summaryrefslogtreecommitdiffstats
path: root/modules/wu
diff options
context:
space:
mode:
Diffstat (limited to 'modules/wu')
-rw-r--r--modules/wu/default.nix464
-rw-r--r--modules/wu/hosts.nix22
-rw-r--r--modules/wu/paths.nix12
-rw-r--r--modules/wu/users.nix227
4 files changed, 0 insertions, 725 deletions
diff --git a/modules/wu/default.nix b/modules/wu/default.nix
deleted file mode 100644
index e55fbaf3f..000000000
--- a/modules/wu/default.nix
+++ /dev/null
@@ -1,464 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix
-in
-
-{
- imports = [
- ./hosts.nix
- ../tv/base.nix
- ../tv/config/consul-client.nix
- ../tv/exim-retiolum.nix
- ../tv/environment.nix
- ../tv/sanitize.nix
- ../tv/smartd.nix
- ../tv/synaptics.nix
- ../tv/urxvt.nix
- ../tv/xserver.nix
- ../wu/users.nix
- {
- imports = [ ../tv/identity ];
- tv.identity = {
- enable = true;
- self = config.tv.identity.hosts.wu;
- };
- }
- {
- imports = [ ../tv/iptables ];
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- imports = [ ../tv/nginx ];
- tv.nginx = {
- enable = true;
- retiolum-locations = [
- (location "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- imports = [ ../tv/retiolum ];
- tv.retiolum = {
- enable = true;
- hosts = <retiolum-hosts>;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
- }
- {
- imports = [ ../tv/urlwatch ];
- tv.urlwatch = {
- enable = true;
- mailto = "tv@wu.retiolum";
- onCalendar = "*-*-* 05:00:00";
- urls = [
- ## nixpkgs maintenance
-
- # 2014-07-29 when one of the following urls change
- # then we have to update the package
-
- # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
- http://simple-evcorr.sourceforge.net/
-
- # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
- https://thp.io/2008/urlwatch/
-
- # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
- https://api.github.com/repos/ioerror/tlsdate/tags
-
- # 2015-02-18
- # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
- http://www.fourmilab.ch/webtools/qprint/
-
- # 2014-09-24 ref https://github.com/4z3/xintmap
- http://www.mathstat.dal.ca/~selinger/quipper/
-
- # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
- # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
- http://nixos.org/releases/nixops/
-
- ## other
-
- https://nixos.org/channels/nixos-unstable/git-revision
-
- ## 2014-10-17
- ## TODO update ~/src/login/default.nix
- #http://hackage.haskell.org/package/bcrypt
- #http://hackage.haskell.org/package/cron
- #http://hackage.haskell.org/package/hyphenation
- #http://hackage.haskell.org/package/iso8601-time
- #http://hackage.haskell.org/package/ixset-typed
- #http://hackage.haskell.org/package/system-command
- #http://hackage.haskell.org/package/transformers
- #http://hackage.haskell.org/package/web-routes-wai
- #http://hackage.haskell.org/package/web-page
- ];
- };
- }
- ];
-
- nix = {
- buildCores = 4;
- maxJobs = 4;
- daemonIONiceLevel = 1;
- daemonNiceLevel = 1;
- };
-
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
- SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
-
- # for jack
- KERNEL=="rtc0", GROUP="audio"
- KERNEL=="hpet", GROUP="audio"
- '';
-
- #services.virtualbox.enable = true;
- #services.virtualboxGuest.enable = false;
- services.virtualboxHost.enable = true;
- #services.virtualboxHost.addNetworkInterface = false;
- #systemd.services.vboxnet =
- # let
- # remove_vboxnets = ''
- # for i in $(cd /sys/class/net && ls | grep ^vboxnet); do
- # VBoxManage hostonlyif remove $i
- # done
- # '';
- # in {
- # wantedBy = [ "multi-user.target" ];
- # requires = [ "dev-vboxnetctl.device" ];
- # after = [ "dev-vboxnetctl.device" ];
- # path = with pkgs; [
- # linuxPackages.virtualbox
- # nettools
- # ];
- # postStop = remove_vboxnets;
- # script = ''
- # ${remove_vboxnets} # just in case...
- # VBoxManage hostonlyif create # vboxnet0
- # ifconfig vboxnet0 up 169.254.13.37/16
- # '';
- # serviceConfig = {
- # Type = "oneshot";
- # PrivateTmp = true;
- # RemainAfterExit = "yes";
- # };
- # environment.VBOX_USER_HOME = "/tmp";
- # };
-
-
- services.bitlbee.enable = true;
-
- #services.rabbitmq = {
- # enable = true;
- # cookie = "f00f";
- # plugins = [
- # "rabbitmq_management"
- # ];
- #};
-
-
- #services.elasticsearch.enable = true;
-
- #services.cgserver = {
- # enable = true;
- # httpPort = 8003;
- # #flushLog = false;
- # #cgroupRoot = "/sys/fs/cgroup";
- # #user = "zalora";
- #};
-
-
-
-
- #services.tlsdated = {
- # enable = true;
- # extraOptions = "-p";
- #};
-
- services.tor.enable = true;
- services.tor.client.enable = true;
-
-
-
- # hardware configuration
- boot.initrd.luks.devices = [
- { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
- ];
- boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ];
- boot.initrd.availableKernelModules = [ "ahci" ];
- #boot.kernelParams = [
- # "intel_pstate=enable"
- #];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # 2014-12-17 pkgs.linuxPackages_3_14 is known good
- boot.kernelPackages = pkgs.linuxPackages_3_18;
-
- boot.kernel.sysctl = {
- # Enable IPv6 Privacy Extensions
- "net.ipv6.conf.all.use_tempaddr" = 2;
- "net.ipv6.conf.default.use_tempaddr" = 2;
- };
-
- boot.extraModprobeConfig = ''
- options kvm_intel nested=1
- '';
-
- fileSystems = {
- "/" = {
- device = "/dev/mapper/vg840-wuroot";
- fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
- };
- "/home" = {
- device = "/dev/mapper/home";
- options = "defaults,noatime,ssd,compress=lzo";
- };
- "/boot" = {
- device = "/dev/sda1";
- };
- "/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = "nosuid,nodev,noatime";
- };
- };
-
- swapDevices =[ ];
-
-
- nixpkgs.config.firefox.enableAdobeFlash = true;
- nixpkgs.config.chromium.enablePepperFlash = true;
-
- nixpkgs.config.allowUnfree = true;
- hardware.bumblebee.enable = true; # TODO this is host specific
- hardware.bumblebee.group = "video";
- #services.xserver.videoDrivers = [ "nvidia" ];
- hardware.opengl.driSupport32Bit = true;
-
- hardware.pulseaudio.enable = true;
-
- hardware.enableAllFirmware = true;
-
- # Use the gummiboot efi boot loader.
- boot.loader.gummiboot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- networking.hostName = "wu";
- networking.wireless.enable = true;
-
-
- # Select internationalisation properties.
- # i18n = {
- # consoleFont = "lat9w-16";
- # consoleKeyMap = "us";
- # defaultLocale = "en_US.UTF-8";
- # };
-
- system.activationScripts.powertopTunables =
- ''
- echo 1 > /sys/module/snd_hda_intel/parameters/power_save
- echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
- (cd /sys/bus/pci/devices
- for i in *; do
- echo auto > $i/power/control # defaults to 'on'
- done)
- # TODO maybe do this via udev or systemd
- # ref https://wiki.archlinux.org/index.php/Wake-on-LAN
- # disable wol this cannot find ethtool
- # TODO (cd /sys/class/net
- # TODO for i in *; do
- # TODO if ethtool $i | grep -q Wake-on &&
- # TODO ! ethtool $i | grep -q 'Wake-on: d'; then
- # TODO ethtool -s $i wol d
- # TODO fi
- # TODO done)
- ${pkgs.ethtool}/sbin/ethtool -s en0 wol d
- '';
-
- environment.systemPackages = with pkgs; [
- xlibs.fontschumachermisc
- slock
- ethtool
- #firefoxWrapper # with plugins
- #chromiumDevWrapper
- tinc
- iptables
- #jack2
- ];
-
- security.setuidPrograms = [
- "sendmail" # for cron
- "slock"
- ];
-
- # TODO
- # Currently ./run doesn't know about certificates
- #security.pki.certificateFiles = [
- # ./certs/zalora-ca.crt
- #];
-
- #security.pam.loginLimits = [
- # # for jack
- # { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
- # { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
- #];
-
- #services.haveged.enable = true;
- #security.rngd.enable = true;
-
- #services.privoxy = {
- # enable = true;
- # extraConfig = ''
- # actionsfile /etc/privoxy/easylist.script.action
- # actionsfile /etc/privoxy/easylistgermany.script.action
- # filterfile /etc/privoxy/easylist.script.filter
- # filterfile /etc/privoxy/easylistgermany.script.filter
- # '';
- #};
-
- #services.dbus.enable = true; # rqd4 wpa_supplicant
-
- services.logind.extraConfig = ''
- HandleHibernateKey=ignore
- HandleLidSwitch=ignore
- HandlePowerKey=ignore
- HandleSuspendKey=ignore
- '';
-
- # Enable the OpenSSH daemon.
- services.openssh = {
- enable = true;
- hostKeys = [
- # XXX bits here make no science
- { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- };
-
- # services.printing.enable = true;
- services.printing = {
- enable = true;
- #extraConf = ''
- # LogLevel debug
- #'';
- drivers = with pkgs; [
- #cups_filters
- #foomatic_filters
- #gutenprint
- #hplip
- ];
- };
-
-
-
- #services.kmscon.enable = true;
-
-
- # TODO virtualisation.libvirtd.enable = true;
- # users.extraUsers.tv.extraGroups += [ "libvirtd" ]
-
-
-
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
-
- #systemd.timers.chargeMon = {
- # wantedBy = [ "multi-user.target" ];
- # timerConfig.OnCalendar = "*-*-* *:*:00";
- #};
- #systemd.services.chargeMon = {
- # path = [ ];
- # environment = {
- # ac_online = "/sys/class/power_supply/AC/online";
- # charge_now = "/sys/class/power_supply/BAT/charge_now";
- # charge_full = "/sys/class/power_supply/BAT/charge_full";
- # };
- # serviceConfig = {
- # User = "nobody";
- # Type = "oneshot";
- # };
- # script = ''
- # if test $(cat $ac_online) == 1; then
- # echo "AC is online"
- # exit
- # fi
- # cat $charge_now
- # '';
- #};
-
- # see tmpfiles.d(5)
- systemd.tmpfiles.rules = [
- "d /tmp 1777 root root - -" # does this work with mounted /tmp?
- ];
-
- # TODO services.smartd
- # TODO services.statsd
- # TODO services.tor
- # TODO write arandr
- # TODO what does system.copySystemConfiguration (we need some kind of bku scheme)
- # TODO systemd.timers instead of cron(??)
-
- virtualisation.libvirtd.enable = true;
-
-
-
-
- #system.replaceRuntimeDependencies = with pkgs;
- # let
- # bashVulnPatches = [
- # (fetchurl {
- # url = "mirror://gnu/bash/bash-4.2-patches/bash42-048";
- # sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km";
- # })
- # (fetchurl {
- # url = "file:///etc/nixos/bash-20140926.patch";
- # sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4";
- # })
- # ];
- # in
- # [
- # {
- # original = bash;
- # replacement = pkgs.lib.overrideDerivation bash (oldAttrs: {
- # patches = oldAttrs.patches ++ bashVulnPatches;
- # });
- # }
- # {
- # original = bashInteractive;
- # replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: {
- # patches = oldAttrs.patches ++ bashVulnPatches;
- # });
- # }
- # {
- # original = bitlbee;
- # replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: {
- # configureFlags = [
- # "--gcov=1"
- # "--otr=1"
- # "--ssl=gnutls"
- # ];
- # });
- # }
- #];
-
-
-}
diff --git a/modules/wu/hosts.nix b/modules/wu/hosts.nix
deleted file mode 100644
index 207553b08..000000000
--- a/modules/wu/hosts.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.extraHosts =
- ''
- 192.168.1.1 wrt.gg23 wrt
- 192.168.1.11 mors.gg23
- 192.168.1.12 uriel.gg23
- 192.168.1.23 raspi.gg23 raspi
- 192.168.1.37 wu.gg23
- 192.168.1.110 nomic.gg23
- 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
-
- 127.0.0.1 dev.zalora.sg www.dev.zalora.sg bob.dev.zalora.sg static.dev.zalora.sg
- 127.0.0.1 dev.zalora.com.my www.dev.zalora.com.my bob.dev.zalora.com.my static.dev.zalora.com.my
- 127.0.0.1 dev.zalora.com.ph www.dev.zalora.com.ph bob.dev.zalora.com.ph static.dev.zalora.com.ph
- 127.0.0.1 dev.zalora.vn www.dev.zalora.vn bob.dev.zalora.vn static.dev.zalora.vn
- 127.0.0.1 dev.zalora.co.id www.dev.zalora.co.id bob.dev.zalora.co.id static.dev.zalora.co.id
- 127.0.0.1 dev.zalora.co.th www.dev.zalora.co.th bob.dev.zalora.co.th static.dev.zalora.co.th
- 127.0.0.1 dev.zalora.com.hk www.dev.zalora.com.hk bob.dev.zalora.com.hk static.dev.zalora.com.hk
- '';
-}
diff --git a/modules/wu/paths.nix b/modules/wu/paths.nix
deleted file mode 100644
index 2d2ff7b74..000000000
--- a/modules/wu/paths.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- lib.file.url = ../../lib;
- modules.file.url = ../../modules;
- nixpkgs.git = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
- cache = ../../tmp/git-cache;
- };
- pubkeys.file.url = ../../pubkeys;
- retiolum-hosts.file.url = ../../hosts;
- secrets.file.url = ../../secrets/wu/nix;
-}
diff --git a/modules/wu/users.nix b/modules/wu/users.nix
deleted file mode 100644
index e50878cd0..000000000
--- a/modules/wu/users.nix
+++ /dev/null
@@ -1,227 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (builtins) attrValues;
- inherit (pkgs.lib) concatMap filterAttrs mapAttrs concatStringsSep;
-
-
- users = {
- tv = {
- uid = 1337;
- group = "users";
- extraGroups = [
- "audio"
- "video"
- "wheel"
- ];
- };
-
- ff = {
- uid = 13378001;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- ];
- };
-
- cr = {
- uid = 13378002;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- vimb = {
- uid = 13378003;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- fa = {
- uid = 2300001;
- group = "tv-sub";
- };
-
- rl = {
- uid = 2300002;
- group = "tv-sub";
- };
-
- tief = {
- uid = 2300702;
- group = "tv-sub";
- };
-
- btc-bitcoind = {
- uid = 2301001;
- group = "tv-sub";
- };
-
- btc-electrum = {
- uid = 2301002;
- group = "tv-sub";
- };
-
- ltc-litecoind = {
- uid = 2301101;
- group = "tv-sub";
- };
-
- eth = {
- uid = 2302001;
- group = "tv-sub";
- };
-
- emse-hsdb = {
- uid = 4200101;
- group = "tv-sub";
- };
-
- wine = {
- uid = 13370400;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- # dwarffortress
- df = {
- uid = 13370401;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined
- FTL = {
- uid = 13370402;
- #group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- "bumblebee"
- ];
- };
-
- freeciv = {
- uid = 13370403;
- group = "tv-sub";
- };
-
- xr = {
- uid = 13370061;
- group = "tv-sub";
- extraGroups = [
- "audio"
- "video"
- ];
- };
-
- "23" = {
- uid = 13370023;
- group = "tv-sub";
- };
-
- electrum = {
- uid = 13370102;
- group = "tv-sub";
- };
-
- Reaktor = {
- uid = 4230010;
- group = "tv-sub";
- };
-
- gitolite = {
- uid = 7700;
- };
-
- skype = {
- uid = 6660001;
- group = "tv-sub";
- extraGroups = [
- "audio"
- ];
- };
-
- onion = {
- uid = 6660010;
- group = "tv-sub";
- };
-
- zalora = {
- uid = 1000301;
- group = "tv-sub";
- extraGroups = [
- "audio"
- # TODO remove vboxusers when hardening is active
- "vboxusers"
- "video"
- ];
- };
-
- };
-
-
- extraUsers =
- mapAttrs (name: user: user // {
- inherit name;
- home = "/home/${name}";
- createHome = true;
- useDefaultShell = true;
- }) users;
-
-
- extraGroups = {
- tv-sub.gid = 1337;
- };
-
-
- sudoers =
- let
- inherit (builtins) filter hasAttr;
- inherit (import ../../lib { inherit lib pkgs; })
- concat isSuffixOf removeSuffix setToList;
-
- hasMaster = { group ? "", ... }:
- isSuffixOf "-sub" group;
-
- masterOf = user : removeSuffix "-sub" user.group;
- in
- concatStringsSep "\n"
- (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL")
- (filter hasMaster (attrValues extraUsers)));
-
-in
-
-
-{
- imports = [
- { users.extraUsers = import <secrets/extraUsers.nix>; }
- ];
-
- users.defaultUserShell = "/run/current-system/sw/bin/bash";
- users.extraGroups = extraGroups;
- users.extraUsers = extraUsers;
- users.mutableUsers = false;
-
- security.sudo.extraConfig =
- ''
- Defaults mailto="tv@wu.retiolum"
- ${sudoers}
- '';
-}