summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/lass/default.nix35
-rw-r--r--krebs/4lib/infest/prepare.sh25
-rw-r--r--krebs/Zhosts/prism12
-rw-r--r--lass/1systems/echelon.nix17
-rw-r--r--lass/1systems/prism.nix88
-rw-r--r--lass/2configs/base.nix4
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/downloading.nix10
-rw-r--r--lass/2configs/git.nix2
-rw-r--r--lass/2configs/retiolum.nix2
-rw-r--r--tv/1systems/cd.nix4
-rw-r--r--tv/1systems/mkdir.nix4
-rw-r--r--tv/1systems/nomic.nix9
-rw-r--r--tv/1systems/rmdir.nix4
-rw-r--r--tv/1systems/wu.nix4
-rw-r--r--tv/1systems/xu.nix390
-rw-r--r--tv/2configs/CAC-CentOS-7-64bit.nix47
-rw-r--r--tv/2configs/CAC-Developer-1.nix6
-rw-r--r--tv/2configs/CAC-Developer-2.nix6
-rw-r--r--tv/2configs/cryptoroot.nix4
-rw-r--r--tv/2configs/fs/CAC-CentOS-7-64bit.nix20
-rw-r--r--tv/2configs/hw/AO753.nix (renamed from tv/2configs/AO753.nix)9
-rw-r--r--tv/2configs/hw/CAC-Developer-1.nix8
-rw-r--r--tv/2configs/hw/CAC-Developer-2.nix8
-rw-r--r--tv/2configs/hw/CAC.nix13
-rw-r--r--tv/2configs/hw/w110er.nix (renamed from tv/2configs/w110er.nix)6
-rw-r--r--tv/2configs/hw/x220.nix60
-rw-r--r--tv/2configs/xserver/default.nix22
-rw-r--r--tv/2configs/xserver/xmonad/Util/Debunk.hs16
-rw-r--r--tv/5pkgs/default.nix3
-rw-r--r--tv/5pkgs/xmonad-tv/.gitignore (renamed from tv/2configs/xserver/xmonad/.gitignore)0
-rw-r--r--tv/5pkgs/xmonad-tv/Main.hs (renamed from tv/2configs/xserver/xmonad/Main.hs)30
-rw-r--r--tv/5pkgs/xmonad-tv/Makefile6
-rw-r--r--tv/5pkgs/xmonad-tv/Util/Font.hs (renamed from tv/2configs/xserver/xmonad/Util/Font.hs)0
-rw-r--r--tv/5pkgs/xmonad-tv/Util/Pager.hs (renamed from tv/2configs/xserver/xmonad/Util/Pager.hs)0
-rw-r--r--tv/5pkgs/xmonad-tv/Util/Rhombus.hs (renamed from tv/2configs/xserver/xmonad/Util/Rhombus.hs)1
-rw-r--r--tv/5pkgs/xmonad-tv/Util/Shutdown.hs (renamed from tv/2configs/xserver/xmonad/Util/Shutdown.hs)2
-rw-r--r--tv/5pkgs/xmonad-tv/Util/Submap.hs (renamed from tv/2configs/xserver/xmonad/Util/Submap.hs)0
-rw-r--r--tv/5pkgs/xmonad-tv/Util/XUtils.hs (renamed from tv/2configs/xserver/xmonad/Util/XUtils.hs)0
-rw-r--r--tv/5pkgs/xmonad-tv/xmonad.cabal (renamed from tv/2configs/xserver/xmonad/xmonad.cabal)1
40 files changed, 756 insertions, 124 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 498282b03..0be166255 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -33,7 +33,7 @@ let
in {
hosts = addNames {
echelon = {
- cores = 4;
+ cores = 2;
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
@@ -66,6 +66,39 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
+ prism = {
+ cores = 4;
+ dc = "lass"; #dc = "cac";
+ nets = rec {
+ internet = {
+ addrs4 = ["213.239.205.240"];
+ aliases = [
+ "prism.internet"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ addrs4 = ["10.243.0.103"];
+ addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"];
+ aliases = [
+ "prism.retiolum"
+ "cgit.prism.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
+ kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl
+ JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I
+ AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5
+ jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j
+ anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKVjJrM7fHfHpvZXEA3hmX4JliHl6h6Q8AGOPcu+9fF";
+ };
fastpoke = {
dc = "lass";
nets = rec {
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index 94c9b0fb5..182a068ef 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -11,12 +11,28 @@ prepare() {(
;;
centos)
case $VERSION_ID in
+ 6)
+ prepare_centos "$@"
+ exit
+ ;;
7)
prepare_centos "$@"
exit
;;
esac
;;
+ debian)
+ case $VERSION_ID in
+ 7)
+ prepare_debian "$@"
+ exit
+ ;;
+ 8)
+ prepare_debian "$@"
+ exit
+ ;;
+ esac
+ ;;
esac
elif test -e /etc/centos-release; then
case $(cat /etc/centos-release) in
@@ -31,6 +47,7 @@ prepare() {(
)}
prepare_arch() {
+ pacman -Sy
type bzip2 2>/dev/null || pacman -S --noconfirm bzip2
type git 2>/dev/null || pacman -S --noconfirm git
type rsync 2>/dev/null || pacman -S --noconfirm rsync
@@ -44,6 +61,14 @@ prepare_centos() {
prepare_common
}
+prepare_debian() {
+ apt-get update
+ type bzip2 2>/dev/null || apt-get install bzip2
+ type git 2>/dev/null || apt-get install git
+ type rsync 2>/dev/null || apt-get install rsync
+ prepare_common
+}
+
prepare_common() {
if ! getent group nixbld >/dev/null; then
diff --git a/krebs/Zhosts/prism b/krebs/Zhosts/prism
new file mode 100644
index 000000000..4c875631f
--- /dev/null
+++ b/krebs/Zhosts/prism
@@ -0,0 +1,12 @@
+Address = 213.239.205.240
+Subnet = 10.243.0.103
+Subnet = 42:0000:0000:0000:0000:0000:0000:15ab
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
+kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl
+JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I
+AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5
+jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j
+anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index 94c793b08..dc0ca0274 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -47,6 +47,23 @@ in {
{ predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
];
}
+ {
+ users.extraUsers = {
+ satan = {
+ name = "satan";
+ uid = 1338;
+ home = "/home/satan";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
+ ];
+ };
+ };
+ }
];
krebs.build.host = config.krebs.hosts.echelon;
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
new file mode 100644
index 000000000..570cdfb7c
--- /dev/null
+++ b/lass/1systems/prism.nix
@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+ ip = (head config.krebs.build.host.nets.internet.addrs4);
+in {
+ imports = [
+ ../2configs/base.nix
+ ../2configs/downloading.nix
+ {
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+ }
+ {
+ networking.interfaces.et0.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "213.239.205.225";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
+ '';
+
+ }
+ {
+ #boot.loader.gummiboot.enable = true;
+ #boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ devices = [
+ "/dev/sda"
+ "/dev/sdb"
+ ];
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/pool/nix";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
+ };
+
+ fileSystems."/var/download" = {
+ device = "/dev/pool/download";
+ };
+
+ }
+ {
+ sound.enable = false;
+ }
+ {
+ #workaround for server dying after 6-7h
+ boot.kernelPackages = pkgs.linuxPackages_4_2;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.prism;
+}
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 6fa9c5b2d..057af7bc4 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -27,8 +27,6 @@ with lib;
createHome = true;
useDefaultShell = true;
extraGroups = [
- "audio"
- "wheel"
];
openssh.authorizedKeys.keys = map readFile [
../../krebs/Zpubkeys/lass.ssh.pub
@@ -50,7 +48,7 @@ with lib;
source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
- rev = "33bdc011f5360288cd10b9fda90da2950442b2ab";
+ rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
};
dir.secrets = {
host = config.krebs.hosts.mors;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 1f5c3de55..3be3676aa 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -8,6 +8,8 @@ in {
./urxvt.nix
];
+ users.extraUsers.mainUser.extraGroups = [ "audio" ];
+
time.timeZone = "Europe/Berlin";
virtualisation.libvirtd.enable = true;
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 5052da5c8..553a3a557 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -1,5 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+with lib;
{
imports = [
../3modules/folderPerms.nix
@@ -10,9 +11,13 @@
name = "download";
home = "/var/download";
createHome = true;
+ useDefaultShell = true;
extraGroups = [
"download"
];
+ openssh.authorizedKeys.keys = map readFile [
+ ../../krebs/Zpubkeys/lass.ssh.pub
+ ];
};
transmission = {
@@ -43,6 +48,7 @@
rpc-username = "download";
#add rpc-password in secrets
rpc-password = "test123";
+ peer-port = 51413;
};
};
@@ -50,6 +56,8 @@
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
];
};
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 2164b2e33..7e8fc03c7 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -33,6 +33,8 @@ let
web-routes-wai-custom = {};
go = {};
newsbot-js = {};
+ kimsufi-check = {};
+ realwallpaper = {};
};
restricted-repos = mapAttrs make-restricted-repo (
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 7f0bcc5e8..d26a2f4c4 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -16,7 +16,7 @@
enable = true;
hosts = ../../krebs/Zhosts;
connectTo = [
- "fastpoke"
+ "prism"
"cloudkrebs"
"echelon"
"pigstarter"
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index d2b08bef7..69f1300be 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -24,8 +24,8 @@ with lib;
};
imports = [
- ../2configs/CAC-Developer-2.nix
- ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/hw/CAC-Developer-2.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
#../2configs/consul-server.nix
../2configs/exim-smarthost.nix
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index f0c7dc2a0..305ea7269 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -37,8 +37,8 @@ in
};
imports = [
- ../2configs/CAC-Developer-1.nix
- ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/hw/CAC-Developer-1.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 210846215..61f833d41 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -24,7 +24,7 @@ with lib;
};
imports = [
- ../2configs/AO753.nix
+ ../2configs/hw/AO753.nix
../2configs/base.nix
#../2configs/consul-server.nix
../2configs/git.nix
@@ -87,13 +87,6 @@ with lib;
swapDevices = [ ];
- nix = {
- buildCores = 2;
- maxJobs = 2;
- daemonIONiceLevel = 1;
- daemonNiceLevel = 1;
- };
-
# TODO base
boot.tmpOnTmpfs = true;
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index c52222cd1..f77268b53 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -37,8 +37,8 @@ in
};
imports = [
- ../2configs/CAC-Developer-1.nix
- ../2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/hw/CAC-Developer-1.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 586ad1725..65389b662 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -24,7 +24,7 @@ with lib;
};
imports = [
- ../2configs/w110er.nix
+ ../2configs/hw/w110er.nix
../2configs/base.nix
#../2configs/consul-client.nix
../2configs/git.nix
@@ -389,6 +389,4 @@ with lib;
services.tor.enable = true;
services.virtualboxHost.enable = true;
- # TODO w110er if xserver is enabled
- services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
}
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
new file mode 100644
index 000000000..82f5abf73
--- /dev/null
+++ b/tv/1systems/xu.nix
@@ -0,0 +1,390 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.build.host = config.krebs.hosts.xu;
+ krebs.build.user = config.krebs.users.tv;
+
+ krebs.build.target = "root@xu";
+
+ krebs.build.source = {
+ git.nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "e57024f821c94caf5684964474073649b8b6356b";
+ };
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/xu";
+ };
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
+ };
+ };
+
+ imports = [
+ ../2configs/hw/x220.nix
+ ../2configs/base.nix
+ #../2configs/consul-client.nix
+ ../2configs/git.nix
+ ../2configs/mail-client.nix
+ ../2configs/xserver
+ {
+ environment.systemPackages = with pkgs; [
+
+ # stockholm
+ genid
+ gnumake
+ hashPassword
+ lentil
+ parallel
+ (pkgs.writeScriptBin "im" ''
+ #! ${pkgs.bash}/bin/bash
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+
+ # root
+ cryptsetup
+ ntp # ntpate
+
+ # tv
+ bc
+ bind # dig
+ #cac
+ dic
+ ff
+ file
+ gitAndTools.qgit #xserver
+ gnupg21
+ haskellPackages.hledger
+ htop
+ jq
+ manpages
+ mkpasswd
+ mpv #xserver
+ netcat
+ nix-repl
+ nmap
+ nq
+ p7zip
+ pavucontrol #xserver
+ posix_man_pages
+ #pssh
+ qrencode
+ sxiv #xserver
+ texLive
+ tmux
+ zathura #xserver
+
+ #ack
+ #apache-httpd
+ #ascii
+ #emacs
+ #es
+ #esniper
+ #gcc
+ #gptfdisk
+ #graphviz
+ #haskellPackages.cabal2nix
+ #haskellPackages.ghc
+ #haskellPackages.shake
+ #hdparm
+ #i7z
+ #iftop
+ #imagemagick
+ #inotifyTools
+ #iodine
+ #iotop
+ #lshw
+ #lsof
+ #minicom
+ #mtools
+ #ncmpc
+ #neovim
+ #nethogs
+ #nix-prefetch-scripts #cvs bug
+ #openssl
+ #openswan
+ #parted
+ #perl
+ #powertop
+ #ppp
+ #proot
+ #pythonPackages.arandr
+ #pythonPackages.youtube-dl
+ #racket
+ #rxvt_unicode-with-plugins
+ #scrot
+ #sec
+ #silver-searcher
+ #sloccount
+ #smartmontools
+ #socat
+ #sshpass
+ #strongswan
+ #sysdig
+ #sysstat
+ #tcpdump
+ #tlsdate
+ #unetbootin
+ #utillinuxCurses
+ #wvdial
+ #xdotool
+ #xkill
+ #xl2tpd
+ #xsel
+ ];
+ }
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "http"
+ "tinc"
+ "smtp"
+ ];
+ };
+ }
+ {
+ krebs.exim-retiolum.enable = true;
+ }
+ {
+ krebs.nginx = {
+ enable = true;
+ servers.default.locations = [
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "cd"
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
+ {
+ users.extraGroups = {
+ tv.gid = 1337;
+ slaves.gid = 3799582008; # genid slaves
+ };
+
+ users.extraUsers =
+ mapAttrs (name: user@{ extraGroups ? [], ... }: user // {
+ inherit name;
+ home = "/home/${name}";
+ createHome = true;
+ useDefaultShell = true;
+ group = "tv";
+ extraGroups = ["slaves"] ++ extraGroups;
+ }) {
+ ff = {
+ uid = 13378001;
+ extraGroups = [
+ "audio"
+ "video"
+ ];
+ };
+
+ cr = {
+ uid = 13378002;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ fa = {
+ uid = 2300001;
+ };
+
+ rl = {
+ uid = 2300002;
+ };
+
+ tief = {
+ uid = 2300702;
+ };
+
+ btc-bitcoind = {
+ uid = 2301001;
+ };
+
+ btc-electrum = {
+ uid = 2301002;
+ };
+
+ ltc-litecoind = {
+ uid = 2301101;
+ };
+
+ eth = {
+ uid = 2302001;
+ };
+
+ emse-hsdb = {
+ uid = 4200101;
+ };
+
+ wine = {
+ uid = 13370400;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ df = {
+ uid = 13370401;
+ extraGroups = [
+ "audio"
+ "video"
+ "bumblebee"
+ ];
+ };
+
+ xr = {
+ uid = 13370061;
+ extraGroups = [
+ "audio"
+ "video"
+ ];
+ };
+
+ "23" = {
+ uid = 13370023;
+ };
+
+ electrum = {
+ uid = 13370102;
+ };
+
+ skype = {
+ uid = 6660001;
+ extraGroups = [
+ "audio"
+ ];
+ };
+
+ onion = {
+ uid = 6660010;
+ };
+
+ zalora = {
+ uid = 1000301;
+ extraGroups = [
+ "audio"
+ # TODO remove vboxusers when hardening is active
+ "vboxusers"
+ "video"
+ ];
+ };
+ };
+
+ security.sudo.extraConfig =
+ let
+ isSlave = u: elem "slaves" u.extraGroups;
+ masterOf = u: u.group;
+ slaves = filterAttrs (_: isSlave) config.users.extraUsers;
+ toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL";
+ in
+ concatMapStringsSep "\n" toSudoers (attrValues slaves);
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ { name = "xuca"; device = "/dev/sda2"; }
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+