Merge remote-tracking branch 'lass/master' into HEAD

author: makefu <github@syntax-fehler.de> 2018-12-12 17:53:38 +0100
committer: makefu <github@syntax-fehler.de> 2018-12-12 17:53:38 +0100
commit: 97aaf34c3311291ac47967ac1313e2d955b8228a (patch)
tree: d119d7ae674863f645e840e14bde0fbfe6f6a16c /lass
parent: 2e18ee84f02c0d7abcf936b1d39c42ab8e75825c (diff)
parent: 25cf61f6a74b69656d15f52021f25a6c2e4068e6 (diff)
12 files changed, 151 insertions, 23 deletions
diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix
new file mode 100644
index 00000000..0d82ba61
--- /dev/null
+++ b/lass/1systems/morpheus/config.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  imports = [
+    <stockholm/lass>
+
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/power-action.nix>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/games.nix>
+    <stockholm/lass/2configs/steam.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.morpheus;
+
+  networking.wireless.enable = false;
+  networking.networkmanager.enable = true;
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
+  nixpkgs.config.packageOverrides = super: {
+    steam = super.steam.override {
+      withPrimus = true;
+      extraPkgs = p: with p; [
+        glxinfo
+        nettools
+        bumblebee
+      ];
+    };
+  };
+}
diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix
new file mode 100644
index 00000000..0f08acb2
--- /dev/null
+++ b/lass/1systems/morpheus/physical.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ./config.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostId = "60ce7e88";
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
+
+  hardware.bumblebee.enable = true;
+  hardware.bumblebee.group = "video";
+
+  fileSystems."/" =
+    { device = "rpool/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/DF3B-4528";
+      fsType = "vfat";
+    };
+
+  nix.maxJobs = lib.mkDefault 8;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 207c7c64..46cdbbb6 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -34,6 +34,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/backup.nix>
     <stockholm/lass/2configs/print.nix>
     <stockholm/lass/2configs/blue-host.nix>
+    <stockholm/lass/2configs/network-manager.nix>
     {
       krebs.iptables.tables.filter.INPUT.rules = [
         #risk of rain
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index e2097e93..ec397651 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -297,31 +297,28 @@ with import <stockholm/lib>;
       };
     }
     {
-      krebs.iptables.tables.filter.INPUT.rules = [
-         { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+      imports = [
+        <stockholm/lass/2configs/wirelum.nix>
       ];
+      #krebs.iptables.tables.nat.PREROUTING.rules = [
+      #  { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+      #];
       krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
         { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
       ];
       krebs.iptables.tables.nat.POSTROUTING.rules = [
         { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
       ];
-      networking.wireguard.interfaces.wg0 = {
-        ips = [ "10.244.1.1/24" ];
-        listenPort = 51820;
-        privateKeyFile = (toString <secrets>) + "/wireguard.key";
-        allowedIPsAsRoutes = true;
-        peers = [
-          {
-            # lass-android
-            allowedIPs = [ "10.244.1.2/32" ];
-            publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
-          }
-        ];
+      services.dnsmasq = {
+        enable = true;
+        resolveLocalQueries = false;
+
+        extraConfig= ''
+          listen-address=10.244.1.1
+          except-interface=lo
+          interface=wg0
+        '';
       };
     }
     {
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index ff7b2368..58fa564a 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -19,7 +19,11 @@ with import <stockholm/lib>;
   users.groups.download.members = [ "transmission" ];
   users.users.transmission.group = mkForce "download";
 
-  systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
+  systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
+  systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
+  systemd.services.transmission.postStart = ''
+    chmod 775 /var/download/finished
+  '';
   services.transmission = {
     enable = true;
     settings = {
@@ -52,6 +56,9 @@ with import <stockholm/lib>;
           autoindex on;
         '';
       };
+      locations."/dl".extraConfig = ''
+        return 301 /;
+      '';
       locations."/" = {
         root = "/var/download/finished";
         extraConfig = ''
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index d781f8c7..859a2a1b 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,7 +9,6 @@ in {
     ./power-action.nix
     ./copyq.nix
     ./urxvt.nix
-    ./network-manager.nix
     {
       hardware.pulseaudio = {
         enable = true;
@@ -97,9 +96,9 @@ in {
     enable = true;
     layout = "us";
     display = mkForce 0;
-    xkbModel = "evdev";
     xkbVariant = "altgr-intl";
-    xkbOptions = "caps:backspace";
+    xkbOptions = "caps:escape";
+    libinput.enable = true;
     displayManager.lightdm.enable = true;
     windowManager.default = "xmonad";
     windowManager.session = [{
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index a4311317..dea32d4d 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -10,6 +10,7 @@ with import <stockholm/lib>;
     ./zsh.nix
     ./htop.nix
     ./security-workarounds.nix
+    ./wirelum.nix
     {
       users.extraUsers =
         mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 1ee45bb4..1acfe505 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -94,6 +94,7 @@ with import <stockholm/lib>;
       { from = "osmocom@lassul.us"; to = lass.mail; }
       { from = "lesswrong@lassul.us"; to = lass.mail; }
       { from = "nordvpn@lassul.us"; to = lass.mail; }
+      { from = "csv-direct@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 49602898..62e3f6d5 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -57,6 +57,7 @@ let
 
 in {
   environment.systemPackages = with pkgs; [
+    dolphinEmu
     doom1
     doom2
     vdoom1
diff --git a/lass/2configs/mouse.nix b/lass/2configs/mouse.nix
index 098809d6..f5f9319e 100644
--- a/lass/2configs/mouse.nix
+++ b/lass/2configs/mouse.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:
 {
   hardware.trackpoint = {
     enable = true;
@@ -7,6 +7,7 @@
     emulateWheel = true;
   };
 
+  services.xserver.libinput.enable = lib.mkForce false;
   services.xserver.synaptics = {
     enable = true;
     horizEdgeScroll = false;
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
new file mode 100644
index 00000000..cd8a20c6
--- /dev/null
+++ b/lass/2configs/wirelum.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+  self = config.krebs.build.host.nets.wirelum;
+  isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
+  #hack for modprobe inside containers
+  systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
+    (pkgs.writeDashBin "modprobe" ":")
+  ]);
+
+  boot.kernel.sysctl = mkIf isRouter {
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+     { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+    { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
+  ];
+
+  networking.wireguard.interfaces.wirelum = {
+    ips =
+      (optional (!isNull self.ip4) self.ip4.addr) ++
+      (optional (!isNull self.ip6) self.ip6.addr);
+    listenPort = 51820;
+    privateKeyFile = (toString <secrets>) + "/wirelum.key";
+    allowedIPsAsRoutes = true;
+    peers = mapAttrsToList
+      (_: host: {
+        allowedIPs = if isRouter then
+          (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
+          (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
+        else
+          host.nets.wirelum.wireguard.subnets
+        ;
+        endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
+        persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
+        publicKey = host.nets.wirelum.wireguard.pubkey;
+      })
+      (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
+  };
+}
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index b6cb2ec7..5997dca0 100644
--- a/lass/5pkgs/l-gen-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" ''
   ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
   ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
   ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
+  ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wirelum.key
+  ${pkgs.coreutils}/bin/cat $TMPDIR/wirelum.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wirelum.pub
   cat <<EOF > $TMPDIR/hashedPasswords.nix
   {
     root = "$HASHED_PASSWORD";
@@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" ''
   $(cat $TMPDIR/retiolum.rsa_key.pub)
           ${"''"};
         };
+        wirelum = {
+          ip6.addr = (wip6 "changeme").address;
+          aliases = [
+            "$HOSTNAME.w"
+          ];
+          wireguard.pubkey = ${"''"}
+  $(cat $TMPDIR/wirelum.pub)
+          ${"''"};
+        };
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
author	makefu <github@syntax-fehler.de>	2018-12-12 17:53:38 +0100
committer	makefu <github@syntax-fehler.de>	2018-12-12 17:53:38 +0100
commit	97aaf34c3311291ac47967ac1313e2d955b8228a (patch)
tree	d119d7ae674863f645e840e14bde0fbfe6f6a16c /lass
parent	2e18ee84f02c0d7abcf936b1d39c42ab8e75825c (diff)
parent	25cf61f6a74b69656d15f52021f25a6c2e4068e6 (diff)