From dba0db28d96978d51284512c6b57a48fbfa9f492 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 17 Nov 2015 19:04:32 +0100
Subject: [PATCH] mv: init
---
krebs/3modules/default.nix | 1 +
krebs/3modules/mv/default.nix | 39 +++++
mv/1systems/stro.nix | 245 +++++++++++++++++++++++++++
mv/2configs/default.nix | 194 +++++++++++++++++++++
mv/2configs/hw/x220.nix | 77 +++++++++
mv/2configs/mail-client.nix | 13 ++
mv/2configs/smartd.nix | 17 ++
mv/2configs/vim.nix | 123 ++++++++++++++
mv/2configs/xserver/Xresources.nix | 215 +++++++++++++++++++++++
mv/2configs/xserver/default.nix | 153 +++++++++++++++++
mv/2configs/xserver/xserver.conf.nix | 40 +++++
mv/3modules/default.nix | 7 +
mv/3modules/iptables.nix | 126 ++++++++++++++
13 files changed, 1250 insertions(+)
create mode 100644 krebs/3modules/mv/default.nix
create mode 100644 mv/1systems/stro.nix
create mode 100644 mv/2configs/default.nix
create mode 100644 mv/2configs/hw/x220.nix
create mode 100644 mv/2configs/mail-client.nix
create mode 100644 mv/2configs/smartd.nix
create mode 100644 mv/2configs/vim.nix
create mode 100644 mv/2configs/xserver/Xresources.nix
create mode 100644 mv/2configs/xserver/default.nix
create mode 100644 mv/2configs/xserver/xserver.conf.nix
create mode 100644 mv/3modules/default.nix
create mode 100644 mv/3modules/iptables.nix
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b4e7f9254..a908d437b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -78,6 +78,7 @@ let
imp = mkMerge [
{ krebs = import ./lass { inherit lib; }; }
{ krebs = import ./makefu { inherit lib; }; }
+ { krebs = import ./mv { inherit lib; }; }
{ krebs = import ./shared { inherit lib; }; }
{ krebs = import ./tv { inherit lib; }; }
{
diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix
new file mode 100644
index 000000000..446caf454
--- /dev/null
+++ b/krebs/3modules/mv/default.nix
@@ -0,0 +1,39 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ hosts = addNames {
+ stro = {
+ cores = 4;
+ dc = "mv";
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.111.111"];
+ addrs6 = ["42:0:0:0:0:0:111:111"];
+ aliases = [
+ "stro.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
+ vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
+ FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
+ ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
+ oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
+ XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro";
+ };
+ };
+ users = addNames {
+ mv_stro = {
+ mail = "mv@stro.retiolum";
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxM34g1GUm5EtU00DAOlGSx8MsCWunhGTrozurj460QT7EdUbZvj0AcrQC0lP9kaZyhX+KueTjmLC+ICsnlHYeg4zoSEnSAUkccuyZxfgynVc4wrpfNAc1nHjDhDb/ulnC+8wNxvxUpI0XlBgu/Y7AbbChZj3ofv6uGGHJKfG3uSyCkt9VTCi1KwydHpe9P252N8NbopnbnkT0EMkRHruh7ICEKr4/ivmUL/IUrbFicEeCy4SeRAl8+00x4WqqvbBPzgdXn0AIjKLvus3dBoQubJNpUoXnyXJbElnit5a7QcgZJNLMbV0kf9zzCGduxkADzHkAFB9D4PuSMYt62iy12QlGbm80A9ncuwaSyJf7hPTvNbU8VyCblyfRz/SCaudUrfk5Xbxxu26FHi4hZqr3IUQt4T8pD8JWYGl4n2ZKnD8hHz/jrmNBK8h9d+VFafU9t1hRxlFsW1AhMEM+kfWClyhfTcKBKbml2a657lgUEVmlZt+18kwwsivM1QhHNTgxn5urRXRkh1VQ40UQroVuV1OUmvAngyAthF441VPGc5z7kEI+D4qjmUjSy6k4dvEy/RGfsAgJCf63zilRuUbL68f2OpxE8aeZZUXPvgdLml284pry7+C5sjlnCDoJfCj/yhdVx6mU9pWUd/Q97CLQewbsYhMzsqlBlIkXuipkDQ== mv@stro";
+ };
+ };
+}
diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix
new file mode 100644
index 000000000..9edcea007
--- /dev/null
+++ b/mv/1systems/stro.nix
@@ -0,0 +1,245 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.build.host = config.krebs.hosts.stro;
+
+ krebs.build.source.git.nixpkgs.rev =
+ "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
+
+ krebs.build.target = "lolwat";
+
+ imports = [
+ ../2configs/hw/x220.nix
+ ../2configs/mail-client.nix
+ ../2configs/xserver
+ {
+ environment.systemPackages = with pkgs; [
+
+ # stockholm
+ genid
+ gnumake
+ hashPassword
+ lentil
+ parallel
+ (pkgs.writeScriptBin "im" ''
+ #! ${pkgs.bash}/bin/bash
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+
+ # root
+ cryptsetup
+ ntp # ntpate
+
+ # tv
+ bc
+ bind # dig
+ #cac
+ dic
+ file
+ gnupg21
+ haskellPackages.hledger
+ htop
+ jq
+ manpages
+ mkpasswd
+ netcat
+ nix-repl
+ nmap
+ nq
+ p7zip
+ pass
+ posix_man_pages
+ qrencode
+ texLive
+ tmux
+
+ #ack
+ #apache-httpd
+ #ascii
+ #emacs
+ #es
+ #esniper
+ #gcc
+ #gptfdisk
+ #graphviz
+ #haskellPackages.cabal2nix
+ #haskellPackages.ghc
+ #haskellPackages.shake
+ #hdparm
+ #i7z
+ #iftop
+ #imagemagick
+ #inotifyTools
+ #iodine
+ #iotop
+ #lshw
+ #lsof
+ #minicom
+ #mtools
+ #ncmpc
+ #nethogs
+ #nix-prefetch-scripts #cvs bug
+ #openssl
+ #openswan
+ #parted
+ #perl
+ #powertop
+ #ppp
+ #proot
+ #pythonPackages.arandr
+ #pythonPackages.youtube-dl
+ #racket
+ #rxvt_unicode-with-plugins
+ #scrot
+ #sec
+ #silver-searcher
+ #sloccount
+ #smartmontools
+ #socat
+ #sshpass
+ #strongswan
+ #sysdig
+ #sysstat
+ #tcpdump
+ #tlsdate
+ #unetbootin
+ #utillinuxCurses
+ #wvdial
+ #xdotool
+ #xkill
+ #xl2tpd
+ #xsel
+
+ unison
+ ];
+ }
+ {
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "http"
+ "tinc"
+ "smtp"
+ ];
+ };
+ }
+ {
+ krebs.exim-retiolum.enable = true;
+ }
+ {
+ krebs.nginx = {
+ enable = true;
+ servers.default.locations = [
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ }
+ {
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ "cd"
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ { name = "xuca"; device = "/dev/sda2"; }
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/xuvga-root";
+ fsType = "btrfs";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/home" = {
+ device = "/dev/mapper/xuvga-home";
+ fsType = "btrfs";
+ options = "defaults,noatime,ssd,compress=lzo";
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = "nosuid,nodev,noatime";
+ };
+ };
+
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ #nixpkgs.config.allowUnfreePredicate = pkg:
+ # pkgs.lib.hasPrefix "virtualbox" pkg.name;
+
+ #nixpkgs.config.allowUnfree = true;
+ #hardware.bumblebee.enable = true;
+ #hardware.bumblebee.group = "video";
+ hardware.enableAllFirmware = true;
+ #hardware.opengl.driSupport32Bit = true;
+ hardware.pulseaudio.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ #xlibs.fontschumachermisc
+ #slock
+ ethtool
+ #firefoxWrapper # with plugins
+ #chromiumDevWrapper
+ tinc
+ iptables
+ #jack2
+
+ gptfdisk
+ ];
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ ];
+
+ services.printing.enable = true;
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ #virtualisation.libvirtd.enable = true;
+
+ #services.bitlbee.enable = true;
+ #services.tor.client.enable = true;
+ #services.tor.enable = true;
+
+ #nixpkgs.config.virtualbox.enableExtensionPack = true;
+
+ # XXX Enable for maximum slowness:
+ virtualisation.virtualbox.host.enable = true;
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+}
diff --git a/mv/2configs/default.nix b/mv/2configs/default.nix
new file mode 100644
index 000000000..f5b647558
--- /dev/null
+++ b/mv/2configs/default.nix
@@ -0,0 +1,194 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ krebs.enable = true;
+
+ krebs.build = {
+ user = config.krebs.users.tv;
+ target = mkDefault "root@${config.krebs.build.host.name}";
+ source = {
+ git.nixpkgs = {
+ url = mkDefault https://github.com/NixOS/nixpkgs;
+ rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
+ target-path = mkDefault "/var/src/nixpkgs";
+ };
+ dir.secrets = {
+ path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
+ };
+ dir.stockholm = {
+ path = mkDefault "/home/tv/stockholm";
+ target-path = mkDefault "/var/src/stockholm";
+ };
+ };
+ };
+
+ networking.hostName = config.krebs.build.host.name;
+
+ imports = [
+ <secrets>
+ ./vim.nix
+ {
+ # stockholm dependencies
+ environment.systemPackages = with pkgs; [
+ git
+ ];
+ }
+ {
+ users = {
+ defaultUserShell = "/run/current-system/sw/bin/bash";
+ mutableUsers = false;
+ users = {
+ tv = {
+ isNormalUser = true;
+ uid = 1337;
+ };
+ };
+ };
+ }
+ {
+ security.sudo.extraConfig = ''
+ Defaults mailto="${config.krebs.users.tv.mail}"
+ '';
+ time.timeZone = "Europe/Berlin";
+ }
+ {
+ # TODO check if both are required:
+ nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+
+ nix.useChroot = true;
+ }
+ {
+ environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
+
+ environment.systemPackages = with pkgs; [
+ rxvt_unicode.terminfo
+ ];
+
+ environment.shellAliases = mkForce {
+ # alias cal='cal -m3'
+ gp = "${pkgs.pari}/bin/gp -q";
+ df = "df -h";
+ du = "du -h";
+ # alias grep='grep --color=auto'
+
+ # TODO alias cannot contain #\'
+ # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+ # alias la='ls -lA'
+ lAtr = "ls -lAtr";
+ # alias ll='ls -l'
+ ls = "ls -h --color=auto --group-directories-first";
+ dmesg = "dmesg -L --reltime";
+ view = "vim -R";
+
+ reload = "systemctl reload";
+ restart = "systemctl restart";
+ start = "systemctl start";
+ status = "systemctl status";
+ stop = "systemctl stop";
+ };
+
+ environment.variables = {
+ NIX_PATH =
+ with config.krebs.build.source; with dir; with git;
+ mkForce (concatStringsSep ":" [
+ "nixpkgs=${nixpkgs.target-path}"
+ "secrets=${stockholm.target-path}/null"
+ ]);
+ };
+
+ programs.bash = {
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ ${readFile ./bash_completion.sh}
+
+ # TODO source bridge
+ '';
+ promptInit = ''
+ case $UID in
+ 0)
+ PS1='\[\e[1;31m\]\w\[\e[0m\] '
+ ;;
+ 1337)
+ PS1='\[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ *)
+ PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\e[35m\]\h'" $PS1"
+ fi
+ if test -n "$SSH_AGENT_PID"; then
+ PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
+ fi
+ '';
+ };
+
+ programs.ssh.startAgent = false;
+ }
+
+ {
+ services.cron.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+ }
+
+ {
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+ }
+
+ {
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ }
+
+ {
+ # TODO: exim
+ security.setuidPrograms = [
+ "sendmail" # for sudo
+ ];
+ }
+ {
+ environment.systemPackages = [
+ pkgs.get
+ pkgs.krebszones
+ pkgs.nix-prefetch-scripts
+ pkgs.push
+ ];
+ }
+
+ {
+ systemd.tmpfiles.rules = let
+ forUsers = flip map users;
+ isUser = { group, ... }: hasSuffix "users" group;
+ users = filter isUser (mapAttrsToList (_: id) config.users.users);
+ in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
+ environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
+ }
+ ];
+}
diff --git a/mv/2configs/hw/x220.nix b/mv/2configs/hw/x220.nix
new file mode 100644
index 000000000..7426555df
--- /dev/null
+++ b/mv/2configs/hw/x220.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../smartd.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "aesni-intel"
+ "ahci"
+ "fbcon"
+ "i915"
+ ];
+ boot.kernelModules = [
+ "kvm-intel"
+ "msr"
+ "tp-smapi"
+ ];
+
+ boot.extraModulePackages = [
+ config.boot.kernelPackages.tp_smapi
+ ];
+
+ # disabled for fbcon and i915 to kick in or to disable the kernelParams
+ # XXX: investigate
+ boot.vesa = false;
+
+ boot.loader.gummiboot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.wireless.enable = true;
+
+ #hardware.enableAllFirmware = true;
+ #nixpkgs.config.allowUnfree = true;
+ #zramSwap.enable = true;
+ #zramSwap.numDevices = 2;
+
+ hardware.trackpoint = {
+ enable = true;
+ sensitivity = 220;
+ speed = 0;
+ emulateWheel = true;
+ };
+
+ services.tlp.enable = true;
+ services.tlp.extraConfig = ''
+ START_CHARGE_THRESH_BAT0=80
+ '';
+
+ nix = {
+ buildCores = 2;
+ maxJobs = 2;
+ daemonIONiceLevel = 1;
+ daemonNiceLevel = 1;
+ };
+
+ services.logind.extraConfig = ''
+ HandleHibernateKey=ignore
+ HandleLidSwitch=ignore
+ HandlePowerKey=ignore
+ HandleSuspendKey=ignore
+ '';
+
+ services.xserver = {
+ videoDriver = "intel";
+ #vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
+ #deviceSection = ''
+ # Option "AccelMethod" "sna"
+ #'';
+ };
+
+ #services.xserver.displayManager.sessionCommands =''
+ # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1
+ # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2
+ # xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
+ #'';
+}
diff --git a/mv/2configs/mail-client.nix b/mv/2configs/mail-client.nix
new file mode 100644
index 000000000..8b6f8bbcd
--- /dev/null
+++ b/mv/2configs/mail-client.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+with pkgs;
+{
+ environment.systemPackages = [
+ much
+ msmtp
+ notmuch
+ pythonPackages.alot
+ qprint
+ w3m
+ ];
+}
diff --git a/mv/2configs/smartd.nix b/mv/2configs/smartd.nix
new file mode 100644
index 000000000..9c4d8b2d8
--- /dev/null
+++ b/mv/2configs/smartd.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ services.smartd = {
+ enable = true;
+ devices = [
+ {
+ device = "DEVICESCAN";
+ options = toString [
+ "-a"
+ "-m ${config.krebs.users.tv.mail}"
+ "-s (O/../.././09|S/../.././04|L/../../6/05)"
+ ];
+ }
+ ];
+ };
+}
diff --git a/mv/2configs/vim.nix b/mv/2configs/vim.nix
new file mode 100644
index 000000000..a961b6b26
--- /dev/null
+++ b/mv/2configs/vim.nix
@@ -0,0 +1,123 @@
+{ lib, pkgs, ... }:
+
+with lib;
+let
+ out = {
+ environment.systemPackages = [
+ pkgs.vim
+ ];
+
+ # Nano really is just a stupid name for Vim.
+ nixpkgs.config.packageOverrides = pkgs: {
+ nano = pkgs.vim;
+ };
+
+ environment.etc.vimrc.source = vimrc;
+
+ environment.variables.EDITOR = mkForce "vim";
+ environment.variables.VIMINIT = ":so /etc/vimrc";
+ };
+
+ extra-runtimepath = concatStringsSep "," [
+ "${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree"
+ ];
+
+ vimrc = pkgs.writeText "vimrc" ''
+ set nocompatible
+
+ set autoindent
+ set backspace=indent,eol,start
+ set backup
+ set backupdir=$HOME/.vim/backup/
+ set directory=$HOME/.vim/cache//
+ set hlsearch
+ set incsearch
+ set mouse=a
+ set noruler
+ set pastetoggle=<INS>
+ set runtimepath=${extra-runtimepath},$VIMRUNTIME
+ set shortmess+=I
+ set showcmd
+ set showmatch
+ set ttimeoutlen=0
+ set undodir=$HOME/.vim/undo
+ set undofile
+ set undolevels=1000000
+ set undoreload=1000000
+ set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info
+ set visualbell
+ set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
+ set wildmenu
+ set wildmode=longest,full
+
+ set et ts=2 sts=2 sw=2
+
+ filetype plugin indent on
+
+ set t_Co=256
+ colorscheme industry
+ syntax on
+
+ au Syntax * syn match Tabstop containedin=ALL /\t\+/
+ \ | hi Tabstop ctermbg=16
+ \ | syn match TrailingSpace containedin=ALL /\s\+$/
+ \ | hi TrailingSpace ctermbg=88
+ \ | hi Normal ctermfg=White
+
+ au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" ''
+ syn region String start=+\[[[:alnum:]]*|+ end=+|]+
+ ''}
+
+ au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" ''
+ setf nix
+ set isk=@,48-57,_,192-255,-,'
+
+ " Ref <nix/src/libexpr/lexer.l>
+ syn match INT /\<[0-9]\+\>/
+ syn match PATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+ syn match HPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+ syn match SPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
+ syn match URI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
+ hi link INT Constant
+ hi link PATH Constant
+ hi link HPATH Constant
+ hi link SPATH Constant
+ hi link URI Constant
+
+ syn match String /"\([^\\"]\|\\.\)*"/
+ syn match Comment /\(^\|\s\)#.*/
+ ''}
+
+ au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
+
+ nmap <esc>q :buffer
+ nmap <M-q> :buffer
+
+ cnoremap <C-A> <Home>
+
+ noremap <C-c> :q<cr>
+
+ nnoremap <esc>[5^ :tabp<cr>
+ nnoremap <esc>[6^ :tabn<cr>
+ nnoremap <esc>[5@ :tabm -1<cr>
+ nnoremap <esc>[6@ :tabm +1<cr>
+
+ nnoremap <f1> :tabp<cr>
+ nnoremap <f2> :tabn<cr>
+ inoremap <f1> <esc>:tabp<cr>
+ inoremap <f2> <esc>:tabn<cr>
+
+ " <C-{Up,Down,Right,Left>
+ noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
+ noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
+ noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
+ noremap <esc>Od <nop> | noremap! <esc>Od <nop>
+ " <[C]S-{Up,Down,Right,Left>
+ noremap <esc>[a <nop> | noremap! <esc>[a <nop>
+ noremap <esc>[b <nop> | noremap! <esc>[b <nop>
+ noremap <esc>[c <nop> | noremap! <esc>[c <nop>
+ noremap <esc>[d <nop> | noremap! <esc>[d <nop>
+ vnoremap u <nop>
+ '';
+in
+out
diff --git a/mv/2configs/xserver/Xresources.nix b/mv/2configs/xserver/Xresources.nix
new file mode 100644
index 000000000..f287bf206
--- /dev/null
+++ b/mv/2configs/xserver/Xresources.nix
@@ -0,0 +1,215 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+pkgs.writeText "Xresources" ''
+ !URxvt*background: #050505
+
+ ! 2013-02-25 \e was reas escape before
+ ! *VT100.Translations: #override\
+ ! :<Btn4Down>: string("\e[5~")\n\
+ ! :<Btn5Down>: string("\e[6~")
+
+ ! XTerm*VT100*Translations: #override \
+ ! Shift<Key>Return: string(" &") string(0x0A) \n\
+ ! Meta<Key>Return: string(" | less") string(0x0A) \n\
+ ! ~Shift<Key>Prior: scroll-back(1,page) \n\
+ ! ~Shift<Key>Next: scroll-forw(1,page) \n\
+ ! Shift<Key>Prior: scroll-back(1) \n\
+ ! Shift<Key>Next: scroll-forw(1) \n\
+ ! <Key>Delete: string(0x1b) string("[2~")
+ ! \n\
+ ! <Key>BackSpace: string(0x7f)
+
+ ! 2013-02-2013-02-25
+ ! ! <M-c>: load bash-completion (if not already)
+ ! URxvt*VT100*Translations: #override\
+ ! Meta<KeyPress>c:\
+ ! string("\eOH# \eOF\n+compl\n\eOA\eOA\eOH\e[3~\e[3~\eOF")\
+ ! string(0x7)\n
+
+ ! do not scroll automatically on output:
+ ! XTerm*scrollTtyOutput: false
+ URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’"
+ ! URxvt*secondaryScreen: false
+
+ ! URxvt*loginShell: true
+
+ URxvt*eightBitInput: false
+ ! *eightBitOutput: 1
+ ! URxvt*decTerminalID: 220
+ ! URxvt*utf8: 1
+ ! URxvt*locale: UTF-8
+ ! XTerm*customization: -color
+ URxvt*SaveLines: 4096
+ URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+ URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+
+ ! 2013-05-23 if this does not work try
+ ! xset +fp /usr/share/fonts/local/
+ ! xset fp rehash
+ ! URxvt*font: -*-termsynu-edium-*-*-*-12-*-*-*-*-*-iso10646-1
+ ! URxvt*boldFont: -*-termsynu-bold-*-*-*-12-*-*-*-*-*-iso10646-1
+ !
+ !-misc-termsynu-medium-r-normal--12-87-100-100-c-70-iso10646-1
+
+ ! XTerm*font: -misc-fixed-medium-r-normal--13-120-75-75-c-80-iso10646-1
+ URxvt*scrollBar: false
+
+ ! XTerm*font:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
+ ! URxvt*boldFont:-nil-profont-medium-r-normal--11-110-72-72-c-60-iso8859-1
+
+ URxvt*background: #050505
+ ! URxvt*background: #041204
+
+ !URxvt.depth: 32
+ !URxvt*background: rgba:0500/0500/0500/cccc
+
+ ! URxvt*background: #080810
+ URxvt*foreground: #d0d7d0
+ ! URxvt*background: black
+ ! URxvt*foreground: white
+ ! URxvt*background: rgb:00/00/40
+ ! URxvt*foreground: rgb:a0/a0/d0
+ ! XTerm*cursorColor: rgb:00/00/60
+ URxvt*cursorColor: #f042b0
+ URxvt*cursorColor2: #f0b000
+ URxvt*cursorBlink: off
+ ! URxvt*cursorUnderline: true
+ ! URxvt*highlightColor: #232323
+ ! URxvt*highlightTextColor: #b0ffb0
+
+ URxvt*.pointerBlank: true
+ URxvt*.pointerBlankDelay: 987654321
+ URxvt*.pointerColor: #f042b0
+ URxvt*.pointerColor2: #050505
+
+ ! URxvt*fading: 50
+ ! URxvt*fadeColor: #0f0f0f
+
+ ! XTerm*colorMode: on
+ ! URxvt*dynamicColors: on
+ ! URxvt*boldColors: off
+
+ URxvt*jumpScroll: true
+
+ ! allow synthetic events for fvwm, so pass window specific keys
+ ! XTerm*allowSendEvents: true
+ URxvt*allowSendEvents: false
+
+ ! better double/tripple clicking in xterms
+ ! Format: csv, [low-]high:value
+ !
+ ! extend character class 48 due they are used in urls
+ ! (see: man xterm; /CHARACTER CLASSES)
+ ! ! % -./ @ & = ?
+ URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
+ URxvt*cutNewline: False
+ URxvt*cutToBeginningOfLine: False
+
+ ! BLACK for indigo background
+ URxvt*color0: #232342
+
+ ! TODO: man xterm; /ACTIONS
+
+ ! *VT100*colorULMode: on
+ ! XTerm*underLine: on
+ !
+ ! URxvt*color0: black
+ ! URxvt*color1: red3
+ ! URxvt*color2: green3
+ ! URxvt*color3: yellow3
+ ! URxvt*color4: blue2
+ ! URxvt*color5: magenta3
+ ! URxvt*color6: cyan3
+ ! URxvt*color7: gray90
+ ! URxvt*color8: burlywood1
+ ! URxvt*color9: sienna1
+ ! URxvt*color10: PaleVioletRed1
+ ! URxvt*color11: LightSkyBlue
+ ! URxvt*color12: white
+ ! URxvt*color13: white
+ ! URxvt*color14: white
+ ! URxvt*color33: #f0b0f0
+
+
+ ! URxvt*color0: #000000
+ ! URxvt*color1: #c00000
+ ! URxvt*color2: #80c070
+ URxvt*color3: #c07000
+ ! URxvt*color4: #0000c0
+ URxvt*color4: #4040c0
+ ! URxvt*color5: #c000c0
+ ! URxvt*color6: #008080
+ URxvt*color7: #c0c0c0
+
+ URxvt*color8: #707070
+ URxvt*color9: #ff6060
+ URxvt*color10: #70ff70
+ URxvt*color11: #ffff70
+ URxvt*color12: #7070ff
+ URxvt*color13: #ff50ff
+ URxvt*color14: #70ffff
+ URxvt*color15: #ffffff
+
+ ! XTerm*color91: #000070
+ ! XTerm*color92: #000080
+ ! XTerm*color93: #000090
+ ! XTerm*color94: #0000a0
+ ! XTerm*color95: #0000b0
+ ! XTerm*color96: #0000c0
+ ! XTerm*color97: #0000d0
+ ! XTerm*color98: #0000e0
+ ! XTerm*color99: #0000f0
+
+ ! !! vim-create-colorscheme {{{
+ ! !! Question cterm=none
+ ! XTerm*color20: #f0b000
+ ! !! }}}
+ !
+ !
+ ! #include ".xrdb/look-zenburn.xrdb"
+ ! #include ".xrdb/xterm.xrdb"
+
+
+
+ ! URxvt.perl-ext: matcher
+ ! URxvt.urlLauncher: cr
+ ! URxvt.underlineColor: blue
+
+ ! URxvt.matcher.button: 1
+ ! URxvt.perl-ext: default,matcher
+ ! URxvt.urlLauncher: cr
+ ! URxvt.matcher.pattern.1: \\bwww\\.[\\w-]+\\.[\\w./?&@#-]*[\\w/-]
+ ! URxvt.underlineColor: blue
+
+ ! 2014-05-12 von lass
+ !URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
+ !URxvt.url-select.launcher: /home/tv/bin/ff -new-tab
+ !URxvt.url-select.underline: true
+ !URxvt.keysym.M-u: perl:url-select:select_next
+ !URxvt.keysym.M-Escape: perl:keyboard-select:activate
+ !URxvt.keysym.M-s: perl:keyboard-select:search
+
+
+
+
+ ! 2013-02-25 I neve use this
+ URxvt*iso14755: False
+
+ URxvt*urgentOnBell: True
+ URxvt*visualBell: True
+
+ ! ref https://github.com/muennich/urxvt-perls
+ URxvt*perl-ext: default,url-select
+ URxvt*keysym.M-u: perl:url-select:select_next
+ URxvt*url-select.launcher: ${pkgs.ff}/bin/ff -new-tab
+ URxvt*url-select.underline: true
+ URxvt*colorUL: #4682B4
+ URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
+
+ root-urxvt*background: #230000
+ root-urxvt*foreground: #e0c0c0
+ root-urxvt*BorderColor: #400000
+ root-urxvt*color0: #800000
+''
diff --git a/mv/2configs/xserver/default.nix b/mv/2configs/xserver/default.nix
new file mode 100644
index 000000000..afc2d699c
--- /dev/null
+++ b/mv/2configs/xserver/default.nix
@@ -0,0 +1,153 @@
+{ config, lib, pkgs, ... }@args:
+
+with lib;
+
+let
+ # TODO krebs.build.user
+ user = config.users.users.tv;
+
+ out = {
+ services.xserver.display = 11;
+ services.xserver.tty = 11;
+
+ services.xserver.synaptics = {
+ enable = true;
+ twoFingerScroll = true;
+ accelFactor = "0.035";
+ };
+
+ fonts.fonts = [
+ pkgs.xlibs.fontschumachermisc
+ ];
+
+ systemd.services.urxvtd = {
+ wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ serviceConfig = {
+ ExecReload = need-reload "urxvtd.service";
+ ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+ Restart = "always";
+ RestartSec = "2s";
+ StartLimitBurst = 0;
+ User = user.name;
+ };
+ };
+
+ environment.systemPackages = [
+ pkgs.ff
+ pkgs.gitAndTools.qgit
+ pkgs.mpv
+ pkgs.pavucontrol
+ pkgs.slock
+ pkgs.sxiv
+ pkgs.xsel
+ pkgs.zathura
+ ];
+
+ security.setuidPrograms = [
+ "slock"
+ ];
+
+ systemd.services.display-manager = mkForce {};
+
+ services.xserver.enable = true;
+
+ systemd.services.xmonad = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "xserver.service" ];
+ environment = xmonad-environment;
+ serviceConfig = {
+ ExecStart = "${xmonad-start}/bin/xmonad";
+ ExecStop = "${xmonad-stop}/bin/xmonad-stop";
+ User = user.name;
+ WorkingDirectory = user.home;
+ };
+ };
+
+ systemd.services.xserver = {
+ after = [
+ "systemd-udev-settle.service"
+ "local-fs.target"
+ "acpid.service"
+ ];
+ reloadIfChanged = true;
+ environment = xserver-environment;
+ serviceConfig = {
+ ExecReload = need-reload "xserver.service";
+ ExecStart = "${xserver}/bin/xserver";
+ };
+ };
+ };
+
+ xmonad-environment = {
+ DISPLAY = ":${toString config.services.xserver.display}";
+ XMONAD_STATE = "/tmp/xmonad.state";
+
+ # XXX JSON is close enough :)
+ XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+ "Dashboard" # we start here
+ "23"
+ "cr"
+ "ff"
+ "hack"
+ "im"
+ "mail"
+ "stockholm"
+ "za" "zh" "zj" "zs"
+ ]);
+ };
+
+ xmonad-start = pkgs.writeScriptBin "xmonad" ''
+ #! ${pkgs.bash}/bin/bash
+ set -efu
+ export PATH; PATH=${makeSearchPath "bin" [
+ pkgs.rxvt_unicode
+ ]}:/var/setuid-wrappers
+ settle() {(
+ # Use PATH for a clean journal
+ command=''${1##*/}
+ PATH=''${1%/*}; export PATH
+ shift
+ until "$command" "$@"; do
+ ${pkgs.coreutils}/bin/sleep 1
+ done
+ )&}
+ settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
+ settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args}
+ settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c'
+ exec ${pkgs.xmonad-tv}/bin/xmonad
+ '';
+
+ xmonad-stop = pkgs.writeScriptBin "xmonad-stop" ''
+ #! /bin/sh
+ exec ${pkgs.xmonad-tv}/bin/xmonad --shutdown
+ '';
+
+ xserver-environment = {
+ XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
+ XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+ LD_LIBRARY_PATH = concatStringsSep ":" (
+ [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
+ ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
+ };
+
+ xserver = pkgs.writeScriptBin "xserver" ''
+ #! /bin/sh
+ set -efu
+ exec ${pkgs.xorg.xorgserver}/bin/X \
+ :${toString config.services.xserver.display} \
+ vt${toString config.services.xserver.tty} \
+ -config ${import ./xserver.conf.nix args} \
+ -logfile /var/log/X.${toString config.services.xserver.display}.log \
+ -nolisten tcp \
+ -xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \
+ '';
+
+ need-reload = s: let
+ pkg = pkgs.writeScriptBin "need-reload" ''
+ #! /bin/sh
+ echo "$*"
+ '';
+ in "${pkg}/bin/need-reload ${s}";
+
+in out
diff --git a/mv/2configs/xserver/xserver.conf.nix b/mv/2configs/xserver/xserver.conf.nix
new file mode 100644
index 000000000..e8a997a99
--- /dev/null
+++ b/mv/2configs/xserver/xserver.conf.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.xserver;
+in
+
+pkgs.stdenv.mkDerivation {
+ name = "xserver.conf";
+
+ xfs = optionalString (cfg.useXFS != false)
+ ''FontPath "${toString cfg.useXFS}"'';
+
+ inherit (cfg) config;
+
+ buildCommand =
+ ''
+ echo 'Section "Files"' >> $out
+ echo $xfs >> $out
+
+ for i in ${toString config.fonts.fonts}; do
+ if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
+ for j in $(find $i -name fonts.dir); do
+ echo " FontPath \"$(dirname $j)\"" >> $out
+ done
+ fi
+ done
+
+ for i in $(find ${toString cfg.modules} -type d); do
+ if test $(echo $i/*.so* | wc -w) -ne 0; then
+ echo " ModulePath \"$i\"" >> $out
+ fi
+ done
+
+ echo 'EndSection' >> $out
+
+ echo "$config" >> $out
+ '';
+}
diff --git a/mv/3modules/default.nix b/mv/3modules/default.nix
new file mode 100644
index 000000000..963f108b2
--- /dev/null
+++ b/mv/3modules/default.nix
@@ -0,0 +1,7 @@
+_:
+
+{
+ imports = [
+ ./iptables.nix
+ ];
+}
diff --git a/mv/3modules/iptables.nix b/mv/3modules/iptables.nix
new file mode 100644
index 000000000..cbf49f577
--- /dev/null
+++ b/mv/3modules/iptables.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+let
+ cfg = config.tv.iptables;
+
+ out = {
+ options.tv.iptables = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "tv.iptables";
+
+ input-internet-accept-new-tcp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+
+ input-retiolum-accept-new-tcp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+ };
+
+ imp = {
+ networking.firewall.enable = false;
+
+ systemd.services.tv-iptables = {
+ description = "tv-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} tv-iptables_start";
+ };
+ };
+ };
+
+
+ accept-new-tcp = port:
+ "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+
+ rules = iptables-version:
+ pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
+ *nat
+ :PREROUTING ACCEPT [0:0]
+ :INPUT ACCEPT [0:0]
+ :OUTPUT ACCEPT [0:0]
+ :POSTROUTING ACCEPT [0:0]
+ ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
+ ++ [
+ "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
+ "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
+ ]
+ )}
+ COMMIT
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ :Retiolum - [0:0]
+ ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
+ ++ [
+ "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+ "-i lo -j ACCEPT"
+ ]
+ ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
+ ++ ["-i retiolum -j Retiolum"]
+ )}
+ ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
+ ++ {
+ ip4tables = [
+ "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
+ ];
+ ip6tables = [
+ "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
+ ];
+ }."ip${toString iptables-version}tables"
+ ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
+ ++ {
+ ip4tables = [
+ "-p tcp -j REJECT --reject-with tcp-reset"
+ "-p udp -j REJECT --reject-with icmp-port-unreachable"
+ "-j REJECT --reject-with icmp-proto-unreachable"
+ ];
+ ip6tables = [
+ "-p tcp -j REJECT --reject-with tcp-reset"
+ "-p udp -j REJECT --reject-with icmp6-port-unreachable"
+ "-j REJECT"
+ ];
+ }."ip${toString iptables-version}tables"
+ )}
+ COMMIT
+ '';
+
+ startScript = pkgs.writeScript "tv-iptables_start" ''
+ #! /bin/sh
+ set -euf
+ iptables-restore < ${rules 4}
+ ip6tables-restore < ${rules 6}
+ '';
+
+in
+out
+
+#let
+# cfg = config.tv.iptables;
+# arg' = arg // { inherit cfg; };
+#in
+#
+#{
+# options.tv.iptables = import ./options.nix arg';
+# config = lib.mkIf cfg.enable (import ./config.nix arg');
+#}