stockholm/nin/2configs/default.nix

174 lines
4.4 KiB
Nix
Raw Normal View History

2017-01-12 22:21:21 +01:00
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
2017-01-15 19:54:54 +01:00
../2configs/vim.nix
2017-01-12 22:21:21 +01:00
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
{
2017-01-15 19:41:22 +01:00
users.users = {
2017-01-12 22:21:21 +01:00
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
2017-01-15 19:39:25 +01:00
nin = {
2017-01-12 22:21:21 +01:00
name = "nin";
uid = 1337;
home = "/home/nin";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
"audio"
"fuse"
];
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
};
}
{
environment.variables = {
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
}
(let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
environment.variables = {
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
})
2017-01-26 22:20:31 +01:00
{
nix = {
binaryCaches = ["http://cache.prism.r"];
binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
};
}
2017-01-12 22:21:21 +01:00
];
networking.hostName = config.krebs.build.host.name;
nix.maxJobs = config.krebs.build.host.cores;
krebs = {
enable = true;
2017-05-23 22:45:52 +02:00
search-domain = "r";
2017-01-12 22:21:21 +01:00
build = {
user = config.krebs.users.nin;
};
};
nix.useSandbox = true;
2017-01-15 19:43:28 +01:00
users.mutableUsers = false;
2017-01-12 22:21:21 +01:00
services.timesyncd.enable = true;
#why is this on in the first place?
services.nscd.enable = false;
boot.tmpOnTmpfs = true;
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -"
];
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
'';
nixpkgs.config.allowUnfree = true;
2017-01-26 21:25:18 +01:00
environment.shellAliases = {
gs = "git status";
};
2017-01-12 22:21:21 +01:00
environment.systemPackages = with pkgs; [
#stockholm
git
gnumake
jq
proot
populate
p7zip
2017-01-26 22:45:42 +01:00
termite
2017-01-12 22:21:21 +01:00
unzip
unrar
2017-01-19 23:19:32 +01:00
hashPassword
2017-01-12 22:21:21 +01:00
];
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
'';
promptInit = ''
if test $UID = 0; then
2017-01-15 19:56:17 +01:00
PS1='\[\033[1;31m\]$PWD\[\033[0m\] '
2017-01-12 22:21:21 +01:00
elif test $UID = 1337; then
2017-01-15 19:56:17 +01:00
PS1='\[\033[1;32m\]$PWD\[\033[0m\] '
2017-01-12 22:21:21 +01:00
else
2017-01-15 19:56:17 +01:00
PS1='\[\033[1;33m\]\u@$PWD\[\033[0m\] '
2017-01-12 22:21:21 +01:00
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
fi
'';
};
services.openssh = {
enable = true;
hostKeys = [
# XXX bits here make no science
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
krebs.iptables = {
enable = true;
tables = {
nat.PREROUTING.rules = [
{ predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
];
nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
};
networking.dhcpcd.extraConfig = ''
noipv4ll
'';
}