diff options
Diffstat (limited to '2configs/tv')
-rw-r--r-- | 2configs/tv/AO753.nix | 39 | ||||
-rw-r--r-- | 2configs/tv/CAC-CentOS-7-64bit.nix | 47 | ||||
-rw-r--r-- | 2configs/tv/CAC-Developer-1.nix | 6 | ||||
-rw-r--r-- | 2configs/tv/CAC-Developer-2.nix | 6 | ||||
-rw-r--r-- | 2configs/tv/base.nix | 175 | ||||
-rw-r--r-- | 2configs/tv/consul-client.nix | 9 | ||||
-rw-r--r-- | 2configs/tv/consul-server.nix | 22 | ||||
-rw-r--r-- | 2configs/tv/cryptoroot.nix | 4 | ||||
-rw-r--r-- | 2configs/tv/exim-retiolum.nix | 126 | ||||
-rw-r--r-- | 2configs/tv/exim-smarthost.nix | 474 | ||||
-rw-r--r-- | 2configs/tv/git-public.nix | 83 | ||||
-rw-r--r-- | 2configs/tv/smartd.nix | 17 | ||||
-rw-r--r-- | 2configs/tv/synaptics.nix | 14 | ||||
-rw-r--r-- | 2configs/tv/urxvt.nix | 24 | ||||
-rw-r--r-- | 2configs/tv/w110er.nix | 42 | ||||
-rw-r--r-- | 2configs/tv/xserver.nix | 41 |
16 files changed, 1129 insertions, 0 deletions
diff --git a/2configs/tv/AO753.nix b/2configs/tv/AO753.nix new file mode 100644 index 000000000..70eae1786 --- /dev/null +++ b/2configs/tv/AO753.nix @@ -0,0 +1,39 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../2configs/tv/smartd.nix + ]; + + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ahci" + ]; + + boot.kernelModules = [ + "kvm-intel" + "wl" + ]; + + boot.extraModulePackages = [ + config.boot.kernelPackages.broadcom_sta + ]; + + networking.wireless.enable = true; + + services.logind.extraConfig = '' + HandleHibernateKey=ignore + HandleLidSwitch=ignore + HandlePowerKey=ignore + HandleSuspendKey=ignore + ''; + + nixpkgs.config = { + allowUnfree = false; + allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name); + }; +} diff --git a/2configs/tv/CAC-CentOS-7-64bit.nix b/2configs/tv/CAC-CentOS-7-64bit.nix new file mode 100644 index 000000000..95c6e815c --- /dev/null +++ b/2configs/tv/CAC-CentOS-7-64bit.nix @@ -0,0 +1,47 @@ +_: + +{ + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/centos/root"; + fsType = "xfs"; + }; + + fileSystems."/boot" = { + device = "/dev/sda1"; + fsType = "xfs"; + }; + + swapDevices = [ + { device = "/dev/centos/swap"; } + ]; + + users.extraGroups = { + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + }; +} diff --git a/2configs/tv/CAC-Developer-1.nix b/2configs/tv/CAC-Developer-1.nix new file mode 100644 index 000000000..37bc32afb --- /dev/null +++ b/2configs/tv/CAC-Developer-1.nix @@ -0,0 +1,6 @@ +_: + +{ + nix.maxJobs = 1; + sound.enable = false; +} diff --git a/2configs/tv/CAC-Developer-2.nix b/2configs/tv/CAC-Developer-2.nix new file mode 100644 index 000000000..fedb808df --- /dev/null +++ b/2configs/tv/CAC-Developer-2.nix @@ -0,0 +1,6 @@ +_: + +{ + nix.maxJobs = 2; + sound.enable = false; +} diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix new file mode 100644 index 000000000..f91e5bc50 --- /dev/null +++ b/2configs/tv/base.nix @@ -0,0 +1,175 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + # "7.4.335" -> "74" + majmin = x: concatStrings (take 2 (splitString "." x)); +in + +{ + imports = [ + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + { + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/tv_wu.ssh.pub + ]; + }; + tv = { + uid = 1337; + group = "users"; + home = "/home/tv"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/tv_wu.ssh.pub + ]; + }; + }; + } + { + security.sudo.extraConfig = '' + Defaults mailto="tv@wu.retiolum" + ''; + time.timeZone = "Europe/Berlin"; + } + { + # TODO check if both are required: + nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + + nix.useChroot = true; + } + + { + environment.systemPackages = with pkgs; [ + vim + ]; + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + + environment.shellAliases = { + # alias cal='cal -m3' + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + environment.variables.VIM = "/etc/vim"; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then + PS1="ssh-agent[$SSH_AGENT_PID] $PS1" + fi + ''; + }; + + programs.ssh.startAgent = false; + } + + { + nixpkgs.config.packageOverrides = pkgs: + { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + } + + { + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + } + + { + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + } + + { + # TODO: exim + security.setuidPrograms = [ + "sendmail" # for sudo + ]; + } + ]; +} diff --git a/2configs/tv/consul-client.nix b/2configs/tv/consul-client.nix new file mode 100644 index 000000000..0a8bf4d75 --- /dev/null +++ b/2configs/tv/consul-client.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + imports = [ ./consul-server.nix ]; + + tv.consul = { + server = pkgs.lib.mkForce false; + }; +} diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix new file mode 100644 index 000000000..1c8dcb884 --- /dev/null +++ b/2configs/tv/consul-server.nix @@ -0,0 +1,22 @@ +{ config, ... }: + +{ + imports = [ ../../3modules/tv/consul.nix ]; + tv.consul = rec { + enable = true; + + inherit (config.tv.identity) self; + inherit (self) dc; + + server = true; + + hosts = with config.tv.identity.hosts; [ + # TODO get this list automatically from each host where tv.consul.enable is true + cd + mkdir + nomic + rmdir + #wu + ]; + }; +} diff --git a/2configs/tv/cryptoroot.nix b/2configs/tv/cryptoroot.nix new file mode 100644 index 000000000..04618ac4a --- /dev/null +++ b/2configs/tv/cryptoroot.nix @@ -0,0 +1,4 @@ +{ ... }: + +{ +} diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix new file mode 100644 index 000000000..efab5cf32 --- /dev/null +++ b/2configs/tv/exim-retiolum.nix @@ -0,0 +1,126 @@ +{ config, pkgs, ... }: + +{ + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.tv.retiolum.enable; + let + # TODO get the hostname from config.tv.retiolum. + retiolumHostname = "${config.networking.hostName}.retiolum"; + in + { enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! +local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; +} diff --git a/2configs/tv/exim-smarthost.nix b/2configs/tv/exim-smarthost.nix new file mode 100644 index 000000000..a4c47b399 --- /dev/null +++ b/2configs/tv/exim-smarthost.nix @@ -0,0 +1,474 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) toFile; + inherit (pkgs.lib.attrsets) mapAttrs; + inherit (pkgs.lib.strings) concatMapStringsSep; +in + +{ + services.exim = + let + retiolumHostname = "${config.networking.hostName}.retiolum"; + + internet-aliases = [ + { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } + + { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } + + { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } + + { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } + ]; + + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + + to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); + lsearch = + mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit internet-aliases; + inherit system-aliases; + }; + in + { + enable = true; + config = + '' + primary_hostname = ${retiolumHostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". + domainlist local_domains = @ : localhost + #: viljetic.de : SHACK_REDIR_HOSTNAME + domainlist relay_to_domains = + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + # av_scanner = clamd:/tmp/clamd + # spamd_address = 127.0.0.1 783 + + # tls_advertise_hosts = * + # tls_certificate = /etc/ssl/exim.crt + # tls_privatekey = /etc/ssl/exim.pem + # (debian) tls_verify_certificates (to check client certs) + + # daemon_smtp_ports = 25 : 465 : 587 + # tls_on_connect_ports = 465 + + # qualify_domain defaults to primary_hostname + # qualify_recipient defaults to qualify_domain + + # allow_domain_literals + + never_users = root + + host_lookup = * + + # ident callbacks for all incoming SMTP calls + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + # sender_unqualified_hosts = + # recipient_unqualified_hosts = + + # percent_hack_domains = + + # arch & debian + #ignore_bounce_errors_after = 2d + #timeout_frozen_after = 7d + # debian + #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + #freeze_tell = postmaster + #trusted_users = uucp + # arch + #split_spool_directory = true + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : + # arch & debian: + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + ## feature RETIOLUM_MAIL + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + # debian: control = submission/sender_retain + # arch & debian: + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + + # Client SMTP Authorization (csa) checks on the sending host. + # Such checks do DNS lookups for special SRV records. + # require verify = csa + + accept + + + acl_check_data: + # see av_scanner + #deny malware = * + # message = This message contains a virus ($malware_name). + + # Add headers to a message if it is judged to be spam. Before enabling this, + # you must install SpamAssassin. You may also need to set the spamd_address + # option above. + # + # warn spam = nobody + # add_header = X-Spam_score: $spam_score\n\ + # X-Spam_score_int: $spam_score_int\n\ + # X-Spam_bar: $spam_bar\n\ + # X-Spam_report: $spam_report + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + warn + sender_domains = viljetic.de : shackspace.de + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + # if ipv6-enabled then instead use: + # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + + # (debian) same_domain_copy_routing = yes + # (debian) ignore private rfc1918 and APIPA addresses + # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + # 255.255.255.255 + + # Fail and bounce if the router does not find the domain in the DNS. + # I.e. no more routers are tried. + # There are a few cases where a dnslookup router will decline to accept an + # address; if such a router is expected to handle "all remaining non-local + # domains", then it is important to set no_more. + no_more + + # XXX this is only used because these "well known aliases" goto tv@cd.retiolum + # TODO bounce everything, there is no @cd.retiolum + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + # TODO this is only b/c mv here... send mv's mails somewhere else... + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + # serialize_hosts = TODO-all-slow-hosts + + remote_smtp: + driver = smtp + # debian has also stuff for tls, headers_rewrite and more here + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + + + # group = mail + # mode = 0660 + + + #address_pipe: + # driver = pipe + # return_output + # + #address_file: + # driver = appendfile + # delivery_date_add + # envelope_to_add + # return_path_add + # + #address_reply: + # driver = autoreply + + + #maildrop_pipe: + # debug_print = "T: maildrop_pipe for $local_part@$domain" + # driver = pipe + # path = "/bin:/usr/bin:/usr/local/bin" + # command = "/usr/bin/maildrop" + # return_path_add + # delivery_date_add + # envelope_to_add + + + + + + ##begin retry + # Address or Domain Error Retries + + # Our host_redirect destinations might be offline a lot. + # TODO define fallback destinations(?) + #lsearch;${lsearch.internet-aliases} * F,42d,1m + + + ## begin rewrite + + # just in case (shackspace.de should already do this) + #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T + + + ## begin authenticators + #PLAIN: + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + #LOGIN: + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + + + }; + +} + +# config = '' +# primary_hostname = ${retiolumHostname} +# domainlist local_domains = @ : localhost +# domainlist relay_to_domains = *.retiolum +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 +# +# acl_smtp_rcpt = acl_check_rcpt +# acl_smtp_data = acl_check_data +# +# host_lookup = * +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s +# +# log_file_path = syslog +# syslog_timestamp = false +# syslog_duplication = false +# +# begin acl +# +# acl_check_rcpt: +# accept hosts = : +# control = dkim_disable_verify +# +# deny message = Restricted characters in address +# domains = +local_domains +# local_parts = ^[.] : ^.*[@%!/|] +# +# deny message = Restricted characters in address +# domains = !+local_domains +# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ +# +# accept local_parts = postmaster +# domains = +local_domains +# +# #accept +# # hosts = *.retiolum +# # domains = *.retiolum +# # control = dkim_disable_verify +# +# #require verify = sender +# +# accept hosts = +relay_from_hosts +# control = submission +# control = dkim_disable_verify +# +# accept authenticated = * +# control = submission +# control = dkim_disable_verify +# +# require message = relay not permitted +# domains = +local_domains : +relay_to_domains +# +# require verify = recipient +# +# accept +# +# +# acl_check_data: +# accept +# +# +# begin routers +# +# retiolum: +# driver = manualroute +# domains = ! ${retiolumHostname} : *.retiolum +# transport = remote_smtp +# route_list = ^.* $0 byname +# no_more +# +# nonlocal: +# debug_print = "R: nonlocal for $local_part@$domain" +# driver = redirect +# domains = ! +local_domains +# allow_fail +# data = :fail: Mailing to remote domains not supported +# no_more +# +# local_user: +# # debug_print = "R: local_user for $local_part@$domain" +# driver = accept +# check_local_user +# # local_part_suffix = +* : -* +# # local_part_suffix_optional +# transport = home_maildir +# cannot_route_message = Unknown user +# +# +# begin transports +# +# remote_smtp: +# driver = smtp +# +# home_maildir: +# driver = appendfile +# maildir_format +# directory = $home/Maildir +# directory_mode = 0700 +# delivery_date_add +# envelope_to_add +# return_path_add +# # group = mail +# # mode = 0660 +# +# begin retry +# *.retiolum * F,42d,1m +# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h +# +# begin rewrite +# +# begin authenticators +# ''; +# }; +#} diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix new file mode 100644 index 000000000..0ca04d263 --- /dev/null +++ b/2configs/tv/git-public.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + inherit (builtins) map readFile; + inherit (lib) concatMap listToAttrs; + # TODO lib should already include our stuff + inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; + + public-git-repos = [ + (public "cgserver") + (public "crude-mail-setup") + (public "dot-xmonad") + (public "hack") + (public "load-env") + (public "make-snapshot") + (public "mime") + (public "much") + (public "nixos-infest") + (public "nixpkgs") + (public "painload") + (public "regfish") + (public' { + name = "shitment"; + desc = "turn all the computers into one computer!"; + }) + (public "wai-middleware-time") + (public "web-routes-wai-custom") + ]; + + users = addNames { + tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; + lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; + uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; + makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; + }; + + repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos); + + rules = concatMap ({ rules, ... }: rules) public-git-repos; + + public' = |