Merge remote-tracking branch 'prism/master'

8 files changed, 69 insertions, 7 deletions

diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 62daed8be..422927b28 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -16,6 +16,8 @@ with config.krebs.lib;
   nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
   krebs = {
     enable = true;
+
+    dns.providers.siem = "hosts";
     search-domain = "retiolum";
     build =  {
       user = config.krebs.users.makefu;
@@ -24,7 +26,9 @@ with config.krebs.lib;
           url = https://github.com/nixos/nixpkgs;
           rev = "63b9785"; # stable @ 2016-06-01
         };
-        secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
+        secrets = if getEnv "dummy_secrets" == "true"
+                  then toString <stockholm/makefu/6tests/data/secrets>
+                  else "/home/makefu/secrets/${config.krebs.build.host.name}";
         stockholm = "/home/makefu/stockholm";
 
         # Defaults for all stockholm users?
@@ -154,6 +158,15 @@ with config.krebs.lib;
     "net.ipv6.conf.default.use_tempaddr" = 2;
   };
 
+  system.activationScripts.nix-defexpr = ''
+    (set -euf
+     for i in /home/makefu /root/;do
+       f="$i/.nix-defexpr"
+       rm -fr "$f"
+       ln -s /var/src/nixpkgs "$f"
+     done)
+  '';
+
   i18n = {
     consoleKeyMap = "us";
     defaultLocale = "en_US.UTF-8";
diff --git a/makefu/2configs/fs/CAC-CentOS-7-64bit.nix b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
new file mode 100644
index 000000000..c9eb97f44
--- /dev/null
+++ b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,20 @@
+_:
+
+{
+  boot.loader.grub = {
+    device = "/dev/sda";
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/centos/root";
+      fsType = "xfs";
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+    };
+  };
+  swapDevices = [
+    { device = "/dev/centos/swap"; }
+  ];
+}
diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix
index b82c0e44e..5c7cdf716 100644
--- a/makefu/2configs/fs/sda-crypto-root.nix
+++ b/makefu/2configs/fs/sda-crypto-root.nix
@@ -1,16 +1,16 @@
 { config, lib, pkgs, ... }:
 
 # sda:  bootloader grub2
-# sda1: boot ext4 (label nixboot)
+# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required:
+  # boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
 # sda2: cryptoluks -> ext4
 with config.krebs.lib;
 {
   boot = {
     loader.grub.enable = true;
     loader.grub.version = 2;
-    loader.grub.device = "/dev/sda";
+    loader.grub.device = lib.mkDefault "/dev/sda";
 
-    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
     initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
   };
diff --git a/makefu/2configs/hw/CAC.nix b/makefu/2configs/hw/CAC.nix
new file mode 100644
index 000000000..9ed18344a
--- /dev/null
+++ b/makefu/2configs/hw/CAC.nix
@@ -0,0 +1,13 @@
+_:
+{
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "vmw_pvscsi"
+  ];
+  boot.loader.grub.splashImage = null;
+  nix = {
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+  sound.enable = false;
+}
diff --git a/makefu/2configs/hw/fingerprint-reader.nix b/makefu/2configs/hw/fingerprint-reader.nix
new file mode 100644
index 000000000..1f2f00b03
--- /dev/null
+++ b/makefu/2configs/hw/fingerprint-reader.nix
@@ -0,0 +1,6 @@
+_: {
+  # add fingerprint with fprintd-enroll
+  services.fprintd.enable = true;
+  security.pam.services.login.fprintAuth = true;
+  security.pam.services.xscreensaver.fprintAuth = true;
+}
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index be3d1eb70..1c9a34965 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -5,7 +5,7 @@ with config.krebs.lib;
 
   imports = [ ./tp-x2x0.nix ];
   boot = {
-    kernelModules = [ "kvm-intel" "acpi_call" ];
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
   };
 
@@ -28,7 +28,7 @@ with config.krebs.lib;
 
   # enable HDMI output switching with pulseaudio
   hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
-    ${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
+    ${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
     load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
   '';
 
diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix
index 7f9dc67a5..c10ec1314 100644
--- a/makefu/2configs/hw/tp-x2x0.nix
+++ b/makefu/2configs/hw/tp-x2x0.nix
@@ -22,7 +22,8 @@ with config.krebs.lib;
 
   services.tlp.enable = true;
   services.tlp.extraConfig = ''
-    START_CHARGE_THRESH_BAT0=80
+    # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
+    #START_CHARGE_THRESH_BAT0=80
     STOP_CHARGE_THRESH_BAT0=95
 
     CPU_SCALING_GOVERNOR_ON_AC=performance
diff --git a/makefu/2configs/save-diskspace.nix b/makefu/2configs/save-diskspace.nix
new file mode 100644
index 000000000..cc2b29cac
--- /dev/null
+++ b/makefu/2configs/save-diskspace.nix
@@ -0,0 +1,9 @@
+_:
+# TODO: do not check out nixpkgs master but fetch revision from github
+{
+  services.nixosManual.enable = false;
+  programs.man.enable = false;
+  services.journald.extraConfig = "SystemMaxUse=50M";
+  nix.gc.automatic = true;
+  nix.gc.dates = "03:10";
+}