diff options
Diffstat (limited to 'lass/2configs')
| -rw-r--r-- | lass/2configs/baseX.nix | 5 | ||||
| -rw-r--r-- | lass/2configs/browsers.nix | 97 | ||||
| -rw-r--r-- | lass/2configs/default.nix | 21 | ||||
| -rw-r--r-- | lass/2configs/exim-smarthost.nix | 5 | ||||
| -rw-r--r-- | lass/2configs/games.nix | 18 | ||||
| -rw-r--r-- | lass/2configs/gc.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/git.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/hw/x220.nix | 21 | ||||
| -rw-r--r-- | lass/2configs/pass.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/radio.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/starcraft.nix | 33 | ||||
| -rw-r--r-- | lass/2configs/steam.nix | 5 | ||||
| -rw-r--r-- | lass/2configs/ts3.nix | 4 | ||||
| -rw-r--r-- | lass/2configs/websites/domsen.nix | 49 | ||||
| -rw-r--r-- | lass/2configs/yubikey.nix | 25 | ||||
| -rw-r--r-- | lass/2configs/zsh.nix | 1 |
16 files changed, 109 insertions, 183 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index ecbb7541f..52d694c46 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -10,6 +10,7 @@ in { ./copyq.nix ./urxvt.nix ./xdg-open.nix + ./yubikey.nix { hardware.pulseaudio = { enable = true; @@ -54,7 +55,7 @@ in { time.timeZone = "Europe/Berlin"; programs.ssh.agentTimeout = "10m"; - programs.ssh.startAgent = true; + programs.ssh.startAgent = false; services.openssh.forwardX11 = true; environment.systemPackages = with pkgs; [ @@ -62,11 +63,11 @@ in { acpilight ag cabal2nix - cholerab dic dmenu font-size fzfmenu + gimp gitAndTools.qgit git-preview gnome3.dconf diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index c0085995d..eafab400c 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -1,100 +1,13 @@ { config, lib, pkgs, ... }: - -with import <stockholm/lib>; -let - - mainUser = config.users.extraUsers.mainUser; - - browser-select = let - sortedPaths = sort (a: b: a.value.precedence > b.value.precedence) - (mapAttrsToList (name: value: { inherit name value; }) - config.lass.browser.paths); - in pkgs.writeScriptBin "browser-select" '' - BROWSER=$(echo -e "${concatStringsSep "\\n" (map (getAttr "name") sortedPaths)}" | ${pkgs.dmenu}/bin/dmenu) - case $BROWSER in - ${concatMapStringsSep "\n" (n: '' - ${n.name}) - export BIN=${n.value.path}/bin/${n.name} - ;; - '') (sortedPaths)} - esac - $BIN "$@" - ''; - - createUser = script: name: groups: precedence: dpi: - { - lass.xjail.${name} = { - inherit script groups dpi; - }; - environment.systemPackages = [ - config.lass.xjail-bins.${name} - (pkgs.writeDashBin "cx-${name}" '' - DISPLAY=:${toString (genid_uint31 name)} ${pkgs.xclip}/bin/xclip -o | DISPLAY=:0 ${pkgs.xclip}/bin/xclip - '') - ]; - lass.browser.paths.${name} = { - path = config.lass.xjail-bins.${name}; - inherit precedence; - }; - }; - - createChromiumUser = name: groups: precedence: - createUser (pkgs.writeDash name '' - ${pkgs.chromium}/bin/chromium "$@" - '') name groups precedence 80; - - createFirefoxUser = name: groups: precedence: - createUser (pkgs.writeDash name '' - ${pkgs.firefox}/bin/firefox "$@" - '') name groups precedence 80; - - createQuteUser = name: groups: precedence: - createUser (pkgs.writeDash name '' - ${pkgs.qutebrowser}/bin/qutebrowser "$@" - '') name groups precedence 60; - -in { - - lass.browser.select = browser-select; - - environment.systemPackages = [ - browser-select - ]; - +{ + lass.browser.config = { + cr = { groups = [ "audio" "video" ]; precedence = 9; }; + }; programs.chromium = { enable = true; extensions = [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium + "ihlenndgcmojhcghmfjfneahoeklbjjh" #cVim ]; }; - - imports = [ - { - options.lass.browser.select = mkOption { - type = types.path; - }; - options.lass.browser.paths = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - path = mkOption { - type = types.path; - }; - precedence = mkOption { - type = types.int; - default = 0; - }; - }; - })); - }; - } - ( createFirefoxUser "ff" [ "audio" ] 11 ) - ( createQuteUser "qb" [ "audio" ] 10 ) - ( createChromiumUser "cr" [ "audio" "video" ] 9 ) - ( createChromiumUser "gm" [ "video" "audio" ] 8 ) - ( createChromiumUser "wk" [ "audio" ] 0 ) - ( createChromiumUser "fb" [ "audio" ] 0 ) - ( createChromiumUser "com" [ "audio" ] 0 ) - ( createChromiumUser "fin" [] (-1) ) - ]; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 972b4760a..27242b129 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -23,8 +23,8 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey - config.krebs.users.lass-shodan.pubkey - config.krebs.users.lass-icarus.pubkey + config.krebs.users.lass-xerxes.pubkey + config.krebs.users.lass-yubikey.pubkey ]; }; mainUser = { @@ -42,6 +42,8 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey + config.krebs.users.lass-xerxes.pubkey + config.krebs.users.lass-yubikey.pubkey ]; }; }; @@ -173,13 +175,7 @@ with import <stockholm/lib>; ''; }; - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; + services.openssh.enable = true; services.journald.extraConfig = '' SystemMaxUse=1G @@ -190,7 +186,9 @@ with import <stockholm/lib>; enable = true; tables = { nat.PREROUTING.rules = [ - { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } ]; nat.OUTPUT.rules = [ @@ -217,7 +215,4 @@ with import <stockholm/lib>; networking.dhcpcd.extraConfig = '' noipv4ll ''; - services.netdata = { - enable = true; - }; } diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index d1e6b195b..a82672998 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -15,6 +15,7 @@ with import <stockholm/lib>; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ config.krebs.hosts.mors config.krebs.hosts.blue + config.krebs.hosts.xerxes ]; internet-aliases = with config.krebs.users; [ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 @@ -106,6 +107,10 @@ with import <stockholm/lib>; { from = "ubisoft@lassul.us"; to = lass.mail; } { from = "kottezeller@lassul.us"; to = lass.mail; } { from = "pie@lassul.us"; to = lass.mail; } + { from = "vebit@lassul.us"; to = lass.mail; } + { from = "vcvrack@lassul.us"; to = lass.mail; } + { from = "epic@lassul.us"; to = lass.mail; } + { from = "microsoft@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index a3acb82bb..c0e6beba4 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -10,7 +10,7 @@ let doom = pkgs.writeDash "doom" '' DOOM_DIR=''${DOOM_DIR:-~/doom/} ${vdoom} \ - -file $DOOM_DIR/lib/brutalv20.pk3 \ + -file $DOOM_DIR/lib/brutalv21.pk3 \ "$@" ''; doom1 = pkgs.writeDashBin "doom1" '' @@ -56,15 +56,6 @@ let ''; in { - environment.systemPackages = with pkgs; [ - dolphinEmu - doom1 - doom2 - vdoom1 - vdoom2 - vdoomserver - ]; - users.extraUsers = { games = { name = "games"; @@ -76,7 +67,14 @@ in { packages = with pkgs; [ minecraft steam-run + scummvm dolphinEmu + doom1 + doom2 + vdoom1 + vdoom2 + vdoomserver + retroarchBare ]; }; }; diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index a1bb26049..0ddb63a03 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "mors" "helios" ] || config.boot.isContainer); + automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" ] || config.boot.isContainer); }; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 7650f4294..ced0d7955 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -180,7 +180,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-mors lass-shodan lass-icarus lass-blue ]; + user = [ lass lass-mors lass-shodan lass-icarus lass-blue lass-xerxes ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix index 5649041f9..89b119347 100644 --- a/lass/2configs/hw/x220.nix +++ b/lass/2configs/hw/x220.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, pkgs, ... }: { imports = [ <stockholm/krebs/2configs/hw/x220.nix> @@ -8,7 +8,20 @@ initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + extraModulePackages = [ + config.boot.kernelPackages.tp_smapi + config.boot.kernelPackages.acpi_call + ]; + kernelModules = [ + "acpi_call" + "tp_smapi" + ]; }; + + environment.systemPackages = [ + pkgs.tpacpi-bat + ]; + fileSystems = { "/" = { device = "/dev/mapper/pool-root"; @@ -33,4 +46,10 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; + services.tlp.enable = true; + services.tlp.extraConfig = '' + START_CHARGE_THRESH_BAT0=80 + STOP_CHARGE_THRESH_BAT0=95 + ''; + } diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 1c253a6c5..156ebcae7 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -2,7 +2,7 @@ { krebs.per-user.lass.packages = with pkgs; [ - pass + (pass.withExtensions (ext: [ ext.pass-otp ])) gnupg ]; diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index 7e1433fde..b24d7af3e 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix @@ -260,7 +260,7 @@ in { }; krebs.syncthing.folders."the_playlist" = { path = "/home/radio/music/the_playlist"; - peers = [ "mors" "phone" "prism" ]; + peers = [ "mors" "phone" "prism" "xerxes" ]; }; krebs.permown."/home/radio/music/the_playlist" = { owner = "radio"; diff --git a/lass/2configs/starcraft.nix b/lass/2configs/starcraft.nix index 742b877e8..c95a610e7 100644 --- a/lass/2configs/starcraft.nix +++ b/lass/2configs/starcraft.nix @@ -1,36 +1,5 @@ { config, pkgs, ... }: let mainUser = config.users.extraUsers.mainUser; - newWine = pkgs.wineStaging; - #newWine = pkgs.wineStaging.overrideAttrs (old: { - # name = "wine-3.7"; - # buildInputs = old.buildInputs ++ [ - # pkgs.libuuid.bin - # pkgs.autoconf.out - # ]; - # src = pkgs.fetchurl { - # url = "https://dl.winehq.org/wine/source/3.x/wine-3.7.tar.xz"; - # sha256 = "1drbzk3y0m14lkq3vzwwkvain5shykgcbmyzh6gcb5r4sxh3givn"; - # }; - # postPatch = old.postPatch or "" + '' - # patchShebangs tools - # cp -r ${pkgs.fetchFromGitHub { - # sha256 = "0kam73jqhah7bzji5csxxhhfdp6byhzpcph6xnzjqz2aic5xk7xi"; - # owner = "wine-staging"; - # repo = "wine-staging"; - # rev = "v3.7"; - # }}/patches . - # chmod +w patches - # cd patches - # patchShebangs gitapply.sh - # ./patchinstall.sh DESTDIR="$PWD/.." --all - # cd .. - # ''; - - #}); - #newWine = (import (builtins.fetchGit { - # url = "https://github.com/NixOS/nixpkgs"; - # rev = "696c6bed4e8e2d9fd9b956dea7e5d49531e9d13f"; - #}) {}).wineStaging; in { users.users= { starcraft = { @@ -40,7 +9,7 @@ in { "video" ]; packages = [ - newWine + pkgs.wineWowPackages.minimal pkgs.winetricks pkgs.mpg123 ]; diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index e1b523e3a..701e5047e 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -11,9 +11,8 @@ # ##TODO: make steam module nixpkgs.config.steam.java = true; - environment.systemPackages = with pkgs; [ - steam - ]; + + users.users.games.packages = [ pkgs.steam ]; #ports for inhome streaming krebs.iptables = { diff --git a/lass/2configs/ts3.nix b/lass/2configs/ts3.nix index 5b92d0919..d0cfdf478 100644 --- a/lass/2configs/ts3.nix +++ b/lass/2configs/ts3.nix @@ -10,8 +10,8 @@ { predicate = "-p tcp --dport 9987"; target = "ACCEPT"; } { predicate = "-p udp --dport 9987"; target = "ACCEPT"; } ##file transfer port - #{ predicate = "-p tcp --dport 30033"; target = "ACCEPT"; } - #{ predicate = "-p udp --dport 30033"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 30033"; target = "ACCEPT"; } + { predicate = "-p udp --dport 30033"; target = "ACCEPT"; } ##query port #{ predicate = "-p tcp --dport 10011"; target = "ACCEPT"; } #{ predicate = "-p udp --dport 10011"; target = "ACCEPT"; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 9980e0501..b9673de70 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -26,7 +26,6 @@ in { ./default.nix ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (servePage [ "jarugadesign.de" "www.jarugadesign.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -41,6 +40,7 @@ in { "youthtube.xyz" "joemisch.com" "weirdwednesday.de" + "jarugadesign.de" "www.apanowicz.de" "www.nirwanabluete.de" @@ -50,6 +50,7 @@ in { "www.ubikmedia.de" "www.joemisch.com" "www.weirdwednesday.de" + "www.jarugadesign.de" "aldona2.ubikmedia.de" "apanowicz.ubikmedia.de" @@ -64,6 +65,7 @@ in { "freemonkey.ubikmedia.de" "jarugadesign.ubikmedia.de" "crypto4art.ubikmedia.de" + "jarugadesign.ubikmedia.de" ]) ]; @@ -250,14 +252,13 @@ in { lines = 1000; }; }; + services.restic.backups.domsen = { initialize = true; - extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ]; - repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES"; + repository = "/backups/domsen"; passwordFile = toString <secrets> + "/domsen_backup_pw"; timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; }; paths = [ - "/srv/http" "/home/domsen/Mail" "/home/ms/Mail" "/home/klabusterbeere/Mail" @@ -270,32 +271,32 @@ in { }; boot.kernel.sysctl."fs.inotify.max_user_watches" = "1048576"; + krebs.syncthing.folders = { + domsen-backups = { + path = "/backups/domsen"; + peers = [ "domsen-backup" ]; + }; + domsen-backup-srv-http = { + path = "/srv/http"; + peers = [ "domsen-backup" ]; + }; + }; + + system.activationScripts.domsen-backups = '' + ${pkgs.coreutils}/bin/chmod 750 /backups + ''; + krebs.permown = { - "/srv/http/ubikmedia.de" = { - owner = "domsen"; - group = "nginx"; + "/backups/domsen" = { + owner = "backup"; + group = "syncthing"; umask = "0007"; }; - "/srv/http/o.ubikmedia.de" = { - owner = "domsen"; + "/srv/http" = { + owner = "syncthing"; group = "nginx"; umask = "0007"; }; - "/srv/http/freemonkey.art" = { - owner = "domsen"; - group = "nginx"; - umask = "0002"; - }; - "/srv/http/jarugadesign.de" = { - owner = "domsen"; - group = "nginx"; - umask = "0002"; - }; - "/srv/http/reich-gebaeudereinigung.de" = { - owner = "domsen"; - group = "nginx"; - umask = "0002"; - }; }; } diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix new file mode 100644 index 000000000..e6482c58c --- /dev/null +++ b/lass/2configs/yubikey.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + yubikey-personalization + ]; + + services.udev.packages = with pkgs; [ yubikey-personalization ]; + services.pcscd.enable = true; + + environment.shellInit = '' + if [ "$UID" -eq 1337 ]; then + export GPG_TTY="$(tty)" + gpg-connect-agent /bye + export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" + fi + ''; + + programs = { + ssh.startAgent = false; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + }; +} diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index 53106b03b..05964eb51 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -8,6 +8,7 @@ zsh-newuser-install() { :; } ''; interactiveShellInit = '' + unsetopt nomatch # no matches found urls setopt autocd extendedglob bindkey -e |