diff options
Diffstat (limited to 'tv/1systems/wu.nix')
| -rw-r--r-- | tv/1systems/wu.nix | 409 |
1 files changed, 409 insertions, 0 deletions
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix new file mode 100644 index 000000000..27691ec56 --- /dev/null +++ b/tv/1systems/wu.nix @@ -0,0 +1,409 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + tvpkgs = import ../5pkgs { inherit pkgs; }; +in + +{ + krebs.build.host = config.krebs.hosts.wu; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@wu"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + + imports = [ + ../2configs/w110er.nix + ../2configs/base.nix + ../2configs/consul-client.nix + ../2configs/exim-retiolum.nix + ../2configs/git.nix + ../2configs/mail-client.nix + ../2configs/xserver.nix + ../2configs/synaptics.nix # TODO w110er if xserver is enabled + ../2configs/urlwatch.nix + { + environment.systemPackages = with pkgs; [ + + # stockholm + git + gnumake + parallel + tvpkgs.genid + tvpkgs.hashPassword + tvpkgs.lentil + (pkgs.writeScriptBin "ff" '' + #! ${pkgs.bash}/bin/bash + exec sudo -u ff -i <<EOF + exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") + EOF + '') + (pkgs.writeScriptBin "im" '' + #! ${pkgs.bash}/bin/bash + export PATH=${makeSearchPath "bin" (with pkgs; [ + tmux + gnugrep + weechat + ])} + if tmux list-sessions -F\#S | grep -q '^im''$'; then + exec tmux attach -t im + else + exec tmux new -s im weechat + fi + '') + + # root + cryptsetup + ntp # ntpate + + # tv + bc + bind # dig + file + gitAndTools.qgit + gnupg21 + haskellPackages.hledger + htop + jq + manpages + mkpasswd + mpv + netcat + nix-repl + nmap + p7zip + pavucontrol + posix_man_pages + qrencode + sxiv + texLive + tmux + tvpkgs.dic + zathura + + #ack + #apache-httpd + #ascii + #emacs + #es + #esniper + #gcc + #gptfdisk + #graphviz + #haskellPackages.cabal2nix + #haskellPackages.ghc + #haskellPackages.shake + #hdparm + #i7z + #iftop + #imagemagick + #inotifyTools + #iodine + #iotop + #lshw + #lsof + #minicom + #mtools + #ncmpc + #neovim + #nethogs + #nix-prefetch-scripts #cvs bug + #openssl + #openswan + #parted + #perl + #powertop + #ppp + #proot + #pythonPackages.arandr + #pythonPackages.youtube-dl + #racket + #rxvt_unicode-with-plugins + #scrot + #sec + #silver-searcher + #sloccount + #smartmontools + #socat + #sshpass + #strongswan + #sysdig + #sysstat + #tcpdump + #tlsdate + #unetbootin + #utillinuxCurses + #wvdial + #xdotool + #xkill + #xl2tpd + #xsel + ]; + } + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + { + users.extraGroups = { + tv.gid = 1337; + slaves.gid = 3799582008; # genid slaves + }; + + users.extraUsers = + mapAttrs (name: user@{ extraGroups ? [], ... }: user // { + inherit name; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + group = "tv"; + extraGroups = ["slaves"] ++ extraGroups; + }) { + ff = { + uid = 13378001; + extraGroups = [ + "audio" + "video" + ]; + }; + + cr = { + uid = 13378002; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + fa = { + uid = 2300001; + }; + + rl = { + uid = 2300002; + }; + + tief = { + uid = 2300702; + }; + + btc-bitcoind = { + uid = 2301001; + }; + + btc-electrum = { + uid = 2301002; + }; + + ltc-litecoind = { + uid = 2301101; + }; + + eth = { + uid = 2302001; + }; + + emse-hsdb = { + uid = 4200101; + }; + + wine = { + uid = 13370400; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + df = { + uid = 13370401; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + xr = { + uid = 13370061; + extraGroups = [ + "audio" + "video" + ]; + }; + + "23" = { + uid = 13370023; + }; + + electrum = { + uid = 13370102; + }; + + skype = { + uid = 6660001; + extraGroups = [ + "audio" + ]; + }; + + onion = { + uid = 6660010; + }; + + zalora = { + uid = 1000301; + extraGroups = [ + "audio" + # TODO remove vboxusers when hardening is active + "vboxusers" + "video" + ]; + }; + }; + + security.sudo.extraConfig = + let + isSlave = u: elem "slaves" u.extraGroups; + masterOf = u: u.group; + slaves = filterAttrs (_: isSlave) config.users.extraUsers; + toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL"; + in + concatMapStringsSep "\n" toSudoers (attrValues slaves); + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/vg840-wuroot"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/home"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.bumblebee.enable = true; + hardware.bumblebee.group = "video"; + hardware.enableAllFirmware = true; + hardware.opengl.driSupport32Bit = true; + hardware.pulseaudio.enable = true; + + environment.systemPackages = with pkgs; [ + xlibs.fontschumachermisc + slock + ethtool + #firefoxWrapper # with plugins + #chromiumDevWrapper + tinc + iptables + #jack2 + ]; + + security.setuidPrograms = [ + "sendmail" # for cron + "slock" + ]; + + services.printing.enable = true; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? + ]; + + virtualisation.libvirtd.enable = true; + + networking.extraHosts = '' + 192.168.1.1 wrt.gg23 wrt + 192.168.1.11 mors.gg23 + 192.168.1.12 uriel.gg23 + 192.168.1.23 raspi.gg23 raspi + 192.168.1.37 wu.gg23 + 192.168.1.111 nomic.gg23 + 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker + ''; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + services.bitlbee.enable = true; + services.tor.client.enable = true; + services.tor.enable = true; + services.virtualboxHost.enable = true; + + # TODO w110er if xserver is enabled + services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; +} |