From dba0db28d96978d51284512c6b57a48fbfa9f492 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 17 Nov 2015 19:04:32 +0100 Subject: mv: init --- mv/1systems/stro.nix | 245 +++++++++++++++++++++++++++++++++++ mv/2configs/default.nix | 194 +++++++++++++++++++++++++++ mv/2configs/hw/x220.nix | 77 +++++++++++ mv/2configs/mail-client.nix | 13 ++ mv/2configs/smartd.nix | 17 +++ mv/2configs/vim.nix | 123 ++++++++++++++++++ mv/2configs/xserver/Xresources.nix | 215 ++++++++++++++++++++++++++++++ mv/2configs/xserver/default.nix | 153 ++++++++++++++++++++++ mv/2configs/xserver/xserver.conf.nix | 40 ++++++ mv/3modules/default.nix | 7 + mv/3modules/iptables.nix | 126 ++++++++++++++++++ 11 files changed, 1210 insertions(+) create mode 100644 mv/1systems/stro.nix create mode 100644 mv/2configs/default.nix create mode 100644 mv/2configs/hw/x220.nix create mode 100644 mv/2configs/mail-client.nix create mode 100644 mv/2configs/smartd.nix create mode 100644 mv/2configs/vim.nix create mode 100644 mv/2configs/xserver/Xresources.nix create mode 100644 mv/2configs/xserver/default.nix create mode 100644 mv/2configs/xserver/xserver.conf.nix create mode 100644 mv/3modules/default.nix create mode 100644 mv/3modules/iptables.nix (limited to 'mv') diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix new file mode 100644 index 000000000..9edcea007 --- /dev/null +++ b/mv/1systems/stro.nix @@ -0,0 +1,245 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.build.host = config.krebs.hosts.stro; + + krebs.build.source.git.nixpkgs.rev = + "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; + + krebs.build.target = "lolwat"; + + imports = [ + ../2configs/hw/x220.nix + ../2configs/mail-client.nix + ../2configs/xserver + { + environment.systemPackages = with pkgs; [ + + # stockholm + genid + gnumake + hashPassword + lentil + parallel + (pkgs.writeScriptBin "im" '' + #! ${pkgs.bash}/bin/bash + export PATH=${makeSearchPath "bin" (with pkgs; [ + tmux + gnugrep + weechat + ])} + if tmux list-sessions -F\#S | grep -q '^im''$'; then + exec tmux attach -t im + else + exec tmux new -s im weechat + fi + '') + + # root + cryptsetup + ntp # ntpate + + # tv + bc + bind # dig + #cac + dic + file + gnupg21 + haskellPackages.hledger + htop + jq + manpages + mkpasswd + netcat + nix-repl + nmap + nq + p7zip + pass + posix_man_pages + qrencode + texLive + tmux + + #ack + #apache-httpd + #ascii + #emacs + #es + #esniper + #gcc + #gptfdisk + #graphviz + #haskellPackages.cabal2nix + #haskellPackages.ghc + #haskellPackages.shake + #hdparm + #i7z + #iftop + #imagemagick + #inotifyTools + #iodine + #iotop + #lshw + #lsof + #minicom + #mtools + #ncmpc + #nethogs + #nix-prefetch-scripts #cvs bug + #openssl + #openswan + #parted + #perl + #powertop + #ppp + #proot + #pythonPackages.arandr + #pythonPackages.youtube-dl + #racket + #rxvt_unicode-with-plugins + #scrot + #sec + #silver-searcher + #sloccount + #smartmontools + #socat + #sshpass + #strongswan + #sysdig + #sysstat + #tcpdump + #tlsdate + #unetbootin + #utillinuxCurses + #wvdial + #xdotool + #xkill + #xl2tpd + #xsel + + unison + ]; + } + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + krebs.exim-retiolum.enable = true; + } + { + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "cd" + "gum" + "pigstarter" + ]; + }; + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { name = "xuca"; device = "/dev/sda2"; } + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/xuvga-root"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/xuvga-home"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + nixpkgs.config.chromium.enablePepperFlash = true; + + #nixpkgs.config.allowUnfreePredicate = pkg: + # pkgs.lib.hasPrefix "virtualbox" pkg.name; + + #nixpkgs.config.allowUnfree = true; + #hardware.bumblebee.enable = true; + #hardware.bumblebee.group = "video"; + hardware.enableAllFirmware = true; + #hardware.opengl.driSupport32Bit = true; + hardware.pulseaudio.enable = true; + + environment.systemPackages = with pkgs; [ + #xlibs.fontschumachermisc + #slock + ethtool + #firefoxWrapper # with plugins + #chromiumDevWrapper + tinc + iptables + #jack2 + + gptfdisk + ]; + + security.setuidPrograms = [ + "sendmail" # for cron + ]; + + services.printing.enable = true; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? + ]; + + #virtualisation.libvirtd.enable = true; + + #services.bitlbee.enable = true; + #services.tor.client.enable = true; + #services.tor.enable = true; + + #nixpkgs.config.virtualbox.enableExtensionPack = true; + + # XXX Enable for maximum slowness: + virtualisation.virtualbox.host.enable = true; + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "15.09"; +} diff --git a/mv/2configs/default.nix b/mv/2configs/default.nix new file mode 100644 index 000000000..f5b647558 --- /dev/null +++ b/mv/2configs/default.nix @@ -0,0 +1,194 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.enable = true; + + krebs.build = { + user = config.krebs.users.tv; + target = mkDefault "root@${config.krebs.build.host.name}"; + source = { + git.nixpkgs = { + url = mkDefault https://github.com/NixOS/nixpkgs; + rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613"; + target-path = mkDefault "/var/src/nixpkgs"; + }; + dir.secrets = { + path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + dir.stockholm = { + path = mkDefault "/home/tv/stockholm"; + target-path = mkDefault "/var/src/stockholm"; + }; + }; + }; + + networking.hostName = config.krebs.build.host.name; + + imports = [ + + ./vim.nix + { + # stockholm dependencies + environment.systemPackages = with pkgs; [ + git + ]; + } + { + users = { + defaultUserShell = "/run/current-system/sw/bin/bash"; + mutableUsers = false; + users = { + tv = { + isNormalUser = true; + uid = 1337; + }; + }; + }; + } + { + security.sudo.extraConfig = '' + Defaults mailto="${config.krebs.users.tv.mail}" + ''; + time.timeZone = "Europe/Berlin"; + } + { + # TODO check if both are required: + nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + + nix.useChroot = true; + } + { + environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; + + environment.systemPackages = with pkgs; [ + rxvt_unicode.terminfo + ]; + + environment.shellAliases = mkForce { + # alias cal='cal -m3' + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + dmesg = "dmesg -L --reltime"; + view = "vim -R"; + + reload = "systemctl reload"; + restart = "systemctl restart"; + start = "systemctl start"; + status = "systemctl status"; + stop = "systemctl stop"; + }; + + environment.variables = { + NIX_PATH = + with config.krebs.build.source; with dir; with git; + mkForce (concatStringsSep ":" [ + "nixpkgs=${nixpkgs.target-path}" + "secrets=${stockholm.target-path}/null" + ]); + }; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + ${readFile ./bash_completion.sh} + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then + PS1="ssh-agent[$SSH_AGENT_PID] $PS1" + fi + ''; + }; + + programs.ssh.startAgent = false; + } + + { + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + } + + { + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + } + + { + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + } + + { + # TODO: exim + security.setuidPrograms = [ + "sendmail" # for sudo + ]; + } + { + environment.systemPackages = [ + pkgs.get + pkgs.krebszones + pkgs.nix-prefetch-scripts + pkgs.push + ]; + } + + { + systemd.tmpfiles.rules = let + forUsers = flip map users; + isUser = { group, ... }: hasSuffix "users" group; + users = filter isUser (mapAttrsToList (_: id) config.users.users); + in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -"); + environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME"; + } + ]; +} diff --git a/mv/2configs/hw/x220.nix b/mv/2configs/hw/x220.nix new file mode 100644 index 000000000..7426555df --- /dev/null +++ b/mv/2configs/hw/x220.nix @@ -0,0 +1,77 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../smartd.nix + ]; + + boot.initrd.availableKernelModules = [ + "aesni-intel" + "ahci" + "fbcon" + "i915" + ]; + boot.kernelModules = [ + "kvm-intel" + "msr" + "tp-smapi" + ]; + + boot.extraModulePackages = [ + config.boot.kernelPackages.tp_smapi + ]; + + # disabled for fbcon and i915 to kick in or to disable the kernelParams + # XXX: investigate + boot.vesa = false; + + boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.wireless.enable = true; + + #hardware.enableAllFirmware = true; + #nixpkgs.config.allowUnfree = true; + #zramSwap.enable = true; + #zramSwap.numDevices = 2; + + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 0; + emulateWheel = true; + }; + + services.tlp.enable = true; + services.tlp.extraConfig = '' + START_CHARGE_THRESH_BAT0=80 + ''; + + nix = { + buildCores = 2; + maxJobs = 2; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + services.logind.extraConfig = '' + HandleHibernateKey=ignore + HandleLidSwitch=ignore + HandlePowerKey=ignore + HandleSuspendKey=ignore + ''; + + services.xserver = { + videoDriver = "intel"; + #vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; + #deviceSection = '' + # Option "AccelMethod" "sna" + #''; + }; + + #services.xserver.displayManager.sessionCommands ='' + # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 + # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2 + # xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5 + #''; +} diff --git a/mv/2configs/mail-client.nix b/mv/2configs/mail-client.nix new file mode 100644 index 000000000..8b6f8bbcd --- /dev/null +++ b/mv/2configs/mail-client.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: + +with pkgs; +{ + environment.systemPackages = [ + much + msmtp + notmuch + pythonPackages.alot + qprint + w3m + ]; +} diff --git a/mv/2configs/smartd.nix b/mv/2configs/smartd.nix new file mode 100644 index 000000000..9c4d8b2d8 --- /dev/null +++ b/mv/2configs/smartd.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + services.smartd = { + enable = true; + devices = [ + { + device = "DEVICESCAN"; + options = toString [ + "-a" + "-m ${config.krebs.users.tv.mail}" + "-s (O/../.././09|S/../.././04|L/../../6/05)" + ]; + } + ]; + }; +} diff --git a/mv/2configs/vim.nix b/mv/2configs/vim.nix new file mode 100644 index 000000000..a961b6b26 --- /dev/null +++ b/mv/2configs/vim.nix @@ -0,0 +1,123 @@ +{ lib, pkgs, ... }: + +with lib; +let + out = { + environment.systemPackages = [ + pkgs.vim + ]; + + # Nano really is just a stupid name for Vim. + nixpkgs.config.packageOverrides = pkgs: { + nano = pkgs.vim; + }; + + environment.etc.vimrc.source = vimrc; + + environment.variables.EDITOR = mkForce "vim"; + environment.variables.VIMINIT = ":so /etc/vimrc"; + }; + + extra-runtimepath = concatStringsSep "," [ + "${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree" + ]; + + vimrc = pkgs.writeText "vimrc" '' + set nocompatible + + set autoindent + set backspace=indent,eol,start + set backup + set backupdir=$HOME/.vim/backup/ + set directory=$HOME/.vim/cache// + set hlsearch + set incsearch + set mouse=a + set noruler + set pastetoggle= + set runtimepath=${extra-runtimepath},$VIMRUNTIME + set shortmess+=I + set showcmd + set showmatch + set ttimeoutlen=0 + set undodir=$HOME/.vim/undo + set undofile + set undolevels=1000000 + set undoreload=1000000 + set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info + set visualbell + set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o + set wildmenu + set wildmode=longest,full + + set et ts=2 sts=2 sw=2 + + filetype plugin indent on + + set t_Co=256 + colorscheme industry + syntax on + + au Syntax * syn match Tabstop containedin=ALL /\t\+/ + \ | hi Tabstop ctermbg=16 + \ | syn match TrailingSpace containedin=ALL /\s\+$/ + \ | hi TrailingSpace ctermbg=88 + \ | hi Normal ctermfg=White + + au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" '' + syn region String start=+\[[[:alnum:]]*|+ end=+|]+ + ''} + + au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" '' + setf nix + set isk=@,48-57,_,192-255,-,' + + " Ref + syn match INT /\<[0-9]\+\>/ + syn match PATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ + syn match HPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ + syn match SPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ + syn match URI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ + hi link INT Constant + hi link PATH Constant + hi link HPATH Constant + hi link SPATH Constant + hi link URI Constant + + syn match String /"\([^\\"]\|\\.\)*"/ + syn match Comment /\(^\|\s\)#.*/ + ''} + + au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile + + nmap q :buffer + nmap :buffer + + cnoremap + + noremap :q + + nnoremap [5^ :tabp + nnoremap [6^ :tabn + nnoremap [5@ :tabm -1 + nnoremap [6@ :tabm +1 + + nnoremap :tabp + nnoremap :tabn + inoremap :tabp + inoremap :tabn + + " + noremap Oa | noremap! Oa + noremap Ob | noremap! Ob + noremap Oc | noremap! Oc + noremap Od | noremap! Od + " <[C]S-{Up,Down,Right,Left> + noremap [a | noremap! [a + noremap [b | noremap! [b + noremap [c | noremap! [c + noremap [d | noremap! [d + vnoremap u + ''; +in +out diff --git a/mv/2configs/xserver/Xresources.nix b/mv/2configs/xserver/Xresources.nix new file mode 100644 index 000000000..f287bf206 --- /dev/null +++ b/mv/2configs/xserver/Xresources.nix @@ -0,0 +1,215 @@ +{ config, lib, pkgs, ... }: + +with lib; + +pkgs.writeText "Xresources" '' + !URxvt*background: #050505 + + ! 2013-02-25 \e was reas escape before + ! *VT100.Translations: #override\ + ! :: string("\e[5~")\n\ + ! :: string("\e[6~") + + ! XTerm*VT100*Translations: #override \ + ! ShiftReturn: string(" &") string(0x0A) \n\ + ! MetaReturn: string(" | less") string(0x0A) \n\ + ! ~ShiftPrior: scroll-back(1,page) \n\ + ! ~ShiftNext: scroll-forw(1,page) \n\ + ! ShiftPrior: scroll-back(1) \n\ + ! ShiftNext: scroll-forw(1) \n\ + ! Delete: string(0x1b) string("[2~") + ! \n\ + ! BackSpace: string(0x7f) + + ! 2013-02-2013-02-25 + ! ! : load bash-completion (if not already) + ! URxvt*VT100*Translations: #override\ + ! Metac:\ + ! string("\eOH# \eOF\n+compl\n\eOA\eOA\eOH\e[3~\e[3~\eOF")\ + ! string(0x7)\n + + ! do not scroll automatically on output: + ! XTerm*scrollTtyOutput: false + URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’" + ! URxvt*secondaryScreen: false + + ! URxvt*loginShell: true + + URxvt*eightBitInput: false + ! *eightBitOutput: 1 + ! URxvt*decTerminalID: 220 + ! URxvt*utf8: 1 + ! URxvt*locale: UTF-8 + ! XTerm*customization: -color + URxvt*SaveLines: 4096 + URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1 + URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1 + + ! 2013-05-23 if this does not work try + ! xset +fp /usr/share/fonts/local/ + ! xset fp rehash + ! URxvt*font: -*-termsynu-edium-*-*-*-12-*-*-*-*-*-iso10646-1 + ! URxvt*boldFont: -*-termsynu-bold-*-*-*-12-*-*-*-*-*-iso10646-1 + ! + !-misc-termsynu-medium-r-normal--12-87-100-100-c-70-iso10646-1 + + ! XTerm*font: -misc-fixed-medium-r-normal--13-120-75-75-c-80-iso10646-1 + URxvt*scrollBar: false + + ! XTerm*font:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1 + ! URxvt*boldFont:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1 + + URxvt*background: #050505 + ! URxvt*background: #041204 + + !URxvt.depth: 32 + !URxvt*background: rgba:0500/0500/0500/cccc + + ! URxvt*background: #080810 + URxvt*foreground: #d0d7d0 + ! URxvt*background: black + ! URxvt*foreground: white + ! URxvt*background: rgb:00/00/40 + ! URxvt*foreground: rgb:a0/a0/d0 + ! XTerm*cursorColor: rgb:00/00/60 + URxvt*cursorColor: #f042b0 + URxvt*cursorColor2: #f0b000 + URxvt*cursorBlink: off + ! URxvt*cursorUnderline: true + ! URxvt*highlightColor: #232323 + ! URxvt*highlightTextColor: #b0ffb0 + + URxvt*.pointerBlank: true + URxvt*.pointerBlankDelay: 987654321 + URxvt*.pointerColor: #f042b0 + URxvt*.pointerColor2: #050505 + + ! URxvt*fading: 50 + ! URxvt*fadeColor: #0f0f0f + + ! XTerm*colorMode: on + ! URxvt*dynamicColors: on + ! URxvt*boldColors: off + + URxvt*jumpScroll: true + + ! allow synthetic events for fvwm, so pass window specific keys + ! XTerm*allowSendEvents: true + URxvt*allowSendEvents: false + + ! better double/tripple clicking in xterms + ! Format: csv, [low-]high:value + ! + ! extend character class 48 due they are used in urls + ! (see: man xterm; /CHARACTER CLASSES) + ! ! % -./ @ & = ? + URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48 + URxvt*cutNewline: False + URxvt*cutToBeginningOfLine: False + + ! BLACK for indigo background + URxvt*color0: #232342 + + ! TODO: man xterm; /ACTIONS + + ! *VT100*colorULMode: on + ! XTerm*underLine: on + ! + ! URxvt*color0: black + ! URxvt*color1: red3 + ! URxvt*color2: green3 + ! URxvt*color3: yellow3 + ! URxvt*color4: blue2 + ! URxvt*color5: magenta3 + ! URxvt*color6: cyan3 + ! URxvt*color7: gray90 + ! URxvt*color8: burlywood1 + ! URxvt*color9: sienna1 + ! URxvt*color10: PaleVioletRed1 + ! URxvt*color11: LightSkyBlue + ! URxvt*color12: white + ! URxvt*color13: white + ! URxvt*color14: white + ! URxvt*color33: #f0b0f0 + + + ! URxvt*color0: #000000 + ! URxvt*color1: #c00000 + ! URxvt*color2: #80c070 + URxvt*color3: #c07000 + ! URxvt*color4: #0000c0 + URxvt*color4: #4040c0 + ! URxvt*color5: #c000c0 + ! URxvt*color6: #008080 + URxvt*color7: #c0c0c0 + + URxvt*color8: #707070 + URxvt*color9: #ff6060 + URxvt*color10: #70ff70 + URxvt*color11: #ffff70 + URxvt*color12: #7070ff + URxvt*color13: #ff50ff + URxvt*color14: #70ffff + URxvt*color15: #ffffff + + ! XTerm*color91: #000070 + ! XTerm*color92: #000080 + ! XTerm*color93: #000090 + ! XTerm*color94: #0000a0 + ! XTerm*color95: #0000b0 + ! XTerm*color96: #0000c0 + ! XTerm*color97: #0000d0 + ! XTerm*color98: #0000e0 + ! XTerm*color99: #0000f0 + + ! !! vim-create-colorscheme {{{ + ! !! Question cterm=none + ! XTerm*color20: #f0b000 + ! !! }}} + ! + ! + ! #include ".xrdb/look-zenburn.xrdb" + ! #include ".xrdb/xterm.xrdb" + + + + ! URxvt.perl-ext: matcher + ! URxvt.urlLauncher: cr + ! URxvt.underlineColor: blue + + ! URxvt.matcher.button: 1 + ! URxvt.perl-ext: default,matcher + ! URxvt.urlLauncher: cr + ! URxvt.matcher.pattern.1: \\bwww\\.[\\w-]+\\.[\\w./?&@#-]*[\\w/-] + ! URxvt.underlineColor: blue + + ! 2014-05-12 von lass + !URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select + !URxvt.url-select.launcher: /home/tv/bin/ff -new-tab + !URxvt.url-select.underline: true + !URxvt.keysym.M-u: perl:url-select:select_next + !URxvt.keysym.M-Escape: perl:keyboard-select:activate + !URxvt.keysym.M-s: perl:keyboard-select:search + + + + + ! 2013-02-25 I neve use this + URxvt*iso14755: False + + URxvt*urgentOnBell: True + URxvt*visualBell: True + + ! ref https://github.com/muennich/urxvt-perls + URxvt*perl-ext: default,url-select + URxvt*keysym.M-u: perl:url-select:select_next + URxvt*url-select.launcher: ${pkgs.ff}/bin/ff -new-tab + URxvt*url-select.underline: true + URxvt*colorUL: #4682B4 + URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl + + root-urxvt*background: #230000 + root-urxvt*foreground: #e0c0c0 + root-urxvt*BorderColor: #400000 + root-urxvt*color0: #800000 +'' diff --git a/mv/2configs/xserver/default.nix b/mv/2configs/xserver/default.nix new file mode 100644 index 000000000..afc2d699c --- /dev/null +++ b/mv/2configs/xserver/default.nix @@ -0,0 +1,153 @@ +{ config, lib, pkgs, ... }@args: + +with lib; + +let + # TODO krebs.build.user + user = config.users.users.tv; + + out = { + services.xserver.display = 11; + services.xserver.tty = 11; + + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; + }; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + systemd.services.urxvtd = { + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + ExecReload = need-reload "urxvtd.service"; + ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; + Restart = "always"; + RestartSec = "2s"; + StartLimitBurst = 0; + User = user.name; + }; + }; + + environment.systemPackages = [ + pkgs.ff + pkgs.gitAndTools.qgit + pkgs.mpv + pkgs.pavucontrol + pkgs.slock + pkgs.sxiv + pkgs.xsel + pkgs.zathura + ]; + + security.setuidPrograms = [ + "slock" + ]; + + systemd.services.display-manager = mkForce {}; + + services.xserver.enable = true; + + systemd.services.xmonad = { + wantedBy = [ "multi-user.target" ]; + requires = [ "xserver.service" ]; + environment = xmonad-environment; + serviceConfig = { + ExecStart = "${xmonad-start}/bin/xmonad"; + ExecStop = "${xmonad-stop}/bin/xmonad-stop"; + User = user.name; + WorkingDirectory = user.home; + }; + }; + + systemd.services.xserver = { + after = [ + "systemd-udev-settle.service" + "local-fs.target" + "acpid.service" + ]; + reloadIfChanged = true; + environment = xserver-environment; + serviceConfig = { + ExecReload = need-reload "xserver.service"; + ExecStart = "${xserver}/bin/xserver"; + }; + }; + }; + + xmonad-environment = { + DISPLAY = ":${toString config.services.xserver.display}"; + XMONAD_STATE = "/tmp/xmonad.state"; + + # XXX JSON is close enough :) + XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ + "Dashboard" # we start here + "23" + "cr" + "ff" + "hack" + "im" + "mail" + "stockholm" + "za" "zh" "zj" "zs" + ]); + }; + + xmonad-start = pkgs.writeScriptBin "xmonad" '' + #! ${pkgs.bash}/bin/bash + set -efu + export PATH; PATH=${makeSearchPath "bin" [ + pkgs.rxvt_unicode + ]}:/var/setuid-wrappers + settle() {( + # Use PATH for a clean journal + command=''${1##*/} + PATH=''${1%/*}; export PATH + shift + until "$command" "$@"; do + ${pkgs.coreutils}/bin/sleep 1 + done + )&} + settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL: + settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} + settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' + exec ${pkgs.xmonad-tv}/bin/xmonad + ''; + + xmonad-stop = pkgs.writeScriptBin "xmonad-stop" '' + #! /bin/sh + exec ${pkgs.xmonad-tv}/bin/xmonad --shutdown + ''; + + xserver-environment = { + XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension. + XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. + LD_LIBRARY_PATH = concatStringsSep ":" ( + [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ] + ++ concatLists (catAttrs "libPath" config.services.xserver.drivers)); + }; + + xserver = pkgs.writeScriptBin "xserver" '' + #! /bin/sh + set -efu + exec ${pkgs.xorg.xorgserver}/bin/X \ + :${toString config.services.xserver.display} \ + vt${toString config.services.xserver.tty} \ + -config ${import ./xserver.conf.nix args} \ + -logfile /var/log/X.${toString config.services.xserver.display}.log \ + -nolisten tcp \ + -xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \ + ''; + + need-reload = s: let + pkg = pkgs.writeScriptBin "need-reload" '' + #! /bin/sh + echo "$*" + ''; + in "${pkg}/bin/need-reload ${s}"; + +in out diff --git a/mv/2configs/xserver/xserver.conf.nix b/mv/2configs/xserver/xserver.conf.nix new file mode 100644 index 000000000..e8a997a99 --- /dev/null +++ b/mv/2configs/xserver/xserver.conf.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver; +in + +pkgs.stdenv.mkDerivation { + name = "xserver.conf"; + + xfs = optionalString (cfg.useXFS != false) + ''FontPath "${toString cfg.useXFS}"''; + + inherit (cfg) config; + + buildCommand = + '' + echo 'Section "Files"' >> $out + echo $xfs >> $out + + for i in ${toString config.fonts.fonts}; do + if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then + for j in $(find $i -name fonts.dir); do + echo " FontPath \"$(dirname $j)\"" >> $out + done + fi + done + + for i in $(find ${toString cfg.modules} -type d); do + if test $(echo $i/*.so* | wc -w) -ne 0; then + echo " ModulePath \"$i\"" >> $out + fi + done + + echo 'EndSection' >> $out + + echo "$config" >> $out + ''; +} diff --git a/mv/3modules/default.nix b/mv/3modules/default.nix new file mode 100644 index 000000000..963f108b2 --- /dev/null +++ b/mv/3modules/default.nix @@ -0,0 +1,7 @@ +_: + +{ + imports = [ + ./iptables.nix + ]; +} diff --git a/mv/3modules/iptables.nix b/mv/3modules/iptables.nix new file mode 100644 index 000000000..cbf49f577 --- /dev/null +++ b/mv/3modules/iptables.nix @@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.tv.iptables; + + out = { + options.tv.iptables = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "tv.iptables"; + + input-internet-accept-new-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-new-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + }; + + imp = { + networking.firewall.enable = false; + + systemd.services.tv-iptables = { + description = "tv-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} tv-iptables_start"; + }; + }; + }; + + + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + + rules = iptables-version: + pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' + *nat + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([] + ++ [ + "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" + "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ] + )} + COMMIT + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + :Retiolum - [0:0] + ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([] + ++ [ + "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" + "-i lo -j ACCEPT" + ] + ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) + ++ ["-i retiolum -j Retiolum"] + )} + ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] + ++ { + ip4tables = [ + "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" + ]; + ip6tables = [ + "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" + ]; + }."ip${toString iptables-version}tables" + ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) + ++ { + ip4tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp-port-unreachable" + "-j REJECT --reject-with icmp-proto-unreachable" + ]; + ip6tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp6-port-unreachable" + "-j REJECT" + ]; + }."ip${toString iptables-version}tables" + )} + COMMIT + ''; + + startScript = pkgs.writeScript "tv-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules 4} + ip6tables-restore < ${rules 6} + ''; + +in +out + +#let +# cfg = config.tv.iptables; +# arg' = arg // { inherit cfg; }; +#in +# +#{ +# options.tv.iptables = import ./options.nix arg'; +# config = lib.mkIf cfg.enable (import ./config.nix arg'); +#} -- cgit v1.2.3