Diffstat (limited to 'makefu/2configs')
-rw-r--r-- | makefu/2configs/base-gui.nix | 5 | ||||
-rw-r--r-- | makefu/2configs/bepasty-dual.nix | 6 | ||||
-rw-r--r-- | makefu/2configs/fetchWallpaper.nix | 2 | ||||
-rw-r--r-- | makefu/2configs/hw/tp-x2x0.nix | 7 | ||||
-rw-r--r-- | makefu/2configs/main-laptop.nix | 38 | ||||
-rw-r--r-- | makefu/2configs/nginx/euer.wiki.nix | 38 | ||||
-rw-r--r-- | makefu/2configs/tinc/siem.nix | 12 | ||||
-rw-r--r-- | makefu/2configs/zsh-user.nix | 2 |
8 files changed, 93 insertions, 17 deletions
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index f7d6991c5..a028e5073 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -87,5 +87,8 @@ in URxvt.url-select.underline: true URxvt.searchable-scrollback: CM-s ''; - in "cat ${xdefaultsfile} | xrdb -merge"; + in '' + cat ${xdefaultsfile} | xrdb -merge + ${pkgs.xorg.xhost}/bin/xhost +local: + ''; } diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index f675c4ac8..4b5389c32 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -45,6 +45,7 @@ in { #certificate = "${sec}/wildcard.krebsco.de.crt"; #certificate_key = "${sec}/wildcard.krebsco.de.key"; ciphers = "RC4:HIGH:!aNULL:!MD5" ; + force_encryption = true; }; locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' root ${acmechall}/${ext-dom}/; @@ -54,10 +55,7 @@ in { ssl_session_timeout 10m; ssl_verify_client off; proxy_ssl_session_reuse off; - - if ($scheme = http){ - return 301 https://$server_name$request_uri; - }''; + ''; }; defaultPermissions = "read"; secretKey = secKey; diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix index 786df6d40..fb74919c4 100644 --- a/makefu/2configs/fetchWallpaper.nix +++ b/makefu/2configs/fetchWallpaper.nix @@ -3,7 +3,7 @@ { krebs.fetchWallpaper = { enable = true; - display = ":0"; + display = ":0.0"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; timerConfig = { OnCalendar = "*:0/30"; diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index c10ec1314..9047cfb66 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix 
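Review bot: In makefu/2configs/base-gui.nix, the added `${pkgs.xorg.xhost}/bin/xhost +local:` switches off X access control for every non-network local connection, so any local account, including service users, can open the display and use the core X protocol to observe input or screen contents. The hunk does not show which consumer needs the access. If it is one specific account, grant only that one with a server-interpreted entry such as `${pkgs.xorg.xhost}/bin/xhost +SI:localuser:<service-user>`. A comment above the line naming the consumer would make the exception reviewable later.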
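Review bot: In makefu/2configs/bepasty-dual.nix (hunk at -45,6), `force_encryption = true;` is added directly under `ciphers = "RC4:HIGH:!aNULL:!MD5" ;`, which still lists RC4 first. RFC 7465 prohibits RC4 in TLS, so forcing clients onto HTTPS while offering it gives less protection than the change implies. Consider `ciphers = "HIGH:!aNULL:!MD5:!RC4";` in the same commit. The second hunk of this file only removes the hand-written redirect, which is fine provided `force_encryption` emits an equivalent one; the module is not visible here.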
@@ -12,6 +12,12 @@ with config.krebs.lib; zramSwap.enable = true; zramSwap.numDevices = 2; + # enable synaptics so we can easily disable the touchpad + # enable the touchpad with `synclient TouchpadOff=0` + services.xserver.synaptics = { + enable = true; + additionalOptions = ''Option "TouchpadOff" "1"''; + }; hardware.trackpoint = { enable = true; sensitivity = 220; @@ -19,7 +25,6 @@ with config.krebs.lib; emulateWheel = true; }; - services.tlp.enable = true; services.tlp.extraConfig = '' # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index 3cc91b630..92cc1fc43 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix 
@@ -16,6 +16,44 @@ with config.krebs.lib; users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; + krebs.power-action = let + speak = "${pkgs.espeak}/bin/espeak"; + whisper = text: ''${pkgs.espeak}/bin/espeak -v +whisper -s 110 "${text}"''; + note = "${pkgs.libnotify}/bin/notify-send"; + in { + enable = true; + plans.low-battery = { + upperLimit = 25; + lowerLimit = 15; + charging = false; + action = whisper "power level low, please plug me in"; + }; + plans.nag-harder = { + upperLimit = 15; + lowerLimit = 5; + action = pkgs.writeDash "crit-speak" '' + ${whisper "Power level critical, do something"} + ${note} Battery -u critical -t 600000 "Power level critical, do something!" + ''; + }; + plans.last-chance = { + upperLimit = 5; + lowerLimit = 3; + charging = false; + action = pkgs.writeDash "suspend-wrapper" '' + ${note} Battery -u crit "You've had your chance, suspend in 5 seconds" + ${concatMapStringsSep "\n" (i: '' + ${note} -u critical -t 1000 ${toString i} + ${speak} ${toString i} & + sleep 1 + '') + [ 5 4 3 2 1 ]} + /var/setuid-wrappers/sudo ${pkgs.systemd}/bin/systemctl suspend + ''; + }; + }; + users.users.power-action.extraGroups = [ "audio" ]; + security.sudo.extraConfig = "${config.krebs.power-action.user.name} ALL= (root) NOPASSWD: ${pkgs.systemd}/bin/systemctl suspend"; services.redshift = { enable = true; diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 10985c833..655dee7b2 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix 
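Review bot: In `plans.last-chance`, `${note} Battery -u crit "You've had your chance, suspend in 5 seconds"` passes an urgency that notify-send does not accept (it knows `low`, `normal` and `critical`), so the final warning is likely to fail while the script still goes on to suspend; use `-u critical` as the other calls do. `plans.nag-harder` is the only plan without `charging = false;`, so it may keep nagging on AC power depending on how the module treats a missing value, which is worth confirming. The sudoers entry is limited to the exact `${pkgs.systemd}/bin/systemctl suspend` command, which is the right scope; a short comment tying it to the `suspend-wrapper` script would keep the two in step. `whisper` could also reuse `speak` instead of repeating the espeak path.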
@@ -3,8 +3,15 @@ with config.krebs.lib; let sec = toString <secrets>; - ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - ssl_key = "${sec}/wildcard.krebsco.de.key"; + ext-dom = "wiki.euer.krebsco.de"; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + + #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + #ssl_key = "${sec}/wildcard.krebsco.de.key"; + ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; + ssl_key = "${acmepath}/${ext-dom}/key.pem"; + user = config.services.nginx.user; group = config.services.nginx.group; fpm-socket = "/var/run/php5-fpm.sock"; @@ -80,22 +87,23 @@ in { listen = [ "${external-ip}:80" "${external-ip}:443 ssl" "${internal-ip}:80" "${internal-ip}:443 ssl" ]; server-names = [ - "wiki.euer.krebsco.de" + ext-dom "wiki.makefu.retiolum" "wiki.makefu" ]; + ssl = { + enable = true; + # these certs will be needed if acme has not yet created certificates: + certificate = ssl_cert; + certificate_key = ssl_key; + force_encryption = true; + }; extraConfig = '' gzip on; gzip_buffers 4 32k; gzip_types text/plain application/x-javascript text/css; - ssl_certificate ${ssl_cert}; - ssl_certificate_key ${ssl_key}; default_type text/plain; - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''; locations = [ (nameValuePair "/" '' @@ -111,8 +119,20 @@ in { include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; '') + (nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + '') + ]; }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } diff --git a/makefu/2configs/tinc/siem.nix b/makefu/2configs/tinc/siem.nix new file mode 100644 index 000000000..8f17f1a0a --- /dev/null +++ b/makefu/2configs/tinc/siem.nix 
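Review bot: In the `ssl` block (hunk at -80,22), the comment `# these certs will be needed if acme has not yet created certificates:` no longer matches the values, because `ssl_cert` and `ssl_key` now point below `acmepath` and do not exist on a first deployment. nginx normally refuses to start when a configured certificate file is missing, and then the `/.well-known/acme-challenge` location cannot answer the HTTP-01 request that would create the files. Either bootstrap with an existing or self-signed certificate until the first issuance, or reword the comment to state that precondition. Separately, `acmepath = "/var/lib/acme/"` joined with `"/challenges/"` and `"/${ext-dom}/"` yields doubled slashes in every derived path; dropping the trailing slashes keeps the nginx `root` and the ACME `webroot` strings identical and clean.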
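Review bot: In `security.acme.certs."${ext-dom}"` (hunk at -111,8), `group = "nginx";` hard-codes a name even though this file already binds `group = config.services.nginx.group;` in its `let`. With `allowKeysForGroup = true` the private key becomes readable by that group, so it should track the real nginx group: `inherit group;`. `extraDomains."${ext-dom}" = null ;` repeats the certificate's own name and looks redundant. The internal names `wiki.makefu.retiolum` and `wiki.makefu` are not covered by this certificate, so with `force_encryption = true` they will presumably be redirected to a name-mismatched HTTPS endpoint; a comment stating that this is accepted would help.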
@@ -0,0 +1,12 @@ +{lib, config, ... }: +{ + # TODO do not know why we need to force it, port is only set via default to 655 + krebs.build.host.nets.siem.tinc.port = lib.mkForce 1655; + krebs.dns.providers.siem = "hosts"; + networking.firewall.allowedUDPPorts = [ 1665 ]; + networking.firewall.allowedTCPPorts = [ 1655 ]; + krebs.tinc.siem = { + enable = true; + connectTo = [ "shoney" ]; + }; +} diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix index 99c1315e1..a3286b7fd 100644 --- a/makefu/2configs/zsh-user.nix +++ b/makefu/2configs/zsh-user.nix @@ -22,7 +22,7 @@ in bindkey "\e[3~" delete-char zstyle ':completion:*' menu select - gpg-connect-agent updatestartuptty /bye >/dev/null + ${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye >/dev/null GPG_TTY=$(tty) export GPG_TTY unset SSH_AGENT_PID |
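Review bot: In the new makefu/2configs/tinc/siem.nix, `networking.firewall.allowedUDPPorts = [ 1665 ];` does not match the tinc port forced to `1655` two lines above or the TCP rule `[ 1655 ]`. tinc uses the same port number for TCP and UDP, so this looks like a typo that leaves the UDP path filtered and opens an unrelated port. Change it to `networking.firewall.allowedUDPPorts = [ 1655 ];`, or bind the number once with `let port = 1655; in` and use it in all three places so the firewall rules cannot drift from the listener.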