authortv <tv@krebsco.de>2017-08-29 21:08:02 +0200
committertv <tv@krebsco.de>2017-08-29 21:08:02 +0200
commit247477863628a44c60f591c6df6cc9f5e7818e89 (patch)
tree2492ffb4cda34e13d9653fbebbaba8823875d0a9
parentfd69096a27575b9d4d87a10af1492b273dad167c (diff)
parent48c75276c5a5ed8e7ea33ccb330f8ee6b7a6a927 (diff)
Merge remote-tracking branch 'stro/master'
-rw-r--r--krebs/1systems/hope/config.nix41
-rw-r--r--krebs/1systems/hope/source.nix3
-rw-r--r--krebs/3modules/krebs/default.nix32
-rw-r--r--lass/1systems/mors/config.nix12
-rw-r--r--lass/1systems/shodan/config.nix6
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/mail.nix6
-rw-r--r--lass/2configs/mpv.nix26
-rw-r--r--lass/3modules/umts.nix21
-rw-r--r--mv/1systems/stro/config.nix (renamed from mv/1systems/stro.nix)23
-rw-r--r--mv/1systems/stro/source.nix3
-rw-r--r--mv/source.nix23
12 files changed, 141 insertions, 56 deletions
diff --git a/krebs/1systems/hope/config.nix b/krebs/1systems/hope/config.nix
new file mode 100644
index 00000000..c19b210c
--- /dev/null
+++ b/krebs/1systems/hope/config.nix
@@ -0,0 +1,41 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ ip = config.krebs.build.host.nets.internet.ip4.addr;
+ bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
+
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
+
+ <stockholm/krebs/2configs/secret-passwords.nix>
+ {
+ users.extraUsers = {
+ satan = {
+ name = "satan";
+ uid = 1338;
+ home = "/home/satan";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ initialPassword = "test";
+ };
+ };
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.hope;
+
+ networking = let
+ address = config.krebs.build.host.nets.internet.ip4.addr;
+ in {
+ defaultGateway = bestGuessGateway address;
+ interfaces.enp2s1.ip4 = singleton {
+ inherit address;
+ prefixLength = 24;
+ };
+ nameservers = ["8.8.8.8"];
+ };
+}
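Review bot: `initialPassword = "test";` on the `satan` user commits a guessable cleartext password for an interactive account into version control, on a host whose public address and ssh port are published in the same merge (`krebs/3modules/krebs/default.nix`); the file already imports `<stockholm/krebs/2configs/secret-passwords.nix>`, so a `hashedPassword` taken from the secrets tree, or no initial password at all, would fit the existing pattern. Separately, `bestGuessGateway` looks fragile: Nix does not treat `\.` as an escaped dot inside a double-quoted string, so the regex most likely evaluates as `(.*)(.[^.])`, and the single-character `[^.]` means a last octet of two or more digits (hope's own `45.62.225.18`) would yield `45.62.225..1` rather than `45.62.225.1` — worth confirming with `nix-instantiate --eval`. Writing the dot explicitly and allowing any octet length, `bestGuessGateway = addr: elemAt (match "(.*)\\.[^.]*" addr) 0 + ".1";`, makes the intent unambiguous. The `ip` let-binding is also unused, since the `networking` block rebinds the same value as `address`.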
diff --git a/krebs/1systems/hope/source.nix b/krebs/1systems/hope/source.nix
new file mode 100644
index 00000000..7121d1d9
--- /dev/null
+++ b/krebs/1systems/hope/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "hope";
+}
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 27fbb708..9cd10317 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -30,6 +30,38 @@ let
});
in {
hosts = {
+ hope = {
+ owner = config.krebs.users.krebs;
+ managed = true;
+ nets = {
+ internet = {
+ ip4.addr = "45.62.225.18";
+ aliases = [
+ "hope.i"
+ ];
+ ssh.port = 45621;
+ };
+ retiolum = {
+ ip4.addr = "10.243.77.4";
+ ip6.addr = "42:0:0:0:0:0:77:4";
+ aliases = [
+ "hope.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
+ uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
+ 2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
+ A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
+ fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
+ K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
+ };
hotdog = {
owner = config.krebs.users.krebs;
managed = true;
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index bb6f84c7..58f55ce6 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -40,15 +40,6 @@ with import <stockholm/lib>;
};
}
{
- #zalando project
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql;
- };
- virtualisation.docker.enable = true;
- #users.users.mainUser.extraGroups = [ "docker" ];
- }
- {
lass.umts = {
enable = true;
modem = "/dev/serial/by-id/usb-Lenovo_F5521gw_C12AD95CB7B78F90-if09";
@@ -91,6 +82,9 @@ with import <stockholm/lib>;
client.enable = true;
};
}
+ {
+ services.mongodb.enable = true;
+ }
];
krebs.build.host = config.krebs.hosts.mors;
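Review bot: The new `services.mongodb.enable = true;` block gives no hint what it is for, whereas the `#zalando project` block this merge removes further up did; a one-line `# <project> needs a local mongodb` comment would keep that convention. It also leaves the listen address to the module default; stating `services.mongodb.bind_ip = "127.0.0.1";` next to it records that the instance is meant to stay local and survives a later change of that default.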
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index b6d49d6e..ef015aeb 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -41,7 +41,11 @@ with import <stockholm/lib>;
"/boot" = {
device = "/dev/sda1";
};
-
+ "/home" = {
+ device = "/dev/mapper/pool-home";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 22a7b1c1..e96f4dc7 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -200,6 +200,7 @@ with import <stockholm/lib>;
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
+ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
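Review bot: The new INPUT rule has no `precedence`, while the neighbouring rules set `10001`/`10000` explicitly, so its position in the generated chain depends on the module's default ordering; giving it an explicit precedence, and a comment naming the service behind UDP 60000–61000 (presumably mosh), would make the rule self-explanatory: `{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; } # mosh over retiolum`. Scoping the rule to the `retiolum` interface rather than all interfaces is the right call and worth keeping.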
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9f9bb24f..7a988118 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -78,11 +78,13 @@ let
and NOT to:shackspace \
and NOT to:c-base \
and NOT from:security-alert@hpe.com \
- and NOT to:nix-devel"\
+ and NOT to:nix-devel\
+ and NOT to:radio"\
"shack" "notmuch://?query=to:shackspace"\
"c-base" "notmuch://?query=to:c-base"\
"security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
"nix" "notmuch://?query=to:nix-devel"\
+ "radio" "notmuch://?query=to:radio or tag:radio"\
"TODO" "notmuch://?query=tag:TODO"\
"Starred" "notmuch://?query=tag:*"\
"Archive" "notmuch://?query=tag:archive"\
@@ -126,7 +128,7 @@ let
bind index t noop
bind pager t noop
- macro index t "<modify-labels>+TODO\n" # tag as Archived
+ macro index t "<modify-labels>" # tag as Archived
# top index bar in email view
set pager_index_lines=7
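Review bot: The trailing comment `# tag as Archived` on the changed `macro index t` line no longer matches the binding: the old macro applied `+TODO` (which the comment already misdescribed), and the new one sends a bare `<modify-labels>` without a label or newline, which presumably leaves the label prompt open for interactive input rather than applying any fixed tag. `macro index t "<modify-labels>" # prompt for labels to add/remove` would describe the new behaviour; if the prompt is not the intent, the `\n` and a label should come back.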
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index 04fd9213..b3de42c7 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@@ -2,40 +2,16 @@
let
- scripts = lib.concatStringsSep "," [
- good
- delete
- ];
-
mpv = pkgs.symlinkJoin {
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
- exec ${pkgs.mpv}/bin/mpv --no-config --script=${scripts} "$@"
+ exec ${pkgs.mpv}/bin/mpv --no-config "$@"
'')
pkgs.mpv
];
};
- moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" ''
- tmp_dir = "${dir}"
-
- function move_current_track_${key}()
- track = mp.get_property("path")
- os.execute("mkdir -p '" .. tmp_dir .. "'")
- os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")
- print("moved '" .. track .. "' to " .. tmp_dir)
- end
-
- mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key})
- '';
-
- good = moveToDir "G" "./.good";
- delete = moveToDir "D" "./.graveyard";
-
- up = moveToDir "U" "./up";
- down = moveToDir "Y" "./down";
-
in {
environment.systemPackages = [
mpv
diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix
index 83de4d40..c93c65ad 100644
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@@ -31,6 +31,16 @@ let
type = types.str;
default = "default";
};
+ pppDefaults = mkOption {
+ type = types.str;
+ default = ''
+ noipdefault
+ usepeerdns
+ defaultroute
+ persist
+ noauth
+ '';
+ };
};
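Review bot: The new `pppDefaults` option carries no `description`, so option listings and generated docs show nothing about what it controls; a short one, e.g. `description = "Contents of /etc/ppp/peers/wvdial, the pppd options used by the umts service.";`, would also tie it to the `environment.etc` entry further down in this file that consumes it. The `noauth` line in the default is what stops pppd from demanding authentication from the peer; a comment saying so inside the default keeps it from being dropped by accident.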
nixpkgs-1509 = import (pkgs.fetchFromGitHub {
@@ -71,7 +81,16 @@ let
lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
'';
- environment.wvdial.dialerDefaults = wvdial-defaults;
+ environment.etc = [
+ {
+ source = pkgs.writeText "wvdial.conf" wvdial-defaults;
+ target = "wvdial.conf";
+ }
+ {
+ source = pkgs.writeText "wvdial" cfg.pppDefaults;
+ target = "ppp/peers/wvdial";
+ }
+ ];
systemd.services.umts = {
description = "UMTS wvdial Service";
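Review bot: Both files are materialised with `pkgs.writeText`, which places their contents world-readable in the Nix store regardless of the target path under `/etc`; `wvdial-defaults` is defined outside this hunk, so if it carries a SIM PIN, APN username or password, those become readable by every local user and land in any binary cache the host pushes to. In that case the credential-bearing lines belong in the secrets tree and should be referenced from there, leaving only the non-sensitive defaults in `wvdial.conf`. The peers file built from `cfg.pppDefaults` is fine as long as that option stays free of credentials.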
diff --git a/mv/1systems/stro.nix b/mv/1systems/stro/config.nix
index bb37aedd..669655ee 100644
--- a/mv/1systems/stro.nix
+++ b/mv/1systems/stro/config.nix
@@ -8,18 +8,6 @@ with import <stockholm/lib>;
build = {
user = config.krebs.users.mv;
host = config.krebs.hosts.stro;
- source = let
- HOME = getEnv "HOME";
- host = config.krebs.build.host;
- in {
- nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix";
- secrets.file = "${HOME}/secrets/${host.name}";
- stockholm.file = "${HOME}/stockholm";
- nixpkgs.git = {
- url = https://github.com/NixOS/nixpkgs;
- ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
- };
- };
};
};
@@ -27,7 +15,7 @@ with import <stockholm/lib>;
<secrets>
<stockholm/krebs>
<stockholm/tv/2configs/audit.nix>
- <stockholm/tv/2configs/bash.nix>
+ <stockholm/tv/2configs/bash>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/im.nix>
@@ -40,7 +28,6 @@ with import <stockholm/lib>;
<stockholm/tv/2configs/xdg.nix>
<stockholm/tv/2configs/xserver>
<stockholm/tv/3modules>
- <stockholm/tv/5pkgs>
];
boot.kernel.sysctl = {
@@ -124,13 +111,13 @@ with import <stockholm/lib>;
nix = {
binaryCaches = ["https://cache.nixos.org"];
- # TODO check if both are required:
- chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
requireSignedBinaryCaches = true;
- useChroot = true;
+ # TODO check if both are required:
+ sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+ useSandbox = true;
};
- nixpkgs.config.allowUnfree = false;
+ nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;
users = {
defaultUserShell = "/run/current-system/sw/bin/bash";
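Review bot: Replacing `nixpkgs.config.allowUnfree = false;` with the `packageOverrides` line silently drops the host's explicit unfree policy; nixpkgs defaults `allowUnfree` to false, so nothing changes today, but keeping `nixpkgs.config.allowUnfree = false;` alongside the new line preserves the stated intent against a shared config later setting it. The moved `# TODO check if both are required:` comment now sits above `sandboxPaths`/`useSandbox`, and it is still unclear whether "both" means the two `sandboxPaths` entries or the two options; spelling that out would let the TODO actually be resolved.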
diff --git a/mv/1systems/stro/source.nix b/mv/1systems/stro/source.nix
new file mode 100644
index 00000000..888d616c
--- /dev/null
+++ b/mv/1systems/stro/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/mv/source.nix> {
+ name = "stro";
+}
diff --git a/mv/source.nix b/mv/source.nix
new file mode 100644
index 00000000..8b156391
--- /dev/null
+++ b/mv/source.nix
@@ -0,0 +1,23 @@
+with import <stockholm/lib>;
+host@{ name, override ? {} }: let
+ builder = if getEnv "dummy_secrets" == "true"
+ then "buildbot"
+ else "mv";
+ _file = <stockholm> + "/mv/1systems/${name}/source.nix";
+in
+ evalSource (toString _file) [
+ {
+ nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
+ nixpkgs.git = {
+ # nixos-17.03
+ ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+ url = https://github.com/NixOS/nixpkgs;
+ };
+ secrets.file = getAttr builder {
+ buildbot = toString <stockholm/mv/dummy_secrets>;
+ mv = "/home/mv/secrets/${name}";
+ };
+ stockholm.file = toString <stockholm>;
+ }
+ override
+ ]
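Review bot: The `host@` binding in `host@{ name, override ? {} }` is never referenced in the body (only `name` and `override` are), so `{ name, override ? {} }:` is enough and spares a reader the search for its use. The file also has no header explaining its contract; a comment above the function saying that it builds the stockholm source set for host `name`, that `override` is passed to `evalSource` after the defaults, and that `dummy_secrets=true` in the environment switches `secrets.file` to the dummy tree for buildbot, would save the next reader from reverse-engineering the `getAttr builder` dispatch. Pinning `nixpkgs.git.ref` to a commit rather than a branch, with the `# nixos-17.03` note, is the right habit.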