authormakefu <github@syntax-fehler.de>2016-02-28 02:26:44 +0100
committermakefu <github@syntax-fehler.de>2016-02-28 02:26:44 +0100
commitdb72d5911f1556d3b1cfbe8f1a2d8f6765728952 (patch)
treeab12aafd2994c265cd4fd604e554b2e8db2da021 /tv
parent64a1dc64a3a7daf57e1ebc677e35c4dc89d9c36b (diff)
parent8c859335a879c515a1415bc8b15b5cb7eb519efc (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'tv')
-rw-r--r--tv/1systems/nomic.nix1
-rw-r--r--tv/1systems/wu.nix7
-rw-r--r--tv/1systems/xu.nix7
-rw-r--r--tv/2configs/default.nix19
-rw-r--r--tv/2configs/exim-retiolum.nix4
-rw-r--r--tv/2configs/exim-smarthost.nix4
-rw-r--r--tv/2configs/vim.nix14
-rw-r--r--tv/2configs/wu-binary-cache/client.nix7
-rw-r--r--tv/2configs/wu-binary-cache/default.nix25
9 files changed, 60 insertions, 28 deletions
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 45320690b..fa9c90816 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -15,6 +15,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
../2configs/xserver
];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 8c363d9fc..0bf242109 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -16,6 +16,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -126,12 +127,12 @@ with config.krebs.lib;
"/" = {
device = "/dev/mapper/vg840-wuroot";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/home";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
@@ -139,7 +140,7 @@ with config.krebs.lib;
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
- options = "nosuid,nodev,noatime";
+ options = ["nosuid" "nodev" "noatime"];
};
};
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index c6a69a85a..46fb59ff3 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -15,6 +15,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
../2configs/xserver
../2configs/xu-qemu0.nix
{
@@ -137,12 +138,12 @@ with config.krebs.lib;
"/" = {
device = "/dev/mapper/xuvga-root";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/xuvga-home";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
@@ -150,7 +151,7 @@ with config.krebs.lib;
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
- options = "nosuid,nodev,noatime";
+ options = ["nosuid" "nodev" "noatime"];
};
};
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 5a1e90bc4..0a3e40a5c 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,8 +14,7 @@ with config.krebs.lib;
stockholm = "/home/tv/stockholm";
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
- dev = "/home/tv/nixpkgs";
+ rev = "40c586b7ce2c559374df435f46d673baf711c543";
};
} // optionalAttrs config.krebs.build.host.secure {
secrets-master = "/home/tv/secrets/master";
@@ -49,20 +48,20 @@ with config.krebs.lib;
}
{
security.sudo.extraConfig = ''
+ Defaults env_keep+="SSH_CLIENT"
Defaults mailto="${config.krebs.users.tv.mail}"
Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
+
{
# TODO check if both are required:
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
- nix.trustedBinaryCaches = [
- "https://cache.nixos.org"
- "http://cache.nixos.org"
- "http://hydra.nixos.org"
- ];
+ nix.requireSignedBinaryCaches = true;
+
+ nix.binaryCaches = ["https://cache.nixos.org"];
nix.useChroot = true;
}
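Review bot: The new `Defaults env_keep+="SSH_CLIENT"` line says nothing about why sudo should preserve that variable, and unlike the neighbouring `mailto` line its purpose is not self-evident from the hunk; a one-line Nix comment above the `security.sudo.extraConfig` string such as `# keep SSH_CLIENT so commands run under sudo can still see where the session came from` would record the intent (hedged, since the consumer is not visible here). SSH_CLIENT is set by sshd rather than by the invoking user, so keeping it is low risk compared with a blanket env_keep. Replacing `nix.trustedBinaryCaches` (which listed two plain-http entries) with `nix.requireSignedBinaryCaches = true` and a single https cache is a sound tightening; note that `nix.binaryCaches` is a list option that merges, so the http cache added by `tv/2configs/wu-binary-cache/client.nix` in this same commit is accepted only because of its pinned public key together with this signature requirement. The enclosing list of attribute sets continues outside the hunk.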
@@ -178,12 +177,6 @@ with config.krebs.lib;
}
{
- # TODO: exim
- security.setuidPrograms = [
- "sendmail" # for sudo
- ];
- }
- {
environment.systemPackages = [
pkgs.get
pkgs.krebszones
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index 9197a3c30..dbe83dcf1 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,5 +4,9 @@ with config.krebs.lib;
{
krebs.exim-retiolum.enable = true;
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
}
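Review bot: `krebs.setuid.sendmail` is declared with `mode = "4111"` but no comment explains what the wrapper is for or why execute-only (no read bit) was chosen, and the identical block is repeated verbatim in `tv/2configs/exim-smarthost.nix`, so either both copies need the comment or the block belongs in a shared module. Suggested comment above the attribute: `# setuid wrapper around exim so unprivileged local senders (e.g. sudo's mailto) can deliver; 4111 = setuid + execute-only`. No owner is set here, so whether the wrapper is setuid root depends on the `krebs.setuid` module's default — worth confirming and stating in the comment. This replaces the `security.setuidPrograms = [ "sendmail" ]` entry removed from `tv/2configs/default.nix` in the same commit.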
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 75dd9b42f..3ea010524 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -40,5 +40,9 @@ with config.krebs.lib;
{ from = "mirko"; to = "mv"; }
];
};
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index b0c26e50e..6e2059484 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -13,21 +13,17 @@ let
environment.variables.VIMINIT = ":so /etc/vimrc";
};
- extra-runtimepath = let
- inherit (pkgs.vimUtils) buildVimPlugin rtpPath;
- fromVimPlugins = pkgs: concatStringsSep ","
- (mapAttrsToList (name: pkg: "${pkg}/${rtpPath}/${name}") pkgs);
- in fromVimPlugins {
- inherit (pkgs.vimPlugins) undotree;
- file-line = buildVimPlugin {
+ extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.undotree
+ (pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
- };
- };
+ })
+ ];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
diff --git a/tv/2configs/wu-binary-cache/client.nix b/tv/2configs/wu-binary-cache/client.nix
new file mode 100644
index 000000000..9634c21d4
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/client.nix
@@ -0,0 +1,7 @@
+_:
+{
+ nix = {
+ binaryCaches = ["http://cache.wu.gg23"];
+ binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
+ };
+}
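Review bot: The client fetches from `http://cache.wu.gg23` over plain HTTP with only `binaryCachePublicKeys` vouching for the content, yet nothing in this file enforces signature checking; it is safe only because `tv/2configs/default.nix` sets `nix.requireSignedBinaryCaches = true` in the same commit. Adding `requireSignedBinaryCaches = true;` to the `nix` set here would make the file safe to import on its own, and a comment such as `# plain http is acceptable: every path is verified against the pinned cache.wu-1 key` would record why no TLS is used. The name `cache.wu.gg23` is presumably resolved over retiolum (the importing hosts also import retiolum.nix), which is an inference — confirm.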
diff --git a/tv/2configs/wu-binary-cache/default.nix b/tv/2configs/wu-binary-cache/default.nix
new file mode 100644
index 000000000..6fcac21af
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/default.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib;
+{
+ services.nix-serve = assert config.krebs.build.host.name == "wu"; {
+ enable = true;
+ secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+ };
+ systemd.services.nix-serve = {
+ requires = ["secret.service"];
+ after = ["secret.service"];
+ };
+ krebs.secret.files.nix-serve-key = {
+ path = "/run/secret/nix-serve.key";
+ owner.name = "nix-serve";
+ source-path = toString <secrets> + "/nix-serve.key";
+ };
+ krebs.nginx = {
+ enable = true;
+ servers.nix-serve = {
+ server-names = [ "cache.wu.gg23" ];
+ locations = singleton (nameValuePair "/" ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '');
+ };
+ };
+}
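Review bot: `source-path = toString <secrets> + "/nix-serve.key"` is the line that keeps the signing key out of the Nix store — `toString` turns the `<secrets>` path into a plain string so it is not copied into a world-readable store path at evaluation time — and that deserves a comment, e.g. `# toString: keep the key as a string path so it is never copied into /nix/store`. The `assert config.krebs.build.host.name == "wu"` guard likewise merits a line saying the signing key only exists on wu. The secret file sets `owner.name = "nix-serve"` but no mode, so its permissions depend on the `krebs.secret` module default — confirm it is not group- or world-readable. The nginx server fronts nix-serve over plain HTTP, which is consistent with clients verifying signatures, but a comment stating so would pre-empt the question.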