-rw-r--r-- | modules/lass/bitcoin.nix | 17 | ||||
-rw-r--r-- | modules/lass/browsers-lass.nix | 65 | ||||
-rw-r--r-- | modules/lass/desktop-base.nix | 157 | ||||
-rw-r--r-- | modules/lass/elster.nix | 17 | ||||
-rw-r--r-- | modules/lass/games.nix | 22 | ||||
-rw-r--r-- | modules/lass/pass.nix | 10 | ||||
-rw-r--r-- | modules/lass/programs.nix | 24 | ||||
-rw-r--r-- | modules/lass/retiolum-mors.nix | 21 | ||||
-rw-r--r-- | modules/lass/steam.nix | 29 | ||||
-rw-r--r-- | modules/lass/urxvt-lass.nix | 54 | ||||
-rw-r--r-- | modules/lass/vim.nix | 93 | ||||
-rw-r--r-- | modules/lass/virtualbox.nix | 16 | ||||
-rw-r--r-- | modules/lass/wine.nix | 17 | ||||
-rw-r--r-- | modules/lass/xserver-lass.nix | 8 | ||||
-rw-r--r-- | modules/mors/default.nix | 287 |
15 files changed, 837 insertions, 0 deletions
diff --git a/modules/lass/bitcoin.nix b/modules/lass/bitcoin.nix
new file mode 100644
index 000000000..d3bccbf5c
--- /dev/null
+++ b/modules/lass/bitcoin.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ electrum
+ ];
+
+ users.extraUsers = {
+ bitcoin = {
+ name = "bitcoin";
+ description = "user for bitcoin stuff";
+ home = "/home/bitcoin";
+ useDefaultShell = true;
+ createHome = true;
+ };
+ };
+}
diff --git a/modules/lass/browsers-lass.nix b/modules/lass/browsers-lass.nix
new file mode 100644
index 000000000..8c27de7b4
--- /dev/null
+++ b/modules/lass/browsers-lass.nix
@@ -0,0 +1,65 @@
+{ config, pkgs, ... }:
+
+{
+
+ nixpkgs.config.packageOverrides = pkgs : {
+ chromium = pkgs.chromium.override {
+ pulseSupport = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ firefox
+ chromium
+ ];
+
+ users.extraUsers = {
+ firefox = {
+ name = "firefox";
+ description = "user for running firefox";
+ home = "/home/firefox";
+ useDefaultShell = true;
+ extraGroups = [ "audio" ];
+ createHome = true;
+ };
+ chromium = {
+ name = "chromium";
+ description = "user for running chromium";
+ home = "/home/chromium";
+ useDefaultShell = true;
+ extraGroups = [ "audio" ];
+ createHome = true;
+ };
+ facebook = {
+ name = "facebook";
+ description = "user for running facebook in chromium";
+ home = "/home/facebook";
+ useDefaultShell = true;
+ extraGroups = [ "audio" ];
+ createHome = true;
+ };
+ google = {
+ name = "google";
+ description = "user for running google+/gmail in chromium";
+ home = "/home/google";
+ useDefaultShell = true;
+ createHome = true;
+ };
+ flash = {
+ name = "flash";
+ description = "user for running flash stuff";
+ home = "/home/flash";
+ useDefaultShell = true;
+ extraGroups = [ "audio" ];
+ createHome = true;
+ };
+ };
+
+ security.sudo.extraConfig = ''
+ lass ALL=(firefox) NOPASSWD: ALL
+ lass ALL=(chromium) NOPASSWD: ALL
+ lass ALL=(facebook) NOPASSWD: ALL
+ lass ALL=(google) NOPASSWD: ALL
+ lass ALL=(flash) NOPASSWD: ALL
+ '';
+}
diff --git a/modules/lass/desktop-base.nix b/modules/lass/desktop-base.nix
new file mode 100644
index 000000000..8b8da6538
--- /dev/null
+++ b/modules/lass/desktop-base.nix
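Review bot: The five Runas rules in security.sudo.extraConfig grant lass any command as firefox, chromium, facebook, google and flash without a password, so the per-application users isolate the browsers from lass's own files but not the other way round: anything running as lass can act as any of those users. If the intent is only to launch the browser, the command part can be narrowed, e.g. `lass ALL=(firefox) NOPASSWD: /run/current-system/sw/bin/firefox`, with matching lines for chromium; the same unrestricted pattern appears in games.nix, elster.nix and wine.nix. Four of the five users also carry the audio group while desktop-base.nix runs PulseAudio with systemWide = true, so all browser users share one audio daemon; a short comment on the intended trust boundary between these users would help the next reader.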
@@ -0,0 +1,157 @@
+{ config, pkgs, ... }:
+
+{
+ boot.tmpOnTmpfs = true;
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -"
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ virtualisation.libvirtd.enable = true;
+
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ };
+
+ # multiple-definition-problem when defining environment.variables.EDITOR
+ environment.extraInit = ''
+ EDITOR=vim
+ PAGER=most
+ '';
+
+ programs.bash = {
+ enableCompletion = true;
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ #fancy colors
+ if [ -e ~/LS_COLORS ]; then
+ eval $(dircolors ~/LS_COLORS)
+ fi
+
+ if [ -e /etc/nixos/dotfiles/link ]; then
+ /etc/nixos/dotfiles/link
+ fi
+ '';
+ promptInit = ''
+ if test $UID = 0; then
+ PS1='\[\033[1;31m\]\w\[\033[0m\] '
+ elif test $UID = 1337; then
+ PS1='\[\033[1;32m\]\w\[\033[0m\] '
+ else
+ PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
+ fi
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\033[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+ programs.ssh.startAgent = false;
+
+ security.setuidPrograms = [ "slock" ];
+
+ ###SERVICES BEGIN
+ services.gitolite = {
+ enable = true;
+ dataDir = "/home/gitolite";
+ adminPubkey = ''
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors
+ '';
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+
+ services.printing = {
+ enable = true;
+ drivers = [ pkgs.foomatic_filters ];
+ };
+ ###SERVICES END
+
+ environment.systemPackages = with pkgs; [
+ gitolite
+ git
+
+ #terminal
+ most
+ powertop
+
+ #network
+ iptables
+
+ #video stuff
+ haskellPackages.xmobar
+ haskellPackages.yeganesh
+ dmenu2
+ xlibs.fontschumachermisc
+ ];
+
+ nix.useChroot = true;
+
+ #
+ # user settings
+ #
+ users.mutableUsers = false;
+ users.extraUsers = {
+ #gitolite = {
+ # name = "gitolite";
+ # description = "gitolite git manager";
+ # home = "/home/gitolite";
+ # createHome = true;
+ # useDefaultShell = true;
+ #};
+ testing = {
+ name = "testing";
+ description = "user for testing various stuff";
+ home = "/home/testing";
+ useDefaultShell = true;
+ createHome = true;
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 22
+ ];
+
+ extraCommands = ''
+ iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ iptables -A INPUT -j ACCEPT -i lo
+
+ #iptables -N Retiolum
+ iptables -A INPUT -j Retiolum -i retiolum
+ iptables -A Retiolum -j ACCEPT -p icmp
+ iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ iptables -A Retiolum -j REJECT
+ '';
+
+ extraStopCommands = "iptables -F";
+ };
+
+}
diff --git a/modules/lass/elster.nix b/modules/lass/elster.nix
new file mode 100644
index 000000000..c31c2f310
--- /dev/null
+++ b/modules/lass/elster.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ users.extraUsers = {
+ elster = {
+ name = "elster";
+ description = "user for running elster-online";
+ home = "/home/elster";
+ useDefaultShell = true;
+ extraGroups = [];
+ createHome = true;
+ };
+ };
+ security.sudo.extraConfig = ''
+ lass ALL=(elster) NOPASSWD: ALL
+ '';
+}
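Review bot: networking.firewall.extraCommands appends to a Retiolum chain (`iptables -A INPUT -j Retiolum -i retiolum`) while the line that would create it, `#iptables -N Retiolum`, is commented out; unless ../tv/retiolum.nix or another module creates that chain first, that append fails with an unknown-target error and, depending on how the firewall start script treats errors, the Retiolum REJECT rules below it may never be installed. Since extraStopCommands only flushes with `iptables -F` and leaves custom chains behind, the idempotent form `iptables -N Retiolum 2>/dev/null || true` before the append would work on both first start and restart, or a comment should name the module that owns the chain. Separately, the openssh hostKeys entry combines `bits = 8192` with `type = "ed25519"`; ed25519 keys have a fixed size and ssh-keygen ignores a bits argument for them, so the `# XXX` note can be resolved by dropping the `bits` attribute. The elster.nix hunk that also ends on this line repeats the unrestricted NOPASSWD Runas pattern already noted on browsers-lass.nix.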
diff --git a/modules/lass/games.nix b/modules/lass/games.nix
new file mode 100644
index 000000000..d48c484da
--- /dev/null
+++ b/modules/lass/games.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ dwarf_fortress
+ ];
+
+ users.extraUsers = {
+ games = {
+ name = "games";
+ description = "user playing games";
+ home = "/home/games";
+ extraGroups = [ "audio" ];
+ createHome = true;
+ useDefaultShell = true;
+ };
+ };
+
+ security.sudo.extraConfig = ''
+ lass ALL=(games) NOPASSWD: ALL
+ '';
+}
diff --git a/modules/lass/pass.nix b/modules/lass/pass.nix
new file mode 100644
index 000000000..33eca0a17
--- /dev/null
+++ b/modules/lass/pass.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ pass
+ gnupg1
+ ];
+
+ services.xserver.startGnuPGAgent = true;
+}
diff --git a/modules/lass/programs.nix b/modules/lass/programs.nix
new file mode 100644
index 000000000..41d241bac
--- /dev/null
+++ b/modules/lass/programs.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+## TODO sort and split up
+{
+ environment.systemPackages = with pkgs; [
+ aria2
+ gnupg1compat
+ htop
+ i3lock
+ mc
+ mosh
+ mpv
+ pass
+ pavucontrol
+ pv
+ pwgen
+ python34Packages.livestreamer
+ remmina
+ silver-searcher
+ wget
+ xsel
+ youtube-dl
+ ];
+}
diff --git a/modules/lass/retiolum-mors.nix b/modules/lass/retiolum-mors.nix
new file mode 100644
index 000000000..61a7856c1
--- /dev/null
+++ b/modules/lass/retiolum-mors.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/retiolum.nix
+ ];
+
+ services.retiolum = {
+ enable = true;
+ hosts = ../../hosts;
+ privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "gum"
+ "ire"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+}
diff --git a/modules/lass/steam.nix b/modules/lass/steam.nix
new file mode 100644
index 000000000..d54873b1f
--- /dev/null
+++ b/modules/lass/steam.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+{
+
+ imports = [
+ ./games.nix
+ ];
+ #
+ # Steam stuff
+ # source: https://nixos.org/wiki/Talk:Steam
+ #
+ ##TODO: make steam module
+ hardware.opengl.driSupport32Bit = true;
+
+ environment.systemPackages = with pkgs; [
+ steam
+ ];
+ networking.firewall = {
+ allowedUDPPorts = [
+ 27031
+ 27036
+ ];
+ allowedTCPPorts = [
+ 27036
+ 27037
+ ];
+ };
+
+}
diff --git a/modules/lass/urxvt-lass.nix b/modules/lass/urxvt-lass.nix
new file mode 100644
index 000000000..ca3fe363c
--- /dev/null
+++ b/modules/lass/urxvt-lass.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./urxvtd.nix
+ ];
+
+ services.urxvtd = {
+ enable = true;
+ users = [ "lass" ];
+ urxvtPackage = pkgs.rxvt_unicode_with-plugins;
+ xresources = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
+ URxvt.url-select.launcher: browser-select
+ URxvt.url-select.underline: true
+ URxvt.keysym.M-u: perl:url-select:select_next
+ URxvt.keysym.M-Escape: perl:keyboard-select:activate
+ URxvt.keysym.M-s: perl:keyboard-select:search
+
+ URxvt.intensityStyles: false
+
+ !solarized colors
+ URxvt*fading: 5
+ URxvt*background: #002b36
+ URxvt*foreground: #657b83
+ URxvt*fadeColor: #002b36
+ URxvt*cursorColor: #93a1a1
+ URxvt*pointerColorBackground: #586e75
+ URxvt*pointerColorForeground: #93a1a1
+ URxvt*colorUL: #859900
+ URxvt*colorBD: #268bd2
+ URxvt*color0: #073642
+ URxvt*color8: #002b36
+ URxvt*color1: #dc322f
+ URxvt*color9: #cb4b16
+ URxvt*color2: #859900
+ URxvt*color10: #586e75
+ URxvt*color3: #b58900
+ URxvt*color11: #657b83
+ URxvt*color4: #268bd2
+ URxvt*color12: #839496
+ URxvt*color5: #d33682
+ URxvt*color13: #6c71c4
+ URxvt*color6: #2aa198
+ URxvt*color14: #93a1a1
+ URxvt*color7: #eee8d5
+ URxvt*color15: #fdf6e3
+ '';
+ };
+}
diff --git a/modules/lass/vim.nix b/modules/lass/vim.nix
new file mode 100644
index 000000000..e277bd725
--- /dev/null
+++ b/modules/lass/vim.nix
@@ -0,0 +1,93 @@
+{ config, pkgs, ... }:
+
+{
+
+ environment.systemPackages = with pkgs; [
+ (vim_configurable.customize {
+ name = "vim";
+
+ vimrcConfig.customRC = ''
+ set nocompatible
+ set t_Co=16
+ syntax on
+ " TODO autoload colorscheme file
+ set background=dark
+ colorscheme solarized
+ filetype off
+ filetype plugin indent on
+
+ imap <F1> <nop>
+
+ set mouse=a
+ set ruler
+ set showmatch
+ set backspace=2
+ set visualbell
+ set encoding=utf8
+ set showcmd
+ set wildmenu
+
+ set title
+ set titleold=
+ set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername}
+
+ set autoindent
+
+ set ttyfast
+
+ set pastetoggle=<INS>
+
+
+ " Force Saving Files that Require Root Permission
+ command! W silent w !sudo tee "%" >/dev/null
+
+ nnoremap <C-c> :q<Return>
+ vnoremap < <gv
+ vnoremap > >gv
+
+ "Tabwidth
+ set ts=2 sts=2 sw=2 et
+ autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et
+ autocmd BufRead *.hs set ts=4 sts=4 sw=4 et
+
+ " create Backup/tmp/undo dirs
+ function! InitBackupDir()
+ let l:parent = $HOME . '/.vim/'
+ let l:backup = l:parent . 'backups/'
+ let l:tmpdir = l:parent . 'tmp/'
+ let l:undodi = l:parent . 'undo/'
+
+ if !isdirectory(l:parent)
+ call mkdir(l:parent)
+ endif
+ if !isdirectory(l:backup)
+ call mkdir(l:backup)
+ endif
+ if !isdirectory(l:tmpdir)
+ call mkdir(l:tmpdir)
+ endif
+ if !isdirectory(l:undodi)
+ call mkdir(l:undodi)
+ endif
+ endfunction
+ call InitBackupDir()
+
+ " Backups & Files
+ set backup
+ set backupdir=~/.vim/backups
+ set directory=~/.vim/tmp//
+ set viminfo='20,<1000,s100,h,n~/.vim/tmp/info
+ set undodir=$HOME/.vim/undo
+ set undofile
+ '';
+
+ vimrcConfig.vam.knownPlugins = vimPlugins;
+ vimrcConfig.vam.pluginDictionaries = [
+ { name = "Gundo"; }
+ { name = "commentary"; }
+ { name = "vim-addon-nix"; }
+ { name = "colors-solarized"; }
+ ];
+ })
+ ];
+}
diff --git a/modules/lass/virtualbox.nix b/modules/lass/virtualbox.nix
new file mode 100644
index 000000000..bd57077b7
--- /dev/null
+++ b/modules/lass/virtualbox.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ services.virtualboxHost.enable = true;
+
+ users.extraUsers = {
+ virtual = {
+ name = "virtual";
+ description = "user for running VirtualBox";
+ home = "/home/virtual";
+ useDefaultShell = true;
+ extraGroups = [ "vboxusers" ];
+ createHome = true;
+ };
+ };
+}
diff --git a/modules/lass/wine.nix b/modules/lass/wine.nix
new file mode 100644
index 000000000..838b67d2a
--- /dev/null
+++ b/modules/lass/wine.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ users.extraUsers = {
+ elster = {
+ name = "elster";
+ description = "user for running elster-online";
+ home = "/home/elster";
+ useDefaultShell = true;
+ extraGroups = [];
+ createHome = true;
+ };
+ };
+ security.sudo.extraConfig = ''
+ lass ALL=(wine) NOPASSWD: ALL
+ '';
+}
diff --git a/modules/lass/xserver-lass.nix b/modules/lass/xserver-lass.nix
new file mode 100644
index 000000000..62f711505
--- /dev/null
+++ b/modules/lass/xserver-lass.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/xserver.nix
+ ];
+ services.xserver.displayManager.auto.user = "lass";
+}
diff --git a/modules/mors/default.nix b/modules/mors/default.nix
new file mode 100644
index 000000000..bbe235117
--- /dev/null
+++ b/modules/mors/default.nix
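Review bot: wine.nix defines users.extraUsers.elster (a verbatim copy of the block in elster.nix, down to the description) while its sudo rule targets a `wine` user that no module on this page creates, so `lass ALL=(wine) NOPASSWD: ALL` names a Runas user that does not exist and the elster definition now has to be kept identical across two modules. The user block should presumably read `wine = {` with `name = "wine";`, `home = "/home/wine";` and a description that mentions wine instead of elster-online. In the xserver-lass.nix hunk on the same line, `displayManager.auto.user = "lass"` logs lass in without a password at boot; a one-line comment stating that the LUKS passphrase in modules/mors/default.nix is presumably the intended pre-login authentication would make that trade-off explicit for anyone reusing the module on a host without disk encryption.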
@@ -0,0 +1,287 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../lass/desktop-base.nix
+ ../lass/programs.nix
+ ../lass/retiolum-mors.nix
+ ../lass/xserver-lass.nix
+ ../tv/synaptics.nix
+ ../lass/bitcoin.nix
+ ../lass/browsers-lass.nix
+ ../lass/games.nix
+ ../tv/exim-retiolum.nix
+ ../lass/pass.nix
+ ../lass/vim.nix
+ ../lass/virtualbox.nix
+ ../lass/elster.nix
+ ../lass/urxvt-lass.nix
+ ../lass/steam.nix
+ ];
+
+ networking.hostName = "mors";
+ networking.wireless.enable = true;
+
+ networking.extraHosts = ''
+ '';
+ nix.maxJobs = 4;
+
+ hardware.enableAllFirmware = true;
+ nixpkgs.config.allowUnfree = true;
+
+ boot = {
+ kernelParams = [
+ "acpi.brightness_switch_enabled=0"
+ ];
+ loader.grub.enable = true;
+ loader.grub.version = 2;
+ loader.grub.device = "/dev/sda";
+
+ initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+ initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+ initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+ #kernelModules = [ "kvm-intel" "msr" ];
+ kernelModules = [ "msr" ];
+ extraModprobeConfig = ''
+ '';
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/big/nix";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+
+ "/mnt/loot" = {
+ device = "/dev/big/loot";
+ fsType = "ext4";
+ };
+
+ "/home" = {
+ device = "/dev/big/home";
+ fsType = "ext4";
+ };
+
+ "/home/lass" = {
+ device = "/dev/big/home-lass";
+ fsType = "ext4";
+ };
+
+ "/mnt/backups" = {
+ device = "/dev/big/backups";
+ fsType = "ext4";
+ };
+
+ "/home/games/.local/share/Steam" = {
+ device = "/dev/big/steam";
+ fsType = "ext4";
+ };
+
+ "/home/virtual/virtual" = {
+ device = "/dev/big/virtual";
+ fsType = "ext4";
+ };
+
+ "/mnt/public" = {
+ device = "/dev/big/public";
+ fsType = "ext4";
+ };
+ };
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
+ SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
+ '';
+
+ #activationScripts
+ #split up and move into base
+ system.activationScripts.powertopTunables = ''
+ #Enable Audio codec power management
+ echo '1' > '/sys/module/snd_hda_intel/parameters/power_save'
+ #VM writeback timeout
+ echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs'
+ #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp]
+ echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control'
+ #Autosuspend for USB device Biometric Coprocessor
+ echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
+
+ #Runtime PMs
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
+ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
+ '';
+ system.activationScripts.trackpoint = ''
+ echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
+ echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
+ '';
+
+ services.xserver = {
+
+ videoDriver = "intel";
+ vaapiDrivers = [ pkgs.vaapiIntel ];
+ deviceSection = ''
+ Option "AccelMethod" "sna"
+ BusID "PCI:0:2:0"
+ '';
+ };
+
+ #TODO move into modules
+ users.extraUsers = {
+ root = {
+ hashedPassword = "$6$78Zog6OCAQn6tFCO$jpOPksguWEsOPz7u1r6kVApD0Zb2SqjFV8Gn1JCZevcMtBI.jm0CcojXvW.v23xWDt4wZE4KcxFSNWNU.E9ef.";
+ };
+ #main user
+ lass = {
+ uid = 1337;
+ name = "lass";
+ #isNormalUser = true;
+ group = "users";
+ createHome = true;
+ home = "/home/lass";
+ useDefaultShell = true;
+ isSystemUser = false;
+ description = "lassulus";
+ extraGroups = [ "wheel" "audio" ];
+ hashedPassword = "$6$78Zog6OCAQn6tFCO$jpOPksguWEsOPz7u1r6kVApD0Zb2SqjFV8Gn1JCZevcMtBI.jm0CcojXvW.v23xWDt4wZE4KcxFSNWNU.E9ef.";
+ };
+ #miefda-mc-dev user
+ miefda = {
+ uid = 1338;
+ name = "miefda";
+ #isNormalUser = true;
+ group = "users";
+ createHome = true;
+ home = "/home/miefda";
+ useDefaultShell = true;
+ isSystemUser = false;
+ description = "miefda-minecraft-dev";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ ];
+
+ #TODO: fix this shit
+ ##fprint stuff
+ ##sudo fprintd-enroll $USER to save fingerprints
+ #services.fprintd.enable = true;
+ #security.pam.services.sudo.fprintAuth = true;
+
+ users.extraGroups = {
+ loot = {
+ members = [
+ "lass"
+ "firefox"
+ "chromium"
+ "google"
+ ];
+ };
+ };
+
+ networking.firewall = {
+ allowPing = true;
+ allowedTCPPorts = [
+ 8000
+ ];
+ allowedUDPPorts = [
+ 67
+ ];
+ };
+
+ services.ircdHybrid = {
+ enable = true;
+
+ description = "local test server";
+ };
+
+ #TODO
+ #services.urxvtd = {
+ # enable = true;
+ # users = [ "lass" ];
+ # urxvtPackage = pkgs.rxvt_unicode_with-plugins;
+ #};
+
+ #system.activationScripts.iptables =
+ # let
+ # log = false;
+ # when = c: f: if c then f else "";
+ # in
+ # ''
+ # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ # ipXtables() { ip4tables "$@"; ip6tables "$@"; }
+
+ # #
+ # # nat
+ # #
+
+ # # reset tables
+ # ipXtables -t nat -F
+ # ipXtables -t nat -X
+
+ # #
+ # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ # #
+ # # filter
+ # #
+
+ # # reset tables
+ # ipXtables -P INPUT DROP
+ # ipXtables -P FORWARD DROP
+ # ipXtables -F
+ # ipXtables -X
+
+ # # create custom chains
+ # ipXtables -N Retiolum
+
+ # # INPUT
+ # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ # ipXtables -A INPUT -j ACCEPT -i lo
+ # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ # ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+
+ # #mc
+ # ipXtables -A INPUT -j ACCEPT -p tcp --dport 25565
+ # ipXtables -A INPUT -j ACCEPT -p udp --dport 25565
+
+ # ipXtables -A INPUT -j Retiolum -i retiolum
+ # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # # FORWARD
+ # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # # Retiolum
+ # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+ # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ # ip6tables -A Retiolum -j REJECT
+
+ # '';
+} |
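Review bot: users.extraUsers.root and users.extraUsers.lass carry the byte-identical hashedPassword string, so the root password equals the password of the wheel user lass; with users.mutableUsers = false set in desktop-base.nix this is pinned by the configuration, and anyone who learns or cracks the lass password (the hash sits in version control, so offline guessing is possible wherever this repository is readable) can log in as root directly and skip sudo entirely. Give root a separate hash, or leave root.hashedPassword unset so the account is locked and sudo from wheel is the only path, and consider reading the hashes from a file outside the repository as retiolum-mors.nix already does for its private key under /etc/nixos/secrets. networking.firewall.allowedUDPPorts opens 67, the DHCP server port, on every interface including the wireless one enabled above; a comment naming the service that listens there, or limiting it to one interface, would help. The long commented-out system.activationScripts.iptables block duplicates the live rules in desktop-base.nix and would be clearer as a short comment pointing there than as kept-around archaeology.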