-rw-r--r--krebs/2configs/default.nix1
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/3modules/tv/default.nix23
-rw-r--r--krebs/source.nix2
-rw-r--r--lass/1systems/daedalus/config.nix74
-rw-r--r--lass/1systems/iso.nix1
-rw-r--r--lass/1systems/mors/config.nix7
-rw-r--r--lass/1systems/prism/config.nix16
-rw-r--r--lass/1systems/skynet/config.nix4
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/git.nix4
-rw-r--r--lass/2configs/ircd.nix1
-rw-r--r--lass/2configs/mail.nix2
-rw-r--r--lass/2configs/newsbot-js.nix21
-rw-r--r--lass/5pkgs/xmonad-lass.nix1
-rw-r--r--makefu/1systems/darth/config.nix93
-rw-r--r--makefu/1systems/gum/config.nix24
-rw-r--r--makefu/1systems/x/config.nix9
-rw-r--r--makefu/2configs/audio/jack-on-pulse.nix2
-rw-r--r--makefu/2configs/backup.nix1
-rw-r--r--makefu/2configs/deployment/gitlab.nix39
-rw-r--r--makefu/2configs/elchos/search.nix17
-rw-r--r--makefu/2configs/fs/sda-crypto-root.nix6
-rw-r--r--makefu/2configs/git/gitlab-runner-shackspace.nix32
-rw-r--r--makefu/2configs/hw/tp-x230.nix4
-rw-r--r--makefu/2configs/lanparty/samba.nix31
-rw-r--r--makefu/2configs/nsupdate-data.nix55
-rw-r--r--makefu/2configs/share/anon-ftp.nix2
-rw-r--r--makefu/2configs/share/gum.nix4
-rw-r--r--makefu/2configs/tools/android-pentest.nix3
-rw-r--r--makefu/2configs/tools/dev.nix3
-rw-r--r--makefu/2configs/tools/extra-gui.nix1
-rw-r--r--makefu/2configs/urlwatch/default.nix25
-rw-r--r--makefu/2configs/vim.nix3
-rw-r--r--makefu/2configs/virtualisation/docker.nix6
-rw-r--r--makefu/5pkgs/cmpforopenssl/default.nix82
-rw-r--r--makefu/5pkgs/cmpforopenssl/nix-ssl-cert-file.patch14
-rw-r--r--makefu/5pkgs/custom/alsa-tools/default.nix (renamed from makefu/5pkgs/alsa-tools/default.nix)0
-rw-r--r--makefu/5pkgs/custom/default.nix3
-rw-r--r--makefu/5pkgs/custom/inkscape/dxf_fix.patch13
-rw-r--r--makefu/5pkgs/custom/qcma/default.nix (renamed from makefu/5pkgs/qcma/default.nix)5
-rw-r--r--makefu/5pkgs/default.nix14
-rw-r--r--makefu/5pkgs/dionaea/default.nix50
-rw-r--r--makefu/5pkgs/farpd/default.nix2
-rw-r--r--makefu/5pkgs/libopencm3/default.nix30
-rw-r--r--makefu/5pkgs/logstash-output-exec/default.nix32
-rw-r--r--makefu/5pkgs/mcomix/default.nix20
-rw-r--r--makefu/5pkgs/minibar/default.nix12
-rw-r--r--makefu/5pkgs/nltk/default.nix17
-rw-r--r--makefu/5pkgs/novnc/default.nix1
-rw-r--r--makefu/5pkgs/programs-db/default.nix12
-rw-r--r--makefu/6tests/data/secrets/nsupdate-data.nix1
-rw-r--r--makefu/6tests/data/secrets/shackspace-gitlab-ci-token.nix1
-rw-r--r--makefu/source.nix5
55 files changed, 709 insertions, 126 deletions
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index daf9bd9d0..e7ece87b6 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -22,6 +22,7 @@ with import <stockholm/lib>;
environment.systemPackages = with pkgs; [
git
+ vim
rxvt_unicode.terminfo
];
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index cae0d1f37..7aeeb1f21 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -43,7 +43,7 @@ with import <stockholm/lib>;
cores = 2;
nets = rec {
internet = {
- ip4.addr = "104.233.79.118";
+ ip4.addr = "45.62.226.163";
aliases = [
"echelon.i"
];
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 81db2d411..68cba633b 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -113,14 +113,6 @@ with import <stockholm/lib>;
};
kaepsele = {
nets = {
- internet = {
- ip4.addr = "92.222.10.169";
- aliases = [
- "kaepsele.i"
- "kaepsele.internet"
- # TODO "kaepsele.org"
- ];
- };
retiolum = {
ip4.addr = "10.243.166.2";
ip6.addr = "42:b9d:6660:d07c:2bb7:4e91:1a01:2e7d";
@@ -129,17 +121,18 @@ with import <stockholm/lib>;
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAxj7kaye4pGLou7mVRTVgtcWFjuEosJlxVg24gM7nU1EaoRnBD93/
- Y3Je7BSUbz5xMXr5SFTPSkitInL7vU+jDOf2bEpqv+uUJAJIz85494oPS9xocdWo
- rQsrQRAtOg4MLD+YIoAxQm2Mc4nt2CSE1+UP4uXGxpuh0c051b+9Kmwv1bTyHB9y
- y01VSkDvNyHk5eA+RGDiujBAzhi35hzTlQgCJ3REOBiq4YmE1d3qpk3oNiYUcrcu
- yFzQrSRIfhXjuzIR+wxqS95HDUsewSwt9HgkjJzYF5sQZSea0/XsroFqZyTJ8iB5
- FQx2emBqB525cWKOt0f5jgyjklhozhJyiwIDAQAB
+ MIIBCgKCAQEA4+kDaKhCBNlpHqRCA2R6c4UEFk0OaiPwHvjmBBjpihTJVyffIEYm
+ QFZ5ZNkaVumSOAgKk9ygppO9WsNasl1ag+IRWik9oupdzEkNjgvOMBVJGhcwGZGF
+ 6UEY5sdA1n0qg74og5BGSiXUBiaahVM0rAfCNk8gV3qrot5kWJMQLb9BKabJ56eb
+ JrgWepxuVaw3BoEhz6uusuvw5i1IF382L8R11hlvyefifXONFOAUjCrCr0bCb4uK
+ ZZcRUU35pbHLDXXTOrOarOO1tuVGu85VXo3S1sLaaouHYjhTVT8bxqbwcNhxBXYf
+ ONLv0f7G5XwecgUNbE6ZTfjV5PQKaww3lwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
- ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA9cDUg7qm37uOhQpdKSgpnJPWao9VZR6LFNphVcJQ++gYvVgWu6WMhigiy7DcGQSStUlXkZc4HZBBugwwNWcf7aAF6ijBuG5rVwb9AFQmSexpTOfWap33iA5f+LXYFHe7iv4Pt9TYO1ga1Ryl4EGKb7ol2h5vbKC+JiGaDejB0WqhBAyrTg4tTWO8k2JT11CrlTjNVctqV0IVAMtTc/hcJcNusnoGD4ic0QGSzEMYxcIGRNvIgWmxhI6GHeaHxXWH5fv4b0OpLlDfVUsIvEo9KVozoLGm/wgLBG/tQXKaF9qVMVgOYi9sX/hDLwhRrcD2cyAlq9djo2pMARYiriXF";
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wr36T0MmB8pnSO5/pw9/Dfe5+IMgVHOhm6EUa55jj";
};
mu = {
cores = 2;
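Review bot: The hunk swaps kaepsele's tinc public key and replaces its ssh-rsa host key with an ed25519 one without any annotation, so a later reader of the file cannot tell whether this is a rotation of a withdrawn key or a fresh host install. A one-line comment above `tinc.pubkey`, e.g. `# keys rotated <DATE> — old ssh-rsa key withdrawn`, would make the change auditable in place. The old ssh-rsa key is only dropped from this host definition; whether any other config embedded it literally in an authorizedKeys list is not visible from this diff and should be checked.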
diff --git a/krebs/source.nix b/krebs/source.nix
index db30e1e35..400826351 100644
--- a/krebs/source.nix
+++ b/krebs/source.nix
@@ -14,6 +14,6 @@ in
stockholm.file = toString <stockholm>;
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "0590ecbe9e6b9a076065be29370701da758c61f1"; # nixos-17.03 @ 2017-07-30
+ ref = "51a83266d164195698f04468d90d2c6238ed3491"; # nixos-17.03 @ 2017-07-30
};
}
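Review bot: The trailing comment `# nixos-17.03 @ 2017-07-30` is carried over unchanged while the pinned commit on the same line changes, so the date no longer necessarily describes the ref it annotates. If the new ref is a later nixos-17.03 commit, update the annotation with it: `ref = "51a83266d164195698f04468d90d2c6238ed3491"; # nixos-17.03 @ <DATE-OF-NEW-COMMIT>`. A stale pin date is the kind of thing that misleads the next person bisecting a channel regression.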
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 290d8a780..36daea1d5 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -1,23 +1,75 @@
+with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
+ <stockholm/lass/2configs/boot/coreboot.nix>
- <stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/git.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- <stockholm/lass/2configs/baseX.nix>
- <stockholm/lass/2configs/browsers.nix>
- <stockholm/lass/2configs/programs.nix>
- <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
- <stockholm/lass/2configs/games.nix>
+ {
+ # bubsy config
+ users.users.bubsy = {
+ uid = genid "bubsy";
+ home = "/home/bubsy";
+ group = "users";
+ createHome = true;
+ extraGroups = [
+ "audio"
+ "networkmanager"
+ ];
+ useDefaultShell = true;
+ };
+ networking.networkmanager.enable = true;
+ networking.wireless.enable = mkForce false;
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ };
+ environment.systemPackages = with pkgs; [
+ pavucontrol
+ firefox
+ hexchat
+ networkmanagerapplet
+ ];
+ services.xserver.enable = true;
+ services.xserver.displayManager.lightdm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+ }
+ {
+ krebs.per-user.bitcoin.packages = [
+ pkgs.electrum
+ ];
+ users.extraUsers = {
+ bitcoin = {
+ name = "bitcoin";
+ description = "user for bitcoin stuff";
+ home = "/home/bitcoin";
+ useDefaultShell = true;
+ createHome = true;
+ };
+ };
+ security.sudo.extraConfig = ''
+ bubsy ALL=(bitcoin) NOPASSWD: ALL
+ '';
+ }
];
+ time.timeZone = "Europe/Berlin";
+
+ hardware.trackpoint = {
+ enable = true;
+ sensitivity = 220;
+ speed = 0;
+ emulateWheel = true;
+ };
+
+ services.logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ '';
+
krebs.build.host = config.krebs.hosts.daedalus;
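Review bot: The sudo rule `bubsy ALL=(bitcoin) NOPASSWD: ALL` lets bubsy run any command as the bitcoin user without a password, which is broader than the stated purpose of keeping "bitcoin stuff" in a separate account. If the intent is only to launch the wallet, scope the rule to that command, e.g. `bubsy ALL=(bitcoin) NOPASSWD: ${pkgs.electrum}/bin/electrum`, so a compromise of the bubsy session cannot trivially read or move the wallet through arbitrary commands. Separately, the same hunk declares bubsy under `users.users` but bitcoin under `users.extraUsers`; both spellings resolve to the same option, but using `users.users` for both keeps the two blocks consistent.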
fileSystems = {
@@ -29,7 +81,7 @@
};
services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0"
+ SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
+ SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
}
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 0b048a2b1..be064bed2 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -37,6 +37,7 @@ with import <stockholm/lib>;
};
};
boot.kernelParams = [ "copytoram" ];
+ networking.hostName = "lass-iso";
}
{
krebs.enable = true;
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 2cb6a7519..bb6f84c7b 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -5,7 +5,7 @@ with import <stockholm/lib>;
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/coreboot.nix>
+ <stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
@@ -104,8 +104,8 @@ with import <stockholm/lib>;
};
services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
+ SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0"
+ SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
@@ -139,7 +139,6 @@ with import <stockholm/lib>;
urban
mk_sql_pair
remmina
- thunderbird
iodine
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 5d05ae399..744bae551 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -298,6 +298,22 @@ in {
localAddress = "10.233.2.2";
};
}
+ {
+ #kaepsele
+ containers.kaepsele = {
+ config = { ... }: {
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ tv.pubkey
+ ];
+ };
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.3";
+ localAddress = "10.233.2.4";
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
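Review bot: The kaepsele container enables sshd and installs keys for root, but leaves `services.openssh.permitRootLogin` at its default, which on the nixpkgs generation pinned by this repo may still allow password authentication for root (I cannot confirm the default from here). Since the container is reachable through the tun/private network set up in the same hunk, pinning `services.openssh.permitRootLogin = "prohibit-password";` inside the container's `config` makes the key-only intent explicit regardless of the upstream default. The enclosing `containers` list continues outside the hunk.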
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index b707f4388..0b9499982 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -44,6 +44,10 @@ with import <stockholm/lib>;
krebs.build.host = config.krebs.hosts.skynet;
+ services.logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ '';
+
#fileSystems = {
# "/bku" = {
# device = "/dev/mapper/pool-bku";
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 86d0ac7c1..3a99e65a0 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -48,6 +48,7 @@ in {
acpi
dic
dmenu
+ gi
gitAndTools.qgit
lm_sensors
haskellPackages.hledger
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 728e265f6..611e1b9da 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -40,6 +40,7 @@ with import <stockholm/lib>;
{ from = "patreon@lassul.us"; to = lass.mail; }
{ from = "steam@lassul.us"; to = lass.mail; }
{ from = "securityfocus@lassul.us"; to = lass.mail; }
+ { from = "radio@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index d3f5d1f39..eb606037e 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -80,7 +80,7 @@ let
public = true;
};
- make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
+ make-restricted-repo = name: { collaborators ? [], announce ? false, hooks ? {}, ... }: {
inherit collaborators name;
public = false;
hooks = optionalAttrs announce {
@@ -93,7 +93,7 @@ let
# TODO define branches in some kind of option per repo
branches = [ "master" "staging*" ];
};
- };
+ } // hooks;
};
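Review bot: `} // hooks;` is a shallow merge, so a caller that passes both `announce = true` and its own `post-receive` hook silently replaces the announce hook rather than extending it; nothing in the new signature (hunk above, `hooks ? {}`) documents that precedence. If override-wins is intended, say so where the parameter is introduced, e.g. `# caller-supplied hooks take precedence over the announce hook of the same name`; if extension is intended, the two hook bodies need to be concatenated per hook name instead of merged with `//`. make-restricted-repo starts in the previous hunk and this hunk closes it.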
make-rules =
diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix
index b72e2b087..ee4c0216c 100644
--- a/lass/2configs/ircd.nix
+++ b/lass/2configs/ircd.nix
@@ -13,7 +13,6 @@
sid = "1as";
description = "miep!";
network_name = "irc.retiolum";
- network_desc = "Retiolum IRC Network";
hub = yes;
vhost = "0.0.0.0";
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index ee0c3f938..9f9bb24fa 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -72,13 +72,13 @@ let
''} %r |"
virtual-mailboxes \
+ "Unread" "notmuch://?query=tag:unread"\
"INBOX" "notmuch://?query=tag:inbox \
and NOT tag:killed \
and NOT to:shackspace \
and NOT to:c-base \
and NOT from:security-alert@hpe.com \
and NOT to:nix-devel"\
- "Unread" "notmuch://?query=tag:unread"\
"shack" "notmuch://?query=to:shackspace"\
"c-base" "notmuch://?query=to:c-base"\
"security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index 9983fd567..5e028a3fb 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -15,7 +15,6 @@ let
bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#news #bundestag
bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#news
bitcoinpakistan|https://bitcoinspakistan.com/feed/|#news #financial
- c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#news
cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#news
carta|http://feeds2.feedburner.com/carta-standard-rss|#news
catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#news
@@ -27,7 +26,11 @@ let
ccc|http://www.ccc.de/rss/updates.rdf|#news
chan_b|https://boards.4chan.org/b/index.rss|#brainfuck
chan_biz|https://boards.4chan.org/biz/index.rss|#news #brainfuck
+ chan_g|https://boards.4chan.org/g/index.rss|#news
chan_int|https://boards.4chan.org/int/index.rss|#news #brainfuck
+ chan_sci|https://boards.4chan.org/sci/index.rss|#news
+ chan_x|https://boards.4chan.org/x/index.rss|#news
+ c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#news
cryptogon|http://www.cryptogon.com/?feed=rss2|#news
csm|http://rss.csmonitor.com/feeds/csm|#news
csm_world|http://rss.csmonitor.com/feeds/world|#news
@@ -61,6 +64,7 @@ let
greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#news
guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#news
gulli|http://ticker.gulli.com/rss/|#news
+ hackernews|https://news.ycombinator.com/rss|#news
handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#news #financial
heise|https://www.heise.de/newsticker/heise-atom.xml|#news
hindu_business|http://www.thehindubusinessline.com/?service=rss|#news #financial
@@ -100,7 +104,12 @@ let
reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#news #brainfuck
reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#news
reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#news #financial
+ reddit_consp|http://reddit.com/r/conspiracy/.rss|#news
+ reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news
+ reddit_nix|http://www.reddit.com/r/nixos/.rss|#news
reddit_prog|http://www.reddit.com/r/programming/new/.rss|#news
+ reddit_sci|http://www.reddit.com/r/science/.rss|#news
+ reddit_tech|http://www.reddit.com/r/technology/.rss|#news
reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#news #tpp
reddit_world|http://www.reddit.com/r/worldnews/.rss|#news
r-ethereum|http://www.reddit.com/r/ethereum/.rss|#news
@@ -156,16 +165,6 @@ let
wp_world|http://feeds.washingtonpost.com/rss/rss_blogpost|#news
xkcd|https://xkcd.com/rss.xml|#news
zdnet|http://www.zdnet.com/news/rss.xml|#news
-
- chan_g|https://boards.4chan.org/g/index.rss|#news
- chan_x|https://boards.4chan.org/x/index.rss|#news
- chan_sci|https://boards.4chan.org/sci/index.rss|#news
- reddit_consp|http://reddit.com/r/conspiracy/.rss|#news
- reddit_sci|http://www.reddit.com/r/science/.rss|#news
- reddit_tech|http://www.reddit.com/r/technology/.rss|#news
- reddit_nix|http://www.reddit.com/r/nixos/.rss|#news
- reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news
- hackernews|https://news.ycombinator.com/rss|#news
'';
in {
environment.systemPackages = [
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 22ec7efa9..38a9550df 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -98,6 +98,7 @@ myKeyMap =
[ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f")
, ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png")
, ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
+ , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
, ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
, ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
, ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")
diff --git a/makefu/1systems/darth/config.nix b/makefu/1systems/darth/config.nix
index 9dbe67429..7accb13d3 100644
--- a/makefu/1systems/darth/config.nix
+++ b/makefu/1systems/darth/config.nix
@@ -3,44 +3,62 @@
with import <stockholm/lib>;
let
byid = dev: "/dev/disk/by-id/" + dev;
- rootDisk = byid "ata-ADATA_SSD_S599_64GB_10460000000000000039";
- auxDisk = byid "ata-HGST_HTS721010A9E630_JR10006PH3A02F";
- dataPartition = auxDisk + "-part1";
+ rootDisk = byid "ata-INTEL_SSDSC2BW480H6_CVTR53120385480EGN";
+ bootPart = rootDisk + "-part1";
+ rootPart = rootDisk + "-part2";
allDisks = [ rootDisk ]; # auxDisk
in {
imports = [
<stockholm/makefu>
- <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
+ <stockholm/makefu/2configs/fs/sda-crypto-root.nix>
+ <stockholm/makefu/2configs/sshd-totp.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/exim-retiolum.nix>
- <stockholm/makefu/2configs/virtualisation/libvirt.nix>
+ # <stockholm/makefu/2configs/virtualisation/libvirt.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
- <stockholm/makefu/2configs/share/temp-share-samba.nix>
+ <stockholm/makefu/2configs/tools/core.nix>
+ <stockholm/makefu/2configs/stats/client.nix>
+ <stockholm/makefu/2configs/nsupdate-data.nix>
+
+ # SIEM
+ #<stockholm/makefu/2configs/tinc/siem.nix>
+ # {services.tinc.networks.siem = {
+ # name = "sdarth";
+ # extraConfig = "ConnectTo = sjump";
+ # };
+ # }
+
+ # {
+ # makefu.forward-journal = {
+ # enable = true;
+ # src = "10.8.10.2";
+ # dst = "10.8.10.6";
+ # };
+ # }
+
+ ## Sharing
+ # <stockholm/makefu/2configs/share/temp-share-samba.nix>
+ #{
+ # services.samba.shares = {
+ # isos = {
+ # path = "/data/isos/";
+ # "read only" = "yes";
+ # browseable = "yes";
+ # "guest ok" = "yes";
+ # };
+ # };
+ #}
+ <stockholm/makefu/2configs/share/anon-ftp.nix>
];
- services.samba.shares = {
- isos = {
- path = "/data/isos/";
- "read only" = "yes";
- browseable = "yes";
- "guest ok" = "yes";
- };
- };
- services.tinc.networks.siem = {
- name = "sdarth";
- extraConfig = "ConnectTo = sjump";
- };
- makefu.forward-journal = {
- enable = true;
- src = "10.8.10.2";
- dst = "10.8.10.6";
- };
- #networking.firewall.enable = false;
+ #networking.firewall.enable = false;
+ makefu.server.primary-itf = "enp0s25";
+ krebs.hidden-ssh.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
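Review bot: `allDisks = [ rootDisk ]; # auxDisk` keeps a comment that names a binding this same hunk deletes, so the comment now points at nothing; either drop the `# auxDisk` remark or replace it with what it meant, e.g. `# only the root SSD is smart-monitored`. `bootPart` is newly bound but not referenced in any visible hunk; if the rest of the file does not use it either, it is dead. The SIEM, forward-journal and samba blocks are moved into large commented-out stretches instead of being removed; git history already preserves them, and the commented copies will drift from the option names they reference.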
@@ -49,31 +67,28 @@ in {
firewall = {
allowPing = true;
logRefusedConnections = false;
- trustedInterfaces = [ "eno1" ];
+ # trustedInterfaces = [ "eno1" ];
allowedUDPPorts = [ 80 655 1655 67 ];
allowedTCPPorts = [ 80 655 1655 ];
};
# fallback connection to the internal virtual network
- interfaces.virbr3.ip4 = [{
- address = "10.8.8.2";
- prefixLength = 24;
- }];
+ # interfaces.virbr3.ip4 = [{
+ # address = "10.8.8.2";
+ # prefixLength = 24;
+ # }];
};
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
- zramSwap.enable = true;
-
- #fileSystems."/data" = {
- # device = dataPartition;
- # fsType = "ext4";
- #};
boot.loader.grub.device = rootDisk;
-
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.makefu-omo.pubkey
- config.krebs.users.makefu-vbob.pubkey
+ boot.initrd.luks.devices = [
+ { name = "luksroot";
+ device = rootPart;
+ allowDiscards = true;
+ keyFileSize = 4096;
+ keyFile = "/dev/sdb";
+ }
];
krebs.build.host = config.krebs.hosts.darth;
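Review bot: `keyFile = "/dev/sdb";` ties the LUKS key for the root volume to a kernel enumeration name, while the root disk on the same host is addressed through `/dev/disk/by-id/`; if a second disk or the key device enumerates in a different order, the initrd reads 4096 bytes from the wrong device and unlocking fails (whether this initrd then falls back to a passphrase prompt is not visible here). Use the existing helper for the key device too, e.g. `keyFile = byid "<KEY-DEVICE-ID placeholder>";`, so the key source is as stable as `rootPart`. The hunk also drops root's `openssh.authorizedKeys.keys` (makefu-omo, makefu-vbob) without a replacement in view; presumably sshd-totp.nix or hidden-ssh covers access now, but that should be confirmed before deploying.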
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index bbb8cfe11..110edc130 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -9,6 +9,7 @@ let
external-gw6 = "fe80::1";
external-netmask = 22;
external-netmask6 = 64;
+ ext-if = "et0"; # gets renamed on the fly
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
main