{ config, lib, pkgs, ... }: with import <stockholm/lib>; { imports = [ { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import <secrets/hashedPasswords.nix>); } ./vim.nix ./binary-cache/nixos.nix ]; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); krebs = { enable = true; dns.providers.lan = "hosts"; search-domain = "retiolum"; build = { user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; ref = "f66d782"; # unstable @ 2017-02-04 in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { git = { url = https://github.com/makefu/nixpkgs; inherit ref; }; } else # TODO use http, once it is implemented # right now it is simply extracted revision folder ## prepare so we do not have to wait for rsync: ## cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/125ffff -L | tar zx && mv NixOS-nixpkgs-125ffff nixpkgs { file = "/home/makefu/store/${ref}";}; secrets.file = if getEnv "dummy_secrets" == "true" then toString <stockholm/makefu/6tests/data/secrets> else "/home/makefu/secrets/${host.name}"; stockholm.file = getEnv "PWD"; # Defaults for all stockholm users? nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix"; }; }; }; users.extraUsers = { root = { openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; makefu = { uid = 9001; group = "users"; home = "/home/makefu"; createHome = true; useDefaultShell = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; }; networking.hostName = config.krebs.build.host.name; nix.maxJobs = config.krebs.build.host.cores; time.timeZone = "Europe/Berlin"; #nix.maxJobs = 1; programs.ssh = { startAgent = false; }; services.openssh.enable = true; nix.useSandbox = true; users.mutableUsers = false; boot.tmpOnTmpfs = true; networking.firewall.rejectPackets = true; networking.firewall.allowPing = true; systemd.tmpfiles.rules = [ "d /tmp 1777 root root - -" ]; nix.nixPath = [ "/var/src" ]; environment.variables = let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { NIX_PATH = mkForce "/var/src"; EDITOR = mkForce "vim"; CURL_CA_BUNDLE = ca-bundle; GIT_SSL_CAINFO = ca-bundle; SSL_CERT_FILE = ca-bundle; }; environment.systemPackages = with pkgs; [ jq git get gnumake rxvt_unicode.terminfo htop ]; programs.bash = { enableCompletion = true; interactiveShellInit = '' HISTCONTROL='erasedups:ignorespace' HISTSIZE=900001 HISTFILESIZE=$HISTSIZE PYTHONSTARTUP="~/.pythonrc"; shopt -s checkhash shopt -s histappend histreedit histverify shopt -s no_empty_cmd_completion ''; promptInit = '' case $UID in 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;; esac if test -n "$SSH_CLIENT"; then PS1='\[\033[35m\]\h'" $PS1" fi ''; }; environment.shellAliases = { lsl = "ls -lAtr"; psg = "ps -ef | grep"; nmap = "nmap -oN $HOME/loot/scan-`date +\%s`.nmap -oX $HOME/loot/scan-`date +%s`.xml"; grep = "grep --color=auto"; }; nixpkgs.config.packageOverrides = pkgs: { nano = pkgs.runCommand "empty" {} "mkdir -p $out"; tinc = pkgs.tinc_pre; }; services.cron.enable = false; services.nscd.enable = false; services.ntp.enable = false; services.timesyncd.enable = true; services.ntp.servers = [ "pool.ntp.org" "time.windows.com" "time.apple.com" "time.nist.gov" ]; nix.extraOptions = '' auto-optimise-store = true ''; security.setuidPrograms = [ "sendmail" ]; services.journald.extraConfig = '' SystemMaxUse=1G RuntimeMaxUse=128M ''; # Enable IPv6 Privacy Extensions boot.kernel.sysctl = { "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; }; system.activationScripts.nix-defexpr = '' (set -euf for i in /home/makefu /root/;do f="$i/.nix-defexpr" rm -fr "$f" ln -s /var/src/nixpkgs "$f" done) ''; i18n = { consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; }; # suppress chrome autit event messages security.audit = { rules = [ "-a task,never" ]; }; }