From d213df5c00d3073d2f3bc09471fce466153df881 Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 11 Jul 2015 16:55:22 +0200 Subject: NWO --- .gitignore | 1 + 0make/tv/cd.makefile | 4 + 0make/tv/mkdir.makefile | 4 + 0make/tv/nomic.makefile | 4 + 0make/tv/rmdir.makefile | 4 + 0make/tv/wu.makefile | 4 + 1systems/tv/cd.nix | 98 ++++++++ 1systems/tv/mkdir.nix | 76 ++++++ 1systems/tv/nomic.nix | 111 +++++++++ 1systems/tv/rmdir.nix | 77 ++++++ 1systems/tv/wu.nix | 388 ++++++++++++++++++++++++++++++ 2configs/tv/AO753.nix | 39 +++ 2configs/tv/CAC-CentOS-7-64bit.nix | 47 ++++ 2configs/tv/CAC-Developer-1.nix | 6 + 2configs/tv/CAC-Developer-2.nix | 6 + 2configs/tv/base.nix | 175 ++++++++++++++ 2configs/tv/consul-client.nix | 9 + 2configs/tv/consul-server.nix | 22 ++ 2configs/tv/cryptoroot.nix | 4 + 2configs/tv/exim-retiolum.nix | 126 ++++++++++ 2configs/tv/exim-smarthost.nix | 474 +++++++++++++++++++++++++++++++++++++ 2configs/tv/git-public.nix | 83 +++++++ 2configs/tv/smartd.nix | 17 ++ 2configs/tv/synaptics.nix | 14 ++ 2configs/tv/urxvt.nix | 24 ++ 2configs/tv/w110er.nix | 42 ++++ 2configs/tv/xserver.nix | 41 ++++ 3modules/tv/consul.nix | 122 ++++++++++ 3modules/tv/ejabberd.nix | 171 +++++++++++++ 3modules/tv/git.nix | 406 +++++++++++++++++++++++++++++++ 3modules/tv/identity.nix | 71 ++++++ 3modules/tv/iptables.nix | 129 ++++++++++ 3modules/tv/nginx.nix | 83 +++++++ 3modules/tv/retiolum.nix | 241 +++++++++++++++++++ 3modules/tv/urlwatch.nix | 156 ++++++++++++ 4lib/tv/default.nix | 62 +++++ 4lib/tv/git.nix | 181 ++++++++++++++ 4lib/tv/modules.nix | 21 ++ Makefile | 70 ++++++ Zhosts/Styx | 10 + Zhosts/ThinkArmageddon | 9 + Zhosts/TriBot | 11 + Zhosts/ach | 11 + Zhosts/air | 11 + Zhosts/alarmpi | 11 + Zhosts/albi10 | 11 + Zhosts/albi7 | 10 + Zhosts/almoehi | 11 + Zhosts/alphalabs | 10 + Zhosts/apfull | 11 + Zhosts/bitchctl | 11 + Zhosts/bitchextend | 11 + Zhosts/bitchtop | 11 + Zhosts/box | 10 + Zhosts/bridge | 12 + Zhosts/c2ft | 10 + Zhosts/c2fthome | 10 + Zhosts/casino | 11 + Zhosts/cat1 | 11 + Zhosts/cband | 11 + Zhosts/cd | 17 ++ Zhosts/cloudkrebs | 
12 + Zhosts/darth | 12 + Zhosts/dei | 11 + Zhosts/destroy | 11 + Zhosts/devstar | 11 + Zhosts/eigenserv | 11 + Zhosts/elvis | 12 + Zhosts/exile | 9 + Zhosts/exitium_mobilis | 10 + Zhosts/falk | 11 + Zhosts/fastpoke | 12 + Zhosts/filebitch | 11 + Zhosts/filepimp | 11 + Zhosts/flap | 11 + Zhosts/foobar | 11 + Zhosts/fuerkrebs | 10 + Zhosts/go | 13 + Zhosts/gum | 13 + Zhosts/heidi | 11 + Zhosts/horisa | 12 + Zhosts/horreum_magnus | 15 ++ Zhosts/incept | 13 + Zhosts/ire | 12 + Zhosts/ire2 | 9 + Zhosts/irkel | 12 + Zhosts/juhulian | 11 + Zhosts/k2 | 28 +++ Zhosts/kabinett | 11 + Zhosts/kaepsele | 11 + Zhosts/kalle | 11 + Zhosts/karthus | 10 + Zhosts/khackplug | 11 + Zhosts/kheurop | 12 + Zhosts/kiosk | 12 + Zhosts/krebsplug | 10 + Zhosts/kvasir | 11 + Zhosts/laqueus | 11 + Zhosts/linuxatom | 11 + Zhosts/luminos | 11 + Zhosts/machine | 11 + Zhosts/makalu | 11 + Zhosts/mako | 11 + Zhosts/miefda0 | 10 + Zhosts/minikrebs | 10 + Zhosts/mkdir | 11 + Zhosts/monitor | 11 + Zhosts/mors | 10 + Zhosts/motor | 12 + Zhosts/mu | 10 + Zhosts/muhbaasu | 13 + Zhosts/nomic | 10 + Zhosts/nomic2 | 10 + Zhosts/nukular | 11 + Zhosts/omo | 9 + Zhosts/pic | 11 + Zhosts/pigstarter | 13 + Zhosts/pike | 11 + Zhosts/pornocauster | 10 + Zhosts/radiotuxmini | 11 + Zhosts/random | 10 + Zhosts/raspafari | 11 + Zhosts/reimae | 12 + Zhosts/rmdir | 11 + Zhosts/robchina | 11 + Zhosts/rockit | 11 + Zhosts/rtjure_debian_oder_so | 11 + Zhosts/rtjure_ras | 11 + Zhosts/rtjure_rdrlab_linkstation | 11 + Zhosts/rubus | 9 + Zhosts/senderechner | 10 + Zhosts/serenity | 11 + Zhosts/seruundroid | 12 + Zhosts/sir_krebs_a_lot | 11 + Zhosts/skirfir | 11 + Zhosts/sleipnir | 12 + Zhosts/smove | 9 + Zhosts/sokrates | 11 + Zhosts/sokrateslaptop | 11 + Zhosts/soundflower | 10 + Zhosts/steve | 10 + Zhosts/tahoe | 12 + Zhosts/taschenkrebs | 11 + Zhosts/terrapi | 11 + Zhosts/thomasDOTde | 9 + Zhosts/tincdroid | 9 + Zhosts/tpsw | 11 + Zhosts/ufo | 11 + Zhosts/uriel | 11 + Zhosts/vault | 10 + Zhosts/voyager | 17 ++ Zhosts/wooktop 
| 11 + Zhosts/wu | 10 + Zhosts/ytart | 9 + Zhosts/zombiecancer | 11 + Zpubkeys/deploy_wu.ssh.pub | 1 + Zpubkeys/lass.ssh.pub | 1 + Zpubkeys/makefu.ssh.pub | 1 + Zpubkeys/mv_vod.ssh.pub | 1 + Zpubkeys/tv_wu.ssh.pub | 1 + Zpubkeys/uriel.ssh.pub | 1 + 161 files changed, 4912 insertions(+) create mode 100644 .gitignore create mode 100644 0make/tv/cd.makefile create mode 100644 0make/tv/mkdir.makefile create mode 100644 0make/tv/nomic.makefile create mode 100644 0make/tv/rmdir.makefile create mode 100644 0make/tv/wu.makefile create mode 100644 1systems/tv/cd.nix create mode 100644 1systems/tv/mkdir.nix create mode 100644 1systems/tv/nomic.nix create mode 100644 1systems/tv/rmdir.nix create mode 100644 1systems/tv/wu.nix create mode 100644 2configs/tv/AO753.nix create mode 100644 2configs/tv/CAC-CentOS-7-64bit.nix create mode 100644 2configs/tv/CAC-Developer-1.nix create mode 100644 2configs/tv/CAC-Developer-2.nix create mode 100644 2configs/tv/base.nix create mode 100644 2configs/tv/consul-client.nix create mode 100644 2configs/tv/consul-server.nix create mode 100644 2configs/tv/cryptoroot.nix create mode 100644 2configs/tv/exim-retiolum.nix create mode 100644 2configs/tv/exim-smarthost.nix create mode 100644 2configs/tv/git-public.nix create mode 100644 2configs/tv/smartd.nix create mode 100644 2configs/tv/synaptics.nix create mode 100644 2configs/tv/urxvt.nix create mode 100644 2configs/tv/w110er.nix create mode 100644 2configs/tv/xserver.nix create mode 100644 3modules/tv/consul.nix create mode 100644 3modules/tv/ejabberd.nix create mode 100644 3modules/tv/git.nix create mode 100644 3modules/tv/identity.nix create mode 100644 3modules/tv/iptables.nix create mode 100644 3modules/tv/nginx.nix create mode 100644 3modules/tv/retiolum.nix create mode 100644 3modules/tv/urlwatch.nix create mode 100644 4lib/tv/default.nix create mode 100644 4lib/tv/git.nix create mode 100644 4lib/tv/modules.nix create mode 100644 Makefile create mode 100644 Zhosts/Styx create mode 100644 
Zhosts/ThinkArmageddon create mode 100644 Zhosts/TriBot create mode 100644 Zhosts/ach create mode 100644 Zhosts/air create mode 100644 Zhosts/alarmpi create mode 100644 Zhosts/albi10 create mode 100644 Zhosts/albi7 create mode 100644 Zhosts/almoehi create mode 100644 Zhosts/alphalabs create mode 100644 Zhosts/apfull create mode 100644 Zhosts/bitchctl create mode 100644 Zhosts/bitchextend create mode 100644 Zhosts/bitchtop create mode 100644 Zhosts/box create mode 100644 Zhosts/bridge create mode 100644 Zhosts/c2ft create mode 100644 Zhosts/c2fthome create mode 100644 Zhosts/casino create mode 100644 Zhosts/cat1 create mode 100644 Zhosts/cband create mode 100644 Zhosts/cd create mode 100644 Zhosts/cloudkrebs create mode 100644 Zhosts/darth create mode 100644 Zhosts/dei create mode 100644 Zhosts/destroy create mode 100644 Zhosts/devstar create mode 100644 Zhosts/eigenserv create mode 100644 Zhosts/elvis create mode 100644 Zhosts/exile create mode 100644 Zhosts/exitium_mobilis create mode 100644 Zhosts/falk create mode 100644 Zhosts/fastpoke create mode 100644 Zhosts/filebitch create mode 100644 Zhosts/filepimp create mode 100644 Zhosts/flap create mode 100644 Zhosts/foobar create mode 100644 Zhosts/fuerkrebs create mode 100644 Zhosts/go create mode 100644 Zhosts/gum create mode 100644 Zhosts/heidi create mode 100644 Zhosts/horisa create mode 100644 Zhosts/horreum_magnus create mode 100644 Zhosts/incept create mode 100644 Zhosts/ire create mode 100644 Zhosts/ire2 create mode 100644 Zhosts/irkel create mode 100644 Zhosts/juhulian create mode 100644 Zhosts/k2 create mode 100644 Zhosts/kabinett create mode 100644 Zhosts/kaepsele create mode 100644 Zhosts/kalle create mode 100644 Zhosts/karthus create mode 100644 Zhosts/khackplug create mode 100644 Zhosts/kheurop create mode 100644 Zhosts/kiosk create mode 100644 Zhosts/krebsplug create mode 100644 Zhosts/kvasir create mode 100644 Zhosts/laqueus create mode 100644 Zhosts/linuxatom create mode 100644 Zhosts/luminos create 
mode 100644 Zhosts/machine create mode 100644 Zhosts/makalu create mode 100644 Zhosts/mako create mode 100644 Zhosts/miefda0 create mode 100644 Zhosts/minikrebs create mode 100644 Zhosts/mkdir create mode 100644 Zhosts/monitor create mode 100644 Zhosts/mors create mode 100644 Zhosts/motor create mode 100644 Zhosts/mu create mode 100644 Zhosts/muhbaasu create mode 100644 Zhosts/nomic create mode 100644 Zhosts/nomic2 create mode 100644 Zhosts/nukular create mode 100644 Zhosts/omo create mode 100644 Zhosts/pic create mode 100644 Zhosts/pigstarter create mode 100644 Zhosts/pike create mode 100644 Zhosts/pornocauster create mode 100644 Zhosts/radiotuxmini create mode 100644 Zhosts/random create mode 100644 Zhosts/raspafari create mode 100644 Zhosts/reimae create mode 100644 Zhosts/rmdir create mode 100644 Zhosts/robchina create mode 100644 Zhosts/rockit create mode 100644 Zhosts/rtjure_debian_oder_so create mode 100644 Zhosts/rtjure_ras create mode 100644 Zhosts/rtjure_rdrlab_linkstation create mode 100644 Zhosts/rubus create mode 100644 Zhosts/senderechner create mode 100644 Zhosts/serenity create mode 100644 Zhosts/seruundroid create mode 100644 Zhosts/sir_krebs_a_lot create mode 100644 Zhosts/skirfir create mode 100644 Zhosts/sleipnir create mode 100644 Zhosts/smove create mode 100644 Zhosts/sokrates create mode 100644 Zhosts/sokrateslaptop create mode 100644 Zhosts/soundflower create mode 100644 Zhosts/steve create mode 100644 Zhosts/tahoe create mode 100644 Zhosts/taschenkrebs create mode 100644 Zhosts/terrapi create mode 100644 Zhosts/thomasDOTde create mode 100644 Zhosts/tincdroid create mode 100644 Zhosts/tpsw create mode 100644 Zhosts/ufo create mode 100644 Zhosts/uriel create mode 100644 Zhosts/vault create mode 100644 Zhosts/voyager create mode 100644 Zhosts/wooktop create mode 100644 Zhosts/wu create mode 100644 Zhosts/ytart create mode 100644 Zhosts/zombiecancer create mode 100644 Zpubkeys/deploy_wu.ssh.pub create mode 100644 Zpubkeys/lass.ssh.pub create 
mode 100644 Zpubkeys/makefu.ssh.pub create mode 100644 Zpubkeys/mv_vod.ssh.pub create mode 100644 Zpubkeys/tv_wu.ssh.pub create mode 100644 Zpubkeys/uriel.ssh.pub
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..1ce08211
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.graveyard
diff --git a/0make/tv/cd.makefile b/0make/tv/cd.makefile
new file mode 100644
index 00000000..e021423f
--- /dev/null
+++ b/0make/tv/cd.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@cd-global
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/cd
diff --git a/0make/tv/mkdir.makefile b/0make/tv/mkdir.makefile
new file mode 100644
index 00000000..b10398a0
--- /dev/null
+++ b/0make/tv/mkdir.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@mkdir
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/mkdir
diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile
new file mode 100644
index 00000000..c11f4115
--- /dev/null
+++ b/0make/tv/nomic.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@nomic-local
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4e5e44140bfc27211dffbb3cd727842ab02eb9d6
+secrets_dir := /home/tv/secrets/nomic
diff --git a/0make/tv/rmdir.makefile b/0make/tv/rmdir.makefile
new file mode 100644
index 00000000..6075bd3d
--- /dev/null
+++ b/0make/tv/rmdir.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@rmdir
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/rmdir
diff --git a/0make/tv/wu.makefile b/0make/tv/wu.makefile
new file mode 100644
index 00000000..81f561ce
--- /dev/null
+++ b/0make/tv/wu.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@wu
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := e1af50c4c4c0332136283e9231f0a32ac11f2b90
+secrets_dir := /home/tv/secrets/wu
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix new file mode 100644 index 00000000..e2ce9bba --- /dev/null +++ b/1systems/tv/cd.nix @@ -0,0 +1,98 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-2.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/ejabberd.nix ]; + tv.ejabberd = { + enable = true; + hosts = [ "jabber.viljetic.de" ]; + }; + } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.cd; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "cd"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.219.7.216"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.219.7.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + users.extraUsers = { + mv = { + uid = 1338; + group = "users"; + home = "/home/mv"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/mv_vod.ssh.pub + ]; + }; + }; +} diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix new file mode 100644 index 00000000..e4e89872 --- /dev/null 
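Review bot: The `mv` account at the end of the cd.nix hunk is the only per-host user in this file and carries an SSH key plus a full login shell (`useDefaultShell = true`), yet nothing says who it is for or why it lives on cd; the only hint is the `mutt # for mv` package comment far above it. A one-line comment next to the definition, such as `# mv: shell + mail (mutt) account for <owner>; key in Zpubkeys/mv_vod.ssh.pub`, keeps that intent with the uid. If the account only needs mail, a comment should also say why an interactive shell is intended.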
+++ b/1systems/tv/mkdir.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-1.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.mkdir; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "cd" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "mkdir"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.248.167.241"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.248.167.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix new file mode 100644 index 00000000..1696c509 --- /dev/null +++ b/1systems/tv/nomic.nix 
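Review bot: The `tv.iptables`, `tv.retiolum`, `environment.systemPackages` and `services.journald.extraConfig` blocks in mkdir.nix are copied verbatim from 1systems/tv/cd.nix and appear a third time in 1systems/tv/rmdir.nix (the rmdir hunk on the next line), differing only in `connectTo` and the `tv.identity.self` reference. A shared module next to 2configs/tv/CAC-CentOS-7-64bit.nix holding those blocks, with each host file keeping only `hostName`, addresses and `connectTo`, would stop the three accepted-port lists from drifting apart (cd already differs by opening the xmpp ports). The hand-maintained `connectTo` lists, where rmdir adds `cd` and `mkdir` on top of the list mkdir already grew from cd, point the same way.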
@@ -0,0 +1,111 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/AO753.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-retiolum.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.nomic; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + imports = [ ../../3modules/tv/nginx.nix ]; + tv.nginx = { + enable = true; + retiolum-locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha1" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; + } + ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; + fsType = "ext4"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; + fsType = "btrfs"; + }; + + swapDevices = [ ]; + + nix = { + buildCores = 2; + maxJobs = 2; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + # TODO base + boot.tmpOnTmpfs = true; + + environment.systemPackages = with pkgs; [ + (writeScriptBin "play" '' + #! 
/bin/sh + set -euf + mpv() { exec ${mpv}/bin/mpv "$@"; } + case $1 in + deepmix) mpv http://deepmix.ru/deepmix128.pls;; + groovesalad) mpv http://somafm.com/play/groovesalad;; + ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;; + *) + echo "$0: bad argument: $*" >&2 + exit 23 + esac + '') + rxvt_unicode.terminfo + tmux + ]; + + networking.hostName = "nomic"; +} diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix new file mode 100644 index 00000000..14817c9b --- /dev/null +++ b/1systems/tv/rmdir.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/CAC-Developer-1.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-server.nix + ../../2configs/tv/exim-smarthost.nix + ../../2configs/tv/git-public.nix + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.rmdir; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "cd" + "mkdir" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.hostName = "rmdir"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "167.88.44.94"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "167.88.44.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix new file mode 100644 index 00000000..2645b8c2 --- /dev/null +++ b/1systems/tv/wu.nix 
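Review bot: In the `play` script under `environment.systemPackages`, `case $1 in` runs under `set -euf`, so calling `play` with no argument aborts with the shell's unset-parameter error instead of reaching the intended `bad argument` message; `case ${1-} in` keeps the usage path reachable. Separately, the nginx `retiolum-locations` regex `~ ^/~(.+?)(/.*)?\$` lets `$1` be any single path segment, including `..`, before it is spliced into `alias /home/$1/public_html$2;`; a capture shaped like a user name, e.g. `~ ^/~([a-z_][a-z0-9_-]*)(/.*)?\$`, keeps the alias under /home. The same location block is repeated in 1systems/tv/wu.nix. The `cryptoModules` list here names `sha1` where wu.nix names `sha512`; if that reflects the hash of this disk's LUKS header it deserves a comment, since it reads as an inconsistency.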
@@ -0,0 +1,388 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../2configs/tv/w110er.nix + ../../2configs/tv/base.nix + ../../2configs/tv/consul-client.nix + ../../2configs/tv/exim-retiolum.nix + ../../2configs/tv/git-public.nix + # TODO git-private.nix + ../../2configs/tv/xserver.nix + ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.wu; + }; + } + { + imports = [ ../../3modules/tv/iptables.nix ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + imports = [ ../../3modules/tv/nginx.nix ]; + tv.nginx = { + enable = true; + retiolum-locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + { + imports = [ ../../3modules/tv/urlwatch.nix ]; + tv.urlwatch = { + enable = true; + mailto = "tv@wu.retiolum"; # TODO + onCalendar = "*-*-* 05:00:00"; + urls = [ + ## nixpkgs maintenance + + # 2014-07-29 when one of the following urls change + # then we have to update the package + + # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix + http://simple-evcorr.sourceforge.net/ + + # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix + https://thp.io/2008/urlwatch/ + + # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix + https://api.github.com/repos/ioerror/tlsdate/tags + + # 2015-02-18 + # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix + http://www.fourmilab.ch/webtools/qprint/ + + # 2014-09-24 ref https://github.com/4z3/xintmap + http://www.mathstat.dal.ca/~selinger/quipper/ + + # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3 + # ref 
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix + http://nixos.org/releases/nixops/ + + ## other + + https://nixos.org/channels/nixos-unstable/git-revision + + ## 2014-10-17 + ## TODO update ~/src/login/default.nix + #http://hackage.haskell.org/package/bcrypt + #http://hackage.haskell.org/package/cron + #http://hackage.haskell.org/package/hyphenation + #http://hackage.haskell.org/package/iso8601-time + #http://hackage.haskell.org/package/ixset-typed + #http://hackage.haskell.org/package/system-command + #http://hackage.haskell.org/package/transformers + #http://hackage.haskell.org/package/web-routes-wai + #http://hackage.haskell.org/package/web-page + ]; + }; + } + { + users.extraGroups = { + tv-sub.gid = 1337; + }; + + users.extraUsers = + mapAttrs (name: user: user // { + inherit name; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + }) { + ff = { + uid = 13378001; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + cr = { + uid = 13378002; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + vimb = { + uid = 13378003; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + fa = { + uid = 2300001; + group = "tv-sub"; + }; + + rl = { + uid = 2300002; + group = "tv-sub"; + }; + + tief = { + uid = 2300702; + group = "tv-sub"; + }; + + btc-bitcoind = { + uid = 2301001; + group = "tv-sub"; + }; + + btc-electrum = { + uid = 2301002; + group = "tv-sub"; + }; + + ltc-litecoind = { + uid = 2301101; + group = "tv-sub"; + }; + + eth = { + uid = 2302001; + group = "tv-sub"; + }; + + emse-hsdb = { + uid = 4200101; + group = "tv-sub"; + }; + + wine = { + uid = 13370400; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # dwarffortress + df = { + uid = 13370401; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # XXX visudo: Warning: Runas_Alias `FTL' 
referenced but not defined + FTL = { + uid = 13370402; + #group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + freeciv = { + uid = 13370403; + group = "tv-sub"; + }; + + xr = { + uid = 13370061; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + "23" = { + uid = 13370023; + group = "tv-sub"; + }; + + electrum = { + uid = 13370102; + group = "tv-sub"; + }; + + Reaktor = { + uid = 4230010; + group = "tv-sub"; + }; + + gitolite = { + uid = 7700; + }; + + skype = { + uid = 6660001; + group = "tv-sub"; + extraGroups = [ + "audio" + ]; + }; + + onion = { + uid = 6660010; + group = "tv-sub"; + }; + + zalora = { + uid = 1000301; + group = "tv-sub"; + extraGroups = [ + "audio" + # TODO remove vboxusers when hardening is active + "vboxusers" + "video" + ]; + }; + }; + + security.sudo.extraConfig = + let + inherit (import ../../4lib/tv { inherit lib pkgs; }) + isSuffixOf; + + hasMaster = { group ? "", ... }: + isSuffixOf "-sub" group; + + masterOf = user : removeSuffix "-sub" user.group; + in + concatStringsSep "\n" + (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL") + (filter hasMaster (attrValues config.users.extraUsers))); + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/vg840-wuroot"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/home"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.bumblebee.enable = true; + hardware.bumblebee.group = "video"; + hardware.enableAllFirmware = true; 
+ hardware.opengl.driSupport32Bit = true; + hardware.pulseaudio.enable = true; + + networking.hostName = "wu"; + + environment.systemPackages = with pkgs; [ + xlibs.fontschumachermisc + slock + ethtool + #firefoxWrapper # with plugins + #chromiumDevWrapper + tinc + iptables + #jack2 + ]; + + security.setuidPrograms = [ + "sendmail" # for cron + "slock" + ]; + + services.printing.enable = true; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? + ]; + + virtualisation.libvirtd.enable = true; + + networking.extraHosts = '' + 192.168.1.1 wrt.gg23 wrt + 192.168.1.11 mors.gg23 + 192.168.1.12 uriel.gg23 + 192.168.1.23 raspi.gg23 raspi + 192.168.1.37 wu.gg23 + 192.168.1.110 nomic.gg23 + 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker + ''; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + services.bitlbee.enable = true; + services.tor.client.enable = true; + services.tor.enable = true; + services.virtualboxHost.enable = true; + + # TODO w110er if xserver is enabled + services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; +} diff --git a/2configs/tv/AO753.nix b/2configs/tv/AO753.nix new file mode 100644 index 00000000..70eae178 --- /dev/null +++ b/2configs/tv/AO753.nix 
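Review bot: The `security.sudo.extraConfig` expression at the end of the user block derives a `NOPASSWD: ALL` run-as rule for every entry in `config.users.extraUsers` whose group ends in `-sub`, and the `group ? ""` default in `hasMaster` means group-less users (`FTL`, `gitolite`) are dropped silently; nothing in the file says either. A comment above it along the lines of `# every user in group X-sub may be run as by user X without a password; users with no group get no rule` makes the implicit grant visible. The `XXX visudo: Runas_Alias` note on `FTL` looks like it predates this generator, since a group-less user produces no sudoers line here at all — worth confirming and then fixing or dropping. The `systemd.tmpfiles.rules` entry also ships the open question `does this work with mounted /tmp?` beside the tmpfs `/tmp` in `fileSystems`; that should be settled rather than committed as a comment.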
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../2configs/tv/smartd.nix
+ ];
+
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ ];
+
+ boot.kernelModules = [
+ "kvm-intel"
+ "wl"
+ ];
+
+ boot.extraModulePackages = [
+ config.boot.kernelPackages.broadcom_sta
+ ];
+
+ networking.wireless.enable = true;
+
+ services.logind.extraConfig = ''
+ HandleHibernateKey=ignore
+ HandleLidSwitch=ignore
+ HandlePowerKey=ignore
+ HandleSuspendKey=ignore
+ '';
+
+ nixpkgs.config = {
+ allowUnfree = false;
+ allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
+ };
+}
diff --git a/2configs/tv/CAC-CentOS-7-64bit.nix b/2configs/tv/CAC-CentOS-7-64bit.nix
new file mode 100644
index 00000000..95c6e815
--- /dev/null
+++ b/2configs/tv/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/2configs/tv/CAC-Developer-1.nix b/2configs/tv/CAC-Developer-1.nix
new file mode 100644
index 00000000..37bc32af
--- /dev/null
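Review bot: The `lock.gid = 10001` entry in `users.extraGroups` is justified by a fifteen-line paste of `systemctl status` output, including nix-store paths and a journal id that will be stale after the next rebuild, while the actual reason is a single line of it: `Unknown group 'lock'` from `/usr/lib/tmpfiles.d/legacy.conf`. Replacing the paste with `# systemd-tmpfiles' legacy.conf expects a 'lock' group that the CentOS image lacks; without it systemd-tmpfiles-setup.service fails (seen 2015-03-16 on cd)` keeps the rationale without the noise. Why 10001 was chosen as the gid is not explained either and could use a word.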
+++ b/2configs/tv/CAC-Developer-1.nix
@@ -0,0 +1,6 @@
+_:
+
+{
+ nix.maxJobs = 1;
+ sound.enable = false;
+}
diff --git a/2configs/tv/CAC-Developer-2.nix b/2configs/tv/CAC-Developer-2.nix
new file mode 100644
index 00000000..fedb808d
--- /dev/null
+++ b/2configs/tv/CAC-Developer-2.nix
@@ -0,0 +1,6 @@
+_:
+
+{
+ nix.maxJobs = 2;
+ sound.enable = false;
+}
diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix
new file mode 100644
index 00000000..f91e5bc5
--- /dev/null
+++ b/2configs/tv/base.nix
@@ -0,0 +1,175 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + # "7.4.335" -> "74" + majmin = x: concatStrings (take 2 (splitString "." x)); +in + +{ + imports = [ + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + { + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/tv_wu.ssh.pub + ]; + }; + tv = { + uid = 1337; + group = "users"; + home = "/home/tv"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/tv_wu.ssh.pub + ]; + }; + }; + } + { + security.sudo.extraConfig = '' + Defaults mailto="tv@wu.retiolum" + ''; + time.timeZone = "Europe/Berlin"; + } + { + # TODO check if both are required: + nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + + nix.useChroot = true; + } + + { + environment.systemPackages = with pkgs; [ + vim + ]; + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + + environment.shellAliases = { + # alias cal='cal -m3' + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" 
= "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + environment.variables.VIM = "/etc/vim"; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then + PS1="ssh-agent[$SSH_AGENT_PID] $PS1" + fi + ''; + }; + + programs.ssh.startAgent = false; + } + + { + nixpkgs.config.packageOverrides = pkgs: + { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + } + + { + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + } + + { + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + } + + { + # TODO: exim + security.setuidPrograms = [ + "sendmail" # for sudo + ]; + } + ]; +} diff --git a/2configs/tv/consul-client.nix b/2configs/tv/consul-client.nix new file mode 100644 index 00000000..0a8bf4d7 --- /dev/null +++ b/2configs/tv/consul-client.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + imports = [ ./consul-server.nix ]; + + tv.consul = { + server = pkgs.lib.mkForce false; + }; +} 
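Review bot: `import /root/src/secrets/hashedPasswords.nix` in the first import block of base.nix reads an absolute path at evaluation time, so evaluating this configuration on any machine without that file fails with a bare eval error, and, as far as I know, the resulting `hashedPassword` values end up in the store-resident users config, which is world-readable on every host that receives the closure; whether the pinned nixpkgs offers a file-based password option that keeps the hashes out of the store is worth checking. Root and `tv` are also given the same `Zpubkeys/tv_wu.ssh.pub` key while `services.openssh` is enabled without a `permitRootLogin` setting, so whether root may log in directly over SSH depends entirely on the nixpkgs default for that option; setting `permitRootLogin` explicitly to the value you intend removes that dependency. Finally `nix.trustedBinaryCaches` lists plain-`http://` variants of the caches next to the https one; a comment saying why those are wanted would help, since they are the only unauthenticated fetch path in the file.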
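Review bot: consul-client.nix imports `./consul-server.nix` and then forces `server = false` with `mkForce`, so the client role is expressed as a negation of the server file and a reader has to open the server file to learn what the client actually configures, inheriting its `TODO get this list automatically` hosts list along the way. Moving the shared `tv.consul` settings (identity, dc, hosts) into a common file and letting consul-server.nix and consul-client.nix set only `server = true` and `server = false` removes the need for `mkForce`. The `pkgs` argument is taken solely to reach `pkgs.lib.mkForce`; `{ lib, ... }:` with `lib.mkForce` is the usual form.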
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
new file mode 100644
index 00000000..1c8dcb88
--- /dev/null
+++ b/2configs/tv/consul-server.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+ imports = [ ../../3modules/tv/consul.nix ];
+ tv.consul = rec {
+ enable = true;
+
+ inherit (config.tv.identity) self;
+ inherit (self) dc;
+
+ server = true;
+
+ hosts = with config.tv.identity.hosts; [
+ # TODO get this list automatically from each host where tv.consul.enable is true
+ cd
+ mkdir
+ nomic
+ rmdir
+ #wu
+ ];
+ };
+}
diff --git a/2configs/tv/cryptoroot.nix b/2configs/tv/cryptoroot.nix
new file mode 100644
index 00000000..04618ac4
--- /dev/null
+++ b/2configs/tv/cryptoroot.nix
@@ -0,0 +1,4 @@
+{ ... }:
+
+{
+}
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
new file mode 100644
index 00000000..efab5cf3
--- /dev/null
+++ b/2configs/tv/exim-retiolum.nix
@@ -0,0 +1,126 @@ +{ config, pkgs, ... }: + +{ + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.tv.retiolum.enable; + let + # TODO get the hostname from config.tv.retiolum. + retiolumHostname = "${config.networking.hostName}.retiolum"; + in + { enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; +} diff --git a/2configs/tv/exim-smarthost.nix b/2configs/tv/exim-smarthost.nix new file mode 100644 index 00000000..a4c47b39 --- /dev/null +++ b/2configs/tv/exim-smarthost.nix 
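Review bot: `domainlist relay_to_domains = *.retiolum` together with the `require ... domains = +local_domains : +relay_to_domains` check in `acl_check_rcpt` lets any connecting host, not only `+relay_from_hosts`, relay mail to every `*.retiolum` destination, and the `retiolum` router then forwards it by name. That is presumably intended inside the VPN, but nothing in this file restricts which interfaces the daemon listens on, so if the host also has a non-retiolum address the relay is reachable from there; adding `local_interfaces = <; 127.0.0.1 ; ::1 ; <RETIOLUM_ADDRESS_OF_THIS_HOST>` (placeholder) or a `hosts =` condition on the relay path would pin that down. The `# TODO modular configuration` comment is a good place to record the assumption, e.g. `# NOTE: relaying to *.retiolum is open to every peer; exim must only listen on the retiolum interface`.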
@@ -0,0 +1,474 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) toFile; + inherit (pkgs.lib.attrsets) mapAttrs; + inherit (pkgs.lib.strings) concatMapStringsSep; +in + +{ + services.exim = + let + retiolumHostname = "${config.networking.hostName}.retiolum"; + + internet-aliases = [ + { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } + + { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } + + { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } + + { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } + ]; + + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + + to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); + lsearch = + mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit internet-aliases; + inherit system-aliases; + }; + in + { + enable = true; + config = + '' + primary_hostname = ${retiolumHostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". 
+ domainlist local_domains = @ : localhost + #: viljetic.de : SHACK_REDIR_HOSTNAME + domainlist relay_to_domains = + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + # av_scanner = clamd:/tmp/clamd + # spamd_address = 127.0.0.1 783 + + # tls_advertise_hosts = * + # tls_certificate = /etc/ssl/exim.crt + # tls_privatekey = /etc/ssl/exim.pem + # (debian) tls_verify_certificates (to check client certs) + + # daemon_smtp_ports = 25 : 465 : 587 + # tls_on_connect_ports = 465 + + # qualify_domain defaults to primary_hostname + # qualify_recipient defaults to qualify_domain + + # allow_domain_literals + + never_users = root + + host_lookup = * + + # ident callbacks for all incoming SMTP calls + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + # sender_unqualified_hosts = + # recipient_unqualified_hosts = + + # percent_hack_domains = + + # arch & debian + #ignore_bounce_errors_after = 2d + #timeout_frozen_after = 7d + # debian + #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + #freeze_tell = postmaster + #trusted_users = uucp + # arch + #split_spool_directory = true + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : + # arch & debian: + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + ## feature RETIOLUM_MAIL + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + # debian: control = submission/sender_retain + # arch & debian: + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + + # Client SMTP Authorization (csa) checks on the sending host. + # Such checks do DNS lookups for special SRV records. + # require verify = csa + + accept + + + acl_check_data: + # see av_scanner + #deny malware = * + # message = This message contains a virus ($malware_name). + + # Add headers to a message if it is judged to be spam. Before enabling this, + # you must install SpamAssassin. You may also need to set the spamd_address + # option above. 
+ # + # warn spam = nobody + # add_header = X-Spam_score: $spam_score\n\ + # X-Spam_score_int: $spam_score_int\n\ + # X-Spam_bar: $spam_bar\n\ + # X-Spam_report: $spam_report + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + warn + sender_domains = viljetic.de : shackspace.de + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + # if ipv6-enabled then instead use: + # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + + # (debian) same_domain_copy_routing = yes + # (debian) ignore private rfc1918 and APIPA addresses + # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + # 255.255.255.255 + + # Fail and bounce if the router does not find the domain in the DNS. + # I.e. no more routers are tried. + # There are a few cases where a dnslookup router will decline to accept an + # address; if such a router is expected to handle "all remaining non-local + # domains", then it is important to set no_more. 
+ no_more + + # XXX this is only used because these "well known aliases" goto tv@cd.retiolum + # TODO bounce everything, there is no @cd.retiolum + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + # TODO this is only b/c mv here... send mv's mails somewhere else... + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + # serialize_hosts = TODO-all-slow-hosts + + remote_smtp: + driver = smtp + # debian has also stuff for tls, headers_rewrite and more here + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + + + # group = mail + # mode = 0660 + + + #address_pipe: + # driver = pipe + # return_output + # + #address_file: + # driver = appendfile + # delivery_date_add + # envelope_to_add + # return_path_add + # + #address_reply: + # driver = autoreply + + + #maildrop_pipe: + # debug_print = "T: maildrop_pipe for $local_part@$domain" + # driver = pipe + # path = "/bin:/usr/bin:/usr/local/bin" + # command = "/usr/bin/maildrop" + # return_path_add + # delivery_date_add + # envelope_to_add + + + + + + ##begin retry + # Address or Domain Error Retries + + # Our host_redirect destinations might be offline a lot. 
+ # TODO define fallback destinations(?) + #lsearch;${lsearch.internet-aliases} * F,42d,1m + + + ## begin rewrite + + # just in case (shackspace.de should already do this) + #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T + + + ## begin authenticators + #PLAIN: + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + #LOGIN: + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + + + }; + +} + +# config = '' +# primary_hostname = ${retiolumHostname} +# domainlist local_domains = @ : localhost +# domainlist relay_to_domains = *.retiolum +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 +# +# acl_smtp_rcpt = acl_check_rcpt +# acl_smtp_data = acl_check_data +# +# host_lookup = * +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s +# +# log_file_path = syslog +# syslog_timestamp = false +# syslog_duplication = false +# +# begin acl +# +# acl_check_rcpt: +# accept hosts = : +# control = dkim_disable_verify +# +# deny message = Restricted characters in address +# domains = +local_domains +# local_parts = ^[.] : ^.*[@%!/|] +# +# deny message = Restricted characters in address +# domains = !+local_domains +# local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ +# +# accept local_parts = postmaster +# domains = +local_domains +# +# #accept +# # hosts = *.retiolum +# # domains = *.retiolum +# # control = dkim_disable_verify +# +# #require verify = sender +# +# accept hosts = +relay_from_hosts +# control = submission +# control = dkim_disable_verify +# +# accept authenticated = * +# control = submission +# control = dkim_disable_verify +# +# require message = relay not permitted +# domains = +local_domains : +relay_to_domains +# +# require verify = recipient +# +# accept +# +# +# acl_check_data: +# accept +# +# +# begin routers +# +# retiolum: +# driver = manualroute +# domains = ! ${retiolumHostname} : *.retiolum +# transport = remote_smtp +# route_list = ^.* $0 byname +# no_more +# +# nonlocal: +# debug_print = "R: nonlocal for $local_part@$domain" +# driver = redirect +# domains = ! +local_domains +# allow_fail +# data = :fail: Mailing to remote domains not supported +# no_more +# +# local_user: +# # debug_print = "R: local_user for $local_part@$domain" +# driver = accept +# check_local_user +# # local_part_suffix = +* : -* +# # local_part_suffix_optional +# transport = home_maildir +# cannot_route_message = Unknown user +# +# +# begin transports +# +# remote_smtp: +# driver = smtp +# +# home_maildir: +# driver = appendfile +# maildir_format +# directory = $home/Maildir +# directory_mode = 0700 +# delivery_date_add +# envelope_to_add +# return_path_add +# # group = mail +# # mode = 0660 +# +# begin retry +# *.retiolum * F,42d,1m +# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h +# +# begin rewrite +# +# begin authenticators +# ''; +# }; +#} diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix new file mode 100644 index 00000000..0ca04d26 --- /dev/null +++ b/2configs/tv/git-public.nix 
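Review bot: A large part of this new file is dead configuration — the commented-out address_pipe/address_file/maildrop_pipe/PLAIN/LOGIN stanzas left inside the `services.exim` attribute set after the `config` string closes, plus a complete `#`-prefixed copy of the exim-retiolum.nix config appended after the module — and it should be dropped rather than committed next to the live config, where it will drift from whatever it was copied from. Related, `accept authenticated = *` in `acl_check_rcpt` can never match here because `begin authenticators` is empty and `tls_advertise_hosts` is commented out; a one-line comment such as `# unreachable until an authenticator is configured (see begin authenticators)` would stop the next reader from assuming authenticated submission exists. It is also worth confirming in a comment that the `acl_m_special_dom` set by the `warn` in `acl_check_data` is indeed visible to `helo_data` in the `remote_smtp` transport at delivery time, since the HELO rewrite silently falls back to `$primary_hostname` if it is not.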
@@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + inherit (builtins) map readFile; + inherit (lib) concatMap listToAttrs; + # TODO lib should already include our stuff + inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; + + public-git-repos = [ + (public "cgserver") + (public "crude-mail-setup") + (public "dot-xmonad") + (public "hack") + (public "load-env") + (public "make-snapshot") + (public "mime") + (public "much") + (public "nixos-infest") + (public "nixpkgs") + (public "painload") + (public "regfish") + (public' { + name = "shitment"; + desc = "turn all the computers into one computer!"; + }) + (public "wai-middleware-time") + (public "web-routes-wai-custom") + ]; + + users = addNames { + tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; + lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; + uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; + makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; + }; + + repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos); + + rules = concatMap ({ rules, ... }: rules) public-git-repos; + + public' = { name, desc }: + let + x = public name; + in + x // { repo = x.repo // { inherit desc; }; }; + + public = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; + }; + }; + public = true; + }; + rules = with git; with users; [ + { user = tv; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ lass makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + +in + +{ + imports = [ + ../../3modules/tv/git.nix + ]; + tv.git = { + enable = true; +