Merge remote-tracking branch 'cd/master'
This commit is contained in:
commit
718c672e7c
|
@ -79,6 +79,7 @@ let
|
|||
imp = mkMerge [
|
||||
{ krebs = import ./lass { inherit lib; }; }
|
||||
{ krebs = import ./makefu { inherit lib; }; }
|
||||
{ krebs = import ./mv { inherit lib; }; }
|
||||
{ krebs = import ./shared { inherit lib; }; }
|
||||
{ krebs = import ./tv { inherit lib; }; }
|
||||
{
|
||||
|
|
39
krebs/3modules/mv/default.nix
Normal file
39
krebs/3modules/mv/default.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{ lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
hosts = addNames {
|
||||
stro = {
|
||||
cores = 4;
|
||||
dc = "mv";
|
||||
nets = {
|
||||
retiolum = {
|
||||
addrs4 = ["10.243.111.111"];
|
||||
addrs6 = ["42:0:0:0:0:0:111:111"];
|
||||
aliases = [
|
||||
"stro.retiolum"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
|
||||
vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
|
||||
FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
|
||||
ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
|
||||
oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
|
||||
XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
||||
'';
|
||||
};
|
||||
};
|
||||
ssh.privkey.path = <secrets/ssh.ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro";
|
||||
};
|
||||
};
|
||||
users = addNames {
|
||||
mv_stro = {
|
||||
mail = "mv@stro.retiolum";
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxM34g1GUm5EtU00DAOlGSx8MsCWunhGTrozurj460QT7EdUbZvj0AcrQC0lP9kaZyhX+KueTjmLC+ICsnlHYeg4zoSEnSAUkccuyZxfgynVc4wrpfNAc1nHjDhDb/ulnC+8wNxvxUpI0XlBgu/Y7AbbChZj3ofv6uGGHJKfG3uSyCkt9VTCi1KwydHpe9P252N8NbopnbnkT0EMkRHruh7ICEKr4/ivmUL/IUrbFicEeCy4SeRAl8+00x4WqqvbBPzgdXn0AIjKLvus3dBoQubJNpUoXnyXJbElnit5a7QcgZJNLMbV0kf9zzCGduxkADzHkAFB9D4PuSMYt62iy12QlGbm80A9ncuwaSyJf7hPTvNbU8VyCblyfRz/SCaudUrfk5Xbxxu26FHi4hZqr3IUQt4T8pD8JWYGl4n2ZKnD8hHz/jrmNBK8h9d+VFafU9t1hRxlFsW1AhMEM+kfWClyhfTcKBKbml2a657lgUEVmlZt+18kwwsivM1QhHNTgxn5urRXRkh1VQ40UQroVuV1OUmvAngyAthF441VPGc5z7kEI+D4qjmUjSy6k4dvEy/RGfsAgJCf63zilRuUbL68f2OpxE8aeZZUXPvgdLml284pry7+C5sjlnCDoJfCj/yhdVx6mU9pWUd/Q97CLQewbsYhMzsqlBlIkXuipkDQ== mv@stro";
|
||||
};
|
||||
};
|
||||
}
|
10
krebs/Zhosts/stro
Normal file
10
krebs/Zhosts/stro
Normal file
|
@ -0,0 +1,10 @@
|
|||
Subnet = 10.243.111.111/32
|
||||
Subnet = 42:0:0:0:0:0:111:111/128
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
|
||||
vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
|
||||
FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
|
||||
ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
|
||||
oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
|
||||
XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
245
mv/1systems/stro.nix
Normal file
245
mv/1systems/stro.nix
Normal file
|
@ -0,0 +1,245 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
krebs.build.host = config.krebs.hosts.stro;
|
||||
|
||||
krebs.build.source.git.nixpkgs.rev =
|
||||
"7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
|
||||
|
||||
krebs.build.target = "lolwat";
|
||||
|
||||
imports = [
|
||||
../2configs/hw/x220.nix
|
||||
../2configs/mail-client.nix
|
||||
../2configs/xserver
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
# stockholm
|
||||
genid
|
||||
gnumake
|
||||
hashPassword
|
||||
lentil
|
||||
parallel
|
||||
(pkgs.writeScriptBin "im" ''
|
||||
#! ${pkgs.bash}/bin/bash
|
||||
export PATH=${makeSearchPath "bin" (with pkgs; [
|
||||
tmux
|
||||
gnugrep
|
||||
weechat
|
||||
])}
|
||||
if tmux list-sessions -F\#S | grep -q '^im''$'; then
|
||||
exec tmux attach -t im
|
||||
else
|
||||
exec tmux new -s im weechat
|
||||
fi
|
||||
'')
|
||||
|
||||
# root
|
||||
cryptsetup
|
||||
ntp # ntpate
|
||||
|
||||
# tv
|
||||
bc
|
||||
bind # dig
|
||||
#cac
|
||||
dic
|
||||
file
|
||||
gnupg21
|
||||
haskellPackages.hledger
|
||||
htop
|
||||
jq
|
||||
manpages
|
||||
mkpasswd
|
||||
netcat
|
||||
nix-repl
|
||||
nmap
|
||||
nq
|
||||
p7zip
|
||||
pass
|
||||
posix_man_pages
|
||||
qrencode
|
||||
texLive
|
||||
tmux
|
||||
|
||||
#ack
|
||||
#apache-httpd
|
||||
#ascii
|
||||
#emacs
|
||||
#es
|
||||
#esniper
|
||||
#gcc
|
||||
#gptfdisk
|
||||
#graphviz
|
||||
#haskellPackages.cabal2nix
|
||||
#haskellPackages.ghc
|
||||
#haskellPackages.shake
|
||||
#hdparm
|
||||
#i7z
|
||||
#iftop
|
||||
#imagemagick
|
||||
#inotifyTools
|
||||
#iodine
|
||||
#iotop
|
||||
#lshw
|
||||
#lsof
|
||||
#minicom
|
||||
#mtools
|
||||
#ncmpc
|
||||
#nethogs
|
||||
#nix-prefetch-scripts #cvs bug
|
||||
#openssl
|
||||
#openswan
|
||||
#parted
|
||||
#perl
|
||||
#powertop
|
||||
#ppp
|
||||
#proot
|
||||
#pythonPackages.arandr
|
||||
#pythonPackages.youtube-dl
|
||||
#racket
|
||||
#rxvt_unicode-with-plugins
|
||||
#scrot
|
||||
#sec
|
||||
#silver-searcher
|
||||
#sloccount
|
||||
#smartmontools
|
||||
#socat
|
||||
#sshpass
|
||||
#strongswan
|
||||
#sysdig
|
||||
#sysstat
|
||||
#tcpdump
|
||||
#tlsdate
|
||||
#unetbootin
|
||||
#utillinuxCurses
|
||||
#wvdial
|
||||
#xdotool
|
||||
#xkill
|
||||
#xl2tpd
|
||||
#xsel
|
||||
|
||||
unison
|
||||
];
|
||||
}
|
||||
{
|
||||
tv.iptables = {
|
||||
enable = true;
|
||||
input-internet-accept-new-tcp = [
|
||||
"ssh"
|
||||
"http"
|
||||
"tinc"
|
||||
"smtp"
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
krebs.exim-retiolum.enable = true;
|
||||
}
|
||||
{
|
||||
krebs.nginx = {
|
||||
enable = true;
|
||||
servers.default.locations = [
|
||||
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
|
||||
alias /home/$1/public_html$2;
|
||||
'')
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
krebs.retiolum = {
|
||||
enable = true;
|
||||
connectTo = [
|
||||
"cd"
|
||||
"gum"
|
||||
"pigstarter"
|
||||
];
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
boot.initrd.luks = {
|
||||
cryptoModules = [ "aes" "sha512" "xts" ];
|
||||
devices = [
|
||||
{ name = "xuca"; device = "/dev/sda2"; }
|
||||
];
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/mapper/xuvga-root";
|
||||
fsType = "btrfs";
|
||||
options = "defaults,noatime,ssd,compress=lzo";
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/xuvga-home";
|
||||
fsType = "btrfs";
|
||||
options = "defaults,noatime,ssd,compress=lzo";
|
||||
};
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
"/tmp" = {
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = "nosuid,nodev,noatime";
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config.chromium.enablePepperFlash = true;
|
||||
|
||||
#nixpkgs.config.allowUnfreePredicate = pkg:
|
||||
# pkgs.lib.hasPrefix "virtualbox" pkg.name;
|
||||
|
||||
#nixpkgs.config.allowUnfree = true;
|
||||
#hardware.bumblebee.enable = true;
|
||||
#hardware.bumblebee.group = "video";
|
||||
hardware.enableAllFirmware = true;
|
||||
#hardware.opengl.driSupport32Bit = true;
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
#xlibs.fontschumachermisc
|
||||
#slock
|
||||
ethtool
|
||||
#firefoxWrapper # with plugins
|
||||
#chromiumDevWrapper
|
||||
tinc
|
||||
iptables
|
||||
#jack2
|
||||
|
||||
gptfdisk
|
||||
];
|
||||
|
||||
security.setuidPrograms = [
|
||||
"sendmail" # for cron
|
||||
];
|
||||
|
||||
services.printing.enable = true;
|
||||
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=1G
|
||||
RuntimeMaxUse=128M
|
||||
'';
|
||||
|
||||
# see tmpfiles.d(5)
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
|
||||
];
|
||||
|
||||
#virtualisation.libvirtd.enable = true;
|
||||
|
||||
#services.bitlbee.enable = true;
|
||||
#services.tor.client.enable = true;
|
||||
#services.tor.enable = true;
|
||||
|
||||
#nixpkgs.config.virtualbox.enableExtensionPack = true;
|
||||
|
||||
# XXX Enable for maximum slowness:
|
||||
virtualisation.virtualbox.host.enable = true;
|
||||
|
||||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "15.09";
|
||||
}
|
194
mv/2configs/default.nix
Normal file
194
mv/2configs/default.nix
Normal file
|
@ -0,0 +1,194 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
krebs.enable = true;
|
||||
|
||||
krebs.build = {
|
||||
user = config.krebs.users.tv;
|
||||
target = mkDefault "root@${config.krebs.build.host.name}";
|
||||
source = {
|
||||
git.nixpkgs = {
|
||||
url = mkDefault https://github.com/NixOS/nixpkgs;
|
||||
rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
|
||||
target-path = mkDefault "/var/src/nixpkgs";
|
||||
};
|
||||
dir.secrets = {
|
||||
path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
|
||||
};
|
||||
dir.stockholm = {
|
||||
path = mkDefault "/home/tv/stockholm";
|
||||
target-path = mkDefault "/var/src/stockholm";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = config.krebs.build.host.name;
|
||||
|
||||
imports = [
|
||||
<secrets>
|
||||
./vim.nix
|
||||
{
|
||||
# stockholm dependencies
|
||||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
];
|
||||
}
|
||||
{
|
||||
users = {
|
||||
defaultUserShell = "/run/current-system/sw/bin/bash";
|
||||
mutableUsers = false;
|
||||
users = {
|
||||
tv = {
|
||||
isNormalUser = true;
|
||||
uid = 1337;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
security.sudo.extraConfig = ''
|
||||
Defaults mailto="${config.krebs.users.tv.mail}"
|
||||
'';
|
||||
time.timeZone = "Europe/Berlin";
|
||||
}
|
||||
{
|
||||
# TODO check if both are required:
|
||||
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
|
||||
|
||||
nix.trustedBinaryCaches = [
|
||||
"https://cache.nixos.org"
|
||||
"http://cache.nixos.org"
|
||||
"http://hydra.nixos.org"
|
||||
];
|
||||
|
||||
nix.useChroot = true;
|
||||
}
|
||||
{
|
||||
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
rxvt_unicode.terminfo
|
||||
];
|
||||
|
||||
environment.shellAliases = mkForce {
|
||||
# alias cal='cal -m3'
|
||||
gp = "${pkgs.pari}/bin/gp -q";
|
||||
df = "df -h";
|
||||
du = "du -h";
|
||||
# alias grep='grep --color=auto'
|
||||
|
||||
# TODO alias cannot contain #\'
|
||||
# "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
|
||||
|
||||
# alias la='ls -lA'
|
||||
lAtr = "ls -lAtr";
|
||||
# alias ll='ls -l'
|
||||
ls = "ls -h --color=auto --group-directories-first";
|
||||
dmesg = "dmesg -L --reltime";
|
||||
view = "vim -R";
|
||||
|
||||
reload = "systemctl reload";
|
||||
restart = "systemctl restart";
|
||||
start = "systemctl start";
|
||||
status = "systemctl status";
|
||||
stop = "systemctl stop";
|
||||
};
|
||||
|
||||
environment.variables = {
|
||||
NIX_PATH =
|
||||
with config.krebs.build.source; with dir; with git;
|
||||
mkForce (concatStringsSep ":" [
|
||||
"nixpkgs=${nixpkgs.target-path}"
|
||||
"secrets=${stockholm.target-path}/null"
|
||||
]);
|
||||
};
|
||||
|
||||
programs.bash = {
|
||||
interactiveShellInit = ''
|
||||
HISTCONTROL='erasedups:ignorespace'
|
||||
HISTSIZE=65536
|
||||
HISTFILESIZE=$HISTSIZE
|
||||
|
||||
shopt -s checkhash
|
||||
shopt -s histappend histreedit histverify
|
||||
shopt -s no_empty_cmd_completion
|
||||
complete -d cd
|
||||
|
||||
${readFile ./bash_completion.sh}
|
||||
|
||||
# TODO source bridge
|
||||
'';
|
||||
promptInit = ''
|
||||
case $UID in
|
||||
0)
|
||||
PS1='\[\e[1;31m\]\w\[\e[0m\] '
|
||||
;;
|
||||
1337)
|
||||
PS1='\[\e[1;32m\]\w\[\e[0m\] '
|
||||
;;
|
||||
*)
|
||||
PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
|
||||
;;
|
||||
esac
|
||||
if test -n "$SSH_CLIENT"; then
|
||||
PS1='\[\e[35m\]\h'" $PS1"
|
||||
fi
|
||||
if test -n "$SSH_AGENT_PID"; then
|
||||
PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
programs.ssh.startAgent = false;
|
||||
}
|
||||
|
||||
{
|
||||
services.cron.enable = false;
|
||||
services.nscd.enable = false;
|
||||
services.ntp.enable = false;
|
||||
}
|
||||
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# Enable IPv6 Privacy Extensions
|
||||
"net.ipv6.conf.all.use_tempaddr" = 2;
|
||||
"net.ipv6.conf.default.use_tempaddr" = 2;
|
||||
};
|
||||
}
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
hostKeys = [
|
||||
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
|
||||
];
|
||||
};
|
||||
}
|
||||
|
||||
{
|
||||
# TODO: exim
|
||||
security.setuidPrograms = [
|
||||
"sendmail" # for sudo
|
||||
];
|
||||
}
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.get
|
||||
pkgs.krebszones
|
||||
pkgs.nix-prefetch-scripts
|
||||
pkgs.push
|
||||
];
|
||||
}
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = let
|
||||
forUsers = flip map users;
|
||||
isUser = { group, ... }: hasSuffix "users" group;
|
||||
users = filter isUser (mapAttrsToList (_: id) config.users.users);
|
||||
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
|
||||
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
|
||||
}
|
||||
];
|
||||
}
|
77
mv/2configs/hw/x220.nix
Normal file
77
mv/2configs/hw/x220.nix
Normal file
|
@ -0,0 +1,77 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../smartd.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"aesni-intel"
|
||||
"ahci"
|
||||
"fbcon"
|
||||
"i915"
|
||||
];
|
||||
boot.kernelModules = [
|
||||
"kvm-intel"
|
||||
"msr"
|
||||
"tp-smapi"
|
||||
];
|
||||
|
||||
boot.extraModulePackages = [
|
||||
config.boot.kernelPackages.tp_smapi
|
||||
];
|
||||
|
||||
# disabled for fbcon and i915 to kick in or to disable the kernelParams
|
||||
# XXX: investigate
|
||||
boot.vesa = false;
|
||||
|
||||
boot.loader.gummiboot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
|
||||
#hardware.enableAllFirmware = true;
|
||||
#nixpkgs.config.allowUnfree = true;
|
||||
#zramSwap.enable = true;
|
||||
#zramSwap.numDevices = 2;
|
||||
|
||||
hardware.trackpoint = {
|
||||
enable = true;
|
||||
sensitivity = 220;
|
||||
speed = 0;
|
||||
emulateWheel = true;
|
||||
};
|
||||
|
||||
services.tlp.enable = true;
|
||||
services.tlp.extraConfig = ''
|
||||
START_CHARGE_THRESH_BAT0=80
|
||||
'';
|
||||
|
||||
nix = {
|
||||
buildCores = 2;
|
||||
maxJobs = 2;
|
||||
daemonIONiceLevel = 1;
|
||||
daemonNiceLevel = 1;
|
||||
};
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandleHibernateKey=ignore
|
||||
HandleLidSwitch=ignore
|
||||
HandlePowerKey=ignore
|
||||
HandleSuspendKey=ignore
|
||||
'';
|
||||
|
||||
services.xserver = {
|
||||
videoDriver = "intel";
|
||||
#vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
|
||||
#deviceSection = ''
|
||||
# Option "AccelMethod" "sna"
|
||||
#'';
|
||||
};
|
||||
|
||||
#services.xserver.displayManager.sessionCommands =''
|
||||
# xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1
|
||||
# xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2
|
||||
# xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
|
||||
#'';
|
||||
}
|
13
mv/2configs/mail-client.nix
Normal file
13
mv/2configs/mail-client.nix
Normal file
|
@ -0,0 +1,13 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
with pkgs;
|
||||
{
|
||||
environment.systemPackages = [
|
||||
much
|
||||
msmtp
|
||||
notmuch
|
||||
pythonPackages.alot
|
||||
qprint
|
||||
w3m
|
||||
];
|
||||
}
|
17
mv/2configs/smartd.nix
Normal file
17
mv/2configs/smartd.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.smartd = {
|
||||
enable = true;
|
||||
devices = [
|
||||
{
|
||||
device = "DEVICESCAN";
|
||||
options = toString [
|
||||
"-a"
|
||||
"-m ${config.krebs.users.tv.mail}"
|
||||
"-s (O/../.././09|S/../.././04|L/../../6/05)"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
123
mv/2configs/vim.nix
Normal file
123
mv/2configs/vim.nix
Normal file
|
@ -0,0 +1,123 @@
|
|||
{ lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
out = {
|
||||
environment.systemPackages = [
|
||||
pkgs.vim
|
||||
];
|
||||
|
||||
# Nano really is just a stupid name for Vim.
|
||||
nixpkgs.config.packageOverrides = pkgs: {
|
||||
nano = pkgs.vim;
|
||||
};
|
||||
|
||||
environment.etc.vimrc.source = vimrc;
|
||||
|
||||
environment.variables.EDITOR = mkForce "vim";
|
||||
environment.variables.VIMINIT = ":so /etc/vimrc";
|
||||
};
|
||||
|
||||
extra-runtimepath = concatStringsSep "," [
|
||||
"${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree"
|
||||
];
|
||||
|
||||
vimrc = pkgs.writeText "vimrc" ''
|
||||
set nocompatible
|
||||
|
||||
set autoindent
|
||||
set backspace=indent,eol,start
|
||||
set backup
|
||||
set backupdir=$HOME/.vim/backup/
|
||||
set directory=$HOME/.vim/cache//
|
||||
set hlsearch
|
||||
set incsearch
|
||||
set mouse=a
|
||||
set noruler
|
||||
set pastetoggle=<INS>
|
||||
set runtimepath=${extra-runtimepath},$VIMRUNTIME
|
||||
set shortmess+=I
|
||||
set showcmd
|
||||
set showmatch
|
||||
set ttimeoutlen=0
|
||||
set undodir=$HOME/.vim/undo
|
||||
set undofile
|
||||
set undolevels=1000000
|
||||
set undoreload=1000000
|
||||
set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info
|
||||
set visualbell
|
||||
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
|
||||
set wildmenu
|
||||
set wildmode=longest,full
|
||||
|
||||
set et ts=2 sts=2 sw=2
|
||||
|
||||
filetype plugin indent on
|
||||
|
||||
set t_Co=256
|
||||
colorscheme industry
|
||||
syntax on
|
||||
|
||||
au Syntax * syn match Tabstop containedin=ALL /\t\+/
|
||||
\ | hi Tabstop ctermbg=16
|
||||
\ | syn match TrailingSpace containedin=ALL /\s\+$/
|
||||
\ | hi TrailingSpace ctermbg=88
|
||||
\ | hi Normal ctermfg=White
|
||||
|
||||
au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" ''
|
||||
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
|
||||
''}
|
||||
|
||||
au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" ''
|
||||
setf nix
|
||||
set isk=@,48-57,_,192-255,-,'
|
||||
|
||||
" Ref <nix/src/libexpr/lexer.l>
|
||||
syn match INT /\<[0-9]\+\>/
|
||||
syn match PATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
|
||||
syn match HPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
|
||||
syn match SPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
|
||||
syn match URI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
|
||||
hi link INT Constant
|
||||
hi link PATH Constant
|
||||
hi link HPATH Constant
|
||||
hi link SPATH Constant
|
||||
hi link URI Constant
|
||||
|
||||
syn match String /"\([^\\"]\|\\.\)*"/
|
||||
syn match Comment /\(^\|\s\)#.*/
|
||||
''}
|
||||
|
||||
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
|
||||
|
||||
nmap <esc>q :buffer
|
||||
nmap <M-q> :buffer
|
||||
|
||||
cnoremap <C-A> <Home>
|
||||
|
||||
noremap <C-c> :q<cr>
|
||||
|
||||
nnoremap <esc>[5^ :tabp<cr>
|
||||
nnoremap <esc>[6^ :tabn<cr>
|
||||
nnoremap <esc>[5@ :tabm -1<cr>
|
||||
nnoremap <esc>[6@ :tabm +1<cr>
|
||||
|
||||
nnoremap <f1> :tabp<cr>
|
||||
nnoremap <f2> :tabn<cr>
|
||||
inoremap <f1> <esc>:tabp<cr>
|
||||
inoremap <f2> <esc>:tabn<cr>
|
||||
|
||||
" <C-{Up,Down,Right,Left>
|
||||
noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
|
||||
noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
|
||||
noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
|
||||
noremap <esc>Od <nop> | noremap! <esc>Od <nop>
|
||||
" <[C]S-{Up,Down,Right,Left>
|
||||
noremap <esc>[a <nop> | noremap! <esc>[a <nop>
|
||||
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
|
||||
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
|
||||
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
|
||||
vnoremap u <nop>
|
||||
'';
|
||||
in
|
||||
out
|
215
mv/2configs/xserver/Xresources.nix
Normal file
215
mv/2configs/xserver/Xresources.nix
Normal file
|
@ -0,0 +1,215 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
pkgs.writeText "Xresources" ''
|
||||
!URxvt*background: #050505
|
||||
|
||||
! 2013-02-25 \e was reas escape before
|
||||
! *VT100.Translations: #override\
|
||||
! :<Btn4Down>: string("\e[5~")\n\
|
||||
! :<Btn5Down>: string("\e[6~")
|
||||
|
||||
! XTerm*VT100*Translations: #override \
|
||||
! Shift<Key>Return: string(" &") string(0x0A) \n\
|
||||
! Meta<Key>Return: string(" | less") string(0x0A) \n\
|
||||
! ~Shift<Key>Prior: scroll-back(1,page) \n\
|
||||
! ~Shift<Key>Next: scroll-forw(1,page) \n\
|
||||
! Shift<Key>Prior: scroll-back(1) \n\
|
||||
! Shift<Key>Next: scroll-forw(1) \n\
|
||||
! <Key>Delete: string(0x1b) string("[2~")
|
||||
! \n\
|
||||
! <Key>BackSpace: string(0x7f)
|
||||
|
||||
! 2013-02-2013-02-25
|
||||
! ! <M-c>: load bash-completion (if not already)
|
||||
! URxvt*VT100*Translations: #override\
|
||||
! Meta<KeyPress>c:\
|
||||
! string("\eOH# \eOF\n+compl\n\eOA\eOA\eOH\e[3~\e[3~\eOF")\
|
||||
! string(0x7)\n
|
||||
|
||||
! do not scroll automatically on output:
|
||||
! XTerm*scrollTtyOutput: false
|
||||
URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’"
|
||||
! URxvt*secondaryScreen: false
|
||||
|
||||
! URxvt*loginShell: true
|
||||
|
||||
URxvt*eightBitInput: false
|
||||
! *eightBitOutput: 1
|
||||
! URxvt*decTerminalID: 220
|
||||
! URxvt*utf8: 1
|
||||
! URxvt*locale: UTF-8
|
||||
! XTerm*customization: -color
|
||||
URxvt*SaveLines: 4096
|
||||
URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
|
||||
URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
|
||||
|
||||
! 2013-05-23 if this does not work try
|
||||
! xset +fp /usr/share/fonts/local/
|
||||
! xset fp rehash
|
||||
! URxvt*font: -*-termsynu-edium-*-*-*-12-*-*-*-*-*-iso10646-1
|
||||
! URxvt*boldFont: -*-termsynu-bold-*-*-*-12-*-*-*-*-*-iso10646-1
|
||||
!
|
||||
!-misc-termsynu-medium-r-normal--12-87-100-100-c-70-iso10646-1
|
||||
|
||||
! XTerm*font: -misc-fixed-medium-r-normal--13-120-75-75-c-80-iso10646-1
|
||||
URxvt*scrollBar: false
|
||||
|
||||
! XTerm*font:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
|
||||
! URxvt*boldFont:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
|
||||
|
||||
URxvt*background: #050505
|
||||
! URxvt*background: #041204
|
||||
|
||||
!URxvt.depth: 32
|
||||
!URxvt*background: rgba:0500/0500/0500/cccc
|
||||
|
||||
! URxvt*background: #080810
|
||||
URxvt*foreground: #d0d7d0
|
||||
! URxvt*background: black
|
||||
! URxvt*foreground: white
|
||||
! URxvt*background: rgb:00/00/40
|
||||
! URxvt*foreground: rgb:a0/a0/d0
|
||||
! XTerm*cursorColor: rgb:00/00/60
|
||||
URxvt*cursorColor: #f042b0
|
||||
URxvt*cursorColor2: #f0b000
|
||||
URxvt*cursorBlink: off
|
||||
! URxvt*cursorUnderline: true
|
||||
! URxvt*highlightColor: #232323
|
||||
! URxvt*highlightTextColor: #b0ffb0
|
||||
|
||||
URxvt*.pointerBlank: true
|
||||
URxvt*.pointerBlankDelay: 987654321
|
||||
URxvt*.pointerColor: #f042b0
|
||||
URxvt*.pointerColor2: #050505
|
||||
|
||||
! URxvt*fading: 50
|
||||
! URxvt*fadeColor: #0f0f0f
|
||||
|
||||
! XTerm*colorMode: on
|
||||
! URxvt*dynamicColors: on
|
||||
! URxvt*boldColors: off
|
||||
|
||||
URxvt*jumpScroll: true
|
||||
|
||||
! allow synthetic events for fvwm, so pass window specific keys
|
||||
! XTerm*allowSendEvents: true
|
||||
URxvt*allowSendEvents: false
|
||||
|
||||
! better double/tripple clicking in xterms
|
||||
! Format: csv, [low-]high:value
|
||||
!
|
||||
! extend character class 48 due they are used in urls
|
||||
! (see: man xterm; /CHARACTER CLASSES)
|
||||
! ! % -./ @ & = ?
|
||||
URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
|
||||
URxvt*cutNewline: False
|
||||
URxvt*cutToBeginningOfLine: False
|
||||
|
||||
! BLACK for indigo background
|
||||
URxvt*color0: #232342
|
||||
|
||||
! TODO: man xterm; /ACTIONS
|
||||
|
||||
! *VT100*colorULMode: on
|
||||
! XTerm*underLine: on
|
||||
!
|
||||
! URxvt*color0: black
|
||||
! URxvt*color1: red3
|
||||
! URxvt*color2: green3
|
||||
! URxvt*color3: yellow3
|
||||
! URxvt*color4: blue2
|
||||
! URxvt*color5: magenta3
|
||||
! URxvt*color6: cyan3
|
||||
! URxvt*color7: gray90
|
||||
! URxvt*color8: burlywood1
|
||||
! URxvt*color9: sienna1
|
||||
! URxvt*color10: PaleVioletRed1
|
||||
! URxvt*color11: LightSkyBlue
|
||||
! URxvt*color12: white
|
||||
! URxvt*color13: white
|
||||
! URxvt*color14: white
|
||||
! URxvt*color33: #f0b0f0
|
||||
|
||||
|
||||
! URxvt*color0: #000000
|
||||
! URxvt*color1: #c00000
|
||||
! URxvt*color2: #80c070
|
||||
URxvt*color3: #c07000
|
||||
! URxvt*color4: #0000c0
|
||||
URxvt*color4: #4040c0
|
||||
! URxvt*color5: #c000c0
|
||||
! URxvt*color6: #008080
|
||||
URxvt*color7: #c0c0c0
|
||||
|
||||
URxvt*color8: #707070
|
||||
URxvt*color9: #ff6060
|
||||
URxvt*color10: #70ff70
|
||||
URxvt*color11: #ffff70
|
||||
URxvt*color12: #7070ff
|
||||
URxvt*color13: #ff50ff
|
||||
URxvt*color14: #70ffff
|
||||
URxvt*color15: #ffffff
|
||||
|
||||
! XTerm*color91: #000070
|
||||
! XTerm*color92: #000080
|
||||
! XTerm*color93: #000090
|
||||
! XTerm*color94: #0000a0
|
||||
! XTerm*color95: #0000b0
|
||||
! XTerm*color96: #0000c0
|
||||
! XTerm*color97: #0000d0
|
||||
! XTerm*color98: #0000e0
|
||||
! XTerm*color99: #0000f0
|
||||
|
||||
! !! vim-create-colorscheme {{{
|
||||
! !! Question cterm=none
|
||||
! XTerm*color20: #f0b000
|
||||
! !! }}}
|
||||
!
|
||||
!
|
||||
! #include ".xrdb/look-zenburn.xrdb"
|
||||
! #include ".xrdb/xterm.xrdb"
|
||||
|
||||
|
||||
|
||||
! URxvt.perl-ext: matcher
|
||||
! URxvt.urlLauncher: cr
|
||||
! URxvt.underlineColor: blue
|
||||
|
||||
! URxvt.matcher.button: 1
|
||||
! URxvt.perl-ext: default,matcher
|
||||
! URxvt.urlLauncher: cr
|
||||
! URxvt.matcher.pattern.1: \\bwww\\.[\\w-]+\\.[\\w./?&@#-]*[\\w/-]
|
||||
! URxvt.underlineColor: blue
|
||||
|
||||
! 2014-05-12 von lass
|
||||
!URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
|
||||
!URxvt.url-select.launcher: /home/tv/bin/ff -new-tab
|
||||
!URxvt.url-select.underline: true
|
||||
!URxvt.keysym.M-u: perl:url-select:select_next
|
||||
!URxvt.keysym.M-Escape: perl:keyboard-select:activate
|
||||
!URxvt.keysym.M-s: perl:keyboard-select:search
|
||||
|
||||
|
||||
|
||||
|
||||
! 2013-02-25 I neve use this
|
||||
URxvt*iso14755: False
|
||||
|
||||
URxvt*urgentOnBell: True
|
||||
URxvt*visualBell: True
|
||||
|
||||
! ref https://github.com/muennich/urxvt-perls
|
||||
URxvt*perl-ext: default,url-select
|
||||
URxvt*keysym.M-u: perl:url-select:select_next
|
||||
URxvt*url-select.launcher: ${pkgs.ff}/bin/ff -new-tab
|
||||
URxvt*url-select.underline: true
|
||||
URxvt*colorUL: #4682B4
|
||||
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
|
||||
|
||||
root-urxvt*background: #230000
|
||||
root-urxvt*foreground: #e0c0c0
|
||||
root-urxvt*BorderColor: #400000
|
||||
root-urxvt*color0: #800000
|
||||
''
|
153
mv/2configs/xserver/default.nix
Normal file
153
mv/2configs/xserver/default.nix
Normal file
|
@ -0,0 +1,153 @@
|
|||
{ config, lib, pkgs, ... }@args:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
# TODO krebs.build.user
|
||||
user = config.users.users.tv;
|
||||
|
||||
out = {
|
||||
services.xserver.display = 11;
|
||||
services.xserver.tty = 11;
|
||||
|
||||
services.xserver.synaptics = {
|
||||
enable = true;
|
||||
twoFingerScroll = true;
|
||||
accelFactor = "0.035";
|
||||
};
|
||||
|
||||
fonts.fonts = [
|
||||
pkgs.xlibs.fontschumachermisc
|
||||
];
|
||||
|
||||
systemd.services.urxvtd = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
reloadIfChanged = true;
|
||||
serviceConfig = {
|
||||
ExecReload = need-reload "urxvtd.service";
|
||||
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
|
||||
Restart = "always";
|
||||
RestartSec = "2s";
|
||||
StartLimitBurst = 0;
|
||||
User = user.name;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.ff
|
||||
pkgs.gitAndTools.qgit
|
||||
pkgs.mpv
|
||||
pkgs.pavucontrol
|
||||
pkgs.slock
|
||||
pkgs.sxiv
|
||||
pkgs.xsel
|
||||
pkgs.zathura
|
||||
];
|
||||
|
||||
security.setuidPrograms = [
|
||||
"slock"
|
||||
];
|
||||
|
||||
systemd.services.display-manager = mkForce {};
|
||||
|
||||
services.xserver.enable = true;
|
||||
|
||||
systemd.services.xmonad = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "xserver.service" ];
|
||||
environment = xmonad-environment;
|
||||
serviceConfig = {
|
||||
ExecStart = "${xmonad-start}/bin/xmonad";
|
||||
ExecStop = "${xmonad-stop}/bin/xmonad-stop";
|
||||
User = user.name;
|
||||
WorkingDirectory = user.home;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.xserver = {
|
||||
after = [
|
||||
"systemd-udev-settle.service"
|
||||
"local-fs.target"
|
||||
"acpid.service"
|
||||
];
|
||||
reloadIfChanged = true;
|
||||
environment = xserver-environment;
|
||||
serviceConfig = {
|
||||
ExecReload = need-reload "xserver.service";
|
||||
ExecStart = "${xserver}/bin/xserver";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
xmonad-environment = {
|
||||
DISPLAY = ":${toString config.services.xserver.display}";
|
||||
XMONAD_STATE = "/tmp/xmonad.state";
|
||||
|
||||
# XXX JSON is close enough :)
|
||||
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
|
||||
"Dashboard" # we start here
|
||||
"23"
|
||||
"cr"
|
||||
"ff"
|
||||
"hack"
|
||||
"im"
|
||||
"mail"
|
||||
"stockholm"
|
||||
"za" "zh" "zj" "zs"
|
||||
]);
|
||||
};
|
||||
|
||||
xmonad-start = pkgs.writeScriptBin "xmonad" ''
|
||||
#! ${pkgs.bash}/bin/bash
|
||||
set -efu
|
||||
export PATH; PATH=${makeSearchPath "bin" [
|
||||
pkgs.rxvt_unicode
|
||||
]}:/var/setuid-wrappers
|
||||
settle() {(
|
||||
# Use PATH for a clean journal
|
||||
command=''${1##*/}
|
||||
PATH=''${1%/*}; export PATH
|
||||
shift
|
||||
until "$command" "$@"; do
|
||||
${pkgs.coreutils}/bin/sleep 1
|
||||
done
|
||||
)&}
|
||||
settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
|
||||
settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args}
|
||||
settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c'
|
||||
exec ${pkgs.xmonad-tv}/bin/xmonad
|
||||
'';
|
||||
|
||||
xmonad-stop = pkgs.writeScriptBin "xmonad-stop" ''
|
||||
#! /bin/sh
|
||||
exec ${pkgs.xmonad-tv}/bin/xmonad --shutdown
|
||||
'';
|
||||
|
||||
xserver-environment = {
|
||||
XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
|
||||
XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
|
||||
LD_LIBRARY_PATH = concatStringsSep ":" (
|
||||
[ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
|
||||
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
|
||||
};
|
||||
|
||||
xserver = pkgs.writeScriptBin "xserver" ''
|
||||
#! /bin/sh
|
||||
set -efu
|
||||
exec ${pkgs.xorg.xorgserver}/bin/X \
|
||||
:${toString config.services.xserver.display} \
|
||||
vt${toString config.services.xserver.tty} \
|
||||
-config ${import ./xserver.conf.nix args} \
|
||||
-logfile /var/log/X.${toString config.services.xserver.display}.log \
|
||||
-nolisten tcp \
|
||||
-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \
|
||||
'';
|
||||
|
||||
need-reload = s: let
|
||||
pkg = pkgs.writeScriptBin "need-reload" ''
|
||||
#! /bin/sh
|
||||
echo "$*"
|
||||
'';
|
||||
in "${pkg}/bin/need-reload ${s}";
|
||||
|
||||
in out
|
40
mv/2configs/xserver/xserver.conf.nix
Normal file
40
mv/2configs/xserver/xserver.conf.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.xserver;
|
||||
in
|
||||
|
||||
pkgs.stdenv.mkDerivation {
|
||||
name = "xserver.conf";
|
||||
|
||||
xfs = optionalString (cfg.useXFS != false)
|
||||
''FontPath "${toString cfg.useXFS}"'';
|
||||
|
||||
inherit (cfg) config;
|
||||
|
||||
buildCommand =
|
||||
''
|
||||
echo 'Section "Files"' >> $out
|
||||
echo $xfs >> $out
|
||||
|
||||
for i in ${toString config.fonts.fonts}; do
|
||||
if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
|
||||
for j in $(find $i -name fonts.dir); do
|
||||
echo " FontPath \"$(dirname $j)\"" >> $out
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
for i in $(find ${toString cfg.modules} -type d); do
|
||||
if test $(echo $i/*.so* | wc -w) -ne 0; then
|
||||
echo " ModulePath \"$i\"" >> $out
|
||||
fi
|
||||
done
|
||||
|
||||
echo 'EndSection' >> $out
|
||||
|
||||
echo "$config" >> $out
|
||||
'';
|
||||
}
|
7
mv/3modules/default.nix
Normal file
7
mv/3modules/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
_:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./iptables.nix
|
||||
];
|
||||
}
|
126
mv/3modules/iptables.nix
Normal file
126
mv/3modules/iptables.nix
Normal file
|
@ -0,0 +1,126 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with builtins;
|
||||
with lib;
|
||||
let
|
||||
cfg = config.tv.iptables;
|
||||
|
||||
out = {
|
||||
options.tv.iptables = api;
|
||||
config = mkIf cfg.enable imp;
|
||||
};
|
||||
|
||||
api = {
|
||||
enable = mkEnableOption "tv.iptables";
|
||||
|
||||
input-internet-accept-new-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-new-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
|
||||
imp = {
|
||||
networking.firewall.enable = false;
|
||||
|
||||
systemd.services.tv-iptables = {
|
||||
description = "tv-iptables";
|
||||
wantedBy = [ "network-pre.target" ];
|
||||
before = [ "network-pre.target" ];
|
||||
after = [ "systemd-modules-load.service" ];
|
||||
|
||||
path = with pkgs; [
|
||||
iptables
|
||||
];
|
||||
|
||||
restartIfChanged = true;
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
RemainAfterExit = true;
|
||||
Restart = "always";
|
||||
ExecStart = "@${startScript} tv-iptables_start";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
accept-new-tcp = port:
|
||||
"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
|
||||
|
||||
rules = iptables-version:
|
||||
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
|
||||
++ [
|
||||
"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
|
||||
"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
|
||||
]
|
||||
)}
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:Retiolum - [0:0]
|
||||
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
|
||||
++ [
|
||||
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
|
||||
"-i lo -j ACCEPT"
|
||||
]
|
||||
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
|
||||
++ ["-i retiolum -j Retiolum"]
|
||||
)}
|
||||
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
||||
++ {
|
||||
ip4tables = [
|
||||
"-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
|
||||
];
|
||||
ip6tables = [
|
||||
"-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
|
||||
];
|
||||
}."ip${toString iptables-version}tables"
|
||||
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
|
||||
++ {
|
||||
ip4tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp-port-unreachable"
|
||||
"-j REJECT --reject-with icmp-proto-unreachable"
|
||||
];
|
||||
ip6tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
|
||||
"-j REJECT"
|
||||
];
|
||||
}."ip${toString iptables-version}tables"
|
||||
)}
|
||||
COMMIT
|
||||
'';
|
||||
|
||||
startScript = pkgs.writeScript "tv-iptables_start" ''
|
||||
#! /bin/sh
|
||||
set -euf
|
||||
iptables-restore < ${rules 4}
|
||||
ip6tables-restore < ${rules 6}
|
||||
'';
|
||||
|
||||
in
|
||||
out
|
||||
|
||||
#let
|
||||
# cfg = config.tv.iptables;
|
||||
# arg' = arg // { inherit cfg; };
|
||||
#in
|
||||
#
|
||||
#{
|
||||
# options.tv.iptables = import ./options.nix arg';
|
||||
# config = lib.mkIf cfg.enable (import ./config.nix arg');
|
||||
#}
|
Loading…
Reference in a new issue