Merge branch 'master' of prism:stockholm

nin 2017-07-06 20:36:05 +02:00
commit de8baa21bf
59 changed files with 912 additions and 281 deletions


@ -51,13 +51,23 @@ $(if $(target_user),,$(error unbound variable: target_user))
$(if $(target_port),,$(error unbound variable: target_port))
$(if $(target_path),,$(error unbound variable: target_path))
whatsupnix = \
if type whatsupnix >/dev/null 2>&1; then \
whatsupnix $(1); \
else \
cat; \
fi
build = \
nix-build \
-Q \
--no-out-link \
--show-trace \
-I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \
-E "with import <stockholm>; $(1)"
-E "with import <stockholm>; $(1)" \
$(2) \
|& $(call whatsupnix)
evaluate = \
nix-instantiate \
@ -66,7 +76,8 @@ evaluate = \
--show-trace \
-I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \
-E "let eval = import <stockholm>; in with eval; $(1)"
-E "let eval = import <stockholm>; in with eval; $(1)" \
$(2)
ifeq ($(MAKECMDGOALS),)
$(error No goals specified)
@ -84,11 +95,7 @@ deploy:
$(ssh) $(target_user)@$(target_host) -p $(target_port) \
env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \
nixos-rebuild -Q $(rebuild-command) --show-trace -I $(target_path) \
|& if type whatsupnix 2>/dev/null; then \
whatsupnix $(target_user)@$(target_host):$(target_port); \
else \
cat; \
fi
|& $(call whatsupnix,$(target_user)@$(target_host):$(target_port))
# usage: make populate system=foo
populate: populate-target = \
@ -126,10 +133,10 @@ install:
# usage: make test system=foo [target=bar] [method={eval,build}]
method ?= eval
ifeq ($(method),build)
test: command = nix-build --no-out-link
test: test = $(call build,$(1),$(2))
else
ifeq ($(method),eval)
test: command ?= nix-instantiate --eval --json --readonly-mode --strict
test: test ?= $(call evaluate,$(1),$(2)) --json --strict | jq -r .
else
$(error bad method: $(method))
endif
@ -141,6 +148,4 @@ else
test: wrapper = $(ssh) $(target_user)@$(target_host) -p $(target_port)
endif
test: populate
$(wrapper) \
$(command) --show-trace -I $(target_path) \
-A config.system.build.toplevel $(target_path)/stockholm
$(wrapper) $(call test,config.system.build.toplevel,-I $(target_path))
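Review bot: The new `build` macro ends in `|& $(call whatsupnix)`, which makes the recipe's exit status that of whatsupnix or of the `cat` fallback instead of nix-build's, so a failed build can be reported as success; the `deploy` recipe's `|& $(call whatsupnix,$(target_user)@...)` line has the same property, though it already behaved that way. Unless a `SHELL := bash` / `.SHELLFLAGS := -o pipefail -c` pair exists earlier in the Makefile (not visible here, but `|&` already requires bash), add one so the pipeline propagates nix-build's failure. After the `test` rule switches to `$(call test,...)`, the `test: command` assignments in the `method` blocks look unused as far as this hunk shows; if nothing else reads them they can go. The `test` rule and the `ifeq` chain start before the hunk.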


@ -0,0 +1,53 @@
# Commit Messages Guideline
Commits SHOULD have the following format:
```
<namespace?> <component>: <change>
<rationale>
(<reference-name>: <reference-id>)?
```
## `<namespace>`
Defines where the change took place. This can be omitted if the
namespace is `krebs`. Namespaces may be shortened to one to four characters (
lassulus -> lass, makefu -> make, tv -> tv, shared -> sha)
## `<component>`
Name of the component which was touched. `component` is
rather fuzzy and may mean different things, just choose what would fit best.
Here are a numbers of samples for defining the component:
* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum.r: change ip`
* Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO`
* Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>`
* Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type`
* Change host `gum` in `makefu/1systems/gum`: `ma gum.r: add taskserver`
* Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy`
## `<rationale>`
Describe some trivia why the commit was done:
```
whatsupnix: init
Import from https://github.com/NixOS/nix/issues/443#issuecomment-296752535
```
## `<reference>`
Defines external resouces related to the commit:
```
Closes: #123533
CVE: CVE-2016-00001
URL: https://example.com/CVE-2016-00001
```
## Remarks
As a general rule of thumb you can check out: https://www.slideshare.net/TarinGamberini/commit-messages-goodpractices
Of course the pattern not always fits perfectly (for example for refactoring),
just apply some common sense and define a useful commit message,
like `refactor krebs.setuid`.


@ -0,0 +1,17 @@
# install fileleech
```
builder$ python3 host.py --create-ssh-keys --create-passwords fileleech
iso$ fdisk /dev/sda # 3 partitions, grub,boot,crypt
iso$ cryptsetup luksFormat /dev/sda3 --cipher aes-xts-plain64 -s 512 -h sha512
iso$ cryptsetup luksAddKey /dev/sda3 hddkey
iso$ cryptsetup luksOpen --keyfile-size=4096 -d /dev/disk/by-id/usb-Intuix_DiskOnKey_09A07360336198F8-0:0 /dev/disk/by-id/ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3 luksroot
iso$ mkfs.ext4 -Lnixboot /dev/sda2
iso$ mkfs.ext4 -Lroot /dev/mapper/luksroot
iso$ echo 1 > /proc/sys/net/ipv6/conf/enp8s0f0/disable_ipv6
iso$ mount /dev/mapper/luksroot /mnt
iso$ mkdir /mnt/boot
iso$ mount /dev/sda2 /mnt/boot
iso$ mkdir -p /mnt/var/src
iso$ touch /mnt/var/src/.populate
```


@ -0,0 +1,16 @@
# transfer gum to new hosts
```
builder$ vim krebs/3modules/makefu/default.nix
## update ip
builder$ vim makefu/1systems/gum.nix
## update hardware config
old-gum$ rsync --progress -lprtvzF . <newip>:/mnt/
new-gum$ touch /mnt/var/src/.populate
new-gum$ gdisk /dev/sda r;g;w # gpt to mbr
builder$ make -C ~/stockholm system=gum target=vcygfnhdxyxr47zu.onion install
```


@ -24,4 +24,6 @@ with import <stockholm/lib>;
type = types.user;
};
};
config.krebs.build.source.stockholm.file = mkDefault (toString <stockholm>);
}


@ -308,7 +308,6 @@ with import <stockholm/lib>;
extraZones = {
"krebsco.de" = ''
wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de.
tinc IN A ${nets.internet.ip4.addr}
'';
};
@ -470,6 +469,7 @@ with import <stockholm/lib>;
wiki.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
nets = rec {


@ -60,6 +60,7 @@ let
description = "URL to watch.";
example = [
https://nixos.org/channels/nixos-unstable/git-revision
{ url = http://localhost ; filter = "grep:important.*stuff"; }
];
apply = map (x: getAttr (typeOf x) {
set = x;
@ -79,7 +80,8 @@ let
};
urlsFile = pkgs.writeText "urls"
(concatMapStringsSep "\n---\n" toJSON cfg.urls);
(concatMapStringsSep "\n---\n"
(x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls);
hooksFile = cfg.hooksFile;
@ -142,17 +144,6 @@ let
PrivateTmp = "true";
SyslogIdentifier = "urlwatch";
Type = "oneshot";
ExecStartPre =
pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
if ! test -e "$dataDir"; then
mkdir -m 0700 -p "$dataDir"
chown ${user.name}: "$dataDir"
fi
'';
ExecStart = pkgs.writeDash "urlwatch" ''
set -euf
@ -185,6 +176,8 @@ let
};
users.extraUsers = singleton {
inherit (user) name uid;
home = cfg.dataDir;
createHome = true;
};
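Review bot: The removed `ExecStartPre` created the data directory with `mkdir -m 0700` and a chown, while its replacement `createHome = true` on the user leaves the mode to the NixOS user-creation step, which the hunk does not show; I believe that also yields a 0700 home, but it is worth confirming because urlwatch's cache of fetched pages lives there. A comment on the new `home = cfg.dataDir;` line such as `# replaces the former ExecStartPre; the home dir is created on activation` would record why the prestart was dropped. The `let` bindings and the service definition start and end outside the hunk.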
};


@ -0,0 +1,15 @@
diff --git a/hier.c b/hier.c
index 5663ada..1d73b84 100644
--- a/hier.c
+++ b/hier.c
@@ -2,8 +2,8 @@
void hier()
{
- h(auto_home,-1,-1,02755);
- d(auto_home,"bin",-1,-1,02755);
+ h(auto_home,-1,-1,0755);
+ d(auto_home,"bin",-1,-1,0755);
c(auto_home,"bin","tcpserver",-1,-1,0755);
c(auto_home,"bin","tcprules",-1,-1,0755);
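Review bot: The patch changes the mode of `auto_home` and `auto_home/bin` from `02755` to `0755`, i.e. it drops the setgid bit, but neither the patch nor the derivation that applies it says why. Presumably the setgid bit cannot be carried into the Nix store (not shown here); a header line above the `diff --git` such as `# drop setgid (02755) from the install layout; not representable in the Nix store` would keep a later upstream bump from reverting it unknowingly. `hier()` continues past the hunk.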


@ -0,0 +1,86 @@
{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
name = "ucspi-tcp-0.88";
src = fetchurl {
url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz";
sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja";
};
# Plain upstream tarball doesn't build, get patches from Debian
patches = [
(fetchurl {
url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz";
sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6";
})
./chmod.patch
];
# Apply Debian patches
postPatch = ''
for fname in debian/diff/*.diff; do
echo "Applying patch $fname"
patch < "$fname"
done
'';
# The build system is weird; 'make install' doesn't install anything, instead
# it builds an executable called ./install (from C code) which installs
# binaries to the directory given on line 1 in ./conf-home.
#
# Also, assume getgroups and setgroups work, instead of doing a build time
# test that breaks on NixOS (I think because nixbld users lack CAP_SETGID
# capability).
preBuild = ''
echo "$out" > conf-home
echo "main() { return 0; }" > chkshsgr.c
'';
installPhase = ''
mkdir -p "$out/bin"
mkdir -p "$out/share/man/man1"
# run the newly built installer
./install
# Install Debian man pages (upstream has none)
cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1"
'';
meta = with stdenv.lib; {
description = "Command-line tools for building TCP client-server applications";
longDescription = ''
tcpserver waits for incoming connections and, for each connection, runs a
program of your choice. Your program receives environment variables
showing the local and remote host names, IP addresses, and port numbers.
tcpserver offers a concurrency limit to protect you from running out of
processes and memory. When you are handling 40 (by default) simultaneous
connections, tcpserver smoothly defers acceptance of new connections.
tcpserver also provides TCP access control features, similar to
tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules
are compiled into a hashed format with cdb, so it can easily deal with
thousands of different hosts.
This package includes a recordio tool that monitors all the input and
output of a server.
tcpclient makes a TCP connection and runs a program of your choice. It
sets up the same environment variables as tcpserver.
This package includes several sample clients built on top of tcpclient:
who@, date@, finger@, http@, tcpcat, and mconnect.
tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program
Interface, using the TCP protocol. UCSPI tools are available for several
different networks.
'';
homepage = http://cr.yp.to/ucspi-tcp.html;
license = licenses.publicDomain;
platforms = platforms.linux;
maintainers = [ maintainers.bjornfor ];
};
}
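Review bot: The Debian patch is fetched from `ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz`, a pool path that is pruned once a newer upload supersedes `0.88-3`; the sha256 pin keeps the plain-http fetch tamper-evident but does nothing for availability. Pointing `url` at a snapshot mirror, or noting `# pinned by sha256; pool URLs are pruned on new uploads` above `patches`, makes the fragility explicit. The same applies to the `src` tarball only insofar as `cr.yp.to` moves it, which is less likely.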


@ -17,25 +17,22 @@
# 2 Build error; at least one failed derivation could be found.
#
GAWK=${GAWK:-gawk}
NIX_STORE=${NIX_STORE:-nix-store}
failed_drvs=$(mktemp --tmpdir whatsupnix.XXXXXXXX)
trap 'rm -f -- "$failed_drvs"' EXIT
exec >&2
$GAWK -v failed_drvs="$failed_drvs" '
gawk -v failed_drvs="$failed_drvs" '
match($0, /^builder for (\/nix\/store\/[^]+\.drv) failed/, m) {
print m[1] >> failed_drvs
}
{ print $0 }
{ print $0; fflush("/dev/stdout") }
'
case $# in
0)
print_log() {
NIX_PAGER= $NIX_STORE -l "$1"
NIX_PAGER= nix-store -l "$1"
}
;;
1)
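Review bot: The new side replaces the `$GAWK` / `$NIX_STORE` overrides with bare `gawk` and `nix-store`, so the script now depends entirely on the caller's PATH; the Makefile in this same commit also runs `whatsupnix` on the deploy target over ssh, where the `type whatsupnix` probe succeeds but a missing gawk would then break the pipeline mid-stream. If the package that now ships the script wraps it with gawk and nix on PATH (not visible here) this is fine; otherwise guard it with `command -v gawk >/dev/null 2>&1 || exec cat` before the pipeline so output still passes through. The added `fflush("/dev/stdout")` is a good change since the output is a live pipe. The `case` statement continues past the hunk.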


@ -6,9 +6,9 @@ with import <stockholm/lib>;
../.
../2configs/retiolum.nix
../2configs/hw/tp-x220.nix
../2configs/baseX.nix
../2configs/git.nix
../2configs/exim-retiolum.nix
../2configs/baseX.nix
../2configs/browsers.nix
../2configs/programs.nix
../2configs/fetchWallpaper.nix
@ -22,9 +22,9 @@ with import <stockholm/lib>;
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
loader.grub.enableCryptodisk = true;
loader.grub.efiSupport = true;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
@ -34,11 +34,14 @@ with import <stockholm/lib>;
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
"/boot" = {
device = "/dev/sda2";
};
#"/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
#};
"/home" = {
device = "/dev/mapper/pool-home";
fsType = "btrfs";
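Review bot: The `/bku` mount is kept as a commented-out block (`#"/bku" = { … };`) rather than deleted, and the same block appears in the second host file of this commit. Git history already preserves the old definition, so deleting it, or replacing it with a one-line `# /bku (pool-bku) currently unmounted` if it is expected to return, keeps the `fileSystems` set readable. The `fileSystems` attribute set continues past the hunk.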


@ -96,49 +96,30 @@ with import <stockholm/lib>;
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
loader.grub.efiSupport = true;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
fileSystems = {
"/" = {
device = "/dev/big/nix";
fsType = "ext4";
device = "/dev/mapper/pool-root";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
device = "/dev/sda2";
};
"/mnt/loot" = {
device = "/dev/big/loot";
fsType = "ext4";
};
#"/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
#};
"/home" = {
device = "/dev/big/home";
fsType = "ext4";
};
"/home/lass" = {
device = "/dev/big/home-lass";
fsType = "ext4";
};
"/home/games/.local/share/Steam" = {
device = "/dev/big/steam";
fsType = "ext4";
};
"/home/virtual/virtual" = {
device = "/dev/big/virtual";
fsType = "ext4";
};
"/mnt/conf" = {
device = "/dev/big/conf";
fsType = "ext4";
device = "/dev/mapper/pool-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/tmp" = {
device = "tmpfs";


@ -229,6 +229,10 @@ in {
OnUnitInactiveSec = "2min";
RandomizedDelaySec = "2min";
};
krebs.repo-sync.repos.nixpkgs.timerConfig = {
OnBootSec = "90min";
OnUnitInactiveSec = "24h";
};
}
{
lass.usershadow = {


@ -13,6 +13,7 @@ with import <stockholm/lib>;
../2configs/programs.nix
../2configs/fetchWallpaper.nix
../2configs/backups.nix
../2configs/wine.nix
#{
# users.extraUsers = {
# root = {


@ -56,51 +56,6 @@ in {
mode='full'
)
# TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
"LOGNAME": "lass",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_makefu = {
"LOGNAME": "makefu",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_nin = {
"LOGNAME": "nin",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_shared = {
"LOGNAME": "shared",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_tv = {
"LOGNAME": "tv",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [
"gnumake",
"jq",
"nix",
"(import <stockholm>).pkgs.populate",
"openssh"
]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = [
"nix-shell",
"-I", "/var/src",
"-I", "stockholm=.",
"-p"
] + deps + [ "--run" ]
# prepare addShell function
def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs))
@ -110,30 +65,35 @@ in {
f = util.BuildFactory()
f.addStep(grab_repo)
def build_host(env, host):
addShell(f,name="build-{}".format(i),env=env,
command=nixshell + ["mkdir -p $HOME/$LOGNAME && touch $HOME/$LOGNAME/.populate; \
echo $HOME; echo $LOGNAME; \
test -e $HOME/$LOGNAME/nixpkgs || cp -r /var/src/nixpkgs $HOME/$LOGNAME/; \
make NIX_PATH=$HOME/$LOGNAME:secrets=/var/src/stockholm/null test method=build \
target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME \
system={}".format(host)]
def build_host(user, host):
addShell(f,
name="{}".format(i),
env={
"LOGNAME": user,
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
},
command=[
"nix-shell", "--run",
"test --system={} --target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME".format(host)
]
)
for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]:
build_host(env_tv, i)
for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]:
build_host(env_lass, i)
build_host("lass", i)
for i in [ "x", "wry", "vbob", "wbob", "shoney" ]:
build_host(env_makefu, i)
build_host("makefu", i)
for i in [ "hiawatha", "onondaga" ]:
build_host(env_nin, i)
build_host("nin", i)
for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]:
build_host(env_shared, i)
build_host("shared", i)
for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]:
build_host("tv", i)
bu.append(
util.BuilderConfig(
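Review bot: In the new `build_host(user, host)` the step name is `name="{}".format(i)`, which reads the loop variable `i` from the enclosing scope instead of the `host` parameter; it only works because every caller happens to pass `i` as `host`, and a direct call or a renamed loop variable would silently mislabel the step. Use `name=host,` instead. `host` is also interpolated unquoted into the `nix-shell --run` string, which is fine while the values come from the literal lists below, as they do here. The factory setup starts before the hunk.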


@ -79,7 +79,6 @@ with import <stockholm/lib>;
if getEnv "dummy_secrets" == "true"
then toString <stockholm/lass/2configs/tests/dummy-secrets>
else "/home/lass/secrets/${host.name}";
stockholm.file = getEnv "PWD";
};
};
};


@ -32,6 +32,8 @@ with import <stockholm/lib>;
{ from = "feed@lassul.us"; to = lass.mail; }
{ from = "art@lassul.us"; to = lass.mail; }
{ from = "irgendwas@lassul.us"; to = lass.mail; }
{ from = "polo@lassul.us"; to = lass.mail; }
{ from = "shack@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }


@ -48,6 +48,8 @@ let
set use_from=yes
set envelope_from=yes
set sort=threads
set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?"
virtual-mailboxes \


@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://cgit.lassul.us/nixpkgs;
ref = "4847963";
ref = "2e983f1";
};
}


@ -61,6 +61,11 @@ in {
"karlaskop.ubikmedia.de"
"nb.ubikmedia.de"
"youthtube.ubikmedia.de"
"weirdwednesday.ubikmedia.de"
"weirdwednesday.de"
"www.weirdwednesday.de"
"freemonkey.ubikmedia.de"
"jarugadesign.ubikmedia.de"
])
];


@ -19,14 +19,15 @@ pkgs.writeText "init" ''
disk=${disk}
luksdev=${disk}2
luksdev=${disk}3
luksmap=/dev/mapper/${luksmap}
vgname=${vgname}
bootdev=/dev/sda2
rootdev=/dev/mapper/${vgname}-root
homedev=/dev/mapper/${vgname}-home
bkudev=/dev/mapper/${vgname}-bku
#
#generate keyfile
@ -49,7 +50,8 @@ pkgs.writeText "init" ''
mklabel gpt \
mkpart no-fs 0 1024KiB \
set 1 bios_grub on \
mkpart primary 1025KiB 100%
mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \
mkpart primary 1025MiB 100%
fi
if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then
@ -78,9 +80,8 @@ pkgs.writeText "init" ''
lvchange -a y /dev/mapper/"$vgname"
if ! test -e "$rootdev"; then lvcreate -L 100G -n root "$vgname"; fi
if ! test -e "$homedev"; then lvcreate -L 100G -n home "$vgname"; fi
if ! test -e "$bkudev"; then lvcreate -L 200G -n bku "$vgname"; fi
if ! test -e "$rootdev"; then lvcreate -L 7G -n root "$vgname"; fi
if ! test -e "$homedev"; then lvcreate -L 100M -n home "$vgname"; fi
# lvchange -a n "$vgname"
@ -89,6 +90,10 @@ pkgs.writeText "init" ''
# formatting
#
if ! test "$(blkid -o value -s TYPE "$bootdev")" = vfat; then
mkfs.vfat "$bootdev"
fi
if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
mkfs.btrfs "$rootdev"
fi
@ -97,22 +102,18 @@ pkgs.writeText "init" ''
mkfs.btrfs "$homedev"
fi
if ! test "$(blkid -o value -s TYPE "$bkudev")" = btrfs; then
mkfs.btrfs "$bkudev"
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then
mount "$rootdev" /mnt
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then
mkdir -m 0000 -p /mnt/boot
mount "$bootdev" /mnt/boot
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then
mkdir -m 0000 -p /mnt/home
mount "$homedev" /mnt/home
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$bkudev")" = /mnt/bku; then
mkdir -m 0000 -p /mnt/bku
mount "$bkudev" /mnt/bku
fi
# umount -R /mnt
@ -122,6 +123,7 @@ pkgs.writeText "init" ''
nix-env -iA nixos.git
# TODO: get sentinal file from target_path
mkdir -p /mnt/var/src
touch /mnt/var/src/.populate
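Review bot: `bootdev=/dev/sda2` is hard-coded while the neighbouring `luksdev=${disk}3` is derived from the `disk` argument, so a run against a different disk could format and mount the wrong device as /boot; make it `bootdev=${disk}2`. The home volume also shrinks from `100G` to `100M` in the new `lvcreate` line — if that is intentional for a small test layout a comment saying so would help, otherwise it reads like a unit typo. The generated script continues on both sides of these hunks.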


@ -24,7 +24,10 @@ in {
# ../2configs/disable_v6.nix
../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix
../2configs/urlwatch
# Security
../2configs/sshd-totp.nix
# Tools
../2configs/tools/core.nix


@ -8,14 +8,23 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui
../2configs/sshd-totp.nix
# Tools
../2configs/tools/core.nix
../2configs/tools/core-gui.nix
../2configs/tools/dev.nix
../2configs/tools/extra-gui.nix
../2configs/tools/sec.nix
# environment
../2configs/tinc/retiolum.nix
../2configs/audio/jack-on-pulse.nix
../2configs/audio/realtime-audio.nix
];
networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
# workaround for https://github.com/NixOS/nixpkgs/issues/16641
services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
nixpkgs.config.allowUnfree = true;
fileSystems."/nix" = {


@ -13,61 +13,56 @@ with import <stockholm/lib>;
../2configs/tools/all.nix
../2configs/laptop-backup.nix
../2configs/dnscrypt.nix
../2configs/avahi.nix
# testing
# ../2configs/openvpn/vpngate.nix
#../2configs/temp/share-samba.nix
# ../2configs/mediawiki.nix
# ../2configs/wordpress.nix
# ../2configs/nginx/public_html.nix
# ../2configs/nginx/icecult.nix
# ../2configs/elchos/irc-token.nix
# ../2configs/elchos/log.nix
#../2configs/elchos/search.nix
#../2configs/elchos/stats.nix
#../2configs/elchos/test/ftpservers.nix
# ../2configs/tinc/siem.nix
#../2configs/torrent.nix
# temporary modules
# ../2configs/torrent.nix
#../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix
# Debugging
# ../2configs/disable_v6.nix
# Testing
# ../2configs/lanparty/lancache.nix
# ../2configs/lanparty/lancache-dns.nix
# ../2configs/deployment/dirctator.nix
# ../2configs/vncserver.nix
# ../2configs/deployment/led-fader
# ../2configs/deployment/hound
# development
../2configs/sources
# Krebs
# ../2configs/disable_v6.nix
../2configs/tinc/retiolum.nix
# applications
../2configs/exim-retiolum.nix
../2configs/mail-client.nix
../2configs/printer.nix
../2configs/virtualization.nix
../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix
../2configs/rad1o.nix
../2configs/task-client.nix
# services
# Virtualization
../2configs/virtualization.nix
../2configs/docker.nix
../2configs/virtualization-virtualbox.nix
# Services
../2configs/git/brain-retiolum.nix
../2configs/tor.nix
../2configs/steam.nix
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here
# Hardware
../2configs/hw/tp-x230.nix
../2configs/hw/rtl8812au.nix
../2configs/hw/stk1160.nix
../2configs/hw/exfat-nofuse.nix
../2configs/hw/wwan.nix
# ../2configs/hw/stk1160.nix
# ../2configs/rad1o.nix
# mount points
# Filesystem
../2configs/fs/sda-crypto-root-home.nix
# Security
../2configs/sshd-totp.nix
];
makefu.server.primary-itf = "wlp3s0";
@ -76,10 +71,8 @@ with import <stockholm/lib>;
nixpkgs.config.allowUnfree = true;
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
environment.systemPackages = [ pkgs.passwdqc-utils ];
virtualisation.docker.enable = true;
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;


@ -11,7 +11,10 @@ in
package = pulse;
};
environment.systemPackages = with pkgs; [ jack2Full ];
environment.systemPackages = with pkgs; [
jack2Full
jack_capture
];
# from http://anderspapitto.com/posts/2015-11-26-overtone-on-nixos-with-jack-and-pulseaudio.html
systemd.user.services = {


@ -10,7 +10,7 @@ in
musnix.enable = true;
musnix.kernel.optimize = true;
musnix.kernel.realtime = true;
# TODO: musnix.kernel.packages = pkgs.linuxPackages_latest_rt;
musnix.kernel.packages = pkgs.linuxPackages_latest_rt;
users.users."${user}".extraGroups = [ "audio" ];
}


@ -22,7 +22,7 @@ with import <stockholm/lib>;
user = config.krebs.users.makefu;
source = let
inherit (config.krebs.build) host user;
ref = "7a7c39c"; # unstable @ 2017-05-09 + graceful requests2 + logstash5
ref = "06734d1"; # unstable @ 2017-07-03 + graceful requests2 (a772c3aa)
in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
{


@ -25,6 +25,10 @@ in {
stdout { codec => rubydebug }
exec { command => "${runit} '%{message}" }
'';
plugins = [ ];
extraSettings = ''
path.plugins: [ "${pkgs.logstash-output-exec}" ]
'';
## NameError: `@path.plugins' is not allowable as an instance variable name
# plugins = [ pkgs.logstash-output-exec ];
};
}


@ -31,6 +31,7 @@ in {
};
# after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
# User = "nobody"; # need a user with permissions to run nix-shell
ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json";
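Review bot: `after = [ "network-online.target" ];` does not order the unit after the network unless something also pulls that target in; systemd only activates network-online.target when a unit Wants it, so add `wants = [ "network-online.target" ];` beside it. The `dns-lancache-prepare` unit added elsewhere in this commit has the same `after` without `wants`. The unit definition continues outside the hunk.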


@ -0,0 +1,4 @@
{...}:
{
virtualisation.docker.enable = true;
}


@ -0,0 +1,4 @@
{ config, ... }:
{
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
}


@ -1,9 +1,8 @@
{ pkgs, ... }:
{
# TODO: un-pin linuxPackages somehow
boot.kernelPackages = builtins.trace "Warning: overriding kernel Packages with 4.9" pkgs.linuxPackages_4_9;
nixpkgs.config.packageOverrides = pkgs: {
linux_4_9 = pkgs.linux_4_9.override {
linux_latest = pkgs.linux_latest.override {
extraConfig = ''
MEDIA_ANALOG_TV_SUPPORT y
VIDEO_STK1160_COMMON m
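Review bot: The override now targets `linux_latest`, while `realtime-audio.nix` in this same commit switches the host kernel to `pkgs.linuxPackages_latest_rt`; whether that package is derived from `linux_latest` is not visible here, and if it is not, a host importing both configs would boot a kernel without `VIDEO_STK1160`. Once confirmed, a comment above the override such as `# affects linux_latest only; the musnix rt kernel is a separate attribute` makes the coupling explicit. The `packageOverrides` set continues past the hunk.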


@ -44,8 +44,7 @@ with import <stockholm/lib>;
'';
# enable HDMI output switching with pulseaudio
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
hardware.pulseaudio.extraConfig = ''
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
'';


@ -0,0 +1,55 @@
{ pkgs, lib, config, ... }:
with import <stockholm/lib>;
let
# see https://github.com/zeropingheroes/lancache for full docs
lancache-dns = pkgs.stdenv.mkDerivation rec {
name = "lancache-dns-2017-06-28";
src = pkgs.fetchFromGitHub {
# forked: https://github.com/zeropingheroes/lancache-dns
repo = "lancache-dns";
owner = "zeropingheroes";
rev = "420aa62";
sha256 = "0ik7by7ripdv2avyy5kk9jp1i7rz9ksc8xmg7n9iik365q9pv94m";
};
phases = [ "unpackPhase" "installPhase" ];
# here we can chance to edit `includes/proxy-cache-paths.conf`
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
};
stateDir = "/var/lib/unbound";
user = "unbound";
upstream-server = "8.8.8.8";
in {
services.unbound = {
enable = true;
allowedAccess = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
interfaces = ["0.0.0.0" "::" ];
forwardAddresses = [ upstream-server ];
extraConfig = ''
include: "${stateDir}/lancache/*.conf"
'';
};
services.dnscrypt-proxy.enable = lib.mkForce false;
virtualisation.libvirtd.enable = lib.mkForce false;
systemd.services.dns-lancache-prepare = {
wantedBy = [ "unbound.service" ];
before = [ "unbound.service" ];
after = [ "network-online.target" ];
partOf= [ "unbound.service" ];
path = [ pkgs.gawk pkgs.iproute pkgs.gnused ];
script = ''
set -xeu
current_ip=$(ip route get 8.8.8.8 | awk '/8.8.8.8/ {print $NF}')
old_ip=10.1.1.250
mkdir -p ${stateDir}
rm -rvf ${stateDir}/lancache
cp -r ${lancache-dns}/upstreams-available ${stateDir}/lancache
sed -i "s/$old_ip/$current_ip/g" ${stateDir}/lancache/*.conf
chown -R unbound ${stateDir}
'';
};
networking.firewall.allowedUDPPorts = [ 53 ];
}
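Review bot: The `let` binding `user = "unbound"` is never used — the prepare script spells the name out in `chown -R unbound ${stateDir}` — so the two can drift; write `chown -R ${user} ${stateDir}`. Unbound listens on `0.0.0.0`/`::` and UDP 53 is opened for every interface, so the `allowedAccess` RFC1918 list is the only thing keeping this forwarder from answering non-LAN clients; restricting `interfaces` or the firewall rule to the LAN interface adds a second check. `sed -i "s/$old_ip/$current_ip/g"` treats the dots in `10.1.1.250` as wildcards; harmless for the shipped files but worth escaping.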


@ -0,0 +1,74 @@
{ pkgs, lib, config, ... }:
with import <stockholm/lib>;
let
# see https://github.com/zeropingheroes/lancache for full docs
lancache= pkgs.stdenv.mkDerivation rec {
name = "lancache-2017-06-26";
src = pkgs.fetchFromGitHub {
# origin: https://github.com/multiplay/lancache
# forked: https://github.com/zeropingheroes/lancache
repo = "lancache";
owner = "zeropingheroes";
rev = "143f7bb";
sha256 = "1ra4l7qz3k231j5wabr89s5hh80n1kk8vgd3dsh0xx5mdpjhvdl6";
};
phases = [ "unpackPhase" "installPhase" ];
# here we can chance to edit `includes/proxy-cache-paths.conf`
installPhase = ''
mkdir -p $out
cp -r * $out/
sed -i -e 's/^\(user\).*/\1 ${cfg.user} ${cfg.group};/' \
-e '1 idaemon off;' \
$out/nginx.conf
'';
};
cfg = {
group = "nginx-lancache";
user = "nginx-lancache";
statedir = "/var/lancache";
package = pkgs.stdenv.lib.overrideDerivation pkgs.nginx (old:{
configureFlags = old.configureFlags ++ [
"--with-http_slice_module"
"--with-stream"
"--with-pcre"
];
});
};
in {
systemd.services.nginx-lancache = {
description = "Nginx lancache Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
preStart = ''
mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
PATH_CACHE=$PATH_BASE/cache
PATH_LOGS=$PATH_BASE/logs
mkdir -p cache/{installers,tmp} logs
rm -f conf; ln -s ${lancache} conf
chown -R ${cfg.user}:${cfg.group} .
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "10s";
StartLimitInterval = "1min";
};
};
environment.etc.nginx.source = lancache;
users.extraUsers = (singleton
{ name = cfg.user;
group = cfg.group;
uid = genid cfg.group;
});
users.extraGroups = (singleton
{ name = "${cfg.group}";
gid = genid cfg.group;
});
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
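Review bot: `PATH_CACHE` and `PATH_LOGS` in `preStart` are derived from `$PATH_BASE`, which is never set, and neither variable is used afterwards; drop the two lines or define `PATH_BASE=${cfg.statedir}` if later steps are meant to use them. The service opens TCP 80/443 on all interfaces while the companion `lancache-dns` config restricts answers to RFC1918 ranges; aligning the two keeps the cache LAN-only. `environment.etc.nginx.source = lancache;` exposes the same tree that `conf` symlinks into the state dir — presumably for inspection, but a comment would say so.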


@ -1,6 +1,6 @@
{
krebs.build.source.musnix.git = {
url = https://github.com/musnix/musnix.git;
ref = "37a8378";
ref = "f0ec1f3";
};
}


@ -0,0 +1,18 @@
{ pkgs, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
# TODO assert existing
usersFile = (toString <secrets>) + "/users.oath";
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}
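Review bot: The usage comment tells the reader to `chmod 700` the `users.oath` seed file; for a secrets file 600 is the right mode (700 only adds an execute bit), so change the line to `## copy last line into secrets/<host>/users.oath (chmod 600)`. `usersFile = (toString <secrets>) + "/users.oath"` deliberately stringifies the path so the seed file is referenced in place rather than copied into the world-readable store, which an interpolated `"${<secrets>}/users.oath"` would do — a comment stating that would stop a later "cleanup". With `security.pam.oath.enable` left commented out only sshd gets the second factor, as the last comment already says.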


@ -0,0 +1,14 @@
{ pkgs, ... }:
{
krebs.per-user.makefu.packages = [
pkgs.taskwarrior
];
environment.shellAliases = {
tshack = "task project:shack";
twork = "task project:soc";
tpki = "task project:pki";
tkrebs = "task project:krebs";
t = "task project: ";
};
}


@ -12,5 +12,8 @@
cac-api
cac-panel
ovh-zone
whatsupnix
brain
gen-oath-safe
];
}


@ -2,13 +2,16 @@
{
krebs.per-user.makefu.packages = with pkgs;[
# media
gimp
inkscape
libreoffice
saleae-logic
skype
synergy
tdesktop
virtmanager
# Dev
saleae-logic
arduino-user-env
];
}


@ -1,27 +0,0 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/Mic92/vicious/tags
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://github.com/amadvance/snapraid/releases.atom
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/dorimanx/exfat-nofuse/commits
https://api.github.com/repos/dorimanx/exfat-nofuse/tags
https://api.github.com/repos/radare/radare2/tags
https://api.github.com/repos/rapid7/metasploit-framework/tags
];
};
}


@ -0,0 +1,45 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
hooksFile = ./hook.py;
urls = [
## nixpkgs maintenance
# github
## No rate limit
https://github.com/amadvance/snapraid/releases.atom
https://github.com/radare/radare2/releases.atom
https://github.com/ovh/python-ovh/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/Mic92/vicious/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/dorimanx/exfat-nofuse/releases.atom
https://github.com/rapid7/metasploit-framework/releases.atom
## rate limited
# https://api.github.com/repos/dorimanx/exfat-nofuse/commits
# https://api.github.com/repos/mcepl/gen-oath-safe/commits
https://api.github.com/repos/naim94a/udpt/commits
https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
# pypi
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/devpi-client/
# weird shit
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
{
url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
filter = "grep:Software/Linux/dymo-cups-drivers";
}
# TODO: dymo cups
];
};
}
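Review bot: `https://github.com/embray/d2to1/releases.atom` appears twice in `urls` (again right after the vicious feed), so every run fetches and diffs it twice; drop one. The cvs2svn entry embeds `guest:derpi@` in the URL, as the deleted version of this file did — fine for a public guest login, but a comment marking it as such avoids it being mistaken for a real credential later.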


@ -0,0 +1,16 @@
import logging
logging.basicConfig(level=logging.INFO)
log = logging.getLogger()
log.setLevel(level=logging.INFO)
import re
import json
from urlwatch import filters
class JsonFilter(filters.RegexMatchFilter):
MATCH = {'url': re.compile('https?://api.github.com/.*')}
def filter(self, data):
return json.dumps(json.loads(data),indent=2,sort_keys=True)
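Review bot: `filter` assumes every body fetched from api.github.com is JSON; a rate-limit or gateway error page that is not JSON makes `json.loads` raise, so depending on how urlwatch handles filter exceptions the job surfaces as an error instead of showing the error page as a diff. Catch `ValueError` (which covers `JSONDecodeError`) and return the data unchanged. The dots in the `MATCH` pattern are unescaped, so it also matches hosts like `apixgithub.com`; the URLs come from your own configuration, so this is harmless, but `r'https?://api\.github\.com/.*'` states the intent. The logging level is set twice (`basicConfig(level=…)` then `log.setLevel`); one is enough.
```python
class JsonFilter(filters.RegexMatchFilter):
    MATCH = {'url': re.compile(r'https?://api\.github\.com/.*')}

    def filter(self, data):
        # Pretty-print and key-sort API JSON so diffs are stable across runs.
        try:
            return json.dumps(json.loads(data), indent=2, sort_keys=True)
        except ValueError:
            # Non-JSON body (e.g. an HTML error page): report it unchanged.
            return data
```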


@ -0,0 +1,35 @@
{ lib, pkgs, ... }: let
#TODO: make sure env exists prior to running
env_nix = pkgs.writeText "env.nix" ''
{ pkgs ? import <nixpkgs> {} }:
(pkgs.buildFHSUserEnv {
name = "arduino-user-env";
targetPkgs = pkgs: with pkgs; [
coreutils
];
multiPkgs = pkgs: with pkgs; [
arduino
alsaLib
zlib
xorg.libXxf86vm
curl
openal
openssl_1_0_2
xorg.libXext
xorg.libX11
xorg.libXrandr
xorg.libXcursor
xorg.libXinerama
xorg.libXi
mesa_glu
];
runScript = "zsh";
}).env
'';
in pkgs.writeDashBin "arduino-user-env" ''
nix-shell ${env_nix}
''
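Review bot: `nix-shell ${env_nix}` evaluates `import <nixpkgs> {}` from whatever `NIX_PATH` the caller has at run time, so the arduino toolchain and the `openssl_1_0_2` inside the FHS env are not the pinned set this wrapper was built from and can differ from machine to machine; the TODO at the top seems to circle this. Passing the build-time set explicitly, e.g. `nix-shell ${env_nix} --arg pkgs 'import ${pkgs.path} {}'`, pins it (confirm `pkgs.path` is exposed by the pinned nixpkgs). `runScript = "zsh"` also relies on zsh being reachable from the host PATH inside the FHS chroot, since it is in neither `targetPkgs` nor `multiPkgs`; adding `zsh` to `targetPkgs` makes that explicit. The `openssl_1_0_2` pin deserves a comment naming which component still needs the 1.0 API, so it can be removed once that branch stops receiving fixes.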


@ -0,0 +1,37 @@
{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
stdenv.mkDerivation {
name = "geno-oath-safe-2017-06-30";
src = fetchFromGitHub {
owner = "mcepl";
repo = "gen-oath-safe";
rev = "fb53841";
sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
};
phases = [
"unpackPhase"
"installPhase"
"fixupPhase"
];
buildInputs = [ makeWrapper ];
installPhase =
let
path = stdenv.lib.makeBinPath [
coreutils
openssl
qrencode
yubikey-manager
libcaca
python
];
in
''
mkdir -p $out/bin
cp gen-oath-safe $out/bin/
wrapProgram $out/bin/gen-oath-safe \
--prefix PATH : ${path}
'';
}
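Review bot: The derivation name on the second line reads `geno-oath-safe-2017-06-30` while the repository, binary and attribute are `gen-oath-safe`; fix the typo so package queries and logs match. `rev = "fb53841"` is an abbreviated commit id; the `sha256` still pins the content, but an abbreviated ref can become ambiguous as the upstream repository grows and the fetch then fails, so record the full 40-character hash. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs` rather than `buildInputs`. Since the wrapped script appears to handle OATH seeds, a short comment at the `path` list noting that `openssl` and `qrencode` are the tools that see the secret would help whoever updates the dependencies later.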


@ -11,7 +11,7 @@ with import <stockholm/lib>;
nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
ref = "58e227052d40021d82d015f3f8da011ae54ea430"; # nixos-17.03 @ 2017-05-24
ref = "72c9ed78d0b1d9d5f531805ddf5bf06bfd447614"; # nixos-17.03 @ 2017-06-17
};
secrets.file =
if getEnv "dummy_secrets" == "true"

186
shell.nix Normal file

@ -0,0 +1,186 @@
let
lib = import ./lib;
pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; };
# usage: deploy --system=SYSTEM [--target=TARGET]
cmds.deploy = pkgs.writeDash "cmds.deploy" ''
set -efu
command=deploy
. ${init.args}
\test -n "''${target-}" || target=$system
. ${init.env}
exec ${utils.deploy}
'';
# usage: test --system=SYSTEM --target=TARGET
cmds.test = pkgs.writeDash "cmds.test" /* sh */ ''
set -efu
command=test
. ${init.args}
. ${init.env}
export dummy_secrets=true
exec ${utils.build} config.system.build.toplevel
'';
init.args = pkgs.writeText "init.args" /* sh */ ''
args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \
-o s:t: \
-l system:,target: \
-- "$@")
if \test $? != 0; then exit 1; fi
eval set -- "$args"
while :; do case $1 in
-s|--system) system=$2; shift 2;;
-t|--target) target=$2; shift 2;;
--) shift; break;;
esac; done
for arg; do echo "$command: bad argument: $arg" >&2; done
if \test $# != 0; then exit 2; fi
'';
init.env = pkgs.writeText "init.env" /* sh */ ''
config=''${config-$LOGNAME/1systems/$system.nix}
export config
export system
export target
export target_object="$(${init.env.parsetarget} $target)"
export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
if \test "''${using_proxy-}" != true; then
${init.env.populate}
if \test "$target_local" != true; then
exec ${init.env.proxy} "$command" "$@"
fi
fi
'' // {
parsetarget = pkgs.writeDash "init.env.parsetarget" ''
set -efu
exec ${pkgs.jq}/bin/jq \
-enr \
--arg target "$1" \
-f ${init.env.parsetarget.jq}
'' // {
jq = pkgs.writeText "init.env.parsetarget.jq" ''
def when(c; f): if c then f else . end;
def capturesDef(i; v): .captures[i].string | when(. == null; v);
$target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: capturesDef(0; "root"),
host: capturesDef(1; env.system),
port: capturesDef(2; "22"),
path: capturesDef(3; "/var/src"),
} | . + {
local: (.user == env.LOGNAME and .host == env.HOSTNAME),
}
'';
};
populate = pkgs.writeDash "init.env.populate" ''
set -efu
${pkgs.nix}/bin/nix-instantiate \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
-I nixos-config="$config" \
-E 'with import <stockholm>; config.krebs.build.source' \
|
${pkgs.populate}/bin/populate \
"$target_user@$target_host:$target_port$target_path" \
>&2
'';
proxy = pkgs.writeDash "init.env.proxy" ''
set -efu
q() {
${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"'
}
exec ${pkgs.openssh}/bin/ssh \
"$target_user@$target_host" -p "$target_port" \
cd "$target_path/stockholm" \; \
NIX_PATH=$(q "$target_path") \
STOCKHOLM_VERSION=$STOCKHOLM_VERSION \
nix-shell \
--command $(q \
config=$config \
system=$system \
target=$target \
using_proxy=true \
"$*"
)
'';
};
utils.build = pkgs.writeDash "utils.build" ''
set -efu
${pkgs.nix}/bin/nix-build \
-Q \
--no-out-link \
--show-trace \
-E "with import <stockholm>; $1" \
-I "$target_path" \
2>&1 |
${pkgs.whatsupnix}/bin/whatsupnix
'';
utils.deploy = pkgs.writeDash "utils.deploy" ''
set -efu
PATH=/run/current-system/sw/bin nixos-rebuild switch \
-Q \
--show-trace \
-I "$target_path" \
2>&1 |
${pkgs.whatsupnix}/bin/whatsupnix
'';
shell.get-version = pkgs.writeDash "shell.get-version" ''
set -efu
version=git.$(${pkgs.git}/bin/git describe --always --dirty)
case $version in (*-dirty)
version=$version@$HOSTNAME
esac
date=$(${pkgs.coreutils}/bin/date +%y.%m)
echo "$date.$version"
'';
shell.cmdspkg = pkgs.writeOut "shell.cmdspkg" (lib.mapAttrs' (name: link:
lib.nameValuePair "/bin/${name}" { inherit link; }
) cmds);
in pkgs.stdenv.mkDerivation {
name = "stockholm";
shellHook = /* sh */ ''
export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}"
export PATH=${lib.makeBinPath [
shell.cmdspkg
]}
eval "$(declare -F | ${pkgs.gnused}/bin/sed s/declare/unset/)"
shopt -u no_empty_cmd_completion
unalias -a
enable -n \
. [ alias bg bind break builtin caller cd command compgen complete \
compopt continue dirs disown eval exec false fc fg getopts hash \
help history jobs kill let local logout mapfile popd printf pushd \
pwd read readarray readonly shift source suspend test times trap \
true typeset ulimit umask unalias wait
exitHandler() {
:
}
export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${shell.get-version})}"
PS1='\[\e[38;5;162m\]\w\[\e[0m\] '
'';
}
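Review bot: In `init.env.proxy` the remote command is assembled from separately quoted words, but only `NIX_PATH=$(q "$target_path")` goes through `q`; `cd "$target_path/stockholm"` is quoted for the local shell only, and ssh joins its arguments with spaces for the remote shell to re-parse, so a `--target` path containing whitespace or shell metacharacters breaks — or rewrites — the remote command. Quote it the same way as the rest: `cd $(q "$target_path/stockholm") \;` and `STOCKHOLM_VERSION=$(q "$STOCKHOLM_VERSION")`. The values come from your own command line, so this is robustness rather than an exposure, but it keeps one quoting discipline in the one place that crosses a trust boundary. Separately, the `enable -n …` list in `shellHook` leaves `enable` itself available, so any disabled builtin returns with `enable test`; it is a guard against typing plain shell at this prompt, not a security boundary, and a comment saying so (`# convenience only: 'enable NAME' restores any builtin`) would prevent it being relied on as one.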


@ -58,7 +58,7 @@ with import <stockholm/lib>;
krebs.build = {
host = config.krebs.hosts.alnus;
user = mkForce config.krebs.users.dv;
source.nixpkgs.git.ref = mkForce "e924319cb6c74aa2a9c943eddeb0caef79db01bc";
source.nixpkgs.git.ref = mkForce "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
};
networking.networkmanager.enable = true;


@ -25,7 +25,6 @@ with import <stockholm/lib>;
};
environment.systemPackages = with pkgs; [
htop
iftop
iotop
iptables


@ -79,15 +79,12 @@ with import <stockholm/lib>;
gimp
xsane
firefoxWrapper
chromiumDev
chromium
skype
libreoffice
kde4.l10n.de
kde4.plasma-nm
pidgin-with-plugins
pidginotr
kde4.print_manager
#foomatic_filters
#gutenprint
#cups_pdf_filter
@ -101,7 +98,7 @@ with import <stockholm/lib>;
security.wrappers = {
sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
slock.slock = "${pkgs.slock}/bin/slock";
slock.source = "${pkgs.slock}/bin/slock";
};
security.pam.loginLimits = [
@ -138,7 +135,9 @@ with import <stockholm/lib>;
twoFingerScroll = true;
};
services.xserver.desktopManager.kde4.enable = true;
services.xserver.desktopManager.plasma5 = {
enable = true;
};
services.xserver.displayManager.auto = {
enable = true;
user = "vv";


@ -31,7 +31,6 @@ with import <stockholm/lib>;
get
gnupg1compat
haskellPackages.hledger
htop
jq
mkpasswd
netcat


@ -34,7 +34,6 @@ with import <stockholm/lib>;
file
gnupg1compat
haskellPackages.hledger
htop
jq
krebszones
mkpasswd


@ -36,7 +36,6 @@ with import <stockholm/lib>;
file
gnupg1compat
haskellPackages.hledger
htop
jq
mkpasswd
netcat


@ -1,20 +1,20 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
{ config, lib, pkgs, ... }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "tv";
in {
krebs.enable = true;
krebs.build = {
user = config.krebs.users.tv;
source = let inherit (config.krebs.build) host; in {
nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix";
secrets.file =
if getEnv "dummy_secrets" == "true"
then toString <stockholm/tv/dummy_secrets>
else "/home/tv/secrets/${host.name}";
secrets.file = getAttr builder {
buildbot = toString <stockholm/tv/dummy_secrets>;
tv = "/home/tv/secrets/${host.name}";
};
secrets-common.file = "/home/tv/secrets/common";
stockholm.file = "/home/tv/stockholm";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
ref = "412b0a17aa2975e092c7ab95a38561c5f82908d4"; # nixos-17.03
@ -158,9 +158,10 @@ with import <stockholm/lib>;
{
environment.systemPackages = [
pkgs.get
pkgs.htop
pkgs.krebspaste
pkgs.ovh-zone
pkgs.nix-prefetch-scripts
pkgs.ovh-zone
pkgs.push
];
}
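Review bot: `secrets.file` now follows `builder`, but `secrets-common.file = "/home/tv/secrets/common"` directly below it still points at the real secrets tree whatever `builder` is, so a `dummy_secrets=true` build still tries to populate from `/home/tv/secrets/common`; on a buildbot host that path presumably does not exist and the populate step fails, and if it does exist, real common secrets end up in a test build. Either route it through the same `getAttr builder { … }` with a dummy common tree next to `<stockholm/tv/dummy_secrets>`, or add a comment stating that every builder is expected to provide it. The choice also hinges on `getEnv "dummy_secrets" == "true"` at evaluation time, so a stray `dummy_secrets` in a deployer's environment silently switches trees; a `trace "builder: ${builder}"` on the chosen value would make that visible in the build log. The second hunk only reorders `systemPackages`.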


@ -7,7 +7,6 @@ with import <stockholm/lib>;
htop = pkgs.symlinkJoin {
name = "htop";
paths = [
super.htop
(pkgs.writeDashBin "htop" ''
export HTOPRC=${pkgs.writeText "htoprc" ''
fields=0 48 17 18 38 39 40 2 46 47 49 1
@ -37,6 +36,7 @@ with import <stockholm/lib>;
''}
exec ${super.htop}/bin/htop "$@"
'')
super.htop
];
};
};
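Review bot: The new position of `super.htop` at the end of `paths` is load-bearing — the direction of this change implies that in `symlinkJoin` the first entry providing `bin/htop` wins and a later one does not replace it — but nothing in the file says so, and the next tidy-up could alphabetise the list back. Add a comment above the list: `# order matters: the wrapper must precede super.htop so its bin/htop wins in symlinkJoin`. I am inferring the first-wins behaviour from the change itself; confirm against symlinkJoin's lndir invocation before relying on it elsewhere.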


@ -300,7 +300,6 @@ let {
vim-wrapper = pkgs.symlinkJoin {
name = "vim";
paths = [
pkgs.vim_configurable
(pkgs.writeDashBin "vim" ''
set -efu
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
@ -310,6 +309,7 @@ let {
# vim-orgmode needs Python, thus vim_configurable instead of just vim
exec ${pkgs.vim_configurable}/bin/vim "$@"
'')
pkgs.vim_configurable
];
};
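Review bot: Moving `pkgs.vim_configurable` after the `writeDashBin "vim"` entry changes which `bin/vim` the `symlinkJoin` exposes, yet the list gives no hint that its order is significant, so the same regression this commit fixes can easily recur. A one-line comment above `paths` — `# wrapper first: symlinkJoin keeps the first bin/vim it links` — documents the constraint where it is enforced. The claim about first-wins is inferred from this change; verify it against symlinkJoin's implementation in the pinned nixpkgs. The surrounding `let` block starts outside this hunk.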


@ -1,40 +1,54 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
nixpkgs.config.packageOverrides = super: let
self: super: let
# This callPackage will try to detect obsolete overrides.
callPackage = path: args: let
override = super.callPackage path args;
upstream = optionalAttrs (override ? "name")
(super.${(parseDrvName override.name).name} or {});
in if upstream ? "name" &&
override ? "name" &&
compareVersions upstream.name override.name != -1
then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
else override;
# This callPackage will try to detect obsolete overrides.
callPackage = path: args: let
override = super.callPackage path args;
upstream = optionalAttrs (override ? "name")
(super.${(parseDrvName override.name).name} or {});
in if upstream ? "name" &&
override ? "name" &&
compareVersions upstream.name override.name != -1
then
trace
"Upstream `${upstream.name}' gets overridden by `${override.name}'."
override
else override;
in {}
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir: pathExists (dir + "/default.nix"))
(subdirsOf ./.))
// {
# TODO use XDG_RUNTIME_DIR?
cr = pkgs.writeDashBin "cr" ''
set -efu
export LC_TIME=de_DE.utf8
exec ${pkgs.chromium}/bin/chromium \
--ssl-version-min=tls1 \
--disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \
--disk-cache-size=50000000 \
"$@"
'';
ejabberd = callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
ff = pkgs.writeDashBin "ff" ''
exec ${pkgs.firefoxWrapper}/bin/firefox "$@"
'';
gnupg = pkgs.gnupg21;
in {
# TODO use XDG_RUNTIME_DIR?
cr = self.writeDashBin "cr" ''
set -efu
export LC_TIME=de_DE.utf8
exec ${self.chromium}/bin/chromium \
--ssl-version-min=tls1 \
--disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \
--disk-cache-size=50000000 \
"$@"
'';
ejabberd = callPackage ./ejabberd {
erlang = self.erlangR16;
};
ff = self.writeDashBin "ff" ''
exec ${self.firefoxWrapper}/bin/firefox "$@"
'';
gnupg = self.gnupg21;
# https://github.com/NixOS/nixpkgs/issues/16113
wvdial = let
nixpkgs-1509 = import (self.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
in nixpkgs-1509.wvdial;
}
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir: pathExists (dir + "/default.nix"))
(subdirsOf ./.))
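Review bot: The new `wvdial` attribute imports an entire 2015 `nixpkgs-channels` tree and takes `wvdial` from it, so its runtime closure — wvstreams and that era's openssl, glibc and gcc runtime — is frozen at the 15.09 state and receives none of the fixes the rest of the system gets; the issue link explains the motive, but the stale closure should be called out, e.g. `# whole 15.09 closure incl. 2015 openssl; drop once NixOS/nixpkgs#16113 is fixed`. If the breakage in #16113 is in the expression rather than in wvstreams itself, `self.callPackage "${src}/pkgs/os-specific/linux/wvdial" {}` against the fetched tree would build it with current libraries instead — confirm the path in the 15.09 tree. In `cr`, `--ssl-version-min=tls1` explicitly pins Chromium's floor at TLS 1.0; that matches the default of the time, so it is redundant now and will quietly hold the floor down once the browser's default rises — drop it unless a specific site still needs it.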


@ -1,9 +1,9 @@
_:
{ pkgs, ... }:
{
imports = [
../krebs
./2configs
./3modules
./5pkgs
];
nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
}
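Review bot: `nixpkgs.config.packageOverrides = import ./5pkgs pkgs;` relies on `./5pkgs` now being an overlay-style `self: super:` function whose `self` is fixed to the module argument `pkgs` — the final, already-overridden set — while `super` is supplied by `packageOverrides`; this only works because the module's `pkgs` is evaluated lazily, and it is not obvious from either file. A comment on the line would save the next reader a debugging session: `# ./5pkgs is an overlay (self: super: ...); the module's final pkgs is passed as self`. If the same file is ever also listed in `nixpkgs.overlays`, this line has to go or the overrides would presumably apply twice.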