diff options
-rw-r--r-- | krebs/3modules/makefu/default.nix | 32 | ||||
-rw-r--r-- | makefu/1systems/pornocauster.nix | 30 | ||||
-rw-r--r-- | makefu/2configs/default.nix | 5 | ||||
-rw-r--r-- | makefu/2configs/exim-retiolum.nix | 3 | ||||
-rw-r--r-- | makefu/2configs/git/cgit-retiolum.nix | 3 | ||||
-rw-r--r-- | makefu/2configs/omo-share.nix | 8 | ||||
-rw-r--r-- | makefu/2configs/steam.nix | 6 | ||||
-rw-r--r-- | makefu/2configs/temp-share-samba.nix | 28 | ||||
-rw-r--r-- | makefu/5pkgs/default.nix | 1 | ||||
-rw-r--r-- | makefu/5pkgs/skytraq-logger/default.nix | 31 | ||||
l--------- | makefu/5pkgs/skytraq-logger/result | 1 | ||||
-rw-r--r-- | tv/2configs/xserver/default.nix | 221 | ||||
-rw-r--r-- | tv/5pkgs/ff/default.nix | 10 |
13 files changed, 243 insertions, 136 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index a6d4597f7..7d4bef9ad 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -270,8 +270,8 @@ with config.krebs.lib; ''; }; }; - ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; + #ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; }; wbob = rec { cores = 1; @@ -409,6 +409,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e"; aliases = [ "heidi.r" + "heidi.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -424,6 +425,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; + soundflower = rec { cores = 1; nets = { @@ -594,7 +596,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; }; - + } // { # hosts only maintained in stockholm, not owned by me + tpsw = { + cores = 2; + owner = config.krebs.users.ciko; # main laptop + nets = { + retiolum = { + ip4.addr = "10.243.183.236"; + ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c"; + aliases = [ "tpsw.r" "tpsw.retiolum" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAvwYPFAINwV0EH0myFpNzRjVbqXdAmJP616C5JvODklhZWJxFxlKJ + Poczl57j2Z+4bonkTrJmsNtSaQLPKYH4H1qfo/lwz7nqEpPi3Xp4Fgts23w36eML + WBvbw0fQO9R8zZJIIdRkJ2qqlhZiTlor1Gtlm8Z1RmpKkhL9O6Yzj94VhGLhABVl + OsaF2M3PgXJMiLry67jzbAs3+mVaT3iBTzWOaOyREjKQEUg9B9IDxrmZMSWqdXZM + 0wfzaCjS40jD73m7tqi7W3tXzAUP4mEeUqkC+NC2Zgm/lJ5B1KPx7AyNqtRLsBLd + pIdJs6ng63WV1fyHYUWMYqZk9zB/tQ0b0wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = rec { makefu = { @@ -615,6 +638,9 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB inherit (makefu) mail pgp; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob"; }; + ciko = { + mail = "wieczorek.stefan@googlemail.com"; + }; exco = { mail = "dickbutt@excogitation.de"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== dickbutt@excogitation.de"; diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 88c187758..fa39b121c 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -26,6 +26,7 @@ # services ../2configs/git/brain-retiolum.nix ../2configs/tor.nix + ../2configs/steam.nix # ../2configs/buildbot-standalone.nix # hardware specifics are in here @@ -35,23 +36,36 @@ # ../2configs/mediawiki.nix #../2configs/wordpress.nix ../2configs/nginx/public_html.nix + + # temporary modules + # ../2configs/temp/share-samba.nix + # ../2configs/temp/elkstack.nix + # ../2configs/temp/sabnzbd.nix ]; + krebs.nginx = { default404 = false; servers.default.listen = [ "80 default_server" ]; servers.default.server-names = [ "_" ]; }; - krebs.retiolum.enable = true; - # steam - hardware.opengl.driSupport32Bit = true; - hardware.pulseaudio.support32Bit = true; + + environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; + + virtualisation.docker.enable = true; # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - 25 - 80 - ]; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedUDPPorts = [ 665 ]; krebs.build.host = config.krebs.hosts.pornocauster; + + krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; + krebs.retiolum = { + enable = true; + connectTo = [ "omo" "gum" "prism" ]; + }; + networking.extraHosts = '' + 192.168.1.11 omo.local + ''; } diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index afdeec40e..62daed8be 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -22,7 +22,7 @@ with config.krebs.lib; source = mapAttrs (_: mkDefault) { nixpkgs = { url = https://github.com/nixos/nixpkgs; - rev = "40c586b7ce2c559374df435f46d673baf711c543"; # unstable @ 2016-02-27, tested on wry + rev = "63b9785"; # stable @ 2016-06-01 }; secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/"; stockholm = "/home/makefu/stockholm"; @@ -75,7 +75,7 @@ with config.krebs.lib; systemd.tmpfiles.rules = [ "d /tmp 1777 root root - -" ]; - + nix.nixPath = [ "/var/src" ]; environment.variables = { NIX_PATH = mkForce "/var/src"; EDITOR = mkForce "vim"; @@ -126,6 +126,7 @@ with config.krebs.lib; nixpkgs.config.packageOverrides = pkgs: { nano = pkgs.runCommand "empty" {} "mkdir -p $out"; tinc = pkgs.tinc_pre; + gnupg1compat = super.gnupg1compat.override { gnupg = self.gnupg21; }; }; services.cron.enable = false; diff --git a/makefu/2configs/exim-retiolum.nix b/makefu/2configs/exim-retiolum.nix index 34943f593..910066e0a 100644 --- a/makefu/2configs/exim-retiolum.nix +++ b/makefu/2configs/exim-retiolum.nix @@ -2,9 +2,10 @@ with config.krebs.lib; { + networking.firewall.allowedTCPPorts = [ 25 ]; + krebs.exim-retiolum.enable = true; environment.systemPackages = with pkgs; [ msmtp ]; - } diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 0b69dbcaf..44d759488 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -15,6 +15,9 @@ let tinc_graphs = { desc = "Tinc Advanced Graph Generation"; }; + stockholm-init = { + desc = "Build new Stockholm hosts"; + }; cac-api = { }; init-stockholm = { desc = "Init stuff for stockholm"; diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix index 08bdd4a40..7e9842e14 100644 --- a/makefu/2configs/omo-share.nix +++ b/makefu/2configs/omo-share.nix @@ -69,15 +69,15 @@ in { browseable = "yes"; "guest ok" = "yes"; }; - usenet-rw = { - path = "/media/crypt0/usenet"; + crypt0-rw = { + path = "/media/crypt0/"; "read only" = "no"; browseable = "yes"; "guest ok" = "no"; "valid users" = "makefu"; }; - emu-rw = { - path = "/media/crypt1/emu"; + crypt1-rw = { + path = "/media/crypt1/"; "read only" = "no"; browseable = "yes"; "guest ok" = "no"; diff --git a/makefu/2configs/steam.nix b/makefu/2configs/steam.nix new file mode 100644 index 000000000..d4ec84abf --- /dev/null +++ b/makefu/2configs/steam.nix @@ -0,0 +1,6 @@ +{pkgs, ...}: +{ + environment.systemPackages = [ pkgs.steam ]; + hardware.opengl.driSupport32Bit = true; + hardware.pulseaudio.support32Bit = true; +} diff --git a/makefu/2configs/temp-share-samba.nix b/makefu/2configs/temp-share-samba.nix new file mode 100644 index 000000000..5f21e3bf7 --- /dev/null +++ b/makefu/2configs/temp-share-samba.nix @@ -0,0 +1,28 @@ +{config, ... }:{ + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 9cd2629de..6d227fa6d 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -13,6 +13,7 @@ in nodemcu-uploader = callPackage ./nodemcu-uploader {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; inherit (callPackage ./devpi {}) devpi-web devpi-server; + skytraq-logger = callPackage ./skytraq-logger/ {}; taskserver = callPackage ./taskserver {}; }; } diff --git a/makefu/5pkgs/skytraq-logger/default.nix b/makefu/5pkgs/skytraq-logger/default.nix new file mode 100644 index 000000000..1ad81594a --- /dev/null +++ b/makefu/5pkgs/skytraq-logger/default.nix @@ -0,0 +1,31 @@ +{ stdenv, lib, pkgs, fetchFromGitHub, ... }: +stdenv.mkDerivation rec { + name = "skytraq-datalogger-${version}"; + version = "4966a8"; + src = fetchFromGitHub { + owner = "makefu"; + repo = "skytraq-datalogger"; + rev = version ; + sha256 = "1qaszrs7638kc9x4qq4m1yxqmk8jw7wajywvdk4wc2i007p89v3y"; + }; + buildFlags = "CC=gcc"; + makeFlags = "PREFIX=bin/ DESTDIR=$(out)"; + + preInstall = '' + mkdir -p $out/bin + ''; + #patchPhase = '' + # sed -i -e 's#/usr/bin/gcc#gcc#' -e Makefile + #''; + + buildInputs = with pkgs;[ + curl + gnugrep + ]; + + meta = { + homepage = http://github.com/makefu/skytraq-datalogger; + description = "datalogger for skytraq"; + license = lib.licenses.gpl2; + }; +} diff --git a/makefu/5pkgs/skytraq-logger/result b/makefu/5pkgs/skytraq-logger/result new file mode 120000 index 000000000..b132d6257 --- /dev/null +++ b/makefu/5pkgs/skytraq-logger/result @@ -0,0 +1 @@ +/nix/store/xpwdwpw2nkgi16yhpxin2kivaz7z588h-skytraq-datalogger-4966a8
\ No newline at end of file diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix index b5b116786..965c3bbe1 100644 --- a/tv/2configs/xserver/default.nix +++ b/tv/2configs/xserver/default.nix @@ -1,135 +1,126 @@ -{ config, lib, pkgs, ... }@args: - +{ config, pkgs, ... }@args: with config.krebs.lib; - let # TODO krebs.build.user user = config.users.users.tv; +in { + + environment.systemPackages = [ + pkgs.ff + pkgs.gitAndTools.qgit + pkgs.mpv + pkgs.sxiv + pkgs.xsel + pkgs.zathura + ]; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + # TODO dedicated group, i.e. with a single user [per-user-setuid] + # TODO krebs.setuid.slock.path vs /var/setuid-wrappers + krebs.setuid.slock = { + filename = "${pkgs.slock}/bin/slock"; + group = "wheel"; + envp = { + DISPLAY = ":${toString config.services.xserver.display}"; + USER = user.name; + }; + }; - out = { - services.xserver.display = 11; - services.xserver.tty = 11; + services.xserver = { + enable = true; + display = 11; + tty = 11; - services.xserver.synaptics = { + synaptics = { enable = true; twoFingerScroll = true; accelFactor = "0.035"; }; + }; - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc - ]; - - systemd.services.urxvtd = { - wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; - serviceConfig = { - ExecReload = need-reload "urxvtd.service"; - ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; - Restart = "always"; - RestartSec = "2s"; - StartLimitBurst = 0; - User = user.name; - }; + systemd.services.display-manager.enable = false; + + systemd.services.xmonad = { + wantedBy = [ "multi-user.target" ]; + requires = [ "xserver.service" ]; + environment = { + DISPLAY = ":${toString config.services.xserver.display}"; + + XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' + ${pkgs.xorg.xhost}/bin/xhost +LOCAL: & + ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & + ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} & + ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & + wait + ''; + + XMONAD_STATE = "/tmp/xmonad.state"; + + # XXX JSON is close enough :) + XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ + "Dashboard" # we start here + "23" + "cr" + "ff" + "hack" + "im" + "mail" + "stockholm" + "za" "zh" "zj" "zs" + ]); }; - - environment.systemPackages = [ - pkgs.ff - pkgs.gitAndTools.qgit - pkgs.mpv - pkgs.sxiv - pkgs.xsel - pkgs.zathura - ]; - - # TODO dedicated group, i.e. with a single user - # TODO krebs.setuid.slock.path vs /var/setuid-wrappers - krebs.setuid.slock = { - filename = "${pkgs.slock}/bin/slock"; - group = "wheel"; - envp = { - DISPLAY = ":${toString config.services.xserver.display}"; - USER = user.name; - }; + serviceConfig = { + SyslogIdentifier = "xmonad"; + ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv"; + ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown"; + User = user.name; + WorkingDirectory = user.home; }; + }; - systemd.services.display-manager.enable = false; - - services.xserver.enable = true; - - systemd.services.xmonad = { - wantedBy = [ "multi-user.target" ]; - requires = [ "xserver.service" ]; - environment = xmonad-environment; - serviceConfig = { - ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv"; - ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown"; - User = user.name; - WorkingDirectory = user.home; - }; + systemd.services.xserver = { + after = [ + "systemd-udev-settle.service" + "local-fs.target" + "acpid.service" + ]; + reloadIfChanged = true; + environment = { + XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension. + XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. + LD_LIBRARY_PATH = concatStringsSep ":" ( + [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ] + ++ concatLists (catAttrs "libPath" config.services.xserver.drivers)); }; - - systemd.services.xserver = { - after = [ - "systemd-udev-settle.service" - "local-fs.target" - "acpid.service" + serviceConfig = { + SyslogIdentifier = "xserver"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = toString [ + "${pkgs.xorg.xorgserver}/bin/X" + ":${toString config.services.xserver.display}" + "vt${toString config.services.xserver.tty}" + "-config ${import ./xserver.conf.nix args}" + "-logfile /dev/null -logverbose 0 -verbose 3" + "-nolisten tcp" + "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb" ]; - reloadIfChanged = true; - environment = xserver-environment; - serviceConfig = { - ExecReload = need-reload "xserver.service"; - ExecStart = toString [ - "${pkgs.xorg.xorgserver}/bin/X" - ":${toString config.services.xserver.display}" - "vt${toString config.services.xserver.tty}" - "-config ${import ./xserver.conf.nix args}" - "-logfile /var/log/X.${toString config.services.xserver.display}.log" - "-nolisten tcp" - "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb" - ]; - }; }; }; - xmonad-environment = { - DISPLAY = ":${toString config.services.xserver.display}"; - - XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' - ${pkgs.xorg.xhost}/bin/xhost +LOCAL: & - ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & - ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} & - ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & - wait - ''; - - XMONAD_STATE = "/tmp/xmonad.state"; - - # XXX JSON is close enough :) - XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ - "Dashboard" # we start here - "23" - "cr" - "ff" - "hack" - "im" - "mail" - "stockholm" - "za" "zh" "zj" "zs" - ]); - }; - - xserver-environment = { - XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension. - XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. - LD_LIBRARY_PATH = concatStringsSep ":" ( - [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ] - ++ concatLists (catAttrs "libPath" config.services.xserver.drivers)); + systemd.services.urxvtd = { + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + SyslogIdentifier = "urxvtd"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; + Restart = "always"; + RestartSec = "2s"; + StartLimitBurst = 0; + User = user.name; + }; }; - - need-reload = s: toString [ - "${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload" - (shell.escape s) - ]; - -in out +} diff --git a/tv/5pkgs/ff/default.nix b/tv/5pkgs/ff/default.nix index 2db404030..b1d2c579a 100644 --- a/tv/5pkgs/ff/default.nix +++ b/tv/5pkgs/ff/default.nix @@ -1,8 +1,12 @@ { pkgs, ... }: -pkgs.writeScriptBin "ff" '' - #! ${pkgs.bash}/bin/bash - exec sudo -u ff -i <<EOF +# TODO use krebs.setuid +# This requires that we can create setuid executables that can only be accessed +# by a single user. [per-user-setuid] + +# using bash for %q +pkgs.writeBashBin "ff" '' + exec /var/setuid-wrappers/sudo -u ff -i <<EOF exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") EOF '' |