/lentil/syntaxes.patch (renamed from Zpkgs/tv/lentil/syntaxes.patch) | 0 | ||||
-rw-r--r-- | tv/5pkgs/much.nix (renamed from Zpkgs/tv/much.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/default.nix (renamed from Zpkgs/tv/viljetic-pages/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/index.html (renamed from Zpkgs/tv/viljetic-pages/index.html) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/logo.xpm (renamed from Zpkgs/tv/viljetic-pages/logo.xpm) | 0 |
93 files changed, 256 insertions, 3910 deletions
diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile
new file mode 100644
index 0000000..baf7660
--- /dev/null
+++ b/0make/lass/cloudkrebs.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@cloudkrebs
+nixpkgs_url := https://github.com/Lassulus/nixpkgs
+nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
+secrets_dir := /home/lass/secrets/cloudkrebs
diff --git a/0make/tv/cd.makefile b/0make/tv/cd.makefile
deleted file mode 100644
index e021423..0000000
--- a/0make/tv/cd.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@cd-global
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/cd
diff --git a/0make/tv/mkdir.makefile b/0make/tv/mkdir.makefile
deleted file mode 100644
index b10398a..0000000
--- a/0make/tv/mkdir.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@mkdir
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/mkdir
diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile
deleted file mode 100644
index 9e0b867..0000000
--- a/0make/tv/nomic.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@nomic.gg23
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
-secrets_dir := /home/tv/secrets/nomic
diff --git a/0make/tv/rmdir.makefile b/0make/tv/rmdir.makefile
deleted file mode 100644
index 6075bd3..0000000
--- a/0make/tv/rmdir.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@rmdir
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/rmdir
diff --git a/0make/tv/wu.makefile b/0make/tv/wu.makefile
deleted file mode 100644
index ef7e511..0000000
--- a/0make/tv/wu.makefile
+++ /dev/null
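Review bot: The new cloudkrebs pin points at a personal fork (`nixpkgs_url := https://github.com/Lassulus/nixpkgs`) while every other host makefile in this hunk pins `https://github.com/NixOS/nixpkgs`, and nothing in the file says which patches the fork carries or why upstream is not sufficient; a one-line comment such as `# fork of NixOS/nixpkgs, carries <patch>; rebase onto upstream once merged` would let a reviewer audit what is actually deployed to root@cloudkrebs. The 40-character `nixpkgs_rev` is the right way to pin, but it only protects the deployment if the Makefile that consumes `nixpkgs_url`/`nixpkgs_rev` checks out that exact commit rather than a branch of the fork, and that Makefile is outside this hunk, so I cannot confirm it. Because the revision lives in a fork, it is also only as durable as the fork's history: a rebase or deletion of the fork makes this host's deployment unreproducible, which is worth noting next to the pin.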
@@ -1,4 +0,0 @@
-deploy_host := root@wu
-nixpkgs_url := /home/tv/src/nixpkgs
-nixpkgs_rev := 7725eb1d3ed85fc34edde3c3a7907ab234933a68
-secrets_dir := /home/tv/secrets/wu
diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix
deleted file mode 100644
index 940dc4f..0000000
--- a/1systems/lass/mors.nix
+++ /dev/null
@@ -1,220 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/programs.nix - ../../2configs/lass/bitcoin.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix - ../../2configs/lass/virtualbox.nix - ../../2configs/lass/elster.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/steam.nix - ../../2configs/lass/wine.nix - ../../2configs/lass/texlive.nix - ../../2configs/lass/binary-caches.nix - ../../2configs/lass/ircd.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/git-repos.nix - ../../2configs/tv/synaptics.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } - ]; - - networking.hostName = "mors"; - networking.wireless.enable = true; - - networking.extraHosts = '' - ''; - - nix.maxJobs = 4; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/big/nix"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - - "/mnt/loot" = { - device = "/dev/big/loot"; - fsType = "ext4"; - }; - - "/home" = { - device = "/dev/big/home"; - fsType = "ext4"; - }; - - "/home/lass" = { - device = "/dev/big/home-lass"; - fsType = "ext4"; - }; - - "/mnt/backups" = { - device = "/dev/big/backups"; - 
fsType = "ext4"; - }; - - "/home/games/.local/share/Steam" = { - device = "/dev/big/steam"; - fsType = "ext4"; - }; - - "/home/virtual/virtual" = { - device = "/dev/big/virtual"; - fsType = "ext4"; - }; - - "/mnt/public" = { - device = "/dev/big/public"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Enable Audio codec power management - echo '1' > '/sys/module/snd_hda_intel/parameters/power_save' - #VM writeback timeout - echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs' - #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] - echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' - #Autosuspend for USB device Biometric Coprocessor - echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' - - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > 
'/sys/bus/pci/devices/0000:00:16.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' - ''; - - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 0; - emulateWheel = true; - }; - - #system.activationScripts.trackpoint = '' - # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' - # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' - #''; - - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - - users.extraUsers = { - #main user - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - extraGroups = [ "wheel" "audio" ]; - }; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #TODO: fix this shit - ##fprint stuff - ##sudo fprintd-enroll $USER to save fingerprints - #services.fprintd.enable = true; - #security.pam.services.sudo.fprintAuth = true; - - users.extraGroups = { - loot = { - members = [ - config.users.extraUsers.mainUser.name - "firefox" - "chromium" - "google" - "virtual" - ]; - }; - }; - - networking.firewall = { - allowPing = true; - allowedTCPPorts = [ - 8000 - ]; - allowedUDPPorts = [ - 67 - ]; - }; - - services.mongodb = { - enable = true; - }; -} diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix deleted file mode 100644 index 25745d0..0000000 --- a/1systems/lass/uriel.nix +++ /dev/null 
@@ -1,195 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/bird.nix - ../../2configs/lass/git-repos.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } - ]; - - networking.hostName = "uriel"; - networking.wireless.enable = true; - nix.maxJobs = 2; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.gummiboot.enable = true; - loader.gummiboot.timeout = 5; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - extraModprobeConfig = '' - ''; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - #services.xserver = { - #}; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; - - users.extraUsers = { - root = { - 
openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" "audio" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #for google hangout - - users.extraUsers.google.extraGroups = [ "audio" "video" ]; - - - #users.extraGroups = { - # loot = { - # members = [ - # "lass" - # "firefox" - # "chromium" - # "google" - # ]; - # }; - #}; - # - # iptables - # - #networking.firewall.enable = false; - #system.activationScripts.iptables = - # let - # log = false; - # when = c: f: if c then f else ""; - # in - # '' - # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - # ipXtables() { ip4tables "$@"; ip6tables "$@"; } - - # # - # # nat - # # - - # # reset tables - # ipXtables -t nat -F - # ipXtables -t nat -X - - # # - # #ipXtables -t nat -A PREROUTING -j REDIRECT ! 
-i retiolum -p tcp --dport ssh --to-ports 0 - # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # # - # # filter - # # - - # # reset tables - # ipXtables -P INPUT DROP - # ipXtables -P FORWARD DROP - # ipXtables -F - # ipXtables -X - - # # create custom chains - # ipXtables -N Retiolum - - # # INPUT - # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # ipXtables -A INPUT -j ACCEPT -i lo - # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - # ipXtables -A INPUT -j Retiolum -i retiolum - # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # # FORWARD - # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # # Retiolum - # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - # ip6tables -A Retiolum -j REJECT - - # ''; -} diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix deleted file mode 100644 index 5e5b8a7..0000000 --- a/2configs/lass/base.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - imports = [ - ./sshkeys.nix - ../../3modules/lass/iptables.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import /root/src/secrets/hashedPasswords.nix); - } - - ]; - - nix.useChroot = true; - - users.mutableUsers = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - PAGER=most - ''; - - environment.systemPackages = with pkgs; [ - git - most - rxvt_unicode.terminfo - - #network - iptables - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - security.setuidPrograms = [ - "sendmail" - ]; - - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - lass.iptables = { - enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-i lo"; 
target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } - ]; - }; - }; - - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; -} diff --git a/2configs/lass/binary-caches.nix b/2configs/lass/binary-caches.nix deleted file mode 100644 index c272752..0000000 --- a/2configs/lass/binary-caches.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - nix.sshServe.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" - ]; - nix.binaryCaches = [ - #"scp://nix-ssh@mors" - #"scp://nix-ssh@uriel" - ]; -} diff --git a/2configs/lass/bird.nix b/2configs/lass/bird.nix deleted file mode 100644 index 3fc265c..0000000 --- a/2configs/lass/bird.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - config.services.bird = { - enable = true; - config = '' - router id 192.168.122.1; - protocol device { - scan time 10; - } - ''; - }; -} 
diff --git a/2configs/lass/bitcoin.nix b/2configs/lass/bitcoin.nix deleted file mode 100644 index d3bccbf..0000000 --- a/2configs/lass/bitcoin.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - electrum - ]; - - users.extraUsers = { - bitcoin = { - name = "bitcoin"; - description = "user for bitcoin stuff"; - home = "/home/bitcoin"; - useDefaultShell = true; - createHome = true; - }; - }; -} diff --git a/2configs/lass/browsers.nix b/2configs/lass/browsers.nix deleted file mode 100644 index 8aecea9..0000000 --- a/2configs/lass/browsers.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - - nixpkgs.config.packageOverrides = pkgs : { - chromium = pkgs.chromium.override { - pulseSupport = true; - }; - }; - - environment.systemPackages = with pkgs; [ - firefox - ]; - - users.extraUsers = { - firefox = { - name = "firefox"; - description = "user for running firefox"; - home = "/home/firefox"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - chromium = { - name = "chromium"; - description = "user for running chromium"; - home = "/home/chromium"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - facebook = { - name = "facebook"; - description = "user for running facebook in chromium"; - home = "/home/facebook"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - google = { - name = "google"; - description = "user for running google+/gmail in chromium"; - home = "/home/google"; - useDefaultShell = true; - createHome = true; - }; - flash = { - name = "flash"; - description = "user for running flash stuff"; - home = "/home/flash"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - }; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(firefox) NOPASSWD: ALL - ${mainUser.name} ALL=(chromium) NOPASSWD: ALL - ${mainUser.name} ALL=(facebook) NOPASSWD: ALL - ${mainUser.name} ALL=(google) NOPASSWD: ALL - ${mainUser.name} ALL=(flash) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/chromium-patched.nix b/2configs/lass/chromium-patched.nix deleted file mode 100644 index 7151817..0000000 --- a/2configs/lass/chromium-patched.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -#settings to test: -# - #"ForceEphemeralProfiles": true, -let - masterPolicy = pkgs.writeText "master.json" '' - { - "PasswordManagerEnabled": false, - "DefaultGeolocationSetting": 2, - "RestoreOnStartup": 1, - "AutoFillEnabled": false, - "BackgroundModeEnabled": false, - "DefaultBrowserSettingEnabled": false, - "SafeBrowsingEnabled": false, - "ExtensionInstallForcelist": [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", - "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" - ] - } - ''; - - master_preferences = pkgs.writeText "master_preferences" '' - { - "browser": { - "custom_chrome_frame": true - }, - - "extensions": { - "theme": { - "id": "", - "use_system": true - } - } - } - ''; -in { - environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; - - environment.systemPackages = [ - #pkgs.chromium - (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { - buildCommand = attrs.buildCommand + '' - touch $out/TEST123 - ''; - })) - ]; -} diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix deleted file mode 100644 index ee7a94b..0000000 --- a/2configs/lass/desktop-base.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; -in { - imports = [ - ./base.nix - ]; - - time.timeZone = "Europe/Berlin"; - - virtualisation.libvirtd.enable = true; - - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - - programs.ssh.startAgent = false; - - security.setuidPrograms = [ "slock" ]; - - services.printing = { - enable = true; - drivers = [ pkgs.foomatic_filters ]; - }; - - environment.systemPackages = with pkgs; [ - - powertop - - #window manager stuff - haskellPackages.xmobar - haskellPackages.yeganesh - dmenu2 - xlibs.fontschumachermisc - ]; - - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc - ]; - - services.xserver = { - enable = true; - - windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ - X11-xshape - ]; - windowManager.xmonad.enable = true; - windowManager.xmonad.enableContribAndExtras = true; - windowManager.default = "xmonad"; - desktopManager.default = "none"; - desktopManager.xterm.enable = false; - displayManager.slim.enable = true; - displayManager.auto.enable = true; - displayManager.auto.user = mainUser.name; - - layout = "us,de"; - xkbModel = "evdev"; - xkbVariant = "altgr-intl,nodeadkeys"; - xkbOptions = "grp:caps_toggle"; - - }; - -} diff --git a/2configs/lass/elster.nix b/2configs/lass/elster.nix deleted file mode 100644 index 1edd018..0000000 --- a/2configs/lass/elster.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - users.extraUsers = { - elster = { - name = "elster"; - description = "user for running elster-online"; - home = "/home/elster"; - useDefaultShell = true; - extraGroups = []; - createHome = true; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(elster) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/games.nix b/2configs/lass/games.nix deleted file mode 100644 index 6043a87..0000000 --- a/2configs/lass/games.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - environment.systemPackages = with pkgs; [ - dwarf_fortress - ]; - - users.extraUsers = { - games = { - name = "games"; - description = "user playing games"; - home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; - createHome = true; - useDefaultShell = true; - }; - }; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(games) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix deleted file mode 100644 index c0c305b..0000000 --- a/2configs/lass/git-repos.nix +++ /dev/null 
@@ -1,140 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - - x-repos = [ - (krebs-private "brain") - - (public "painload") - (public "shitment") - (public "wai-middleware-time") - (public "web-routes-wai-custom") - - (secret "pass") - - (tv-lass "emse-drywall") - (tv-lass "emse-hsdb") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - - rules = concatMap ({ rules, ... }: rules) x-repos; - - krebs-private = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - secret = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ 
repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - tv-lass = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ../../3modules/lass/iptables.nix - ]; - - tv.git = { - enable = true; - inherit repos rules users; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; - -} diff --git a/2configs/lass/gitolite-base.nix b/2configs/lass/gitolite-base.nix deleted file mode 100644 index b476299..0000000 --- a/2configs/lass/gitolite-base.nix +++ /dev/null 
@@ -1,173 +0,0 @@ -{ config, ... }: - -{ - services.gitolite = { - mutable = false; - keys = { - lass = config.sshKeys.lass.pub; - uriel = config.sshKeys.uriel.pub; - }; - rc = '' - %RC = ( - UMASK => 0077, - GIT_CONFIG_KEYS => "", - LOG_EXTRA => 1, - ROLES => { - READERS => 1, - WRITERS => 1, - }, - LOCAL_CODE => "$ENV{HOME}/.gitolite", - ENABLE => [ - 'help', - 'desc', - 'info', - 'perms', - 'writable', - 'ssh-authkeys', - 'git-config', - 'daemon', - 'gitweb', - 'repo-specific-hooks', - ], - ); - 1; - ''; - - repoSpecificHooks = { - irc-announce = '' - #! /bin/sh - set -euf - - config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" - if test -f "$config_file"; then - . "$config_file" - fi - - # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update - # any relevant gitolite LOCAL_CODE! - # CAVEAT we hope that IRC_NICK is unique - IRC_NICK="''${IRC_NICK-gl$GL_TID}" - IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" - IRC_SERVER="''${IRC_SERVER-ire.retiolum}" - IRC_PORT="''${IRC_PORT-6667}" - - # for privmsg_cat below - export IRC_CHANNEL - - # collect users that are mentioned in the gitolite configuration - interested_users="$(perl -e ' - do "gl-conf"; - print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); - ')" - - # CAVEAT beware of real TABs in grep pattern! - # CAVEAT there will never be more than 42 relevant log entries! 
- tab=$(printf '\x09') - log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" - - update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" - - # (debug output) - env | sed 's/^/env: /' - echo "$log" | sed 's/^/log: /' - - # see http://gitolite.com/gitolite/dev-notes.html#lff - reponame=$(echo "$update_log" | cut -f 4) - username=$(echo "$update_log" | cut -f 5) - ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') - old_sha=$(echo "$update_log" | cut -f 8) - new_sha=$(echo "$update_log" | cut -f 9) - - # check if new branch is created - if test $old_sha = 0000000000000000000000000000000000000000; then - # TODO what should we really show? - old_sha=$new_sha^ - fi - - # - git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" - commit_count=$(echo "$git_log" | wc -l) - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. (debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - # - # - # - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - echo "$interested_users" \ - | tr ' ' '\n' \ - | grep -v "^$GL_USER" \ - | sed 's/$/: poke/' \ - | privmsg_cat \ - | cat2 - - printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ - "$reponame" \ - "$username" \ - "$commit_count" \ - "$(test $commit_count 
= 1 || echo s)" \ - "$(hostname)" \ - "$ref_name" \ - | privmsg_cat \ - | cat2 - - echo "$git_log" \ - | sed 's/^/\x0314/;s/ /\x03 /' \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - }; - customFiles = [ - { - path = ".gitolite/conf/irc-announce.conf"; - file = '' - IRC_NICK="$(hostname)$GL_TID" - case "$GL_REPO" in - brain|painload|services|load-env|config) - IRC_CHANNEL='#retiolum' - ;; - *) - IRC_CHANNEL='&testing' - ;; - esac - ''; - } - ]; - }; -} diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix deleted file mode 100644 index f71b769..0000000 --- a/2configs/lass/ircd.nix +++ /dev/null 
@@ -1,92 +0,0 @@ -{ config, pkgs, ... }: - -{ - config.services.charybdis = { - enable = true; - config = '' - serverinfo { - name = "ire.irc.retiolum"; - sid = "4z3"; - description = "miep!"; - network_name = "irc.retiolum"; - network_desc = "Retiolum IRC Network"; - hub = yes; - - vhost = "0.0.0.0"; - vhost6 = "::"; - - #ssl_private_key = "etc/ssl.key"; - #ssl_cert = "etc/ssl.cert"; - #ssl_dh_params = "etc/dh.pem"; - #ssld_count = 1; - - default_max_clients = 10000; - #nicklen = 30; - }; - - listen { - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - host = "0.0.0.0"; - port = 6667; - sslport = 6697; - - /* Listen on IPv6 (if you used host= above). */ - host = "::"; - port = 6667; - sslport = 9999; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 200; - number_per_ip = 200; - number_per_ip_global = 500; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 9000; - max_number = 10000; - sendq = 400 kbytes; - }; - - exempt { - ip = "127.0.0.1"; - }; - - auth { - user = "*@*"; - class = "users"; - flags = exceed_limit; - }; - - channel { - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 15; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - general { - #maybe we want ident someday? - disable_auth = yes; - }; - ''; - }; -} diff --git a/2configs/lass/mors/repos.nix b/2configs/lass/mors/repos.nix deleted file mode 100644 index 1f7f334..0000000 --- a/2configs/lass/mors/repos.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ ... }: - -{ - imports = [ - ../lass/gitolite-base.nix - ../common/krebs-keys.nix - ../common/krebs-repos.nix - ]; - - services.gitolite = { - repos = { - - config = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - pass = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - load-env = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-drywall = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-hsdb = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - brain = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - #hooks.post-receive = irc-announce; - }; - - painload = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - services = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - xmonad-config = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - }; - }; -} diff --git a/2configs/lass/mors/retiolum.nix b/2configs/lass/mors/retiolum.nix deleted file mode 100644 index 1148bee..0000000 --- a/2configs/lass/mors/retiolum.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/retiolum - ]; - - tv.retiolum = { - enable = true; - hosts = <retiolum-hosts>; - privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; - connectTo = [ - "fastpoke" - "gum" - "ire" - ]; - }; - - networking.firewall.allowedTCPPorts = [ 655 ]; - networking.firewall.allowedUDPPorts = [ 655 ]; -} diff --git a/2configs/lass/pass.nix b/2configs/lass/pass.nix deleted file mode 100644 index 33eca0a..0000000 --- a/2configs/lass/pass.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - pass - gnupg1 - ]; - - services.xserver.startGnuPGAgent = true; -} diff --git a/2configs/lass/programs.nix b/2configs/lass/programs.nix deleted file mode 100644 index 41d241b..0000000 --- a/2configs/lass/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, ... }: - -## TODO sort and split up -{ - environment.systemPackages = with pkgs; [ - aria2 - gnupg1compat - htop - i3lock - mc - mosh - mpv - pass - pavucontrol - pv - pwgen - python34Packages.livestreamer - remmina - silver-searcher - wget - xsel - youtube-dl - ]; -} diff --git a/2configs/lass/sshkeys.nix b/2configs/lass/sshkeys.nix deleted file mode 100644 index 114a259..0000000 --- a/2configs/lass/sshkeys.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, ... }: - -{ - imports = [ - ../../3modules/lass/sshkeys.nix - ]; - - config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; - - config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel"; -} diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix deleted file mode 100644 index 7d088fc..0000000 --- a/2configs/lass/steam.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ config, pkgs, ... }: - -{ - - imports = [ - ./games.nix - ]; - # - # Steam stuff - # source: https://nixos.org/wiki/Talk:Steam - # - ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - - nixpkgs.config.steam.java = true; - environment.systemPackages = with pkgs; [ - steam - ]; - networking.firewall = { - allowedUDPPorts = [ - 27031 - 27036 - ]; - allowedTCPPorts = [ - 27036 - 27037 - ]; - }; - -} diff --git a/2configs/lass/texlive.nix b/2configs/lass/texlive.nix deleted file mode 100644 index 295df31..0000000 --- a/2configs/lass/texlive.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; }) - ]; -} diff --git a/2configs/lass/urxvt.nix b/2configs/lass/urxvt.nix deleted file mode 100644 index a2074ba..0000000 --- a/2configs/lass/urxvt.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (config.users.extraUsers) mainUser; - -in - -{ - imports = [ - ../../3modules/lass/urxvtd.nix - ../../3modules/lass/xresources.nix - ]; - - services.urxvtd = { - enable = true; - users = [ mainUser.name ]; - urxvtPackage = pkgs.rxvt_unicode_with-plugins; - }; - services.xresources.enable = true; - services.xresources.resources.urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* - URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* - URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select - URxvt.url-select.launcher: browser-select - URxvt.url-select.underline: true - URxvt.keysym.M-u: perl:url-select:select_next - URxvt.keysym.M-Escape: perl:keyboard-select:activate - URxvt.keysym.M-s: perl:keyboard-select:search - - URxvt.intensityStyles: false - - URxvt*background: #000000 - URxvt*foreground: #ffffff - - !change unreadable blue - URxvt*color4: #268bd2 - ''; -} 
diff --git a/2configs/lass/vim.nix b/2configs/lass/vim.nix deleted file mode 100644 index 3fe45e1..0000000 --- a/2configs/lass/vim.nix +++ /dev/null 
@@ -1,118 +0,0 @@ -{ config, pkgs, ... }: - -let - customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { - name = "Mustang2"; - src = pkgs.fetchFromGitHub { - owner = "croaker"; - repo = "mustang-vim"; - rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; - sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; - }; - }; - -in { - - environment.systemPackages = [ - (pkgs.vim_configurable.customize { - name = "vim"; - - vimrcConfig.customRC = '' - set nocompatible - set t_Co=16 - syntax on - " TODO autoload colorscheme file - set background=dark - colorscheme mustang - filetype off - filetype plugin indent on - - imap <F1> <nop> - - set mouse=a - set ruler - set showmatch - set backspace=2 - set visualbell - set encoding=utf8 - set showcmd - set wildmenu - - set title - set titleold= - set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} - - set autoindent - - set ttyfast - - set pastetoggle=<INS> - - - " Force Saving Files that Require Root Permission - command! W silent w !sudo tee "%" >/dev/null - - nnoremap <C-c> :q<Return> - vnoremap < <gv - vnoremap > >gv - - nmap <esc>q :buffer - - "Tabwidth - set ts=2 sts=2 sw=2 et - - " create Backup/tmp/undo dirs - function! InitBackupDir() - let l:parent = $HOME . '/.vim/' - let l:backup = l:parent . 'backups/' - let l:tmpdir = l:parent . 'tmp/' - let l:undodi = l:parent . 
'undo/' - - if !isdirectory(l:parent) - call mkdir(l:parent) - endif - if !isdirectory(l:backup) - call mkdir(l:backup) - endif - if !isdirectory(l:tmpdir) - call mkdir(l:tmpdir) - endif - if !isdirectory(l:undodi) - call mkdir(l:undodi) - endif - endfunction - call InitBackupDir() - - " Backups & Files - set backup - set backupdir=~/.vim/backups - set directory=~/.vim/tmp// - set viminfo='20,<1000,s100,h,n~/.vim/tmp/info - set undodir=$HOME/.vim/undo - set undofile - - " highlight whitespaces - highlight ExtraWhitespace ctermbg=red guibg=red - match ExtraWhitespace /\s\+$/ - autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ - autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/ - autocmd InsertLeave * match ExtraWhitespace /\s\+$/ - autocmd BufWinLeave * call clearmatches() - - "ft specific stuff - autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et - autocmd BufRead *.hs set ts=4 sts=4 sw=4 et - - "esc timeout - set timeoutlen=1000 ttimeoutlen=0 - ''; - - vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; - vimrcConfig.vam.pluginDictionaries = [ - { names = [ "Gundo" "commentary" "mustang2" ]; } - { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } - ]; - - }) - ]; -} diff --git a/2configs/lass/virtualbox.nix b/2configs/lass/virtualbox.nix deleted file mode 100644 index 0262031..0000000 --- a/2configs/lass/virtualbox.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - services.virtualboxHost.enable = true; - - users.extraUsers = { - virtual = { - name = "virtual"; - description = "user for running VirtualBox"; - home = "/home/virtual"; - useDefaultShell = true; - extraGroups = [ "vboxusers" "audio" ]; - createHome = true; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(virtual) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/wine.nix b/2configs/lass/wine.nix deleted file mode 100644 index 8d55da7..0000000 --- a/2configs/lass/wine.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - environment.systemPackages = with pkgs; [ - wineUnstable - ]; - users.extraUsers = { - wine = { - name = "wine"; - description = "user for running wine"; - home = "/home/wine"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(wine) NOPASSWD: ALL - ''; -} diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix deleted file mode 100644 index 3c2f7c9..0000000 --- a/3modules/krebs/default.nix +++ /dev/null 
@@ -1,309 +0,0 @@ -{ config, lib, ... }: - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs; - - out = { - imports = [ - ./github-hosts-sync.nix - ./git.nix - ./nginx.nix - ./retiolum.nix - ./urlwatch.nix - ]; - options.krebs = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs"; - - build = mkOption { - type = types.submodule { - options = { - host = mkOption { - type = types.host; - }; - user = mkOption { - type = types.user; - }; - }; - }; - # Define defaul value, so unset values of the submodule get reported. - default = {}; - }; - - hosts = mkOption { - type = with types; attrsOf host; - }; - - users = mkOption { - type = with types; attrsOf user; - }; - - # XXX is there a better place to define search-domain? - # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = ""; - example = "retiolum"; - }; - }; - - imp = mkMerge [ - { krebs = lass-imp; } - { krebs = makefu-imp; } - { krebs = tv-imp; } - { - # XXX This overlaps with krebs.retiolum - networking.extraHosts = - let - # TODO move domain name providers to a dedicated module - # providers : tree label providername - providers = { - internet = "hosts"; - retiolum = "hosts"; - de.viljetic = "regfish"; - de.krebsco = "ovh"; - }; - - # splitByProvider : [alias] -> listset providername alias - splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {}; - - # providerOf : alias -> providername - providerOf = alias: - tree-get (splitString "." 
alias) providers; - in - concatStringsSep "\n" (flatten ( - # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - longs = (splitByProvider net.aliases).hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) config.krebs.hosts - )); - } - ]; - - lass-imp = { - hosts = addNames { - }; - users = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; - }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; - }; - }; - }; - - makefu-imp = { - hosts = addNames { - pnp = { - cores = 1; - dc = "makefu"; #vm on 'omo' - nets = { - retiolum = { - addrs4 = ["10.243.0.210"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; - aliases = [ - "pnp.retiolum" - "cgit.pnp.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g - Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V - pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR - SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T - TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr - Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - }; - users = addNames { - makefu = { - mail = "root@euer.krebsco.de"; - pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; - }; - }; - }; - - tv-imp = { - hosts = addNames { - cd = { - cores = 2; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA 
PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - 
qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; - users = addNames { - mv = { - mail = "mv@cd.retiolum"; - pubkey = 
readFile ../../Zpubkeys/mv_vod.ssh.pub; - }; - tv = { - mail = "tv@wu.retiolum"; - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; - }; - }; - }; - -in -out diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix deleted file mode 100644 index 6046451..0000000 --- a/3modules/krebs/git.nix +++ /dev/null 
@@ -1,490 +0,0 @@ -{ config, pkgs, lib, ... }: - -# TODO unify logging of shell scripts to user and journal -# TODO move all scripts to ${etcDir}, so ControlMaster connections -# immediately pick up new authenticators -# TODO when authorized_keys changes, then restart ssh -# (or kill already connected users somehow) - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs.git; - - out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; - options.krebs.git = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.cgit cgit-imp) - git-imp - ]); - }; - - api = { - enable = mkEnableOption "krebs.git"; - - cgit = mkOption { - type = types.bool; - default = true; - description = '' - Enable cgit. - Cgit is an attempt to create a fast web interface for the git version - control system, using a built in cache to decrease pressure on the - git server. - cgit in this module is being served via fastcgi nginx.This module - deploys a http://cgit.<hostname> nginx configuration and enables nginx - if not yet enabled. - ''; - }; - dataDir = mkOption { - type = types.str; - default = "/var/lib/git"; - description = "Directory used to store repositories."; - }; - etcDir = mkOption { - type = types.str; - default = "/etc/git"; - }; - repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { - type = types.str; - description = '' - Repository name. - ''; - }; - hooks = mkOption { - type = types.attrsOf types.str; - default = {}; - description = '' - Repository-specific hooks. - ''; - }; - public = mkOption { - type = types.bool; - default = false; - description = '' - Allow everybody to read the repository via HTTP if cgit enabled. 
- ''; - # TODO allow every configured user to fetch the repository via SSH. - }; - }; - })); - - default = {}; - - example = literalExample '' - { - testing = { - name = "testing"; - hooks.post-update = ''' - #! /bin/sh - set -euf - echo post-update hook: $* >&2 - '''; - }; - testing2 = { name = "testing2"; }; - } - ''; - - description = '' - Repositories. - ''; - }; - root-desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed below the heading on the repository index page. - Default value: "a fast webinterface for the git dscm". - ''; - }; - root-title = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed as heading on the repository index page. - Default value: "Git Repository Browser". - ''; - }; - rules = mkOption { - type = types.unspecified; - }; - }; - - git-imp = { - system.activationScripts.git-init = "${init-script}"; - - # TODO maybe put all scripts here and then use PATH? - environment.etc."${etc-base}".source = - scriptFarm "git-ssh-authorizers" { - authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (map getName perm.allow-commands) - ]) cfg.rules); - - authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (ensureList perm.allow-receive-ref) - (map getName perm.allow-receive-modes) - ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); - }; - - users.extraUsers = singleton { - description = "Git repository hosting user"; - name = "git"; - shell = "/bin/sh"; - openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - config.krebs.users; - uid = 129318403; # genid git - }; - }; - - cgit-imp = { - users.extraUsers = lib.singleton { - inherit (fcgitwrap-user) group name uid; - home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); - }; - - 
users.extraGroups = lib.singleton { - inherit (fcgitwrap-group) gid name; - }; - - services.fcgiwrap = { - enable = true; - user = fcgitwrap-user.name; - group = fcgitwrap-user.group; - # socketAddress = "/run/fcgiwrap.sock" (default) - # socketType = "unix" (default) - }; - - environment.etc."cgitrc".text = '' - css=/static/cgit.css - logo=/static/cgit.png - - # if you do not want that webcrawler (like google) index your site - robots=noindex, nofollow - - virtual-root=/ - - # TODO make this nicer (and/or somewhere else) - cache-root=/tmp/cgit - - cache-size=1000 - enable-commit-graph=1 - enable-index-links=1 - enable-index-owner=0 - enable-log-filecount=1 - enable-log-linecount=1 - enable-remote-branches=1 - - ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} - ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} - - snapshots=0 - max-stats=year - - ${concatMapStringsSep "\n" (repo: '' - repo.url=${repo.name} - repo.path=${cfg.dataDir}/${repo.name} - ${optionalString (repo.section != null) "repo.section=${repo.section}"} - ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} - '') (filter isPublicRepo (attrValues cfg.repos))} - ''; - - system.activationScripts.cgit = '' - mkdir -m 0700 -p /tmp/cgit - chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit - ''; - - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; - }; - }; - - fcgitwrap-user = { - name = 
"fcgiwrap"; - uid = 2867890860; # genid fcgiwrap - group = "fcgiwrap"; - }; - - fcgitwrap-group = { - name = fcgitwrap-user.name; - gid = fcgitwrap-user.uid; - }; - - - ensureList = x: - if typeOf x == "list" then x else [x]; - - getName = x: x.name; - - isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: - # TODO assert name - # TODO assert pubkey - let - options = concatStringsSep "," [ - ''command="exec ${git-ssh-command} ${name}"'' - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - in - "${options} ${pubkey}"; - - # [case-pattern] -> shell-script - # Create a shell script that succeeds (exit 0) when all its arguments - # match the case patterns (in the given order). - makeAuthorizeScript = - let - # TODO escape - to-pattern = x: concatStringsSep "|" (ensureList x); - go = i: ps: - if ps == [] - then "exit 0" - else '' - case ''$${toString i} in ${to-pattern (head ps)}) - ${go (i + 1) (tail ps)} - esac''; - in - patterns: '' - #! /bin/sh - set -euf - ${concatStringsSep "\n" (map (go 1) patterns)} - exit -1 - ''; - - reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); - - # TODO makeGitHooks that uses runCommand instead of scriptFarm? - scriptFarm = - farm-name: scripts: - let - makeScript = script-name: script-string: { - name = script-name; - path = pkgs.writeScript "${farm-name}_${script-name}" script-string; - }; - in - pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); - - - git-ssh-command = pkgs.writeScript "git-ssh-command" '' - #! 
/bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnugrep - gnused - systemd - ])} - - abort() { - echo "error: $1" >&2 - systemd-cat -p err -t git echo "error: $1" - exit -1 - } - - GIT_SSH_USER=$1 - - systemd-cat -p info -t git echo \ - "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" - - # References: The Base Definitions volume of - # POSIX.1‐2013, Section 3.278, Portable Filename Character Set - portable_filename_bre="^[A-Za-z0-9._-]\\+$" - - command=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read command') - - GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read reponame') - - ${cfg.etcDir}/authorize-command \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ - || abort 'access denied' - - repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO - - systemd-cat -p info -t git \ - echo "authorized exec $command $repodir" - - export GIT_SSH_USER - export GIT_SSH_REPO - exec "$command" "$repodir" - ''; - - init-script = pkgs.writeScript "git-init" '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - gawk - git - gnugrep - gnused - ])} - - dataDir=${escapeShellArg cfg.dataDir} - mkdir -p "$dataDir" - - # Notice how the presence of hooks symlinks determine whether - # we manage a repositry or not. - - # Make sure that no existing repository has hooks. We can delete - # symlinks because we assume we created them. - find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete - bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) - if echo "$bad_hooks" | grep -q .; then - printf 'error: unknown hooks:\n%s\n' \ - "$(echo "$bad_hooks" | sed 's/^/ /')" \ - >&2 - exit -1 - fi - - # Initialize repositories. 
- ${concatMapStringsSep "\n" (repo: - let - hooks = scriptFarm "git-hooks" (makeHooks repo); - in - '' - reponame=${escapeShellArg repo.name} - repodir=$dataDir/$reponame - mode=${toString (if isPublicRepo repo then 0711 else 0700)} - if ! test -d "$repodir"; then - mkdir -m "$mode" "$repodir" - git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" - fi - ln -s ${hooks} "$repodir/hooks" - '' - ) (attrValues cfg.repos)} - - # Warn about repositories that exist but aren't mentioned in the - # current configuration (and thus didn't receive a hooks symlink). - unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ - -type d \! -exec test -e '{}/hooks' \; -print) - if echo "$unknown_repos" | grep -q .; then - printf 'warning: stale repositories:\n%s\n' \ - "$(echo "$unknown_repos" | sed 's/^/ /')" \ - >&2 - fi - ''; - - makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { - pre-receive = '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils # env - git - systemd - ])} - - accept() { - #systemd-cat -p info -t git echo "authorized $1" - accept_string="''${accept_string+$accept_string - }authorized $1" - } - reject() { - #systemd-cat -p err -t git echo "denied $1" - #echo 'access denied' >&2 - #exit_code=-1 - reject_string="''${reject_string+$reject_string - }access denied: $1" - } - - empty=0000000000000000000000000000000000000000 - - accept_string= - reject_string= - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - if ${cfg.etcDir}/authorize-push \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then - accept "$receive_mode $ref" - else - reject "$receive_mode $ref" - fi - done - - if [ -n "$reject_string" ]; then - systemd-cat -p err -t git echo 
"$reject_string" - exit -1 - fi - - systemd-cat -p info -t git echo "$accept_string" - - ${optionalString (hasAttr "post-receive" repo.hooks) '' - # custom post-receive hook - ${repo.hooks.post-receive}''} - ''; - }; - - etc-base = - assert (hasPrefix "/etc/" cfg.etcDir); - removePrefix "/etc/" cfg.etcDir; - -in -out diff --git a/3modules/krebs/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix deleted file mode 100644 index c3b56ef..0000000 --- a/3modules/krebs/github-hosts-sync.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.github-hosts-sync; - - out = { - options.krebs.github-hosts-sync = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; - dataDir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/github-hosts-sync"; - }; - ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} - default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; - }; - }; - - imp = { - systemd.services.github-hosts-sync = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - port = toString cfg.port; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "github-hosts-sync"; - User = user.name; - Restart = "always"; - ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' - #! /bin/sh - set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ - ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts - ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = cfg.dataDir; - }; - }; - - user = { - name = "github-hosts-sync"; - uid = 3220554646; # genid github-hosts-sync - }; - - Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; -in -out 
diff --git a/3modules/krebs/nginx.nix b/3modules/krebs/nginx.nix deleted file mode 100644 index 702e8a7..0000000 --- a/3modules/krebs/nginx.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - servers = mkOption { - type = with types; attrsOf optionSet; - options = singleton { - server-names = mkOption { - type = with types; listOf str; - # TODO use identity - default = [ - "${config.networking.hostName}" - "${config.networking.hostName}.retiolum" - ]; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - }; - }; - default = {}; - }; - }; - - imp = { - services.nginx = { - enable = true; - httpConfig = '' - include ${pkgs.nginx}/conf/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - server { - listen 80 default_server; - server_name _; - return 404; - } - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - - indent = replaceChars ["\n"] ["\n "]; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, locations, ... }: '' - server { - listen 80; - server_name ${toString server-names}; - ${indent (concatStrings (map to-location locations))} - } - ''; - -in -out diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix deleted file mode 100644 index 481d656..0000000 --- a/3modules/krebs/retiolum.nix +++ /dev/null 
@@ -1,226 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.retiolum; - - out = { - options.krebs.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.retiolum"; - - name = mkOption { - type = types.str; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; - }; - - generateEtcHosts = mkOption { - type = types.str; - default = "both"; - description = '' - If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>, - then generate entries in <filename>/etc/hosts</filename> from subnets. - ''; - }; - - network = mkOption { - type = types.str; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - type = with types; either package path; - default = ../../Zhosts; - description = '' - If a path is given, then it will be used to generate an ad-hoc package. 
- ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.str; - default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = '' - Generate file with <literal>tincd -K</literal>. - This file must exist on the local system. The default points to - <secrets/retiolum.rsa_key.priv>. - ''; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "gum" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. - ''; - }; - - }; - - imp = { - environment.systemPackages = [ tinc hosts iproute ]; - - networking.extraHosts = retiolumExtraHosts; - - systemd.services.retiolum = { - description = "Tinc daemon for Retiolum"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; - SyslogIdentifier = "retiolum"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "retiolum"; - uid = 301281149; # genid retiolum - }; - - tinc = cfg.tincPackage; - - hosts = getAttr (typeOf cfg.hosts) { - package = cfg.hosts; - path = pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . 
-name .git -prune -o -type f -print0 \ - | xargs -0 cp --target-directory $out - ''; - }; - }; - - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf <<EOF - Name = ${cfg.name} - Device = /dev/net/tun - Interface = ${cfg.network} - ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)} - PrivateKeyFile = /tmp/retiolum-rsa_key.priv - EOF - - # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up - cat > $out/tinc-up <<EOF - host=$out/hosts/${cfg.name} - ${iproute}/sbin/ip link set \$INTERFACE up - - addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host) - if [ -n "\$addr4" ];then - ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE - ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE - fi - addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host) - ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE - ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE - EOF - - chmod +x $out/tinc-up - ''; - -in out diff --git a/3modules/krebs/urlwatch.nix b/3modules/krebs/urlwatch.nix deleted file mode 100644 index 58de72f..0000000 --- a/3modules/krebs/urlwatch.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ config, lib, pkgs, ... }: - -# TODO multiple users -# TODO inform about unused caches -# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" -# TODO hooks.py - -with builtins; -with lib; -let - cfg = config.krebs.urlwatch; - - # TODO assert sendmail's existence - out = { - options.krebs.urlwatch = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.urlwatch"; - - dataDir = mkOption { - type = types.str; - default = "/var/lib/urlwatch"; - description = '' - Directory where the urlwatch service should store its state. - ''; - }; - from = mkOption { - type = types.str; - default = "${user.name}@${config.networking.hostName}.retiolum"; - description = '' - Content of the 
From: header of the generated mails. - ''; - }; - mailto = mkOption { - type = types.str; - description = '' - Content of the To: header of the generated mails. [AKA recipient :)] - ''; - }; - onCalendar = mkOption { - type = types.str; - description = '' - Run urlwatch at this interval. - The format is described in systemd.time(7), CALENDAR EVENTS. - ''; - example = "04:23"; - }; - urls = mkOption { - type = with types; listOf str; - description = "URL to watch."; - example = [ - https://nixos.org/channels/nixos-unstable/git-revision - ]; - }; - }; - - urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); - - imp = { - systemd.timers.urlwatch = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = cfg.onCalendar; - Persistent = "true"; - }; - }; - systemd.services.urlwatch = { - path = with pkgs; [ - coreutils - gnused - urlwatch - ]; - environment = { - HOME = cfg.dataDir; - LC_ALL = "en_US.UTF-8"; - LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive"; - SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - }; - serviceConfig = { - User = user.name; - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Type = "oneshot"; - ExecStartPre = - pkgs.writeScript "urlwatch-prestart" '' - #! /bin/sh - set -euf - - dataDir=$HOME - - if ! test -e "$dataDir"; then - mkdir -m 0700 -p "$dataDir" - chown ${user.name}: "$dataDir" - fi - ''; - ExecStart = pkgs.writeScript "urlwatch" '' - #! 
/bin/sh - set -euf - - from=${escapeShellArg cfg.from} - mailto=${escapeShellArg cfg.mailto} - urlsFile=${escapeShellArg urlsFile} - - cd /tmp - - urlwatch -e --urls="$urlsFile" > changes 2>&1 || : - - if test -s changes; then - date=$(date -R) - subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ - | tr \\n \ ) - { - echo "Date: $date" - echo "From: $from" - echo "Subject: $subject" - echo "To: $mailto" - echo - cat changes - } | /var/setuid-wrappers/sendmail -t - fi - ''; - }; - }; - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "urlwatch"; - uid = 3467631196; # genid urlwatch - }; -in -out diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix deleted file mode 100644 index c97b9f7..0000000 --- a/3modules/lass/iptables.nix +++ /dev/null 
@@ -1,187 +0,0 @@ -arg@{ config, lib, pkgs, ... }: - -let - inherit (pkgs) writeScript writeText; - - inherit (lib) - concatMapStringsSep - concatStringsSep - attrNames - unique - fold - any - attrValues - catAttrs - filter - flatten - length - hasAttr - mkEnableOption - mkOption - mkIf - types - sort; - - elemIsIn = a: as: - any (x: x == a) as; - - cfg = config.lass.iptables; - - out = { - options.lass.iptables = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "iptables"; - - #tables.filter.INPUT = { - # policy = "DROP"; - # rules = [ - # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } - # ]; - #}; - #new api - tables = mkOption { - type = with types; attrsOf (attrsOf (submodule ({ - options = { - policy = mkOption { - type = str; - default = "-"; - }; - rules = mkOption { - type = nullOr (listOf (submodule ({ - options = { - predicate = mkOption { - type = str; - }; - target = mkOption { - type = str; - }; - precedence = mkOption { - type = int; - default = 0; - }; - }; - }))); - default = null; - }; - }; - }))); - }; - }; - - imp = { - networking.firewall.enable = false; - - systemd.services.lass-iptables = { - description = "lass-iptables"; - wantedBy = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; - after = [ "systemd-modules-load.service" ]; - - path = with pkgs; [ - iptables - ]; - - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - RemainAfterExit = true; - Restart = "always"; - ExecStart = "@${startScript} lass-iptables_start"; - }; - }; - }; - - #buildTable :: iptablesVersion -> iptablesAttrSet` -> str - #todo: differentiate by iptables-version - buildTables = v: ts: - let - - declareChain = t: cn: - #TODO: find out what to do whit these count numbers - ":${cn} ${t."${cn}".policy} [0:0]"; - - buildChain = tn: cn: - let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; - - in - #TODO: double check should be unneccessary, refactor! 
- if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules - ) - else - "" - ; - - - buildRule = tn: cn: rule: - #target validation test: - assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. - "${rule.predicate} -j ${rule.target}"; - - buildTable = tn: - "*${tn}\n" + - concatStringsSep "\n" ([] - ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") - ) + - #this looks dirty, find a better way to do this (maybe optionalString) - concatStringsSep "" ([] - ++ map (buildChain tn) (attrNames ts."${tn}") - ) + - "\nCOMMIT"; - in - concatStringsSep "\n" ([] - ++ map buildTable (attrNames ts) - ); - -#===== - - rules4 = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - writeText "lass-iptables-rules${toString iptables-version}" '' - ${buildTables iptables-version tables} - ''; - - startScript = writeScript "lass-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} - ''; - -in -out - 
diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix deleted file mode 100644 index 5f1c606..0000000 --- a/3modules/lass/sshkeys.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, ... }: - -with lib; - -{ - options = { - sshKeys = mkOption { - type = types.attrsOf (types.submodule ( - { config, ... }: - { - options = { - pub = mkOption { - type = types.str; - description = "Public part of the ssh key."; - }; - - priv = mkOption { - type = types.str; - description = "Private part of the ssh key."; - }; - }; - })); - description = "collection of ssh-keys"; - }; - }; -} diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix deleted file mode 100644 index 469616a..0000000 --- a/3modules/lass/urxvtd.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: - -let -in - -with builtins; -with lib; - -{ - options = { - services.urxvtd = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable urxvtd per user"; - }; - users = mkOption { - type = types.listOf types.string; - default = []; - description = "users to run urxvtd for"; - }; - urxvtPackage = mkOption { - type = types.package; - default = pkgs.rxvt_unicode; - description = "urxvt package to use"; - }; - }; - }; - - config = - let - cfg = config.services.urxvtd; - users = cfg.users; - urxvt = cfg.urxvtPackage; - mkService = user: { - description = "urxvt terminal daemon"; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - path = [ pkgs.xlibs.xrdb ]; - environment = { - DISPLAY = ":0"; - URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; - }; - serviceConfig = { - Restart = "always"; - User = user; - ExecStart = "${urxvt}/bin/urxvtd"; - }; - }; - in - mkIf cfg.enable { - environment.systemPackages = [ urxvt ]; - systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); - }; -} diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix deleted file mode 100644 index 15c5b8b..0000000 
--- a/3modules/lass/xresources.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: -#prefix with Attribute Name -#ex: urxvt - -# -# -with builtins; -with lib; - - -let - - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; - inherit (pkgs) writeScript; - -in - -{ - - options = { - services.xresources.enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the automatic loading of Xresources definitions at display-manager start; - ''; - }; - - services.xresources.resources = mkOption { - default = {}; - type = types.attrsOf types.str; - example = { - urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - ''; - }; - description = '' - Xresources definitions. - ''; - }; - }; - - config = - let - cfg = config.services.xresources; - xres = concatStringsSep "\n" (attrValues cfg.resources); - - in mkIf cfg.enable { - services.xserver.displayManager.sessionCommands = '' - echo ${shell-escape xres} | xrdb -merge - ''; - }; - -} diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix deleted file mode 100644 index 0c42a5d..0000000 --- a/4lib/krebs/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -builtins // lib // rec { - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - types = import ./types.nix { inherit lib; }; - - - # listset k v = set k [v] - - # listset-insert : k -> v -> listset k v -> listset k v - listset-insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; - - # tree k v = set k (either v (tree k v)) - - # tree-get : [k] -> tree k v -> v - tree-get = path: x: - let - y = x.${last path}; - in - if typeOf y != "set" - then y - else tree-get (init path) y; - -} diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix deleted file mode 100644 index 3d3d75a..0000000 --- a/4lib/krebs/types.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ lib, ... }: - -with lib; -with types; - -types // rec { - - host = submodule { - options = { - name = mkOption { - type = label; - }; - dc = mkOption { - type = label; - }; - cores = mkOption { - type = positive; - }; - nets = mkOption { - type = attrsOf net; - apply = x: assert hasAttr "retiolum" x; x; - }; - secure = mkOption { - type = bool; - default = false; - description = '' - If true, then the host is capable of keeping secret information. - - TODO define minimum requirements for secure hosts - ''; - }; - }; - }; - - net = submodule ({ config, ... }: { - options = { - via = mkOption { - type = nullOr net; - default = null; - }; - addrs = mkOption { - type = listOf addr; - apply = _: config.addrs4 ++ config.addrs6; - }; - addrs4 = mkOption { - type = listOf addr4; - default = []; - }; - addrs6 = mkOption { - type = listOf addr6; - default = []; - }; - aliases = mkOption { - # TODO nonEmptyListOf hostname - type = listOf hostname; - }; - tinc = mkOption { - type = let net-config = config; in submodule ({ config, ... }: { - options = { - config = mkOption { - type = str; - apply = _: '' - ${optionalString (net-config.via != null) - (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)} - ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs} - ${config.pubkey} - ''; - }; - pubkey = mkOption { - type = str; - }; - }; - }); - }; - }; - }); - - positive = mkOptionType { - name = "positive integer"; - check = x: isInt x && x > 0; - merge = mergeOneOption; - }; - - user = submodule { - options = { - mail = mkOption { - type = str; # TODO retiolum mail address - }; - name = mkOption { - type = str; # TODO - }; - pubkey = mkOption { - type = str; - }; - }; - }; - - # TODO - addr = str; - addr4 = str; - addr6 = str; - hostname = str; - label = str; -} diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix deleted file mode 100644 index 16888c2..0000000 --- a/4lib/tv/default.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ lib, pkgs, ... }: - -let - krebs = import ../../4lib/krebs { inherit lib; }; -in - -with krebs; - -krebs // rec { - - git = import ./git.nix { - lib = lib // { - inherit addNames; - }; - inherit pkgs; - }; - - # "7.4.335" -> "74" - majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - - concat = xs : - if xs == [] - then "" - else head xs + concat (tail xs) - ; - - flip = f : x : y : f y x; - - # isSuffixOf :: String -> String -> Bool - isSuffixOf = - s : xs : - let - sn = stringLength s; - xsn = stringLength xs; - in - xsn >= sn && substring (xsn - sn) sn xs == s ; - - # setMap :: (String -> a -> b) -> Set String a -> [b] - #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs); - - # setToList :: Set k a -> [a] - #setToList = setMap (_: v: v); - - shell-escape = - let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; - in - stringAsChars (c: - if isSafeChar c then c - else if c == "\n" then "'\n'" - else "\\${c}"); -} @@ -2,7 +2,7 @@ # usage: # make system=foo # make systems='foo bar' -# make eval system=foo get=config.networking.extraHosts +# make eval system=foo get=config.networking.extraHosts [filter=json] # .ONESHELL: 
@@ -17,91 +17,30 @@ $(systems): --tagstring {} \ -q make systems= system={} ::: $(systems) else ifdef system -include 0make/$(LOGNAME)/$(system).makefile .PHONY: deploy deploy:;@ - system_name=$(system) - deploy_host=$(deploy_host) - nixpkgs_url=$(nixpkgs_url) - nixpkgs_rev=$(nixpkgs_rev) - secrets_dir=$(secrets_dir) - - prepush(){( - dst=$$1 - src=$$2 - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --rsync-path="mkdir -p \"$$dst\" && rsync" \ - --usermap=\*:0 \ - --groupmap=\*:0 \ - --delete-excluded \ - -vrLptgoD \ - "$$src/" "$$deploy_host:$$dst" - )} - - prepush /root/src/stockholm "$$PWD" - prepush /root/src/secrets "$$secrets_dir" - - ssh -S none "$$deploy_host" -T env \ - nixpkgs_url="$$nixpkgs_url" \ - nixpkgs_rev="$$nixpkgs_rev" \ - system_name="$$system_name" \ - user_name="$$LOGNAME" \ - sh -euf \ - <<-\EOF - prefetch(){( - dst=$$1 - url=$$2 - rev=$$3 - mkdir -p "$$dst" - cd "$$dst" - if ! test -e .git; then - git init - fi - if ! cur_url=$$(git config remote.origin.url 2>/dev/null); then - git remote add origin "$$url" - elif test "$$cur_url" != "$$url"; then - git remote set-url origin "$$url" - fi - if test "$$(git rev-parse --verify HEAD 2>/dev/null)" != "$$rev"; then - git fetch origin - git checkout "$$rev" -- . - git checkout -q "$$rev" - git submodule init - git submodule update - fi - git clean -dxf - )} - - prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" - - echo build system... 
- NIX_PATH=/root/src \ - nix-build \ - -Q \ - -A system \ - '<stockholm>' \ - --argstr user-name "$$user_name" \ - --argstr system-name "$$system_name" - - result/bin/switch-to-configuration switch - EOF + make eval system=$(system) get=config.krebs.build.script filter=json | sh .PHONY: eval eval: @ +ifeq ($(filter),json) + extraArgs=--json + filter() { jq -r .; } +else + filter() { cat; } +endif NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ nix-instantiate \ - --json \ + $${extraArgs-} \ + $${json+--json} \ + $${json+--strict} \ --eval \ - --strict \ -A "$$get" \ '<stockholm>' \ --argstr user-name "$$LOGNAME" \ --argstr system-name "$$system" \ - | jq -r . + | filter else $(error unbound variable: system[s]) endif diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix deleted file mode 100644 index 231fda7..0000000 --- a/Zpkgs/krebs/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ pkgs, ... }: - -let - inherit (pkgs) callPackage; -in - -pkgs // -{ - dic = callPackage ./dic.nix {}; - genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; - hashPassword = callPackage ./hashPassword.nix {}; -} diff --git a/Zpkgs/krebs/dic.nix b/Zpkgs/krebs/dic.nix deleted file mode 100644 index 571773d..0000000 --- a/Zpkgs/krebs/dic.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ stdenv, fetchgit, coreutils, curl, gnused, gnugrep, ... }: - -stdenv.mkDerivation { - name = "dic"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - path = stdenv.lib.makeSearchPath "bin" [ - coreutils - curl - gnused - gnugrep - ]; - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n PATH=${path}; export PATH,' \ - < ./util/bin/dic \ - > $out/bin/dic - - chmod +x $out/bin/dic - ''; -} 
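Review bot: In the new eval recipe the json branch sets only `extraArgs=--json`, but the nix-instantiate call also expands `$${json+--json}` and `$${json+--strict}`, and nothing in the recipe assigns `json`; unless it happens to arrive from the environment, both expand to nothing, so `--strict` (which the old unconditional argument list carried) is silently dropped in json mode. Either assign `json=1` next to `extraArgs=--json` or collapse the three expansions into a single `extraArgs='--json --strict'`. Separately, the new deploy recipe `make eval system=$(system) get=config.krebs.build.script filter=json | sh` reports the exit status of `sh`, so a failed or empty evaluation (nix-instantiate error, `jq` printing nothing) looks like a successful deploy. Capturing the script first, `script=$$(make eval system=$(system) get=config.krebs.build.script filter=json) && printf '%s\n' "$$script" | sh`, makes the recipe abort on evaluation failure and makes explicit that whatever `config.krebs.build.script` (defined outside this diff) evaluates to is what runs locally with the invoking user's privileges.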
diff --git a/Zpkgs/krebs/genid.nix b/Zpkgs/krebs/genid.nix deleted file mode 100644 index c75bec3..0000000 --- a/Zpkgs/krebs/genid.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ lib, pkgs, ... }: - -pkgs.writeScriptBin "genid" '' - #! /bin/sh - # usage: genid NAME - set -euf - - export PATH=${lib.makeSearchPath "bin" (with pkgs; [ - bc - coreutils - ])} - - name=$1 - hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F) - echo " - min=2^24 # bigger than nobody and nogroup, see <nixos/modules/misc/ids.nix> - # and some spare for stuff like lxd. - max=2^32 # see 2^(8*sizeof(uid_t)) - ibase=16 - ($hash + min) % max - " | bc -'' diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix deleted file mode 100644 index d69b2b1..0000000 --- a/Zpkgs/krebs/github-hosts-sync.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchgit, pkgs, ... }: - -stdenv.mkDerivation { - name = "github-hosts-sync"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; - path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - git - gnugrep - gnused - openssh - socat - ]); - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ - < ./retiolum/scripts/github_hosts_sync/hosts-sync \ - > $out/bin/github-hosts-sync - - chmod +x $out/bin/github-hosts-sync - ''; -} diff --git a/Zpkgs/krebs/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix deleted file mode 100644 index 302fdd8..0000000 --- a/Zpkgs/krebs/github-known_hosts.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) diff --git a/Zpkgs/krebs/hashPassword.nix b/Zpkgs/krebs/hashPassword.nix deleted file mode 100644 index a10340c..0000000 --- a/Zpkgs/krebs/hashPassword.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ lib, pkgs, ... }: - -pkgs.writeScriptBin "hashPassword" '' - #! /bin/sh - # usage: hashPassword - set -euf - - export PATH=${lib.makeSearchPath "bin" (with pkgs; [ - coreutils - mkpasswd - openssl - ])} - - salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16) - exec mkpasswd -m sha-512 -S "$salt" -'' diff --git a/Zpkgs/tv/lentil/1.patch b/Zpkgs/tv/lentil/1.patch deleted file mode 100644 index 6e5a00c..0000000 --- a/Zpkgs/tv/lentil/1.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -rN -u old-lentil/src/Lentil/File.hs new-lentil/src/Lentil/File.hs ---- old-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 -+++ new-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 -@@ -13,10 +13,13 @@ - import Lentil.Types - import Lentil.Parse.Run - -+import System.Directory - import System.FilePath - import System.FilePath.Find -+import Data.Either - import Data.Monoid - import Control.Applicative -+import Control.Exception.Base - - import qualified Data.List as L - -@@ -36,7 +39,12 @@ - -------------- - - findIssues :: [FilePath] -> [FilePath] -> IO [Issue] --findIssues is xs = find always (findClause is xs) "." >>= issueFinder -+findIssues is xs = -+ (mapM (try . canonicalizePath) is :: IO [Either SomeException FilePath]) >>= -+ return . rights >>= -+ mapM (\i -> find always (findClause [i] xs) i) >>= -+ return . concat >>= -+ issueFinder - - -- fp to include, fp to exclude, clause - findClause :: [FilePath] -> [FilePath] -> FindClause Bool -@@ -47,6 +55,6 @@ - (not <$> fmap getAny xc) - where - fp2fc :: FilePath -> FindClause Any -- fp2fc f = Any . L.isPrefixOf (combine "." f) <$> filePath -+ fp2fc f = Any . L.isPrefixOf f <$> filePath - -- TODO: combine funziona su windows? [feature:intermediate] - diff --git a/1systems/tv/cd.nix b/tv/1systems/cd.nix index 6913508..54292eb 100644 --- a/1systems/tv/cd.nix +++ b/tv/1systems/cd.nix 
@@ -3,21 +3,37 @@ with lib; let - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; + tvpkgs = import ../5pkgs { inherit pkgs; }; in { krebs.build.host = config.krebs.hosts.cd; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@cd.internet"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/CAC-Developer-2.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-server.nix - ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git.nix + ../2configs/CAC-Developer-2.nix + ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/consul-server.nix + ../2configs/exim-smarthost.nix + ../2configs/git.nix { - imports = [ ../../2configs/tv/charybdis.nix ]; + imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { enable = true; sslCert = ../../Zcerts/charybdis_cd.crt.pem; @@ -68,7 +84,7 @@ in server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) locations = singleton (nameValuePair "/" '' - root ${Zpkgs.viljetic-pages}; + root ${tvpkgs.viljetic-pages}; ''); }; } diff --git a/1systems/tv/mkdir.nix b/tv/1systems/mkdir.nix index 7542ad0..cd3d3b5 100644 --- a/1systems/tv/mkdir.nix +++ b/tv/1systems/mkdir.nix 
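Review bot: The `krebs.build.deps.nixpkgs.rev` added here pins cd to `4c01e6d91993b6de128795f4fbdd25f6227fb870`, while the identical block added to mkdir.nix and nomic.nix pins `9d5508d85c33b8fb22d79dde6176792eac2c2696` and rmdir.nix again uses `4c01e6d91993b6de128795f4fbdd25f6227fb870`; if the split is intentional it should say so, e.g. `# TODO(review): cd/rmdir and mkdir/nomic pin different nixpkgs revs — confirm intended`, otherwise one host pair is built from a different nixpkgs than planned. Pinning by full commit id is the right approach; repeating it in four places is what makes such drift easy to miss. The `secrets` and `stockholm` entries are byte-for-byte the same in all four files, and every one of these hosts imports `../2configs/base.nix`, so the shared parts of the deps block could live there with only the per-host line kept here, `krebs.build.deps.nixpkgs.rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";`. This is duplication and documentation, not a functional defect.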
@@ -4,14 +4,30 @@ with lib;
 {
 krebs.build.host = config.krebs.hosts.mkdir;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@mkdir.internet";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
 imports = [
- ../../2configs/tv/CAC-Developer-1.nix
- ../../2configs/tv/CAC-CentOS-7-64bit.nix
- ../../2configs/tv/base.nix
- ../../2configs/tv/consul-server.nix
- ../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git.nix
+ ../2configs/CAC-Developer-1.nix
+ ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
+ ../2configs/git.nix
 {
 tv.iptables = {
 enable = true;
diff --git a/1systems/tv/nomic.nix b/tv/1systems/nomic.nix
index cd6e025..b9a10cb 100644
--- a/1systems/tv/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -4,13 +4,29 @@ with lib;
 {
 krebs.build.host = config.krebs.hosts.nomic;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@nomic.gg23";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
 imports = [
- ../../2configs/tv/AO753.nix
- ../../2configs/tv/base.nix
- ../../2configs/tv/consul-server.nix
- ../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git.nix
+ ../2configs/AO753.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
 {
 tv.iptables = {
 enable = true;
diff --git a/1systems/tv/rmdir.nix b/tv/1systems/rmdir.nix
index 9233014..c8ac43e 100644
--- a/1systems/tv/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -4,14 +4,30 @@ with lib;
 {
 krebs.build.host = config.krebs.hosts.rmdir;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@rmdir.internet";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
 imports = [
- ../../2configs/tv/CAC-Developer-1.nix
- ../../2configs/tv/CAC-CentOS-7-64bit.nix
- ../../2configs/tv/base.nix
- ../../2configs/tv/consul-server.nix
- ../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git.nix
+ ../2configs/CAC-Developer-1.nix
+ ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
+ ../2configs/git.nix
 {
 tv.iptables = {
 enable = true;
diff --git a/1systems/tv/wu.nix b/tv/1systems/wu.nix
index 192b65b..27691ec 100644
--- a/1systems/tv/wu.nix
+++ b/tv/1systems/wu.nix
@@ -3,22 +3,38 @@ with lib;
 let
- Zpkgs = import ../../Zpkgs/tv { inherit pkgs; };
+ tvpkgs = import ../5pkgs { inherit pkgs; };
 in
 {
 krebs.build.host = config.krebs.hosts.wu;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@wu";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
 imports = [
- ../../2configs/tv/w110er.nix
- ../../2configs/tv/base.nix
- ../../2configs/tv/consul-client.nix
- ../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git.nix
- ../../2configs/tv/mail-client.nix
- ../../2configs/tv/xserver.nix
- ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
- ../../2configs/tv/urlwatch.nix
+ ../2configs/w110er.nix
+ ../2configs/base.nix
+ ../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
+ ../2configs/mail-client.nix
+ ../2configs/xserver.nix
+ ../2configs/synaptics.nix # TODO w110er if xserver is enabled
+ ../2configs/urlwatch.nix
 {
 environment.systemPackages = with pkgs; [
@@ -26,9 +42,9 @@ in
 git
 gnumake
 parallel
- Zpkgs.genid
- Zpkgs.hashPassword
- Zpkgs.lentil
+ tvpkgs.genid
+ tvpkgs.hashPassword
+ tvpkgs.lentil
 (pkgs.writeScriptBin "ff" ''
 #! ${pkgs.bash}/bin/bash
 exec sudo -u ff -i <<EOF
@@ -75,8 +91,8 @@ in
 sxiv
 texLive
 tmux
+ tvpkgs.dic
 zathura
- Zpkgs.dic
 #ack
 #apache-httpd
@@ -169,19 +185,21 @@ in
 }
 {
 users.extraGroups = {
- tv-sub.gid = 1337;
+ tv.gid = 1337;
+ slaves.gid = 3799582008; # genid slaves
 };
 users.extraUsers =
- mapAttrs (name: user: user // {
+ mapAttrs (name: user@{ extraGroups ? [], ... }: user // {
 inherit name;
 home = "/home/${name}";
 createHome = true;
 useDefaultShell = true;
+ group = "tv";
+ extraGroups = ["slaves"] ++ extraGroups;
 }) {
 ff = {
 uid = 13378001;
- group = "tv-sub";
 extraGroups = [
 "audio"
 "video"
@@ -190,17 +208,6 @@ in
 cr = {
 uid = 13378002;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- vimb = {
- uid = 13378003;
- group = "tv-sub";
 extraGroups = [
 "audio"
 "video"
@@ -210,47 +217,38 @@ in
 fa = {
 uid = 2300001;
- group = "tv-sub";
 };
 rl = {
 uid = 2300002;
- group = "tv-sub";
 };
 tief = {
 uid = 2300702;
- group = "tv-sub";
 };
 btc-bitcoind = {
 uid = 2301001;
- group = "tv-sub";
 };
 btc-electrum = {
 uid = 2301002;
- group = "tv-sub";
 };
 ltc-litecoind = {
 uid = 2301101;
- group = "tv-sub";
 };
 eth = {
 uid = 2302001;
- group = "tv-sub";
 };
 emse-hsdb = {
 uid = 4200101;
- group = "tv-sub";
 };
 wine = {
 uid = 13370400;
- group = "tv-sub";
 extraGroups = [
 "audio"
 "video"
@@ -258,21 +256,8 @@ in
 ];
 };
- # dwarffortress
 df = {
 uid = 13370401;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined
- FTL = {
- uid = 13370402;
- #group = "tv-sub";
 extraGroups = [
 "audio"
 "video"
@@ -280,14 +265,8 @@ in
 ];
 };
- freeciv = {
- uid = 13370403;
- group = "tv-sub";
- };
-
 xr = {
 uid = 13370061;
- group = "tv-sub";
 extraGroups = [
 "audio"
 "video"
@@ -296,26 +275,14 @@ in
 "23" = {
 uid = 13370023;
- group = "tv-sub";
 };
 electrum = {
 uid = 13370102;
- group = "tv-sub";
- };
-
- Reaktor = {
- uid = 4230010;
- group = "tv-sub";
- };
-
- gitolite = {
- uid = 7700;
 };
 skype = {
 uid = 6660001;
- group = "tv-sub";
 extraGroups = [
 "audio"
 ];
@@ -323,12 +290,10 @@ in
 onion = {
 uid = 6660010;
- group = "tv-sub";
 };
 zalora = {
 uid = 1000301;
- group = "tv-sub";
 extraGroups = [
 "audio"
 # TODO remove vboxusers when hardening is active
@@ -340,17 +305,12 @@ in
 security.sudo.extraConfig =
 let
- inherit (import ../../4lib/tv { inherit lib pkgs; })
- isSuffixOf;
-
- hasMaster = { group ? "", ... }:
- isSuffixOf "-sub" group;
-
- masterOf = user : removeSuffix "-sub" user.group;
+ isSlave = u: elem "slaves" u.extraGroups;
+ masterOf = u: u.group;
+ slaves = filterAttrs (_: isSlave) config.users.extraUsers;
+ toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL";
 in
- concatStringsSep "\n"
- (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL")
- (filter hasMaster (attrValues config.users.extraUsers)));
+ concatMapStringsSep "\n" toSudoers (attrValues slaves);
 }
 ];
diff --git a/2configs/tv/AO753.nix b/tv/2configs/AO753.nix
index 70eae17..96167ce 100644
--- a/2configs/tv/AO753.nix
+++ b/tv/2configs/AO753.nix
@@ -2,7 +2,7 @@
 {
 imports = [
- ../../2configs/tv/smartd.nix
+ ../2configs/smartd.nix
 ];
 boot.loader.grub = {
diff --git a/2configs/tv/CAC-CentOS-7-64bit.nix b/tv/2configs/CAC-CentOS-7-64bit.nix
index 95c6e81..168d1d9 100644
--- a/2configs/tv/CAC-CentOS-7-64bit.nix
+++ b/tv/2configs/CAC-CentOS-7-64bit.nix
@@ -33,7 +33,7 @@ _:
 # man:systemd-tmpfiles(8)
 # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
 # Main PID: 19272 (code=exited, status=1/FAILURE)
- #
+ #
 # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
 # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
 # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
diff --git a/2configs/tv/CAC-Developer-1.nix b/tv/2configs/CAC-Developer-1.nix
index 37bc32a..37bc32a 100644
--- a/2configs/tv/CAC-Developer-1.nix
+++ b/tv/2configs/CAC-Developer-1.nix
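Review bot: `toSudoers` writes the slave's primary group name as the sudoers *user* spec (`${masterOf u} ALL=(${u.name}) NOPASSWD: ALL` carries no `%`), so the rule names the intended master only because the group `tv` and, presumably, the user `tv` share a name; that coupling is stated nowhere. `slaves` is also filtered from all of `config.users.extraUsers`, so a user that gains `slaves` via `extraGroups` in another module but keeps the option's default primary group would have that group's name emitted as a passwordless master of the account. The wu.nix hunk `@@ -169,19 +185,21 @@` forces `group = "tv"` and `"slaves"` onto every user in its `mapAttrs` block, which is what makes today's output correct, but the generator itself has no guard. I'd tighten it to `isSlave = u: elem "slaves" u.extraGroups && u.group == "tv";` and record the invariant above `toSudoers`: `# the slave's primary group doubles as the master's user name in sudoers`.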
diff --git a/2configs/tv/CAC-Developer-2.nix b/tv/2configs/CAC-Developer-2.nix
index fedb808..fedb808 100644
--- a/2configs/tv/CAC-Developer-2.nix
+++ b/tv/2configs/CAC-Developer-2.nix
diff --git a/2configs/tv/base.nix b/tv/2configs/base.nix
index 06f83ea..997d4c2 100644
--- a/2configs/tv/base.nix
+++ b/tv/2configs/base.nix
@@ -10,7 +10,6 @@ in
 {
 krebs.enable = true;
- krebs.search-domain = "retiolum";
 networking.hostName = config.krebs.build.host.name;
diff --git a/2configs/tv/bash_completion.sh b/tv/2configs/bash_completion.sh
index 537484f..537484f 100644
--- a/2configs/tv/bash_completion.sh
+++ b/tv/2configs/bash_completion.sh
diff --git a/2configs/tv/charybdis.nix b/tv/2configs/charybdis.nix
index d78e162..bf45bf2 100644
--- a/2configs/tv/charybdis.nix
+++ b/tv/2configs/charybdis.nix
@@ -1,5 +1,9 @@
 { config, lib, pkgs, ... }:
+let
+ tvpkgs = import ../5pkgs { inherit pkgs; };
+in
+
 with builtins;
 with lib;
 let
@@ -59,7 +63,7 @@ let
 ExecStart = pkgs.writeScript "charybdis-service" ''
 #! /bin/sh
 set -euf
- exec ${Zpkgs.charybdis}/bin/charybdis-ircd \
+ exec ${tvpkgs.charybdis}/bin/charybdis-ircd \
 -foreground \
 -logfile /dev/stderr \
 -configfile ${configFile}
@@ -88,7 +92,7 @@ let
 *
 * See reference.conf for more information.
 */
-
+
 /* Extensions */
 #loadmodule "extensions/chm_operonly_compat.so";
 #loadmodule "extensions/chm_quietunreg_compat.so";
@@ -111,17 +115,17 @@ let
 #loadmodule "extensions/sno_globaloper.so";
 #loadmodule "extensions/sno_whois.so";
 loadmodule "extensions/override.so";
-
+
 /*
 * IP cloaking extensions: use ip_cloaking_4.0
 * if you're linking 3.2 and later, otherwise use
 * ip_cloaking.so, for compatibility with older 3.x
 * releases.
 */
-
+
 #loadmodule "extensions/ip_cloaking_4.0.so";
 #loadmodule "extensions/ip_cloaking.so";
-
+
 serverinfo {
 name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
 sid = "4z3";
@@ -129,23 +133,23 @@ let network_name = "irc.retiolum"; #network_desc = "Retiolum IRC Network"; hub = yes; - + /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ /* for IPv4 */ vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; /* for IPv6 */ vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; - + /* ssl_private_key: our ssl private key */ ssl_private_key = "/tmp/ssl.key"; - + /* ssl_cert: certificate for our ssl server */ ssl_cert = ${toJSON cfg.sslCert}; - + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ ssl_dh_params = "/tmp/dh.pem"; - + /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of * cpu/cpu cores you have might be useful. A number greater than one @@ -153,20 +157,20 @@ let * two file descriptors per SSL connection. */ ssld_count = 1; - + /* default max clients: the default maximum number of clients * allowed to connect. This can be changed once ircd has started by * issuing: * /quote set maxclients <limit> */ default_max_clients = 1024; - + /* nicklen: enforced nickname length (for this server only; must not * be longer than the maximum length set while building). */ nicklen = 30; }; - + admin { name = "tv"; description = "peer"; @@ -184,11 +188,11 @@ let fname_operspylog = "/dev/stderr"; fname_ioerrorlog = "/dev/stderr"; }; - + /* class {} blocks MUST be specified before anything that uses them. That * means they must be defined before auth {} and before connect {}. */ - + class "krebs" { ping_time = 2 minutes; number_per_ident = 10; @@ -200,7 +204,7 @@ let max_number = 3000; sendq = 1 megabyte; }; - + class "users" { ping_time = 2 minutes; number_per_ident = 10; 
@@ -212,21 +216,21 @@ let max_number = 3000; sendq = 400 kbytes; }; - + class "opers" { ping_time = 5 minutes; number_per_ip = 10; max_number = 1000; sendq = 1 megabyte; }; - + class "server" { ping_time = 5 minutes; connectfreq = 5 minutes; max_number = 1; sendq = 4 megabytes; }; - + listen { /* defer_accept: wait for clients to send IRC handshake data before * accepting them. if you intend to use software which depends on the @@ -234,7 +238,7 @@ let * otherwise, you probably want to leave it on. */ defer_accept = yes; - + /* If you want to listen on a specific IP only, specify host. * host definitions apply only to the following port line. */ @@ -245,7 +249,7 @@ let port = 6667; sslport = 6697; }; - + /* auth {}: allow users to connect to the ircd (OLD I:) * auth {} blocks MUST be specified in order of precedence. The first one * that matches a user will be used. So place spoofs first, then specials, @@ -260,21 +264,21 @@ let */ user = "*@10.243.0.0/12"; user = "*@42::/16"; - + /* password: an optional password that is required to use this block. * By default this is not encrypted, specify the flag "encrypted" in * flags = ...; below if it is. */ #password = "letmein"; - + /* spoof: fake the users user@host to be be this. You may either * specify a host or a user@host to spoof to. This is free-form, * just do everyone a favour and dont abuse it. (OLD I: = flag) */ #spoof = "I.still.hate.packets"; - + /* Possible flags in auth: - * + * * encrypted | password is encrypted with mkpasswd * spoof_notice | give a notice when spoofing hosts * exceed_limit (old > flag) | allow user to exceed class user limits 
@@ -293,88 +297,88 @@ let * need_sasl | require SASL id for user in this class */ flags = kline_exempt, exceed_limit, flood_exempt; - + /* class: the class the user is placed in */ class = "krebs"; }; - + auth { user = "*@*"; class = "users"; }; - + /* privset {} blocks MUST be specified before anything that uses them. That * means they must be defined before operator {}. */ privset "local_op" { privs = oper:local_kill, oper:operwall; }; - + privset "server_bot" { extends = "local_op"; privs = oper:kline, oper:remoteban, snomask:nick_changes; }; - + privset "global_op" { extends = "local_op"; privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, oper:resv, oper:mass_notice, oper:remoteban; }; - + privset "admin" { extends = "global_op"; privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override; }; - + privset "aids" { privs = oper:override, oper:rehash; }; - + operator "aids" { user = "*@10.243.*"; privset = "aids"; flags = ~encrypted; password = "balls"; }; - + operator "god" { /* name: the name of the oper must go above */ - + /* user: the user@host required for this operator. CIDR *is* * supported now. auth{} spoofs work here, other spoofs do not. * multiple user="" lines are supported. */ user = "*god@127.0.0.1"; - + /* password: the password required to oper. Unless ~encrypted is - * contained in flags = ...; this will need to be encrypted using + * contained in flags = ...; this will need to be encrypted using * mkpasswd, MD5 is supported */ password = "5"; - + /* rsa key: the public key for this oper when using Challenge. - * A password should not be defined when this is used, see + * A password should not be defined when this is used, see * doc/challenge.txt for more information. */ #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; - + /* umodes: the specific umodes this oper gets when they oper. 
* If this is specified an oper will not be given oper_umodes * These are described above oper_only_umodes in general {}; */ #umodes = locops, servnotice, operwall, wallop; - + /* fingerprint: if specified, the oper's client certificate * fingerprint will be checked against the specified fingerprint * below. */ #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b"; - + /* snomask: specific server notice mask on oper up. * If this is specified an oper will not be given oper_snomask. */ snomask = "+Zbfkrsuy"; - + /* flags: misc options for the operator. You may prefix an option * with ~ to disable it, e.g. ~encrypted. * @@ -386,30 +390,30 @@ let * need_ssl: must be using SSL/TLS to oper up */ flags = encrypted; - + /* privset: privileges set to grant */ privset = "admin"; }; - + service { name = "services.int"; }; - + cluster { name = "*"; flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; }; - + shared { oper = "*@*", "*"; flags = all, rehash; }; - + /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ exempt { ip = "127.0.0.1"; }; - + channel { use_invex = yes; use_except = yes; @@ -431,14 +435,14 @@ let channel_target_change = yes; disable_local_channels = no; }; - + serverhide { flatten_links = yes; links_delay = 5 minutes; hidden = no; disable_hidden = no; }; - + /* These are the blacklist settings. * You can have multiple combinations of host and rejection reasons. * They are used in pairs of one host/rejection reason. @@ -471,7 +475,7 @@ let host = "rbl.efnetrbl.org"; type = ipv4; reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}"; - + # host = "ircbl.ahbl.org"; # type = ipv4; # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect."; 
@@ -485,43 +489,43 @@ let # type = ipv4, ipv6; # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect"; }; - + alias "NickServ" { target = "NickServ"; }; - + alias "ChanServ" { target = "ChanServ"; }; - + alias "OperServ" { target = "OperServ"; }; - + alias "MemoServ" { target = "MemoServ"; }; - + alias "NS" { target = "NickServ"; }; - + alias "CS" { target = "ChanServ"; }; - + alias "OS" { target = "OperServ"; }; - + alias "MS" { target = "MemoServ"; }; - + general { hide_error_messages = opers; hide_spoof_ips = yes; - + /* * default_umodes: umodes to enable on connect. * If you have enabled the new ip_cloaking_4.0 module, and you want @@ -533,7 +537,7 @@ let * default_umodes = "+ih"; */ default_umodes = "+i"; - + default_operstring = "is an IRC Operator"; default_adminstring = "is a Server Administrator"; servicestring = "is a Network Service"; @@ -587,17 +591,15 @@ let max_ratelimit_tokens = 30; away_interval = 30; }; - + modules { path = "modules"; path = "modules/autoload"; }; - + exempt { ip = "10.243.0.0/16"; }; ''; - - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; in out diff --git a/2configs/tv/consul-client.nix b/tv/2configs/consul-client.nix index 0a8bf4d..0a8bf4d 100644 --- a/2configs/tv/consul-client.nix +++ b/tv/2configs/consul-client.nix diff --git a/2configs/tv/consul-server.nix b/tv/2configs/consul-server.nix index d10f9ea..d10f9ea 100644 --- a/2configs/tv/consul-server.nix +++ b/tv/2configs/consul-server.nix diff --git a/2configs/tv/cryptoroot.nix b/tv/2configs/cryptoroot.nix index 04618ac..04618ac 100644 --- a/2configs/tv/cryptoroot.nix +++ b/tv/2configs/cryptoroot.nix diff --git a/2configs/tv/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 851a0c6..851a0c6 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix 
diff --git a/2configs/tv/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index c93189b..c93189b 100644
--- a/2configs/tv/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
diff --git a/2configs/tv/git.nix b/tv/2configs/git.nix
index 2c0cc6b..ecb98ce 100644
--- a/2configs/tv/git.nix
+++ b/tv/2configs/git.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ../../4lib/tv { inherit lib pkgs; };
+with import ../4lib { inherit lib pkgs; };
 let
 out = {
diff --git a/2configs/tv/mail-client.nix b/tv/2configs/mail-client.nix
index 00f9a96..a632cf7 100644
--- a/2configs/tv/mail-client.nix
+++ b/tv/2configs/mail-client.nix
@@ -1,6 +1,6 @@
 { pkgs, ... }:
-with import ../../Zpkgs/tv { inherit pkgs; };
+with import ../5pkgs { inherit pkgs; };
 {
 environment.systemPackages = [
diff --git a/2configs/tv/smartd.nix b/tv/2configs/smartd.nix
index 9c4d8b2..9c4d8b2 100644
--- a/2configs/tv/smartd.nix
+++ b/tv/2configs/smartd.nix
diff --git a/2configs/tv/synaptics.nix b/tv/2configs/synaptics.nix
index c47cb9d..c47cb9d 100644
--- a/2configs/tv/synaptics.nix
+++ b/tv/2configs/synaptics.nix
diff --git a/2configs/tv/urlwatch.nix b/tv/2configs/urlwatch.nix
index a69b151..a69b151 100644
--- a/2configs/tv/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
diff --git a/2configs/tv/urxvt.nix b/tv/2configs/urxvt.nix
index 89bb421..89bb421 100644
--- a/2configs/tv/urxvt.nix
+++ b/tv/2configs/urxvt.nix
diff --git a/2configs/tv/w110er.nix b/tv/2configs/w110er.nix
index 7ef0e6e..e580b21 100644
--- a/2configs/tv/w110er.nix
+++ b/tv/2configs/w110er.nix
@@ -2,7 +2,7 @@
 {
 imports = [
- ../../2configs/tv/smartd.nix
+ ../2configs/smartd.nix
 ];
 boot.extraModprobeConfig = ''
diff --git a/2configs/tv/xserver.nix b/tv/2configs/xserver.nix
index 4a3de48..7fc07f9 100644
--- a/2configs/tv/xserver.nix
+++ b/tv/2configs/xserver.nix
@@ -2,7 +2,7 @@
 {
 imports = [
- ../../2configs/tv/urxvt.nix # TODO via xserver
+ ../2configs/urxvt.nix # TODO via xserver
 ];
 services.xserver.enable = true;
diff --git a/3modules/tv/consul.nix b/tv/3modules/consul.nix
index 4e54c2a..82a15c0 100644
--- a/3modules/tv/consul.nix
+++ b/tv/3modules/consul.nix
@@ -5,7 +5,7 @@
 # TODO consul-bootstrap HOST that actually does is
 # TODO tools to inspect state of a cluster in outage state
-with import ../../4lib/tv { inherit lib pkgs; };
+with import ../4lib { inherit lib pkgs; };
 let
 cfg = config.tv.consul;
diff --git a/3modules/tv/default.nix b/tv/3modules/default.nix
index bb10d82..bb10d82 100644
--- a/3modules/tv/default.nix
+++ b/tv/3modules/default.nix
diff --git a/3modules/tv/ejabberd.nix b/tv/3modules/ejabberd.nix
index 2910a9a..2910a9a 100644
--- a/3modules/tv/ejabberd.nix
+++ b/tv/3modules/ejabberd.nix
diff --git a/3modules/tv/iptables.nix b/tv/3modules/iptables.nix
index 173e582..cbf49f5 100644
--- a/3modules/tv/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -36,9 +36,9 @@ let
 path = with pkgs; [
 iptables
 ];
-
+
 restartIfChanged = true;
-
+
 serviceConfig = {
 Type = "simple";
 RemainAfterExit = true;
diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix
new file mode 100644
index 0000000..352689a
--- /dev/null
+++ b/tv/4lib/default.nix
@@ -0,0 +1,27 @@
+{ lib, pkgs, ... }:
+
+let
+ krebs = import ../../krebs/4lib { inherit lib; };
+in
+
+with krebs;
+
+krebs // rec {
+
+ git = import ./git.nix {
+ lib = krebs;
+ inherit pkgs;
+ };
+
+ # "7.4.335" -> "74"
+ majmin = with lib; x : concatStrings (take 2 (splitString "." x));
+
+ shell-escape =
+ let
+ isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null;
+ in
+ stringAsChars (c:
+ if isSafeChar c then c
+ else if c == "\n" then "'\n'"
+ else "\\${c}");
+}
diff --git a/4lib/tv/git.nix b/tv/4lib/git.nix
index 2b25deb..2b25deb 100644
--- a/4lib/tv/git.nix
+++ b/tv/4lib/git.nix
diff --git a/4lib/tv/modules.nix b/tv/4lib/modules.nix
index 248e638..248e638 100644
--- a/4lib/tv/modules.nix
+++ b/tv/4lib/modules.nix
diff --git a/Zpkgs/tv/charybdis/default.nix b/tv/5pkgs/charybdis/default.nix
index f3e6be4..f3e6be4 100644
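Review bot: `shell-escape` in the new tv/4lib/default.nix returns the empty string for an empty input, because `stringAsChars` maps over zero characters, so an empty argument spliced into a command line vanishes and every argument after it shifts one position; the escaper should yield `''` in that case, e.g. `shell-escape = s: if s == "" then "''" else escapeChars s;` with the current `stringAsChars (c: ...)` expression bound to `escapeChars` in the `let`. The per-character escaping itself reads correctly for POSIX sh — anything outside `[-./0-9_a-zA-Z]` gets a backslash, and a newline becomes a single-quoted newline since backslash-newline would be a line continuation — but that contract is undocumented; I'd put `# shell-escape :: string -> string; quote for POSIX sh so the result is exactly one word` above the binding. `match` and `stringAsChars` are not Nix globals, so the file presumably relies on `with krebs;` to supply them from krebs/4lib, which is worth a comment on that `with` line as well.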
--- a/Zpkgs/tv/charybdis/default.nix
+++ b/tv/5pkgs/charybdis/default.nix
diff --git a/Zpkgs/tv/charybdis/remove-setenv.patch b/tv/5pkgs/charybdis/remove-setenv.patch
index c53c1ff..bbaf95e 100644
--- a/Zpkgs/tv/charybdis/remove-setenv.patch
+++ b/tv/5pkgs/charybdis/remove-setenv.patch
@@ -5,7 +5,7 @@ index 03dd907..3698e85 100644
 @@ -82,7 +82,6 @@ start_bandb(void)
 const char *suffix = "";
 #endif
-
+
 - rb_setenv("BANDB_DBPATH", PKGLOCALSTATEDIR "/ban.db", 1);
 if(bandb_path == NULL)
 {
diff --git a/Zpkgs/tv/default.nix b/tv/5pkgs/default.nix
index 50625f8..7b5d10a 100644
--- a/Zpkgs/tv/default.nix
+++ b/tv/5pkgs/default.nix
@@ -2,10 +2,10 @@ let
 inherit (pkgs) callPackage;
- krebs = import ../../Zpkgs/krebs { inherit pkgs; };
+ kpkgs = import ../../krebs/5pkgs { inherit pkgs; };
 in
-krebs // {
+kpkgs // {
 charybdis = callPackage ./charybdis {};
 lentil = callPackage ./lentil {};
 much = callPackage ./much.nix {};
diff --git a/Zpkgs/tv/lentil/default.nix b/tv/5pkgs/lentil/default.nix
index 1385cbd..fc9b4fd 100644
--- a/Zpkgs/tv/lentil/default.nix
+++ b/tv/5pkgs/lentil/default.nix
@@ -4,13 +4,11 @@
 overrides = self: super: {
 lentil = super.lentil.override {
 mkDerivation = (attrs: self.mkDerivation (attrs // {
- version = "0.1.2.7";
- sha256 = "1g3if2y41li6wyg7ffvpybqvbywiq8bf5b5fb6pz499hinzahb9d";
+ version = "0.1.3.0";
+ sha256 = "0xa59avh0bvfg69xh9p5b8dppfhx29mvfq8v41sk9j7qbcnzjivg";
 patches = [
- ./1.patch
 ./syntaxes.patch
 ];
- doCheck = false;
 }));
 };
 };
diff --git a/Zpkgs/tv/lentil/syntaxes.patch b/tv/5pkgs/lentil/syntaxes.patch
index a9390ae..a9390ae 100644
--- a/Zpkgs/tv/lentil/syntaxes.patch
+++ b/tv/5pkgs/lentil/syntaxes.patch
diff --git a/Zpkgs/tv/much.nix b/tv/5pkgs/much.nix
index 82586b4..82586b4 100644
--- a/Zpkgs/tv/much.nix
+++ b/tv/5pkgs/much.nix
diff --git a/Zpkgs/tv/viljetic-pages/default.nix b/tv/5pkgs/viljetic-pages/default.nix
index 1ae55cc..1ae55cc 100644
--- a/Zpkgs/tv/viljetic-pages/default.nix
+++ b/tv/5pkgs/viljetic-pages/default.nix
diff --git a/Zpkgs/tv/viljetic-pages/index.html b/tv/5pkgs/viljetic-pages/index.html
index c06b3f9..c06b3f9 100644
--- a/Zpkgs/tv/viljetic-pages/index.html
+++ b/tv/5pkgs/viljetic-pages/index.html
diff --git a/Zpkgs/tv/viljetic-pages/logo.xpm b/tv/5pkgs/viljetic-pages/logo.xpm
index bb263da..bb263da 100644
--- a/Zpkgs/tv/viljetic-pages/logo.xpm
+++ b/tv/5pkgs/viljetic-pages/logo.xpm |