From 8170b281964688b542fb151054c5d86d819008b3 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Tue, 28 Jul 2015 20:40:25 +0200
Subject: tv: reintroduce directory numbers

---
 tv/1systems/cd.nix    | 143 ++++++++++++++++++
 tv/1systems/mkdir.nix |  83 ++++++++++
 tv/1systems/nomic.nix | 116 ++++++++++++++
 tv/1systems/rmdir.nix |  84 +++++++++++
 tv/1systems/wu.nix    | 409 ++++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 835 insertions(+)
 create mode 100644 tv/1systems/cd.nix
 create mode 100644 tv/1systems/mkdir.nix
 create mode 100644 tv/1systems/nomic.nix
 create mode 100644 tv/1systems/rmdir.nix
 create mode 100644 tv/1systems/wu.nix

(limited to 'tv/1systems')

diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
new file mode 100644
index 00000000..54292eb8
--- /dev/null
+++ b/tv/1systems/cd.nix
@@ -0,0 +1,143 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  tvpkgs = import ../5pkgs { inherit pkgs; };
+in
+
+{
+  krebs.build.host = config.krebs.hosts.cd;
+  krebs.build.user = config.krebs.users.tv;
+
+  krebs.build.target = "root@cd.internet";
+
+  krebs.build.deps = {
+    nixpkgs = {
+      url = https://github.com/NixOS/nixpkgs;
+      rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    };
+    secrets = {
+      url = "/home/tv/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
+  imports = [
+    ../2configs/CAC-Developer-2.nix
+    ../2configs/CAC-CentOS-7-64bit.nix
+    ../2configs/base.nix
+    ../2configs/consul-server.nix
+    ../2configs/exim-smarthost.nix
+    ../2configs/git.nix
+    {
+      imports = [ ../2configs/charybdis.nix ];
+      tv.charybdis = {
+        enable = true;
+        sslCert = ../../Zcerts/charybdis_cd.crt.pem;
+      };
+    }
+    {
+      tv.ejabberd = {
+        enable = true;
+        hosts = [ "jabber.viljetic.de" ];
+      };
+    }
+    {
+      krebs.github-hosts-sync.enable = true;
+      tv.iptables.input-internet-accept-new-tcp =
+        singleton config.krebs.github-hosts-sync.port;
+    }
+    {
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+          "xmpp-client"
+          "xmpp-server"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      tv.iptables.input-internet-accept-new-tcp = singleton "http";
+      krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
+    }
+    {
+      # TODO make public_html also available to cd, cd.retiolum (AKA default)
+      tv.iptables.input-internet-accept-new-tcp = singleton "http";
+      krebs.nginx.servers.public_html = {
+        server-names = singleton "cd.viljetic.de";
+        locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+          alias /home/$1/public_html$2;
+        '');
+      };
+    }
+    {
+      krebs.nginx.servers.viljetic = {
+        server-names = singleton "viljetic.de";
+        # TODO directly set root (instead via location)
+        locations = singleton (nameValuePair "/" ''
+          root ${tvpkgs.viljetic-pages};
+        '');
+      };
+    }
+    {
+      krebs.retiolum = {
+        enable = true;
+        connectTo = [
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.219.7.216";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.219.7.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    mutt    # for mv
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  users.extraUsers = {
+    mv = {
+      uid = 1338;
+      group = "users";
+      home = "/home/mv";
+      createHome = true;
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = [
+        config.krebs.users.mv.pubkey
+      ];
+    };
+  };
+}
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
new file mode 100644
index 00000000..cd3d3b5c
--- /dev/null
+++ b/tv/1systems/mkdir.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  krebs.build.host = config.krebs.hosts.mkdir;
+  krebs.build.user = config.krebs.users.tv;
+
+  krebs.build.target = "root@mkdir.internet";
+
+  krebs.build.deps = {
+    nixpkgs = {
+      url = https://github.com/NixOS/nixpkgs;
+      rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+    };
+    secrets = {
+      url = "/home/tv/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
+  imports = [
+    ../2configs/CAC-Developer-1.nix
+    ../2configs/CAC-CentOS-7-64bit.nix
+    ../2configs/base.nix
+    ../2configs/consul-server.nix
+    ../2configs/exim-smarthost.nix
+    ../2configs/git.nix
+    {
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      krebs.retiolum = {
+        enable = true;
+        connectTo = [
+          "cd"
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.248.167.241"; # TODO
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.248.167.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+}
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
new file mode 100644
index 00000000..b9a10cb4
--- /dev/null
+++ b/tv/1systems/nomic.nix
@@ -0,0 +1,116 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  krebs.build.host = config.krebs.hosts.nomic;
+  krebs.build.user = config.krebs.users.tv;
+
+  krebs.build.target = "root@nomic.gg23";
+
+  krebs.build.deps = {
+    nixpkgs = {
+      url = https://github.com/NixOS/nixpkgs;
+      rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+    };
+    secrets = {
+      url = "/home/tv/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
+  imports = [
+    ../2configs/AO753.nix
+    ../2configs/base.nix
+    ../2configs/consul-server.nix
+    ../2configs/exim-retiolum.nix
+    ../2configs/git.nix
+    {
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      krebs.nginx = {
+        enable = true;
+        servers.default.locations = [
+          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      krebs.retiolum = {
+        enable = true;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+  ];
+
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha1" "xts" ];
+    devices = [
+      {
+        name = "luks1";
+        device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+      }
+    ];
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+      fsType = "btrfs";
+    };
+
+  swapDevices = [ ];
+
+  nix = {
+    buildCores = 2;
+    maxJobs = 2;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  # TODO base
+  boot.tmpOnTmpfs = true;
+
+  environment.systemPackages = with pkgs; [
+    (writeScriptBin "play" ''
+      #! /bin/sh
+      set -euf
+      mpv() { exec ${mpv}/bin/mpv "$@"; }
+      case $1 in
+        deepmix)      mpv http://deepmix.ru/deepmix128.pls;;
+        groovesalad)  mpv http://somafm.com/play/groovesalad;;
+        ntslive)      mpv http://listen2.ntslive.co.uk/listen.pls;;
+        *)
+          echo "$0: bad argument: $*" >&2
+          exit 23
+      esac
+    '')
+    rxvt_unicode.terminfo
+    tmux
+  ];
+}
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
new file mode 100644
index 00000000..c8ac43e4
--- /dev/null
+++ b/tv/1systems/rmdir.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  krebs.build.host = config.krebs.hosts.rmdir;
+  krebs.build.user = config.krebs.users.tv;
+
+  krebs.build.target = "root@rmdir.internet";
+
+  krebs.build.deps = {
+    nixpkgs = {
+      url = https://github.com/NixOS/nixpkgs;
+      rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    };
+    secrets = {
+      url = "/home/tv/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
+  imports = [
+    ../2configs/CAC-Developer-1.nix
+    ../2configs/CAC-CentOS-7-64bit.nix
+    ../2configs/base.nix
+    ../2configs/consul-server.nix
+    ../2configs/exim-smarthost.nix
+    ../2configs/git.nix
+    {
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      krebs.retiolum = {
+        enable = true;
+        connectTo = [
+          "cd"
+          "mkdir"
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "167.88.44.94";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "167.88.44.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+}
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
new file mode 100644
index 00000000..27691ec5
--- /dev/null
+++ b/tv/1systems/wu.nix
@@ -0,0 +1,409 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  tvpkgs = import ../5pkgs { inherit pkgs; };
+in
+
+{
+  krebs.build.host = config.krebs.hosts.wu;
+  krebs.build.user = config.krebs.users.tv;
+
+  krebs.build.target = "root@wu";
+
+  krebs.build.deps = {
+    nixpkgs = {
+      url = https://github.com/NixOS/nixpkgs;
+      rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+    };
+    secrets = {
+      url = "/home/tv/secrets/${config.krebs.build.host.name}";
+    };
+    stockholm = {
+      url = toString ../..;
+    };
+  };
+
+  imports = [
+    ../2configs/w110er.nix
+    ../2configs/base.nix
+    ../2configs/consul-client.nix
+    ../2configs/exim-retiolum.nix
+    ../2configs/git.nix
+    ../2configs/mail-client.nix
+    ../2configs/xserver.nix
+    ../2configs/synaptics.nix # TODO w110er if xserver is enabled
+    ../2configs/urlwatch.nix
+    {
+      environment.systemPackages = with pkgs; [
+
+        # stockholm
+        git
+        gnumake
+        parallel
+        tvpkgs.genid
+        tvpkgs.hashPassword
+        tvpkgs.lentil
+        (pkgs.writeScriptBin "ff" ''
+          #! ${pkgs.bash}/bin/bash
+          exec sudo -u ff -i <<EOF
+          exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
+          EOF
+        '')
+        (pkgs.writeScriptBin "im" ''
+          #! ${pkgs.bash}/bin/bash
+          export PATH=${makeSearchPath "bin" (with pkgs; [
+            tmux
+            gnugrep
+            weechat
+          ])}
+          if tmux list-sessions -F\#S | grep -q '^im''$'; then
+            exec tmux attach -t im
+          else
+            exec tmux new -s im weechat
+          fi
+        '')
+
+        # root
+        cryptsetup
+        ntp # ntpate
+
+        # tv
+        bc
+        bind # dig
+        file
+        gitAndTools.qgit
+        gnupg21
+        haskellPackages.hledger
+        htop
+        jq
+        manpages
+        mkpasswd
+        mpv
+        netcat
+        nix-repl
+        nmap
+        p7zip
+        pavucontrol
+        posix_man_pages
+        qrencode
+        sxiv
+        texLive
+        tmux
+        tvpkgs.dic
+        zathura
+
+        #ack
+        #apache-httpd
+        #ascii
+        #emacs
+        #es
+        #esniper
+        #gcc
+        #gptfdisk
+        #graphviz
+        #haskellPackages.cabal2nix
+        #haskellPackages.ghc
+        #haskellPackages.shake
+        #hdparm
+        #i7z
+        #iftop
+        #imagemagick
+        #inotifyTools
+        #iodine
+        #iotop
+        #lshw
+        #lsof
+        #minicom
+        #mtools
+        #ncmpc
+        #neovim
+        #nethogs
+        #nix-prefetch-scripts #cvs bug
+        #openssl
+        #openswan
+        #parted
+        #perl
+        #powertop
+        #ppp
+        #proot
+        #pythonPackages.arandr
+        #pythonPackages.youtube-dl
+        #racket
+        #rxvt_unicode-with-plugins
+        #scrot
+        #sec
+        #silver-searcher
+        #sloccount
+        #smartmontools
+        #socat
+        #sshpass
+        #strongswan
+        #sysdig
+        #sysstat
+        #tcpdump
+        #tlsdate
+        #unetbootin
+        #utillinuxCurses
+        #wvdial
+        #xdotool
+        #xkill
+        #xl2tpd
+        #xsel
+      ];
+    }
+    {
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      krebs.nginx = {
+        enable = true;
+        servers.default.locations = [
+          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      krebs.retiolum = {
+        enable = true;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+    {
+      users.extraGroups = {
+        tv.gid = 1337;
+        slaves.gid = 3799582008; # genid slaves
+      };
+
+      users.extraUsers =
+        mapAttrs (name: user@{ extraGroups ? [], ... }: user // {
+          inherit name;
+          home = "/home/${name}";
+          createHome = true;
+          useDefaultShell = true;
+          group = "tv";
+          extraGroups = ["slaves"] ++ extraGroups;
+        }) {
+          ff = {
+            uid = 13378001;
+            extraGroups = [
+              "audio"
+              "video"
+            ];
+          };
+
+          cr = {
+            uid = 13378002;
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          fa = {
+            uid = 2300001;
+          };
+
+          rl = {
+            uid = 2300002;
+          };
+
+          tief = {
+            uid = 2300702;
+          };
+
+          btc-bitcoind = {
+            uid = 2301001;
+          };
+
+          btc-electrum = {
+            uid = 2301002;
+          };
+
+          ltc-litecoind = {
+            uid = 2301101;
+          };
+
+          eth = {
+            uid = 2302001;
+          };
+
+          emse-hsdb = {
+            uid = 4200101;
+          };
+
+          wine = {
+            uid = 13370400;
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          df = {
+            uid = 13370401;
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          xr = {
+            uid = 13370061;
+            extraGroups = [
+              "audio"
+              "video"
+            ];
+          };
+
+          "23" = {
+            uid = 13370023;
+          };
+
+          electrum = {
+            uid = 13370102;
+          };
+
+          skype = {
+            uid = 6660001;
+            extraGroups = [
+              "audio"
+            ];
+          };
+
+          onion = {
+            uid = 6660010;
+          };
+
+          zalora = {
+            uid = 1000301;
+            extraGroups = [
+              "audio"
+              # TODO remove vboxusers when hardening is active
+              "vboxusers"
+              "video"
+            ];
+          };
+        };
+
+      security.sudo.extraConfig =
+        let
+          isSlave = u: elem "slaves" u.extraGroups;
+          masterOf = u: u.group;
+          slaves = filterAttrs (_: isSlave) config.users.extraUsers;
+          toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL";
+        in
+        concatMapStringsSep "\n" toSudoers (attrValues slaves);
+    }
+  ];
+
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha512" "xts" ];
+    devices = [
+      { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
+    ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/vg840-wuroot";
+      fsType = "btrfs";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/home" = {
+      device = "/dev/mapper/home";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = "nosuid,nodev,noatime";
+    };
+  };
+
+  nixpkgs.config.chromium.enablePepperFlash = true;
+
+  nixpkgs.config.allowUnfree = true;
+  hardware.bumblebee.enable = true;
+  hardware.bumblebee.group = "video";
+  hardware.enableAllFirmware = true;
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    xlibs.fontschumachermisc
+    slock
+    ethtool
+    #firefoxWrapper # with plugins
+    #chromiumDevWrapper
+    tinc
+    iptables
+    #jack2
+  ];
+
+  security.setuidPrograms = [
+    "sendmail"  # for cron
+    "slock"
+  ];
+
+  services.printing.enable = true;
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+  ];
+
+  virtualisation.libvirtd.enable = true;
+
+  networking.extraHosts = ''
+    192.168.1.1 wrt.gg23 wrt
+    192.168.1.11 mors.gg23
+    192.168.1.12 uriel.gg23
+    192.168.1.23 raspi.gg23 raspi
+    192.168.1.37 wu.gg23
+    192.168.1.111 nomic.gg23
+    192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
+  '';
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+    # for jack
+    KERNEL=="rtc0", GROUP="audio"
+    KERNEL=="hpet", GROUP="audio"
+  '';
+
+  services.bitlbee.enable = true;
+  services.tor.client.enable = true;
+  services.tor.enable = true;
+  services.virtualboxHost.enable = true;
+
+  # TODO w110er if xserver is enabled
+  services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
+}
-- 
cgit v1.2.3