diff options
Diffstat (limited to 'modules')
-rw-r--r-- | modules/cd/default.nix | 118 | ||||
-rw-r--r-- | modules/cd/iptables.nix (renamed from modules/iptables-cd.nix) | 0 | ||||
-rw-r--r-- | modules/cd/networking.nix (renamed from modules/networking-cd.nix) | 0 | ||||
-rw-r--r-- | modules/lass/urxvtd.nix (renamed from modules/urxvtd.nix) | 2 | ||||
-rw-r--r-- | modules/mu/default.nix | 477 | ||||
-rw-r--r-- | modules/tv/base-cac-CentOS-7-64bit.nix (renamed from modules/base-cac-CentOS-7-64bit.nix) | 0 | ||||
-rw-r--r-- | modules/tv/base.nix (renamed from modules/base.nix) | 0 | ||||
-rw-r--r-- | modules/tv/ejabberd.nix (renamed from modules/ejabberd-cd.nix) | 0 | ||||
-rw-r--r-- | modules/tv/exim-retiolum.nix (renamed from modules/exim.nix) | 0 | ||||
-rw-r--r-- | modules/tv/exim-smarthost.nix (renamed from modules/exim-cd.nix) | 0 | ||||
-rw-r--r-- | modules/tv/nginx.nix (renamed from modules/nginx.nix) | 0 | ||||
-rw-r--r-- | modules/tv/retiolum.nix (renamed from modules/retiolum.nix) | 0 | ||||
-rw-r--r-- | modules/tv/sanitize.nix (renamed from modules/sanitize.nix) | 0 | ||||
-rw-r--r-- | modules/tv/synaptics.nix (renamed from modules/synaptics.nix) | 0 | ||||
-rw-r--r-- | modules/tv/tools.nix (renamed from modules/tools.nix) | 2 | ||||
-rw-r--r-- | modules/tv/urxvt.nix (renamed from modules/urxvt-tv.nix) | 0 | ||||
-rw-r--r-- | modules/tv/users.nix (renamed from modules/users.nix) | 2 | ||||
-rw-r--r-- | modules/tv/xserver.nix (renamed from modules/xserver.nix) | 0 | ||||
-rw-r--r-- | modules/wu/default.nix | 469 | ||||
-rw-r--r-- | modules/wu/hosts.nix (renamed from modules/hosts.nix) | 0 | ||||
-rw-r--r-- | modules/wu/iptables.nix (renamed from modules/iptables.nix) | 0 |
21 files changed, 1067 insertions, 3 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix new file mode 100644 index 000000000..a4e6bbc7d --- /dev/null +++ b/modules/cd/default.nix @@ -0,0 +1,118 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + <secrets/hashedPasswords.nix> + ./iptables.nix + ./networking.nix + ../tv/base-cac-CentOS-7-64bit.nix + ../tv/ejabberd.nix # XXX echtes modul + ../tv/exim-smarthost.nix + ../tv/retiolum.nix + ../tv/sanitize.nix + ]; + + # "Developer 2" plan has two vCPUs. + nix.maxJobs = 2; + + + environment.systemPackages = with pkgs; [ + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + security.rtkit.enable = false; + + services.cron.enable = false; + + services.ejabberd-cd = { + enable = true; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + services.ntp.enable = false; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + services.retiolum = { + enable = true; + hosts = /etc/nixos/hosts; + privateKeyFile = "/etc/nixos/secrets/cd.retiolum.rsa_key.priv"; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + + sound.enable = false; + + # TODO base + time.timeZone = "UTC"; + + # TODO replace by ./modules/cd-users.nix + users.extraGroups = { + + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + + }; + users.extraUsers = + { + root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEieAihh+o208aeCA14fAtjzyZN/nrpOJt2vZ5VYZp69 deploy@wu" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDYv5OkVrnerkzJwgi7ol7HzcWJf4oWCJTX84trFX5vgJXu1zMvSe+koY8xpnMOd7WHF2wgsjjrFlMuixTrfMPc/OjvG2N1TlnvzlFD8ivTW/AJzDwNxT//niqAYAZ9kmb8e/zE/SyNHSKZcyEKGiiW2+YW9wWHPYRP/XiNEjLP3BeTGScMwWr001V/8m7ne4SGHrE1FbHbHqaBXgqUFgnvzMY3CsfDafODZlj5xSMNGHyLGNNKvu3YR1crcAjbQrBXBdwaArThFxp+e2uWrnffshlks6WtRyR1AFVjc/gxEG74Axq1AHY6EJm2Fw/JdFNiYQ7yyQZHS9bZJYjgnWF tv@nomic" + ]; + }; + + mv = rec { + name = "mv"; + uid = 1338; + group = "users"; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod" + ]; + }; + + }; + + users.mutableUsers = false; + +} diff --git a/modules/iptables-cd.nix b/modules/cd/iptables.nix index 48425e8dc..48425e8dc 100644 --- a/modules/iptables-cd.nix +++ b/modules/cd/iptables.nix diff --git a/modules/networking-cd.nix b/modules/cd/networking.nix index 215e20829..215e20829 100644 --- a/modules/networking-cd.nix +++ b/modules/cd/networking.nix diff --git a/modules/urxvtd.nix b/modules/lass/urxvtd.nix index 7eb471ed9..a62e64a98 100644 --- a/modules/urxvtd.nix +++ b/modules/lass/urxvtd.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (import ../lib { inherit pkgs; }) shell-escape; + inherit (import ../../lib { inherit pkgs; }) shell-escape; inherit (pkgs) writeScript; in diff --git a/modules/mu/default.nix b/modules/mu/default.nix new file mode 100644 index 000000000..baec9bf8e --- /dev/null +++ b/modules/mu/default.nix @@ -0,0 +1,477 @@ +# TODO maybe give RT-stuff only to group rt or sth. + +{ config, pkgs, ... }: + +let + lib = import ../../lib { inherit pkgs; }; + + inherit (lib) majmin; +in + +{ + imports = [ + <secrets/hashedPasswords.nix> + ../tv/exim-retiolum.nix + ../tv/retiolum.nix + ../tv/sanitize.nix + ]; + + time.timeZone = "Europe/Berlin"; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + + # hardware configuration + boot.initrd.luks.devices = [ + { name = "vgmu1"; device = "/dev/sda2"; } + ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ]; + boot.initrd.availableKernelModules = [ "ahci" ]; + #boot.kernelParams = [ + # "intel_pstate=enable" + #]; + boot.kernelModules = [ "fbcon" "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + #boot.kernelPackages = pkgs.linuxPackages_3_17; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + ''; + + fileSystems = { + "/" = { + device = "/dev/vgmu1/nixroot"; + fsType = "ext4"; + options = "defaults,noatime"; + }; + "/home" = { + device = "/dev/vgmu1/home"; + options = "defaults,noatime"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + swapDevices =[ ]; + + nix.maxJobs = 8; + nix.useChroot = true; + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.opengl.driSupport32Bit = true; + + hardware.pulseaudio.enable = true; + + hardware.enableAllFirmware = true; + + # Use the gummiboot efi boot loader. + boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "mu"; + #networking.wireless.enable = true; + networking.networkmanager.enable = true; + + networking.extraHosts = '' + ''; + + #system.activationScripts.powertopTunables = + # '' + # #echo 1 > /sys/module/snd_hda_intel/parameters/power_save + # echo 1500 > /proc/sys/vm/dirty_writeback_centisecs + # (cd /sys/bus/pci/devices + # for i in *; do + # echo auto > $i/power/control # defaults to 'on' + # done) + # # TODO maybe do this via udev or systemd + # # ref https://wiki.archlinux.org/index.php/Wake-on-LAN + # # disable wol this cannot find ethtool + # # TODO (cd /sys/class/net + # # TODO for i in *; do + # # TODO if ethtool $i | grep -q Wake-on && + # # TODO ! ethtool $i | grep -q 'Wake-on: d'; then + # # TODO ethtool -s $i wol d + # # TODO fi + # # TODO done) + # ${pkgs.ethtool}/sbin/ethtool -s en0 wol d + # ''; + + environment.systemPackages = with pkgs; [ + slock + tinc + iptables + vim + gimp + xsane + firefoxWrapper + chromiumDev + skype + libreoffice + kde4.l10n.de + kde4.networkmanagement + pidgin-with-plugins + pidginotr + + kde4.print_manager + #foomatic_filters + #gutenprint + #cups_pdf_filter + #ghostscript + ]; + + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + environment.variables.VIM = "/etc/vim"; + + i18n.defaultLocale = "de_DE.UTF-8"; + + environment.shellAliases = { + # alias cal='cal -m3' + bc = "bc -q"; + gp = "gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + 2000) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + ''; + }; + + + programs.ssh.startAgent = false; + + + security.setuidPrograms = [ + "sendmail" # for cron + "slock" + ]; + + security.pam.loginLimits = [ + # for jack + { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; } + { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; } + ]; + + #services.haveged.enable = true; + #security.rngd.enable = true; + + services.retiolum = { + enable = true; + hosts = /etc/nixos/hosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + + security.rtkit.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + #services.dbus.enable = true; # rqd4 wpa_supplicant + + services.sshd.enable = true; + + # vixiecron sucks + services.cron.enable = false; + services.fcron.enable = true; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + #services.logind.extraConfig = '' + # HandleHibernateKey=ignore + # HandleLidSwitch=ignore + # HandlePowerKey=ignore + # HandleSuspendKey=ignore + #''; + #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; + + # Enable the OpenSSH daemon. + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + # Enable CUPS to print documents. + # services.printing.enable = true; + services.printing = { + enable = true; + #drivers = [ + # #pkgs.foomatic_filters + # #pkgs.gutenprint + # #pkgs.cups_pdf_filter + # #pkgs.ghostscript + #]; + #cupsdConf = '' + # LogLevel debug2 + #''; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + #services.xserver.display = 11; + #services.xserver.tty = 11; + services.xserver.layout = "de"; + services.xserver.xkbOptions = "eurosign:e"; + + # TODO this is host specific + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + #accelFactor = "0.035"; + #additionalOptions = '' + # Option "FingerHigh" "60" + # Option "FingerLow" "60" + #''; + }; + + services.xserver.desktopManager.kde4.enable = true; + services.xserver.displayManager.auto = { + enable = true; + user = "vv"; + }; + + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + users.extraGroups = + { + }; + users.extraUsers = + { + tv = { + uid = 1337; + name = "tv"; + group = "users"; + home = "/home/tv"; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + createHome = true; + }; + + vv = { + uid = 2000; + name = "vv"; + home = "/home/vv"; + createHome = true; + group = "users"; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "networkmanager" + ]; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? + ]; + + # TODO services.smartd + # TODO services.statsd + # TODO services.tor + # TODO write arandr + # TODO what does system.copySystemConfiguration (we need some kind of bku scheme) + # TODO systemd.timers instead of cron(??) + + virtualisation.libvirtd.enable = true; + + # + # iptables + # + networking.firewall.enable = false; + system.activationScripts.iptables = + let + log = false; + when = c: f: if c then f else ""; + in + '' + ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } + ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } + ipXtables() { ip4tables "$@"; ip6tables "$@"; } + + # + # nat + # + + # reset tables + ipXtables -t nat -F + ipXtables -t nat -X + + # + ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 + ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh + + # + # filter + # + + # reset tables + ipXtables -P INPUT DROP + ipXtables -P FORWARD DROP + ipXtables -F + ipXtables -X + + # create custom chains + ipXtables -N Retiolum + + # INPUT + ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + ipXtables -A INPUT -j ACCEPT -i lo + ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW + ipXtables -A INPUT -j Retiolum -i retiolum + ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} + + # FORWARD + ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} + + # Retiolum + ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request + ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request + + + ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} + ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset + ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable + ip6tables -A Retiolum -j REJECT + + ''; + + + + + #system.replaceRuntimeDependencies = with pkgs; + # let + # bashVulnPatches = [ + # (fetchurl { + # url = "mirror://gnu/bash/bash-4.2-patches/bash42-048"; + # sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km"; + # }) + # (fetchurl { + # url = "file:///etc/nixos/bash-20140926.patch"; + # sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4"; + # }) + # ]; + # in + # [ + # { + # original = bash; + # replacement = pkgs.lib.overrideDerivation bash (oldAttrs: { + # patches = oldAttrs.patches ++ bashVulnPatches; + # }); + # } + # { + # original = bashInteractive; + # replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: { + # patches = oldAttrs.patches ++ bashVulnPatches; + # }); + # } + # { + # original = bitlbee; + # replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: { + # configureFlags = [ + # "--gcov=1" + # "--otr=1" + # "--ssl=gnutls" + # ]; + # }); + # } + #]; + + +} diff --git a/modules/base-cac-CentOS-7-64bit.nix b/modules/tv/base-cac-CentOS-7-64bit.nix index 42ab481b3..42ab481b3 100644 --- a/modules/base-cac-CentOS-7-64bit.nix +++ b/modules/tv/base-cac-CentOS-7-64bit.nix diff --git a/modules/base.nix b/modules/tv/base.nix index 76c8b8970..76c8b8970 100644 --- a/modules/base.nix +++ b/modules/tv/base.nix diff --git a/modules/ejabberd-cd.nix b/modules/tv/ejabberd.nix index e836d2cdd..e836d2cdd 100644 --- a/modules/ejabberd-cd.nix +++ b/modules/tv/ejabberd.nix diff --git a/modules/exim.nix b/modules/tv/exim-retiolum.nix index e80358fcd..e80358fcd 100644 --- a/modules/exim.nix +++ b/modules/tv/exim-retiolum.nix diff --git a/modules/exim-cd.nix b/modules/tv/exim-smarthost.nix index a4c47b399..a4c47b399 100644 --- a/modules/exim-cd.nix +++ b/modules/tv/exim-smarthost.nix diff --git a/modules/nginx.nix b/modules/tv/nginx.nix index 8b420613b..8b420613b 100644 --- a/modules/nginx.nix +++ b/modules/tv/nginx.nix diff --git a/modules/retiolum.nix b/modules/tv/retiolum.nix index 578547af6..578547af6 100644 --- a/modules/retiolum.nix +++ b/modules/tv/retiolum.nix diff --git a/modules/sanitize.nix b/modules/tv/sanitize.nix index b6c749b6d..b6c749b6d 100644 --- a/modules/sanitize.nix +++ b/modules/tv/sanitize.nix diff --git a/modules/synaptics.nix b/modules/tv/synaptics.nix index c47cb9deb..c47cb9deb 100644 --- a/modules/synaptics.nix +++ b/modules/tv/synaptics.nix diff --git a/modules/tools.nix b/modules/tv/tools.nix index 4be84a6be..cf3fda93a 100644 --- a/modules/tools.nix +++ b/modules/tv/tools.nix @@ -5,7 +5,7 @@ let inherit (lib.strings) concatStringsSep stringAsChars; inherit (lib.attrsets) attrValues mapAttrs; inherit (lib) makeSearchPath; - inherit (import ../lib { inherit pkgs; }) shell-escape; + inherit (import ../../lib { inherit pkgs; }) shell-escape; # TODO make these scripts available in an maintenance shell diff --git a/modules/urxvt-tv.nix b/modules/tv/urxvt.nix index a97581248..a97581248 100644 --- a/modules/urxvt-tv.nix +++ b/modules/tv/urxvt.nix diff --git a/modules/users.nix b/modules/tv/users.nix index 79a00e3a1..f42ba33c5 100644 --- a/modules/users.nix +++ b/modules/tv/users.nix @@ -189,7 +189,7 @@ let sudoers = let inherit (builtins) filter hasAttr; - inherit (import ../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; + inherit (import ../../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; hasMaster = { group ? "", ... }: isSuffixOf "-sub" group; diff --git a/modules/xserver.nix b/modules/tv/xserver.nix index 897dbcc28..897dbcc28 100644 --- a/modules/xserver.nix +++ b/modules/tv/xserver.nix diff --git a/modules/wu/default.nix b/modules/wu/default.nix new file mode 100644 index 000000000..f586552e4 --- /dev/null +++ b/modules/wu/default.nix @@ -0,0 +1,469 @@ +{ config, pkgs, ... }: + +let + lib = import ../../lib { inherit pkgs; }; + + inherit (lib) majmin; +in + +{ + imports = [ + ./hosts.nix + ./iptables.nix + ../tv/base.nix + ../tv/exim-retiolum.nix + ../tv/nginx.nix + ../tv/retiolum.nix + ../tv/sanitize.nix + ../tv/synaptics.nix + #../tv/tools.nix + ../tv/urxvt.nix + ../tv/users.nix + ../tv/xserver.nix + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + #services.virtualbox.enable = true; + #services.virtualboxGuest.enable = false; + services.virtualboxHost.enable = true; + #services.virtualboxHost.addNetworkInterface = false; + #systemd.services.vboxnet = + # let + # remove_vboxnets = '' + # for i in $(cd /sys/class/net && ls | grep ^vboxnet); do + # VBoxManage hostonlyif remove $i + # done + # ''; + # in { + # wantedBy = [ "multi-user.target" ]; + # requires = [ "dev-vboxnetctl.device" ]; + # after = [ "dev-vboxnetctl.device" ]; + # path = with pkgs; [ + # linuxPackages.virtualbox + # nettools + # ]; + # postStop = remove_vboxnets; + # script = '' + # ${remove_vboxnets} # just in case... + # VBoxManage hostonlyif create # vboxnet0 + # ifconfig vboxnet0 up 169.254.13.37/16 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # PrivateTmp = true; + # RemainAfterExit = "yes"; + # }; + # environment.VBOX_USER_HOME = "/tmp"; + # }; + + + services.bitlbee.enable = true; + + #services.rabbitmq = { + # enable = true; + # cookie = "f00f"; + # plugins = [ + # "rabbitmq_management" + # ]; + #}; + + + #services.elasticsearch.enable = true; + + #services.cgserver = { + # enable = true; + # httpPort = 8003; + # #flushLog = false; + # #cgroupRoot = "/sys/fs/cgroup"; + # #user = "zalora"; + #}; + + + + + #services.tlsdated = { + # enable = true; + # extraOptions = "-p"; + #}; + + services.tor.enable = true; + services.tor.client.enable = true; + + + + # hardware configuration + boot.initrd.luks.devices = [ + { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } + ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ]; + boot.initrd.availableKernelModules = [ "ahci" ]; + #boot.kernelParams = [ + # "intel_pstate=enable" + #]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # 2014-12-17 pkgs.linuxPackages_3_14 is known good + boot.kernelPackages = pkgs.linuxPackages_3_18; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + ''; + + fileSystems = { + "/" = { + device = "/dev/mapper/vg840-wuroot"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/home"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + swapDevices =[ ]; + + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.bumblebee.enable = true; # TODO this is host specific + hardware.bumblebee.group = "video"; + #services.xserver.videoDrivers = [ "nvidia" ]; + hardware.opengl.driSupport32Bit = true; + + hardware.pulseaudio.enable = true; + + hardware.enableAllFirmware = true; + + # Use the gummiboot efi boot loader. + boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "wu"; + networking.wireless.enable = true; + + + # Select internationalisation properties. + # i18n = { + # consoleFont = "lat9w-16"; + # consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + # }; + + system.activationScripts.powertopTunables = + '' + echo 1 > /sys/module/snd_hda_intel/parameters/power_save + echo 1500 > /proc/sys/vm/dirty_writeback_centisecs + (cd /sys/bus/pci/devices + for i in *; do + echo auto > $i/power/control # defaults to 'on' + done) + # TODO maybe do this via udev or systemd + # ref https://wiki.archlinux.org/index.php/Wake-on-LAN + # disable wol this cannot find ethtool + # TODO (cd /sys/class/net + # TODO for i in *; do + # TODO if ethtool $i | grep -q Wake-on && + # TODO ! ethtool $i | grep -q 'Wake-on: d'; then + # TODO ethtool -s $i wol d + # TODO fi + # TODO done) + ${pkgs.ethtool}/sbin/ethtool -s en0 wol d + ''; + + environment.systemPackages = with pkgs; [ + xlibs.fontschumachermisc + slock + ethtool + #firefoxWrapper # with plugins + #chromiumDevWrapper + tinc + iptables + vim + #jack2 + ]; + + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + environment.variables.VIM = "/etc/vim"; + + environment.shellAliases = { + # alias cal='cal -m3' + bc = "bc -q"; + gp = "gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then |