Merge remote-tracking branch 'cd/master'

11 files changed, 68 insertions, 53 deletions

diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix
deleted file mode 100644
index 0a8bf4d75..000000000
--- a/tv/2configs/consul-client.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [ ./consul-server.nix ];
-
-  tv.consul = {
-    server = pkgs.lib.mkForce false;
-  };
-}
diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix
deleted file mode 100644
index d10f9ea75..000000000
--- a/tv/2configs/consul-server.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
-  tv.consul = rec {
-    enable = true;
-
-    self = config.krebs.build.host;
-    inherit (self) dc;
-
-    server = true;
-
-    hosts = with config.krebs.hosts; [
-      # TODO get this list automatically from each host where tv.consul.enable is true
-      cd
-      mkdir
-      nomic
-      rmdir
-      #wu
-    ];
-  };
-}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 310077021..57c4620c4 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -8,15 +8,13 @@ with lib;
   krebs.build = {
     user = config.krebs.users.tv;
     target = mkDefault "root@${config.krebs.build.host.name}";
-    source-version = 2;
     source = mapAttrs (_: mkDefault) ({
-      nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix";
-      nixpkgs = symlink:stockholm-nixpkgs;
+      nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
+      nixpkgs = symlink:stockholm/nixpkgs;
       secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
       secrets-common = "/home/tv/secrets/common";
-      stockholm-krebs = "/home/tv/stockholm/krebs";
-      stockholm-nixpkgs = "/home/tv/stockholm/nixpkgs";
-      stockholm-private = "/home/tv/stockholm/tv";
+      stockholm = "/home/tv/stockholm";
+      stockholm-user = "symlink:stockholm/tv";
       upstream-nixpkgs = {
         url = https://github.com/NixOS/nixpkgs;
         rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
@@ -70,6 +68,9 @@ with lib;
       nix.useChroot = true;
     }
     {
+      nixpkgs.config.allowUnfree = false;
+    }
+    {
       environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
 
       environment.systemPackages = with pkgs; [
@@ -101,7 +102,7 @@ with lib;
       };
 
       environment.variables = {
-        NIX_PATH = mkForce "/var/src";
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
       };
 
       programs.bash = {
@@ -163,12 +164,17 @@ with lib;
     }
 
     {
+      tv.iptables.enable = true;
+    }
+
+    {
       services.openssh = {
         enable = true;
         hostKeys = [
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
+      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
     }
 
     {
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..aedf25823
--- /dev/null
+++ b/tv/2configs/exim-retiolum.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  krebs.exim-retiolum.enable = true;
+  tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+}
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index f5f63d284..bcfea7821 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
 
 {
   krebs.exim-smarthost = {
@@ -34,4 +36,5 @@
       { from = "mirko"; to = "mv"; }
     ];
   };
+  tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
 }
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 800deff1b..b8180085f 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -9,7 +9,7 @@ let
       enable = true;
       root-title = "public repositories at ${config.krebs.build.host.name}";
       root-desc = "keep calm and engage";
-      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+      repos = repos;
       rules = rules;
     };
   };
@@ -22,8 +22,8 @@ let
 
   public-repos = mapAttrs make-public-repo ({
   } // mapAttrValues (setAttr "section" "1. Miscellaneous") {
-    cac = {
-      desc = "CloudAtCost command line interface";
+    cac-api = {
+      desc = "CloudAtCost API command line interface";
     };
     get = {};
     hack = {};
@@ -39,6 +39,7 @@ let
     stockholm = {
       desc = "take all the computers hostage, they'll love you!";
     };
+    with-tmpdir = {};
   } // mapAttrValues (setAttr "section" "2. Haskell libraries") {
     blessings = {};
     mime = {};
@@ -98,7 +99,7 @@ let
         repo = [ repo ];
         perm = fetch;
       } ++
-      optional (length (repo.collaborators or []) > 0) {
+      optional (repo.collaborators or [] != []) {
         user = repo.collaborators;
         repo = [ repo ];
         perm = fetch;
diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix
index acd9ee32b..72a40819f 100644
--- a/tv/2configs/hw/AO753.nix
+++ b/tv/2configs/hw/AO753.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
 
 {
   imports = [
@@ -39,8 +41,5 @@
     HandleSuspendKey=ignore
   '';
 
-  nixpkgs.config = {
-    allowUnfree = false;
-    allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
-  };
+  nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name;
 }
diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index 8549311e7..7cec670fa 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -14,7 +14,6 @@
   networking.wireless.enable = true;
 
   #hardware.enableAllFirmware = true;
-  #nixpkgs.config.allowUnfree = true;
   #zramSwap.enable = true;
   #zramSwap.numDevices = 2;
 
diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix
new file mode 100644
index 000000000..dc74f7f8d
--- /dev/null
+++ b/tv/2configs/nginx-public_html.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  krebs.nginx = {
+    enable = true;
+    servers.default.locations = [
+      (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+        alias /home/$1/public_html$2;
+      '')
+    ];
+  };
+  tv.iptables.input-internet-accept-new-tcp = singleton "http";
+}
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
new file mode 100644
index 000000000..d2bb9e6cf
--- /dev/null
+++ b/tv/2configs/retiolum.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  krebs.retiolum = {
+    enable = true;
+    connectTo = filter (ne config.krebs.build.host.name) [
+      "gum"
+      "prism"
+      "echelon"
+      "cd"
+      "ire"
+    ];
+  };
+  tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index bab949270..23f90af05 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -7,11 +7,6 @@ let
       vim
     ];
 
-    # Nano really is just a stupid name for Vim.
-    nixpkgs.config.packageOverrides = pkgs: {
-      nano = pkgs.vim;
-    };
-
     environment.etc.vimrc.source = vimrc;
 
     environment.variables.EDITOR = mkForce "vim";
@@ -110,6 +105,8 @@ let
 
       syn match String /"\([^\\"]\|\\.\)*"/
       syn match Comment /\(^\|\s\)#.*/
+
+      let b:current_syntax = "nix"
     ''}
 
     au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile