authorlassulus <lass@aidsballs.de>2015-07-27 10:09:13 +0200
committerlassulus <lass@aidsballs.de>2015-07-27 10:09:13 +0200
commit54a01c0c74bdd4233962d62c4e6631f7f8b50f77 (patch)
tree705a3f8307b49e52bd95ecac8cd6d6ca828921a4
parent6476abd6ac7e000d0759569a1e2754acb2f518ca (diff)
parent3197897292f0fc8f38d30ad6ddc9742be4a7cc1d (diff)
Merge branch 'tv' into master
-rw-r--r--0make/makefu/pnp.makefile4
-rw-r--r--0make/tv/nomic.makefile2
-rw-r--r--1systems/makefu/pnp.nix52
-rw-r--r--1systems/tv/cd.nix38
-rw-r--r--1systems/tv/mkdir.nix14
-rw-r--r--1systems/tv/nomic.nix18
-rw-r--r--1systems/tv/rmdir.nix14
-rw-r--r--1systems/tv/wu.nix74
-rw-r--r--2configs/makefu/base.nix94
-rw-r--r--2configs/makefu/cgit-retiolum.nix52
-rw-r--r--2configs/tv/base.nix15
-rw-r--r--2configs/tv/charybdis.nix10
-rw-r--r--2configs/tv/consul-server.nix5
-rw-r--r--2configs/tv/exim-retiolum.nix4
-rw-r--r--2configs/tv/exim-smarthost.nix15
-rw-r--r--2configs/tv/git-public.nix87
-rw-r--r--2configs/tv/git.nix90
-rw-r--r--2configs/tv/smartd.nix2
-rw-r--r--2configs/tv/urlwatch.nix51
-rw-r--r--3modules/krebs/default.nix (renamed from 2configs/tv/identity.nix)164
-rw-r--r--3modules/krebs/git.nix (renamed from 3modules/tv/git.nix)33
-rw-r--r--3modules/krebs/github-hosts-sync.nix (renamed from 3modules/tv/github-hosts-sync.nix)8
-rw-r--r--3modules/krebs/nginx.nix (renamed from 3modules/tv/nginx.nix)7
-rw-r--r--3modules/krebs/retiolum.nix (renamed from 3modules/tv/retiolum.nix)60
-rw-r--r--3modules/krebs/urlwatch.nix (renamed from 3modules/tv/urlwatch.nix)6
-rw-r--r--3modules/makefu/default.nix19
-rw-r--r--3modules/tv/consul.nix1
-rw-r--r--3modules/tv/default.nix9
-rw-r--r--3modules/tv/identity.nix88
-rw-r--r--4lib/krebs/default.nix33
-rw-r--r--4lib/krebs/types.nix104
-rw-r--r--4lib/tv/default.nix94
-rw-r--r--Makefile27
-rw-r--r--Zhosts/pnp11
-rw-r--r--Zpkgs/krebs/default.nix14
-rw-r--r--Zpkgs/krebs/dic.nix (renamed from Zpkgs/tv/dic.nix)0
-rw-r--r--Zpkgs/krebs/genid.nix (renamed from Zpkgs/tv/genid.nix)0
-rw-r--r--Zpkgs/krebs/github-hosts-sync.nix (renamed from Zpkgs/tv/github-hosts-sync.nix)0
-rw-r--r--Zpkgs/krebs/github-known_hosts.nix (renamed from Zpkgs/tv/github-known_hosts.nix)0
-rw-r--r--Zpkgs/krebs/hashPassword.nix16
-rw-r--r--Zpkgs/tv/default.nix8
-rw-r--r--Zpubkeys/makefu_arch.ssh.pub (renamed from Zpubkeys/makefu.ssh.pub)0
-rw-r--r--default.nix20
43 files changed, 873 insertions, 490 deletions
diff --git a/0make/makefu/pnp.makefile b/0make/makefu/pnp.makefile
new file mode 100644
index 000000000..a18efe0e0
--- /dev/null
+++ b/0make/makefu/pnp.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@pnp
+nixpkgs_url := https://github.com/nixos/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/makefu/secrets/pnp
diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile
index 4ae1ccd10..9e0b8671b 100644
--- a/0make/tv/nomic.makefile
+++ b/0make/tv/nomic.makefile
@@ -1,4 +1,4 @@
deploy_host := root@nomic.gg23
nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 6ad8fab785695d04a6925e8b3464ca7c71a85c3f
+nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
secrets_dir := /home/tv/secrets/nomic
diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix
new file mode 100644
index 000000000..7e4ccf2c1
--- /dev/null
+++ b/1systems/makefu/pnp.nix
@@ -0,0 +1,52 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ../../2configs/makefu/base.nix
+ ../../2configs/makefu/cgit-retiolum.nix
+ ];
+ krebs.enable = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ hardware.enableAllFirmware = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+# networking.firewall is enabled by default
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+ krebs.retiolum = {
+ enable = true;
+ hosts = ../../Zhosts;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ "fastpoke"
+ ];
+ };
+
+ nix.maxJobs = 2;
+ networking.hostName = "pnp"; # Define your hostname.
+
+# $ nix-env -qaP | grep wget
+ environment.systemPackages = with pkgs; [
+ wget
+ git
+ gnumake
+ jq
+ ];
+}
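Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` opens plain HTTP on every interface, although the only web service imported here is `cgit-retiolum.nix`, whose name suggests it is meant for the retiolum VPN. If that is the intent, the rule should be limited to the retiolum interface; if the wider exposure is deliberate, a comment such as `# cgit over HTTP, reachable from all interfaces` should say so. The header comment and `# Include the results of the hardware scan.` are installer template text and no longer describe the imports list, which pulls in the qemu-guest profile and two shared configs; one line stating what this host is for would be more useful. `hardware.cpu.amd.updateMicrocode = true;` probably has no effect inside a QEMU guest and could be dropped.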
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix
index d3cae6f4a..6913508b5 100644
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@@ -7,13 +7,15 @@ let
in
{
+ krebs.build.host = config.krebs.hosts.cd;
+
imports = [
../../2configs/tv/CAC-Developer-2.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = {
@@ -22,24 +24,17 @@ in
};
}
{
- imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = {
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
}
{
- imports = [ ../../3modules/tv/github-hosts-sync.nix ];
- tv.github-hosts-sync.enable = true;
+ krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp =
- singleton config.tv.github-hosts-sync.port;
- }
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.cd;
+ singleton config.krebs.github-hosts-sync.port;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -55,21 +50,13 @@ in
};
}
{
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/tv/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
- tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
+ krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
}
{
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/tv/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
- tv.nginx.servers.public_html = {
+ krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
@@ -77,7 +64,7 @@ in
};
}
{
- tv.nginx.servers.viljetic = {
+ krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
locations = singleton (nameValuePair "/" ''
@@ -86,10 +73,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"fastpoke"
"pigstarter"
@@ -99,7 +84,6 @@ in
}
];
- networking.hostName = "cd";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.219.7.216";
@@ -135,8 +119,8 @@ in
home = "/home/mv";
createHome = true;
useDefaultShell = true;
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/mv_vod.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.mv.pubkey
];
};
};
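Review bot: `config.krebs.users.mv.pubkey` now decides who may log in as `mv`, and its definition is outside this hunk, so the value should be compared against the removed `../../Zpubkeys/mv_vod.ssh.pub` before deploying. The old file name tied the key to one device (`mv_vod`), while the new attribute holds a single key per user, which makes it harder to list or revoke keys per device. The same substitution is made for `root` and `tv` in 2configs/tv/base.nix, where an incorrect registry entry would change root access on every host importing that file. A comment such as `# key comes from the krebs.users registry; changing it there changes login access here` would make the dependency visible. The enclosing `users.extraUsers` block starts outside the hunk.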
diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix
index e0e057d63..7542ad0ce 100644
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@@ -3,19 +3,16 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.mkdir;
+
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.mkdir;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +26,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"fastpoke"
@@ -43,7 +38,6 @@ with lib;
}
];
- networking.hostName = "mkdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.248.167.241"; # TODO
diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix
index 6f984c44d..cd6e02596 100644
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@@ -3,18 +3,15 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.nomic;
+
imports = [
../../2configs/tv/AO753.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.nomic;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -26,8 +23,7 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/nginx.nix ];
- tv.nginx = {
+ krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@@ -37,10 +33,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@@ -103,6 +97,4 @@ with lib;
rxvt_unicode.terminfo
tmux
];
-
- networking.hostName = "nomic";
}
diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix
index b77a1c39e..9233014ba 100644
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@@ -3,19 +3,16 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.rmdir;
+
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.rmdir;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +26,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"mkdir"
@@ -44,7 +39,6 @@ with lib;
}
];
- networking.hostName = "rmdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "167.88.44.94";
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix
index 400005cb7..37264635b 100644
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@@ -7,28 +7,27 @@ let
in
{
+ krebs.build.host = config.krebs.hosts.wu;
+
imports = [
../../2configs/tv/w110er.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
- # TODO git-private.nix
+ ../../2configs/tv/git.nix
../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.wu;
- }
+ ../../2configs/tv/urlwatch.nix
{
environment.systemPackages = with pkgs; [
- # shitment
+ # stockholm
git
gnumake
parallel
Zpkgs.genid
+ Zpkgs.hashPassword
Zpkgs.lentil
# root
@@ -96,7 +95,6 @@ in
#ppp
#proot
#pythonPackages.arandr
- #pythonPackages.urlwatch
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
@@ -122,7 +120,6 @@ in
];
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -134,8 +131,7 @@ in
};
}
{
- imports = [ ../../3modules/tv/nginx.nix ];
- tv.nginx = {
+ krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@@ -145,10 +141,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@@ -156,56 +150,6 @@ in
};
}
{
- imports = [ ../../3modules/tv/urlwatch.nix ];
- tv.urlwatch = {
- enable = true;
- mailto = "tv@wu.retiolum"; # TODO
- onCalendar = "*-*-* 05:00:00";
- urls = [
- ## nixpkgs maintenance
-
- # 2014-07-29 when one of the following urls change
- # then we have to update the package
-
- # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
- http://simple-evcorr.sourceforge.net/
-
- # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
- https://thp.io/2008/urlwatch/
-
- # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
- https://api.github.com/repos/ioerror/tlsdate/tags
-
- # 2015-02-18
- # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
- http://www.fourmilab.ch/webtools/qprint/
-
- # 2014-09-24 ref https://github.com/4z3/xintmap
- http://www.mathstat.dal.ca/~selinger/quipper/
-
- # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
- # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
- http://nixos.org/releases/nixops/
-
- ## other
-
- https://nixos.org/channels/nixos-unstable/git-revision
-
- ## 2014-10-17
- ## TODO update ~/src/login/default.nix
- #http://hackage.haskell.org/package/bcrypt
- #http://hackage.haskell.org/package/cron
- #http://hackage.haskell.org/package/hyphenation
- #http://hackage.haskell.org/package/iso8601-time
- #http://hackage.haskell.org/package/ixset-typed
- #http://hackage.haskell.org/package/system-command
- #http://hackage.haskell.org/package/transformers
- #http://hackage.haskell.org/package/web-routes-wai
- #http://hackage.haskell.org/package/web-page
- ];
- };
- }
- {
users.extraGroups = {
tv-sub.gid = 1337;
};
@@ -429,8 +373,6 @@ in
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
- networking.hostName = "wu";
-
environment.systemPackages = with pkgs; [
xlibs.fontschumachermisc
slock
diff --git a/2configs/makefu/base.nix b/2configs/makefu/base.nix
new file mode 100644
index 000000000..25b80930b
--- /dev/null
+++ b/2configs/makefu/base.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ imports = [ ];
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ };
+ makefu = {
+ uid = 9001;
+ group = "users";
+ home = "/home/makefu";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ };
+ };
+
+ services.openssh.enable = true;
+ nix.useChroot = true;
+
+ users.mutableUsers = true;
+
+ boot.tmpOnTmpfs = true;
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -"
+ ];
+
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+
+ environment.systemPackages = with pkgs; [
+ git
+ vim
+ rxvt_unicode.terminfo
+ ];
+
+ programs.bash = {
+ enableCompletion = true;
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=900001
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+ '';
+
+ promptInit = ''
+ case $UID in
+ 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
+ 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
+ *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\033[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+ environment.shellAliases = {
+ lsl = "ls -lAtr";
+ };
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+ };
+
+ services.cron.enable = false;
+ services.nscd.enable = false;
+
+ security.setuidPrograms = [ "sendmail" ];
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ # Enable IPv6 Privacy Extensions
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ i18n = {
+ consoleKeyMap = "us";
+ defaultLocale = "en_US.UTF-8";
+ };
+}
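Review bot: `services.openssh.enable = true;` is set without any statement about password logins, while `users.mutableUsers = true;` lets passwords be set imperatively outside this file. Unless the pinned nixpkgs defaults already forbid it, any account that later gets a password becomes reachable by password over SSH; adding `services.openssh.passwordAuthentication = false;` would keep access key-only, matching the `authorizedKeys` entries above. Root accepts the same key as `makefu`, who is in `wheel`, so direct root login could be dropped in favour of sudo if the deploy workflow allows it (the makefile in this commit deploys as `root@pnp`, so it may be required). `security.setuidPrograms = [ "sendmail" ];` deserves a comment naming the MTA it refers to, since none is configured in this file.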
diff --git a/2configs/makefu/cgit-retiolum.nix b/2configs/makefu/cgit-retiolum.nix
new file mode 100644
index 000000000..d5ad35fda
--- /dev/null
+++ b/2configs/makefu/cgit-retiolum.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+
+ out = {
+ imports = [ ../../3modules/krebs/git.nix ];
+ krebs.git = {
+ enable = true;
+ root-title = "public repositories ";
+ root-desc = "keep calm and enrage";
+ inherit repos rules ;
+ };
+ };
+
+ repos = public-repos;
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ stockholm = {
+ desc = "take all the computers hostage, they'll love you!";
+ };
+ };
+
+ # TODO move users to separate module
+
+ make-public-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = true;
+ hooks = {
+ post-receive = git.irc-announce {
+ nick = config.networking.hostName;
+ channel = "#retiolum";
+ server = "cd.retiolum";
+ };
+ };
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = makefu;
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = [ lass tv uriel ];
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out
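Review bot: `perm = push "refs/*" [ non-fast-forward create delete merge ];` lets the owner rewrite history and delete any ref of `stockholm`, including the branch that deployments are built from, if this repository serves that purpose. Restricting `non-fast-forward` and `delete` to topic refs and keeping the main branch fast-forward-only would make a mistaken or unauthorized rewrite of deployed configuration visible to the users who hold `fetch`. In `with git // config.krebs.users;` the right-hand side wins, so a user whose name matches a helper (`push`, `fetch`) would silently shadow it; referring to users explicitly, as in `config.krebs.users.makefu`, avoids that. The comment `# TODO move users to separate module` looks stale, since the users already come from `config.krebs.users`.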
diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix
index 0494ea08e..06f83ea9e 100644
--- a/2configs/tv/base.nix
+++ b/2configs/tv/base.nix
@@ -9,6 +9,11 @@ let
in
{
+ krebs.enable = true;
+ krebs.search-domain = "retiolum";
+
+ networking.hostName = config.krebs.build.host.name;
+
imports = [
{
users.extraUsers =
@@ -22,8 +27,8 @@ in
{
users.extraUsers = {
root = {
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/tv_wu.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
];
};
tv = {
@@ -37,15 +42,15 @@ in
"video"
"wheel"
];
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/tv_wu.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
];
};
};
}
{
security.sudo.extraConfig = ''
- Defaults mailto="tv@wu.retiolum"
+ Defaults mailto="${config.krebs.users.tv.mail}"
'';
time.timeZone = "Europe/Berlin";
}
diff --git a/2configs/tv/charybdis.nix b/2configs/tv/charybdis.nix
index a45c7aebe..d78e162cb 100644
--- a/2configs/tv/charybdis.nix
+++ b/2configs/tv/charybdis.nix
@@ -123,7 +123,7 @@ let
#loadmodule "extensions/ip_cloaking.so";
serverinfo {
- name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)};
+ name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
sid = "4z3";
description = "miep!";
network_name = "irc.retiolum";
@@ -133,9 +133,9 @@ let
/* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */
/* for IPv4 */
- vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4};
+ vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4};
/* for IPv6 */
- vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6};
+ vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6};
/* ssl_private_key: our ssl private key */
ssl_private_key = "/tmp/ssl.key";
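Review bot: The context line `ssl_private_key = "/tmp/ssl.key";` keeps the IRC server's TLS private key in a world-writable directory, and this commit leaves it untouched. A path under /tmp can be created by any local account when the file is missing and is lost whenever /tmp is cleared, so the key belongs in a root-owned directory readable only by the ircd user, ideally provisioned from the host's secrets directory. Until that is changed, a comment such as `# FIXME: private key must not live in /tmp` would at least flag it. The `serverinfo` block starts and ends outside this hunk.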
@@ -170,7 +170,7 @@ let
admin {
name = "tv";
description = "peer";
- email = "tv@wu.retiolum";
+ mail = "${config.krebs.users.tv.mail}";
};
log {
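Review bot: The changed line renames the key as well as the value: `email = "tv@wu.retiolum";` became `mail = "${config.krebs.users.tv.mail}";`, and charybdis's `admin` block expects `email`, so this looks like a search-and-replace slip that would leave the admin address unset or make the config fail to parse. The other substitutions in this file quote with `toJSON`; using `email = ${toJSON config.krebs.users.tv.mail};` fixes the key and keeps the quoting consistent. The `admin` block sits inside a larger config string that starts outside the hunk.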
@@ -240,7 +240,7 @@ let
*/
# XXX This is stupid because only one host is allowed[?]
#host = ''${concatMapStringsSep ", " toJSON (
- # config.tv.identity.self.nets.retiolum.addrs
+ # config.krebs.build.host.nets.retiolum.addrs
#)};
port = 6667;
sslport = 6697;
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
index 1c8dcb884..d10f9ea75 100644
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@@ -1,16 +1,15 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec {
enable = true;
- inherit (config.tv.identity) self;
+ self = config.krebs.build.host;
inherit (self) dc;
server = true;
- hosts = with config.tv.identity.hosts; [
+ hosts = with config.krebs.hosts; [
# TODO get this list automatically from each host where tv.consul.enable is true
cd
mkdir
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
index efab5cf32..851a0c625 100644
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular co