summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--jeschli/1systems/bln/config.nix12
-rw-r--r--jeschli/1systems/brauerei/config.nix2
-rw-r--r--jeschli/2configs/urxvt.nix2
-rw-r--r--jeschli/source.nix2
-rw-r--r--krebs/1systems/hotdog/config.nix5
-rw-r--r--krebs/2configs/buildbot-all.nix4
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/nin/default.nix45
-rw-r--r--krebs/5pkgs/simple/internetarchive/default.nix33
-rw-r--r--krebs/source.nix2
-rw-r--r--lass/1systems/daedalus/config.nix1
-rw-r--r--lass/1systems/dishfire/config.nix1
-rw-r--r--lass/1systems/mors/config.nix5
-rw-r--r--lass/1systems/prism/config.nix16
-rw-r--r--lass/2configs/IM.nix15
-rw-r--r--lass/2configs/ableton.nix20
-rw-r--r--lass/2configs/dns-stuff.nix22
-rw-r--r--lass/2configs/rebuild-on-boot.nix18
-rw-r--r--lass/2configs/security-workarounds.nix2
-rw-r--r--lass/source.nix2
-rw-r--r--makefu/1systems/filepimp/config.nix5
-rw-r--r--makefu/1systems/gum/config.nix27
-rw-r--r--makefu/1systems/omo/config.nix5
-rw-r--r--makefu/1systems/vbob/config.nix26
-rw-r--r--makefu/2configs/default.nix3
-rw-r--r--makefu/2configs/tools/all.nix1
-rw-r--r--makefu/2configs/tools/consoles.nix9
-rw-r--r--makefu/2configs/tools/dev.nix3
-rw-r--r--makefu/2configs/tools/mobility.nix2
-rw-r--r--makefu/5pkgs/bin2iso/default.nix28
-rw-r--r--makefu/5pkgs/cue2pops/default.nix24
-rw-r--r--makefu/5pkgs/gen-oath-safe/default.nix5
-rw-r--r--makefu/5pkgs/hdl-dump/default.nix33
-rw-r--r--makefu/5pkgs/opl-utils/default.nix27
-rw-r--r--makefu/source.nix3
-rw-r--r--nin/1systems/axon/config.nix117
-rw-r--r--nin/1systems/axon/source.nix4
-rw-r--r--nin/2configs/default.nix2
-rw-r--r--nin/2configs/git.nix2
39 files changed, 466 insertions, 71 deletions
diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix
index 901970e81..873c0fa3d 100644
--- a/jeschli/1systems/bln/config.nix
+++ b/jeschli/1systems/bln/config.nix
@@ -38,7 +38,7 @@
networking.hostName = "BLN02NB0154"; # Define your hostname.
networking.networkmanager.enable = true;
- #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Select internationalisation properties.
# i18n = {
@@ -54,7 +54,11 @@
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
nixpkgs.config.allowUnfree = true;
- environment.shellAliases = { n = "nix-shell"; };
+ environment.shellAliases = {
+ n = "nix-shell";
+ gd = "cd /home/markus/go/src/gitlab.dcso.lolcat";
+ gh = "cd /home/markus/go/src/github.com";
+ };
environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
environment.systemPackages = with pkgs; [
# system helper
@@ -62,6 +66,7 @@
copyq
dmenu
git
+ tig
i3lock
keepass
networkmanagerapplet
@@ -72,6 +77,8 @@
rxvt_unicode
# editors
emacs
+ # databases
+ sqlite
# internet
thunderbird
hipchat
@@ -91,6 +98,7 @@
jetbrains.pycharm-professional
jetbrains.webstorm
jetbrains.goland
+ jetbrains.datagrip
texlive.combined.scheme-full
pandoc
redis
diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix
index 171a002da..2dec45795 100644
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@@ -96,7 +96,7 @@
# Enable the X11 windowing system.
services.xserver.enable = true;
- # services.xserver.layout = "us";
+ services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
diff --git a/jeschli/2configs/urxvt.nix b/jeschli/2configs/urxvt.nix
index a2e02de35..69811eb0a 100644
--- a/jeschli/2configs/urxvt.nix
+++ b/jeschli/2configs/urxvt.nix
@@ -28,7 +28,7 @@ with import <stockholm/lib>;
URxvt*scrollBar: false
URxvt*urgentOnBell: true
- URxvt*font: xft:DejaVu Sans Mono:pixelsize=20
+ URxvt*font: xft:DejaVu Sans Mono:pixelsize=12
URXvt*faceSize: 12
'';
}
diff --git a/jeschli/source.nix b/jeschli/source.nix
index d1b64b0ed..ae9e1e72e 100644
--- a/jeschli/source.nix
+++ b/jeschli/source.nix
@@ -10,7 +10,7 @@ in
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "f9390d6";
+ ref = "d83c808";
};
secrets.file = getAttr builder {
buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 73b5377bd..98fb88702 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -20,10 +20,5 @@
boot.isContainer = true;
networking.useDHCP = false;
- krebs.repo-sync.repos.stockholm.timerConfig = {
- OnBootSec = "5min";
- OnUnitInactiveSec = "2min";
- RandomizedDelaySec = "2min";
- };
krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
}
diff --git a/krebs/2configs/buildbot-all.nix b/krebs/2configs/buildbot-all.nix
index ca994e996..5ea78f227 100644
--- a/krebs/2configs/buildbot-all.nix
+++ b/krebs/2configs/buildbot-all.nix
@@ -1,10 +1,6 @@
with import <stockholm/lib>;
{ lib, config, pkgs, ... }:
{
- imports = [
- <stockholm/krebs/2configs/repo-sync.nix>
- ];
-
networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];
krebs.ci.enable = true;
krebs.ci.treeStableTimer = 1;
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 0af553c5d..fba585448 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -161,7 +161,7 @@ let
ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
set -efux
#remove garbage from old versions
- rm -r ${workdir}
+ rm -rf ${workdir}
mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix
index aab568352..1a0999b8d 100644
--- a/krebs/3modules/nin/default.nix
+++ b/krebs/3modules/nin/default.nix
@@ -32,6 +32,47 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
};
+ axon= {
+ cores = 2;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.134.66";
+ ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
+ aliases = [
+ "axon.retiolum"
+ "axon.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo
+ glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj
+ KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH
+ L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j
+ VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY
+ PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN
+ X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh
+ m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp
+ OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT
+ LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H
+ /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK
+ MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w
+ 7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm
+ ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3
+ 1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF
+ 29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt
+ 4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj
+ FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl
+ buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p
+ hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG
+ yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi
+ ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc";
+ };
onondaga = {
cores = 1;
nets = {
@@ -63,6 +104,10 @@ with import <stockholm/lib>;
};
users = {
nin = {
+ mail = "nin@axon.retiolum";
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
+ };
+ nin_h = {
mail = "nin@hiawatha.retiolum";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
};
diff --git a/krebs/5pkgs/simple/internetarchive/default.nix b/krebs/5pkgs/simple/internetarchive/default.nix
index f5e1bbff3..2f55e6f42 100644
--- a/krebs/5pkgs/simple/internetarchive/default.nix
+++ b/krebs/5pkgs/simple/internetarchive/default.nix
@@ -1,38 +1,39 @@
-{ pkgs, fetchFromGitHub, ... }:
+{ stdenv, pkgs, fetchPypi, ... }:
with pkgs.python3Packages;
buildPythonPackage rec {
pname = "internetarchive";
version = "1.7.3";
name = "${pname}-${version}";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g";
+ };
+
propagatedBuildInputs = [
requests
- jsonpatch
- docopt
- clint
- six
- schema
- backports_csv
+ jsonpatch
+ docopt
+ clint
+ six
+ schema
+ backports_csv
];
-# check only works when cloned from git repo
+ # check only works when cloned from git repo
doCheck = false;
+
checkInputs = [
pytest
- responses
+ responses
];
prePatch = ''
sed -i "s/'schema.*'/'schema>=0.4.0'/" setup.py
- '';
-
- src = fetchPypi {
- inherit pname version;
- sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g";
- };
+ '';
meta = with stdenv.lib; {
description = "python library and cli for uploading files to internet archive";
license = licenses.agpl3;
};
-
}
diff --git a/krebs/source.nix b/krebs/source.nix
index 8fbdce284..b952aa2a2 100644
--- a/krebs/source.nix
+++ b/krebs/source.nix
@@ -17,6 +17,6 @@ in
stockholm.file = toString <stockholm>;
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
+ ref = "0b30c1dd4c638e318957fc6a9198cf2429e38cb5"; # nixos-17.09 @ 2018-01-04
};
}
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 6674b3db5..8ec744584 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -41,6 +41,7 @@ with import <stockholm/lib>;
skype
wine
];
+ nixpkgs.config.firefox.enableAdobeFlash = true;
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix
index 416edeb82..7993c763e 100644
--- a/lass/1systems/dishfire/config.nix
+++ b/lass/1systems/dishfire/config.nix
@@ -43,6 +43,7 @@
networking.dhcpcd.allowInterfaces = [
"enp*"
"eth*"
+ "ens*"
];
}
{
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index ad133802f..c231a0b10 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -30,6 +30,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/c-base.nix>
<stockholm/lass/2configs/br.nix>
+ <stockholm/lass/2configs/ableton.nix>
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@@ -70,10 +71,6 @@ with import <stockholm/lib>;
];
}
{
- #ps vita stuff
- boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
- }
- {
services.tor = {
enable = true;
client.enable = true;
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 593a1fc9c..03e9f6eeb 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -184,14 +184,17 @@ in {
}
{
#hotdog
+ systemd.services."container@hotdog".reloadIfChanged = mkForce false;
containers.hotdog = {
config = { ... }: {
+ imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
+ autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.1";
@@ -200,8 +203,10 @@ in {
}
{
#kaepsele
+ systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
containers.kaepsele = {
config = { ... }: {
+ imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
@@ -209,6 +214,7 @@ in {
tv.pubkey
];
};
+ autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
@@ -217,8 +223,10 @@ in {
}
{
#onondaga
+ systemd.services."container@onondaga".reloadIfChanged = mkForce false;
containers.onondaga = {
config = { ... }: {
+ imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
@@ -226,6 +234,7 @@ in {
config.krebs.users.nin.pubkey
];
};
+ autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.5";
@@ -302,6 +311,13 @@ in {
}
];
}
+ {
+ krebs.repo-sync.repos.stockholm.timerConfig = {
+ OnBootSec = "5min";
+ OnUnitInactiveSec = "2min";
+ RandomizedDelaySec = "2min";
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
index b94cb0634..51512955e 100644
--- a/lass/2configs/IM.nix
+++ b/lass/2configs/IM.nix
@@ -20,6 +20,17 @@ let
'';
in {
+ services.bitlbee = {
+ enable = true;
+ portNumber = 6666;
+ plugins = [
+ pkgs.bitlbee-facebook
+ pkgs.bitlbee-steam
+ pkgs.bitlbee-discord
+ ];
+ libpurple_plugins = [ pkgs.telegram-purple ];
+ };
+
users.extraUsers.chat = {
home = "/home/chat";
uid = genid "chat";
@@ -46,6 +57,10 @@ in {
restartIfChanged = false;
+ path = [
+ pkgs.rxvt_unicode.terminfo
+ ];
+
serviceConfig = {
User = "chat";
RemainAfterExit = true;
diff --git a/lass/2configs/ableton.nix b/lass/2configs/ableton.nix
new file mode 100644
index 000000000..9d6f481b0
--- /dev/null
+++ b/lass/2configs/ableton.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: let
+ mainUser = config.users.extraUsers.mainUser;
+in {
+ users.users= {
+ ableton = {
+ isNormalUser = true;
+ extraGroups = [
+ "audio"
+ "video"
+ ];
+ packages = [
+ pkgs.wine
+ pkgs.winetricks
+ ];
+ };
+ };
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
+ '';
+}
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
index 411b07503..cbcce8df9 100644
--- a/lass/2configs/dns-stuff.nix
+++ b/lass/2configs/dns-stuff.nix
@@ -11,24 +11,6 @@ with import <stockholm/lib>;
key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
};
};
- services.dnsmasq = {
- enable = true;
- resolveLocalQueries = false;
- extraConfig = ''
- server=127.1.0.1
- #no-resolv
- cache-size=1000
- min-cache-ttl=3600
- bind-dynamic
- all-servers
- dnssec
- trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- rebind-domain-ok=/onion/
- server=/.onion/127.0.0.1#9053
- port=53
- '';
- };
- networking.extraResolvconfConf = ''
- name_servers='127.0.0.1'
- '';
+ services.resolved.enable = true;
+ services.resolved.fallbackDns = [ "127.1.0.1" ];
}
diff --git a/lass/2configs/rebuild-on-boot.nix b/lass/2configs/rebuild-on-boot.nix
new file mode 100644
index 000000000..60198be7b
--- /dev/null
+++ b/lass/2configs/rebuild-on-boot.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ systemd.services.rebuild-on-boot = {
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ NIX_REMOTE = "daemon";
+ HOME = "/var/empty";
+ };
+ serviceConfig = {
+ ExecStart = pkgs.writeScript "rebuild" ''
+ #!${pkgs.bash}/bin/bash
+ (/run/current-system/sw/bin/nixos-rebuild -I /var/src switch) &
+ '';
+ ExecStop = "${pkgs.coreutils}/bin/sleep 10";
+ };
+ };
+}
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
index 537c8a59b..c3d07d5fe 100644
--- a/lass/2configs/security-workarounds.nix
+++ b/lass/2configs/security-workarounds.nix
@@ -5,4 +5,6 @@ with import <stockholm/lib>;
boot.extraModprobeConfig = ''
install dccp /run/current-system/sw/bin/false
'';
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
}
diff --git a/lass/source.nix b/lass/source.nix
index 473dd2cf2..46c6d31dc 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -10,7 +10,7 @@ in
nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "3aec59c";
+ ref = "d202e30";
};
secrets = getAttr builder {
buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
diff --git a/makefu/1systems/filepimp/config.nix b/makefu/1systems/filepimp/config.nix
index e9058ec85..30ba61a9b 100644
--- a/makefu/1systems/filepimp/config.nix
+++ b/makefu/1systems/filepimp/config.nix
@@ -71,7 +71,10 @@ in {
'') allDisks);
fileSystems = let
xfsmount = name: dev:
- { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
+ { "/media/${name}" = {
+ device = dev; fsType = "xfs";
+ options = [ "nofail" ];
+ }; };
in
# (xfsmount "j0" (part1 jDisk0)) //
(xfsmount "j1" (part1 jDisk1)) //
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 1fe0b62f9..6e5f3c2d4 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -108,16 +108,35 @@ in {
# };
#}
{ # wireguard server
- networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ # TODO: networking.nat
+
+ # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # conf.all.proxy_arp =1
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+ };
+
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
+ listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
- peers = [{
- # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ peers = [
+ {
+ # x
allowedIPs = [ "10.244.0.2/32" ];
publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }];
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ ];
};
}
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index aaecebadc..ce3ffbcf3 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -143,7 +143,10 @@ in {
];
fileSystems = let
cryptMount = name:
- { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+ { "/media/${name}" = {
+ device = "/dev/mapper/${name}"; fsType = "xfs";
+ options = [ "nofail" ];
+ };};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix
index f318c0e61..ffd9deaee 100644
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
@@ -7,7 +7,8 @@
<stockholm/makefu>
{
imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
- boot.loader.grub.device = "/dev/vda";
+ boot.loader.grub.device = "/dev/sda";
+ virtualisation.virtualbox.guest.enable = true;
}
# {
# imports = [
@@ -49,6 +50,27 @@
# environment
<stockholm/makefu/2configs/tinc/retiolum.nix>
+ (let
+ gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
+ gateway = "10.0.2.2";
+ in {
+ # make sure the route to gum gets added after the network is online
+ systemd.services.wireguard-wg0.after = [ "network-online.target" ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.0.3/24" ];
+ privateKeyFile = (toString <secrets>) + "/wireguard.key";
+ # explicit route via eth0 to gum
+ preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
+ peers = [
+ { # gum
+ endpoint = "${gum-ip}:51820";
+ allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
+ publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ })
];
networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
@@ -90,5 +112,5 @@
8010
];