summaryrefslogtreecommitdiffstats
path: root/tv/2configs
diff options
context:
space:
mode:
Diffstat (limited to 'tv/2configs')
-rw-r--r--tv/2configs/audit.nix9
-rw-r--r--tv/2configs/default.nix13
-rw-r--r--tv/2configs/exim-retiolum.nix2
-rw-r--r--tv/2configs/exim-smarthost.nix2
-rw-r--r--tv/2configs/nginx/default.nix2
-rw-r--r--tv/2configs/nginx/public_html.nix2
-rw-r--r--tv/2configs/retiolum.nix6
-rw-r--r--tv/2configs/vim.nix365
8 files changed, 246 insertions, 155 deletions
diff --git a/tv/2configs/audit.nix b/tv/2configs/audit.nix
new file mode 100644
index 00000000..644741a5
--- /dev/null
+++ b/tv/2configs/audit.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ security.audit = {
+ rules = [
+ "-a task,never"
+ ];
+ };
+}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 741955ee..a9ba1ead 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with config.krebs.lib;
stockholm = "/home/tv/stockholm";
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "87fe38fd0e19ca83fc3ea338f8e0e7b12971d204";
+ rev = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
};
} // optionalAttrs config.krebs.build.host.secure {
secrets-master = "/home/tv/secrets/master";
@@ -25,6 +25,7 @@ with config.krebs.lib;
imports = [
<secrets>
+ ./audit.nix
./backup.nix
./nginx
./vim.nix
@@ -152,6 +153,7 @@ with config.krebs.lib;
services.cron.enable = false;
services.nscd.enable = false;
services.ntp.enable = false;
+ services.timesyncd.enable = true;
}
{
@@ -168,13 +170,20 @@ with config.krebs.lib;
}
{
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ }
+
+ {
services.openssh = {
enable = true;
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
- tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
+ tv.iptables.input-internet-accept-tcp = singleton "ssh";
}
{
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index 9197a3c3..ad355f8b 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,5 +4,5 @@ with config.krebs.lib;
{
krebs.exim-retiolum.enable = true;
- tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+ tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
}
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 3616a8f5..351b54da 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -43,5 +43,5 @@ with config.krebs.lib;
{ from = "mirko"; to = "mv"; }
];
};
- tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
+ tv.iptables.input-internet-accept-tcp = singleton "smtp";
}
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 1fac65a3..d0d07d5c 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -12,6 +12,6 @@ with config.krebs.lib;
];
};
tv.iptables = optionalAttrs config.krebs.nginx.enable {
- input-retiolum-accept-new-tcp = singleton "http";
+ input-retiolum-accept-tcp = singleton "http";
};
}
diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix
index 15a3b548..858f1656 100644
--- a/tv/2configs/nginx/public_html.nix
+++ b/tv/2configs/nginx/public_html.nix
@@ -11,5 +11,5 @@ with config.krebs.lib;
'')
];
};
- tv.iptables.input-internet-accept-new-tcp = singleton "http";
+ tv.iptables.input-internet-accept-tcp = singleton "http";
}
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
index e1598d79..f7945415 100644
--- a/tv/2configs/retiolum.nix
+++ b/tv/2configs/retiolum.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
with config.krebs.lib;
@@ -12,6 +12,8 @@ with config.krebs.lib;
"cd"
"ire"
];
+ tincPackage = pkgs.tinc_pre;
};
- tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+ tv.iptables.input-internet-accept-tcp = singleton "tinc";
+ tv.iptables.input-internet-accept-udp = singleton "tinc";
}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index 85045332..86c5d05d 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -14,8 +14,17 @@ let
};
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.ctrlp
pkgs.vimPlugins.undotree
(pkgs.vimUtils.buildVimPlugin {
+ name = "vim-syntax-jq";
+ src = pkgs.fetchgit {
+ url = https://github.com/vito-c/jq.vim;
+ rev = "99d55a300047946a82ecdd7617323a751199ad2d";
+ sha256 = "00mmwg4swwmllknzzx07af080lcy7y5i6341rc6c08i2vka48nv9";
+ };
+ })
+ (pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
@@ -101,6 +110,176 @@ let
command! -n=0 -bar ShowSyntax :call ShowSyntax()
'';
})))
+ ((rtp: rtp // { inherit rtp; }) (pkgs.writeOut "vim-tv" {
+ "/syntax/haskell.vim".text = /* vim */ ''
+ syn region String start=+\[[[:alnum:]]*|+ end=+|]+
+
+ hi link ConId Identifier
+ hi link VarId Identifier
+ hi link hsDelimiter Delimiter
+ '';
+ "/syntax/nix.vim".text = /* vim */ ''
+ "" Quit when a (custom) syntax file was already loaded
+ "if exists("b:current_syntax")
+ " finish
+ "endif
+
+ "setf nix
+
+ " Ref <nix/src/libexpr/lexer.l>
+ syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
+ syn match NixINT /\<[0-9]\+\>/
+ syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+ syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+ syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
+ syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
+ syn region NixSTRING
+ \ matchgroup=NixSTRING
+ \ start='"'
+ \ skip='\\"'
+ \ end='"'
+ syn region NixIND_STRING
+ \ matchgroup=NixIND_STRING
+ \ start="'''"
+ \ skip="'''\('\|[$]\|\\[nrt]\)"
+ \ end="'''"
+
+ syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/
+
+ syn match NixCommentMatch /\(^\|\s\)#.*/
+ syn region NixCommentRegion start="/\*" end="\*/"
+
+ hi link NixCode Statement
+ hi link NixData Constant
+ hi link NixComment Comment
+
+ hi link NixCommentMatch NixComment
+ hi link NixCommentRegion NixComment
+ hi link NixID NixCode
+ hi link NixINT NixData
+ hi link NixPATH NixData
+ hi link NixHPATH NixData
+ hi link NixSPATH NixData
+ hi link NixURI NixData
+ hi link NixSTRING NixData
+ hi link NixIND_STRING NixData
+
+ hi link NixEnter NixCode
+ hi link NixOther NixCode
+ hi link NixQuote NixData
+
+ syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
+ syn cluster nix_ind_strings contains=NixIND_STRING
+ syn cluster nix_strings contains=NixSTRING
+
+ ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
+ startAlts = filter isString [
+ ''/\* ${lang} \*/''
+ extraStart
+ ];
+ sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
+ in /* vim */ ''
+ syn include @nix_${lang}_syntax syntax/${lang}.vim
+ if exists("b:current_syntax")
+ unlet b:current_syntax
+ endif
+
+ syn match nix_${lang}_sigil
+ \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
+ \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
+ \ transparent
+
+ syn region nix_${lang}_region_STRING
+ \ matchgroup=NixSTRING
+ \ start='"'
+ \ skip='\\"'
+ \ end='"'
+ \ contained
+ \ contains=@nix_${lang}_syntax
+ \ transparent
+
+ syn region nix_${lang}_region_IND_STRING
+ \ matchgroup=NixIND_STRING
+ \ start="'''"
+ \ skip="'''\('\|[$]\|\\[nrt]\)"
+ \ end="'''"
+ \ contained
+ \ contains=@nix_${lang}_syntax
+ \ transparent
+
+ syn cluster nix_ind_strings
+ \ add=nix_${lang}_region_IND_STRING
+
+ syn cluster nix_strings
+ \ add=nix_${lang}_region_STRING
+
+ " This is required because containedin isn't transitive.
+ syn cluster nix_has_dollar_curly
+ \ add=@nix_${lang}_syntax
+ '') {
+ c = {};
+ cabal = {};
+ diff = {};
+ haskell = {};
+ jq.extraStart = concatStringsSep ''\|'' [
+ ''writeJq.*''
+ ''write[^ \t\r\n]*[ \t\r\n]*"[^"]*\.jq"''
+ ];
+ lua = {};
+ sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
+ sh.extraStart = concatStringsSep ''\|'' [
+ ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''
+ ''[a-z]*Phase[ \t\r\n]*=''
+ ];
+ vim.extraStart =
+ ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
+ xdefaults = {};
+ })}
+
+ " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
+ syn clear shVarAssign
+
+ syn region nixINSIDE_DOLLAR_CURLY
+ \ matchgroup=NixEnter
+ \ start="[$]{"
+ \ end="}"
+ \ contains=TOP
+ \ containedin=@nix_has_dollar_curly
+ \ transparent
+
+ syn region nix_inside_curly
+ \ matchgroup=NixEnter
+ \ start="{"
+ \ end="}"
+ \ contains=TOP
+ \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
+ \ transparent
+
+ syn match NixQuote /'''\(''$\|\\.\)/he=s+2
+ \ containedin=@nix_ind_strings
+ \ contained
+
+ syn match NixQuote /'''\('\|\\.\)/he=s+1
+ \ containedin=@nix_ind_strings
+ \ contained
+
+ syn match NixQuote /\\./he=s+1
+ \ containedin=@nix_strings
+ \ contained
+
+ syn sync fromstart
+
+ let b:current_syntax = "nix"
+
+ set isk=@,48-57,_,192-255,-,'
+ '';
+ "/syntax/sed.vim".text = /* vim */ ''
+ syn region sedBranch
+ \ matchgroup=sedFunction start="T"
+ \ matchgroup=sedSemicolon end=";\|$"
+ \ contains=sedWhitespace
+ '';
+ }))
];
dirs = {
@@ -121,6 +300,9 @@ let
vim = pkgs.writeDashBin "vim" ''
set -efu
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
+ if test $# = 0 && test -e "$PWD/.ctrlpignore"; then
+ set -- +CtrlP
+ fi
exec ${pkgs.vim}/bin/vim "$@"
'';
@@ -137,7 +319,7 @@ let
set mouse=a
set noruler
set pastetoggle=<INS>
- set runtimepath=${extra-runtimepath},$VIMRUNTIME
+ set runtimepath=$VIMRUNTIME,${extra-runtimepath}
set shortmess+=I
set showcmd
set showmatch
@@ -164,15 +346,10 @@ let
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
- au BufRead,BufNewFile *.hs so ${hs.vim}
-
- au BufRead,BufNewFile *.nix so ${nix.vim}
+ au BufRead,BufNewFile *.nix set ft=nix
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
- nmap <esc>q :buffer
- nmap <M-q> :buffer
-
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
@@ -198,147 +375,41 @@ let
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
vnoremap u <nop>
- '';
-
- hs.vim = pkgs.writeText "hs.vim" ''
- syn region String start=+\[[[:alnum:]]*|+ end=+|]+
-
- hi link ConId Identifier
- hi link VarId Identifier
- hi link hsDelimiter Delimiter
- '';
- nix.vim = pkgs.writeText "nix.vim" ''
- setf nix
-
- " Ref <nix/src/libexpr/lexer.l>
- syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
- syn match NixINT /\<[0-9]\+\>/
- syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
- syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
- syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
- syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
- syn region NixSTRING
- \ matchgroup=NixSTRING
- \ start='"'
- \ skip='\\"'
- \ end='"'
- syn region NixIND_STRING
- \ matchgroup=NixIND_STRING
- \ start="'''"
- \ skip="'''\('\|[$]\|\\[nrt]\)"
- \ end="'''"
-
- syn match NixOther /[():/;=.,?\[\]]/
-
- syn match NixCommentMatch /\(^\|\s\)#.*/
- syn region NixCommentRegion start="/\*" end="\*/"
-
- hi link NixCode Statement
- hi link NixData Constant
- hi link NixComment Comment
-
- hi link NixCommentMatch NixComment
- hi link NixCommentRegion NixComment
- hi link NixID NixCode
- hi link NixINT NixData
- hi link NixPATH NixData
- hi link NixHPATH NixData
- hi link NixSPATH NixData
- hi link NixURI NixData
- hi link NixSTRING NixData
- hi link NixIND_STRING NixData
-
- hi link NixEnter NixCode
- hi link NixOther NixCode
- hi link NixQuote NixData
-
- syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
- syn cluster nix_ind_strings contains=NixIND_STRING
- syn cluster nix_strings contains=NixSTRING
-
- ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
- startAlts = filter isString [
- ''/\* ${lang} \*/''
- extraStart
- ];
- sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
- in /* vim */ ''
- syn include @nix_${lang}_syntax syntax/${lang}.vim
- unlet b:current_syntax
-
- syn match nix_${lang}_sigil
- \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
- \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
- \ transparent
-
- syn region nix_${lang}_region_STRING
- \ matchgroup=NixSTRING
- \ start='"'
- \ skip='\\"'
- \ end='"'
- \ contained
- \ contains=@nix_${lang}_syntax
- \ transparent
-
- syn region nix_${lang}_region_IND_STRING
- \ matchgroup=NixIND_STRING
- \ start="'''"
- \ skip="'''\('\|[$]\|\\[nrt]\)"
- \ end="'''"
- \ contained
- \ contains=@nix_${lang}_syntax
- \ transparent
-
- syn cluster nix_ind_strings
- \ add=nix_${lang}_region_IND_STRING
-
- syn cluster nix_strings
- \ add=nix_${lang}_region_STRING
-
- syn cluster nix_has_dollar_curly
- \ add=@nix_${lang}_syntax
- '') {
- c = {};
- cabal = {};
- haskell = {};
- sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
- vim.extraStart =
- ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
- })}
-
- " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
- syn clear shVarAssign
-
- syn region nixINSIDE_DOLLAR_CURLY
- \ matchgroup=NixEnter
- \ start="[$]{"
- \ end="}"
- \ contains=TOP
- \ containedin=@nix_has_dollar_curly
- \ transparent
-
- syn region nix_inside_curly
- \ matchgroup=NixEnter
- \ start="{"
- \ end="}"
- \ contains=TOP
- \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
- \ transparent
-
- syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
- \ containedin=@nix_ind_strings
- \ contained
-
- syn match NixQuote /\\./he=s+1
- \ containedin=@nix_strings
- \ contained
-
- syn sync fromstart
-
- let b:current_syntax = "nix"
-
- set isk=@,48-57,_,192-255,-,'
+ "
+ " CtrlP-related configuration
+ "
+ hi CtrlPPrtCursor ctermbg=199
+ hi CtrlPMatch ctermfg=226
+ set showtabline=0
+ let g:ctrlp_cmd = 'CtrlPMixed'
+ let g:ctrlp_map = '<esc>q'
+ let g:ctrlp_working_path_mode = 'a'
+ " Cannot use autoignore extension because it fails to initialize properly:
+ " when started the first time, e.g. using `vim +CtrlP`, then it won't use
+ " patterns from .ctrlpignore until CtrlP gets reopened and F5 pressed...
+ fu s:gen_ctrlp_custom_ignore()
+ let l:prefix = getcwd()
+ let l:pats = readfile(l:prefix . "/.ctrlpignore")
+ let l:pats = filter(l:pats, 's:ctrlpignore_filter(v:val)')
+ let l:pats = map(l:pats, 's:ctrlpignore_rewrite(v:val)')
+ return l:prefix . "\\(" . join(l:pats, "\\|") . "\\)"
+ endfu
+ fu s:ctrlpignore_filter(s)
+ " filter comments and blank lines
+ return match(a:s, '^\s*\(#.*\)''$') == -1
+ endfu
+ fu s:ctrlpignore_rewrite(s)
+ if a:s[0:0] == "^"
+ return "/" . a:s[1:]
+ else
+ return "/.*" . a:s
+ endif
+ endfu
+ try
+ let g:ctrlp_custom_ignore = s:gen_ctrlp_custom_ignore()
+ catch /^Vim\%((\a\+)\)\=:E484/
+ endtry
'';
in
out
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 23:26:04 +0000