summaryrefslogtreecommitdiffstats
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/cd/default.nix118
-rw-r--r--modules/cd/iptables.nix (renamed from modules/iptables-cd.nix)0
-rw-r--r--modules/cd/networking.nix (renamed from modules/networking-cd.nix)0
-rw-r--r--modules/lass/urxvtd.nix (renamed from modules/urxvtd.nix)2
-rw-r--r--modules/mu/default.nix477
-rw-r--r--modules/tv/base-cac-CentOS-7-64bit.nix (renamed from modules/base-cac-CentOS-7-64bit.nix)0
-rw-r--r--modules/tv/base.nix (renamed from modules/base.nix)0
-rw-r--r--modules/tv/ejabberd.nix (renamed from modules/ejabberd-cd.nix)0
-rw-r--r--modules/tv/exim-retiolum.nix (renamed from modules/exim.nix)0
-rw-r--r--modules/tv/exim-smarthost.nix (renamed from modules/exim-cd.nix)0
-rw-r--r--modules/tv/nginx.nix (renamed from modules/nginx.nix)0
-rw-r--r--modules/tv/retiolum.nix (renamed from modules/retiolum.nix)0
-rw-r--r--modules/tv/sanitize.nix (renamed from modules/sanitize.nix)0
-rw-r--r--modules/tv/synaptics.nix (renamed from modules/synaptics.nix)0
-rw-r--r--modules/tv/tools.nix (renamed from modules/tools.nix)2
-rw-r--r--modules/tv/urxvt.nix (renamed from modules/urxvt-tv.nix)0
-rw-r--r--modules/tv/users.nix (renamed from modules/users.nix)2
-rw-r--r--modules/tv/xserver.nix (renamed from modules/xserver.nix)0
-rw-r--r--modules/wu/default.nix469
-rw-r--r--modules/wu/hosts.nix (renamed from modules/hosts.nix)0
-rw-r--r--modules/wu/iptables.nix (renamed from modules/iptables.nix)0
21 files changed, 1067 insertions, 3 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
new file mode 100644
index 000000000..a4e6bbc7d
--- /dev/null
+++ b/modules/cd/default.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ <secrets/hashedPasswords.nix>
+ ./iptables.nix
+ ./networking.nix
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../tv/ejabberd.nix # XXX echtes modul
+ ../tv/exim-smarthost.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ];
+
+ # "Developer 2" plan has two vCPUs.
+ nix.maxJobs = 2;
+
+
+ environment.systemPackages = with pkgs; [
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ security.rtkit.enable = false;
+
+ services.cron.enable = false;
+
+ services.ejabberd-cd = {
+ enable = true;
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.ntp.enable = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ services.retiolum = {
+ enable = true;
+ hosts = /etc/nixos/hosts;
+ privateKeyFile = "/etc/nixos/secrets/cd.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+
+ sound.enable = false;
+
+ # TODO base
+ time.timeZone = "UTC";
+
+ # TODO replace by ./modules/cd-users.nix
+ users.extraGroups = {
+
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+
+ };
+ users.extraUsers =
+ {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEieAihh+o208aeCA14fAtjzyZN/nrpOJt2vZ5VYZp69 deploy@wu"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDYv5OkVrnerkzJwgi7ol7HzcWJf4oWCJTX84trFX5vgJXu1zMvSe+koY8xpnMOd7WHF2wgsjjrFlMuixTrfMPc/OjvG2N1TlnvzlFD8ivTW/AJzDwNxT//niqAYAZ9kmb8e/zE/SyNHSKZcyEKGiiW2+YW9wWHPYRP/XiNEjLP3BeTGScMwWr001V/8m7ne4SGHrE1FbHbHqaBXgqUFgnvzMY3CsfDafODZlj5xSMNGHyLGNNKvu3YR1crcAjbQrBXBdwaArThFxp+e2uWrnffshlks6WtRyR1AFVjc/gxEG74Axq1AHY6EJm2Fw/JdFNiYQ7yyQZHS9bZJYjgnWF tv@nomic"
+ ];
+ };
+
+ mv = rec {
+ name = "mv";
+ uid = 1338;
+ group = "users";
+ home = "/home/${name}";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"
+ ];
+ };
+
+ };
+
+ users.mutableUsers = false;
+
+}
diff --git a/modules/iptables-cd.nix b/modules/cd/iptables.nix
index 48425e8dc..48425e8dc 100644
--- a/modules/iptables-cd.nix
+++ b/modules/cd/iptables.nix
diff --git a/modules/networking-cd.nix b/modules/cd/networking.nix
index 215e20829..215e20829 100644
--- a/modules/networking-cd.nix
+++ b/modules/cd/networking.nix
diff --git a/modules/urxvtd.nix b/modules/lass/urxvtd.nix
index 7eb471ed9..a62e64a98 100644
--- a/modules/urxvtd.nix
+++ b/modules/lass/urxvtd.nix
@@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
- inherit (import ../lib { inherit pkgs; }) shell-escape;
+ inherit (import ../../lib { inherit pkgs; }) shell-escape;
inherit (pkgs) writeScript;
in
diff --git a/modules/mu/default.nix b/modules/mu/default.nix
new file mode 100644
index 000000000..baec9bf8e
--- /dev/null
+++ b/modules/mu/default.nix
@@ -0,0 +1,477 @@
+# TODO maybe give RT-stuff only to group rt or sth.
+
+{ config, pkgs, ... }:
+
+let
+ lib = import ../../lib { inherit pkgs; };
+
+ inherit (lib) majmin;
+in
+
+{
+ imports = [
+ <secrets/hashedPasswords.nix>
+ ../tv/exim-retiolum.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+ SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+ # for jack
+ KERNEL=="rtc0", GROUP="audio"
+ KERNEL=="hpet", GROUP="audio"
+ '';
+
+
+ # hardware configuration
+ boot.initrd.luks.devices = [
+ { name = "vgmu1"; device = "/dev/sda2"; }
+ ];
+ boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ];
+ boot.initrd.availableKernelModules = [ "ahci" ];
+ #boot.kernelParams = [
+ # "intel_pstate=enable"
+ #];
+ boot.kernelModules = [ "fbcon" "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ #boot.kernelPackages = pkgs.linuxPackages_3_17;
+
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ boot.extraModprobeConfig = ''
+ options kvm_intel nested=1
+ '';
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/vgmu1/nixroot";
+ fsType = "ext4";
+ options = "defaults,noatime";
+ };
+ "/home" = {
+ device = "/dev/vgmu1/home";
+ options = "defaults,noatime";
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = "nosuid,nodev,noatime";
+ };
+ };
+
+ swapDevices =[ ];
+
+ nix.maxJobs = 8;
+ nix.useChroot = true;
+
+ nixpkgs.config.firefox.enableAdobeFlash = true;
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ nixpkgs.config.allowUnfree = true;
+ hardware.opengl.driSupport32Bit = true;
+
+ hardware.pulseaudio.enable = true;
+
+ hardware.enableAllFirmware = true;
+
+ # Use the gummiboot efi boot loader.
+ boot.loader.gummiboot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "mu";
+ #networking.wireless.enable = true;
+ networking.networkmanager.enable = true;
+
+ networking.extraHosts = ''
+ '';
+
+ #system.activationScripts.powertopTunables =
+ # ''
+ # #echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+ # echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+ # (cd /sys/bus/pci/devices
+ # for i in *; do
+ # echo auto > $i/power/control # defaults to 'on'
+ # done)
+ # # TODO maybe do this via udev or systemd
+ # # ref https://wiki.archlinux.org/index.php/Wake-on-LAN
+ # # disable wol this cannot find ethtool
+ # # TODO (cd /sys/class/net
+ # # TODO for i in *; do
+ # # TODO if ethtool $i | grep -q Wake-on &&
+ # # TODO ! ethtool $i | grep -q 'Wake-on: d'; then
+ # # TODO ethtool -s $i wol d
+ # # TODO fi
+ # # TODO done)
+ # ${pkgs.ethtool}/sbin/ethtool -s en0 wol d
+ # '';
+
+ environment.systemPackages = with pkgs; [
+ slock
+ tinc
+ iptables
+ vim
+ gimp
+ xsane
+ firefoxWrapper
+ chromiumDev
+ skype
+ libreoffice
+ kde4.l10n.de
+ kde4.networkmanagement
+ pidgin-with-plugins
+ pidginotr
+
+ kde4.print_manager
+ #foomatic_filters
+ #gutenprint
+ #cups_pdf_filter
+ #ghostscript
+ ];
+
+
+ environment.etc."vim/vimrc".text = ''
+ set nocp
+ '';
+ environment.etc."vim/vim${majmin pkgs.vim.version}".source =
+ "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";
+
+ # multiple-definition-problem when defining environment.variables.EDITOR
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+ environment.variables.VIM = "/etc/vim";
+
+ i18n.defaultLocale = "de_DE.UTF-8";
+
+ environment.shellAliases = {
+ # alias cal='cal -m3'
+ bc = "bc -q";
+ gp = "gp -q";
+ df = "df -h";
+ du = "du -h";
+ # alias grep='grep --color=auto'
+
+ # TODO alias cannot contain #\'
+ # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+ # alias la='ls -lA'
+ lAtr = "ls -lAtr";
+ # alias ll='ls -l'
+ ls = "ls -h --color=auto --group-directories-first";
+ # alias vim='vim -p'
+ # alias vi='vim'
+ # alias view='vim -R'
+ dmesg = "dmesg -L --reltime";
+ };
+
+
+ programs.bash = {
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ # TODO source bridge
+ '';
+ promptInit = ''
+ case $UID in
+ 0)
+ PS1='\[\e[1;31m\]\w\[\e[0m\] '
+ ;;
+ 1337)
+ PS1='\[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ 2000)
+ PS1='\[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ *)
+ PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\e[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+
+ programs.ssh.startAgent = false;
+
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ "slock"
+ ];
+
+ security.pam.loginLimits = [
+ # for jack
+ { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+ { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+ ];
+
+ #services.haveged.enable = true;
+ #security.rngd.enable = true;
+
+ services.retiolum = {
+ enable = true;
+ hosts = /etc/nixos/hosts;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+
+ security.rtkit.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+ #services.dbus.enable = true; # rqd4 wpa_supplicant
+
+ services.sshd.enable = true;
+
+ # vixiecron sucks
+ services.cron.enable = false;
+ services.fcron.enable = true;
+
+ fonts.fonts = [
+ pkgs.xlibs.fontschumachermisc
+ ];
+
+ #services.logind.extraConfig = ''
+ # HandleHibernateKey=ignore
+ # HandleLidSwitch=ignore
+ # HandlePowerKey=ignore
+ # HandleSuspendKey=ignore
+ #'';
+ #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+ services.printing = {
+ enable = true;
+ #drivers = [
+ # #pkgs.foomatic_filters
+ # #pkgs.gutenprint
+ # #pkgs.cups_pdf_filter
+ # #pkgs.ghostscript
+ #];
+ #cupsdConf = ''
+ # LogLevel debug2
+ #'';
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ #services.xserver.display = 11;
+ #services.xserver.tty = 11;
+ services.xserver.layout = "de";
+ services.xserver.xkbOptions = "eurosign:e";
+
+ # TODO this is host specific
+ services.xserver.synaptics = {
+ enable = true;
+ twoFingerScroll = true;
+ #accelFactor = "0.035";
+ #additionalOptions = ''
+ # Option "FingerHigh" "60"
+ # Option "FingerLow" "60"
+ #'';
+ };
+
+ services.xserver.desktopManager.kde4.enable = true;
+ services.xserver.displayManager.auto = {
+ enable = true;
+ user = "vv";
+ };
+
+ users.defaultUserShell = "/run/current-system/sw/bin/bash";
+ users.mutableUsers = false;
+ users.extraGroups =
+ {
+ };
+ users.extraUsers =
+ {
+ tv = {
+ uid = 1337;
+ name = "tv";
+ group = "users";
+ home = "/home/tv";
+ useDefaultShell = true;
+ extraGroups = [
+ "audio"
+ "video"
+ "wheel"
+ ];
+ createHome = true;
+ };
+
+ vv = {
+ uid = 2000;
+ name = "vv";
+ home = "/home/vv";
+ createHome = true;
+ group = "users";
+ useDefaultShell = true;
+ extraGroups = [
+ "audio"
+ "video"
+ "networkmanager"
+ ];
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ # TODO services.smartd
+ # TODO services.statsd
+ # TODO services.tor
+ # TODO write arandr
+ # TODO what does system.copySystemConfiguration (we need some kind of bku scheme)
+ # TODO systemd.timers instead of cron(??)
+
+ virtualisation.libvirtd.enable = true;
+
+ #
+ # iptables
+ #
+ networking.firewall.enable = false;
+ system.activationScripts.iptables =
+ let
+ log = false;
+ when = c: f: if c then f else "";
+ in
+ ''
+ ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ ipXtables() { ip4tables "$@"; ip6tables "$@"; }
+
+ #
+ # nat
+ #
+
+ # reset tables
+ ipXtables -t nat -F
+ ipXtables -t nat -X
+
+ #
+ ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ #
+ # filter
+ #
+
+ # reset tables
+ ipXtables -P INPUT DROP
+ ipXtables -P FORWARD DROP
+ ipXtables -F
+ ipXtables -X
+
+ # create custom chains
+ ipXtables -N Retiolum
+
+ # INPUT
+ ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ ipXtables -A INPUT -j ACCEPT -i lo
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j Retiolum -i retiolum
+ ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # FORWARD
+ ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # Retiolum
+ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+ ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ ip6tables -A Retiolum -j REJECT
+
+ '';
+
+
+
+
+ #system.replaceRuntimeDependencies = with pkgs;
+ # let
+ # bashVulnPatches = [
+ # (fetchurl {
+ # url = "mirror://gnu/bash/bash-4.2-patches/bash42-048";
+ # sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km";
+ # })
+ # (fetchurl {
+ # url = "file:///etc/nixos/bash-20140926.patch";
+ # sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4";
+ # })
+ # ];
+ # in
+ # [
+ # {
+ # original = bash;
+ # replacement = pkgs.lib.overrideDerivation bash (oldAttrs: {
+ # patches = oldAttrs.patches ++ bashVulnPatches;
+ # });
+ # }
+ # {
+ # original = bashInteractive;
+ # replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: {
+ # patches = oldAttrs.patches ++ bashVulnPatches;
+ # });
+ # }
+ # {
+ # original = bitlbee;
+ # replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: {
+ # configureFlags = [
+ # "--gcov=1"
+ # "--otr=1"
+ # "--ssl=gnutls"
+ # ];
+ # });
+ # }
+ #];
+
+
+}
diff --git a/modules/base-cac-CentOS-7-64bit.nix b/modules/tv/base-cac-CentOS-7-64bit.nix
index 42ab481b3..42ab481b3 100644
--- a/modules/base-cac-CentOS-7-64bit.nix
+++ b/modules/tv/base-cac-CentOS-7-64bit.nix
diff --git a/modules/base.nix b/modules/tv/base.nix
index 76c8b8970..76c8b8970 100644
--- a/modules/base.nix
+++ b/modules/tv/base.nix
diff --git a/modules/ejabberd-cd.nix b/modules/tv/ejabberd.nix
index e836d2cdd..e836d2cdd 100644
--- a/modules/ejabberd-cd.nix
+++ b/modules/tv/ejabberd.nix
diff --git a/modules/exim.nix b/modules/tv/exim-retiolum.nix
index e80358fcd..e80358fcd 100644
--- a/modules/exim.nix
+++ b/modules/tv/exim-retiolum.nix
diff --git a/modules/exim-cd.nix b/modules/tv/exim-smarthost.nix
index a4c47b399..a4c47b399 100644
--- a/modules/exim-cd.nix
+++ b/modules/tv/exim-smarthost.nix
diff --git a/modules/nginx.nix b/modules/tv/nginx.nix
index 8b420613b..8b420613b 100644
--- a/modules/nginx.nix
+++ b/modules/tv/nginx.nix
diff --git a/modules/retiolum.nix b/modules/tv/retiolum.nix
index 578547af6..578547af6 100644
--- a/modules/retiolum.nix
+++ b/modules/tv/retiolum.nix
diff --git a/modules/sanitize.nix b/modules/tv/sanitize.nix
index b6c749b6d..b6c749b6d 100644
--- a/modules/sanitize.nix
+++ b/modules/tv/sanitize.nix
diff --git a/modules/synaptics.nix b/modules/tv/synaptics.nix
index c47cb9deb..c47cb9deb 100644
--- a/modules/synaptics.nix
+++ b/modules/tv/synaptics.nix
diff --git a/modules/tools.nix b/modules/tv/tools.nix
index 4be84a6be..cf3fda93a 100644
--- a/modules/tools.nix
+++ b/modules/tv/tools.nix
@@ -5,7 +5,7 @@ let
inherit (lib.strings) concatStringsSep stringAsChars;
inherit (lib.attrsets) attrValues mapAttrs;
inherit (lib) makeSearchPath;
- inherit (import ../lib { inherit pkgs; }) shell-escape;
+ inherit (import ../../lib { inherit pkgs; }) shell-escape;
# TODO make these scripts available in an maintenance shell
diff --git a/modules/urxvt-tv.nix b/modules/tv/urxvt.nix
index a97581248..a97581248 100644
--- a/modules/urxvt-tv.nix
+++ b/modules/tv/urxvt.nix
diff --git a/modules/users.nix b/modules/tv/users.nix
index 79a00e3a1..f42ba33c5 100644
--- a/modules/users.nix
+++ b/modules/tv/users.nix
@@ -189,7 +189,7 @@ let
sudoers =
let
inherit (builtins) filter hasAttr;
- inherit (import ../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList;
+ inherit (import ../../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList;
hasMaster = { group ? "", ... }:
isSuffixOf "-sub" group;
diff --git a/modules/xserver.nix b/modules/tv/xserver.nix
index 897dbcc28..897dbcc28 100644
--- a/modules/xserver.nix
+++ b/modules/tv/xserver.nix
diff --git a/modules/wu/default.nix b/modules/wu/default.nix
new file mode 100644
index 000000000..f586552e4
--- /dev/null
+++ b/modules/wu/default.nix
@@ -0,0 +1,469 @@
+{ config, pkgs, ... }:
+
+let
+ lib = import ../../lib { inherit pkgs; };
+
+ inherit (lib) majmin;
+in
+
+{
+ imports = [
+ ./hosts.nix
+ ./iptables.nix
+ ../tv/base.nix
+ ../tv/exim-retiolum.nix
+ ../tv/nginx.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ../tv/synaptics.nix
+ #../tv/tools.nix
+ ../tv/urxvt.nix
+ ../tv/users.nix
+ ../tv/xserver.nix
+ ];
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+ SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+ # for jack
+ KERNEL=="rtc0", GROUP="audio"
+ KERNEL=="hpet", GROUP="audio"
+ '';
+
+ #services.virtualbox.enable = true;
+ #services.virtualboxGuest.enable = false;
+ services.virtualboxHost.enable = true;
+ #services.virtualboxHost.addNetworkInterface = false;
+ #systemd.services.vboxnet =
+ # let
+ # remove_vboxnets = ''
+ # for i in $(cd /sys/class/net && ls | grep ^vboxnet); do
+ # VBoxManage hostonlyif remove $i
+ # done
+ # '';
+ # in {
+ # wantedBy = [ "multi-user.target" ];
+ # requires = [ "dev-vboxnetctl.device" ];
+ # after = [ "dev-vboxnetctl.device" ];
+ # path = with pkgs; [
+ # linuxPackages.virtualbox
+ # nettools
+ # ];
+ # postStop = remove_vboxnets;
+ # script = ''
+ # ${remove_vboxnets} # just in case...
+ # VBoxManage hostonlyif create # vboxnet0
+ # ifconfig vboxnet0 up 169.254.13.37/16
+ # '';
+ # serviceConfig = {
+ # Type = "oneshot";
+ # PrivateTmp = true;
+ # RemainAfterExit = "yes";
+ # };
+ # environment.VBOX_USER_HOME = "/tmp";
+ # };
+
+
+ services.bitlbee.enable = true;
+
+ #services.rabbitmq = {
+ # enable = true;
+ # cookie = "f00f";
+ # plugins = [
+ # "rabbitmq_management"
+ # ];
+ #};
+
+
+ #services.elasticsearch.enable = true;
+
+ #services.cgserver = {
+ # enable = true;
+ # httpPort = 8003;
+ # #flushLog = false;
+ # #cgroupRoot = "/sys/fs/cgroup";
+ # #user = "zalora";
+ #};
+
+
+
+
+ #services.tlsdated = {
+ # enable = true;
+ # extraOptions = "-p";
+ #};
+
+ services.tor.enable = true;
+ services.tor.client.enable = true;
+
+
+
+ # hardware configuration
+ boot.initrd.luks.devices = [
+ { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
+ ];
+ boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ];
+ boot.initrd.availableKernelModules = [ "ahci" ];
+ #boot.kernelParams = [
+ # "intel_pstate=enable"
+ #];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # 2014-12-17 pkgs.linuxPackages_3_14 is known good
+ boot.kernelPackages = pkgs.linuxPackages_3_18;
+
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ boot.extraModprobeConfig = ''
+ options kvm_intel nested=1
+ '';
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/vg840-wuroot";
+ fsType = "btrfs";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/home" = {
+ device = "/dev/mapper/home";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = "nosuid,nodev,noatime";
+ };
+ };
+
+ swapDevices =[ ];
+
+
+ nixpkgs.config.firefox.enableAdobeFlash = true;
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ nixpkgs.config.allowUnfree = true;
+ hardware.bumblebee.enable = true; # TODO this is host specific
+ hardware.bumblebee.group = "video";
+ #services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.opengl.driSupport32Bit = true;
+
+ hardware.pulseaudio.enable = true;
+
+ hardware.enableAllFirmware = true;
+
+ # Use the gummiboot efi boot loader.
+ boot.loader.gummiboot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "wu";
+ networking.wireless.enable = true;
+
+
+ # Select internationalisation properties.
+ # i18n = {
+ # consoleFont = "lat9w-16";
+ # consoleKeyMap = "us";
+ # defaultLocale = "en_US.UTF-8";
+ # };
+
+ system.activationScripts.powertopTunables =
+ ''
+ echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+ echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+ (cd /sys/bus/pci/devices
+ for i in *; do
+ echo auto > $i/power/control # defaults to 'on'
+ done)
+ # TODO maybe do this via udev or systemd
+ # ref https://wiki.archlinux.org/index.php/Wake-on-LAN
+ # disable wol this cannot find ethtool
+ # TODO (cd /sys/class/net
+ # TODO for i in *; do
+ # TODO if ethtool $i | grep -q Wake-on &&
+ # TODO ! ethtool $i | grep -q 'Wake-on: d'; then
+ # TODO ethtool -s $i wol d
+ # TODO fi
+ # TODO done)
+ ${pkgs.ethtool}/sbin/ethtool -s en0 wol d
+ '';
+
+ environment.systemPackages = with pkgs; [
+ xlibs.fontschumachermisc
+ slock
+ ethtool
+ #firefoxWrapper # with plugins
+ #chromiumDevWrapper
+ tinc
+ iptables
+ vim
+ #jack2
+ ];
+
+
+ environment.etc."vim/vimrc".text = ''
+ set nocp
+ '';
+ environment.etc."vim/vim${majmin pkgs.vim.version}".source =
+ "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";
+
+ # multiple-definition-problem when defining environment.variables.EDITOR
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+ environment.variables.VIM = "/etc/vim";
+
+ environment.shellAliases = {
+ # alias cal='cal -m3'
+ bc = "bc -q";
+ gp = "gp -q";
+ df = "df -h";
+ du = "du -h";
+ # alias grep='grep --color=auto'
+
+ # TODO alias cannot contain #\'
+ # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+ # alias la='ls -lA'
+ lAtr = "ls -lAtr";
+ # alias ll='ls -l'
+ ls = "ls -h --color=auto --group-directories-first";
+ # alias vim='vim -p'
+ # alias vi='vim'
+ # alias view='vim -R'
+ dmesg = "dmesg -L --reltime";
+ };
+
+
+ programs.bash = {
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ # TODO source bridge
+ '';
+ promptInit = ''
+ case $UID in
+ 0)
+ PS1='\[\e[1;31m\]\w\[\e[0m\] '
+ ;;
+ 1337)
+ PS1='\[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ *)
+ PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\e[35m\]\h'" $PS1"
+ fi
+ if test -n "$SSH_AGENT_PID"; then