diff options
31 files changed, 281 insertions, 380 deletions
@@ -24,7 +24,8 @@ else ifdef system deploy infest:;@ export get=krebs.$@ export filter=json - make -s eval | sh + script=$$(make -s eval) + echo "$$script" | sh .PHONY: eval eval: @@ -48,6 +49,40 @@ endif $${target+--argstr target "$$target"}) echo "$$result" | filter +export target_host ?= $(system) +export target_user ?= root +export target_path ?= /var/src + +# usage: make populate system=foo [target_host=bar] +.PHONY: populate +populate: export lib = \ + let nlib = import <nixpkgs/lib>; in \ + nlib // import krebs/4lib { lib = nlib; } // builtins +populate: export source = \ + with builtins; \ + with (import ./. {}).users.$${getEnv "LOGNAME"}.$${getEnv "system"}; \ + assert config.krebs.build.source-version == 2; \ + config.krebs.build.source +populate:;@ + result=$$(nix-instantiate \ + --eval \ + --json \ + --arg lib "$$lib" \ + --arg source "$$source" \ + --argstr target-user "$$target_user" \ + --argstr target-host "$$target_host" \ + --argstr target-path "$$target_path" \ + -A populate \ + krebs/v2) + script=$$(echo "$$result" | jq -r .) + echo "$$script" | sh + +# usage: make rebuild system=foo [target_host=bar] [operation=switch] +.PHONY: rebuild +rebuild: populate ;@set -x + ssh "$$target_user@$$target_host" \ + nixos-rebuild "$${operation-switch}" -I "$$target_path" + else $(error unbound variable: system[s]) endif diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix new file mode 120000 index 0000000..74e9d76 --- /dev/null +++ b/nixpkgs/default.nix @@ -0,0 +1 @@ +../upstream-nixpkgs/default.nix
\ No newline at end of file diff --git a/nixpkgs/lib b/nixpkgs/lib new file mode 120000 index 0000000..2284ef4 --- /dev/null +++ b/nixpkgs/lib @@ -0,0 +1 @@ +../upstream-nixpkgs/lib
\ No newline at end of file diff --git a/nixpkgs/nixos/default.nix b/nixpkgs/nixos/default.nix new file mode 100644 index 0000000..6c5adf3 --- /dev/null +++ b/nixpkgs/nixos/default.nix @@ -0,0 +1,65 @@ +{ configuration ? import <upstream-nixpkgs/nixos/lib/from-env.nix> "NIXOS_CONFIG" <nixos-config> +, system ? builtins.currentSystem +}: + +let + eval-config = modules: import <upstream-nixpkgs/nixos/lib/eval-config.nix> { + inherit system; + modules = modules ++ [({ config, lib, ... }: with lib; { + imports = filter dir.has-default-nix (concatLists [ + (map (p: p + "/2configs") [ <stockholm-private> ]) + (map (p: p + "/3modules") [ <stockholm-krebs> <stockholm-private> ]) + ]); + + krebs.current = { + enable = true; + host = config.krebs.hosts.${readFile /proc/sys/kernel/hostname}; + user = config.krebs.users.${getEnv "LOGNAME"}; + }; + + nixpkgs.config.packageOverrides = pkgs: let + kpkgs = import <stockholm-krebs/5pkgs> { inherit lib pkgs; }; + upkgs = import <stockholm-private/5pkgs> { inherit lib; pkgs = pkgs // kpkgs; }; + in kpkgs // upkgs; + })]; + specialArgs = { + lib = let + nlib = import <upstream-nixpkgs/lib> // builtins; + klib = nlib // import <stockholm-krebs/4lib> { lib = nlib; }; + ulib = klib // (with klib; let p = <stockholm-private> + "/4lib"; in + optionalAttrs (dir.has-default-nix p) + (import p { lib = klib; })); + in ulib; + }; + }; + + eval = eval-config [ + configuration + ]; + + # This is for `nixos-rebuild build-vm'. + vm = eval-config [ + configuration + <upstream-nixpkgs/nixos/modules/virtualisation/qemu-vm.nix> + ]; + + # This is for `nixos-rebuild build-vm-with-bootloader'. + vm-with-bootloader = eval-config [ + configuration + <upstream-nixpkgs/nixos/modules/virtualisation/qemu-vm.nix> + { virtualisation.useBootLoader = true; } + ]; +in + +{ + inherit (eval) config options; + + system = eval.config.system.build.toplevel; + + vm = vm.config.system.build.vm; + + vmWithBootLoader = vm-with-bootloader.config.system.build.vm; + + # The following are used by nixos-rebuild. + nixFallback = eval.pkgs.nixUnstable; +} diff --git a/nixpkgs/nixos/lib b/nixpkgs/nixos/lib new file mode 120000 index 0000000..eb942f8 --- /dev/null +++ b/nixpkgs/nixos/lib @@ -0,0 +1 @@ +../../upstream-nixpkgs/nixos/lib
\ No newline at end of file diff --git a/nixpkgs/nixos/modules b/nixpkgs/nixos/modules new file mode 120000 index 0000000..8fbc437 --- /dev/null +++ b/nixpkgs/nixos/modules @@ -0,0 +1 @@ +../../upstream-nixpkgs/nixos/modules
\ No newline at end of file diff --git a/nixpkgs/pkgs b/nixpkgs/pkgs new file mode 120000 index 0000000..ce5f544 --- /dev/null +++ b/nixpkgs/pkgs @@ -0,0 +1 @@ +../upstream-nixpkgs/pkgs
\ No newline at end of file diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 8c2a9ae..e42d575 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -6,12 +6,17 @@ with lib; krebs.build.host = config.krebs.hosts.cd; krebs.build.target = "root@cd.internet"; + krebs.build.source.upstream-nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "b7ff030"; + }; + imports = [ ../2configs/hw/CAC-Developer-2.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix + ../2configs/retiolum.nix ../2configs/urlwatch.nix { imports = [ ../2configs/charybdis.nix ]; @@ -25,6 +30,10 @@ with lib; enable = true; hosts = [ "jabber.viljetic.de" ]; }; + tv.iptables.input-internet-accept-new-tcp = [ + "xmpp-client" + "xmpp-server" + ]; } { krebs.github-hosts-sync.enable = true; @@ -32,38 +41,17 @@ with lib; singleton config.krebs.github-hosts-sync.port; } { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "tinc" - "smtp" - "xmpp-client" - "xmpp-server" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = [ "cgit.cd.krebsco.de" "cgit.cd.viljetic.de" ]; - } - { # TODO make public_html also available to cd, cd.retiolum (AKA default) - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' alias /home/$1/public_html$2; ''); }; - } - { krebs.nginx.servers.viljetic = { server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) @@ -71,16 +59,7 @@ with lib; root ${pkgs.viljetic-pages}; ''); }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "fastpoke" - "pigstarter" - "ire" - ]; - }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; } ]; diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 9d8a0bc..79e5f73 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -22,7 +22,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 0c6c935..37ef204 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -5,45 +5,14 @@ with lib; { krebs.build.host = config.krebs.hosts.nomic; - krebs.build.target = "root@nomic.gg23"; - imports = [ ../2configs/hw/AO753.nix - #../2configs/consul-server.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "http" - "tinc" - "smtp" - ]; - }; - } - { - krebs.exim-retiolum.enable = true; - } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } + ../2configs/nginx-public_html.nix + ../2configs/pulse.nix + ../2configs/retiolum.nix + ../2configs/xserver ]; boot.initrd.luks = { diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 1f1d975..6fd79c5 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -23,7 +23,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 54ceb77..29e6de0 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -7,10 +7,12 @@ with lib; imports = [ ../2configs/hw/w110er.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -18,7 +20,7 @@ with lib; # stockholm gnumake hashPassword - lentil + haskellPackages.lentil parallel (pkgs.writeScriptBin "im" '' #! ${pkgs.bash}/bin/bash @@ -41,7 +43,7 @@ with lib; # tv bc bind # dig - cac + cac-api dic file get @@ -123,39 +125,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "http" - "tinc" - "smtp" - ]; - }; - } - { - krebs.exim-retiolum.enable = true; - } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { @@ -188,7 +157,7 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name; hardware.bumblebee.enable = true; hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 1f3e010..8c4af2b 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -5,15 +5,14 @@ with lib; { krebs.build.host = config.krebs.hosts.xu; - krebs.build.source.git.nixpkgs.rev = - "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; - imports = [ ../2configs/hw/x220.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -21,7 +20,7 @@ with lib; # stockholm gnumake hashPassword - lentil + haskellPackages.lentil parallel (pkgs.writeScriptBin "im" '' #! ${pkgs.bash}/bin/bash @@ -124,40 +123,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "http" - "tinc" - "smtp" - ]; - }; - } - { - krebs.exim-retiolum.enable = true; - } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { @@ -190,7 +155,6 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; #hardware.bumblebee.enable = true; #hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 51d3bb8..ce937a7 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -2,41 +2,17 @@ with lib; { krebs.backup.plans = addNames { - xu-test-cd = { + wu-home-xu = { method = "push"; - - src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; }; - dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; }; - - #startAt = "0,6,12,18:00"; - startAt = "minutely"; + src = { host = config.krebs.hosts.wu; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; }; + startAt = "05:00"; snapshots = { - minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; - hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; }; }; - #xu-test-wu = { - # method = "push"; - # dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; }; - #}; - cd-test-xu = { - method = "pull"; - src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; }; - dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; }; - startAt = "minutely"; - snapshots = { - minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; - hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; - }; - }; } diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix deleted file mode 100644 index 0a8bf4d..0000000 --- a/tv/2configs/consul-client.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ ./consul-server.nix ]; - - tv.consul = { - server = pkgs.lib.mkForce false; - }; -} diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix deleted file mode 100644 index d10f9ea..0000000 --- a/tv/2configs/consul-server.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, ... }: - -{ - tv.consul = rec { - enable = true; - - self = config.krebs.build.host; - inherit (self) dc; - - server = true; - - hosts = with config.krebs.hosts; [ - # TODO get this list automatically from each host where tv.consul.enable is true - cd - mkdir - nomic - rmdir - #wu - ]; - }; -} diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index c300633..ee1d952 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -8,20 +8,24 @@ with lib; krebs.build = { user = config.krebs.users.tv; target = mkDefault "root@${config.krebs.build.host.name}"; - source = { - git.nixpkgs = { - url = mkDefault https://github.com/NixOS/nixpkgs; - rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613"; - target-path = mkDefault "/var/src/nixpkgs"; + source-version = 2; + source = mapAttrs (_: mkDefault) ({ + nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix"; + nixpkgs = symlink:stockholm-nixpkgs; + null = "/home/tv/stockholm/null"; + secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; + secrets-common = "/home/tv/secrets/common"; + stockholm-krebs = "/home/tv/stockholm/krebs"; + stockholm-nixpkgs = "/home/tv/stockholm/nixpkgs"; + stockholm-private = "/home/tv/stockholm/tv"; + upstream-nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "77f8f35d57618c1ba456d968524f2fb2c3448295"; + dev = "/home/tv/nixpkgs"; }; - dir.secrets = { - path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - dir.stockholm = { - path = mkDefault "/home/tv/stockholm"; - target-path = mkDefault "/var/src/stockholm"; - }; - }; + } // optionalAttrs config.krebs.build.host.secure { + secrets-master = "/home/tv/secrets/master"; + }); }; networking.hostName = config.krebs.build.host.name; @@ -67,6 +71,9 @@ with lib; nix.useChroot = true; } { + nixpkgs.config.allowUnfree = false; + } + { environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; environment.systemPackages = with pkgs; [ @@ -98,12 +105,7 @@ with lib; }; environment.variables = { - NIX_PATH = - with config.krebs.build.source; with dir; with git; - mkForce (concatStringsSep ":" [ - "nixpkgs=${nixpkgs.target-path}" - "secrets=${stockholm.target-path}/null" - ]); + NIX_PATH = mkForce "secrets=/var/src/null:/var/src"; }; programs.bash = { @@ -142,7 +144,12 @@ with lib; ''; }; - programs.ssh.startAgent = false; + programs.ssh = { + extraConfig = '' + UseRoaming no + ''; + startAgent = false; + }; } { @@ -160,12 +167,17 @@ with lib; } { + tv.iptables.enable = true; + } + + { services.openssh = { enable = true; hostKeys = [ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "ssh"; } { @@ -177,7 +189,8 @@ with lib; { systemd.tmpfiles.rules = let forUsers = flip map users; - isUser = { group, ... }: hasSuffix "users" group; + isUser = { name, group, ... }: + name == "root" || hasSuffix "users" group; users = filter isUser (mapAttrsToList (_: id) config.users.users); in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -"); environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME"; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix new file mode 100644 index 0000000..aedf258 --- /dev/null +++ b/tv/2configs/exim-retiolum.nix @@ -0,0 +1,8 @@ +{ lib, ... }: + +with lib; + +{ + krebs.exim-retiolum.enable = true; + tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; +} diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index f5f63d2..bcfea78 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { krebs.exim-smarthost = { @@ -34,4 +36,5 @@ { from = "mirko"; to = "mv"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; } diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index 800deff..b818008 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -9,7 +9,7 @@ let enable = true; root-title = "public repositories at ${config.krebs.build.host.name}"; root-desc = "keep calm and engage"; - repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos; + repos = repos; rules = rules; }; }; @@ -22,8 +22,8 @@ let public-repos = mapAttrs make-public-repo ({ } // mapAttrValues (setAttr "section" "1. Miscellaneous") { - cac = { - desc = "CloudAtCost command line interface"; + cac-api = { + desc = "CloudAtCost API command line interface"; }; get = {}; hack = {}; @@ -39,6 +39,7 @@ let stockholm = { desc = "take all the computers hostage, they'll love you!"; }; + with-tmpdir = {}; } // mapAttrValues (setAttr "section" "2. Haskell libraries") { blessings = {}; mime = {}; @@ -98,7 +99,7 @@ let repo = [ repo ]; perm = fetch; } ++ - optional (length (repo.collaborators or []) > 0) { + optional (repo.collaborators or [] != []) { user = repo.collaborators; repo = [ repo ]; perm = fetch; diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index acd9ee3..72a4081 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { imports = [ @@ -39,8 +41,5 @@ HandleSuspendKey=ignore ''; - nixpkgs.config = { - allowUnfree = false; - allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name); - }; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name; } diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index 8549311..7cec670 100644 --- a/tv/2configs/hw/x220.nix +++ b/tv/2configs/hw/x220.nix @@ -14,7 +14,6 @@ networking.wireless.enable = true; #hardware.enableAllFirmware = true; - #nixpkgs.config.allowUnfree = true; #zramSwap.enable = true; #zramSwap.numDevices = 2; diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix new file mode 100644 index 0000000..dc74f7f --- /dev/null +++ b/tv/2configs/nginx-public_html.nix @@ -0,0 +1,15 @@ +{ lib, ... }: + +with lib; + +{ + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; +} diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix index 3db3532..e1894ca 100644 --- a/tv/2configs/pulse.nix +++ b/tv/2configs/pulse.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: +with lib; let pkg = pkgs.pulseaudioLight; runDir = "/run/pulse"; @@ -35,36 +36,43 @@ let in { - systemd.tmpfiles.rules = [ - "d ${runDir} 0750 pulse pulse - -" - "d ${runDir}/home 0700 pulse pulse - -" - ]; - - system.activationScripts.pulseaudio-hack = '' - ln -fns ${clientConf} /etc/pulse/client.conf - ''; - environment = { etc = { "asound.conf".source = alsaConf; - #"pulse/client.conf" = lib.mkForce { source = clientConf; }; + # XXX mkForce is not strong enough (and neither is mkOverride) to create + # /etc/pulse/client.conf, see pulseaudio-hack below for a solution. + #"pulse/client.conf" = mkForce { source = clientConf; }; + #"pulse/client.conf".source = mkForce clientConf; "pulse/default.pa".source = configFile; }; - systemPackages = [ pkg ]; + systemPackages = [ + pkg + ] ++ optionals config.services.xserver.enable [ + pkgs.pavucontrol + ]; }; # Allow PulseAudio to get realtime priority using rtkit. security.rtkit.enable = true; + system.activationScripts.pulseaudio-hack = '' + ln -fns ${clientConf} /etc/pulse/client.conf + ''; + systemd.services.pulse = { wantedBy = [ "sound.target" ]; before = [ "sound.target" ]; environment = { PULSE_RUNTIME_PATH = "${runDir}/home"; - #DISPLAY = ":${toString config.services.xserver.display}"; }; serviceConfig = { ExecStart = "${pkg}/bin/pulseaudio"; + ExecStartPre = pkgs.writeScript "pulse-start" '' + #! /bin/sh + install -o pulse -g pulse -m 0750 -d ${runDir} + install -o pulse -g pulse -m 0700 -d ${runDir}/home + ''; + PermissionsStartOnly = "true"; User = "pulse"; }; }; diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix new file mode 100644 index 0000000..d2bb9e6 --- /dev/null +++ b/tv/2configs/retiolum.nix @@ -0,0 +1,17 @@ +{ config, lib, ... }: + +with lib; + +{ + krebs.retiolum = { + enable = true; + connectTo = filter (ne config.krebs.build.host.name) [ + "gum" + "prism" + "echelon" + "cd" + "ire" + ]; + }; + tv.iptables.input-internet-accept-new-tcp = singleton "tinc"; +} diff |