Merge remote-tracking branch 'cd/master'

This commit is contained in:
lassulus 2015-11-17 23:22:02 +01:00
commit 718c672e7c
14 changed files with 1260 additions and 0 deletions

View file

@ -79,6 +79,7 @@ let
imp = mkMerge [
{ krebs = import ./lass { inherit lib; }; }
{ krebs = import ./makefu { inherit lib; }; }
{ krebs = import ./mv { inherit lib; }; }
{ krebs = import ./shared { inherit lib; }; }
{ krebs = import ./tv { inherit lib; }; }
{

View file

@ -0,0 +1,39 @@
{ lib, ... }:
with lib;
{
hosts = addNames {
stro = {
cores = 4;
dc = "mv";
nets = {
retiolum = {
addrs4 = ["10.243.111.111"];
addrs6 = ["42:0:0:0:0:0:111:111"];
aliases = [
"stro.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro";
};
};
users = addNames {
mv_stro = {
mail = "mv@stro.retiolum";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxM34g1GUm5EtU00DAOlGSx8MsCWunhGTrozurj460QT7EdUbZvj0AcrQC0lP9kaZyhX+KueTjmLC+ICsnlHYeg4zoSEnSAUkccuyZxfgynVc4wrpfNAc1nHjDhDb/ulnC+8wNxvxUpI0XlBgu/Y7AbbChZj3ofv6uGGHJKfG3uSyCkt9VTCi1KwydHpe9P252N8NbopnbnkT0EMkRHruh7ICEKr4/ivmUL/IUrbFicEeCy4SeRAl8+00x4WqqvbBPzgdXn0AIjKLvus3dBoQubJNpUoXnyXJbElnit5a7QcgZJNLMbV0kf9zzCGduxkADzHkAFB9D4PuSMYt62iy12QlGbm80A9ncuwaSyJf7hPTvNbU8VyCblyfRz/SCaudUrfk5Xbxxu26FHi4hZqr3IUQt4T8pD8JWYGl4n2ZKnD8hHz/jrmNBK8h9d+VFafU9t1hRxlFsW1AhMEM+kfWClyhfTcKBKbml2a657lgUEVmlZt+18kwwsivM1QhHNTgxn5urRXRkh1VQ40UQroVuV1OUmvAngyAthF441VPGc5z7kEI+D4qjmUjSy6k4dvEy/RGfsAgJCf63zilRuUbL68f2OpxE8aeZZUXPvgdLml284pry7+C5sjlnCDoJfCj/yhdVx6mU9pWUd/Q97CLQewbsYhMzsqlBlIkXuipkDQ== mv@stro";
};
};
}

10
krebs/Zhosts/stro Normal file
View file

@ -0,0 +1,10 @@
Subnet = 10.243.111.111/32
Subnet = 42:0:0:0:0:0:111:111/128
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
-----END RSA PUBLIC KEY-----

245
mv/1systems/stro.nix Normal file
View file

@ -0,0 +1,245 @@
{ config, lib, pkgs, ... }:
with lib;
{
krebs.build.host = config.krebs.hosts.stro;
krebs.build.source.git.nixpkgs.rev =
"7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
krebs.build.target = "lolwat";
imports = [
../2configs/hw/x220.nix
../2configs/mail-client.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
# stockholm
genid
gnumake
hashPassword
lentil
parallel
(pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash
export PATH=${makeSearchPath "bin" (with pkgs; [
tmux
gnugrep
weechat
])}
if tmux list-sessions -F\#S | grep -q '^im''$'; then
exec tmux attach -t im
else
exec tmux new -s im weechat
fi
'')
# root
cryptsetup
ntp # ntpate
# tv
bc
bind # dig
#cac
dic
file
gnupg21
haskellPackages.hledger
htop
jq
manpages
mkpasswd
netcat
nix-repl
nmap
nq
p7zip
pass
posix_man_pages
qrencode
texLive
tmux
#ack
#apache-httpd
#ascii
#emacs
#es
#esniper
#gcc
#gptfdisk
#graphviz
#haskellPackages.cabal2nix
#haskellPackages.ghc
#haskellPackages.shake
#hdparm
#i7z
#iftop
#imagemagick
#inotifyTools
#iodine
#iotop
#lshw
#lsof
#minicom
#mtools
#ncmpc
#nethogs
#nix-prefetch-scripts #cvs bug
#openssl
#openswan
#parted
#perl
#powertop
#ppp
#proot
#pythonPackages.arandr
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
#scrot
#sec
#silver-searcher
#sloccount
#smartmontools
#socat
#sshpass
#strongswan
#sysdig
#sysstat
#tcpdump
#tlsdate
#unetbootin
#utillinuxCurses
#wvdial
#xdotool
#xkill
#xl2tpd
#xsel
unison
];
}
{
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
"ssh"
"http"
"tinc"
"smtp"
];
};
}
{
krebs.exim-retiolum.enable = true;
}
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
}
{
krebs.retiolum = {
enable = true;
connectTo = [
"cd"
"gum"
"pigstarter"
];
};
}
];
boot.initrd.luks = {
cryptoModules = [ "aes" "sha512" "xts" ];
devices = [
{ name = "xuca"; device = "/dev/sda2"; }
];
};
fileSystems = {
"/" = {
device = "/dev/mapper/xuvga-root";
fsType = "btrfs";
options = "defaults,noatime,ssd,compress=lzo";
};
"/home" = {
device = "/dev/mapper/xuvga-home";
fsType = "btrfs";
options = "defaults,noatime,ssd,compress=lzo";
};
"/boot" = {
device = "/dev/sda1";
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = "nosuid,nodev,noatime";
};
};
nixpkgs.config.chromium.enablePepperFlash = true;
#nixpkgs.config.allowUnfreePredicate = pkg:
# pkgs.lib.hasPrefix "virtualbox" pkg.name;
#nixpkgs.config.allowUnfree = true;
#hardware.bumblebee.enable = true;
#hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
#hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
environment.systemPackages = with pkgs; [
#xlibs.fontschumachermisc
#slock
ethtool
#firefoxWrapper # with plugins
#chromiumDevWrapper
tinc
iptables
#jack2
gptfdisk
];
security.setuidPrograms = [
"sendmail" # for cron
];
services.printing.enable = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
];
#virtualisation.libvirtd.enable = true;
#services.bitlbee.enable = true;
#services.tor.client.enable = true;
#services.tor.enable = true;
#nixpkgs.config.virtualbox.enableExtensionPack = true;
# XXX Enable for maximum slowness:
virtualisation.virtualbox.host.enable = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
}

194
mv/2configs/default.nix Normal file
View file

@ -0,0 +1,194 @@
{ config, lib, pkgs, ... }:
with lib;
{
krebs.enable = true;
krebs.build = {
user = config.krebs.users.tv;
target = mkDefault "root@${config.krebs.build.host.name}";
source = {
git.nixpkgs = {
url = mkDefault https://github.com/NixOS/nixpkgs;
rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
target-path = mkDefault "/var/src/nixpkgs";
};
dir.secrets = {
path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
};
dir.stockholm = {
path = mkDefault "/home/tv/stockholm";
target-path = mkDefault "/var/src/stockholm";
};
};
};
networking.hostName = config.krebs.build.host.name;
imports = [
<secrets>
./vim.nix
{
# stockholm dependencies
environment.systemPackages = with pkgs; [
git
];
}
{
users = {
defaultUserShell = "/run/current-system/sw/bin/bash";
mutableUsers = false;
users = {
tv = {
isNormalUser = true;
uid = 1337;
};
};
};
}
{
security.sudo.extraConfig = ''
Defaults mailto="${config.krebs.users.tv.mail}"
'';
time.timeZone = "Europe/Berlin";
}
{
# TODO check if both are required:
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
nix.trustedBinaryCaches = [
"https://cache.nixos.org"
"http://cache.nixos.org"
"http://hydra.nixos.org"
];
nix.useChroot = true;
}
{
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
rxvt_unicode.terminfo
];
environment.shellAliases = mkForce {
# alias cal='cal -m3'
gp = "${pkgs.pari}/bin/gp -q";
df = "df -h";
du = "du -h";
# alias grep='grep --color=auto'
# TODO alias cannot contain #\'
# "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
# alias la='ls -lA'
lAtr = "ls -lAtr";
# alias ll='ls -l'
ls = "ls -h --color=auto --group-directories-first";
dmesg = "dmesg -L --reltime";
view = "vim -R";
reload = "systemctl reload";
restart = "systemctl restart";
start = "systemctl start";
status = "systemctl status";
stop = "systemctl stop";
};
environment.variables = {
NIX_PATH =
with config.krebs.build.source; with dir; with git;
mkForce (concatStringsSep ":" [
"nixpkgs=${nixpkgs.target-path}"
"secrets=${stockholm.target-path}/null"
]);
};
programs.bash = {
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
${readFile ./bash_completion.sh}
# TODO source bridge
'';
promptInit = ''
case $UID in
0)
PS1='\[\e[1;31m\]\w\[\e[0m\] '
;;
1337)
PS1='\[\e[1;32m\]\w\[\e[0m\] '
;;
*)
PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
;;
esac
if test -n "$SSH_CLIENT"; then
PS1='\[\e[35m\]\h'" $PS1"
fi
if test -n "$SSH_AGENT_PID"; then
PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
fi
'';
};
programs.ssh.startAgent = false;
}
{
services.cron.enable = false;
services.nscd.enable = false;
services.ntp.enable = false;
}
{
boot.kernel.sysctl = {
# Enable IPv6 Privacy Extensions
"net.ipv6.conf.all.use_tempaddr" = 2;
"net.ipv6.conf.default.use_tempaddr" = 2;
};
}
{
services.openssh = {
enable = true;
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
}
{
# TODO: exim
security.setuidPrograms = [
"sendmail" # for sudo
];
}
{
environment.systemPackages = [
pkgs.get
pkgs.krebszones
pkgs.nix-prefetch-scripts
pkgs.push
];
}
{
systemd.tmpfiles.rules = let
forUsers = flip map users;
isUser = { group, ... }: hasSuffix "users" group;
users = filter isUser (mapAttrsToList (_: id) config.users.users);
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
}
];
}

77
mv/2configs/hw/x220.nix Normal file
View file

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
{
imports = [
../smartd.nix
];
boot.initrd.availableKernelModules = [
"aesni-intel"
"ahci"
"fbcon"
"i915"
];
boot.kernelModules = [
"kvm-intel"
"msr"
"tp-smapi"
];
boot.extraModulePackages = [
config.boot.kernelPackages.tp_smapi
];
# disabled for fbcon and i915 to kick in or to disable the kernelParams
# XXX: investigate
boot.vesa = false;
boot.loader.gummiboot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.wireless.enable = true;
#hardware.enableAllFirmware = true;
#nixpkgs.config.allowUnfree = true;
#zramSwap.enable = true;
#zramSwap.numDevices = 2;
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
'';
nix = {
buildCores = 2;
maxJobs = 2;
daemonIONiceLevel = 1;
daemonNiceLevel = 1;
};
services.logind.extraConfig = ''
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandlePowerKey=ignore
HandleSuspendKey=ignore
'';
services.xserver = {
videoDriver = "intel";
#vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
#deviceSection = ''
# Option "AccelMethod" "sna"
#'';
};
#services.xserver.displayManager.sessionCommands =''
# xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1
# xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2
# xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
#'';
}

View file

@ -0,0 +1,13 @@
{ pkgs, ... }:
with pkgs;
{
environment.systemPackages = [
much
msmtp
notmuch
pythonPackages.alot
qprint
w3m
];
}

17
mv/2configs/smartd.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, pkgs, ... }:
{
services.smartd = {
enable = true;
devices = [
{
device = "DEVICESCAN";
options = toString [
"-a"
"-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)"
];
}
];
};
}

123
mv/2configs/vim.nix Normal file
View file

@ -0,0 +1,123 @@
{ lib, pkgs, ... }:
with lib;
let
out = {
environment.systemPackages = [
pkgs.vim
];
# Nano really is just a stupid name for Vim.
nixpkgs.config.packageOverrides = pkgs: {
nano = pkgs.vim;
};
environment.etc.vimrc.source = vimrc;
environment.variables.EDITOR = mkForce "vim";
environment.variables.VIMINIT = ":so /etc/vimrc";
};
extra-runtimepath = concatStringsSep "," [
"${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree"
];
vimrc = pkgs.writeText "vimrc" ''
set nocompatible
set autoindent
set backspace=indent,eol,start
set backup
set backupdir=$HOME/.vim/backup/
set directory=$HOME/.vim/cache//
set hlsearch
set incsearch
set mouse=a
set noruler
set pastetoggle=<INS>
set runtimepath=${extra-runtimepath},$VIMRUNTIME
set shortmess+=I
set showcmd
set showmatch
set ttimeoutlen=0
set undodir=$HOME/.vim/undo
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu
set wildmode=longest,full
set et ts=2 sts=2 sw=2
filetype plugin indent on
set t_Co=256
colorscheme industry
syntax on
au Syntax * syn match Tabstop containedin=ALL /\t\+/
\ | hi Tabstop ctermbg=16
\ | syn match TrailingSpace containedin=ALL /\s\+$/
\ | hi TrailingSpace ctermbg=88
\ | hi Normal ctermfg=White
au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" ''
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
''}
au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" ''
setf nix
set isk=@,48-57,_,192-255,-,'
" Ref <nix/src/libexpr/lexer.l>
syn match INT /\<[0-9]\+\>/
syn match PATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match HPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match SPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match URI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
hi link INT Constant
hi link PATH Constant
hi link HPATH Constant
hi link SPATH Constant
hi link URI Constant
syn match String /"\([^\\"]\|\\.\)*"/
syn match Comment /\(^\|\s\)#.*/
''}
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
nmap <esc>q :buffer
nmap <M-q> :buffer
cnoremap <C-A> <Home>
noremap <C-c> :q<cr>
nnoremap <esc>[5^ :tabp<cr>
nnoremap <esc>[6^ :tabn<cr>
nnoremap <esc>[5@ :tabm -1<cr>
nnoremap <esc>[6@ :tabm +1<cr>
nnoremap <f1> :tabp<cr>
nnoremap <f2> :tabn<cr>
inoremap <f1> <esc>:tabp<cr>
inoremap <f2> <esc>:tabn<cr>
" <C-{Up,Down,Right,Left>
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
" <[C]S-{Up,Down,Right,Left>
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
vnoremap u <nop>
'';
in
out

View file

@ -0,0 +1,215 @@
{ config, lib, pkgs, ... }:
with lib;
pkgs.writeText "Xresources" ''
!URxvt*background: #050505
! 2013-02-25 \e was reas escape before
! *VT100.Translations: #override\
! :<Btn4Down>: string("\e[5~")\n\
! :<Btn5Down>: string("\e[6~")
! XTerm*VT100*Translations: #override \
! Shift<Key>Return: string(" &") string(0x0A) \n\
! Meta<Key>Return: string(" | less") string(0x0A) \n\
! ~Shift<Key>Prior: scroll-back(1,page) \n\
! ~Shift<Key>Next: scroll-forw(1,page) \n\
! Shift<Key>Prior: scroll-back(1) \n\
! Shift<Key>Next: scroll-forw(1) \n\
! <Key>Delete: string(0x1b) string("[2~")
! \n\
! <Key>BackSpace: string(0x7f)
! 2013-02-2013-02-25
! ! <M-c>: load bash-completion (if not already)
! URxvt*VT100*Translations: #override\
! Meta<KeyPress>c:\
! string("\eOH# \eOF\n+compl\n\eOA\eOA\eOH\e[3~\e[3~\eOF")\
! string(0x7)\n
! do not scroll automatically on output:
! XTerm*scrollTtyOutput: false
URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}"
! URxvt*secondaryScreen: false
! URxvt*loginShell: true
URxvt*eightBitInput: false
! *eightBitOutput: 1
! URxvt*decTerminalID: 220
! URxvt*utf8: 1
! URxvt*locale: UTF-8
! XTerm*customization: -color
URxvt*SaveLines: 4096
URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
! 2013-05-23 if this does not work try
! xset +fp /usr/share/fonts/local/
! xset fp rehash
! URxvt*font: -*-termsynu-edium-*-*-*-12-*-*-*-*-*-iso10646-1
! URxvt*boldFont: -*-termsynu-bold-*-*-*-12-*-*-*-*-*-iso10646-1
!
!-misc-termsynu-medium-r-normal--12-87-100-100-c-70-iso10646-1
! XTerm*font: -misc-fixed-medium-r-normal--13-120-75-75-c-80-iso10646-1
URxvt*scrollBar: false
! XTerm*font:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
! URxvt*boldFont:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
URxvt*background: #050505
! URxvt*background: #041204
!URxvt.depth: 32
!URxvt*background: rgba:0500/0500/0500/cccc
! URxvt*background: #080810
URxvt*foreground: #d0d7d0
! URxvt*background: black
! URxvt*foreground: white
! URxvt*background: rgb:00/00/40
! URxvt*foreground: rgb:a0/a0/d0
! XTerm*cursorColor: rgb:00/00/60
URxvt*cursorColor: #f042b0
URxvt*cursorColor2: #f0b000
URxvt*cursorBlink: off
! URxvt*cursorUnderline: true
! URxvt*highlightColor: #232323
! URxvt*highlightTextColor: #b0ffb0
URxvt*.pointerBlank: true
URxvt*.pointerBlankDelay: 987654321
URxvt*.pointerColor: #f042b0
URxvt*.pointerColor2: #050505
! URxvt*fading: 50
! URxvt*fadeColor: #0f0f0f
! XTerm*colorMode: on
! URxvt*dynamicColors: on
! URxvt*boldColors: off
URxvt*jumpScroll: true
! allow synthetic events for fvwm, so pass window specific keys
! XTerm*allowSendEvents: true
URxvt*allowSendEvents: false
! better double/tripple clicking in xterms
! Format: csv, [low-]high:value
!
! extend character class 48 due they are used in urls
! (see: man xterm; /CHARACTER CLASSES)
! ! % -./ @ & = ?
URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
URxvt*cutNewline: False
URxvt*cutToBeginningOfLine: False
! BLACK for indigo background
URxvt*color0: #232342
! TODO: man xterm; /ACTIONS
! *VT100*colorULMode: on
! XTerm*underLine: on
!
! URxvt*color0: black
! URxvt*color1: red3
! URxvt*color2: green3
! URxvt*color3: yellow3
! URxvt*color4: blue2
! URxvt*color5: magenta3
! URxvt*color6: cyan3
! URxvt*color7: gray90
! URxvt*color8: burlywood1
! URxvt*color9: sienna1
! URxvt*color10: PaleVioletRed1
! URxvt*color11: LightSkyBlue
! URxvt*color12: white
! URxvt*color13: white
! URxvt*color14: white
! URxvt*color33: #f0b0f0
! URxvt*color0: #000000
! URxvt*color1: #c00000
! URxvt*color2: #80c070
URxvt*color3: #c07000
! URxvt*color4: #0000c0
URxvt*color4: #4040c0
! URxvt*color5: #c000c0
! URxvt*color6: #008080
URxvt*color7: #c0c0c0
URxvt*color8: #707070
URxvt*color9: #ff6060
URxvt*color10: #70ff70
URxvt*color11: #ffff70
URxvt*color12: #7070ff
URxvt*color13: #ff50ff
URxvt*color14: #70ffff
URxvt*color15: #ffffff
! XTerm*color91: #000070
! XTerm*color92: #000080
! XTerm*color93: #000090
! XTerm*color94: #0000a0
! XTerm*color95: #0000b0
! XTerm*color96: #0000c0
! XTerm*color97: #0000d0
! XTerm*color98: #0000e0
! XTerm*color99: #0000f0
! !! vim-create-colorscheme {{{
! !! Question cterm=none
! XTerm*color20: #f0b000
! !! }}}
!
!
! #include ".xrdb/look-zenburn.xrdb"
! #include ".xrdb/xterm.xrdb"
! URxvt.perl-ext: matcher
! URxvt.urlLauncher: cr
! URxvt.underlineColor: blue
! URxvt.matcher.button: 1
! URxvt.perl-ext: default,matcher
! URxvt.urlLauncher: cr
! URxvt.matcher.pattern.1: \\bwww\\.[\\w-]+\\.[\\w./?&@#-]*[\\w/-]
! URxvt.underlineColor: blue
! 2014-05-12 von lass
!URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
!URxvt.url-select.launcher: /home/tv/bin/ff -new-tab
!URxvt.url-select.underline: true
!URxvt.keysym.M-u: perl:url-select:select_next
!URxvt.keysym.M-Escape: perl:keyboard-select:activate
!URxvt.keysym.M-s: perl:keyboard-select:search
! 2013-02-25 I neve use this
URxvt*iso14755: False
URxvt*urgentOnBell: True
URxvt*visualBell: True
! ref https://github.com/muennich/urxvt-perls
URxvt*perl-ext: default,url-select
URxvt*keysym.M-u: perl:url-select:select_next
URxvt*url-select.launcher: ${pkgs.ff}/bin/ff -new-tab
URxvt*url-select.underline: true
URxvt*colorUL: #4682B4
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
root-urxvt*background: #230000
root-urxvt*foreground: #e0c0c0
root-urxvt*BorderColor: #400000
root-urxvt*color0: #800000
''

View file

@ -0,0 +1,153 @@
{ config, lib, pkgs, ... }@args:
with lib;
let
# TODO krebs.build.user
user = config.users.users.tv;
out = {
services.xserver.display = 11;
services.xserver.tty = 11;
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
accelFactor = "0.035";
};
fonts.fonts = [
pkgs.xlibs.fontschumachermisc
];
systemd.services.urxvtd = {
wantedBy = [ "multi-user.target" ];
reloadIfChanged = true;
serviceConfig = {
ExecReload = need-reload "urxvtd.service";
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = user.name;
};
};
environment.systemPackages = [
pkgs.ff
pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.pavucontrol
pkgs.slock
pkgs.sxiv
pkgs.xsel
pkgs.zathura
];
security.setuidPrograms = [
"slock"
];
systemd.services.display-manager = mkForce {};
services.xserver.enable = true;
systemd.services.xmonad = {
wantedBy = [ "multi-user.target" ];
requires = [ "xserver.service" ];
environment = xmonad-environment;
serviceConfig = {
ExecStart = "${xmonad-start}/bin/xmonad";
ExecStop = "${xmonad-stop}/bin/xmonad-stop";
User = user.name;
WorkingDirectory = user.home;
};
};
systemd.services.xserver = {
after = [
"systemd-udev-settle.service"
"local-fs.target"
"acpid.service"
];
reloadIfChanged = true;
environment = xserver-environment;
serviceConfig = {
ExecReload = need-reload "xserver.service";
ExecStart = "${xserver}/bin/xserver";
};
};
};
xmonad-environment = {
DISPLAY = ":${toString config.services.xserver.display}";
XMONAD_STATE = "/tmp/xmonad.state";
# XXX JSON is close enough :)
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
"Dashboard" # we start here
"23"
"cr"
"ff"
"hack"
"im"
"mail"
"stockholm"
"za" "zh" "zj" "zs"
]);
};
xmonad-start = pkgs.writeScriptBin "xmonad" ''
#! ${pkgs.bash}/bin/bash
set -efu
export PATH; PATH=${makeSearchPath "bin" [
pkgs.rxvt_unicode
]}:/var/setuid-wrappers
settle() {(
# Use PATH for a clean journal
command=''${1##*/}
PATH=''${1%/*}; export PATH
shift
until "$command" "$@"; do
${pkgs.coreutils}/bin/sleep 1
done
)&}
settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args}
settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c'
exec ${pkgs.xmonad-tv}/bin/xmonad
'';
xmonad-stop = pkgs.writeScriptBin "xmonad-stop" ''
#! /bin/sh
exec ${pkgs.xmonad-tv}/bin/xmonad --shutdown
'';
xserver-environment = {
XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
LD_LIBRARY_PATH = concatStringsSep ":" (
[ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
};
xserver = pkgs.writeScriptBin "xserver" ''
#! /bin/sh
set -efu
exec ${pkgs.xorg.xorgserver}/bin/X \
:${toString config.services.xserver.display} \
vt${toString config.services.xserver.tty} \
-config ${import ./xserver.conf.nix args} \
-logfile /var/log/X.${toString config.services.xserver.display}.log \
-nolisten tcp \
-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \
'';
need-reload = s: let
pkg = pkgs.writeScriptBin "need-reload" ''
#! /bin/sh
echo "$*"
'';
in "${pkg}/bin/need-reload ${s}";
in out

View file

@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver;
in
pkgs.stdenv.mkDerivation {
name = "xserver.conf";
xfs = optionalString (cfg.useXFS != false)
''FontPath "${toString cfg.useXFS}"'';
inherit (cfg) config;
buildCommand =
''
echo 'Section "Files"' >> $out
echo $xfs >> $out
for i in ${toString config.fonts.fonts}; do
if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
for j in $(find $i -name fonts.dir); do
echo " FontPath \"$(dirname $j)\"" >> $out
done
fi
done
for i in $(find ${toString cfg.modules} -type d); do
if test $(echo $i/*.so* | wc -w) -ne 0; then
echo " ModulePath \"$i\"" >> $out
fi
done
echo 'EndSection' >> $out
echo "$config" >> $out
'';
}

7
mv/3modules/default.nix Normal file
View file

@ -0,0 +1,7 @@
_:
{
imports = [
./iptables.nix
];
}

126
mv/3modules/iptables.nix Normal file
View file

@ -0,0 +1,126 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
let
cfg = config.tv.iptables;
out = {
options.tv.iptables = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.iptables";
input-internet-accept-new-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-new-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
};
imp = {
networking.firewall.enable = false;
systemd.services.tv-iptables = {
description = "tv-iptables";
wantedBy = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = with pkgs; [
iptables
];
restartIfChanged = true;
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
Restart = "always";
ExecStart = "@${startScript} tv-iptables_start";
};
};
};
accept-new-tcp = port:
"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
rules = iptables-version:
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
++ [
"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]
)}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Retiolum - [0:0]
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
++ [
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"-i lo -j ACCEPT"
]
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ {
ip4tables = [
"-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
];
ip6tables = [
"-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
];
}."ip${toString iptables-version}tables"
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
COMMIT
'';
startScript = pkgs.writeScript "tv-iptables_start" ''
#! /bin/sh
set -euf
iptables-restore < ${rules 4}
ip6tables-restore < ${rules 6}
'';
in
out
#let
# cfg = config.tv.iptables;
# arg' = arg // { inherit cfg; };
#in
#
#{
# options.tv.iptables = import ./options.nix arg';
# config = lib.mkIf cfg.enable (import ./config.nix arg');
#}