diff options
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/mv/default.nix | 41 | ||||
-rw-r--r-- | krebs/3modules/tv/default.nix | 2 | ||||
-rw-r--r-- | mv/1systems/stro.nix | 172 | ||||
-rw-r--r-- | tv/2configs/exim-smarthost.nix | 2 |
5 files changed, 216 insertions, 2 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index a38d2b227..d64d8047a 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -91,6 +91,7 @@ let imp = lib.mkMerge [ { krebs = import ./lass { inherit config lib; }; } { krebs = import ./makefu { inherit config lib; }; } + { krebs = import ./mv { inherit config lib; }; } { krebs = import ./shared { inherit config lib; }; } { krebs = import ./tv { inherit config lib; }; } { diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix new file mode 100644 index 000000000..dc47d8983 --- /dev/null +++ b/krebs/3modules/mv/default.nix @@ -0,0 +1,41 @@ +{ config, ... }: + +with config.krebs.lib; + +{ + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.mv) { + stro = { + cores = 4; + nets = { + retiolum = { + ip4.addr = "10.243.111.111"; + ip6.addr = "42:0:0:0:0:0:111:111"; + aliases = [ + "stro.r" + "cgit.stro.r" + "stro.retiolum" + "cgit.stro.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b + vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb + FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg + ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG + oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq + XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro"; + }; + }; + users = { + mv = { + mail = "mv@stro.r"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfMqkfXsGRaXJ86Pi5svAx4508ij5kc4cMLGwr1CLvFI5G7EHggiHMZYooibmkZimBF1PvLM1lOdoptJ4nSmc3UGuQaeV9BpZ1dNXexc8wOmVPKzAHYZG/2upcV/xVZQ9lk3UOmDym6fDUXThMx4nXdhOjScgWpKp7+0N3JRCf2UHusZjWFGlhE9l4irLFHCwlZeBQ16DNF4fc03vsfZBB1ZrGGZlaVpkcY+FTC3sm8R0iF5QGaq8PgltJoCNnp3L1g3Yn7Elva7kCHjZfJC1pu5icV8vZMNptPn1b10gPsNwb302FCjvZohzRcMo39L2gwdNWQmflYfYk+NPY9EgqkLtSvZJywYu8oTVLeYBAp0ZGzJR4+uIH9at/WQF499HFMxpF4uwYiQweUcPiHrrOqI5zLQoOvqh9Jv0UMsnFynNrszbCTgwzeW8bcvv8ILcjE9of8GXRCrlIMvt7Z9q8xrb5j1RhKscvusyyNOAL+HMZl6jgSxUBDtzRqPZ62QHJsBEBdRXdJRQLGeHNW9kGPrh/tiKGucuT3/HZC+2Rcemxt3RVT60+lHkghrMLi0/VOWBUKL9J94UK5xIE4Gb3RTW9DcNK53U4ql+N4ORSSEuhk3Rqzx3Bzv7AXpLKQCFKdB7tjxzGN7sCQM3PBUUo6Tk0VG2cIKOjzTRnDJlb7Q== mv@stro"; + }; + }; +} diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index d04f1cab2..a933cbddb 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -418,7 +418,7 @@ with config.krebs.lib; dv = { mail = "dv@alnus.r"; }; - mv = { + mv-cd = { mail = "mv@cd.r"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"; }; diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix new file mode 100644 index 000000000..c948754df --- /dev/null +++ b/mv/1systems/stro.nix @@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs = { + enable = true; + build = { + user = config.krebs.users.mv; + host = config.krebs.hosts.stro; + source = let + HOME = getEnv "HOME"; + host = config.krebs.build.host; + in { + nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix"; + secrets.file = "${HOME}/secrets/${host.name}"; + stockholm.file = "${HOME}/stockholm"; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; + }; + }; + }; + }; + + imports = [ + <secrets> + <stockholm/krebs> + <stockholm/tv/2configs/audit.nix> + <stockholm/tv/2configs/bash.nix> + <stockholm/tv/2configs/exim-retiolum.nix> + <stockholm/tv/2configs/hw/x220.nix> + <stockholm/tv/2configs/im.nix> + <stockholm/tv/2configs/mail-client.nix> + <stockholm/tv/2configs/retiolum.nix> + <stockholm/tv/2configs/ssh.nix> + <stockholm/tv/2configs/sshd.nix> + <stockholm/tv/2configs/vim.nix> + <stockholm/tv/2configs/xdg.nix> + <stockholm/tv/2configs/xserver> + <stockholm/tv/3modules> + <stockholm/tv/5pkgs> + ]; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2"; + } + ]; + }; + + environment = { + profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; + shellAliases = mkForce { + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + ls = "ls -h --color=auto --group-directories-first"; + dmesg = "dmesg -L --reltime"; + view = "vim -R"; + + reload = "systemctl reload"; + restart = "systemctl restart"; + start = "systemctl start"; + status = "systemctl status"; + stop = "systemctl stop"; + }; + systemPackages = with pkgs; [ + dic + htop + p7zip + q + + pavucontrol + rxvt_unicode.terminfo + + # stockholm + git + gnumake + populate + ]; + variables = { + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; + }; + }; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1"; + }; + "/" = { + device = "/dev/mapper/vg1-root"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/home" = { + device = "/dev/mapper/vg1-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + }; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + networking.hostName = config.krebs.build.host.name; + + nix = { + binaryCaches = ["https://cache.nixos.org"]; + # TODO check if both are required: + chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + requireSignedBinaryCaches = true; + useChroot = true; + }; + + nixpkgs.config.allowUnfree = false; + + users = { + defaultUserShell = "/run/current-system/sw/bin/bash"; + mutableUsers = false; + users = { + mv = { + inherit (config.krebs.users.mv) home uid; + isNormalUser = true; + }; + }; + }; + + security.setuidPrograms = [ + "sendmail" + ]; + + security.sudo.extraConfig = '' + Defaults env_keep+="SSH_CLIENT" + Defaults mailto="${config.krebs.users.mv.mail}" + Defaults !lecture + ''; + + services.cron.enable = false; + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + services.nscd.enable = false; + services.ntp.enable = false; + services.timesyncd.enable = true; + + time.timeZone = "Europe/Berlin"; + + tv.iptables = { + enable = true; + accept-echo-request = "internet"; + }; + + system.stateVersion = "16.03"; +} diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index 351b54da1..cade6fa7b 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -20,7 +20,7 @@ with config.krebs.lib; ]; internet-aliases = with config.krebs.users; [ { from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822 - { from = "mirko@viljetic.de"; to = mv.mail; } + { from = "mirko@viljetic.de"; to = mv-cd.mail; } { from = "tomislav@viljetic.de"; to = tv.mail; } { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; } { from = "tv@viljetic.de"; to = tv.mail; } |