authormakefu <github@syntax-fehler.de>2015-07-28 21:56:10 +0200
committermakefu <github@syntax-fehler.de>2015-07-28 21:56:10 +0200
commitf7e206b608a2844c4e81173a673369402f8da06b (patch)
tree109f929d89dfa7a4a1b686019494b2355bcbc81f /tv/1systems
parentfca517dd0e61c67d2a485f578e7146b46f048f69 (diff)
parent3228890813535514dfdfe9d049486a9e6054e479 (diff)
Merge remote-tracking branch 'cd/user-toplevel' into user-toplevel
Diffstat (limited to 'tv/1systems')
-rw-r--r--tv/1systems/cd.nix143
-rw-r--r--tv/1systems/mkdir.nix83
-rw-r--r--tv/1systems/nomic.nix116
-rw-r--r--tv/1systems/rmdir.nix84
-rw-r--r--tv/1systems/wu.nix409
5 files changed, 835 insertions, 0 deletions
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
new file mode 100644
index 000000000..54292eb83
--- /dev/null
+++ b/tv/1systems/cd.nix
@@ -0,0 +1,143 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ tvpkgs = import ../5pkgs { inherit pkgs; };
+in
+
+{
+ krebs.build.host = config.krebs.hosts.cd;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@cd.internet";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+
+ imports = [
+ ../2configs/CAC-Developer-2.nix
+ ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
+ ../2configs/git.nix
+ {
+ imports = [ ../2configs/charybdis.nix ];
+ tv.charybdis = {
+ enable = true;
+ sslCert = ../../Zcerts/charybdis_cd.crt.pem;
+ };
+ }
+ {
+ tv.ejabberd = {
+ enable = true;
+ hosts = [ "jabber.viljetic.de" ];
+ };
+ }
+ {
+ krebs.github-hosts-sync.enable = true;
+ tv.iptables.input-internet-accept-new-tcp =
+ singleton config.krebs.github-hosts-sync.port;
+ }
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "tinc"
+ "smtp"
+ "xmpp-client"
+ "xmpp-server"
+ ];
+ input-retiolum-accept-new-tcp = [
+ "http"
+ ];
+ };
+ }
+ {
+ tv.iptables.input-internet-accept-new-tcp = singleton "http";
+ krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
+ }
+ {
+ # TODO make public_html also available to cd, cd.retiolum (AKA default)
+ tv.iptables.input-internet-accept-new-tcp = singleton "http";
+ krebs.nginx.servers.public_html = {
+ server-names = singleton "cd.viljetic.de";
+ locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '');
+ };
+ }
+ {
+ krebs.nginx.servers.viljetic = {
+ server-names = singleton "viljetic.de";
+ # TODO directly set root (instead via location)
+ locations = singleton (nameValuePair "/" ''
+ root ${tvpkgs.viljetic-pages};
+ '');
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
+ ];
+
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.219.7.216";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.219.7.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ git # required for ./deploy, clone_or_update
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ users.extraUsers = {
+ mv = {
+ uid = 1338;
+ group = "users";
+ home = "/home/mv";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.mv.pubkey
+ ];
+ };
+ };
+}
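Review bot: The nixpkgs pin in `krebs.build.deps` here (rev `4c01e6d9…`, also used by rmdir.nix) differs from the one in mkdir.nix, nomic.nix and wu.nix (rev `9d5508d8…`), so hosts in the same tree build from different package sets and a fix that lands in one pin does not reach the others. This may be deliberate for a staged rollout, but if not, a single shared pin (for example in `../2configs/base.nix`) would keep the fleet consistent and make updates a one-line change. A comment on the `rev` line stating why cd and rmdir are held back would help either way. Minor: `tv.iptables.input-internet-accept-new-tcp = singleton "http"` is set in two separate submodules (the cgit block and the public_html block), which presumably merges to a duplicated entry; folding both into one block avoids relying on that.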
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
new file mode 100644
index 000000000..cd3d3b5c4
--- /dev/null
+++ b/tv/1systems/mkdir.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.build.host = config.krebs.hosts.mkdir;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@mkdir.internet";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+
+ imports = [
+ ../2configs/CAC-Developer-1.nix
+ ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
+ ../2configs/git.nix
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "tinc"
+ "smtp"
+ ];
+ input-retiolum-accept-new-tcp = [
+ "http"
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "cd"
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
+ ];
+
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.248.167.241"; # TODO
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.248.167.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ git # required for ./deploy, clone_or_update
+ htop
+ iftop
+ iotop
+ iptables
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+}
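Review bot: The `# TODO` on `address = "162.248.167.241"` says nothing about what is unverified, and a wrong static address/gateway pair on a remotely deployed host leaves it unreachable after the switch, so the marker should state what is pending, e.g. `address = "162.248.167.241"; # TODO confirm against the provider's assigned address before deploy`. The `krebs.build.deps.secrets`/`stockholm` entries, the `environment.systemPackages` list and the `services.journald.extraConfig` block are repeated verbatim in rmdir.nix and (with one extra package) in cd.nix; a shared module under `../2configs` would remove the drift between copies that the differing nixpkgs pins already show. The same applies to the `tv.iptables` block, which is identical in mkdir.nix and rmdir.nix.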
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
new file mode 100644
index 000000000..b9a10cb4f
--- /dev/null
+++ b/tv/1systems/nomic.nix
@@ -0,0 +1,116 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.build.host = config.krebs.hosts.nomic;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@nomic.gg23";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+
+ imports = [
+ ../2configs/AO753.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "http"
+ "tinc"
+ "smtp"
+ ];
+ };
+ }
+ {
+ krebs.nginx = {
+ enable = true;
+ servers.default.locations = [
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha1" "xts" ];
+ devices = [
+ {
+ name = "luks1";
+ device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+ }
+ ];
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+ fsType = "ext4";
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+ fsType = "btrfs";
+ };
+
+ swapDevices = [ ];
+
+ nix = {
+ buildCores = 2;
+ maxJobs = 2;
+ daemonIONiceLevel = 1;
+ daemonNiceLevel = 1;
+ };
+
+ # TODO base
+ boot.tmpOnTmpfs = true;
+
+ environment.systemPackages = with pkgs; [
+ (writeScriptBin "play" ''
+ #! /bin/sh
+ set -euf
+ mpv() { exec ${mpv}/bin/mpv "$@"; }
+ case $1 in
+ deepmix) mpv http://deepmix.ru/deepmix128.pls;;
+ groovesalad) mpv http://somafm.com/play/groovesalad;;
+ ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;;
+ *)
+ echo "$0: bad argument: $*" >&2
+ exit 23
+ esac
+ '')
+ rxvt_unicode.terminfo
+ tmux
+ ];
+}
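Review bot: The `play` script runs under `set -euf` but dispatches on a bare `$1`, so invoking it with no argument aborts with an unbound-variable error instead of reaching the `bad argument` branch and `exit 23`; `case ''${1-} in` fixes this (the `''$` escape keeps the brace expansion out of Nix interpolation, as wu.nix does with `'^im''$'`). Separately, `boot.initrd.luks.cryptoModules` lists `"sha1"` here while wu.nix lists `"sha512"`; presumably each matches its own LUKS header, but a one-line comment saying the list was taken from the header would spare the next reader from having to verify it before touching initrd.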
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
new file mode 100644
index 000000000..c8ac43e4c
--- /dev/null
+++ b/tv/1systems/rmdir.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.build.host = config.krebs.hosts.rmdir;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@rmdir.internet";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+
+ imports = [
+ ../2configs/CAC-Developer-1.nix
+ ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
+ ../2configs/git.nix
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "tinc"
+ "smtp"
+ ];
+ input-retiolum-accept-new-tcp = [
+ "http"
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "cd"
+ "mkdir"
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
+ ];
+
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "167.88.44.94";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "167.88.44.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ git # required for ./deploy, clone_or_update
+ htop
+ iftop
+ iotop
+ iptables
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+}
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
new file mode 100644
index 000000000..27691ec56
--- /dev/null
+++ b/tv/1systems/wu.nix
@@ -0,0 +1,409 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ tvpkgs = import ../5pkgs { inherit pkgs; };
+in
+
+{
+ krebs.build.host = config.krebs.hosts.wu;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@wu";
+
+ krebs.build.deps = {
+ nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ };
+ secrets = {
+ url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+
+ imports = [
+ ../2configs/w110er.nix
+ ../2configs/base.nix
+ ../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
+ ../2configs/mail-client.nix
+ ../2configs/xserver.nix
+ ../2configs/synaptics.nix # TODO w110er if xserver is enabled
+ ../2configs/urlwatch.nix
+ {
+ environment.systemPackages = with pkgs; [
+
+ # stockholm
+ git
+ gnumake
+ parallel
+ tvpkgs.genid
+ tvpkgs.hashPassword
+ tvpkgs.lentil
+ (pkgs.writeScriptBin "ff" ''
+ #! ${pkgs.bash}/bin/bash
+ exec sudo -u ff -i <<EOF
+ exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
+ EOF
+ '')
+ (pkgs.writeScriptBin "im" ''
+ #! ${pkgs.bash}/bin/bash
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+
+ # root
+ cryptsetup
+ ntp # ntpate
+
+ # tv
+ bc
+ bind # dig
+ file
+ gitAndTools.qgit
+ gnupg21
+ haskellPackages.hledger
+ htop
+ jq
+ manpages
+ mkpasswd
+ mpv
+ netcat
+ nix-repl
+ nmap
+ p7zip
+ pavucontrol
+ posix_man_pages
+ qrencode
+ sxiv
+ texLive
+ tmux
+ tvpkgs.dic
+ zathura
+
+ #ack
+ #apache-httpd
+ #ascii
+ #emacs
+ #es
+ #esniper
+ #gcc
+ #gptfdisk
+ #graphviz
+ #haskellPackages.cabal2nix
+ #haskellPackages.ghc
+ #haskellPackages.shake
+ #hdparm
+ #i7z
+ #iftop
+ #imagemagick
+ #inotifyTools
+ #iodine
+ #iotop
+ #lshw
+ #lsof
+ #minicom
+ #mtools
+ #ncmpc
+ #neovim
+ #nethogs
+ #nix-prefetch-scripts #cvs bug
+ #openssl
+ #openswan
+ #parted
+ #perl
+ #powertop
+ #ppp
+ #proot
+ #pythonPackages.arandr
+ #pythonPackages.youtube-dl
+ #racket
+ #rxvt_unicode-with-plugins
+ #scrot
+ #sec
+ #silver-searcher
+ #sloccount
+ #smartmontools
+ #socat
+ #sshpass
+ #strongswan
+ #sysdig
+ #sysstat
+ #tcpdump
+ #tlsdate
+ #unetbootin
+ #utillinuxCurses
+ #wvdial
+ #xdotool
+ #xkill
+ #xl2tpd
+ #xsel
+ ];
+ }
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "http"
+ "tinc"
+ "smtp"
+ ];
+ };
+ }
+ {
+ krebs.nginx = {
+ enable = true;
+ servers.default.locations = [
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
+ {
+ users.extraGroups = {
+ tv.gid = 1337;
+ slaves.gid = 3799582008; # genid slaves
+ };
+
+ users.extraUsers =
+ mapAttrs (name: user@{ extraGroups ? [], ... }: user // {
+ inherit name;
+ home = "/home/${name}";
+ createHome = true;
+ useDefaultShell = true;
+ group = "tv";
+ extraGroups = ["slaves"] ++ extraGroups;
+ }) {
+ ff = {
+ uid = 13378001;
+ extraGroups = [
+ "audio"
+ "video"
+ ];
+ };
+
+ cr = {
+ uid = 13378002;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ fa = {
+ uid = 2300001;
+ };
+
+ rl = {
+ uid = 2300002;
+ };
+
+ tief = {
+ uid = 2300702;
+ };
+
+ btc-bitcoind = {
+ uid = 2301001;
+ };
+
+ btc-electrum = {
+ uid = 2301002;
+ };
+
+ ltc-litecoind = {
+ uid = 2301101;
+ };
+
+ eth = {
+ uid = 2302001;
+ };
+
+ emse-hsdb = {
+ uid = 4200101;
+ };
+
+ wine = {
+ uid = 13370400;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ df = {
+ uid = 13370401;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ xr = {
+ uid = 13370061;
+ extraGroups = [
+ "audio"
+ "video"
+ ];
+ };
+
+ "23" = {
+ uid = 13370023;
+ };
+
+ electrum = {
+ uid = 13370102;
+ };
+
+ skype = {
+ uid = 6660001;
+ extraGroups = [
+ "audio"
+ ];
+ };
+
+ onion = {
+ uid = 6660010;
+ };
+
+ zalora = {
+ uid = 1000301;
+ extraGroups = [
+ "audio"
+ # TODO remove vboxusers when hardening is active
+ "vboxusers"
+ "video"
+ ];
+ };
+ };
+
+ security.sudo.extraConfig =
+ let
+ isSlave = u: elem "slaves" u.extraGroups;
+ masterOf = u: u.group;
+ slaves = filterAttrs (_: isSlave) config.users.extraUsers;
+ toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL";
+ in
+ concatMapStringsSep "\n" toSudoers (attrValues slaves);
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/vg840-wuroot";
+ fsType = "btrfs";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/home" = {
+ device = "/dev/mapper/home";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = "nosuid,nodev,noatime";
+ };
+ };
+
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ nixpkgs.config.allowUnfree = true;
+ hardware.bumblebee.enable = true;
+ hardware.bumblebee.group = "video";
+ hardware.enableAllFirmware = true;
+ hardware.opengl.driSupport32Bit = true;
+ hardware.pulseaudio.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ xlibs.fontschumachermisc
+ slock
+ ethtool
+ #firefoxWrapper # with plugins
+ #chromiumDevWrapper
+ tinc
+ iptables
+ #jack2
+ ];
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ "slock"
+ ];
+
+ services.printing.enable = true;
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ virtualisation.libvirtd.enable = true;
+
+ networking.extraHosts = ''
+ 192.168.1.1 wrt.gg23 wrt
+ 192.168.1.11 mors.gg23
+ 192.168.1.12 uriel.gg23
+ 192.168.1.23 raspi.gg23 raspi
+ 192.168.1.37 wu.gg23
+ 192.168.1.111 nomic.gg23
+ 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
+ '';
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+ SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+ # for jack
+ KERNEL=="rtc0", GROUP="audio"
+ KERNEL=="hpet", GROUP="audio"
+ '';
+
+ services.bitlbee.enable = true;
+ services.tor.client.enable = true;
+ services.tor.enable = true;
+ services.virtualboxHost.enable = true;
+
+ # TODO w110er if xserver is enabled
+ services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
+}
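Review bot: Every sandbox user produced by the `mapAttrs` wrapper gets `group = "tv"`, the master's own primary group, and `masterOf = u: u.group` in the sudoers generator depends on that, so anything group-readable in the master's files is visible to all slave users while the master can run anything as each of them without a password. If the isolation is meant to be one-way this deserves an explicit comment next to `group = "tv"`, e.g. `# slaves share tv's primary group: group-readable files of tv are visible to every slave; masterOf relies on this`, since changing the group later silently changes the generated sudoers. The `systemd.tmpfiles.rules` entry `d /tmp 1777 root root - -` with its own "does this work" question is redundant with the tmpfs mount above it, whose root directory defaults to mode 1777; dropping the rule or noting that in the comment resolves the open question.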