From 7c146a105a81bb543c68445b98d746c628d62eed Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 2 Nov 2017 14:27:55 +0100 Subject: ma gum.r: update hw specifics --- makefu/1systems/gum/config.nix | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index e769b1e22..667804bf0 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -2,16 +2,22 @@ with import ; let - external-mac = "3a:66:48:8e:82:b2"; + # hw-specific + external-mac = "2a:c5:6e:d2:fc:7f"; + main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; + external-gw = "185.194.140.1"; + # single partition, label "nixos" + # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate + + + # static external-ip = config.krebs.build.host.nets.internet.ip4.addr; external-ip6 = config.krebs.build.host.nets.internet.ip6.addr; - external-gw = "188.68.40.1"; external-gw6 = "fe80::1"; external-netmask = 22; external-netmask6 = 64; - ext-if = "et0"; # gets renamed on the fly internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; - main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; + ext-if = "et0"; # gets renamed on the fly in { imports = [ @@ -19,6 +25,7 @@ in { # + # -- cgit v1.2.3 From 6d2bcf3929e1a01f22f11fbe93dbfb47d68f9311 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 8 Nov 2017 10:50:42 +0100 Subject: ma darth: use for lan partying --- makefu/1systems/darth/config.nix | 41 +++++++++++----------------------------- 1 file changed, 11 insertions(+), 30 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/darth/config.nix b/makefu/1systems/darth/config.nix index 7accb13d3..046c1574c 100644 --- a/makefu/1systems/darth/config.nix +++ b/makefu/1systems/darth/config.nix @@ -2,6 +2,8 @@ with import ; let + # all the good stuff resides in /data + byid = dev: "/dev/disk/by-id/" + dev; rootDisk = byid "ata-INTEL_SSDSC2BW480H6_CVTR53120385480EGN"; bootPart = rootDisk + "-part1"; @@ -21,44 +23,23 @@ in { - - - # SIEM - # - # {services.tinc.networks.siem = { - # name = "sdarth"; - # extraConfig = "ConnectTo = sjump"; - # }; - # } + # - # { - # makefu.forward-journal = { - # enable = true; - # src = "10.8.10.2"; - # dst = "10.8.10.6"; - # }; - # } - - ## Sharing - # - #{ - # services.samba.shares = { - # isos = { - # path = "/data/isos/"; - # "read only" = "yes"; - # browseable = "yes"; - # "guest ok" = "yes"; - # }; - # }; - #} + + # lan party + + + + + ]; #networking.firewall.enable = false; makefu.server.primary-itf = "enp0s25"; - krebs.hidden-ssh.enable = true; + # krebs.hidden-ssh.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; -- cgit v1.2.3 From bf7d2f52fd36b47bad03bd85451eb12c79c3a7ae Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 8 Nov 2017 10:54:44 +0100 Subject: ma tsp.r: is now acer aspire timeline 1810tz --- makefu/1systems/tsp/config.nix | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/tsp/config.nix b/makefu/1systems/tsp/config.nix index 75a11d3a7..7b751e514 100644 --- a/makefu/1systems/tsp/config.nix +++ b/makefu/1systems/tsp/config.nix @@ -1,20 +1,20 @@ # # # -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = [ # Include the results of the hardware scan. - + + # hardware specifics are in here # imports tp-x2x0.nix - + # - - + # @@ -22,9 +22,41 @@ ]; # not working in vm krebs.build.host = config.krebs.hosts.tsp; + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; + boot.loader.grub.copyKernels = true; networking.firewall.allowedTCPPorts = [ 25 ]; + # acer aspire + networking.wireless.enable = lib.mkDefault true; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + hardware.cpu.intel.updateMicrocode = true; + + zramSwap.enable = true; + zramSwap.numDevices = 2; + + services.tlp.enable = true; + services.tlp.extraConfig = '' + # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery + START_CHARGE_THRESH_BAT0=67 + STOP_CHARGE_THRESH_BAT0=100 + + + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=ondemand + CPU_MIN_PERF_ON_AC=0 + CPU_MAX_PERF_ON_AC=100 + CPU_MIN_PERF_ON_BAT=0 + CPU_MAX_PERF_ON_BAT=30 + ''; + + powerManagement.resumeCommands = '' + ${pkgs.rfkill}/bin/rfkill unblock all + ''; + } -- cgit v1.2.3 From 4d51e5ec7740abe4270976c8a0606d50e4e6a8e4 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 14 Nov 2017 10:17:16 +0100 Subject: ma hosts: cleanup configs --- makefu/1systems/gum/config.nix | 2 +- makefu/1systems/latte/config.nix | 2 +- makefu/1systems/omo/config.nix | 2 +- makefu/1systems/wbob/config.nix | 5 ++++- makefu/1systems/x/config.nix | 7 +++++-- 5 files changed, 12 insertions(+), 6 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 667804bf0..98d5d2988 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -83,7 +83,7 @@ in { # # Temporary: - + # ]; makefu.dl-dir = "/var/download"; diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index 3b06660c6..5352b029f 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -18,7 +18,7 @@ in { # Security - + # # Tools diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index a22ff10bd..1d157460b 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -82,7 +82,7 @@ in { # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload # Temporary: - + # ]; makefu.full-populate = true; makefu.server.primary-itf = primaryInterface; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index 3a53b70cb..ac51fd9ca 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -24,9 +24,12 @@ in { # # # - + # Services + + # temporary + # ]; krebs = { diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index f7db75564..1524b485f 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -23,8 +23,6 @@ with import ; # # - # - # # # # @@ -75,6 +73,11 @@ with import ; { programs.adb.enable = true; } + # temporary + # + # + # + # ]; -- cgit v1.2.3 From 1cbc2e5aa359e7e9b4b32c9ef75902576347a6d0 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 14 Nov 2017 15:36:50 +0100 Subject: ma hw/stk1160: rip --- makefu/1systems/x/config.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 1524b485f..1dd1a070f 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -62,7 +62,7 @@ with import ; - + # # # Filesystem @@ -87,7 +87,6 @@ with import ; nixpkgs.config.allowUnfree = true; - environment.systemPackages = [ pkgs.passwdqc-utils ]; # configure pulseAudio to provide a HDMI sink as well @@ -105,4 +104,7 @@ with import ; ''; # hard dependency because otherwise the device will not be unlocked boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; + + nix.package = pkgs.nixUnstable; + environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ]; } -- cgit v1.2.3 From 9472ad810cd05cd1da5882fa495408472555caf7 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 15 Nov 2017 12:43:09 +0100 Subject: ma cake.r: sound.enable = false --- makefu/1systems/cake/config.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index c287c28df..1a617e52d 100644 --- a/makefu/1systems/cake/config.nix +++ b/makefu/1systems/cake/config.nix @@ -6,9 +6,6 @@ # configure your hw: # ]; - users.extraUsers.root.openssh.authorizedKeys.keys = [ - config.krebs.users.tv.pubkey - ]; krebs = { enable = true; tinc.retiolum.enable = true; @@ -23,6 +20,7 @@ programs.man.enable = false; services.nixosManual.enable = false; boot.tmpOnTmpfs = lib.mkForce false; + sound.enable = false; hardware.enableRedistributableFirmware = true; hardware.firmware = [ -- cgit v1.2.3 From a56a9bf39e0338ce3b3f1fbfca08b701be27367a Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 5 Dec 2017 15:15:32 +0100 Subject: ma wbob.r: add grafana --- makefu/1systems/wbob/config.nix | 51 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index ac51fd9ca..f7b60fa93 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -3,6 +3,7 @@ let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F"; user = config.makefu.gui.user; + primaryIP = "192.168.8.11"; in { imports = @@ -10,16 +11,19 @@ in { - - - + + # + # + # # + + # # # @@ -27,6 +31,44 @@ in { # Services + + + + + (let + collectd-port = 25826; + influx-port = 8086; + grafana-port = 3000; # TODO nginx forward + db = "collectd_db"; + logging-interface = "enp0s25"; + in { + services.grafana.enable = true; + services.grafana.addr = "0.0.0.0"; + + services.influxdb.enable = true; + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":${toString influx-port}"; + admin.bind-address = ":8083"; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = db; + bind-address = ":${toString collectd-port}"; + }]; + }; + + networking.firewall.extraCommands = '' + iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + + ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT + ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT + ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + ''; + }) # temporary # @@ -96,6 +138,9 @@ in { # rt2870 with nonfree creates wlp2s0 from wlp0s20u2 # not explicitly setting the interface results in wpa_supplicant to crash networking.wireless.interfaces = [ "wlp2s0" ]; + networking.interfaces.enp0s25.ip4 = [ + { address = primaryIP; prefixLength = 24;} + ]; networking.interfaces.virbr1.ip4 = [{ address = "10.8.8.11"; prefixLength = 24; -- cgit v1.2.3 From 6d07e8aec19f3d5fa1d61904c476016879609b6a Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 8 Dec 2017 13:38:57 +0100 Subject: ma gum.r: network config changes, add tor --- makefu/1systems/gum/config.nix | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 98d5d2988..b66ef1ab8 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -46,7 +46,7 @@ in { # services - + # @@ -65,6 +65,8 @@ in { + + { services.taskserver.enable = true; services.taskserver.fqdn = config.krebs.build.host.name; @@ -84,13 +86,40 @@ in { # Temporary: # + + + #{ + # services.dockerRegistry.enable = true; + # networking.firewall.allowedTCPPorts = [ 8443 ]; + + # services.nginx.virtualHosts."euer.krebsco.de" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # client_max_body_size 1000M; + # ''; + # locations."/".proxyPass = "http://localhost:5000"; + # }; + #} + { # wireguard server + networking.firewall.allowedUDPPorts = [ 51820 ]; + #networking.wireguard.interfaces.wg0 = { + # ips = [ "10.244.0.1/24" ]; + # privateKeyFile = (toString ) + "/wireguard.key"; + # allowedIPsAsRoutes = true; + # peers = [{ + # allowedIPs = [ "0.0.0.0/0" "::/0" ]; + # publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; + # }]; + #}; + } ]; makefu.dl-dir = "/var/download"; services.openssh.hostKeys = [ - { bits = 4096; path = ; type = "rsa"; } - { path = ; type = "ed25519"; } ]; + { bits = 4096; path = (toString ); type = "rsa"; } + { path = (toString ); type = "ed25519"; } ]; ###### stable services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; -- cgit v1.2.3 From 907e45dd8038f3b91860b2bec5d075890918a1e3 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 8 Dec 2017 13:39:40 +0100 Subject: ma omo.r: enable europastats --- makefu/1systems/omo/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 1d157460b..4af87dc10 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -61,6 +61,7 @@ in { # logs to influx + # services -- cgit v1.2.3 From e99a9ac9f113ea9d79ae3b830d8b328c9ef03e40 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 8 Dec 2017 14:04:35 +0100 Subject: ma wbob.r: enable bureautomation --- makefu/1systems/wbob/config.nix | 13 +++---------- makefu/1systems/wbob/source.nix | 2 +- 2 files changed, 4 insertions(+), 11 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index f7b60fa93..c30ee4c58 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -18,7 +18,6 @@ in { - # @@ -34,7 +33,10 @@ in { + + + (let collectd-port = 25826; influx-port = 8086; @@ -60,13 +62,7 @@ in { }; networking.firewall.extraCommands = '' - iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT - iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT - - ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT - ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT - ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT ''; }) @@ -138,9 +134,6 @@ in { # rt2870 with nonfree creates wlp2s0 from wlp0s20u2 # not explicitly setting the interface results in wpa_supplicant to crash networking.wireless.interfaces = [ "wlp2s0" ]; - networking.interfaces.enp0s25.ip4 = [ - { address = primaryIP; prefixLength = 24;} - ]; networking.interfaces.virbr1.ip4 = [{ address = "10.8.8.11"; prefixLength = 24; diff --git a/makefu/1systems/wbob/source.nix b/makefu/1systems/wbob/source.nix index 6f079d712..b768aa87d 100644 --- a/makefu/1systems/wbob/source.nix +++ b/makefu/1systems/wbob/source.nix @@ -1,4 +1,4 @@ import { name="wbob"; - musnix = true; + # musnix = true; } -- cgit v1.2.3 From 1f0a5b9c48d9bb6ff4da068f42acc57ec44f99a4 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 8 Dec 2017 14:24:39 +0100 Subject: ma tsp.r: enable touchpad --- makefu/1systems/tsp/config.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/tsp/config.nix b/makefu/1systems/tsp/config.nix index 7b751e514..680fa2cbc 100644 --- a/makefu/1systems/tsp/config.nix +++ b/makefu/1systems/tsp/config.nix @@ -32,6 +32,8 @@ # acer aspire networking.wireless.enable = lib.mkDefault true; + services.xserver.synaptics.enable = true; + hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; -- cgit v1.2.3