From d629bee9546fa6ed6a018f2b6d491a851ad12738 Mon Sep 17 00:00:00 2001
From: lassulus <lass@aidsballs.de>
Date: Mon, 13 Jul 2015 13:39:49 +0200
Subject: [PATCH] "rebase"

---
 old/modules/cloudkrebs/default.nix            |   8 +-
 .../retiolum.nix}                             |   4 +-
 old/modules/lass/base.nix                     |  61 ++++--
 old/modules/lass/desktop-base.nix             |  30 ++-
 old/modules/lass/iptables/config.nix          | 119 +++++++++++
 old/modules/lass/iptables/default.nix         |  11 ++
 old/modules/lass/iptables/options.nix         |  44 +++++
 old/modules/lass/ircd.nix                     |  31 +--
 old/modules/lass/retiolum-uriel.nix           |  21 --
 old/modules/lass/vim.nix                      |   2 +
 old/modules/lass/xserver-lass.nix             |  43 ----
 old/modules/mors/default.nix                  |  25 ++-
 old/modules/mors/git.nix                      | 185 ++++++++++++------
 old/modules/mors/paths.nix                    |  12 ++
 old/modules/mors/repos.nix                    |   9 +
 .../retiolum-mors.nix => mors/retiolum.nix}   |   6 +-
 old/modules/uriel/default.nix                 |  10 +-
 old/modules/uriel/git.nix                     | 130 ++++++++++++
 old/modules/uriel/retiolum.nix                |  31 +++
 19 files changed, 602 insertions(+), 180 deletions(-)
 rename old/modules/{lass/retiolum-cloudkrebs.nix => cloudkrebs/retiolum.nix} (87%)
 create mode 100644 old/modules/lass/iptables/config.nix
 create mode 100644 old/modules/lass/iptables/default.nix
 create mode 100644 old/modules/lass/iptables/options.nix
 delete mode 100644 old/modules/lass/retiolum-uriel.nix
 delete mode 100644 old/modules/lass/xserver-lass.nix
 create mode 100644 old/modules/mors/paths.nix
 rename old/modules/{lass/retiolum-mors.nix => mors/retiolum.nix} (81%)
 create mode 100644 old/modules/uriel/git.nix
 create mode 100644 old/modules/uriel/retiolum.nix

diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix
index 938447e0e..135b662f9 100644
--- a/old/modules/cloudkrebs/default.nix
+++ b/old/modules/cloudkrebs/default.nix
@@ -3,7 +3,7 @@
 {
   imports = [
     ../tv/base-cac-CentOS-7-64bit.nix
-    ../lass/retiolum-cloudkrebs.nix
+    ./retiolum.nix
     ./networking.nix
     ../../secrets/cloudkrebs-pw.nix
     ../lass/sshkeys.nix
@@ -18,8 +18,10 @@
 
   nix.maxJobs = 1;
 
-  #activationScripts
-  #split up and move into base
+  #tmpfiles Unknown group 'lock' workaround:
+  users.extraGroups = {
+    lock.gid = 10001;
+  };
 
   #TODO move into modules
   users.extraUsers = {
diff --git a/old/modules/lass/retiolum-cloudkrebs.nix b/old/modules/cloudkrebs/retiolum.nix
similarity index 87%
rename from old/modules/lass/retiolum-cloudkrebs.nix
rename to old/modules/cloudkrebs/retiolum.nix
index 1f035271d..1caa9246e 100644
--- a/old/modules/lass/retiolum-cloudkrebs.nix
+++ b/old/modules/cloudkrebs/retiolum.nix
@@ -2,10 +2,10 @@
 
 {
   imports = [
-    ../tv/retiolum.nix
+    ../tv/retiolum
   ];
 
-  services.retiolum = {
+  tv.retiolum = {
     enable = true;
     hosts = ../../hosts;
     privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
index 3a8d879eb..159372a24 100644
--- a/old/modules/lass/base.nix
+++ b/old/modules/lass/base.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ./sshkeys.nix
+    ./iptables
   ];
 
   nix.useChroot = true;
@@ -65,6 +66,10 @@
     '';
   };
 
+  security.setuidPrograms = [
+    "sendmail"
+  ];
+
   services.gitolite = {
     enable = true;
     dataDir = "/home/gitolite";
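Review bot: The new `security.setuidPrograms = [ "sendmail" ]` carries no comment saying which sendmail implementation is being wrapped or which consumer needs a setuid binary, and setuid grants are exactly the lines a later auditor will want justified. A one-line why-comment such as `# setuid so <which service/user> can submit local mail` (filled in with the actual consumer) would make the grant reviewable without digging through the rest of the host config. The enclosing attribute set starts and ends outside the hunk.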
@@ -84,27 +89,41 @@
     RuntimeMaxUse=128M
   '';
 
-  networking.firewall = {
+  lass.iptables = {
     enable = true;
-
-    allowedTCPPorts = [
-      22
-    ];
-
-    extraCommands = ''
-      iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
-      iptables -A INPUT -j ACCEPT -i lo
-      iptables -A INPUT -j ACCEPT -p icmp
-
-      #iptables -N Retiolum
-      iptables -A INPUT -j Retiolum -i retiolum
-      iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
-      iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
-      iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
-      iptables -A Retiolum -j REJECT        --reject-with icmp-proto-unreachable
-      iptables -A Retiolum -j REJECT
-    '';
-
-    extraStopCommands = "iptables -F";
+    tables = {
+      filter.INPUT.policy = "DROP";
+      filter.FORWARD.policy = "DROP";
+      filter.INPUT.rules = [
+        { predicate = "-i lo"; target = "ACCEPT"; }
+        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+        { predicate = "-p icmp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+      ];
+    };
   };
+
+  #Networking.firewall = {
+  #  enable = true;
+
+  #  allowedTCPPorts = [
+  #    22
+  #  ];
+
+  #  extraCommands = ''
+  #    iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+  #    iptables -A INPUT -j ACCEPT -i lo
+  #    #http://serverfault.com/questions/84963/why-not-block-icmp
+  #    iptables -A INPUT -j ACCEPT -p icmp
+
+  #    #TODO: fix Retiolum firewall
+  #    #iptables -N RETIOLUM
+  #    #iptables -A INPUT -j RETIOLUM -i retiolum
+  #    #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+  #    #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
+  #    #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
+  #    #iptables -A RETIOLUM -j REJECT        --reject-with icmp-proto-unreachable
+  #    #iptables -A RETIOLUM -j REJECT
+  #  '';
+  #};
 }
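Review bot: The `{ predicate = "-p icmp"; target = "ACCEPT"; }` rule is the only ICMP exception under the new `filter.INPUT.policy = "DROP"`, yet the sibling old/modules/lass/iptables/config.nix feeds the very same generated ruleset to both `iptables-restore` and `ip6tables-restore`; as far as I know ip6tables reads `-p icmp` as protocol 1 rather than ICMPv6, so neighbour discovery and router advertisements would most likely be dropped and IPv6 connectivity on every host using this module breaks (confirm on a host with a v6 address). An `icmpv6` accept rule cannot be written here without also breaking the v4 load, so the fix belongs in config.nix's startScript hunk, where the v4 and v6 rulesets need to be generated separately. Separately, the commented-out former `networking.firewall` block below the `lass.iptables` set is dead code that git history already preserves and should be deleted; the same applies to the commented-out trackpoint activation script in old/modules/mors/default.nix and the commented-out firewall/`lass.iptables` sketch in old/modules/uriel/retiolum.nix.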
diff --git a/old/modules/lass/desktop-base.nix b/old/modules/lass/desktop-base.nix
index 94184548e..ee7a94bc9 100644
--- a/old/modules/lass/desktop-base.nix
+++ b/old/modules/lass/desktop-base.nix
@@ -1,6 +1,8 @@
 { config, pkgs, ... }:
 
-{
+let
+  mainUser = config.users.extraUsers.mainUser;
+in {
   imports = [
     ./base.nix
   ];
@@ -34,4 +36,30 @@
     xlibs.fontschumachermisc
   ];
 
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+
+  services.xserver = {
+    enable = true;
+
+    windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
+      X11-xshape
+    ];
+    windowManager.xmonad.enable = true;
+    windowManager.xmonad.enableContribAndExtras = true;
+    windowManager.default = "xmonad";
+    desktopManager.default = "none";
+    desktopManager.xterm.enable = false;
+    displayManager.slim.enable = true;
+    displayManager.auto.enable = true;
+    displayManager.auto.user = mainUser.name;
+
+    layout = "us,de";
+    xkbModel = "evdev";
+    xkbVariant = "altgr-intl,nodeadkeys";
+    xkbOptions = "grp:caps_toggle";
+
+  };
+
 }
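Review bot: The `services.xserver` block moved here from the deleted old/modules/lass/xserver-lass.nix drops that file's `services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];` line without a replacement anywhere in the patch, so hardware video decoding may silently stop on the Intel host (mors still sets `videoDriver = "intel"` in its hunk); confirm this was intentional. Moving `displayManager.auto.enable = true` with `auto.user = mainUser.name` into the shared desktop-base also means every host importing this module now logs `mainUser` in at boot without a password; a comment such as `# autologin is deliberate: <reason>` would record that the trade-off was considered rather than inherited by accident. `fonts.fonts` also repeats `xlibs.fontschumachermisc`, which the context line above already lists in the package list.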
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix
new file mode 100644
index 000000000..be521feb9
--- /dev/null
+++ b/old/modules/lass/iptables/config.nix
@@ -0,0 +1,119 @@
+{ cfg, lib, pkgs, ... }:
+
+let
+  inherit (pkgs) writeScript writeText;
+  inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
+
+#===== new api v4
+
+  #buildTable :: iptablesAttrSet` -> str
+  #todo: differentiate by iptables-version
+  buildTables = iptv: ts:
+    let
+      declareChain = t: cn:
+        #TODO: find out what to do whit these count numbers
+        ":${cn} ${t."${cn}".policy} [0:0]";
+
+      buildChain = tn: cn:
+      #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
+
+      #TODO: sort by precedence
+      #TODO: double check should be unneccessary, refactor!
+        if (hasAttr "rules" ts."${tn}"."${cn}") then
+          if (ts."${tn}"."${cn}".rules == null) then
+            ""
+          else
+            concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+              ++ map buildRule ts."${tn}"."${cn}".rules
+            )
+        else
+          ""
+        ;
+
+
+      buildRule = rule:
+        #TODO implement rule validation-test here
+        #
+        #target:
+        #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+
+        #predicate:
+        #maybe use iptables-test
+        #TODO: howto exit with evaluation error by shellscript?
+          #apperantly not possible from nix because evalatution wouldn't be deterministic.
+        "${rule.predicate} -j ${rule.target}";
+
+      buildTable = tn:
+        "*${tn}\n" +
+        concatStringsSep "\n" ([]
+          ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+        ) +
+        #this looks dirty, find a better way to do this (maybe optionalString)
+        concatStringsSep "" ([]
+          ++ map (buildChain tn) (attrNames ts."${tn}")
+        ) +
+        "\nCOMMIT";
+    in
+      concatStringsSep "\n" ([]
+        ++ map buildTable (attrNames ts)
+      );
+
+#=====
+
+  rules4 = iptables-version:
+    let
+      #TODO: find out good defaults.
+      tables-defaults = {
+        nat.PREROUTING.policy = "ACCEPT";
+        nat.INPUT.policy = "ACCEPT";
+        nat.OUTPUT.policy = "ACCEPT";
+        nat.POSTROUTING.policy = "ACCEPT";
+        filter.INPUT.policy = "ACCEPT";
+        filter.FORWARD.policy = "ACCEPT";
+        filter.OUTPUT.policy = "ACCEPT";
+
+        #if someone specifies any other rules on this chain, the default rules get lost.
+        #is this wanted beahiviour or a bug?
+        #TODO: implement abstraction of rules
+        filter.INPUT.rules = [
+          { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+        ];
+      };
+      tables = tables-defaults // cfg.tables;
+
+    in
+      writeText "lass-iptables-rules${toString iptables-version}" ''
+        ${buildTables iptables-version tables}
+      '';
+
+  startScript = writeScript "lass-iptables_start" ''
+    #! /bin/sh
+    set -euf
+    iptables-restore < ${rules4 4}
+    ip6tables-restore < ${rules4 6}
+  '';
+in
+
+{
+  networking.firewall.enable = false;
+
+  systemd.services.lass-iptables = {
+    description = "lass-iptables";
+    wantedBy = [ "network-pre.target" ];
+    before = [ "network-pre.target" ];
+    after = [ "systemd-modules-load.service" ];
+
+    path = with pkgs; [
+      iptables
+    ];
+
+    restartIfChanged = true;
+
+    serviceConfig = {
+      Type = "simple";
+      RemainAfterExit = true;
+      Restart = "always";
+      ExecStart = "@${startScript} lass-iptables_start";
+    };
+  };
+}
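Review bot: With `Type = "simple"`, systemd considers `lass-iptables` started the moment the script is forked, so the `before = [ "network-pre.target" ]` ordering does not guarantee the rules are actually loaded before networking comes up, and `RemainAfterExit = true` leaves the unit "active (exited)" afterwards, which makes `Restart = "always"` effectively dead configuration. Changing the serviceConfig to `Type = "oneshot"; RemainAfterExit = true;` and dropping `Restart` expresses the intent and makes dependents wait until both restore commands have returned. Second, `tables = tables-defaults // cfg.tables` is a shallow merge: any host that sets anything under `tables.filter` replaces the whole default filter table including the conntrack rule, which the comment above it already half-suspects; `lib.recursiveUpdate tables-defaults cfg.tables` keeps the defaults unless explicitly overridden. Finally, because the same rules file is fed to `ip6tables-restore`, any v4-only predicate (such as `-p icmp`) is applied to v6 as well; generating the two rulesets from separate inputs is the only way to express protocol-specific rules.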
diff --git a/old/modules/lass/iptables/default.nix b/old/modules/lass/iptables/default.nix
new file mode 100644
index 000000000..7d46d4563
--- /dev/null
+++ b/old/modules/lass/iptables/default.nix
@@ -0,0 +1,11 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.lass.iptables;
+  arg' = arg // { inherit cfg; };
+in
+
+{
+  options.lass.iptables = import ./options.nix arg';
+  config = lib.mkIf cfg.enable (import ./config.nix arg');
+}
diff --git a/old/modules/lass/iptables/options.nix b/old/modules/lass/iptables/options.nix
new file mode 100644
index 000000000..eb3bfc011
--- /dev/null
+++ b/old/modules/lass/iptables/options.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption types;
+in
+
+{
+  enable = mkEnableOption "iptables";
+
+  #tables.filter.INPUT = {
+  # policy = "DROP";
+  # rules = [
+  #   { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+  # ];
+  #};
+  #new api
+  tables = mkOption {
+    type = with types; attrsOf (attrsOf (submodule ({
+      options = {
+        policy = mkOption {
+          type = str;
+          default = "-";
+        };
+        rules = mkOption {
+          type = nullOr (listOf (submodule ({
+            options = {
+              predicate = mkOption {
+                type = str;
+              };
+              target = mkOption {
+                type = str;
+              };
+              precedence = mkOption {
+                type = int;
+                default = 0;
+              };
+            };
+          })));
+          default = null;
+        };
+      };
+    })));
+  };
+}
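Review bot: `precedence` is declared on every rule but nothing in the sibling config.nix reads it (its buildChain still carries a `#TODO: sort by precedence`), so a user who sets it gets silently ignored ordering; either implement the sort or leave the option out until it does something. `policy` is a free-form `str` defaulting to `"-"` even though it is emitted verbatim into `:CHAIN <policy> [0:0]`, where only a handful of values are valid; `type = enum [ "ACCEPT" "DROP" "-" ];` would turn a typo into an evaluation error instead of a failed firewall load at boot. None of the options have a `description`, which is what `nixos-option` and the manual show; a short `description = "...";` on `tables`, `policy`, `rules`, `predicate` and `target` would document the new API in place of the commented-out example.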
diff --git a/old/modules/lass/ircd.nix b/old/modules/lass/ircd.nix
index 3c9e25718..c57f7dd5c 100644
--- a/old/modules/lass/ircd.nix
+++ b/old/modules/lass/ircd.nix
@@ -20,7 +20,7 @@
         #ssl_dh_params = "etc/dh.pem";
         #ssld_count = 1;
 
-        #default_max_clients = 1024;
+        default_max_clients = 10000;
         #nicklen = 30;
       };
 
@@ -40,21 +40,26 @@
         sslport = 9999;
       };
 
+      class "users" {
+        ping_time = 2 minutes;
+        number_per_ident = 200;
+        number_per_ip = 200;
+        number_per_ip_global = 500;
+        cidr_ipv4_bitlen = 24;
+        cidr_ipv6_bitlen = 64;
+        number_per_cidr = 9000;
+        max_number = 10000;
+        sendq = 400 kbytes;
+      };
+
+      exempt {
+        ip = "127.0.0.1";
+      };
+
       auth {
         user = "*@*";
         class = "users";
-      };
-
-      class "users" {
-        ping_time = 2 minutes;
-        number_per_ident = 10;
-        number_per_ip = 10;
-        number_per_ip_global = 50;
-        cidr_ipv4_bitlen = 24;
-        cidr_ipv6_bitlen = 64;
-        number_per_cidr = 200;
-        max_number = 3000;
-        sendq = 400 kbytes;
+        flags = exceed_limit;
       };
 
       channel {
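Review bot: Adding `flags = exceed_limit;` to the catch-all `auth { user = "*@*"; ... }` block lets every connecting client bypass the class limits, so the `number_per_ip`/`number_per_ident`/`max_number` values raised in the same hunk no longer constrain anyone and the clone-flood protection they provide is effectively gone, if I read ircd-hybrid's auth flags correctly. If the intent is to exempt only a local bouncer or bot, a dedicated auth block for that host (for example `user = "*@127.0.0.1";`, placed before the wildcard block) should carry the flag and the `*@*` block should stay unflagged. The new `exempt { ip = "127.0.0.1"; }` block suggests localhost was the intended beneficiary.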
diff --git a/old/modules/lass/retiolum-uriel.nix b/old/modules/lass/retiolum-uriel.nix
deleted file mode 100644
index 11dc61c11..000000000
--- a/old/modules/lass/retiolum-uriel.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ../tv/retiolum.nix
-  ];
-
-  services.retiolum = {
-    enable = true;
-    hosts = ../../hosts;
-    privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
-    connectTo = [
-      "fastpoke"
-      "gum"
-      "ire"
-    ];
-  };
-
-  networking.firewall.allowedTCPPorts = [ 655 ];
-  networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/old/modules/lass/vim.nix b/old/modules/lass/vim.nix
index e1cff0d24..3fe45e1d1 100644
--- a/old/modules/lass/vim.nix
+++ b/old/modules/lass/vim.nix
@@ -56,6 +56,8 @@ in {
       vnoremap < <gv
       vnoremap > >gv
 
+      nmap <esc>q :buffer 
+
       "Tabwidth
       set ts=2 sts=2 sw=2 et
 
diff --git a/old/modules/lass/xserver-lass.nix b/old/modules/lass/xserver-lass.nix
deleted file mode 100644
index 5c2d169bb..000000000
--- a/old/modules/lass/xserver-lass.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  mainUser = config.users.extraUsers.mainUser;
-
-in {
-  services.xserver.enable = true;
-
-
-  #fonts.enableFontConfig = true;
-  #fonts.enableFontDir = true;
-  fonts.fonts = [
-    pkgs.xlibs.fontschumachermisc
-  ];
-  #services.xfs.enable = true;
-  #services.xserver.useXFS = "unix/:7100";
-
-  #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
-
-  #services.xserver.display = 11;
-  #services.xserver.tty = 11;
-  # services.xserver.layout = "us";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  #services.xserver.multitouch.enable = true;
-
-  services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
-    X11-xshape
-  ];
-  services.xserver.windowManager.xmonad.enable = true;
-  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
-  services.xserver.windowManager.default = "xmonad";
-  services.xserver.desktopManager.default = "none";
-  services.xserver.desktopManager.xterm.enable = false;
-
-  services.xserver.displayManager.slim.enable = true;
-  services.xserver.displayManager.auto.enable = true;
-  services.xserver.displayManager.auto.user = mainUser.name;
-  #services.xserver.displayManager.job.logsXsession = true;
-
-  services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
-
-}
diff --git a/old/modules/mors/default.nix b/old/modules/mors/default.nix
index d83d6abc9..8ba052d60 100644
--- a/old/modules/mors/default.nix
+++ b/old/modules/mors/default.nix
@@ -5,8 +5,7 @@
     ../lass/xresources.nix
     ../lass/desktop-base.nix
     ../lass/programs.nix
-    ../lass/retiolum-mors.nix
-    ../lass/xserver-lass.nix
+    ./retiolum.nix
     ../tv/synaptics.nix
     ../lass/bitcoin.nix
     ../lass/browsers.nix
@@ -31,7 +30,7 @@
 
   nixpkgs = {
     url = "https://github.com/Lassulus/nixpkgs";
-    rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
+    rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
   };
 
   networking.hostName = "mors";
@@ -110,6 +109,7 @@
     SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
   '';
 
+  #TODO activationScripts seem broken, fix them!
   #activationScripts
   #split up and move into base
   system.activationScripts.powertopTunables = ''
@@ -141,10 +141,18 @@
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
   '';
-  system.activationScripts.trackpoint = ''
-    echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
-    echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
-  '';
+
+  hardware.trackpoint = {
+    enable = true;
+    sensitivity = 220;
+    speed = 0;
+    emulateWheel = true;
+  };
+
+  #system.activationScripts.trackpoint = ''
+  #  echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
+  #  echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
+  #'';
 
   services.xserver = {
     videoDriver = "intel";
@@ -201,6 +209,9 @@
     ];
   };
 
+  services.mongodb = {
+    enable = true;
+  };
   #services.ircdHybrid = {
   #  enable = true;
 
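Review bot: `services.mongodb.enable = true;` turns on a database server on a laptop with no comment on what uses it and no explicit bind address or authentication setting, so a reader cannot tell whether exposure beyond localhost would matter. Even if the module's default is a loopback `bind_ip`, stating it explicitly (`bind_ip = "127.0.0.1";`) next to a `# why: <consumer>` comment makes the intent survive a module-default change, and the `lass.iptables` INPUT DROP policy this host inherits via desktop-base.nix/base.nix then becomes the second line of defence rather than the only one. The enclosing attribute set starts and ends outside the hunk.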
diff --git a/old/modules/mors/git.nix b/old/modules/mors/git.nix
index 1dd61d164..375064868 100644
--- a/old/modules/mors/git.nix
+++ b/old/modules/mors/git.nix
@@ -1,71 +1,130 @@
 { config, lib, pkgs, ... }:
 
+let
+  inherit (builtins) map readFile;
+  inherit (lib) concatMap listToAttrs;
+  # TODO lib should already include our stuff
+  inherit (import ../../lib { inherit lib pkgs; }) addNames git;
+
+  x-repos = [
+    (krebs-private "brain")
+
+    (public "painload")
+    (public "shitment")
+    (public "wai-middleware-time")
+    (public "web-routes-wai-custom")
+
+    (secret "pass")
+
+    (tv-lass "emse-drywall")
+    (tv-lass "emse-hsdb")
+  ];
+
+  users = addNames {
+    tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
+    lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+    uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
+    makefu = { pubkey = "xxx"; };
+  };
+
+  repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
+
+  rules = concatMap ({ rules, ... }: rules) x-repos;
+
+  krebs-private = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  public = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+        public = true;
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  secret = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {};
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  tv-lass = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {};
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+in
+
 {
   imports = [
     ../tv/git
   ];
 
-  services.git =
-    let
-      inherit (builtins) readFile;
-      # TODO lib should already include our stuff
-      inherit (import ../../lib { inherit lib pkgs; }) addNames git;
-
-      krebs-private = name: desc:
-          {
-            inherit desc;
-            hooks = {
-              post-receive = git.irc-announce {
-                nick = config.networking.hostName; # TODO make this the default
-                channel = "#retiolum";
-                server = "ire.retiolum";
-              };
-            };
-          }
-    in rec {
-      enable = true;
-
-      users = addNames {
-        tv = { pubkey = readFile <pubkeys/tv.ssh.pub>; };
-        lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
-        uriel = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
-        makefu = { pubkey = "xxx"; };
-      };
-
-      repos = addNames {
-        shitment = {
-          desc = "shitment repository";
-          hooks = {
-            post-receive = git.irc-announce {
-              nick = config.networking.hostName; # TODO make this the default
-              channel = "#retiolum";
-              server = "ire.retiolum";
-            };
-          };
-          public = true;
-        };
-        testing = {
-          desc = "testing repository";
-          hooks = {
-            post-receive = git.irc-announce {
-              nick = config.networking.hostName; # TODO make this the default
-              channel = "#repository";
-              server = "ire.retiolum";
-            };
-          };
-          public = true;
-        };
-      };
-
-      rules = with git; with users; with repos; [
-        { user = lass;
-          repo = [ testing shitment ];
-          perm = push master [ non-fast-forward create delete merge ];
-        }
-        { user = [ tv uriel makefu ];
-          repo = [ testing shitment ];
-          perm = fetch;
-        }
-      ];
-    };
+  tv.git = {
+    enable = true;
+    inherit repos rules users;
+  };
 }
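Review bot: This file is byte-identical to the new old/modules/uriel/git.nix (both blobs carry index 375064868), so the repo list, user keys and permission rules now live in two places that will drift; a single shared module imported by both hosts, with the `krebs-private`/`public`/`secret`/`tv-lass` constructors defined once, avoids that. The rules also grant `makefu` fetch rights on the krebs-private and public repos while his entry is still `pubkey = "xxx";`; a placeholder literal in an authorized-key position should either be the real key or the user should be left out of the rule lists until it is. The four constructors' near-identical `rules` lists could share one helper parameterised on the fetch-user list. The same points apply to the uriel/git.nix hunk.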
diff --git a/old/modules/mors/paths.nix b/old/modules/mors/paths.nix
new file mode 100644
index 000000000..153356a7e
--- /dev/null
+++ b/old/modules/mors/paths.nix
@@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/Lassulus/nixpkgs;
+    rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets;
+}
diff --git a/old/modules/mors/repos.nix b/old/modules/mors/repos.nix
index e31ba9481..1f7f33456 100644
--- a/old/modules/mors/repos.nix
+++ b/old/modules/mors/repos.nix
@@ -35,6 +35,15 @@
         extraConfig = "option hook.post-receive = irc-announce";
       };
 
+      emse-drywall = {
+        users = {
+          lass = "RW+";
+          uriel = "R";
+          tv = "R";
+        };
+        extraConfig = "option hook.post-receive = irc-announce";
+      };
+
       emse-hsdb = {
         users = {
           lass = "RW+";
diff --git a/old/modules/lass/retiolum-mors.nix b/old/modules/mors/retiolum.nix
similarity index 81%
rename from old/modules/lass/retiolum-mors.nix
rename to old/modules/mors/retiolum.nix
index 61a7856c1..1148bee9c 100644
--- a/old/modules/lass/retiolum-mors.nix
+++ b/old/modules/mors/retiolum.nix
@@ -2,12 +2,12 @@
 
 {
   imports = [
-    ../tv/retiolum.nix
+    ../tv/retiolum
   ];
 
-  services.retiolum = {
+  tv.retiolum = {
     enable = true;
-    hosts = ../../hosts;
+    hosts = <retiolum-hosts>;
     privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
     connectTo = [
       "fastpoke"
diff --git a/old/modules/uriel/default.nix b/old/modules/uriel/default.nix
index 7f2b9032b..eb0f3e906 100644
--- a/old/modules/uriel/default.nix
+++ b/old/modules/uriel/default.nix
@@ -3,8 +3,7 @@
 {
   imports = [
     ../lass/desktop-base.nix
-    ../lass/retiolum-uriel.nix
-    ../lass/xserver-lass.nix
+    ./retiolum.nix
     ../lass/browsers.nix
     ../lass/programs.nix
     ../lass/games.nix
@@ -18,11 +17,12 @@
     ../lass/bird.nix
     ./repos.nix
     ../lass/chromium-patched.nix
+    ./git.nix
   ];
 
   nixpkgs = {
     url = "https://github.com/Lassulus/nixpkgs";
-    rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
+    rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
   };
 
   networking.hostName = "uriel";
@@ -106,6 +106,10 @@
   environment.systemPackages = with pkgs; [
   ];
 
+  #for google hangout
+
+  users.extraUsers.google.extraGroups = [ "audio" "video" ];
+
 
   #users.extraGroups = {
   #  loot = {
diff --git a/old/modules/uriel/git.nix b/old/modules/uriel/git.nix
new file mode 100644
index 000000000..375064868
--- /dev/null
+++ b/old/modules/uriel/git.nix
@@ -0,0 +1,130 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) map readFile;
+  inherit (lib) concatMap listToAttrs;
+  # TODO lib should already include our stuff
+  inherit (import ../../lib { inherit lib pkgs; }) addNames git;
+
+  x-repos = [
+    (krebs-private "brain")
+
+    (public "painload")
+    (public "shitment")
+    (public "wai-middleware-time")
+    (public "web-routes-wai-custom")
+
+    (secret "pass")
+
+    (tv-lass "emse-drywall")
+    (tv-lass "emse-hsdb")
+  ];
+
+  users = addNames {
+    tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
+    lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+    uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
+    makefu = { pubkey = "xxx"; };
+  };
+
+  repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
+
+  rules = concatMap ({ rules, ... }: rules) x-repos;
+
+  krebs-private = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  public = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+        public = true;
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  secret = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {};
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+  tv-lass = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {};
+      };
+      rules = with git; with users; [
+        { user = lass;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ tv ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+in
+
+{
+  imports = [
+    ../tv/git
+  ];
+
+  tv.git = {
+    enable = true;
+    inherit repos rules users;
+  };
+}
diff --git a/old/modules/uriel/retiolum.nix b/old/modules/uriel/retiolum.nix
new file mode 100644
index 000000000..1e90083fc
--- /dev/null
+++ b/old/modules/uriel/retiolum.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../tv/retiolum
+    ../lass/iptables
+  ];
+
+  tv.retiolum = {
+    enable = true;
+    hosts = ../../hosts;
+    privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
+    connectTo = [
+      "fastpoke"
+      "gum"
+      "ire"
+    ];
+  };
+
+  #networking.firewall.allowedTCPPorts = [ 655 ];
+  #networking.firewall.allowedUDPPorts = [ 655 ];
+  #lass.iptables = {
+  #  #input-internet-accept-new-tcp = [ "tinc" ];
+  #  #input-internet-accept-new-udp = [ "tinc" ];
+  #  tables.retiolum = {
+  #     interfaces = [ "retiolum" "wl0" ];
+  #     allowed-tcp = [ "tinc" ];
+  #     allowed-udp = [ "tinc" ];
+  #  };
+  #};
+}
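Review bot: The former `networking.firewall.allowedTCPPorts/allowedUDPPorts = [ 655 ]` lines are now commented out and nothing re-expresses the tinc port under `lass.iptables`, while uriel inherits `filter.INPUT.policy = "DROP"` with only SSH, ICMP and established traffic accepted (uriel/default.nix imports ../lass/desktop-base.nix, which imports base.nix); as far as I can tell this leaves uriel able only to originate retiolum connections to its `connectTo` peers, not to accept them, and nothing in the patch says that is intended. If inbound tinc should work, a rule such as `{ predicate = "-p tcp --dport 655"; target = "ACCEPT"; }` (plus its udp twin) belongs in this file's `lass.iptables.tables.filter.INPUT.rules`, where the module system should merge it with base.nix's list. The commented-out `lass.iptables` sketch below uses `tables.retiolum.interfaces`/`allowed-tcp`, which does not match the option schema in old/modules/lass/iptables/options.nix, so it should be removed rather than left as a misleading hint.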