Diffstat (limited to 'tv/systems')
-rw-r--r-- | tv/systems/cd.nix | 143 | ||||
-rw-r--r-- | tv/systems/mkdir.nix | 83 | ||||
-rw-r--r-- | tv/systems/nomic.nix | 116 | ||||
-rw-r--r-- | tv/systems/rmdir.nix | 84 | ||||
-rw-r--r-- | tv/systems/wu.nix | 409 |
5 files changed, 0 insertions, 835 deletions
diff --git a/tv/systems/cd.nix b/tv/systems/cd.nix
deleted file mode 100644
index 037248c..0000000
--- a/tv/systems/cd.nix
+++ /dev/null
@@ -1,143 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - tvpkgs = import ../pkgs { inherit pkgs; }; -in - -{ - krebs.build.host = config.krebs.hosts.cd; - krebs.build.user = config.krebs.users.tv; - - krebs.build.target = "root@cd.internet"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - secrets = { - url = "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; - - imports = [ - ../configs/CAC-Developer-2.nix - ../configs/CAC-CentOS-7-64bit.nix - ../configs/base.nix - ../configs/consul-server.nix - ../configs/exim-smarthost.nix - ../configs/git.nix - { - imports = [ ../configs/charybdis.nix ]; - tv.charybdis = { - enable = true; - sslCert = ../../Zcerts/charybdis_cd.crt.pem; - }; - } - { - tv.ejabberd = { - enable = true; - hosts = [ "jabber.viljetic.de" ]; - }; - } - { - krebs.github-hosts-sync.enable = true; - tv.iptables.input-internet-accept-new-tcp = - singleton config.krebs.github-hosts-sync.port; - } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "tinc" - "smtp" - "xmpp-client" - "xmpp-server" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - tv.iptables.input-internet-accept-new-tcp = singleton "http"; - krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; - } - { - # TODO make public_html also available to cd, cd.retiolum (AKA default) - tv.iptables.input-internet-accept-new-tcp = singleton "http"; - krebs.nginx.servers.public_html = { - server-names = singleton "cd.viljetic.de"; - locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - ''); - }; - } - { - krebs.nginx.servers.viljetic = { - server-names = singleton "viljetic.de"; - # TODO directly set root (instead via location) - locations = singleton (nameValuePair "/" '' - root ${tvpkgs.viljetic-pages}; - ''); - }; - } - { - 
krebs.retiolum = { - enable = true; - connectTo = [ - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } - ]; - - networking.interfaces.enp2s1.ip4 = [ - { - address = "162.219.7.216"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "162.219.7.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update - htop - iftop - iotop - iptables - mutt # for mv - nethogs - rxvt_unicode.terminfo - tcpdump - ]; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - users.extraUsers = { - mv = { - uid = 1338; - group = "users"; - home = "/home/mv"; - createHome = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.mv.pubkey - ]; - }; - }; -} diff --git a/tv/systems/mkdir.nix b/tv/systems/mkdir.nix deleted file mode 100644 index f601ec8..0000000 --- a/tv/systems/mkdir.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - krebs.build.host = config.krebs.hosts.mkdir; - krebs.build.user = config.krebs.users.tv; - - krebs.build.target = "root@mkdir.internet"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; - }; - secrets = { - url = "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; - - imports = [ - ../configs/CAC-Developer-1.nix - ../configs/CAC-CentOS-7-64bit.nix - ../configs/base.nix - ../configs/consul-server.nix - ../configs/exim-smarthost.nix - ../configs/git.nix - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "tinc" - "smtp" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } - ]; - - networking.interfaces.enp2s1.ip4 = [ - { - address = "162.248.167.241"; # TODO - prefixLength = 24; - } - ]; - networking.defaultGateway = "162.248.167.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update - htop - iftop - iotop - iptables - nethogs - rxvt_unicode.terminfo - tcpdump - ]; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; -} diff --git a/tv/systems/nomic.nix b/tv/systems/nomic.nix deleted file mode 100644 index c96fe38..0000000 --- a/tv/systems/nomic.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - krebs.build.host = config.krebs.hosts.nomic; - krebs.build.user = config.krebs.users.tv; - - krebs.build.target = "root@nomic.gg23"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; - }; - secrets = { - url = "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; - - imports = [ - ../configs/AO753.nix - ../configs/base.nix - ../configs/consul-server.nix - ../configs/exim-retiolum.nix - ../configs/git.nix - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "http" - "tinc" - "smtp" - ]; - }; - } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } - ]; - - boot.initrd.luks = { - cryptoModules = [ "aes" "sha1" "xts" ]; - devices = [ - { - name = "luks1"; - device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; - } - ]; - }; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; - fsType = "ext4"; - }; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; - fsType = "btrfs"; - }; - - swapDevices = [ ]; - - nix = { - buildCores = 2; - maxJobs = 2; - daemonIONiceLevel = 1; - daemonNiceLevel = 1; - }; - - # TODO base - boot.tmpOnTmpfs = true; - - environment.systemPackages = with pkgs; [ - (writeScriptBin "play" '' - #! 
/bin/sh - set -euf - mpv() { exec ${mpv}/bin/mpv "$@"; } - case $1 in - deepmix) mpv http://deepmix.ru/deepmix128.pls;; - groovesalad) mpv http://somafm.com/play/groovesalad;; - ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;; - *) - echo "$0: bad argument: $*" >&2 - exit 23 - esac - '') - rxvt_unicode.terminfo - tmux - ]; -} diff --git a/tv/systems/rmdir.nix b/tv/systems/rmdir.nix deleted file mode 100644 index fa91516..0000000 --- a/tv/systems/rmdir.nix +++ /dev/null @@ -1,84 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - krebs.build.host = config.krebs.hosts.rmdir; - krebs.build.user = config.krebs.users.tv; - - krebs.build.target = "root@rmdir.internet"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - secrets = { - url = "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; - - imports = [ - ../configs/CAC-Developer-1.nix - ../configs/CAC-CentOS-7-64bit.nix - ../configs/base.nix - ../configs/consul-server.nix - ../configs/exim-smarthost.nix - ../configs/git.nix - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "tinc" - "smtp" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "mkdir" - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } - ]; - - networking.interfaces.enp2s1.ip4 = [ - { - address = "167.88.44.94"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "167.88.44.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update - htop - iftop - iotop - iptables - nethogs - rxvt_unicode.terminfo - tcpdump - ]; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; -} diff --git a/tv/systems/wu.nix b/tv/systems/wu.nix deleted file mode 100644 index 7c52d94..0000000 
--- a/tv/systems/wu.nix
+++ /dev/null
@@ -1,409 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - tvpkgs = import ../pkgs { inherit pkgs; }; -in - -{ - krebs.build.host = config.krebs.hosts.wu; - krebs.build.user = config.krebs.users.tv; - - krebs.build.target = "root@wu"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; - }; - secrets = { - url = "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; - - imports = [ - ../configs/w110er.nix - ../configs/base.nix - ../configs/consul-client.nix - ../configs/exim-retiolum.nix - ../configs/git.nix - ../configs/mail-client.nix - ../configs/xserver.nix - ../configs/synaptics.nix # TODO w110er if xserver is enabled - ../configs/urlwatch.nix - { - environment.systemPackages = with pkgs; [ - - # stockholm - git - gnumake - parallel - tvpkgs.genid - tvpkgs.hashPassword - tvpkgs.lentil - (pkgs.writeScriptBin "ff" '' - #! ${pkgs.bash}/bin/bash - exec sudo -u ff -i <<EOF - exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") - EOF - '') - (pkgs.writeScriptBin "im" '' - #! 
${pkgs.bash}/bin/bash - export PATH=${makeSearchPath "bin" (with pkgs; [ - tmux - gnugrep - weechat - ])} - if tmux list-sessions -F\#S | grep -q '^im''$'; then - exec tmux attach -t im - else - exec tmux new -s im weechat - fi - '') - - # root - cryptsetup - ntp # ntpate - - # tv - bc - bind # dig - file - gitAndTools.qgit - gnupg21 - haskellPackages.hledger - htop - jq - manpages - mkpasswd - mpv - netcat - nix-repl - nmap - p7zip - pavucontrol - posix_man_pages - qrencode - sxiv - texLive - tmux - tvpkgs.dic - zathura - - #ack - #apache-httpd - #ascii - #emacs - #es - #esniper - #gcc - #gptfdisk - #graphviz - #haskellPackages.cabal2nix - #haskellPackages.ghc - #haskellPackages.shake - #hdparm - #i7z - #iftop - #imagemagick - #inotifyTools - #iodine - #iotop - #lshw - #lsof - #minicom - #mtools - #ncmpc - #neovim - #nethogs - #nix-prefetch-scripts #cvs bug - #openssl - #openswan - #parted - #perl - #powertop - #ppp - #proot - #pythonPackages.arandr - #pythonPackages.youtube-dl - #racket - #rxvt_unicode-with-plugins - #scrot - #sec - #silver-searcher - #sloccount - #smartmontools - #socat - #sshpass - #strongswan - #sysdig - #sysstat - #tcpdump - #tlsdate - #unetbootin - #utillinuxCurses - #wvdial - #xdotool - #xkill - #xl2tpd - #xsel - ]; - } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "http" - "tinc" - "smtp" - ]; - }; - } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } - { - users.extraGroups = { - tv.gid = 1337; - slaves.gid = 3799582008; # genid slaves - }; - - users.extraUsers = - mapAttrs (name: user@{ extraGroups ? [], ... 
}: user // { - inherit name; - home = "/home/${name}"; - createHome = true; - useDefaultShell = true; - group = "tv"; - extraGroups = ["slaves"] ++ extraGroups; - }) { - ff = { - uid = 13378001; - extraGroups = [ - "audio" - "video" - ]; - }; - - cr = { - uid = 13378002; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - fa = { - uid = 2300001; - }; - - rl = { - uid = 2300002; - }; - - tief = { - uid = 2300702; - }; - - btc-bitcoind = { - uid = 2301001; - }; - - btc-electrum = { - uid = 2301002; - }; - - ltc-litecoind = { - uid = 2301101; - }; - - eth = { - uid = 2302001; - }; - - emse-hsdb = { - uid = 4200101; - }; - - wine = { - uid = 13370400; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - df = { - uid = 13370401; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - xr = { - uid = 13370061; - extraGroups = [ - "audio" - "video" - ]; - }; - - "23" = { - uid = 13370023; - }; - - electrum = { - uid = 13370102; - }; - - skype = { - uid = 6660001; - extraGroups = [ - "audio" - ]; - }; - - onion = { - uid = 6660010; - }; - - zalora = { - uid = 1000301; - extraGroups = [ - "audio" - # TODO remove vboxusers when hardening is active - "vboxusers" - "video" - ]; - }; - }; - - security.sudo.extraConfig = - let - isSlave = u: elem "slaves" u.extraGroups; - masterOf = u: u.group; - slaves = filterAttrs (_: isSlave) config.users.extraUsers; - toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL"; - in - concatMapStringsSep "\n" toSudoers (attrValues slaves); - } - ]; - - boot.initrd.luks = { - cryptoModules = [ "aes" "sha512" "xts" ]; - devices = [ - { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } - ]; - }; - - fileSystems = { - "/" = { - device = "/dev/mapper/vg840-wuroot"; - fsType = "btrfs"; - options = "defaults,noatime,ssd,compress=lzo"; - }; - "/home" = { - device = "/dev/mapper/home"; - options = "defaults,noatime,ssd,compress=lzo"; - }; - "/boot" = { - device = "/dev/sda1"; - }; - "/tmp" = { - 
device = "tmpfs"; - fsType = "tmpfs"; - options = "nosuid,nodev,noatime"; - }; - }; - - nixpkgs.config.chromium.enablePepperFlash = true; - - nixpkgs.config.allowUnfree = true; - hardware.bumblebee.enable = true; - hardware.bumblebee.group = "video"; - hardware.enableAllFirmware = true; - hardware.opengl.driSupport32Bit = true; - hardware.pulseaudio.enable = true; - - environment.systemPackages = with pkgs; [ - xlibs.fontschumachermisc - slock - ethtool - #firefoxWrapper # with plugins - #chromiumDevWrapper - tinc - iptables - #jack2 - ]; - - security.setuidPrograms = [ - "sendmail" # for cron - "slock" - ]; - - services.printing.enable = true; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" # does this work with mounted /tmp? - ]; - - virtualisation.libvirtd.enable = true; - - networking.extraHosts = '' - 192.168.1.1 wrt.gg23 wrt - 192.168.1.11 mors.gg23 - 192.168.1.12 uriel.gg23 - 192.168.1.23 raspi.gg23 raspi - 192.168.1.37 wu.gg23 - 192.168.1.111 nomic.gg23 - 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker - ''; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" - - # for jack - KERNEL=="rtc0", GROUP="audio" - KERNEL=="hpet", GROUP="audio" - ''; - - services.bitlbee.enable = true; - services.tor.client.enable = true; - services.tor.enable = true; - services.virtualboxHost.enable = true; - - # TODO w110er if xserver is enabled - services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; -} |