From afb6afff1d0f81d8a0dcfd94fa8e46a849bb094f Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 27 Jul 2015 02:02:34 +0200 Subject: * tv -> tv * --- tv/configs/AO753.nix | 39 ++ tv/configs/CAC-CentOS-7-64bit.nix | 47 ++ tv/configs/CAC-Developer-1.nix | 6 + tv/configs/CAC-Developer-2.nix | 6 + tv/configs/base.nix | 188 ++++++++ tv/configs/bash_completion.sh | 779 ++++++++++++++++++++++++++++++++++ tv/configs/charybdis.nix | 605 ++++++++++++++++++++++++++ tv/configs/consul-client.nix | 9 + tv/configs/consul-server.nix | 21 + tv/configs/cryptoroot.nix | 4 + tv/configs/exim-retiolum.nix | 126 ++++++ tv/configs/exim-smarthost.nix | 475 +++++++++++++++++++++ tv/configs/git.nix | 90 ++++ tv/configs/mail-client.nix | 14 + tv/configs/smartd.nix | 17 + tv/configs/synaptics.nix | 14 + tv/configs/urlwatch.nix | 51 +++ tv/configs/urxvt.nix | 24 ++ tv/configs/w110er.nix | 42 ++ tv/configs/xserver.nix | 41 ++ tv/lib/default.nix | 27 ++ tv/lib/git.nix | 182 ++++++++ tv/lib/modules.nix | 21 + tv/modules/consul.nix | 118 +++++ tv/modules/default.nix | 9 + tv/modules/ejabberd.nix | 166 ++++++++ tv/modules/iptables.nix | 126 ++++++ tv/pkgs/charybdis/default.nix | 34 ++ tv/pkgs/charybdis/remove-setenv.patch | 12 + tv/pkgs/default.nix | 13 + tv/pkgs/lentil/1.patch | 39 ++ tv/pkgs/lentil/default.nix | 17 + tv/pkgs/lentil/syntaxes.patch | 11 + tv/pkgs/much.nix | 64 +++ tv/pkgs/viljetic-pages/default.nix | 16 + tv/pkgs/viljetic-pages/index.html | 10 + tv/pkgs/viljetic-pages/logo.xpm | 24 ++ tv/systems/cd.nix | 127 ++++++ tv/systems/mkdir.nix | 67 +++ tv/systems/nomic.nix | 100 +++++ tv/systems/rmdir.nix | 68 +++ tv/systems/wu.nix | 393 +++++++++++++++++ 42 files changed, 4242 insertions(+) create mode 100644 tv/configs/AO753.nix create mode 100644 tv/configs/CAC-CentOS-7-64bit.nix create mode 100644 tv/configs/CAC-Developer-1.nix create mode 100644 tv/configs/CAC-Developer-2.nix create mode 100644 tv/configs/base.nix create mode 100644 tv/configs/bash_completion.sh create mode 100644 tv/configs/charybdis.nix create mode 100644 tv/configs/consul-client.nix create mode 100644 tv/configs/consul-server.nix create mode 100644 tv/configs/cryptoroot.nix create mode 100644 tv/configs/exim-retiolum.nix create mode 100644 tv/configs/exim-smarthost.nix create mode 100644 tv/configs/git.nix create mode 100644 tv/configs/mail-client.nix create mode 100644 tv/configs/smartd.nix create mode 100644 tv/configs/synaptics.nix create mode 100644 tv/configs/urlwatch.nix create mode 100644 tv/configs/urxvt.nix create mode 100644 tv/configs/w110er.nix create mode 100644 tv/configs/xserver.nix create mode 100644 tv/lib/default.nix create mode 100644 tv/lib/git.nix create mode 100644 tv/lib/modules.nix create mode 100644 tv/modules/consul.nix create mode 100644 tv/modules/default.nix create mode 100644 tv/modules/ejabberd.nix create mode 100644 tv/modules/iptables.nix create mode 100644 tv/pkgs/charybdis/default.nix create mode 100644 tv/pkgs/charybdis/remove-setenv.patch create mode 100644 tv/pkgs/default.nix create mode 100644 tv/pkgs/lentil/1.patch create mode 100644 tv/pkgs/lentil/default.nix create mode 100644 tv/pkgs/lentil/syntaxes.patch create mode 100644 tv/pkgs/much.nix create mode 100644 tv/pkgs/viljetic-pages/default.nix create mode 100644 tv/pkgs/viljetic-pages/index.html create mode 100644 tv/pkgs/viljetic-pages/logo.xpm create mode 100644 tv/systems/cd.nix create mode 100644 tv/systems/mkdir.nix create mode 100644 tv/systems/nomic.nix create mode 100644 tv/systems/rmdir.nix create mode 100644 tv/systems/wu.nix (limited to 'tv') diff --git a/tv/configs/AO753.nix b/tv/configs/AO753.nix new file mode 100644 index 000000000..c103ce2d7 --- /dev/null +++ b/tv/configs/AO753.nix @@ -0,0 +1,39 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../configs/smartd.nix + ]; + + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ahci" + ]; + + boot.kernelModules = [ + "kvm-intel" + "wl" + ]; + + boot.extraModulePackages = [ + config.boot.kernelPackages.broadcom_sta + ]; + + networking.wireless.enable = true; + + services.logind.extraConfig = '' + HandleHibernateKey=ignore + HandleLidSwitch=ignore + HandlePowerKey=ignore + HandleSuspendKey=ignore + ''; + + nixpkgs.config = { + allowUnfree = false; + allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name); + }; +} diff --git a/tv/configs/CAC-CentOS-7-64bit.nix b/tv/configs/CAC-CentOS-7-64bit.nix new file mode 100644 index 000000000..168d1d97b --- /dev/null +++ b/tv/configs/CAC-CentOS-7-64bit.nix @@ -0,0 +1,47 @@ +_: + +{ + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/centos/root"; + fsType = "xfs"; + }; + + fileSystems."/boot" = { + device = "/dev/sda1"; + fsType = "xfs"; + }; + + swapDevices = [ + { device = "/dev/centos/swap"; } + ]; + + users.extraGroups = { + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + }; +} diff --git a/tv/configs/CAC-Developer-1.nix b/tv/configs/CAC-Developer-1.nix new file mode 100644 index 000000000..37bc32afb --- /dev/null +++ b/tv/configs/CAC-Developer-1.nix @@ -0,0 +1,6 @@ +_: + +{ + nix.maxJobs = 1; + sound.enable = false; +} diff --git a/tv/configs/CAC-Developer-2.nix b/tv/configs/CAC-Developer-2.nix new file mode 100644 index 000000000..fedb808df --- /dev/null +++ b/tv/configs/CAC-Developer-2.nix @@ -0,0 +1,6 @@ +_: + +{ + nix.maxJobs = 2; + sound.enable = false; +} diff --git a/tv/configs/base.nix b/tv/configs/base.nix new file mode 100644 index 000000000..06f83ea9e --- /dev/null +++ b/tv/configs/base.nix @@ -0,0 +1,188 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; + +let + # "7.4.335" -> "74" + majmin = x: concatStrings (take 2 (splitString "." x)); +in + +{ + krebs.enable = true; + krebs.search-domain = "retiolum"; + + networking.hostName = config.krebs.build.host.name; + + imports = [ + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + { + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + tv = { + uid = 1337; + group = "users"; + home = "/home/tv"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + }; + } + { + security.sudo.extraConfig = '' + Defaults mailto="${config.krebs.users.tv.mail}" + ''; + time.timeZone = "Europe/Berlin"; + } + { + # TODO check if both are required: + nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + + nix.useChroot = true; + } + { + # oldvim + environment.systemPackages = with pkgs; [ + vim + ]; + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + + environment.variables.VIM = "/etc/vim"; + } + { + environment.systemPackages = with pkgs; [ + rxvt_unicode.terminfo + ]; + + environment.shellAliases = { + # alias cal='cal -m3' + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + ${readFile ./bash_completion.sh} + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then + PS1="ssh-agent[$SSH_AGENT_PID] $PS1" + fi + ''; + }; + + programs.ssh.startAgent = false; + } + + { + nixpkgs.config.packageOverrides = pkgs: + { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + } + + { + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + } + + { + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + } + + { + # TODO: exim + security.setuidPrograms = [ + "sendmail" # for sudo + ]; + } + ]; +} diff --git a/tv/configs/bash_completion.sh b/tv/configs/bash_completion.sh new file mode 100644 index 000000000..537484fb9 --- /dev/null +++ b/tv/configs/bash_completion.sh @@ -0,0 +1,779 @@ + +# Expand variable starting with tilde (~) +# We want to expand ~foo/... to /home/foo/... to avoid problems when +# word-to-complete starting with a tilde is fed to commands and ending up +# quoted instead of expanded. +# Only the first portion of the variable from the tilde up to the first slash +# (~../) is expanded. The remainder of the variable, containing for example +# a dollar sign variable ($) or asterisk (*) is not expanded. +# Example usage: +# +# $ v="~"; __expand_tilde_by_ref v; echo "$v" +# +# Example output: +# +# v output +# -------- ---------------- +# ~ /home/user +# ~foo/bar /home/foo/bar +# ~foo/$HOME /home/foo/$HOME +# ~foo/a b /home/foo/a b +# ~foo/* /home/foo/* +# +# @param $1 Name of variable (not the value of the variable) to expand +__expand_tilde_by_ref() +{ + # Does $1 start with tilde (~)? + if [[ ${!1} == \~* ]]; then + # Does $1 contain slash (/)? + if [[ ${!1} == */* ]]; then + # Yes, $1 contains slash; + # 1: Remove * including and after first slash (/), i.e. "~a/b" + # becomes "~a". Double quotes allow eval. + # 2: Remove * before the first slash (/), i.e. "~a/b" + # becomes "b". Single quotes prevent eval. + # +-----1----+ +---2----+ + eval $1="${!1/%\/*}"/'${!1#*/}' + else + # No, $1 doesn't contain slash + eval $1="${!1}" + fi + fi +} # __expand_tilde_by_ref() + + +# Get the word to complete. +# This is nicer than ${COMP_WORDS[$COMP_CWORD]}, since it handles cases +# where the user is completing in the middle of a word. +# (For example, if the line is "ls foobar", +# and the cursor is here --------> ^ +# @param $1 string Characters out of $COMP_WORDBREAKS which should NOT be +# considered word breaks. This is useful for things like scp where +# we want to return host:path and not only path, so we would pass the +# colon (:) as $1 in this case. +# @param $2 integer Index number of word to return, negatively offset to the +# current word (default is 0, previous is 1), respecting the exclusions +# given at $1. For example, `_get_cword "=:" 1' returns the word left of +# the current word, respecting the exclusions "=:". +# @deprecated Use `_get_comp_words_by_ref cur' instead +# @see _get_comp_words_by_ref() +_get_cword() +{ + local LC_CTYPE=C + local cword words + __reassemble_comp_words_by_ref "$1" words cword + + # return previous word offset by $2 + if [[ ${2//[^0-9]/} ]]; then + printf "%s" "${words[cword-$2]}" + elif [[ "${#words[cword]}" -eq 0 || "$COMP_POINT" == "${#COMP_LINE}" ]]; then + printf "%s" "${words[cword]}" + else + local i + local cur="$COMP_LINE" + local index="$COMP_POINT" + for (( i = 0; i <= cword; ++i )); do + while [[ + # Current word fits in $cur? + "${#cur}" -ge ${#words[i]} && + # $cur doesn't match cword? + "${cur:0:${#words[i]}}" != "${words[i]}" + ]]; do + # Strip first character + cur="${cur:1}" + # Decrease cursor position + ((index--)) + done + + # Does found word matches cword? + if [[ "$i" -lt "$cword" ]]; then + # No, cword lies further; + local old_size="${#cur}" + cur="${cur#${words[i]}}" + local new_size="${#cur}" + index=$(( index - old_size + new_size )) + fi + done + + if [[ "${words[cword]:0:${#cur}}" != "$cur" ]]; then + # We messed up! At least return the whole word so things + # keep working + printf "%s" "${words[cword]}" + else + printf "%s" "${cur:0:$index}" + fi + fi +} # _get_cword() + + +# Get word previous to the current word. +# This is a good alternative to `prev=${COMP_WORDS[COMP_CWORD-1]}' because bash4 +# will properly return the previous word with respect to any given exclusions to +# COMP_WORDBREAKS. +# @deprecated Use `_get_comp_words_by_ref cur prev' instead +# @see _get_comp_words_by_ref() +# +_get_pword() +{ + if [[ $COMP_CWORD -ge 1 ]]; then + _get_cword "${@:-}" 1 + fi +} + + + +# Complete variables. +# @return True (0) if variables were completed, +# False (> 0) if not. +_variables() +{ + if [[ $cur =~ ^(\$\{?)([A-Za-z0-9_]*)$ ]]; then + [[ $cur == *{* ]] && local suffix=} || local suffix= + COMPREPLY+=( $( compgen -P ${BASH_REMATCH[1]} -S "$suffix" -v -- \ + "${BASH_REMATCH[2]}" ) ) + return 0 + fi + return 1 +} + +# Assign variable one scope above the caller +# Usage: local "$1" && _upvar $1 "value(s)" +# Param: $1 Variable name to assign value to +# Param: $* Value(s) to assign. If multiple values, an array is +# assigned, otherwise a single value is assigned. +# NOTE: For assigning multiple variables, use '_upvars'. Do NOT +# use multiple '_upvar' calls, since one '_upvar' call might +# reassign a variable to be used by another '_upvar' call. +# See: http://fvue.nl/wiki/Bash:_Passing_variables_by_reference +_upvar() +{ + if unset -v "$1"; then # Unset & validate varname + if (( $# == 2 )); then + eval $1=\"\$2\" # Return single value + else + eval $1=\(\"\${@:2}\"\) # Return array + fi + fi +} + +# Assign variables one scope above the caller +# Usage: local varname [varname ...] && +# _upvars [-v varname value] | [-aN varname [value ...]] ... +# Available OPTIONS: +# -aN Assign next N values to varname as array +# -v Assign single value to varname +# Return: 1 if error occurs +# See: http://fvue.nl/wiki/Bash:_Passing_variables_by_reference +_upvars() +{ + if ! (( $# )); then + echo "${FUNCNAME[0]}: usage: ${FUNCNAME[0]} [-v varname"\ + "value] | [-aN varname [value ...]] ..." 1>&2 + return 2 + fi + while (( $# )); do + case $1 in + -a*) + # Error checking + [[ ${1#-a} ]] || { echo "bash: ${FUNCNAME[0]}: \`$1': missing"\ + "number specifier" 1>&2; return 1; } + printf %d "${1#-a}" &> /dev/null || { echo "bash:"\ + "${FUNCNAME[0]}: \`$1': invalid number specifier" 1>&2 + return 1; } + # Assign array of -aN elements + [[ "$2" ]] && unset -v "$2" && eval $2=\(\"\${@:3:${1#-a}}\"\) && + shift $((${1#-a} + 2)) || { echo "bash: ${FUNCNAME[0]}:"\ + "\`$1${2+ }$2': missing argument(s)" 1>&2; return 1; } + ;; + -v) + # Assign single value + [[ "$2" ]] && unset -v "$2" && eval $2=\"\$3\" && + shift 3 || { echo "bash: ${FUNCNAME[0]}: $1: missing"\ + "argument(s)" 1>&2; return 1; } + ;; + *) + echo "bash: ${FUNCNAME[0]}: $1: invalid option" 1>&2 + return 1 ;; + esac + done +} + +# @param $1 exclude Characters out of $COMP_WORDBREAKS which should NOT be +# considered word breaks. This is useful for things like scp where +# we want to return host:path and not only path, so we would pass the +# colon (:) as $1 in this case. +# @param $2 words Name of variable to return words to +# @param $3 cword Name of variable to return cword to +# @param $4 cur Name of variable to return current word to complete to +# @see __reassemble_comp_words_by_ref() +__get_cword_at_cursor_by_ref() +{ + local cword words=() + __reassemble_comp_words_by_ref "$1" words cword + + local i cur index=$COMP_POINT lead=${COMP_LINE:0:$COMP_POINT} + # Cursor not at position 0 and not leaded by just space(s)? + if [[ $index -gt 0 && ( $lead && ${lead//[[:space:]]} ) ]]; then + cur=$COMP_LINE + for (( i = 0; i <= cword; ++i )); do + while [[ + # Current word fits in $cur? + ${#cur} -ge ${#words[i]} && + # $cur doesn't match cword? + "${cur:0:${#words[i]}}" != "${words[i]}" + ]]; do + # Strip first character + cur="${cur:1}" + # Decrease cursor position + ((index--)) + done + + # Does found word match cword? + if [[ $i -lt $cword ]]; then + # No, cword lies further; + local old_size=${#cur} + cur="${cur#"${words[i]}"}" + local new_size=${#cur} + index=$(( index - old_size + new_size )) + fi + done + # Clear $cur if just space(s) + [[ $cur && ! ${cur//[[:space:]]} ]] && cur= + # Zero $index if negative + [[ $index -lt 0 ]] && index=0 + fi + + local "$2" "$3" "$4" && _upvars -a${#words[@]} $2 "${words[@]}" \ + -v $3 "$cword" -v $4 "${cur:0:$index}" +} + +# Reassemble command line words, excluding specified characters from the +# list of word completion separators (COMP_WORDBREAKS). +# @param $1 chars Characters out of $COMP_WORDBREAKS which should +# NOT be considered word breaks. This is useful for things like scp where +# we want to return host:path and not only path, so we would pass the +# colon (:) as $1 here. +# @param $2 words Name of variable to return words to +# @param $3 cword Name of variable to return cword to +# +__reassemble_comp_words_by_ref() +{ + local exclude i j line ref + # Exclude word separator characters? + if [[ $1 ]]; then + # Yes, exclude word separator characters; + # Exclude only those characters, which were really included + exclude="${1//[^$COMP_WORDBREAKS]}" + fi + + # Default to cword unchanged + eval $3=$COMP_CWORD + # Are characters excluded which were former included? + if [[ $exclude ]]; then + # Yes, list of word completion separators has shrunk; + line=$COMP_LINE + # Re-assemble words to complete + for (( i=0, j=0; i < ${#COMP_WORDS[@]}; i++, j++)); do + # Is current word not word 0 (the command itself) and is word not + # empty and is word made up of just word separator characters to + # be excluded and is current word not preceded by whitespace in + # original line? + while [[ $i -gt 0 && ${COMP_WORDS[$i]} == +([$exclude]) ]]; do + # Is word separator not preceded by whitespace in original line + # and are we not going to append to word 0 (the command + # itself), then append to current word. + [[ $line != [$' \t']* ]] && (( j >= 2 )) && ((j--)) + # Append word separator to current or new word + ref="$2[$j]" + eval $2[$j]=\${!ref}\${COMP_WORDS[i]} + # Indicate new cword + [[ $i == $COMP_CWORD ]] && eval $3=$j + # Remove optional whitespace + word separator from line copy + line=${line#*"${COMP_WORDS[$i]}"} + # Start new word if word separator in original line is + # followed by whitespace. + [[ $line == [$' \t']* ]] && ((j++)) + # Indicate next word if available, else end *both* while and + # for loop + (( $i < ${#COMP_WORDS[@]} - 1)) && ((i++)) || break 2 + done + # Append word to current word + ref="$2[$j]" + eval $2[$j]=\${!ref}\${COMP_WORDS[i]} + # Remove optional whitespace + word from line copy + line=${line#*"${COMP_WORDS[i]}"} + # Indicate new cword + [[ $i == $COMP_CWORD ]] && eval $3=$j + done + [[ $i == $COMP_CWORD ]] && eval $3=$j + else + # No, list of word completions separators hasn't changed; + eval $2=\( \"\${COMP_WORDS[@]}\" \) + fi +} # __reassemble_comp_words_by_ref() + + +# If the word-to-complete contains a colon (:), left-trim COMPREPLY items with +# word-to-complete. +# With a colon in COMP_WORDBREAKS, words containing +# colons are always completed as entire words if the word to complete contains +# a colon. This function fixes this, by removing the colon-containing-prefix +# from COMPREPLY items. +# The preferred solution is to remove the colon (:) from COMP_WORDBREAKS in +# your .bashrc: +# +# # Remove colon (:) from list of word completion separators +# COMP_WORDBREAKS=${COMP_WORDBREAKS//:} +# +# See also: Bash FAQ - E13) Why does filename completion misbehave if a colon +# appears in the filename? - http://tiswww.case.edu/php/chet/bash/FAQ +# @param $1 current word to complete (cur) +# @modifies global array $COMPREPLY +# +__ltrim_colon_completions() +{ + if [[ "$1" == *:* && "$COMP_WORDBREAKS" == *:* ]]; then + # Remove colon-word prefix from COMPREPLY items + local colon_word=${1%"${1##*:}"} + local i=${#COMPREPLY[*]} + while [[ $((--i)) -ge 0 ]]; do + COMPREPLY[$i]=${COMPREPLY[$i]#"$colon_word"} + done + fi +} # __ltrim_colon_completions() + + +# NOTE: Using this function as a helper function is deprecated. Use +# `_known_hosts_real' instead. +_known_hosts() +{ + local cur prev words cword + _init_completion -n : || return + + # NOTE: Using `_known_hosts' as a helper function and passing options + # to `_known_hosts' is deprecated: Use `_known_hosts_real' instead. + local options + [[ "$1" == -a || "$2" == -a ]] && options=-a + [[ "$1" == -c || "$2" == -c ]] && options+=" -c" + _known_hosts_real $options -- "$cur" +} # _known_hosts() + + +# Helper function for completing _known_hosts. +# This function performs host completion based on ssh's config and known_hosts +# files, as well as hostnames reported by avahi-browse if +# COMP_KNOWN_HOSTS_WITH_AVAHI is set to a non-empty value. Also hosts from +# HOSTFILE (compgen -A hostname) are added, unless +# COMP_KNOWN_HOSTS_WITH_HOSTFILE is set to an empty value. +# Usage: _known_hosts_real [OPTIONS] CWORD +# Options: -a Use aliases +# -c Use `:' suffix +# -F configfile Use `configfile' for configuration settings +# -p PREFIX Use PREFIX +# Return: Completions, starting with CWORD, are added to COMPREPLY[] +_known_hosts_real() +{ + local configfile flag prefix + local cur curd awkcur user suffix aliases i host + local -a kh khd config + + local OPTIND=1 + while getopts "acF:p:" flag "$@"; do + case $flag in + a) aliases='yes' ;; + c) suffix=':' ;; + F) configfile=$OPTARG ;; + p) prefix=$OPTARG ;; + esac + done + [[ $# -lt $OPTIND ]] && echo "error: $FUNCNAME: missing mandatory argument CWORD" + cur=${!OPTIND}; let "OPTIND += 1" + [[ $# -ge $OPTIND ]] && echo "error: $FUNCNAME("$@"): unprocessed arguments:"\ + $(while [[ $# -ge $OPTIND ]]; do printf '%s\n' ${!OPTIND}; shift; done) + + [[ $cur == *@* ]] && user=${cur%@*}@ && cur=${cur#*@} + kh=() + + # ssh config files + if [[ -n $configfile ]]; then + [[ -r $configfile ]] && config+=( "$configfile" ) + else + for i in /etc/ssh/ssh_config ~/.ssh/config ~/.ssh2/config; do + [[ -r $i ]] && config+=( "$i" ) + done + fi + + # Known hosts files from configs + if [[ ${#config[@]} -gt 0 ]]; then + local OIFS=$IFS IFS=$'\n' j + local -a tmpkh + # expand paths (if present) to global and user known hosts files + # TODO(?): try to make known hosts files with more than one consecutive + # spaces in their name work (watch out for ~ expansion + # breakage! Alioth#311595) + tmpkh=( $( awk 'sub("^[ \t]*([Gg][Ll][Oo][Bb][Aa][Ll]|[Uu][Ss][Ee][Rr])[Kk][Nn][Oo][Ww][Nn][Hh][Oo][Ss][Tt][Ss][Ff][Ii][Ll][Ee][ \t]+", "") { print $0 }' "${config[@]}" | sort -u ) ) + IFS=$OIFS + for i in "${tmpkh[@]}"; do + # First deal with quoted entries... + while [[ $i =~ ^([^\"]*)\"([^\"]*)\"(.*)$ ]]; do + i=${BASH_REMATCH[1]}${BASH_REMATCH[3]} + j=${BASH_REMATCH[2]} + __expand_tilde_by_ref j # Eval/expand possible `~' or `~user' + [[ -r $j ]] && kh+=( "$j" ) + done + # ...and then the rest. + for j in $i; do + __expand_tilde_by_ref j # Eval/expand possible `~' or `~user' + [[ -r $j ]] && kh+=( "$j" ) + done + done + fi + + + if [[ -z $configfile ]]; then + # Global and user known_hosts files + for i in /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 \ + /etc/known_hosts /etc/known_hosts2 ~/.ssh/known_hosts \ + ~/.ssh/known_hosts2; do + [[ -r $i ]] && kh+=( "$i" ) + done + for i in /etc/ssh2/knownhosts ~/.ssh2/hostkeys; do + [[ -d $i ]] && khd+=( "$i"/*pub ) + done + fi + + # If we have known_hosts files to use + if [[ ${#kh[@]} -gt 0 || ${#khd[@]} -gt 0 ]]; then + # Escape slashes and dots in paths for awk + awkcur=${cur//\//\\\/} + awkcur=${awkcur//\./\\\.} + curd=$awkcur + + if [[ "$awkcur" == [0-9]*[.:]* ]]; then + # Digits followed by a dot or a colon - just search for that + awkcur="^$awkcur[.:]*" + elif [[ "$awkcur" == [0-9]* ]]; then + # Digits followed by no dot or colon - search for digits followed + # by a dot or a colon + awkcur="^$awkcur.*[.:]" + elif [[ -z $awkcur ]]; then + # A blank - search for a dot, a colon, or an alpha character + awkcur="[a-z.:]" + else + awkcur="^$awkcur" + fi + + if [[ ${#kh[@]} -gt 0 ]]; then + # FS needs to look for a comma separated list + COMPREPLY+=( $( awk 'BEGIN {FS=","} + /^\s*[^|\#]/ { + sub("^@[^ ]+ +", ""); \ + sub(" .*$", ""); \ + for (i=1; i<=NF; ++i) { \ + sub("^\\[", "", $i); sub("\\](:[0-9]+)?$", "", $i); \ + if ($i !~ /[*?]/ && $i ~ /'"$awkcur"'/) {print $i} \ + }}' "${kh[@]}" 2>/dev/null ) ) + fi + if [[ ${#khd[@]} -gt 0 ]]; then + # Needs to look for files called + # .../.ssh2/key_22_.pub + # dont fork any processes, because in a cluster environment, + # there can be hundreds of hostkeys + for i in "${khd[@]}" ; do + if [[ "$i" == *key_22_$curd*.pub && -r "$i" ]]; then + host=${i/#*key_22_/} + host=${host/%.pub/} + COMPREPLY+=( $host ) + fi + done + fi + + # apply suffix and prefix + for (( i=0; i < ${#COMPREPLY[@]}; i++ )); do + COMPREPLY[i]=$prefix$user${COMPREPLY[i]}$suffix + done + fi + + # append any available aliases from config files + if [[ ${#config[@]} -gt 0 && -n "$aliases" ]]; then + local hosts=$( sed -ne 's/^[ \t]*[Hh][Oo][Ss][Tt]\([Nn][Aa][Mm][Ee]\)\{0,1\}['"$'\t '"']\{1,\}\([^#*?]*\)\(#.*\)\{0,1\}$/\2/p' "${config[@]}" ) + COMPREPLY+=( $( compgen -P "$prefix$user" \ + -S "$suffix" -W "$hosts" -- "$cur" ) ) + fi + + # Add hosts reported by avahi-browse, if desired and it's available. + if [[ ${COMP_KNOWN_HOSTS_WITH_AVAHI:-} ]] && \ + type avahi-browse &>/dev/null; then + # The original call to avahi-browse also had "-k", to avoid lookups + # into avahi's services DB. We don't need the name of the service, and + # if it contains ";", it may mistify the result. But on Gentoo (at + # least), -k wasn't available (even if mentioned in the manpage) some + # time ago, so... + COMPREPLY+=( $( compgen -P "$prefix$user" -S "$suffix" -W \ + "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \ + awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) ) + fi + + # Add hosts reported by ruptime. + COMPREPLY+=( $( compgen -W \ + "$( ruptime 2>/dev/null | awk '!/^ruptime:/ { print $1 }' )" \ + -- "$cur" ) ) + + # Add results of normal hostname completion, unless + # `COMP_KNOWN_HOSTS_WITH_HOSTFILE' is set to an empty value. + if [[ -n ${COMP_KNOWN_HOSTS_WITH_HOSTFILE-1} ]]; then + COMPREPLY+=( + $( compgen -A hostname -P "$prefix$user" -S "$suffix" -- "$cur" ) ) + fi + + __ltrim_colon_completions "$prefix$user$cur" + + return 0 +} # _known_hosts_real() + + +# Get the word to complete and optional previous words. +# This is nicer than ${COMP_WORDS[$COMP_CWORD]}, since it handles cases +# where the user is completing in the middle of a word. +# (For example, if the line is "ls foobar", +# and the cursor is here --------> ^ +# Also one is able to cross over possible wordbreak characters. +# Usage: _get_comp_words_by_ref [OPTIONS] [VARNAMES] +# Available VARNAMES: +# cur Return cur via $cur +# prev Return prev via $prev +# words Return words via $words +# cword Return cword via $cword +# +# Available OPTIONS: +# -n EXCLUDE Characters out of $COMP_WORDBREAKS which should NOT be +# considered word breaks. This is useful for things like scp +# where we want to return host:path and not only path, so we +# would pass the colon (:) as -n option in this case. +# -c VARNAME Return cur via $VARNAME +# -p VARNAME Return prev via $VARNAME +# -w VARNAME Return words via $VARNAME +# -i VARNAME Return cword via $VARNAME +# +# Example usage: +# +# $ _get_comp_words_by_ref -n : cur prev +# +_get_comp_words_by_ref() +{ + local exclude flag i OPTIND=1 + local cur cword words=() + local upargs=() upvars=() vcur vcword vprev vwords + + while getopts "c:i:n:p:w:" flag "$@"; do + case $flag in + c) vcur=$OPTARG ;; + i) vcword=$OPTARG ;; + n) exclude=$OPTARG ;; + p) vprev=$OPTARG ;; + w) vwords=$OPTARG ;; + esac + done + while [[ $# -ge $OPTIND ]]; do + case ${!OPTIND} in + cur) vcur=cur ;; + prev) vprev=prev ;; + cword) vcword=cword ;; + words) vwords=words ;; + *) echo "bash: $FUNCNAME(): \`${!OPTIND}': unknown argument" \ + 1>&2; return 1 + esac + let "OPTIND += 1" + done + + __get_cword_at_cursor_by_ref "$exclude" words cword cur + + [[ $vcur ]] && { upvars+=("$vcur" ); upargs+=(-v $vcur "$cur" ); } + [[ $vcword ]] && { upvars+=("$vcword"); upargs+=(-v $vcword "$cword"); } + [[ $vprev && $cword -ge 1 ]] && { upvars+=("$vprev" ); upargs+=(-v $vprev + "${words[cword - 1]}"); } + [[ $vwords ]] && { upvars+=("$vwords"); upargs+=(-a${#words[@]} $vwords + "${words[@]}"); } + + (( ${#upvars[@]} )) && local "${upvars[@]}" && _upvars "${upargs[@]}" +} + +# Initialize completion and deal with various general things: do file +# and variable completion where appropriate, and adjust prev, words, +# and cword as if no redirections exist so that completions do not +# need to deal with them. Before calling this function, make sure +# cur, prev, words, and cword are local, ditto split if you use -s. +# +# Options: +# -n EXCLUDE Passed to _get_comp_words_by_ref -n with redirection chars +# -e XSPEC Passed to _filedir as first arg for stderr redirections +# -o XSPEC Passed to _filedir as first arg for other output redirections +# -i XSPEC Passed to _filedir as first arg for stdin redirections +# -s Split long options with _split_longopt, implies -n = +# @return True (0) if completion needs further processing, +# False (> 0) no further processing is necessary. +# +_init_completion() +{ + local exclude= flag outx errx inx OPTIND=1 + + while getopts "n:e:o:i:s" flag "$@"; do + case $flag in + n) exclude+=$OPTARG ;; + e) errx=$OPTARG ;; + o) outx=$OPTARG ;; + i) inx=$OPTARG ;; + s) split=false ; exclude+== ;; + esac + done + + # For some reason completion functions are not invoked at all by + # bash (at least as of 4.1.7) after the command line contains an + # ampersand so we don't get a chance to deal with redirections + # containing them, but if we did, hopefully the below would also + # do the right thing with them... + + COMPREPLY=() + local redir="@(?([0-9])<|?([0-9&])>?(>)|>&)" + _get_comp_words_by_ref -n "$exclude<>&" cur prev words cword + + # Complete variable names. + _variables && return 1 + + # Complete on files if current is a redirect possibly followed by a + # filename, e.g. ">foo", or previous is a "bare" redirect, e.g. ">". + if [[ $cur == $redir* || $prev == $redir ]]; then + local xspec + case $cur in + 2'>'*) xspec=$errx ;; + *'>'*) xspec=$outx ;; + *'<'*) xspec=$inx ;; + *) + case $prev in + 2'>'*) xspec=$errx ;; + *'>'*) xspec=$outx ;; + *'<'*) xspec=$inx ;; + esac + ;; + esac + cur="${cur##$redir}" + _filedir $xspec + return 1 + fi + + # Remove all redirections so completions don't have to deal with them. + local i skip + for (( i=1; i < ${#words[@]}; )); do + if [[ ${words[i]} == $redir* ]]; then + # If "bare" redirect, remove also the next word (skip=2). + [[ ${words[i]} == $redir ]] && skip=2 || skip=1 + words=( "${words[@]:0:i}" "${words[@]:i+skip}" ) + [[ $i -le $cword ]] && cword=$(( cword - skip )) + else + i=$(( ++i )) + fi + done + + [[ $cword -le 0 ]] && return 1 + prev=${words[cword-1]} + + [[ ${split-} ]] && _split_longopt && split=true + + return 0 +} + +# Try to complete -o SubOptions= +# +# Returns 0 if the completion was handled or non-zero otherwise. +_ssh_suboption_check() +{ + # Get prev and cur words without splitting on = + local cureq=`_get_cword :=` preveq=`_get_pword :=` + if [[ $cureq == *=* && $preveq == -o ]]; then + _ssh_suboption $cureq + return $? + fi + return 1 +} + +_complete_ssh() +{ + local cur prev words cword + _init_completion -n : || return + + local configfile + local -a config + + _ssh_suboption_check && return 0 + + case $prev in + -F|-i|-S) + _filedir + return 0 + ;; + -c) + _ssh_ciphers + return 0 + ;; + -m) + _ssh_macs + return 0 + ;; + -l) + COMPREPLY=( $( compgen -u -- "$cur" ) ) + return 0 + ;; + -O) + COMPREPLY=( $( compgen -W 'check forward exit stop' -- "$cur" ) ) + return 0 + ;; + -o) + _ssh_options + return 0 + ;; + -w) + _available_interfaces + return 0 + ;; + -b) + _ip_addresses + return 0 + ;; + -D|-e|-I|-L|-p|-R|-W) + return 0 + ;; + esac + + if [[ "$cur" == -F* ]]; then + cur=${cur#-F} + _filedir + # Prefix completions with '-F' + COMPREPLY=( "${COMPREPLY[@]/#/-F}" ) + cur=-F$cur # Restore cur + elif [[ "$cur" == -* ]]; then + COMPREPLY=( $( compgen -W '$( _parse_usage "$1" )' -- "$cur" ) ) + else + # Search COMP_WORDS for '-F configfile' or '-Fconfigfile' argument + set -- "${words[@]}" + while [[ $# -gt 0 ]]; do + if [[ $1 == -F* ]]; then + if [[ ${#1} -gt 2 ]]; then + configfile="$(dequote "${1:2}")" + else + shift + [[ $1 ]] && configfile="$(dequote "$1")" + fi + break + fi + shift + done + _known_hosts_real -a -F "$configfile" "$cur" + if [[ $cword -ne 1 ]]; then + compopt -o filenames + COMPREPLY+=( $( compgen -c -- "$cur" ) ) + fi + fi + + return 0 +} && +shopt -u hostcomplete && complete -F _complete_ssh ssh diff --git a/tv/configs/charybdis.nix b/tv/configs/charybdis.nix new file mode 100644 index 000000000..977626d27 --- /dev/null +++ b/tv/configs/charybdis.nix @@ -0,0 +1,605 @@ +{ config, lib, pkgs, ... }: + +let + tvpkgs = import ../pkgs { inherit pkgs; }; +in + +with builtins; +with lib; +let + cfg = config.tv.charybdis; + + out = { + options.tv.charybdis = api; + config = mkIf cfg.enable (mkMerge [ + imp + { tv.iptables.input-retiolum-accept-new-tcp = [ 6667 6697 ]; } + ]); + }; + + api = { + enable = mkEnableOption "tv.charybdis"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/charybdis"; + }; + dhParams = mkOption { + type = types.str; + default = "/root/src/secrets/charybdis.dh.pem"; + }; + motd = mkOption { + type = types.str; + default = "/join #retiolum"; + }; + sslCert = mkOption { + type = types.path; + }; + sslKey = mkOption { + type = types.str; + default = "/root/src/secrets/charybdis.key.pem"; + }; + }; + + imp = { + systemd.services.charybdis = { + wantedBy = [ "multi-user.target" ]; + environment = { + BANDB_DBPATH = "${cfg.dataDir}/ban.db"; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "charybdis"; + User = user.name; + PrivateTmp = "true"; + Restart = "always"; + ExecStartPre = pkgs.writeScript "charybdis-init" '' + #! /bin/sh + mkdir -p ${cfg.dataDir} + chown ${user.name}: ${cfg.dataDir} + install -o ${user.name} -m 0400 ${cfg.sslKey} /tmp/ssl.key + install -o ${user.name} -m 0400 ${cfg.dhParams} /tmp/dh.pem + echo ${escapeShellArg cfg.motd} > /tmp/ircd.motd + ''; + ExecStart = pkgs.writeScript "charybdis-service" '' + #! /bin/sh + set -euf + exec ${tvpkgs.charybdis}/bin/charybdis-ircd \ + -foreground \ + -logfile /dev/stderr \ + -configfile ${configFile} + ''; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "charybdis"; + uid = 3748224544; # genid charybdis + }; + + configFile = toFile "charybdis-ircd.conf" '' + /* doc/example.conf - brief example configuration file + * + * Copyright (C) 2000-2002 Hybrid Development Team + * Copyright (C) 2002-2005 ircd-ratbox development team + * Copyright (C) 2005-2006 charybdis development team + * + * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $ + * + * See reference.conf for more information. + */ + + /* Extensions */ + #loadmodule "extensions/chm_operonly_compat.so"; + #loadmodule "extensions/chm_quietunreg_compat.so"; + #loadmodule "extensions/chm_sslonly_compat.so"; + #loadmodule "extensions/createauthonly.so"; + #loadmodule "extensions/extb_account.so"; + #loadmodule "extensions/extb_canjoin.so"; + #loadmodule "extensions/extb_channel.so"; + #loadmodule "extensions/extb_extgecos.so"; + #loadmodule "extensions/extb_oper.so"; + #loadmodule "extensions/extb_realname.so"; + #loadmodule "extensions/extb_server.so"; + #loadmodule "extensions/extb_ssl.so"; + #loadmodule "extensions/hurt.so"; + #loadmodule "extensions/m_findforwards.so"; + #loadmodule "extensions/m_identify.so"; + #loadmodule "extensions/no_oper_invis.so"; + #loadmodule "extensions/sno_farconnect.so"; + #loadmodule "extensions/sno_globalkline.so"; + #loadmodule "extensions/sno_globaloper.so"; + #loadmodule "extensions/sno_whois.so"; + loadmodule "extensions/override.so"; + + /* + * IP cloaking extensions: use ip_cloaking_4.0 + * if you're linking 3.2 and later, otherwise use + * ip_cloaking.so, for compatibility with older 3.x + * releases. + */ + + #loadmodule "extensions/ip_cloaking_4.0.so"; + #loadmodule "extensions/ip_cloaking.so"; + + serverinfo { + name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)}; + sid = "4z3"; + description = "miep!"; + network_name = "irc.retiolum"; + #network_desc = "Retiolum IRC Network"; + hub = yes; + + /* On multi-homed hosts you may need the following. These define + * the addresses we connect from to other servers. */ + /* for IPv4 */ + vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; + /* for IPv6 */ + vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; + + /* ssl_private_key: our ssl private key */ + ssl_private_key = "/tmp/ssl.key"; + + /* ssl_cert: certificate for our ssl server */ + ssl_cert = ${toJSON cfg.sslCert}; + + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ + ssl_dh_params = "/tmp/dh.pem"; + + /* ssld_count: number of ssld processes you want to start, if you + * have a really busy server, using N-1 where N is the number of + * cpu/cpu cores you have might be useful. A number greater than one + * can also be useful in case of bugs in ssld and because ssld needs + * two file descriptors per SSL connection. + */ + ssld_count = 1; + + /* default max clients: the default maximum number of clients + * allowed to connect. This can be changed once ircd has started by + * issuing: + * /quote set maxclients + */ + default_max_clients = 1024; + + /* nicklen: enforced nickname length (for this server only; must not + * be longer than the maximum length set while building). + */ + nicklen = 30; + }; + + admin { + name = "tv"; + description = "peer"; + mail = "${config.krebs.users.tv.mail}"; + }; + + log { + fname_userlog = "/dev/stderr"; + fname_fuserlog = "/dev/stderr"; + fname_operlog = "/dev/stderr"; + fname_foperlog = "/dev/stderr"; + fname_serverlog = "/dev/stderr"; + fname_klinelog = "/dev/stderr"; + fname_killlog = "/dev/stderr"; + fname_operspylog = "/dev/stderr"; + fname_ioerrorlog = "/dev/stderr"; + }; + + /* class {} blocks MUST be specified before anything that uses them. That + * means they must be defined before auth {} and before connect {}. + */ + + class "krebs" { + ping_time = 2 minutes; + number_per_ident = 10; + number_per_ip = 2048; + number_per_ip_global = 4096; + cidr_ipv4_bitlen = 24; + cidr_ipv6_bitlen = 64; + number_per_cidr = 65536; + max_number = 3000; + sendq = 1 megabyte; + }; + + class "users" { + ping_time = 2 minutes; + number_per_ident = 10; + number_per_ip = 1024; + number_per_ip_global = 4096; + cidr_ipv4_bitlen = 24; + cidr_ipv6_bitlen = 64; + number_per_cidr = 65536; + max_number = 3000; + sendq = 400 kbytes; + }; + + class "opers" { + ping_time = 5 minutes; + number_per_ip = 10; + max_number = 1000; + sendq = 1 megabyte; + }; + + class "server" { + ping_time = 5 minutes; + connectfreq = 5 minutes; + max_number = 1; + sendq = 4 megabytes; + }; + + listen { + /* defer_accept: wait for clients to send IRC handshake data before + * accepting them. if you intend to use software which depends on the + * server replying first, such as BOPM, you should disable this feature. + * otherwise, you probably want to leave it on. + */ + defer_accept = yes; + + /* If you want to listen on a specific IP only, specify host. + * host definitions apply only to the following port line. + */ + # XXX This is stupid because only one host is allowed[?] + #host = ''${concatMapStringsSep ", " toJSON ( + # config.krebs.build.host.nets.retiolum.addrs + #)}; + port = 6667; + sslport = 6697; + }; + + /* auth {}: allow users to connect to the ircd (OLD I:) + * auth {} blocks MUST be specified in order of precedence. The first one + * that matches a user will be used. So place spoofs first, then specials, + * then general access, then restricted. + */ + auth { + /* user: the user@host allowed to connect. Multiple IPv4/IPv6 user + * lines are permitted per auth block. This is matched against the + * hostname and IP address (using :: shortening for IPv6 and + * prepending a 0 if it starts with a colon) and can also use CIDR + * masks. + */ + user = "*@10.243.0.0/12"; + user = "*@42::/16"; + + /* password: an optional password that is required to use this block. + * By default this is not encrypted, specify the flag "encrypted" in + * flags = ...; below if it is. + */ + #password = "letmein"; + + /* spoof: fake the users user@host to be be this. You may either + * specify a host or a user@host to spoof to. This is free-form, + * just do everyone a favour and dont abuse it. (OLD I: = flag) + */ + #spoof = "I.still.hate.packets"; + + /* Possible flags in auth: + * + * encrypted | password is encrypted with mkpasswd + * spoof_notice | give a notice when spoofing hosts + * exceed_limit (old > flag) | allow user to exceed class user limits + * kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls + * dnsbl_exempt | exempt this user from dnsbls + * spambot_exempt | exempt this user from spambot checks + * shide_exempt | exempt this user from serverhiding + * jupe_exempt | exempt this user from generating + * warnings joining juped channels + * resv_exempt | exempt this user from resvs + * flood_exempt | exempt this user from flood limits + * USE WITH CAUTION. + * no_tilde (old - flag) | don't prefix ~ to username if no ident + * need_ident (old + flag) | require ident for user in this class + * need_ssl | require SSL/TLS for user in this class + * need_sasl | require SASL id for user in this class + */ + flags = kline_exempt, exceed_limit, flood_exempt; + + /* class: the class the user is placed in */ + class = "krebs"; + }; + + auth { + user = "*@*"; + class = "users"; + }; + + /* privset {} blocks MUST be specified before anything that uses them. That + * means they must be defined before operator {}. + */ + privset "local_op" { + privs = oper:local_kill, oper:operwall; + }; + + privset "server_bot" { + extends = "local_op"; + privs = oper:kline, oper:remoteban, snomask:nick_changes; + }; + + privset "global_op" { + extends = "local_op"; + privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, + oper:resv, oper:mass_notice, oper:remoteban; + }; + + privset "admin" { + extends = "global_op"; + privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override; + }; + + privset "aids" { + privs = oper:override, oper:rehash; + }; + + operator "aids" { + user = "*@10.243.*"; + privset = "aids"; + flags = ~encrypted; + password = "balls"; + }; + + operator "god" { + /* name: the name of the oper must go above */ + + /* user: the user@host required for this operator. CIDR *is* + * supported now. auth{} spoofs work here, other spoofs do not. + * multiple user="" lines are supported. + */ + user = "*god@127.0.0.1"; + + /* password: the password required to oper. Unless ~encrypted is + * contained in flags = ...; this will need to be encrypted using + * mkpasswd, MD5 is supported + */ + password = "5"; + + /* rsa key: the public key for this oper when using Challenge. + * A password should not be defined when this is used, see + * doc/challenge.txt for more information. + */ + #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; + + /* umodes: the specific umodes this oper gets when they oper. + * If this is specified an oper will not be given oper_umodes + * These are described above oper_only_umodes in general {}; + */ + #umodes = locops, servnotice, operwall, wallop; + + /* fingerprint: if specified, the oper's client certificate + * fingerprint will be checked against the specified fingerprint + * below. + */ + #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b"; + + /* snomask: specific server notice mask on oper up. + * If this is specified an oper will not be given oper_snomask. + */ + snomask = "+Zbfkrsuy"; + + /* flags: misc options for the operator. You may prefix an option + * with ~ to disable it, e.g. ~encrypted. + * + * Default flags are encrypted. + * + * Available options: + * + * encrypted: the password above is encrypted [DEFAULT] + * need_ssl: must be using SSL/TLS to oper up + */ + flags = encrypted; + + /* privset: privileges set to grant */ + privset = "admin"; + }; + + service { + name = "services.int"; + }; + + cluster { + name = "*"; + flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; + }; + + shared { + oper = "*@*", "*"; + flags = all, rehash; + }; + + /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ + exempt { + ip = "127.0.0.1"; + }; + + channel { + use_invex = yes; + use_except = yes; + use_forward = yes; + use_knock = yes; + knock_delay = 5 minutes; + knock_delay_channel = 1 minute; + max_chans_per_user = 15; + max_bans = 100; + max_bans_large = 500; + default_split_user_count = 0; + default_split_server_count = 0; + no_create_on_split = no; + no_join_on_split = no; + burst_topicwho = yes; + kick_on_split_riding = no; + only_ascii_channels = no; + resv_forcepart = yes; + channel_target_change = yes; + disable_local_channels = no; + }; + + serverhide { + flatten_links = yes; + links_delay = 5 minutes; + hidden = no; + disable_hidden = no; + }; + + /* These are the blacklist settings. + * You can have multiple combinations of host and rejection reasons. + * They are used in pairs of one host/rejection reason. + * + * These settings should be adequate for most networks, and are (presently) + * required for use on StaticBox. + * + * Word to the wise: Do not use blacklists like SPEWS for blocking IRC + * connections. + * + * As of charybdis 2.2, you can do some keyword substitution on the rejection + * reason. The available keyword substitutions are: + * + * ''${ip} - the user's IP + * ''${host} - the user's canonical hostname + * ''${dnsbl-host} - the dnsbl hostname the lookup was done against + * ''${nick} - the user's nickname + * ''${network-name} - the name of the network + * + * As of charybdis 3.4, a type parameter is supported, which specifies the + * address families the blacklist supports. IPv4 and IPv6 are supported. + * IPv4 is currently the default as few blacklists support IPv6 operation + * as of this writing. + * + * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be + * contacted, via email, at admins@2mbit.com before using these BLs. + * See for more information. + */ + blacklist { + host = "rbl.efnetrbl.org"; + type = ipv4; + reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}"; + + # host = "ircbl.ahbl.org"; + # type = ipv4; + # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect."; + # + # host = "tor.ahbl.org"; + # type = ipv4; + # reject_reason = "''${nick}, your IP (''${ip}) is listed as a TOR exit node. In order to protect ''${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network."; + # + /* Example of a blacklist that supports both IPv4 and IPv6 */ + # host = "foobl.blacklist.invalid"; + # type = ipv4, ipv6; + # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect"; + }; + + alias "NickServ" { + target = "NickServ"; + }; + + alias "ChanServ" { + target = "ChanServ"; + }; + + alias "OperServ" { + target = "OperServ"; + }; + + alias "MemoServ" { + target = "MemoServ"; + }; + + alias "NS" { + target = "NickServ"; + }; + + alias "CS" { + target = "ChanServ"; + }; + + alias "OS" { + target = "OperServ"; + }; + + alias "MS" { + target = "MemoServ"; + }; + + general { + hide_error_messages = opers; + hide_spoof_ips = yes; + + /* + * default_umodes: umodes to enable on connect. + * If you have enabled the new ip_cloaking_4.0 module, and you want + * to make use of it, add +x to this option, i.e.: + * default_umodes = "+ix"; + * + * If you have enabled the old ip_cloaking module, and you want + * to make use of it, add +h to this option, i.e.: + * default_umodes = "+ih"; + */ + default_umodes = "+i"; + + default_operstring = "is an IRC Operator"; + default_adminstring = "is a Server Administrator"; + servicestring = "is a Network Service"; + disable_fake_channels = no; + tkline_expire_notices = no; + default_floodcount = 1000; + failed_oper_notice = yes; + dots_in_ident=2; + min_nonwildcard = 4; + min_nonwildcard_simple = 3; + max_accept = 100; + max_monitor = 100; + anti_nick_flood = yes; + max_nick_time = 20 seconds; + max_nick_changes = 5; + anti_spam_exit_message_time = 5 minutes; + ts_warn_delta = 30 seconds; + ts_max_delta = 5 minutes; + client_exit = yes; + collision_fnc = yes; + resv_fnc = yes; + global_snotices = yes; + dline_with_reason = yes; + kline_delay = 0 seconds; + kline_with_reason = yes; + kline_reason = "K-Lined"; + identify_service = "NickServ@services.int"; + identify_command = "IDENTIFY"; + non_redundant_klines = yes; + warn_no_nline = yes; + use_propagated_bans = yes; + stats_e_disabled = no; + stats_c_oper_only=no; + stats_h_oper_only=no; + client_flood_max_lines = 16000; + client_flood_burst_rate = 32000; + client_flood_burst_max = 32000; + client_flood_message_num = 32000; + client_flood_message_time = 32000; + use_whois_actually = no; + oper_only_umodes = operwall, locops, servnotice; + oper_umodes = locops, servnotice, operwall, wallop; + oper_snomask = "+s"; + burst_away = yes; + nick_delay = 0 seconds; # 15 minutes if you want to enable this + reject_ban_time = 1 minute; + reject_after_count = 3; + reject_duration = 5 minutes; + throttle_duration = 60; + throttle_count = 4; + max_ratelimit_tokens = 30; + away_interval = 30; + }; + + modules { + path = "modules"; + path = "modules/autoload"; + }; + + exempt { + ip = "10.243.0.0/16"; + }; + ''; +in +out diff --git a/tv/configs/consul-client.nix b/tv/configs/consul-client.nix new file mode 100644 index 000000000..0a8bf4d75 --- /dev/null +++ b/tv/configs/consul-client.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + imports = [ ./consul-server.nix ]; + + tv.consul = { + server = pkgs.lib.mkForce false; + }; +} diff --git a/tv/configs/consul-server.nix b/tv/configs/consul-server.nix new file mode 100644 index 000000000..d10f9ea75 --- /dev/null +++ b/tv/configs/consul-server.nix @@ -0,0 +1,21 @@ +{ config, ... }: + +{ + tv.consul = rec { + enable = true; + + self = config.krebs.build.host; + inherit (self) dc; + + server = true; + + hosts = with config.krebs.hosts; [ + # TODO get this list automatically from each host where tv.consul.enable is true + cd + mkdir + nomic + rmdir + #wu + ]; + }; +} diff --git a/tv/configs/cryptoroot.nix b/tv/configs/cryptoroot.nix new file mode 100644 index 000000000..04618ac4a --- /dev/null +++ b/tv/configs/cryptoroot.nix @@ -0,0 +1,4 @@ +{ ... }: + +{ +} diff --git a/tv/configs/exim-retiolum.nix b/tv/configs/exim-retiolum.nix new file mode 100644 index 000000000..851a0c625 --- /dev/null +++ b/tv/configs/exim-retiolum.nix @@ -0,0 +1,126 @@ +{ config, pkgs, ... }: + +{ + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + let + # TODO get the hostname from config.krebs.retiolum. + retiolumHostname = "${config.networking.hostName}.retiolum"; + in + { enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! +local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; +} diff --git a/tv/configs/exim-smarthost.nix b/tv/configs/exim-smarthost.nix new file mode 100644 index 000000000..c93189b8a --- /dev/null +++ b/tv/configs/exim-smarthost.nix @@ -0,0 +1,475 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) toFile; + inherit (pkgs.lib.attrsets) mapAttrs; + inherit (pkgs.lib.strings) concatMapStringsSep; +in + +{ + services.exim = + let + retiolumHostname = "${config.networking.hostName}.retiolum"; + + internet-aliases = with config.krebs.users; [ + { from = "tomislav@viljetic.de"; to = tv.mail; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = tv.mail; } + + { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; } + + { from = "mirko@viljetic.de"; to = mv.mail; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = tv.mail; } + + # TODO lists@smtp.retiolum [consul] + { from = "postmaster@krebsco.de"; to = tv.mail; } + ]; + + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + + to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); + lsearch = + mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit internet-aliases; + inherit system-aliases; + }; + in + { + enable = true; + config = + '' + primary_hostname = ${retiolumHostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". + domainlist local_domains = @ : localhost + #: viljetic.de : SHACK_REDIR_HOSTNAME + domainlist relay_to_domains = + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + # av_scanner = clamd:/tmp/clamd + # spamd_address = 127.0.0.1 783 + + # tls_advertise_hosts = * + # tls_certificate = /etc/ssl/exim.crt + # tls_privatekey = /etc/ssl/exim.pem + # (debian) tls_verify_certificates (to check client certs) + + # daemon_smtp_ports = 25 : 465 : 587 + # tls_on_connect_ports = 465 + + # qualify_domain defaults to primary_hostname + # qualify_recipient defaults to qualify_domain + + # allow_domain_literals + + never_users = root + + host_lookup = * + + # ident callbacks for all incoming SMTP calls + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + # sender_unqualified_hosts = + # recipient_unqualified_hosts = + + # percent_hack_domains = + + # arch & debian + #ignore_bounce_errors_after = 2d + #timeout_frozen_after = 7d + # debian + #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + #freeze_tell = postmaster + #trusted_users = uucp + # arch + #split_spool_directory = true + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : + # arch & debian: + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + ## feature RETIOLUM_MAIL + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + # debian: control = submission/sender_retain + # arch & debian: + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + + # Client SMTP Authorization (csa) checks on the sending host. + # Such checks do DNS lookups for special SRV records. + # require verify = csa + + accept + + + acl_check_data: + # see av_scanner + #deny malware = * + # message = This message contains a virus ($malware_name). + + # Add headers to a message if it is judged to be spam. Before enabling this, + # you must install SpamAssassin. You may also need to set the spamd_address + # option above. + # + # warn spam = nobody + # add_header = X-Spam_score: $spam_score\n\ + # X-Spam_score_int: $spam_score_int\n\ + # X-Spam_bar: $spam_bar\n\ + # X-Spam_report: $spam_report + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + warn + sender_domains = viljetic.de : shackspace.de + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + # if ipv6-enabled then instead use: + # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + + # (debian) same_domain_copy_routing = yes + # (debian) ignore private rfc1918 and APIPA addresses + # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + # 255.255.255.255 + + # Fail and bounce if the router does not find the domain in the DNS. + # I.e. no more routers are tried. + # There are a few cases where a dnslookup router will decline to accept an + # address; if such a router is expected to handle "all remaining non-local + # domains", then it is important to set no_more. + no_more + + # XXX this is only used because these "well known aliases" goto tv@cd.retiolum + # TODO bounce everything, there is no @cd.retiolum + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + # TODO this is only b/c mv here... send mv's mails somewhere else... + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + # serialize_hosts = TODO-all-slow-hosts + + remote_smtp: + driver = smtp + # debian has also stuff for tls, headers_rewrite and more here + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + + + # group = mail + # mode = 0660 + + + #address_pipe: + # driver = pipe + # return_output + # + #address_file: + # driver = appendfile + # delivery_date_add + # envelope_to_add + # return_path_add + # + #address_reply: + # driver = autoreply + + + #maildrop_pipe: + # debug_print = "T: maildrop_pipe for $local_part@$domain" + # driver = pipe + # path = "/bin:/usr/bin:/usr/local/bin" + # command = "/usr/bin/maildrop" + # return_path_add + # delivery_date_add + # envelope_to_add + + + + + + ##begin retry + # Address or Domain Error Retries + + # Our host_redirect destinations might be offline a lot. + # TODO define fallback destinations(?) + #lsearch;${lsearch.internet-aliases} * F,42d,1m + + + ## begin rewrite + + # just in case (shackspace.de should already do this) + #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T + + + ## begin authenticators + #PLAIN: + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + #LOGIN: + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + + + }; + +} + +# config = '' +# primary_hostname = ${retiolumHostname} +# domainlist local_domains = @ : localhost +# domainlist relay_to_domains = *.retiolum +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 +# +# acl_smtp_rcpt = acl_check_rcpt +# acl_smtp_data = acl_check_data +# +# host_lookup = * +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s +# +# log_file_path = syslog +# syslog_timestamp = false +# syslog_duplication = false +# +# begin acl +# +# acl_check_rcpt: +# accept hosts = : +# control = dkim_disable_verify +# +# deny message = Restricted characters in address +# domains = +local_domains +# local_parts = ^[.] : ^.*[@%!/|] +# +# deny message = Restricted characters in address +# domains = !+local_domains +# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ +# +# accept local_parts = postmaster +# domains = +local_domains +# +# #accept +# # hosts = *.retiolum +# # domains = *.retiolum +# # control = dkim_disable_verify +# +# #require verify = sender +# +# accept hosts = +relay_from_hosts +# control = submission +# control = dkim_disable_verify +# +# accept authenticated = * +# control = submission +# control = dkim_disable_verify +# +# require message = relay not permitted +# domains = +local_domains : +relay_to_domains +# +# require verify = recipient +# +# accept +# +# +# acl_check_data: +# accept +# +# +# begin routers +# +# retiolum: +# driver = manualroute +# domains = ! ${retiolumHostname} : *.retiolum +# transport = remote_smtp +# route_list = ^.* $0 byname +# no_more +# +# nonlocal: +# debug_print = "R: nonlocal for $local_part@$domain" +# driver = redirect +# domains = ! +local_domains +# allow_fail +# data = :fail: Mailing to remote domains not supported +# no_more +# +# local_user: +# # debug_print = "R: local_user for $local_part@$domain" +# driver = accept +# check_local_user +# # local_part_suffix = +* : -* +# # local_part_suffix_optional +# transport = home_maildir +# cannot_route_message = Unknown user +# +# +# begin transports +# +# remote_smtp: +# driver = smtp +# +# home_maildir: +# driver = appendfile +# maildir_format +# directory = $home/Maildir +# directory_mode = 0700 +# delivery_date_add +# envelope_to_add +# return_path_add +# # group = mail +# # mode = 0660 +# +# begin retry +# *.retiolum * F,42d,1m +# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h +# +# begin rewrite +# +# begin authenticators +# ''; +# }; +#} diff --git a/tv/configs/git.nix b/tv/configs/git.nix new file mode 100644 index 000000000..01d29012c --- /dev/null +++ b/tv/configs/git.nix @@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: + +with import ../lib { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + cgserver = {}; + crude-mail-setup = {}; + dot-xmonad = {}; + hack = {}; + load-env = {}; + make-snapshot = {}; + mime = {}; + much = {}; + nixos-infest = {}; + nixpkgs = {}; + painload = {}; + quipper = {}; + regfish = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + xintmap = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ lass makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = tv; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ lass makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out diff --git a/tv/configs/mail-client.nix b/tv/configs/mail-client.nix new file mode 100644 index 000000000..035f296b9 --- /dev/null +++ b/tv/configs/mail-client.nix @@ -0,0 +1,14 @@ +{ pkgs, ... }: + +with import ../pkgs { inherit pkgs; }; + +{ + environment.systemPackages = [ + much + msmtp + notmuch + pythonPackages.alot + qprint + w3m + ]; +} diff --git a/tv/configs/smartd.nix b/tv/configs/smartd.nix new file mode 100644 index 000000000..9c4d8b2d8 --- /dev/null +++ b/tv/configs/smartd.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + services.smartd = { + enable = true; + devices = [ + { + device = "DEVICESCAN"; + options = toString [ + "-a" + "-m ${config.krebs.users.tv.mail}" + "-s (O/../.././09|S/../.././04|L/../../6/05)" + ]; + } + ]; + }; +} diff --git a/tv/configs/synaptics.nix b/tv/configs/synaptics.nix new file mode 100644 index 000000000..c47cb9deb --- /dev/null +++ b/tv/configs/synaptics.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: + +{ + # TODO this is host specific + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; + }; +} diff --git a/tv/configs/urlwatch.nix b/tv/configs/urlwatch.nix new file mode 100644 index 000000000..a69b1519c --- /dev/null +++ b/tv/configs/urlwatch.nix @@ -0,0 +1,51 @@ +{ config, ... }: + +{ + krebs.urlwatch = { + enable = true; + mailto = config.krebs.users.tv.mail; + onCalendar = "*-*-* 05:00:00"; + urls = [ + ## nixpkgs maintenance + + # 2014-07-29 when one of the following urls change + # then we have to update the package + + # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix + https://api.github.com/repos/simple-evcorr/sec/tags + + # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix + https://thp.io/2008/urlwatch/ + + # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix + https://api.github.com/repos/ioerror/tlsdate/tags + + # 2015-02-18 + # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix + http://www.fourmilab.ch/webtools/qprint/ + + # 2014-09-24 ref https://github.com/4z3/xintmap + http://www.mathstat.dal.ca/~selinger/quipper/ + + # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3 + # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix + http://nixos.org/releases/nixops/ + + ## other + + https://nixos.org/channels/nixos-unstable/git-revision + + ## 2014-10-17 + ## TODO update ~/src/login/default.nix + #http://hackage.haskell.org/package/bcrypt + #http://hackage.haskell.org/package/cron + #http://hackage.haskell.org/package/hyphenation + #http://hackage.haskell.org/package/iso8601-time + #http://hackage.haskell.org/package/ixset-typed + #http://hackage.haskell.org/package/system-command + #http://hackage.haskell.org/package/transformers + #http://hackage.haskell.org/package/web-routes-wai + #http://hackage.haskell.org/package/web-page + ]; + }; +} diff --git a/tv/configs/urxvt.nix b/tv/configs/urxvt.nix new file mode 100644 index 000000000..89bb421aa --- /dev/null +++ b/tv/configs/urxvt.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: + +with builtins; + +let + users = [ "tv" ]; + urxvt = pkgs.rxvt_unicode; + mkService = user: { + description = "urxvt terminal daemon"; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = false; + serviceConfig = { + Restart = "always"; + User = user; + ExecStart = "${urxvt}/bin/urxvtd"; + }; + }; + +in + +{ + environment.systemPackages = [ urxvt ]; + systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); +} diff --git a/tv/configs/w110er.nix b/tv/configs/w110er.nix new file mode 100644 index 000000000..96ee8c75b --- /dev/null +++ b/tv/configs/w110er.nix @@ -0,0 +1,42 @@ +{ pkgs, ... }: + +{ + imports = [ + ../configs/smartd.nix + ]; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + ''; + + boot.initrd.availableKernelModules = [ "ahci" ]; + boot.kernelModules = [ "kvm-intel" ]; + + boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.wireless.enable = true; + + nix = { + buildCores = 4; + maxJobs = 4; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + services.logind.extraConfig = '' + HandleHibernateKey=ignore + HandleLidSwitch=ignore + HandlePowerKey=ignore + HandleSuspendKey=ignore + ''; + + system.activationScripts.powertopTunables = '' + echo 1 > /sys/module/snd_hda_intel/parameters/power_save + echo 1500 > /proc/sys/vm/dirty_writeback_centisecs + (cd /sys/bus/pci/devices + for i in *; do + echo auto > $i/power/control # defaults to 'on' + done) + ''; +} diff --git a/tv/configs/xserver.nix b/tv/configs/xserver.nix new file mode 100644 index 000000000..ec94359ee --- /dev/null +++ b/tv/configs/xserver.nix @@ -0,0 +1,41 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../configs/urxvt.nix # TODO via xserver + ]; + + services.xserver.enable = true; + + + #fonts.enableFontConfig = true; + #fonts.enableFontDir = true; + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + #services.xfs.enable = true; + #services.xserver.useXFS = "unix/:7100"; + + services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; + + #services.xserver.display = 11; + #services.xserver.tty = 11; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + #services.xserver.multitouch.enable = true; + + services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + services.xserver.windowManager.xmonad.enable = true; + services.xserver.windowManager.xmonad.enableContribAndExtras = true; + services.xserver.windowManager.default = "xmonad"; + services.xserver.desktopManager.default = "none"; + services.xserver.desktopManager.xterm.enable = false; + + services.xserver.displayManager.slim.enable = true; + #services.xserver.displayManager.auto.enable = true; + #services.xserver.displayManager.auto.user = "tv"; + #services.xserver.displayManager.job.logsXsession = true; +} diff --git a/tv/lib/default.nix b/tv/lib/default.nix new file mode 100644 index 000000000..e0a295f17 --- /dev/null +++ b/tv/lib/default.nix @@ -0,0 +1,27 @@ +{ lib, pkgs, ... }: + +let + krebs = import ../../4lib/krebs { inherit lib; }; +in + +with krebs; + +krebs // rec { + + git = import ./git.nix { + lib = krebs; + inherit pkgs; + }; + + # "7.4.335" -> "74" + majmin = with lib; x : concatStrings (take 2 (splitString "." x)); + + shell-escape = + let + isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; + in + stringAsChars (c: + if isSafeChar c then c + else if c == "\n" then "'\n'" + else "\\${c}"); +} diff --git a/tv/lib/git.nix b/tv/lib/git.nix new file mode 100644 index 000000000..2b25debdc --- /dev/null +++ b/tv/lib/git.nix @@ -0,0 +1,182 @@ +{ lib, pkgs, ... }: + +let + inherit (lib) addNames escapeShellArg makeSearchPath; + + commands = addNames { + git-receive-pack = {}; + git-upload-pack = {}; + }; + + receive-modes = addNames { + fast-forward = {}; + non-fast-forward = {}; + create = {}; + delete = {}; + merge = {}; # TODO implement in git.nix + }; + + permissions = { + fetch = { + allow-commands = [ + commands.git-upload-pack + ]; + }; + + push = ref: extra-modes: { + allow-commands = [ + commands.git-receive-pack + commands.git-upload-pack + ]; + allow-receive-ref = ref; + allow-receive-modes = [ receive-modes.fast-forward ] ++ extra-modes; + }; + }; + + refs = { + master = "refs/heads/master"; + all-heads = "refs/heads/*"; + }; + + irc-announce-script = pkgs.writeScript "irc-announce-script" '' + #! /bin/sh + set -euf + + export PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + gawk + gnused + netcat + nettools + ])} + + IRC_SERVER=$1 + IRC_PORT=$2 + IRC_NICK=$3$$ + IRC_CHANNEL=$4 + message=$5 + + export IRC_CHANNEL # for privmsg_cat + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. (debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + printf '%s' "$message" \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + + hooks = { + # TODO make this a package? + irc-announce = { nick, channel, server, port ? 6667 }: '' + #! /bin/sh + set -euf + + export PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnused + ])} + + nick=${escapeShellArg nick} + channel=${escapeShellArg channel} + server=${escapeShellArg server} + port=${toString port} + + host=$nick + cgit_endpoint=http://cgit.$host + + empty=0000000000000000000000000000000000000000 + + unset message + while read oldrev newrev ref; do + + if [ $oldrev = $empty ]; then + receive_mode=create + elif [ $newrev = $empty ]; then + receive_mode=delete + elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then + receive_mode=fast-forward + else + receive_mode=non-fast-forward + fi + + h=$(echo $ref | sed 's:^refs/heads/::') + + # empty_tree=$(git hash-object -t tree /dev/null + empty_tree=4b825dc6 + + id=$(echo $newrev | cut -b-7) + id2=$(echo $oldrev | cut -b-7) + if [ $newrev = $empty ]; then id=$empty_tree; fi + if [ $oldrev = $empty ]; then id2=$empty_tree; fi + + case $receive_mode in + create) + #git log --oneline $id2 + link="$cgit_endpoint/$GIT_SSH_REPO/?h=$h" + ;; + delete) + #git log --oneline $id2 + link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)" + ;; + fast-forward|non-fast-forward) + #git diff --stat $id..$id2 + link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2" + ;; + esac + + #$host $GIT_SSH_REPO $ref $link + message="''${message+$message + }$GIT_SSH_USER $receive_mode $link" + done + + if test -n "''${message-}"; then + exec ${irc-announce-script} \ + "$server" \ + "$port" \ + "$nick" \ + "$channel" \ + "$message" + fi + ''; + }; + +in +commands // receive-modes // permissions // refs // hooks diff --git a/tv/lib/modules.nix b/tv/lib/modules.nix new file mode 100644 index 000000000..248e638ea --- /dev/null +++ b/tv/lib/modules.nix @@ -0,0 +1,21 @@ +let + pkgs = import {}; + inherit (pkgs.lib) concatMap hasAttr; +in rec { + + no-touch-args = { + config = throw "no-touch-args: can't touch config!"; + lib = throw "no-touch-args: can't touch lib!"; + pkgs = throw "no-touch-args: can't touch pkgs!"; + }; + + # list-imports : path -> [path] + # Return a module's transitive list of imports. + # XXX duplicates won't get eliminated from the result. + list-imports = path: + let module = import path no-touch-args; + imports = if hasAttr "imports" module + then concatMap list-imports module.imports + else []; + in [path] ++ imports; +} diff --git a/tv/modules/consul.nix b/tv/modules/consul.nix new file mode 100644 index 000000000..83a430c2f --- /dev/null +++ b/tv/modules/consul.nix @@ -0,0 +1,118 @@ +{ config, lib, pkgs, ... }: + +# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect +# but -bootstrap +# TODO consul-bootstrap HOST that actually does is +# TODO tools to inspect state of a cluster in outage state + +with import ../lib { inherit lib pkgs; }; +let + cfg = config.tv.consul; + + out = { + options.tv.consul = api; + config = mkIf cfg.enable (mkMerge [ + imp + { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; } + # TODO udp for 8301 + ]); + }; + + api = { + enable = mkEnableOption "tv.consul"; + + dc = mkOption { + type = types.label; + }; + hosts = mkOption { + type = with types; listOf host; + }; + encrypt-file = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/root/src/secrets/consul-encrypt.json"; + }; + data-dir = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/var/lib/consul"; + }; + self = mkOption { + type = types.host; + }; + server = mkOption { + type = types.bool; + default = false; + }; + GOMAXPROCS = mkOption { + type = types.int; + default = cfg.self.cores; + }; + }; + + consul-config = { + datacenter = cfg.dc; + data_dir = cfg.data-dir; + log_level = "INFO"; + #node_name = + server = cfg.server; + enable_syslog = true; + retry_join = + # TODO allow consul in other nets than retiolum [maybe] + concatMap (host: host.nets.retiolum.addrs) + (filter (host: host.name != cfg.self.name) cfg.hosts); + leave_on_terminate = true; + } // optionalAttrs cfg.server { + bootstrap_expect = length cfg.hosts; + leave_on_terminate = false; + }; + + imp = { + environment.systemPackages = with pkgs; [ + consul + ]; + + systemd.services.consul = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + consul + ]; + environment = { + GOMAXPROCS = toString cfg.GOMAXPROCS; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "consul"; + User = user.name; + PrivateTmp = "true"; + Restart = "always"; + ExecStartPre = pkgs.writeScript "consul-init" '' + #! /bin/sh + mkdir -p ${cfg.data-dir} + chown ${user.name}: ${cfg.data-dir} + install -o ${user.name} -m 0400 ${cfg.encrypt-file} /tmp/encrypt.json + ''; + ExecStart = pkgs.writeScript "consul-service" '' + #! /bin/sh + set -euf + exec >/dev/null + exec consul agent \ + -config-file=${toFile "consul.json" (toJSON consul-config)} \ + -config-file=/tmp/encrypt.json + ''; + #-node=${cfg.self.fqdn} \ + #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "consul"; + uid = 2999951406; # genid consul + }; + +in +out diff --git a/tv/modules/default.nix b/tv/modules/default.nix new file mode 100644 index 000000000..bb10d8261 --- /dev/null +++ b/tv/modules/default.nix @@ -0,0 +1,9 @@ +_: + +{ + imports = [ + ./consul.nix + ./ejabberd.nix + ./iptables.nix + ]; +} diff --git a/tv/modules/ejabberd.nix b/tv/modules/ejabberd.nix new file mode 100644 index 000000000..2910a9a69 --- /dev/null +++ b/tv/modules/ejabberd.nix @@ -0,0 +1,166 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.tv.ejabberd; + + out = { + options.tv.ejabberd = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "tv.ejabberd"; + + certFile = mkOption { + type = types.str; + default = "/root/src/secrets/ejabberd.pem"; + }; + + hosts = mkOption { + type = with types; listOf str; + }; + }; + + imp = { + environment.systemPackages = [ my-ejabberdctl ]; + + systemd.services.ejabberd = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + PermissionsStartOnly = "true"; + SyslogIdentifier = "ejabberd"; + User = user.name; + ExecStartPre = pkgs.writeScript "ejabberd-start" '' + #! /bin/sh + install -o ${user.name} -m 0400 ${cfg.certFile} /etc/ejabberd/ejabberd.pem + ''; + ExecStart = pkgs.writeScript "ejabberd-service" '' + #! /bin/sh + ${my-ejabberdctl}/bin/ejabberdctl start + ''; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + home = "/var/ejabberd"; + createHome = true; + }; + }; + + user = { + name = "ejabberd"; + uid = 3499746127; # genid ejabberd + }; + + my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" '' + #! /bin/sh + set -euf + exec env \ + SPOOLDIR=/var/ejabberd \ + EJABBERD_CONFIG_PATH=${config-file} \ + ${pkgs.ejabberd}/bin/ejabberdctl \ + --logs /var/ejabberd \ + "$@" + ''; + + config-file = pkgs.writeText "ejabberd.cfg" '' + {loglevel, 3}. + {hosts, ${toErlang cfg.hosts}}. + {listen, + [ + {5222, ejabberd_c2s, [ + starttls, + {certfile, "/etc/ejabberd/ejabberd.pem"}, + {access, c2s}, + {shaper, c2s_shaper}, + {max_stanza_size, 65536} + ]}, + {5269, ejabberd_s2s_in, [ + {shaper, s2s_shaper}, + {max_stanza_size, 131072} + ]}, + {5280, ejabberd_http, [ + captcha, + http_bind, + http_poll, + web_admin + ]} + ]}. + {s2s_use_starttls, required}. + {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. + {auth_method, internal}. + {shaper, normal, {maxrate, 1000}}. + {shaper, fast, {maxrate, 50000}}. + {max_fsm_queue, 1000}. + {acl, local, {user_regexp, ""}}. + {access, max_user_sessions, [{10, all}]}. + {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. + {access, local, [{allow, local}]}. + {access, c2s, [{deny, blocked}, + {allow, all}]}. + {access, c2s_shaper, [{none, admin}, + {normal, all}]}. + {access, s2s_shaper, [{fast, all}]}. + {access, announce, [{allow, admin}]}. + {access, configure, [{allow, admin}]}. + {access, muc_admin, [{allow, admin}]}. + {access, muc_create, [{allow, local}]}. + {access, muc, [{allow, all}]}. + {access, pubsub_createnode, [{allow, local}]}. + {access, register, [{allow, all}]}. + {language, "en"}. + {modules, + [ + {mod_adhoc, []}, + {mod_announce, [{access, announce}]}, + {mod_blocking,[]}, + {mod_caps, []}, + {mod_configure,[]}, + {mod_disco, []}, + {mod_irc, []}, + {mod_http_bind, []}, + {mod_last, []}, + {mod_muc, [ + {access, muc}, + {access_create, muc_create}, + {access_persistent, muc_create}, + {access_admin, muc_admin} + ]}, + {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, + {mod_ping, []}, + {mod_privacy, []}, + {mod_private, []}, + {mod_pubsub, [ + {access_createnode, pubsub_createnode}, + {ignore_pep_from_offline, true}, + {last_item_cache, false}, + {plugins, ["flat", "hometree", "pep"]} + ]}, + {mod_register, [ + {welcome_message, {"Welcome!", + "Hi.\nWelcome to this XMPP server."}}, + {ip_access, [{allow, "127.0.0.0/8"}, + {deny, "0.0.0.0/0"}]}, + {access, register} + ]}, + {mod_roster, []}, + {mod_shared_roster,[]}, + {mod_stats, []}, + {mod_time, []}, + {mod_vcard, []}, + {mod_version, []} + ]}. + ''; + + + # XXX this is a placeholder that happens to work the default strings. + toErlang = builtins.toJSON; + +in +out diff --git a/tv/modules/iptables.nix b/tv/modules/iptables.nix new file mode 100644 index 000000000..cbf49f577 --- /dev/null +++ b/tv/modules/iptables.nix @@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.tv.iptables; + + out = { + options.tv.iptables = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "tv.iptables"; + + input-internet-accept-new-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-new-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + }; + + imp = { + networking.firewall.enable = false; + + systemd.services.tv-iptables = { + description = "tv-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} tv-iptables_start"; + }; + }; + }; + + + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + + rules = iptables-version: + pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' + *nat + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([] + ++ [ + "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" + "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ] + )} + COMMIT + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + :Retiolum - [0:0] + ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([] + ++ [ + "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" + "-i lo -j ACCEPT" + ] + ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) + ++ ["-i retiolum -j Retiolum"] + )} + ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] + ++ { + ip4tables = [ + "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" + ]; + ip6tables = [ + "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" + ]; + }."ip${toString iptables-version}tables" + ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) + ++ { + ip4tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp-port-unreachable" + "-j REJECT --reject-with icmp-proto-unreachable" + ]; + ip6tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp6-port-unreachable" + "-j REJECT" + ]; + }."ip${toString iptables-version}tables" + )} + COMMIT + ''; + + startScript = pkgs.writeScript "tv-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules 4} + ip6tables-restore < ${rules 6} + ''; + +in +out + +#let +# cfg = config.tv.iptables; +# arg' = arg // { inherit cfg; }; +#in +# +#{ +# options.tv.iptables = import ./options.nix arg'; +# config = lib.mkIf cfg.enable (import ./config.nix arg'); +#} diff --git a/tv/pkgs/charybdis/default.nix b/tv/pkgs/charybdis/default.nix new file mode 100644 index 000000000..f3e6be40e --- /dev/null +++ b/tv/pkgs/charybdis/default.nix @@ -0,0 +1,34 @@ +{ stdenv, fetchgit, bison, flex, openssl }: + +stdenv.mkDerivation rec { + name = "charybdis-3.5.0-rc1"; + + src = fetchgit { + url = "https://github.com/atheme/charybdis.git"; + rev = "61815bf9324e872f51255e09fe37a8c595f94a60"; + sha256 = "0zsd6xk2cnspc1cvryy2296p3ix4hwjd9k24wmgbh5wzks0wahwy"; + }; + + patches = [ + ./remove-setenv.patch + ]; + + configureFlags = [ + "--enable-epoll" + "--enable-ipv6" + "--enable-openssl=${openssl}" + "--enable-small-net" + "--with-program-prefix=charybdis-" + "--sysconfdir=/tmp" + ]; + + buildInputs = [ bison flex openssl ]; + + meta = { + description = "An extremely scalable ircd with some cooperation with the ratbox and ircu guys"; + homepage = https://github.com/atheme/charybdis; + license = stdenv.lib.licenses.gpl2; + maintainers = [ stdenv.lib.maintainers.lassulus ]; + platforms = stdenv.lib.platforms.linux; + }; +} diff --git a/tv/pkgs/charybdis/remove-setenv.patch b/tv/pkgs/charybdis/remove-setenv.patch new file mode 100644 index 000000000..bbaf95e19 --- /dev/null +++ b/tv/pkgs/charybdis/remove-setenv.patch @@ -0,0 +1,12 @@ +diff --git a/src/bandbi.c b/src/bandbi.c +index 03dd907..3698e85 100644 +--- a/src/bandbi.c ++++ b/src/bandbi.c +@@ -82,7 +82,6 @@ start_bandb(void) + const char *suffix = ""; + #endif + +- rb_setenv("BANDB_DBPATH", PKGLOCALSTATEDIR "/ban.db", 1); + if(bandb_path == NULL) + { + rb_snprintf(fullpath, sizeof(fullpath), "%s/bandb%s", PKGLIBEXECDIR, suffix); diff --git a/tv/pkgs/default.nix b/tv/pkgs/default.nix new file mode 100644 index 000000000..50625f868 --- /dev/null +++ b/tv/pkgs/default.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: + +let + inherit (pkgs) callPackage; + krebs = import ../../Zpkgs/krebs { inherit pkgs; }; +in + +krebs // { + charybdis = callPackage ./charybdis {}; + lentil = callPackage ./lentil {}; + much = callPackage ./much.nix {}; + viljetic-pages = callPackage ./viljetic-pages {}; +} diff --git a/tv/pkgs/lentil/1.patch b/tv/pkgs/lentil/1.patch new file mode 100644 index 000000000..1ed9818c7 --- /dev/null +++ b/tv/pkgs/lentil/1.patch @@ -0,0 +1,39 @@ +diff -rN -u old-lentil/src/Lentil/File.hs new-lentil/src/Lentil/File.hs +--- old-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 ++++ new-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 +@@ -13,10 +13,13 @@ + import Lentil.Types + import Lentil.Parse.Run + ++import System.Directory + import System.FilePath + import System.FilePath.Find ++import Data.Either + import Data.Monoid + import Control.Applicative ++import Control.Exception.Base + + import qualified Data.List as L + +@@ -36,7 +39,12 @@ + -------------- + + findIssues :: [FilePath] -> [FilePath] -> IO [Issue] +-findIssues is xs = find always (findClause is xs) "." >>= issueFinder ++findIssues is xs = ++ (mapM (try . canonicalizePath) is :: IO [Either SomeException FilePath]) >>= ++ return . rights >>= ++ mapM (\i -> find always (findClause [i] xs) i) >>= ++ return . concat >>= ++ issueFinder + + -- fp to include, fp to exclude, clause + findClause :: [FilePath] -> [FilePath] -> FindClause Bool +@@ -47,6 +55,6 @@ + (not <$> fmap getAny xc) + where + fp2fc :: FilePath -> FindClause Any +- fp2fc f = Any . L.isPrefixOf (combine "." f) <$> filePath ++ fp2fc f = Any . L.isPrefixOf f <$> filePath + -- TODO: combine funziona su windows? [feature:intermediate] + diff --git a/tv/pkgs/lentil/default.nix b/tv/pkgs/lentil/default.nix new file mode 100644 index 000000000..1385cbd4d --- /dev/null +++ b/tv/pkgs/lentil/default.nix @@ -0,0 +1,17 @@ +{ pkgs, ... }: + +(pkgs.haskellngPackages.override { + overrides = self: super: { + lentil = super.lentil.override { + mkDerivation = (attrs: self.mkDerivation (attrs // { + version = "0.1.2.7"; + sha256 = "1g3if2y41li6wyg7ffvpybqvbywiq8bf5b5fb6pz499hinzahb9d"; + patches = [ + ./1.patch + ./syntaxes.patch + ]; + doCheck = false; + })); + }; + }; +}).lentil diff --git a/tv/pkgs/lentil/syntaxes.patch b/tv/pkgs/lentil/syntaxes.patch new file mode 100644 index 000000000..a9390ae51 --- /dev/null +++ b/tv/pkgs/lentil/syntaxes.patch @@ -0,0 +1,11 @@ +diff -rN -u old-lentil/src/Lentil/Parse/Syntaxes.hs new-lentil/src/Lentil/Parse/Syntaxes.hs +--- old-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200 ++++ new-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200 +@@ -30,6 +30,7 @@ + | ext `elem` [".pas", ".pp", ".inc"] = Just pascal + | ext `elem` [".py"] = Just python + | ext `elem` [".rb"] = Just ruby ++ | ext `elem` [".nix"] = Just perl -- Nix + | ext `elem` [".pl", ".pm", ".t"] = Just perl + | ext `elem` [".sh"] = Just perl -- shell + | ext `elem` [".txt"] = Just text diff --git a/tv/pkgs/much.nix b/tv/pkgs/much.nix new file mode 100644 index 000000000..82586b422 --- /dev/null +++ b/tv/pkgs/much.nix @@ -0,0 +1,64 @@ +{ pkgs, ... }: + +let + hspkgs = pkgs.haskellngPackages.override { + overrides = self: super: { + email-header = self.callPackage ( +{ mkDerivation, attoparsec, base, base64-bytestring, bytestring +, case-insensitive, containers, exceptions, fetchgit, QuickCheck +, stdenv, tasty, tasty-quickcheck, text, text-icu, time +}: +mkDerivation { + pname = "email-header"; + version = "0.3.0"; + src = fetchgit { + url = "https://github.com/4z3/email-header"; + sha256 = "f33fba567a39b1f2448869b269c26c40d8007599c23ab83bde5b4dfd9fd76ebc"; + rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8"; + }; + buildDepends = [ + attoparsec base base64-bytestring bytestring case-insensitive + containers exceptions text text-icu time + ]; + testDepends = [ + base bytestring case-insensitive containers QuickCheck tasty + tasty-quickcheck text time + ]; + jailbreak = true; + homepage = "http://github.com/knrafto/email-header"; + description = "Parsing and rendering of email and MIME headers"; + license = stdenv.lib.licenses.bsd3; +} +) {}; + }; + }; +in + +hspkgs.callPackage ( +{ mkDerivation, aeson, attoparsec, base, base64-bytestring +, blaze-builder, bytestring, case-insensitive, containers, deepseq +, directory, docopt, email-header, fetchgit, filepath +, friendly-time, hyphenation, linebreak, old-locale, process +, random, rosezipper, safe, split, stdenv, terminal-size, text +, time, transformers, transformers-compat, unix, vector +}: +mkDerivation { + pname = "much"; + version = "0.0.0.0"; + src = fetchgit { + url = "http://cgit.nomic/much"; + sha256 = "f0bcc34456cb876d3439694d1e16db414a540e13f476fa3ff1ad70d1d3caccb2"; + rev = "bfd854e05207a073eaa983c49f27c37555ccfce5"; + }; + isLibrary = false; + isExecutable = true; + buildDepends = [ + aeson attoparsec base base64-bytestring blaze-builder bytestring + case-insensitive containers deepseq directory docopt email-header + filepath friendly-time hyphenation linebreak old-locale process + random rosezipper safe split terminal-size text time transformers + transformers-compat unix vector + ]; + license = stdenv.lib.licenses.mit; +} +) {} diff --git a/tv/pkgs/viljetic-pages/default.nix b/tv/pkgs/viljetic-pages/default.nix new file mode 100644 index 000000000..1ae55cca7 --- /dev/null +++ b/tv/pkgs/viljetic-pages/default.nix @@ -0,0 +1,16 @@ +{ pkgs, stdenv, ... }: + +stdenv.mkDerivation { + name = "viljetic-pages-0"; + phases = [ + "installPhase" + ]; + buildInputs = with pkgs; [ + imagemagick + ]; + installPhase = '' + mkdir -p $out + cp ${./index.html} $out/index.html + convert ${./logo.xpm} $out/favicon2.png + ''; +} diff --git a/tv/pkgs/viljetic-pages/index.html b/tv/pkgs/viljetic-pages/index.html new file mode 100644 index 000000000..c06b3f97b --- /dev/null +++ b/tv/pkgs/viljetic-pages/index.html @@ -0,0 +1,10 @@ + +blank page + +This page intentionally left blank. + diff --git a/tv/pkgs/viljetic-pages/logo.xpm b/tv/pkgs/viljetic-pages/logo.xpm new file mode 100644 index 000000000..bb263dad9 --- /dev/null +++ b/tv/pkgs/viljetic-pages/logo.xpm @@ -0,0 +1,24 @@ +/* XPM */ +static char *meh[] = { +/* columns rows colors chars-per-pixel */ +"16 16 2 1 ", +" c black", +". c None", +/* pixels */ +"................", +". ...... .", +". .. ...... .. .", +". .. ...... .. .", +". ...... .", +"................", +". . . .", +". .. . .. . .", +". .. . .. . .", +". . . .", +"................", +"...... . .", +"...... . .", +"...... . .", +"...... . .", +"................" +}; diff --git a/tv/systems/cd.nix b/tv/systems/cd.nix new file mode 100644 index 000000000..461fbc71e --- /dev/null +++ b/tv/systems/cd.nix @@ -0,0 +1,127 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + tvpkgs = import ../pkgs { inherit pkgs; }; +in + +{ + krebs.build.host = config.krebs.hosts.cd; + + imports = [ + ../configs/CAC-Developer-2.nix + ../configs/CAC-CentOS-7-64bit.nix + ../configs/base.nix + ../configs/consul-server.nix + ../configs/exim-smarthost.nix + ../configs/git.nix + { + imports = [ ../configs/charybdis.nix ]; + tv.charybdis = { + enable = true; + sslCert = ../../Zcerts/charybdis_cd.crt.pem; + }; + } + { + tv.ejabberd = { + enable = true; + hosts = [ "jabber.viljetic.de" ]; + }; + } + { + krebs.github-hosts-sync.enable = true; + tv.iptables.input-internet-accept-new-tcp = + singleton config.krebs.github-hosts-sync.port; + } + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + tv.iptables.input-internet-accept-new-tcp = singleton "http"; + krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; + } + { + # TODO make public_html also available to cd, cd.retiolum (AKA default) + tv.iptables.input-internet-accept-new-tcp = singleton "http"; + krebs.nginx.servers.public_html = { + server-names = singleton "cd.viljetic.de"; + locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + ''); + }; + } + { + krebs.nginx.servers.viljetic = { + server-names = singleton "viljetic.de"; + # TODO directly set root (instead via location) + locations = singleton (nameValuePair "/" '' + root ${tvpkgs.viljetic-pages}; + ''); + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.219.7.216"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.219.7.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + users.extraUsers = { + mv = { + uid = 1338; + group = "users"; + home = "/home/mv"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.mv.pubkey + ]; + }; + }; +} diff --git a/tv/systems/mkdir.nix b/tv/systems/mkdir.nix new file mode 100644 index 000000000..a88e9812e --- /dev/null +++ b/tv/systems/mkdir.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.build.host = config.krebs.hosts.mkdir; + + imports = [ + ../configs/CAC-Developer-1.nix + ../configs/CAC-CentOS-7-64bit.nix + ../configs/base.nix + ../configs/consul-server.nix + ../configs/exim-smarthost.nix + ../configs/git.nix + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "cd" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.248.167.241"; # TODO + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.248.167.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/tv/systems/nomic.nix b/tv/systems/nomic.nix new file mode 100644 index 000000000..02bdafc15 --- /dev/null +++ b/tv/systems/nomic.nix @@ -0,0 +1,100 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.build.host = config.krebs.hosts.nomic; + + imports = [ + ../configs/AO753.nix + ../configs/base.nix + ../configs/consul-server.nix + ../configs/exim-retiolum.nix + ../configs/git.nix + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + ]; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha1" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; + } + ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; + fsType = "ext4"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; + fsType = "btrfs"; + }; + + swapDevices = [ ]; + + nix = { + buildCores = 2; + maxJobs = 2; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + # TODO base + boot.tmpOnTmpfs = true; + + environment.systemPackages = with pkgs; [ + (writeScriptBin "play" '' + #! /bin/sh + set -euf + mpv() { exec ${mpv}/bin/mpv "$@"; } + case $1 in + deepmix) mpv http://deepmix.ru/deepmix128.pls;; + groovesalad) mpv http://somafm.com/play/groovesalad;; + ntslive) mpv http://listen2.ntslive.co.uk/listen.pls;; + *) + echo "$0: bad argument: $*" >&2 + exit 23 + esac + '') + rxvt_unicode.terminfo + tmux + ]; +} diff --git a/tv/systems/rmdir.nix b/tv/systems/rmdir.nix new file mode 100644 index 000000000..eebe3e677 --- /dev/null +++ b/tv/systems/rmdir.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + krebs.build.host = config.krebs.hosts.rmdir; + + imports = [ + ../configs/CAC-Developer-1.nix + ../configs/CAC-CentOS-7-64bit.nix + ../configs/base.nix + ../configs/consul-server.nix + ../configs/exim-smarthost.nix + ../configs/git.nix + { + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + krebs.retiolum = { + enable = true; + connectTo = [ + "cd" + "mkdir" + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + networking.interfaces.enp2s1.ip4 = [ + { + address = "167.88.44.94"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "167.88.44.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; +} diff --git a/tv/systems/wu.nix b/tv/systems/wu.nix new file mode 100644 index 000000000..f0835db7d --- /dev/null +++ b/tv/systems/wu.nix @@ -0,0 +1,393 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + tvpkgs = import ../pkgs { inherit pkgs; }; +in + +{ + krebs.build.host = config.krebs.hosts.wu; + + imports = [ + ../configs/w110er.nix + ../configs/base.nix + ../configs/consul-client.nix + ../configs/exim-retiolum.nix + ../configs/git.nix + ../configs/mail-client.nix + ../configs/xserver.nix + ../configs/synaptics.nix # TODO w110er if xserver is enabled + ../configs/urlwatch.nix + { + environment.systemPackages = with pkgs; [ + + # stockholm + git + gnumake + parallel + tvpkgs.genid + tvpkgs.hashPassword + tvpkgs.lentil + (pkgs.writeScriptBin "ff" '' + #! ${pkgs.bash}/bin/bash + exec sudo -u ff -i <