-rw-r--r--modules/cloudkrebs/default.nix1
-rw-r--r--modules/lass/base.nix227
-rw-r--r--modules/lass/desktop-base.nix243
3 files changed, 230 insertions, 241 deletions
diff --git a/modules/cloudkrebs/default.nix b/modules/cloudkrebs/default.nix
index 5e50b7b21..938447e0e 100644
--- a/modules/cloudkrebs/default.nix
+++ b/modules/cloudkrebs/default.nix
@@ -7,6 +7,7 @@
./networking.nix
../../secrets/cloudkrebs-pw.nix
../lass/sshkeys.nix
+ ../lass/base.nix
../common/nixpkgs.nix
];
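Review bot: The `../lass/sshkeys.nix` import on the line above the added `../lass/base.nix` becomes redundant, since base.nix itself imports `./sshkeys.nix` (the NixOS module system deduplicates imports by path, so this is a style point rather than a defect). I would drop the explicit sshkeys line here so cloudkrebs has one place, base.nix, that decides what the shared baseline pulls in. Note that this import now also brings the firewall, gitolite and openssh settings from base.nix onto cloudkrebs; the enclosing `imports` list starts outside the hunk.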
diff --git a/modules/lass/base.nix b/modules/lass/base.nix
new file mode 100644
index 000000000..d16c4d341
--- /dev/null
+++ b/modules/lass/base.nix
@@ -0,0 +1,227 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./sshkeys.nix
+ ];
+
+ nix.useChroot = true;
+
+ users.mutableUsers = false;
+
+ boot.tmpOnTmpfs = true;
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -"
+ ];
+
+ # multiple-definition-problem when defining environment.variables.EDITOR
+ environment.extraInit = ''
+ EDITOR=vim
+ PAGER=most
+ '';
+
+ environment.systemPackages = with pkgs; [
+ git
+ most
+
+ #network
+ iptables
+ ];
+
+ programs.bash = {
+ enableCompletion = true;
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ #fancy colors
+ if [ -e ~/LS_COLORS ]; then
+ eval $(dircolors ~/LS_COLORS)
+ fi
+
+ if [ -e /etc/nixos/dotfiles/link ]; then
+ /etc/nixos/dotfiles/link
+ fi
+ '';
+ promptInit = ''
+ if test $UID = 0; then
+ PS1='\[\033[1;31m\]\w\[\033[0m\] '
+ elif test $UID = 1337; then
+ PS1='\[\033[1;32m\]\w\[\033[0m\] '
+ else
+ PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
+ fi
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\033[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+ services.gitolite = {
+ enable = true;
+ dataDir = "/home/gitolite";
+ adminPubkey = config.sshKeys.lass.pub;
+ #commonHooks = [
+ # (pkgs.writeText "irc-announce" ''
+ # #! /bin/sh
+ # set -euf
+
+ # config_file="$GL_ADMIN_BASE/conf/irc-announce.conf"
+ # if test -f "$config_file"; then
+ # . "$config_file"
+ # fi
+
+ # # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update
+ # # any relevant gitolite LOCAL_CODE!
+ # # CAVEAT we hope that IRC_NICK is unique
+ # IRC_NICK="''${IRC_NICK-gl$GL_TID}"
+ # IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}"
+ # IRC_SERVER="''${IRC_SERVER-ire.retiolum}"
+ # IRC_PORT="''${IRC_PORT-6667}"
+
+ # # for privmsg_cat below
+ # export IRC_CHANNEL
+
+ # # collect users that are mentioned in the gitolite configuration
+ # interested_users="$(perl -e '
+ # do "gl-conf";
+ # print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} });
+ # ')"
+
+ # # CAVEAT beware of real TABs in grep pattern!
+ # # CAVEAT there will never be more than 42 relevant log entries!
+ # log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^ ]* $GL_TID ")"
+ # update_log="$(echo "$log" | grep "^[^ ]* $GL_TID update")"
+
+ # # (debug output)
+ # env | sed 's/^/env: /'
+ # echo "$log" | sed 's/^/log: /'
+
+ # # see http://gitolite.com/gitolite/dev-notes.html#lff
+ # reponame=$(echo "$update_log" | cut -f 4)
+ # username=$(echo "$update_log" | cut -f 5)
+ # ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||')
+ # old_sha=$(echo "$update_log" | cut -f 8)
+ # new_sha=$(echo "$update_log" | cut -f 9)
+
+ # # check if new branch is created
+ # if test $old_sha = 0000000000000000000000000000000000000000; then
+ # # TODO what should we really show?
+ # old_sha=$new_sha^
+ # fi
+
+ # #
+ # git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)"
+ # commit_count=$(echo "$git_log" | wc -l)
+
+ # # echo2 and cat2 are used output to both, stdout and stderr
+ # # This is used to see what we send to the irc server. (debug output)
+ # echo2() { echo "$*"; echo "$*" >&2; }
+ # cat2() { tee /dev/stderr; }
+
+ # # privmsg_cat transforms stdin to a privmsg
+ # privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
+
+ # # ircin is used to feed the output of netcat back to the "irc client"
+ # # so we can implement expect-like behavior with sed^_^
+ # # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
+ # tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+ # cd "$tmpdir"
+ # mkfifo ircin
+ # trap "
+ # rm ircin
+ # cd '$OLDPWD'
+ # rmdir '$tmpdir'
+ # trap - EXIT INT QUIT
+ # " EXIT INT QUIT
+
+ # #
+ # #
+ # #
+ # {
+ # echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
+ # echo2 "NICK $IRC_NICK"
+
+ # # wait for MODE message
+ # sed -n '/^:[^ ]* MODE /q'
+
+ # echo2 "JOIN $IRC_CHANNEL"
+
+ # echo "$interested_users" \
+ # | tr ' ' '\n' \
+ # | grep -v "^$GL_USER" \
+ # | sed 's/$/: poke/' \
+ # | privmsg_cat \
+ # | cat2
+
+ # printf '[13%s] %s pushed %s new commit%s to 6%s %s\n' \
+ # "$reponame" \
+ # "$username" \
+ # "$commit_count" \
+ # "$(test $commit_count = 1 || echo s)" \
+ # "$(hostname)" \
+ # "$ref_name" \
+ # | privmsg_cat \
+ # | cat2
+
+ # echo "$git_log" \
+ # | sed 's/^/14/;s/ / /' \
+ # | privmsg_cat \
+ # | cat2
+
+ # echo2 "PART $IRC_CHANNEL"
+
+ # # wait for PART confirmation
+ # sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
+
+ # echo2 'QUIT :Gone to have lunch'
+ # } < ircin \
+ # | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
+ # '')
+ #];
+ };
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 22
+ ];
+
+ extraCommands = ''
+ iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ iptables -A INPUT -j ACCEPT -i lo
+
+ #iptables -N Retiolum
+ iptables -A INPUT -j Retiolum -i retiolum
+ iptables -A Retiolum -j ACCEPT -p icmp
+ iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ iptables -A Retiolum -j REJECT
+ '';
+
+ extraStopCommands = "iptables -F";
+ };
+}
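Review bot: In `networking.firewall.extraCommands` the jump `iptables -A INPUT -j Retiolum -i retiolum` targets a chain whose creation, `#iptables -N Retiolum`, is commented out directly above it; unless some other module creates that chain before extraCommands run, the append fails and the firewall start script with it, which on a host like cloudkrebs that now imports this file means the filtering rules are not installed. Either restore `iptables -N Retiolum` or add a comment naming the module that is expected to create the chain, so the dependency is visible. A second, smaller point is `interactiveShellInit`: every interactive bash, root's included, executes `/etc/nixos/dotfiles/link` whenever that path exists, which is a reasonable desktop convenience but worth a comment such as `# runs the dotfiles linker from the mutable /etc/nixos checkout on every interactive shell` now that the file is shared with servers. The `bits = 8192` on the ed25519 host key is already flagged by the author's own XXX comment; ed25519 keys have a fixed size, so the field can simply be dropped rather than left with a note.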
diff --git a/modules/lass/desktop-base.nix b/modules/lass/desktop-base.nix
index c6a9231ef..94184548e 100644
--- a/modules/lass/desktop-base.nix
+++ b/modules/lass/desktop-base.nix
@@ -2,12 +2,7 @@
{
imports = [
- ./sshkeys.nix
- ];
- boot.tmpOnTmpfs = true;
- # see tmpfiles.d(5)
- systemd.tmpfiles.rules = [
- "d /tmp 1777 root root - -"
+ ./base.nix
];
time.timeZone = "Europe/Berlin";
@@ -19,258 +14,24 @@
systemWide = true;
};
- # multiple-definition-problem when defining environment.variables.EDITOR
- environment.extraInit = ''
- EDITOR=vim
- PAGER=most
- '';
-
- programs.bash = {
- enableCompletion = true;
- interactiveShellInit = ''
- HISTCONTROL='erasedups:ignorespace'
- HISTSIZE=65536
- HISTFILESIZE=$HISTSIZE
-
- shopt -s checkhash
- shopt -s histappend histreedit histverify
- shopt -s no_empty_cmd_completion
- complete -d cd
-
- #fancy colors
- if [ -e ~/LS_COLORS ]; then
- eval $(dircolors ~/LS_COLORS)
- fi
-
- if [ -e /etc/nixos/dotfiles/link ]; then
- /etc/nixos/dotfiles/link
- fi
- '';
- promptInit = ''
- if test $UID = 0; then
- PS1='\[\033[1;31m\]\w\[\033[0m\] '
- elif test $UID = 1337; then
- PS1='\[\033[1;32m\]\w\[\033[0m\] '
- else
- PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
- fi
- if test -n "$SSH_CLIENT"; then
- PS1='\[\033[35m\]\h'" $PS1"
- fi
- '';
- };
-
programs.ssh.startAgent = false;
security.setuidPrograms = [ "slock" ];
- ###SERVICES BEGIN
- services.gitolite = {
- enable = true;
- dataDir = "/home/gitolite";
- adminPubkey = config.sshKeys.lass.pub;
- commonHooks = [
- (pkgs.writeText "irc-announce" ''
- #! /bin/sh
- set -euf
-
- config_file="$GL_ADMIN_BASE/conf/irc-announce.conf"
- if test -f "$config_file"; then
- . "$config_file"
- fi
-
- # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update
- # any relevant gitolite LOCAL_CODE!
- # CAVEAT we hope that IRC_NICK is unique
- IRC_NICK="''${IRC_NICK-gl$GL_TID}"
- IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}"
- IRC_SERVER="''${IRC_SERVER-ire.retiolum}"
- IRC_PORT="''${IRC_PORT-6667}"
-
- # for privmsg_cat below
- export IRC_CHANNEL
-
- # collect users that are mentioned in the gitolite configuration
- interested_users="$(perl -e '
- do "gl-conf";
- print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} });
- ')"
-
- # CAVEAT beware of real TABs in grep pattern!
- # CAVEAT there will never be more than 42 relevant log entries!
- log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^ ]* $GL_TID ")"
- update_log="$(echo "$log" | grep "^[^ ]* $GL_TID update")"
-
- # (debug output)
- env | sed 's/^/env: /'
- echo "$log" | sed 's/^/log: /'
-
- # see http://gitolite.com/gitolite/dev-notes.html#lff
- reponame=$(echo "$update_log" | cut -f 4)
- username=$(echo "$update_log" | cut -f 5)
- ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||')
- old_sha=$(echo "$update_log" | cut -f 8)
- new_sha=$(echo "$update_log" | cut -f 9)
-
- # check if new branch is created
- if test $old_sha = 0000000000000000000000000000000000000000; then
- # TODO what should we really show?
- old_sha=$new_sha^
- fi
-
- #
- git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)"
- commit_count=$(echo "$git_log" | wc -l)
-
- # echo2 and cat2 are used output to both, stdout and stderr
- # This is used to see what we send to the irc server. (debug output)
- echo2() { echo "$*"; echo "$*" >&2; }
- cat2() { tee /dev/stderr; }
-
- # privmsg_cat transforms stdin to a privmsg
- privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
-
- # ircin is used to feed the output of netcat back to the "irc client"
- # so we can implement expect-like behavior with sed^_^
- # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
- tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
- cd "$tmpdir"
- mkfifo ircin
- trap "
- rm ircin
- cd '$OLDPWD'
- rmdir '$tmpdir'
- trap - EXIT INT QUIT
- " EXIT INT QUIT
-
- #
- #
- #
- {
- echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
- echo2 "NICK $IRC_NICK"
-
- # wait for MODE message
- sed -n '/^:[^ ]* MODE /q'
-
- echo2 "JOIN $IRC_CHANNEL"
-
- echo "$interested_users" \
- | tr ' ' '\n' \
- | grep -v "^$GL_USER" \
- | sed 's/$/: poke/' \
- | privmsg_cat \
- | cat2
-
- printf '[13%s] %s pushed %s new commit%s to 6%s %s\n' \
- "$reponame" \
- "$username" \
- "$commit_count" \
- "$(test $commit_count = 1 || echo s)" \
- "$(hostname)" \
- "$ref_name" \
- | privmsg_cat \
- | cat2
-
- echo "$git_log" \
- | sed 's/^/14/;s/ / /' \
- | privmsg_cat \
- | cat2
-
- echo2 "PART $IRC_CHANNEL"
-
- # wait for PART confirmation
- sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
-
- echo2 'QUIT :Gone to have lunch'
- } < ircin \
- | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
- '')
- ];
- };
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
- services.openssh = {
- enable = true;
- hostKeys = [
- # XXX bits here make no science
- { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- };
-
services.printing = {
enable = true;
drivers = [ pkgs.foomatic_filters ];
};
- ###SERVICES END
environment.systemPackages = with pkgs; [
- gitolite
- git
- #terminal
- most
powertop
- #network
- iptables
-
- #video stuff
+ #window manager stuff
haskellPackages.xmobar
haskellPackages.yeganesh
dmenu2
xlibs.fontschumachermisc
];
- nix.useChroot = true;
-
- #
- # user settings
- #
- users.mutableUsers = false;
- users.extraUsers = {
- #gitolite = {
- # name = "gitolite";
- # description = "gitolite git manager";
- # home = "/home/gitolite";
- # createHome = true;
- # useDefaultShell = true;
- #};
- testing = {
- name = "testing";
- description = "user for testing various stuff";
- home = "/home/testing";
- useDefaultShell = true;
- createHome = true;
- };
- };
-
- networking.firewall = {
- enable = true;
-
- allowedTCPPorts = [
- 22
- ];
-
- extraCommands = ''
- iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A INPUT -j ACCEPT -i lo
-
- #iptables -N Retiolum
- iptables -A INPUT -j Retiolum -i retiolum
- iptables -A Retiolum -j ACCEPT -p icmp
- iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- iptables -A Retiolum -j REJECT
- '';
-
- extraStopCommands = "iptables -F";
- };
-
}
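Review bot: This hunk is not a pure move into base.nix: the `users.extraUsers.testing` account, the `gitolite` entry in `environment.systemPackages`, and the active `commonHooks` irc-announce hook are removed here, but base.nix recreates neither the user nor the package and carries the hook only as a commented-out block, so desktop-base.nix silently loses them. If dropping them is intended, a one-line note in the commit message would make that explicit; if not, the `testing` user and the `gitolite` package belong back in this file, and the hook's removal is a behaviour change for anyone pushing to the gitolite instance. The enclosing module attribute set starts outside the hunk.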