-rw-r--r-- | 0make/lass/cloudkrebs.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/cd.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/mkdir.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/nomic.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/rmdir.makefile | 4 | ||||
-rw-r--r-- | 0make/tv/wu.makefile | 4 | ||||
-rw-r--r-- | 2configs/lass/git-repos.nix | 140 | ||||
-rw-r--r-- | 2configs/lass/mors/retiolum.nix | 21 | ||||
-rw-r--r-- | 4lib/krebs/default.nix | 33 | ||||
-rw-r--r-- | 4lib/tv/default.nix | 52 | ||||
-rw-r--r-- | Makefile | 85 | ||||
-rw-r--r-- | Zpkgs/tv/lentil/1.patch | 39 | ||||
-rw-r--r-- | default.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/default.nix (renamed from 3modules/krebs/default.nix) | 251 | ||||
-rw-r--r-- | krebs/3modules/git.nix (renamed from 3modules/krebs/git.nix) | 6 | ||||
-rw-r--r-- | krebs/3modules/github-hosts-sync.nix (renamed from 3modules/krebs/github-hosts-sync.nix) | 6 | ||||
-rw-r--r-- | krebs/3modules/nginx.nix (renamed from 3modules/krebs/nginx.nix) | 0 | ||||
-rw-r--r-- | krebs/3modules/retiolum.nix (renamed from 3modules/krebs/retiolum.nix) | 0 | ||||
-rw-r--r-- | krebs/3modules/urlwatch.nix (renamed from 3modules/krebs/urlwatch.nix) | 4 | ||||
-rw-r--r-- | krebs/4lib/default.nix | 18 | ||||
-rw-r--r-- | krebs/4lib/dns.nix | 31 | ||||
-rw-r--r-- | krebs/4lib/listset.nix | 11 | ||||
-rw-r--r-- | krebs/4lib/tree.nix | 13 | ||||
-rw-r--r-- | krebs/4lib/types.nix (renamed from 4lib/krebs/types.nix) | 9 | ||||
-rw-r--r-- | krebs/5pkgs/default.nix (renamed from Zpkgs/krebs/default.nix) | 0 | ||||
-rw-r--r-- | krebs/5pkgs/dic.nix (renamed from Zpkgs/krebs/dic.nix) | 0 | ||||
-rw-r--r-- | krebs/5pkgs/genid.nix (renamed from Zpkgs/krebs/genid.nix) | 0 | ||||
-rw-r--r-- | krebs/5pkgs/github-hosts-sync.nix (renamed from Zpkgs/krebs/github-hosts-sync.nix) | 0 | ||||
-rw-r--r-- | krebs/5pkgs/github-known_hosts.nix (renamed from Zpkgs/krebs/github-known_hosts.nix) | 0 | ||||
-rw-r--r-- | krebs/5pkgs/hashPassword.nix (renamed from Zpkgs/krebs/hashPassword.nix) | 0 | ||||
-rw-r--r-- | lass/1systems/cloudkrebs.nix | 46 | ||||
-rw-r--r-- | lass/1systems/mors.nix (renamed from 1systems/lass/mors.nix) | 94 | ||||
-rw-r--r-- | lass/1systems/uriel.nix (renamed from 1systems/lass/uriel.nix) | 69 | ||||
-rw-r--r-- | lass/2configs/base.nix (renamed from 2configs/lass/base.nix) | 77 | ||||
-rw-r--r-- | lass/2configs/binary-caches.nix (renamed from 2configs/lass/binary-caches.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/bird.nix (renamed from 2configs/lass/bird.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/bitcoin.nix (renamed from 2configs/lass/bitcoin.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/browsers.nix (renamed from 2configs/lass/browsers.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/chromium-patched.nix (renamed from 2configs/lass/chromium-patched.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/desktop-base.nix (renamed from 2configs/lass/desktop-base.nix) | 6 | ||||
-rw-r--r-- | lass/2configs/elster.nix (renamed from 2configs/lass/elster.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/fastpoke-pages.nix | 97 | ||||
-rw-r--r-- | lass/2configs/games.nix (renamed from 2configs/lass/games.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/gitolite-base.nix (renamed from 2configs/lass/gitolite-base.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/identity.nix | 50 | ||||
-rw-r--r-- | lass/2configs/ircd.nix (renamed from 2configs/lass/ircd.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/mors/repos.nix (renamed from 2configs/lass/mors/repos.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/new-repos.nix | 77 | ||||
-rw-r--r-- | lass/2configs/pass.nix (renamed from 2configs/lass/pass.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/programs.nix (renamed from 2configs/lass/programs.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/retiolum.nix | 28 | ||||
-rw-r--r-- | lass/2configs/sshkeys.nix (renamed from 2configs/lass/sshkeys.nix) | 2 | ||||
-rw-r--r-- | lass/2configs/steam.nix (renamed from 2configs/lass/steam.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/texlive.nix (renamed from 2configs/lass/texlive.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/urxvt.nix (renamed from 2configs/lass/urxvt.nix) | 4 | ||||
-rw-r--r-- | lass/2configs/vim.nix (renamed from 2configs/lass/vim.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/virtualbox.nix (renamed from 2configs/lass/virtualbox.nix) | 0 | ||||
-rw-r--r-- | lass/2configs/wine.nix (renamed from 2configs/lass/wine.nix) | 0 | ||||
-rw-r--r-- | lass/3modules/default.nix | 8 | ||||
-rw-r--r-- | lass/3modules/iptables.nix (renamed from 3modules/lass/iptables.nix) | 2 | ||||
-rw-r--r-- | lass/3modules/sshkeys.nix (renamed from 3modules/lass/sshkeys.nix) | 0 | ||||
-rw-r--r-- | lass/3modules/urxvtd.nix (renamed from 3modules/lass/urxvtd.nix) | 0 | ||||
-rw-r--r-- | lass/3modules/xresources.nix (renamed from 3modules/lass/xresources.nix) | 2 | ||||
-rw-r--r-- | tv/1systems/cd.nix (renamed from 1systems/tv/cd.nix) | 34 | ||||
-rw-r--r-- | tv/1systems/mkdir.nix (renamed from 1systems/tv/mkdir.nix) | 28 | ||||
-rw-r--r-- | tv/1systems/nomic.nix (renamed from 1systems/tv/nomic.nix) | 26 | ||||
-rw-r--r-- | tv/1systems/rmdir.nix (renamed from 1systems/tv/rmdir.nix) | 28 | ||||
-rw-r--r-- | tv/1systems/wu.nix (renamed from 1systems/tv/wu.nix) | 120 | ||||
-rw-r--r-- | tv/2configs/AO753.nix (renamed from 2configs/tv/AO753.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/CAC-CentOS-7-64bit.nix (renamed from 2configs/tv/CAC-CentOS-7-64bit.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/CAC-Developer-1.nix (renamed from 2configs/tv/CAC-Developer-1.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/CAC-Developer-2.nix (renamed from 2configs/tv/CAC-Developer-2.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/base.nix (renamed from 2configs/tv/base.nix) | 1 | ||||
-rw-r--r-- | tv/2configs/bash_completion.sh (renamed from 2configs/tv/bash_completion.sh) | 0 | ||||
-rw-r--r-- | tv/2configs/charybdis.nix (renamed from 2configs/tv/charybdis.nix) | 136 | ||||
-rw-r--r-- | tv/2configs/consul-client.nix (renamed from 2configs/tv/consul-client.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/consul-server.nix (renamed from 2configs/tv/consul-server.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/cryptoroot.nix (renamed from 2configs/tv/cryptoroot.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/exim-retiolum.nix (renamed from 2configs/tv/exim-retiolum.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/exim-smarthost.nix (renamed from 2configs/tv/exim-smarthost.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/git.nix (renamed from 2configs/tv/git.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/mail-client.nix (renamed from 2configs/tv/mail-client.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/smartd.nix (renamed from 2configs/tv/smartd.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/synaptics.nix (renamed from 2configs/tv/synaptics.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/urlwatch.nix (renamed from 2configs/tv/urlwatch.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/urxvt.nix (renamed from 2configs/tv/urxvt.nix) | 0 | ||||
-rw-r--r-- | tv/2configs/w110er.nix (renamed from 2configs/tv/w110er.nix) | 2 | ||||
-rw-r--r-- | tv/2configs/xserver.nix (renamed from 2configs/tv/xserver.nix) | 2 | ||||
-rw-r--r-- | tv/3modules/consul.nix (renamed from 3modules/tv/consul.nix) | 2 | ||||
-rw-r--r-- | tv/3modules/default.nix (renamed from 3modules/tv/default.nix) | 0 | ||||
-rw-r--r-- | tv/3modules/ejabberd.nix (renamed from 3modules/tv/ejabberd.nix) | 0 | ||||
-rw-r--r-- | tv/3modules/iptables.nix (renamed from 3modules/tv/iptables.nix) | 4 | ||||
-rw-r--r-- | tv/4lib/default.nix | 27 | ||||
-rw-r--r-- | tv/4lib/git.nix (renamed from 4lib/tv/git.nix) | 0 | ||||
-rw-r--r-- | tv/4lib/modules.nix (renamed from 4lib/tv/modules.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/charybdis/default.nix (renamed from Zpkgs/tv/charybdis/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/charybdis/remove-setenv.patch (renamed from Zpkgs/tv/charybdis/remove-setenv.patch) | 2 | ||||
-rw-r--r-- | tv/5pkgs/default.nix (renamed from Zpkgs/tv/default.nix) | 4 | ||||
-rw-r--r-- | tv/5pkgs/lentil/default.nix (renamed from Zpkgs/tv/lentil/default.nix) | 6 | ||||
-rw-r--r-- | tv/5pkgs/lentil/syntaxes.patch (renamed from Zpkgs/tv/lentil/syntaxes.patch) | 0 | ||||
-rw-r--r-- | tv/5pkgs/much.nix (renamed from Zpkgs/tv/much.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/default.nix (renamed from Zpkgs/tv/viljetic-pages/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/index.html (renamed from Zpkgs/tv/viljetic-pages/index.html) | 0 | ||||
-rw-r--r-- | tv/5pkgs/viljetic-pages/logo.xpm (renamed from Zpkgs/tv/viljetic-pages/logo.xpm) | 0 |
104 files changed, 988 insertions, 755 deletions
diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile
new file mode 100644
index 000000000..baf7660b4
--- /dev/null
+++ b/0make/lass/cloudkrebs.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@cloudkrebs
+nixpkgs_url := https://github.com/Lassulus/nixpkgs
+nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
+secrets_dir := /home/lass/secrets/cloudkrebs
diff --git a/0make/tv/cd.makefile b/0make/tv/cd.makefile
deleted file mode 100644
index e021423f4..000000000
--- a/0make/tv/cd.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@cd-global
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/cd
diff --git a/0make/tv/mkdir.makefile b/0make/tv/mkdir.makefile
deleted file mode 100644
index b10398a07..000000000
--- a/0make/tv/mkdir.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@mkdir
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/mkdir
diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile
deleted file mode 100644
index 9e0b8671b..000000000
--- a/0make/tv/nomic.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@nomic.gg23
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
-secrets_dir := /home/tv/secrets/nomic
diff --git a/0make/tv/rmdir.makefile b/0make/tv/rmdir.makefile
deleted file mode 100644
index 6075bd3d4..000000000
--- a/0make/tv/rmdir.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_host := root@rmdir
-nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
-secrets_dir := /home/tv/secrets/rmdir
diff --git a/0make/tv/wu.makefile b/0make/tv/wu.makefile
deleted file mode 100644
index ef7e51194..000000000
--- a/0make/tv/wu.makefile
+++ /dev/null
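Review bot: The new 0make/lass/cloudkrebs.makefile is never read: the Makefile hunk in this same commit drops `-include 0make/$(LOGNAME)/$(system).makefile`, and the same four values (deploy target, nixpkgs url and rev, secrets dir) are declared again as `krebs.build` in lass/1systems/cloudkrebs.nix. Two copies of a pinned nixpkgs rev invite drift where one is bumped and the other is silently left behind. Either delete this file along with the tv/*.makefile removals, or put a one-line comment at its top, `# unused: deploy now driven by krebs.build.script (see lass/1systems/cloudkrebs.nix)`.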
@@ -1,4 +0,0 @@
-deploy_host := root@wu
-nixpkgs_url := /home/tv/src/nixpkgs
-nixpkgs_rev := 7725eb1d3ed85fc34edde3c3a7907ab234933a68
-secrets_dir := /home/tv/secrets/wu
diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix
deleted file mode 100644
index c0c305b85..000000000
--- a/2configs/lass/git-repos.nix
+++ /dev/null
@@ -1,140 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - - x-repos = [ - (krebs-private "brain") - - (public "painload") - (public "shitment") - (public "wai-middleware-time") - (public "web-routes-wai-custom") - - (secret "pass") - - (tv-lass "emse-drywall") - (tv-lass "emse-hsdb") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - - rules = concatMap ({ rules, ... }: rules) x-repos; - - krebs-private = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - secret = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ 
repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - tv-lass = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ../../3modules/lass/iptables.nix - ]; - - tv.git = { - enable = true; - inherit repos rules users; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; - -} diff --git a/2configs/lass/mors/retiolum.nix b/2configs/lass/mors/retiolum.nix deleted file mode 100644 index 1148bee9c..000000000 --- a/2configs/lass/mors/retiolum.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/retiolum - ]; - - tv.retiolum = { - enable = true; - hosts = <retiolum-hosts>; - privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; - connectTo = [ - "fastpoke" - "gum" - "ire" - ]; - }; - - networking.firewall.allowedTCPPorts = [ 655 ]; - networking.firewall.allowedUDPPorts = [ 655 ]; -} diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix deleted file mode 100644 index 0c42a5de3..000000000 --- a/4lib/krebs/default.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -builtins // lib // rec { - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - types = import ./types.nix { inherit lib; }; - - - # listset k v = set k [v] - - # listset-insert : k -> v -> listset k v -> listset k v - listset-insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; - - # tree k v = set k (either v (tree k v)) - - # tree-get : [k] -> tree k v -> v - tree-get = path: x: - let - y = x.${last path}; - in - if typeOf y != "set" - then y - else tree-get (init path) y; - -} diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix deleted file mode 100644 index 16888c214..000000000 --- a/4lib/tv/default.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ lib, pkgs, ... }: - -let - krebs = import ../../4lib/krebs { inherit lib; }; -in - -with krebs; - -krebs // rec { - - git = import ./git.nix { - lib = lib // { - inherit addNames; - }; - inherit pkgs; - }; - - # "7.4.335" -> "74" - majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - - concat = xs : - if xs == [] - then "" - else head xs + concat (tail xs) - ; - - flip = f : x : y : f y x; - - # isSuffixOf :: String -> String -> Bool - isSuffixOf = - s : xs : - let - sn = stringLength s; - xsn = stringLength xs; - in - xsn >= sn && substring (xsn - sn) sn xs == s ; - - # setMap :: (String -> a -> b) -> Set String a -> [b] - #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs); - - # setToList :: Set k a -> [a] - #setToList = setMap (_: v: v); - - shell-escape = - let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; - in - stringAsChars (c: - if isSafeChar c then c - else if c == "\n" then "'\n'" - else "\\${c}"); -} @@ -2,7 +2,7 @@ # usage: # make system=foo # make systems='foo bar' -# make eval system=foo get=config.networking.extraHosts +# make eval system=foo get=config.networking.extraHosts [filter=json] # .ONESHELL: 
@@ -17,91 +17,30 @@ $(systems): --tagstring {} \ -q make systems= system={} ::: $(systems) else ifdef system -include 0make/$(LOGNAME)/$(system).makefile .PHONY: deploy deploy:;@ - system_name=$(system) - deploy_host=$(deploy_host) - nixpkgs_url=$(nixpkgs_url) - nixpkgs_rev=$(nixpkgs_rev) - secrets_dir=$(secrets_dir) - - prepush(){( - dst=$$1 - src=$$2 - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --rsync-path="mkdir -p \"$$dst\" && rsync" \ - --usermap=\*:0 \ - --groupmap=\*:0 \ - --delete-excluded \ - -vrLptgoD \ - "$$src/" "$$deploy_host:$$dst" - )} - - prepush /root/src/stockholm "$$PWD" - prepush /root/src/secrets "$$secrets_dir" - - ssh -S none "$$deploy_host" -T env \ - nixpkgs_url="$$nixpkgs_url" \ - nixpkgs_rev="$$nixpkgs_rev" \ - system_name="$$system_name" \ - user_name="$$LOGNAME" \ - sh -euf \ - <<-\EOF - prefetch(){( - dst=$$1 - url=$$2 - rev=$$3 - mkdir -p "$$dst" - cd "$$dst" - if ! test -e .git; then - git init - fi - if ! cur_url=$$(git config remote.origin.url 2>/dev/null); then - git remote add origin "$$url" - elif test "$$cur_url" != "$$url"; then - git remote set-url origin "$$url" - fi - if test "$$(git rev-parse --verify HEAD 2>/dev/null)" != "$$rev"; then - git fetch origin - git checkout "$$rev" -- . - git checkout -q "$$rev" - git submodule init - git submodule update - fi - git clean -dxf - )} - - prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" - - echo build system... 
- NIX_PATH=/root/src \ - nix-build \ - -Q \ - -A system \ - '<stockholm>' \ - --argstr user-name "$$user_name" \ - --argstr system-name "$$system_name" - - result/bin/switch-to-configuration switch - EOF + make eval system=$(system) get=config.krebs.build.script filter=json | sh .PHONY: eval eval: @ +ifeq ($(filter),json) + extraArgs=--json + filter() { jq -r .; } +else + filter() { cat; } +endif NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ nix-instantiate \ - --json \ + $${extraArgs-} \ + $${json+--json} \ + $${json+--strict} \ --eval \ - --strict \ -A "$$get" \ '<stockholm>' \ --argstr user-name "$$LOGNAME" \ --argstr system-name "$$system" \ - | jq -r . + | filter else $(error unbound variable: system[s]) endif diff --git a/Zpkgs/tv/lentil/1.patch b/Zpkgs/tv/lentil/1.patch deleted file mode 100644 index 6e5a00c73..000000000 --- a/Zpkgs/tv/lentil/1.patch +++ /dev/null 
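Review bot: The new deploy recipe `make eval system=$(system) get=config.krebs.build.script filter=json | sh` returns the exit status of `sh`, so a failed evaluation (nix-instantiate error, empty jq output) executes nothing and `make deploy` still exits 0; with the default `/bin/sh` there is no `pipefail` to catch this. Evaluate first and only run on success: `script=$$(make eval system=$(system) get=config.krebs.build.script filter=json) && printf '%s\n' "$$script" | sh`. Separately, `$${json+--json}` and `$${json+--strict}` test a shell variable `json` that nothing in this recipe sets, so `--strict` (passed unconditionally before this change) is now silently dropped even when `filter=json`; if it is still wanted, fold it into `extraArgs='--json --strict'`.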
@@ -1,39 +0,0 @@ -diff -rN -u old-lentil/src/Lentil/File.hs new-lentil/src/Lentil/File.hs ---- old-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 -+++ new-lentil/src/Lentil/File.hs 2015-07-20 22:43:23.177620724 +0200 -@@ -13,10 +13,13 @@ - import Lentil.Types - import Lentil.Parse.Run - -+import System.Directory - import System.FilePath - import System.FilePath.Find -+import Data.Either - import Data.Monoid - import Control.Applicative -+import Control.Exception.Base - - import qualified Data.List as L - -@@ -36,7 +39,12 @@ - -------------- - - findIssues :: [FilePath] -> [FilePath] -> IO [Issue] --findIssues is xs = find always (findClause is xs) "." >>= issueFinder -+findIssues is xs = -+ (mapM (try . canonicalizePath) is :: IO [Either SomeException FilePath]) >>= -+ return . rights >>= -+ mapM (\i -> find always (findClause [i] xs) i) >>= -+ return . concat >>= -+ issueFinder - - -- fp to include, fp to exclude, clause - findClause :: [FilePath] -> [FilePath] -> FindClause Bool -@@ -47,6 +55,6 @@ - (not <$> fmap getAny xc) - where - fp2fc :: FilePath -> FindClause Any -- fp2fc f = Any . L.isPrefixOf (combine "." f) <$> filePath -+ fp2fc f = Any . L.isPrefixOf f <$> filePath - -- TODO: combine funziona su windows? [feature:intermediate] - diff --git a/default.nix b/default.nix index 49e889924..59a76f81b 100644 --- a/default.nix +++ b/default.nix @@ -4,10 +4,10 @@ let eval = import <nixpkgs/nixos/lib/eval-config.nix> { system = builtins.currentSystem; - modules = [ - (./1systems + "/${user-name}/${system-name}.nix") - (./3modules/krebs) - (./3modules + "/${user-name}") + modules = map (p: ./. + "/${p}") [ + "${user-name}/1systems/${system-name}.nix" + "${user-name}/3modules" + "krebs/3modules" ]; }; diff --git a/3modules/krebs/default.nix b/krebs/3modules/default.nix index 3c2f7c9cb..668d66ccf 100644 --- a/3modules/krebs/default.nix +++ b/krebs/3modules/default.nix 
@@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../../4lib/krebs { inherit lib; }; +with import ../4lib { inherit lib; }; let cfg = config.krebs; 
@@ -20,8 +20,108 @@ let enable = mkEnableOption "krebs"; build = mkOption { - type = types.submodule { + type = types.submodule ({ config, ... }: { options = { + target = mkOption { + type = with types; nullOr str; + default = null; + }; + deps = mkOption { + type = with types; attrsOf (submodule { + options = { + url = mkOption { + type = str; + }; + rev = mkOption { + type = nullOr str; + default = null; + }; + }; + }); + default = {}; + }; + script = mkOption { + type = types.str; + default = '' + #! /bin/sh + set -efux + + target=${escapeShellArg cfg.build.target} + + push(){( + src=$1/ + dst=$target:$2 + rsync \ + --exclude .git \ + --exclude .graveyard \ + --exclude old \ + --rsync-path="mkdir -p \"$dst\" && rsync" \ + --usermap=\*:0 \ + --groupmap=\*:0 \ + --delete-excluded \ + -vrLptgoD \ + "$src" "$dst" + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... }: + optionalString (rev == null) '' + push ${toString (map escapeShellArg [ + "${url}" + "/root/src/${name}" + ])} + '') config.deps)} + + exec ssh -S none "$target" /bin/sh <<\EOF + set -efux + fetch(){( + url=$1 + rev=$2 + dst=$3 + mkdir -p "$dst" + cd "$dst" + if ! test -e .git; then + git init + fi + if ! cur_url=$(git config remote.origin.url 2>/dev/null); then + git remote add origin "$url" + elif test "$cur_url" != "$url"; then + git remote set-url origin "$url" + fi + if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then + git fetch origin + git checkout "$rev" -- . + git checkout -q "$rev" + git submodule init + git submodule update + fi + git clean -dxf + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... }: + optionalString (rev != null) '' + fetch ${toString (map escapeShellArg [ + url + rev + "/root/src/${name}" + ])} + '') config.deps)} + + echo build system... 
+ profile=/nix/var/nix/profiles/system + NIX_PATH=/root/src \ + nix-env \ + -Q \ + -p "$profile" \ + -f '<stockholm>' \ + --set \ + -A system \ + --argstr user-name ${escapeShellArg cfg.build.user.name} \ + --argstr system-name ${escapeShellArg cfg.build.host.name} + + exec "$profile"/bin/switch-to-configuration switch + EOF + ''; + }; host = mkOption { type = types.host; }; @@ -29,11 +129,19 @@ let type = types.user; }; }; - }; + }); # Define defaul value, so unset values of the submodule get reported. default = {}; }; + dns = { + providers = mkOption { + # TODO with types; tree dns.label dns.provider, so we can merge. + # Currently providers can only be merged if aliases occur just once. + type = with types; attrsOf unspecified; + }; + }; + hosts = mkOption { type = with types; attrsOf host; }; @@ -46,8 +154,7 @@ let # TODO search-domains :: listOf hostname search-domain = mkOption { type = types.hostname; - default = ""; - example = "retiolum"; + default = "retiolum"; }; }; 
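Review bot: In the generated `push` function, `dst=$target:$2` is reused inside `--rsync-path="mkdir -p \"$dst\" && rsync"`, so the remote side runs `mkdir -p "root@host:/root/src/<name>"` and creates a directory literally named `root@host:` under root's working directory instead of `/root/src/<name>`; the old Makefile `prepush` (removed in this commit) passed the bare path to mkdir. The rsync into `/root/src/<name>` then only succeeds if `/root/src` already exists on the target. Keep host and path separate: `dst=$2` and `"$src" "$target:$dst"`. Also, `deps.<name>.rev` is typed `nullOr str`, so a branch name is accepted; `fetch` then compares it against `git rev-parse --verify HEAD`, never matches, and checks out whatever the remote currently serves rather than a pinned commit, which deserves at least a comment on the option such as `# rev should be a full commit hash; a ref is re-resolved on every deploy`. The submodule body continues outside the hunk.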
@@ -56,43 +163,112 @@ let { krebs = makefu-imp; } { krebs = tv-imp; } { - # XXX This overlaps with krebs.retiolum - networking.extraHosts = - let - # TODO move domain name providers to a dedicated module - # providers : tree label providername - providers = { - internet = "hosts"; - retiolum = "hosts"; - de.viljetic = "regfish"; - de.krebsco = "ovh"; - }; - - # splitByProvider : [alias] -> listset providername alias - splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {}; + krebs.dns.providers = { + de.krebsco = "ovh"; + internet = "hosts"; + retiolum = "hosts"; + }; - # providerOf : alias -> providername - providerOf = alias: - tree-get (splitString "." alias) providers; - in - concatStringsSep "\n" (flatten ( - # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - longs = (splitByProvider net.aliases).hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) config.krebs.hosts - )); + # XXX This overlaps with krebs.retiolum + networking.extraHosts = concatStringsSep "\n" (flatten ( + mapAttrsToList (hostname: host: + mapAttrsToList (netname: net: + let + aliases = toString (unique (longs ++ shorts)); + providers = dns.split-by-provider net.aliases cfg.dns.providers; + longs = providers.hosts; + shorts = map (removeSuffix ".${cfg.search-domain}") longs; + in + map (addr: "${addr} ${aliases}") net.addrs + ) host.nets + ) cfg.hosts + )); } ]; lass-imp = { hosts = addNames { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + ]; + 
tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + uriel = { + cores = 1; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.81.176"]; + addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; + aliases = [ + "uriel.retiolum" + "cgit.uriel.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR + duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb + MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME + m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx + uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo + u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mors = { + cores = 2; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.2"]; + addrs6 = ["42:0:0:0:0:0:0:dea7"]; + aliases = [ + "mors.retiolum" + "cgit.mors.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE + H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R + +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ + 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa + 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU + O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; users = addNames { lass = { 
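Review bot: `longs = providers.hosts;` is a hard attribute access on the result of `dns.split-by-provider`, so any net whose aliases all fall under a non-`hosts` provider (for instance only a `de.krebsco` name, now that `de.krebsco = "ovh"` is declared here) makes the whole `networking.extraHosts` evaluation fail with an attribute-missing error instead of contributing no entry; `longs = providers.hosts or [];` keeps the rest of the hosts file building. The new `krebs.dns.providers` option is `attrsOf unspecified`, so the `de` subtree defined here and `de.viljetic` from tv-imp are combined by the default merge, which as far as I recall shallow-merges attrsets; that works at this depth but would silently drop entries if two modules ever defined the same deeper label, which is what the TODO above the option is about. In the cloudkrebs host, `dc = "lass"; #dc = "cac";` carries commented-out code; keep one value or say why it was switched.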
@@ -140,6 +316,9 @@ let }; tv-imp = { + dns.providers = { + de.viljetic = "regfish"; + }; hosts = addNames { cd = { cores = 2; diff --git a/3modules/krebs/git.nix b/krebs/3modules/git.nix index 604645189..64b7820b2 100644 --- a/3modules/krebs/git.nix +++ b/krebs/3modules/git.nix @@ -6,15 +6,11 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../../4lib/krebs { inherit lib; }; +with import ../4lib { inherit lib; }; let cfg = config.krebs.git; out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; options.krebs.git = api; config = mkIf cfg.enable (mkMerge [ (mkIf cfg.cgit cgit-imp) diff --git a/3modules/krebs/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index c3b56ef94..0274b9d15 100644 --- a/3modules/krebs/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -61,9 +61,9 @@ let ${cfg.ssh-identity-file} \ "$ssh_identity_file_target" - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ln -snf ${kpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; + ExecStart = "${kpkgs.github-hosts-sync}/bin/github-hosts-sync"; }; }; @@ -78,6 +78,6 @@ let uid = 3220554646; # genid github-hosts-sync }; - Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in out diff --git a/3modules/krebs/nginx.nix b/krebs/3modules/nginx.nix index 702e8a7f6..702e8a7f6 100644 --- a/3modules/krebs/nginx.nix +++ b/krebs/3modules/nginx.nix diff --git a/3modules/krebs/retiolum.nix b/krebs/3modules/retiolum.nix index 481d6565c..481d6565c 100644 --- a/3modules/krebs/retiolum.nix +++ b/krebs/3modules/retiolum.nix diff --git a/3modules/krebs/urlwatch.nix b/krebs/3modules/urlwatch.nix index 58de72fc6..39d9fec54 100644 --- a/3modules/krebs/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix 
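Review bot: Removing `imports = [ ../../3modules/krebs/nginx.nix ]` from krebs.git means the `krebs.nginx` options (used by `cgit-imp`, which lies outside this hunk) are only defined if the aggregated module list imports nginx.nix somewhere else; krebs/3modules/default.nix's imports are not part of this diff, so please confirm it lists `./nginx.nix`, otherwise a host with `krebs.git.cgit = true` fails evaluation with an undefined-option error. A comment at the removal site, `# krebs.nginx is provided via krebs/3modules/default.nix`, records the dependency for the next reader. The enclosing `out` attrset continues outside the hunk.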
@@ -35,20 +35,22 @@ let }; mailto = mkOption { type = types.str; + default = config.krebs.build.user.mail; description = '' Content of the To: header of the generated mails. [AKA recipient :)] ''; }; onCalendar = mkOption { type = types.str; + default = "04:23"; description = '' Run urlwatch at this interval. The format is described in systemd.time(7), CALENDAR EVENTS. ''; - example = "04:23"; }; urls = mkOption { type = with types; listOf str; + default = []; description = "URL to watch."; example = [ https://nixos.org/channels/nixos-unstable/git-revision diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix new file mode 100644 index 000000000..b67585335 --- /dev/null +++ b/krebs/4lib/default.nix @@ -0,0 +1,18 @@ +{ lib, ... }: + +with builtins; +with lib; + +builtins // lib // rec { + + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; + + types = import ./types.nix { inherit lib; }; + + dns = import ./dns.nix { inherit lib; }; + listset = import ./listset.nix { inherit lib; }; + tree = import ./tree.nix { inherit lib; }; +} diff --git a/krebs/4lib/dns.nix b/krebs/4lib/dns.nix new file mode 100644 index 000000000..b2cf3c24c --- /dev/null +++ b/krebs/4lib/dns.nix @@ -0,0 +1,31 @@ +{ lib, ... }: + +let + listset = import ./listset.nix { inherit lib; }; +in + +with builtins; +with lib; + +rec { + # label = string + + # TODO does it make sense to have alias = list label? + + # split-by-provider : + # [[label]] -> tree label provider -> listset provider alias + split-by-provider = as: providers: + foldl (m: a: listset.insert (provider-of a providers) a m) {} as; + + # provider-of : alias -> tree label provider -> provider + # Note that we cannot use tree.get here, because path can be longer + # than the tree depth. + provider-of = a: + let + go = path: tree: + if typeOf tree == "string" + then tree + else go (tail path) tree.${head path}; + in + go (reverseList (splitString "." a)); +} 
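Review bot: `provider-of` has no failure path for an alias the tree does not cover: when the labels run out it calls `head []`, and an unknown label raises an attribute-missing error on `tree.${head path}`, both surfacing as opaque Nix errors from deep inside extraHosts evaluation without naming the alias. A guard before the recursive step, `else if path == [] || !(hasAttr (head path) tree) then throw "provider-of: no provider configured for ${a}"`, turns that into a diagnosable message. The `# TODO check if elem exists` on `get` in tree.nix (same commit) is the same gap.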
diff --git a/krebs/4lib/listset.nix b/krebs/4lib/listset.nix new file mode 100644 index 000000000..3aae22f20 --- /dev/null +++ b/krebs/4lib/listset.nix @@ -0,0 +1,11 @@ +{ lib, ... }: + +with lib; + +rec { + # listset k v = set k [v] + + # insert : k -> v -> listset k v -> listset k v + insert = name: value: set: + set // { ${name} = set.${name} or [] ++ [value]; }; +} diff --git a/krebs/4lib/tree.nix b/krebs/4lib/tree.nix new file mode 100644 index 000000000..1cd83b3f6 --- /dev/null +++ b/krebs/4lib/tree.nix @@ -0,0 +1,13 @@ +{ lib, ... }: + +with lib; + +rec { + # tree k v = set k (either v (tree k v)) + + # get : [k] -> tree k v -> v + get = path: tree: + if length path > 0 + then get (tail path) tree.${head path} # TODO check if elem exists + else tree; +} diff --git a/4lib/krebs/types.nix b/krebs/4lib/types.nix index 3d3d75a65..92410dd58 100644 --- a/4lib/krebs/types.nix +++ b/krebs/4lib/types.nix @@ -55,7 +55,7 @@ types // rec { type = listOf hostname; }; tinc = mkOption { - type = let net-config = config; in submodule ({ config, ... }: { + type = let net-config = config; in nullOr (submodule ({ config, ... }: { options = { config = mkOption { type = str; @@ -70,7 +70,8 @@ types // rec { type = str; }; }; - }); + })); + default = null; }; }; }); @@ -92,6 +93,10 @@ types // rec { pubkey = mkOption { type = str; }; + pubkeys = mkOption { + type = attrsOf str; + default = {}; + }; }; }; diff --git a/Zpkgs/krebs/default.nix b/krebs/5pkgs/default.nix index 231fda797..231fda797 100644 --- a/Zpkgs/krebs/default.nix +++ b/krebs/5pkgs/default.nix diff --git a/Zpkgs/krebs/dic.nix b/krebs/5pkgs/dic.nix index 571773d22..571773d22 100644 --- a/Zpkgs/krebs/dic.nix +++ b/krebs/5pkgs/dic.nix diff --git a/Zpkgs/krebs/genid.nix b/krebs/5pkgs/genid.nix index c75bec317..c75bec317 100644 --- a/Zpkgs/krebs/genid.nix +++ b/krebs/5pkgs/genid.nix diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/krebs/5pkgs/github-hosts-sync.nix index d69b2b12b..d69b2b12b 100644 
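Review bot: Making `tinc` `nullOr (submodule …)` with `default = null` means a net definition that omits `tinc.pubkey` is now accepted at evaluation time instead of being rejected, so whatever consumes `net.tinc` (krebs/3modules/retiolum.nix is renamed but not changed in this diff) must now handle the null or it will fail at a less obvious point. A `description` on the option, e.g. `description = "tinc settings for this net; null for nets not reachable via tinc";`, would make the intent explicit, and the new `pubkeys = mkOption { type = attrsOf str; … }` likewise needs a sentence on how it relates to the existing `pubkey`. The enclosing `types // rec { … }` starts and ends outside the hunk.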
--- a/Zpkgs/krebs/github-hosts-sync.nix +++ b/krebs/5pkgs/github-hosts-sync.nix diff --git a/Zpkgs/krebs/github-known_hosts.nix b/krebs/5pkgs/github-known_hosts.nix index 302fdd8d5..302fdd8d5 100644 --- a/Zpkgs/krebs/github-known_hosts.nix +++ b/krebs/5pkgs/github-known_hosts.nix diff --git a/Zpkgs/krebs/hashPassword.nix b/krebs/5pkgs/hashPassword.nix index a10340cc4..a10340cc4 100644 --- a/Zpkgs/krebs/hashPassword.nix +++ b/krebs/5pkgs/hashPassword.nix diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix new file mode 100644 index 000000000..515810e44 --- /dev/null +++ b/lass/1systems/cloudkrebs.nix @@ -0,0 +1,46 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../tv/2configs/CAC-Developer-2.nix + ../../tv/2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/retiolum.nix + ../2configs/fastpoke-pages.nix + ../2configs/new-repos.nix + { + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + } + ]; + + krebs.build = { + user = config.krebs.users.lass; + target = "root@cloudkrebs"; + host = config.krebs.hosts.cloudkrebs; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + + networking.hostName = "cloudkrebs"; + +} diff --git a/1systems/lass/mors.nix b/lass/1systems/mors.nix index 940dc4fdb..5bef56682 100644 --- a/1systems/lass/mors.nix +++ b/lass/1systems/mors.nix 
@@ -2,44 +2,43 @@ { imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/programs.nix - ../../2configs/lass/bitcoin.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix - ../../2configs/lass/virtualbox.nix - ../../2configs/lass/elster.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/steam.nix - ../../2configs/lass/wine.nix - ../../2configs/lass/texlive.nix - ../../2configs/lass/binary-caches.nix - ../../2configs/lass/ircd.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/git-repos.nix - ../../2configs/tv/synaptics.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; + ../2configs/desktop-base.nix + ../2configs/programs.nix + ../2configs/bitcoin.nix + ../2configs/browsers.nix + ../2configs/games.nix + ../2configs/pass.nix + ../2configs/virtualbox.nix + ../2configs/elster.nix + ../2configs/urxvt.nix + ../2configs/steam.nix + ../2configs/wine.nix + ../2configs/texlive.nix + ../2configs/binary-caches.nix + ../2configs/ircd.nix + ../2configs/chromium-patched.nix + ../2configs/new-repos.nix + #../../2configs/tv/synaptics.nix + ../2configs/retiolum.nix + ]; + + krebs.build = { + user = config.krebs.users.lass; + target = "root@mors"; + host = config.krebs.hosts.mors; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; }; - } - ]; + stockholm = { + url = toString ../..; + }; + }; + }; networking.hostName = "mors"; networking.wireless.enable = true; 
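Review bot: `#../../2configs/tv/synaptics.nix` keeps a commented-out import whose path no longer exists once this commit moves the tv configs to `tv/2configs/`; wu.nix in the same commit imports `../2configs/synaptics.nix` with a TODO. Either delete the line or update it to `#../../tv/2configs/synaptics.nix` so it can be re-enabled without a hunt for the file. The rest of the hunk mirrors cloudkrebs.nix and is consistent with it.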
@@ -168,21 +167,6 @@ ''; }; - users.extraUsers = { - #main user - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - extraGroups = [ "wheel" "audio" ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; @@ -217,4 +201,12 @@ services.mongodb = { enable = true; }; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } + ]; + }; + }; } diff --git a/1systems/lass/uriel.nix b/lass/1systems/uriel.nix index 25745d055..74d995560 100644 --- a/1systems/lass/uriel.nix +++ b/lass/1systems/uriel.nix 
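Review bot: The new `lass.iptables` rule on mors ACCEPTs tcp/8000 from every interface without saying which service listens there; nothing else in the hunk binds a listener to that port. A comment on the rule line naming the service, e.g. `{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } # <service> listener`, makes the exposure reviewable, and if the port is only needed inside the VPN, `-i retiolum -p tcp --dport 8000` limits it to that interface. The chosen `precedence = 9001` sorts after base.nix's 9998–10001 under the module's new descending comparator, which looks intended. The removed `users.extraUsers` block is re-created in base.nix, so that part is a move, not a loss.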
@@ -1,38 +1,48 @@ { config, pkgs, ... }: +with builtins; { imports = [ ../../2configs/lass/desktop-base.nix ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/tv/exim-retiolum.nix + ../../2configs/lass/retiolum.nix { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/uriel.ssh.pub + ]; + }; }; } ]; + krebs.build = { + user = config.krebs.users.lass; + target = "root@uriel"; + host = config.krebs.hosts.uriel; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "961fcbabd7643171ea74bd550fee1ce5c13c2e90"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + networking.hostName = "uriel"; + networking.wireless.enable = true; nix.maxJobs = 2; @@ -87,29 +97,6 @@ ''; }; - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" "audio" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/2configs/lass/base.nix b/lass/2configs/base.nix index 5e5b8a7b1..8379f14e4 100644 --- a/2configs/lass/base.nix +++ b/lass/2configs/base.nix 
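Review bot: uriel.nix still imports `../../2configs/lass/desktop-base.nix` and the other `../../2configs/lass/*.nix` paths, but this commit renames those files to `lass/2configs/*.nix` and updates mors.nix to `../2configs/...`; from `lass/1systems/uriel.nix` the old prefix resolves to the now-removed `2configs/lass/` directory, so evaluating this host should fail. The newly added `../../2configs/lass/new-repos.nix` and `../../2configs/lass/retiolum.nix` lines have the same problem, because those files are created as `lass/2configs/new-repos.nix` and `lass/2configs/retiolum.nix`. Changing each prefix to `../2configs/`, as mors.nix does, fixes it; `../../Zpubkeys/uriel.ssh.pub` is consistent with the `../../Zpubkeys/lass.ssh.pub` used in base.nix and can stay.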
@@ -3,16 +3,44 @@ with lib; { imports = [ - ./sshkeys.nix - ../../3modules/lass/iptables.nix + ../3modules/iptables.nix + ../2configs/vim.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import /root/src/secrets/hashedPasswords.nix); } - + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } ]; + krebs = { + enable = true; + search-domain = "retiolum"; + }; + nix.useChroot = true; users.mutableUsers = false; @@ -30,6 +58,8 @@ with lib; ''; environment.systemPackages = with pkgs; [ + nmap + git most rxvt_unicode.terminfo @@ -77,11 +107,11 @@ with lib; "sendmail" ]; - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; + #services.gitolite = { + # enable = true; + # dataDir = "/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; services.openssh = { enable = true; 
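Review bot: base.nix now installs the same `lass.ssh.pub` as an authorized key for both `root` and `mainUser`, so a compromise of that single private key yields root on every lass host without passing through `wheel`/sudo; whether `services.openssh.permitRootLogin` still permits this is outside the hunk. If direct root login is intended (the `krebs.build.target = "root@..."` values added elsewhere in this commit suggest it is), a one-line comment on the `root = {` line saying so is worth adding; otherwise drop the root entry and deploy via `wheel`. Separately, `../2configs/vim.nix` written from inside `lass/2configs/` is just `./vim.nix`, and the `nmap` addition to `environment.systemPackages` deserves a short comment on why every lass host needs it.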
@@ -102,35 +132,12 @@ with lib; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } ]; }; }; - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; } diff --git a/2configs/lass/binary-caches.nix b/lass/2configs/binary-caches.nix index c2727520d..c2727520d 100644 --- a/2configs/lass/binary-caches.nix +++ b/lass/2configs/binary-caches.nix diff --git a/2configs/lass/bird.nix b/lass/2configs/bird.nix index 3fc265cd7..3fc265cd7 100644 --- a/2configs/lass/bird.nix +++ b/lass/2configs/bird.nix diff --git a/2configs/lass/bitcoin.nix b/lass/2configs/bitcoin.nix index d3bccbf5c..d3bccbf5c 100644 --- a/2configs/lass/bitcoin.nix +++ b/lass/2configs/bitcoin.nix 
diff --git a/2configs/lass/browsers.nix b/lass/2configs/browsers.nix index 8aecea925..8aecea925 100644 --- a/2configs/lass/browsers.nix +++ b/lass/2configs/browsers.nix diff --git a/2configs/lass/chromium-patched.nix b/lass/2configs/chromium-patched.nix index 715181778..715181778 100644 --- a/2configs/lass/chromium-patched.nix +++ b/lass/2configs/chromium-patched.nix diff --git a/2configs/lass/desktop-base.nix b/lass/2configs/desktop-base.nix index ee7a94bc9..9b98e4a8b 100644 --- a/2configs/lass/desktop-base.nix +++ b/lass/2configs/desktop-base.nix @@ -55,11 +55,9 @@ in { displayManager.auto.enable = true; displayManager.auto.user = mainUser.name; - layout = "us,de"; + layout = "us"; xkbModel = "evdev"; - xkbVariant = "altgr-intl,nodeadkeys"; - xkbOptions = "grp:caps_toggle"; - + xkbVariant = "altgr-intl"; }; } diff --git a/2configs/lass/elster.nix b/lass/2configs/elster.nix index 1edd01896..1edd01896 100644 --- a/2configs/lass/elster.nix +++ b/lass/2configs/elster.nix diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix new file mode 100644 index 000000000..1f997eb6a --- /dev/null +++ b/lass/2configs/fastpoke-pages.nix 
@@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + createStaticPage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { + imports = [ + ../3modules/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + + krebs.nginx = { + enable = true; + servers = { + + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; + + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + }; + }; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} diff --git a/2configs/lass/games.nix b/lass/2configs/games.nix index 6043a8759..6043a8759 100644 --- a/2configs/lass/games.nix +++ b/lass/2configs/games.nix diff --git a/2configs/lass/gitolite-base.nix b/lass/2configs/gitolite-base.nix index b47629956..b47629956 100644 --- a/2configs/lass/gitolite-base.nix +++ b/lass/2configs/gitolite-base.nix diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix new file mode 100644 index 000000000..e712b16ac --- /dev/null 
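Review bot: The commented-out `krebs.nginx.servers` blocks in fastpoke-pages.nix duplicate what `createStaticPage` generates and have already drifted from it (the `"pixelpocket.de"` block lists `www.karlaskop.de` and `root /var/lib/http/karlaskop.de`), so they should be deleted rather than kept as a reference; the same goes for the commented `services.postgresql` and `config.services.vsftpd` stubs. The `filter.INPUT.rules` entry here carries no `precedence`, and `lass/3modules/iptables.nix` now sorts by `a.precedence > b.precedence`; unless that option has a default, the sort will fail on this rule, and `lass/2configs/retiolum.nix` in this commit has the same omission. The http rule also applies to every interface, which is presumably intended for a public web host; a comment on the rule line saying so would make it explicit.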
+++ b/lass/2configs/identity.nix @@ -0,0 +1,50 @@ +{ config, ... }: + +{ + imports = [ + ../../tv/3modules/identity.nix + ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} diff --git a/2configs/lass/ircd.nix b/lass/2configs/ircd.nix index f71b769fd..f71b769fd 100644 --- a/2configs/lass/ircd.nix +++ b/lass/2configs/ircd.nix diff --git a/2configs/lass/mors/repos.nix b/lass/2configs/mors/repos.nix index 1f7f33456..1f7f33456 100644 --- a/2configs/lass/mors/repos.nix +++ b/lass/2configs/mors/repos.nix diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix new file mode 100644 index 000000000..64e9a7f14 --- /dev/null +++ b/lass/2configs/new-repos.nix 
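Review bot: The cloudkrebs entry in identity.nix lists public domains (`habsys.de`, `pixelpocket.de`, `karlaskop.de`, `ubikmedia.de`, `apanowicz.de`, `aidsballs.de`) as `aliases` of the `retiolum` net next to the 10.243.206.102 address; if `tv.identity` turns aliases into hosts/DNS entries on every participating host, those names will resolve to the internal address rather than their public records — the commented `networking.extraHosts` in fastpoke-pages.nix suggests this is intended, but nothing here says so. A comment above the aliases list, e.g. `# public sites served from this host; reachable over retiolum by these names`, would record the intent. `dc = "lass"; #dc = "cac";` leaves a dead alternative inline; pick one or note why the other is kept.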
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../tv/4lib { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out diff --git a/2configs/lass/pass.nix b/lass/2configs/pass.nix index 33eca0a17..33eca0a17 100644 --- a/2configs/lass/pass.nix +++ b/lass/2configs/pass.nix diff --git a/2configs/lass/programs.nix b/lass/2configs/programs.nix index 41d241bac..41d241bac 100644 
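Review bot: The collaborator rule in `make-rules` can never fire: `rules` is computed from `repos`, which has `collaborators` stripped by `removeAttrs`, and `make-restricted-repo` already drops the attribute because its result only inherits `name` and `desc`. So `brain`'s collaborators `tv` and `makefu` (and anything from `/root/src/secrets/repos.nix`) get no `fetch` permission at all — it fails closed, but it is not what the code reads as doing. Keeping the un-stripped set for rule generation and passing `collaborators` through `make-restricted-repo` fixes it; `make-public-repo`, `make-rules` and `out` stay as they are.

```nix
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  # collaborators are kept here for rule generation; `repos` strips them for krebs.git
  all-repos =
    public-repos //
    optionalAttrs config.krebs.build.host.secure restricted-repos;

  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
  };
```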
--- a/2configs/lass/programs.nix +++ b/lass/2configs/programs.nix diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix new file mode 100644 index 000000000..b8a9cec72 --- /dev/null +++ b/lass/2configs/retiolum.nix @@ -0,0 +1,28 @@ +{ ... }: + +{ + imports = [ + ../3modules/iptables.nix + ../../tv/2configs/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} diff --git a/2configs/lass/sshkeys.nix b/lass/2configs/sshkeys.nix index 114a2596b..f6081cf37 100644 --- a/2configs/lass/sshkeys.nix +++ b/lass/2configs/sshkeys.nix @@ -2,7 +2,7 @@ { imports = [ - ../../3modules/lass/sshkeys.nix + ../3modules/sshkeys.nix ]; config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; diff --git a/2configs/lass/steam.nix b/lass/2configs/steam.nix index 7d088fc6a..7d088fc6a 100644 --- a/2configs/lass/steam.nix +++ b/lass/2configs/steam.nix diff --git a/2configs/lass/texlive.nix b/lass/2configs/texlive.nix index 295df31cd..295df31cd 100644 --- a/2configs/lass/texlive.nix +++ b/lass/2configs/texlive.nix diff --git a/2configs/lass/urxvt.nix b/lass/2configs/urxvt.nix index a2074ba02..1358dde7a 100644 --- a/2configs/lass/urxvt.nix +++ b/lass/2configs/urxvt.nix 
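Review bot: retiolum.nix ACCEPTs `--dport smtp` on every interface, and cloudkrebs.nix (added in this commit with the public address 104.167.113.104) imports it; unless the exim setup from `tv/2configs/exim-retiolum.nix` binds only to the retiolum address, this exposes SMTP on the internet-facing interface. Restricting the rule to the VPN interface, `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }`, matches the file's purpose; the two tinc rules must stay interface-independent since that is how the tunnel is reached. The three rules also omit `precedence`, which `lass/3modules/iptables.nix` now sorts on, so either the option needs a default or these rules need explicit values.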
@@ -7,8 +7,8 @@ in { imports = [ - ../../3modules/lass/urxvtd.nix - ../../3modules/lass/xresources.nix + ../3modules/urxvtd.nix + ../3modules/xresources.nix ]; services.urxvtd = { diff --git a/2configs/lass/vim.nix b/lass/2configs/vim.nix index 3fe45e1d1..3fe45e1d1 100644 --- a/2configs/lass/vim.nix +++ b/lass/2configs/vim.nix diff --git a/2configs/lass/virtualbox.nix b/lass/2configs/virtualbox.nix index 026203124..026203124 100644 --- a/2configs/lass/virtualbox.nix +++ b/lass/2configs/virtualbox.nix diff --git a/2configs/lass/wine.nix b/lass/2configs/wine.nix index 8d55da7fd..8d55da7fd 100644 --- a/2configs/lass/wine.nix +++ b/lass/2configs/wine.nix diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix new file mode 100644 index 000000000..d4e231ec7 --- /dev/null +++ b/lass/3modules/default.nix @@ -0,0 +1,8 @@ +_: + +{ + imports = [ + ./xresources.nix + ./iptables.nix + ]; +} diff --git a/3modules/lass/iptables.nix b/lass/3modules/iptables.nix index c97b9f730..8c6ad3fa1 100644 --- a/3modules/lass/iptables.nix +++ b/lass/3modules/iptables.nix @@ -106,7 +106,7 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; in #TODO: double check should be unneccessary, refactor! diff --git a/3modules/lass/sshkeys.nix b/lass/3modules/sshkeys.nix index 5f1c60668..5f1c60668 100644 --- a/3modules/lass/sshkeys.nix +++ b/lass/3modules/sshkeys.nix diff --git a/3modules/lass/urxvtd.nix b/lass/3modules/urxvtd.nix index 469616a9f..469616a9f 100644 --- a/3modules/lass/urxvtd.nix +++ b/lass/3modules/urxvtd.nix diff --git a/3modules/lass/xresources.nix b/lass/3modules/xresources.nix index 15c5b8b74..074963022 100644 --- a/3modules/lass/xresources.nix +++ b/lass/3modules/xresources.nix 
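Review bot: Flipping the comparator in `buildChain` to `a.precedence > b.precedence` silently reverses the order of every existing rule set, and the hunk adds no comment stating the new convention; a comment on that line, `# emit rules with the highest precedence first`, is the minimum. Relative order among rules with equal precedence then depends on list order, which holds only because Nix's `sort` is documented as stable — worth stating next to it, since firewall semantics hinge on it. Rules without a `precedence` attribute (fastpoke-pages.nix and retiolum.nix in this commit) will make this comparator throw unless the option defaults the value; the option declaration is outside the hunk, so please confirm.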
@@ -12,7 +12,7 @@ with lib; let - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; + inherit (import ../../tv/4lib { inherit pkgs lib; }) shell-escape; inherit (pkgs) writeScript; in diff --git a/1systems/tv/cd.nix b/tv/1systems/cd.nix index 6913508b5..54292eb83 100644 --- a/1systems/tv/cd.nix +++ b/tv/1systems/cd.nix @@ -3,21 +3,37 @@ with lib; let - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; + tvpkgs = import ../5pkgs { inherit pkgs; }; in { krebs.build.host = config.krebs.hosts.cd; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@cd.internet"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/CAC-Developer-2.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-server.nix - ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git.nix + ../2configs/CAC-Developer-2.nix + ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/consul-server.nix + ../2configs/exim-smarthost.nix + ../2configs/git.nix { - imports = [ ../../2configs/tv/charybdis.nix ]; + imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { enable = true; sslCert = ../../Zcerts/charybdis_cd.crt.pem; @@ -68,7 +84,7 @@ in server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) locations = singleton (nameValuePair "/" '' - root ${Zpkgs.viljetic-pages}; + root ${tvpkgs.viljetic-pages}; ''); }; } diff --git a/1systems/tv/mkdir.nix b/tv/1systems/mkdir.nix index 7542ad0ce..cd3d3b5c4 100644 --- a/1systems/tv/mkdir.nix +++ b/tv/1systems/mkdir.nix 
@@ -4,14 +4,30 @@ with lib; { krebs.build.host = config.krebs.hosts.mkdir; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@mkdir.internet"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/CAC-Developer-1.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-server.nix - ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git.nix + ../2configs/CAC-Developer-1.nix + ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/consul-server.nix + ../2configs/exim-smarthost.nix + ../2configs/git.nix { tv.iptables = { enable = true; diff --git a/1systems/tv/nomic.nix b/tv/1systems/nomic.nix index cd6e02596..b9a10cb4f 100644 --- a/1systems/tv/nomic.nix +++ b/tv/1systems/nomic.nix @@ -4,13 +4,29 @@ with lib; { krebs.build.host = config.krebs.hosts.nomic; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@nomic.gg23"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/AO753.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-server.nix - ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git.nix + ../2configs/AO753.nix + ../2configs/base.nix + ../2configs/consul-server.nix + ../2configs/exim-retiolum.nix + ../2configs/git.nix { tv.iptables = { enable = true; diff --git a/1systems/tv/rmdir.nix b/tv/1systems/rmdir.nix index 9233014ba..c8ac43e4c 100644 --- a/1systems/tv/rmdir.nix +++ b/tv/1systems/rmdir.nix 
@@ -4,14 +4,30 @@ with lib; { krebs.build.host = config.krebs.hosts.rmdir; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@rmdir.internet"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/CAC-Developer-1.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-server.nix - ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git.nix + ../2configs/CAC-Developer-1.nix + ../2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/consul-server.nix + ../2configs/exim-smarthost.nix + ../2configs/git.nix { tv.iptables = { enable = true; diff --git a/1systems/tv/wu.nix b/tv/1systems/wu.nix index 192b65b9d..27691ec56 100644 --- a/1systems/tv/wu.nix +++ b/tv/1systems/wu.nix 
@@ -3,22 +3,38 @@ with lib; let - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; + tvpkgs = import ../5pkgs { inherit pkgs; }; in { krebs.build.host = config.krebs.hosts.wu; + krebs.build.user = config.krebs.users.tv; + + krebs.build.target = "root@wu"; + + krebs.build.deps = { + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696"; + }; + secrets = { + url = "/home/tv/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; imports = [ - ../../2configs/tv/w110er.nix - ../../2configs/tv/base.nix - ../../2configs/tv/consul-client.nix - ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git.nix - ../../2configs/tv/mail-client.nix - ../../2configs/tv/xserver.nix - ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled - ../../2configs/tv/urlwatch.nix + ../2configs/w110er.nix + ../2configs/base.nix + ../2configs/consul-client.nix + ../2configs/exim-retiolum.nix + ../2configs/git.nix + ../2configs/mail-client.nix + ../2configs/xserver.nix + ../2configs/synaptics.nix # TODO w110er if xserver is enabled + ../2configs/urlwatch.nix { environment.systemPackages = with pkgs; [ @@ -26,9 +42,9 @@ in git gnumake parallel - Zpkgs.genid - Zpkgs.hashPassword - Zpkgs.lentil + tvpkgs.genid + tvpkgs.hashPassword + tvpkgs.lentil (pkgs.writeScriptBin "ff" '' #! ${pkgs.bash}/bin/bash exec sudo -u ff -i <<EOF @@ -75,8 +91,8 @@ in sxiv texLive tmux + tvpkgs.dic zathura - Zpkgs.dic #ack #apache-httpd @@ -169,19 +185,21 @@ in } { users.extraGroups = { - tv-sub.gid = 1337; + tv.gid = 1337; + slaves.gid = 3799582008; # genid slaves }; users.extraUsers = - mapAttrs (name: user: user // { + mapAttrs (name: user@{ extraGroups ? [], ... }: user // { inherit name; home = "/home/${name}"; createHome = true; useDefaultShell = true; + group = "tv"; + extraGroups = ["slaves"] ++ extraGroups; }) { ff = { uid = 13378001; - group = "tv-sub"; extraGroups = [ "audio" "video" 
@@ -190,17 +208,6 @@ in cr = { uid = 13378002; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - vimb = { - uid = 13378003; - group = "tv-sub"; extraGroups = [ "audio" "video" @@ -210,47 +217,38 @@ in fa = { uid = 2300001; - group = "tv-sub"; }; rl = { uid = 2300002; - group = "tv-sub"; }; tief = { uid = 2300702; - group = "tv-sub"; }; btc-bitcoind = { uid = 2301001; - group = "tv-sub"; }; btc-electrum = { uid = 2301002; - group = "tv-sub"; }; ltc-litecoind = { uid = 2301101; - group = "tv-sub"; }; eth = { uid = 2302001; - group = "tv-sub"; }; emse-hsdb = { uid = 4200101; - group = "tv-sub"; }; wine = { uid = 13370400; - group = "tv-sub"; extraGroups = [ "audio" "video" @@ -258,21 +256,8 @@ in ]; }; - # dwarffortress df = { uid = 13370401; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined - FTL = { - uid = 13370402; - #group = "tv-sub"; extraGroups = [ "audio" "video" @@ -280,14 +265,8 @@ in ]; }; - freeciv = { - uid = 13370403; - group = "tv-sub"; - }; - xr = { uid = 13370061; - group = "tv-sub"; extraGroups = [ "audio" "video" @@ -296,26 +275,14 @@ in "23" = { uid = 13370023; - group = "tv-sub"; }; electrum = { uid = 13370102; - group = "tv-sub"; - }; - - Reaktor = { - uid = 4230010; - group = "tv-sub"; - }; - - gitolite = { - uid = 7700; }; skype = { uid = 6660001; - group = "tv-sub"; extraGroups = [ "audio" ]; @@ -323,12 +290,10 @@ in onion = { uid = 6660010; - group = "tv-sub"; }; zalora = { uid = 1000301; - group = "tv-sub"; extraGroups = [ "audio" # TODO remove vboxusers when hardening is active 
@@ -340,17 +305,12 @@ in security.sudo.extraConfig = let - inherit (import ../../4lib/tv { inherit lib pkgs; }) - isSuffixOf; - - hasMaster = { group ? "", ... }: - isSuffixOf "-sub" group; - - masterOf = user : removeSuffix "-sub" user.group; + isSlave = u: elem "slaves" u.extraGroups; + masterOf = u: u.group; + slaves = filterAttrs (_: isSlave) config.users.extraUsers; + toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL"; in - concatStringsSep "\n" - (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL") - (filter hasMaster (attrValues config.users.extraUsers))); + concatMapStringsSep "\n" toSudoers (attrValues slaves); } ]; diff --git a/2configs/tv/AO753.nix b/tv/2configs/AO753.nix index 70eae1786..96167ce01 100644 --- a/2configs/tv/AO753.nix +++ b/tv/2configs/AO753.nix @@ -2,7 +2,7 @@ { imports = [ - ../../2configs/tv/smartd.nix + ../2configs/smartd.nix ]; boot.loader.grub = { diff --git a/2configs/tv/CAC-CentOS-7-64bit.nix b/tv/2configs/CAC-CentOS-7-64bit.nix index 95c6e815c..168d1d97b 100644 --- a/2configs/tv/CAC-CentOS-7-64bit.nix +++ b/tv/2configs/CAC-CentOS-7-64bit.nix @@ -33,7 +33,7 @@ _: # man:systemd-tmpfiles(8) # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) # Main PID: 19272 (code=exited, status=1/FAILURE) - # + # # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. diff --git a/2configs/tv/CAC-Developer-1.nix b/tv/2configs/CAC-Developer-1.nix index 37bc32afb..37bc32afb 100644 --- a/2configs/tv/CAC-Developer-1.nix +++ b/tv/2configs/CAC-Developer-1.nix 
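Review bot: The rebuilt `security.sudo.extraConfig` grants `masterOf u` (now simply `u.group`) passwordless `sudo -u` into every user that carries `slaves` in `extraGroups`, and `slaves` is computed from all of `config.users.extraUsers`, not just the accounts in the `mapAttrs` block that starts in an earlier hunk (which unconditionally sets `group = "tv"` and prepends `"slaves"`). A user declared in any other module with `slaves` in its extraGroups therefore yields a sudoers line naming its primary group as master, without being listed here. A comment above `isSlave`, e.g. `# any user in group "slaves" may be entered via passwordless sudo -u by the user whose name equals its primary group`, documents the convention; if only this host's accounts are meant, adding `&& u.group == "tv"` to `isSlave` narrows it. The `slaves.gid = 3799582008; # genid slaves` literal in the earlier hunk is fine but would read better as `genid "slaves"` if that helper is available at eval time.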
diff --git a/2configs/tv/CAC-Developer-2.nix b/tv/2configs/CAC-Developer-2.nix index fedb808df..fedb808df 100644 --- a/2configs/tv/CAC-Developer-2.nix +++ b/tv/2configs/CAC-Developer-2.nix diff --git a/2configs/tv/base.nix b/tv/2configs/base.nix index 06f83ea9e..997d4c235 100644 --- a/2configs/tv/base.nix +++ b/tv/2configs/base.nix @@ -10,7 +10,6 @@ in { krebs.enable = true; - krebs.search-domain = "retiolum"; networking.hostName = config.krebs.build.host.name; diff --git a/2configs/tv/bash_completion.sh b/tv/2configs/bash_completion.sh index 537484fb9..537484fb9 100644 --- a/2configs/tv/bash_completion.sh +++ b/tv/2configs/bash_completion.sh diff --git a/2configs/tv/charybdis.nix b/tv/2configs/charybdis.nix index d78e162cb..bf45bf294 100644 --- a/2configs/tv/charybdis.nix +++ b/tv/2configs/charybdis.nix @@ -1,5 +1,9 @@ { config, lib, pkgs, ... }: +let + tvpkgs = import ../5pkgs { inherit pkgs; }; +in + with builtins; with lib; let @@ -59,7 +63,7 @@ let ExecStart = pkgs.writeScript "charybdis-service" '' #! /bin/sh set -euf - exec ${Zpkgs.charybdis}/bin/charybdis-ircd \ + exec ${tvpkgs.charybdis}/bin/charybdis-ircd \ -foreground \ -logfile /dev/stderr \ -configfile ${configFile} @@ -88,7 +92,7 @@ let * * See reference.conf for more information. */ - + /* Extensions */ #loadmodule "extensions/chm_operonly_compat.so"; #loadmodule "extensions/chm_quietunreg_compat.so"; @@ -111,17 +115,17 @@ let #loadmodule "extensions/sno_globaloper.so"; #loadmodule "extensions/sno_whois.so"; loadmodule "extensions/override.so"; - + /* * IP cloaking extensions: use ip_cloaking_4.0 * if you're linking 3.2 and later, otherwise use * ip_cloaking.so, for compatibility with older 3.x * releases. */ - + #loadmodule "extensions/ip_cloaking_4.0.so"; #loadmodule "extensions/ip_cloaking.so"; - + serverinfo { name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)}; sid = "4z3"; 
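Review bot: charybdis.nix now opens a separate `let` for `tvpkgs = import ../5pkgs { inherit pkgs; };` ahead of `with builtins; with lib; let`, whereas cd.nix and wu.nix in the same commit bind `tvpkgs` inside their single existing `let`; moving the binding into the `let` that already follows keeps one scope per file and the same shape across the tree. The remaining hunks in this file only strip trailing whitespace from the embedded ircd configuration.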
@@ -129,23 +133,23 @@ let network_name = "irc.retiolum"; #network_desc = "Retiolum IRC Network"; hub = yes; - + /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ /* for IPv4 */ vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; /* for IPv6 */ vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; - + /* ssl_private_key: our ssl private key */ ssl_private_key = "/tmp/ssl.key"; - + /* ssl_cert: certificate for our ssl server */ ssl_cert = ${toJSON cfg.sslCert}; - + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ ssl_dh_params = "/tmp/dh.pem"; - + /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of * cpu/cpu cores you have might be useful. A number greater than one @@ -153,20 +157,20 @@ let * two file descriptors per SSL connection. */ ssld_count = 1; - + /* default max clients: the default maximum number of clients * allowed to connect. This can be changed once ircd has started by * issuing: * /quote set maxclients <limit> */ default_max_clients = 1024; - + /* nicklen: enforced nickname length (for this server only; must not * be longer than the maximum length set while building). */ nicklen = 30; }; - + admin { name = "tv"; description = "peer"; @@ -184,11 +188,11 @@ let fname_operspylog = "/dev/stderr"; fname_ioerrorlog = "/dev/stderr"; }; - + /* class {} blocks MUST be specified before anything that uses them. That * means they must be defined before auth {} and before connect {}. */ - + class "krebs" { ping_time = 2 minutes; number_per_ident = 10; @@ -200,7 +204,7 @@ let max_number = 3000; sendq = 1 megabyte; }; - + class "users" { ping_time = 2 minutes; number_per_ident = 10; 
@@ -212,21 +216,21 @@ let max_number = 3000; sendq = 400 kbytes; }; - + class "opers" { ping_time = 5 minutes; number_per_ip = 10; max_number = 1000; sendq = 1 megabyte; }; - + class "server" { ping_time = 5 minutes; connectfreq = 5 minutes; max_number = 1; sendq = 4 megabytes; }; - + listen { /* defer_accept: wait for clients to send IRC handshake data before * accepting them. if you intend to use software which depends on the @@ -234,7 +238,7 @@ let * otherwise, you probably want to leave it on. */ defer_accept = yes; - + /* If you want to listen on a specific IP only, specify host. * host definitions apply only to the following port line. */ @@ -245,7 +249,7 @@ let port = 6667; sslport = 6697; }; - + /* auth {}: allow users to connect to the ircd (OLD I:) * auth {} blocks MUST be specified in order of precedence. The first one * that matches a user will be used. So place spoofs first, then specials, @@ -260,21 +264,21 @@ let */ user = "*@10.243.0.0/12"; user = "*@42::/16"; - + /* password: an optional password that is required to use this block. * By default this is not encrypted, specify the flag "encrypted" in * flags = ...; below if it is. */ #password = "letmein"; - + /* spoof: fake the users user@host to be be this. You may either * specify a host or a user@host to spoof to. This is free-form, * just do everyone a favour and dont abuse it. (OLD I: = flag) */ #spoof = "I.still.hate.packets"; - + /* Possible flags in auth: - * + * * encrypted | password is encrypted with mkpasswd * spoof_notice | give a notice when spoofing hosts * exceed_limit (old > flag) | allow user to exceed class user limits 
@@ -293,88 +297,88 @@ let * need_sasl | require SASL id for user in this class */ flags = kline_exempt, exceed_limit, flood_exempt; - + /* class: the class the user is placed in */ class = "krebs"; }; - + auth { user = "*@*"; class = "users"; }; - + /* privset {} blocks MUST be specified before anything that uses them. That * means they must be defined before operator {}. */ privset "local_op" { privs = oper:local_kill, oper:operwall; }; - + privset "server_bot" { extends = "local_op"; privs = oper:kline, oper:remoteban, snomask:nick_changes; }; - + privset "global_op" { extends = "local_op"; privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, oper:resv, oper:mass_notice, oper:remoteban; }; - + privset "admin" { extends = "global_op"; privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override; }; - + privset "aids" { privs = oper:override, oper:rehash; }; - + operator "aids" { user = "*@10.243.*"; privset = "aids"; flags = ~encrypted; password = "balls"; }; - + operator "god" { /* name: the name of the oper must go above */ - + /* user: the user@host required for this operator. CIDR *is* * supported now. auth{} spoofs work here, other spoofs do not. * multiple user="" lines are supported. */ user = "*god@127.0.0.1"; - + /* password: the password required to oper. Unless ~encrypted is - * contained in flags = ...; this will need to be encrypted using + * contained in flags = ...; this will need to be encrypted using * mkpasswd, MD5 is supported */ password = "5"; - + /* rsa key: the public key for this oper when using Challenge. - * A password should not be defined when this is used, see + * A password should not be defined when this is used, see * doc/challenge.txt for more information. */ #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; - + /* umodes: the specific umodes this oper gets when they oper. 
* If this is specified an oper will not be given oper_umodes * These are described above oper_only_umodes in general {}; */ #umodes = locops, servnotice, operwall, wallop; - + /* fingerprint: if specified, the oper's client certificate * fingerprint will be checked against the specified fingerprint * below. */ #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b"; - + /* snomask: specific server notice mask on oper up. * If this is specified an oper will not be given oper_snomask. */ snomask = "+Zbfkrsuy"; - + /* flags: misc options for the operator. You may prefix an option * with ~ to disable it, e.g. ~encrypted. * @@ -386,30 +390,30 @@ let * need_ssl: must be using SSL/TLS to oper up */ flags = encrypted; - + /* privset: privileges set to grant */ privset = "admin"; }; - + service { name = "services.int"; }; - + cluster { name = "*"; flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; }; - + shared { oper = "*@*", "*"; flags = all, rehash; }; - + /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ exempt { ip = "127.0.0.1"; }; - + channel { use_invex = yes; use_except = yes; @@ -431,14 +435,14 @@ let channel_target_change = yes; disable_local_channels = no; }; - + serverhide { flatten_links = yes; links_delay = 5 minutes; hidden = no; disable_hidden = no; }; - + /* These are the blacklist settings. * You can have multiple combinations of host and rejection reasons. * They are used in pairs of one host/rejection reason. @@ -471,7 +475,7 @@ let host = "rbl.efnetrbl.org"; type = ipv4; reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}"; - + # host = "ircbl.ahbl.org"; # type = ipv4; # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect."; 
@@ -485,43 +489,43 @@ let # type = ipv4, ipv6; # reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect"; }; - + alias "NickServ" { target = "NickServ"; }; - + alias "ChanServ" { target = "ChanServ"; }; - + alias "OperServ" { target = "OperServ"; }; - + alias "MemoServ" { target = "MemoServ"; }; - + alias "NS" { target = "NickServ"; }; - + alias "CS" { target = "ChanServ"; }; - + alias "OS" { target = "OperServ"; }; - + alias "MS" { target = "MemoServ"; }; - + general { hide_error_messages = opers; hide_spoof_ips = yes; - + /* * default_umodes: umodes to enable on connect. * If you have enabled the new ip_cloaking_4.0 module, and you want @@ -533,7 +537,7 @@ let * default_umodes = "+ih"; */ default_umodes = "+i"; - + default_operstring = "is an IRC Operator"; default_adminstring = "is a Server Administrator"; servicestring = "is a Network Service"; @@ -587,17 +591,15 @@ let max_ratelimit_tokens = 30; away_interval = 30; }; - + modules { path = "modules"; path = "modules/autoload"; }; - + exempt { ip = "10.243.0.0/16"; }; ''; - - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; in out diff --git a/2configs/tv/consul-client.nix b/tv/2configs/consul-client.nix index 0a8bf4d75..0a8bf4d75 100644 --- a/2configs/tv/consul-client.nix +++ b/tv/2configs/consul-client.nix diff --git a/2configs/tv/consul-server.nix b/tv/2configs/consul-server.nix index d10f9ea75..d10f9ea75 100644 --- a/2configs/tv/consul-server.nix +++ b/tv/2configs/consul-server.nix diff --git a/2configs/tv/cryptoroot.nix b/tv/2configs/cryptoroot.nix index 04618ac4a..04618ac4a 100644 --- a/2configs/tv/cryptoroot.nix +++ b/tv/2configs/cryptoroot.nix diff --git a/2configs/tv/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 851a0c625..851a0c625 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix 
diff --git a/2configs/tv/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index c93189b8a..c93189b8a 100644 --- a/2configs/tv/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix diff --git a/2configs/tv/git.nix b/tv/2configs/git.nix index 2c0cc6b14..ecb98cef2 100644 --- a/2configs/tv/git.nix +++ b/tv/2configs/git.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../4lib/tv { inherit lib pkgs; }; +with import ../4lib { inherit lib pkgs; }; let out = { diff --git a/2configs/tv/mail-client.nix b/tv/2configs/mail-client.nix index 00f9a961a..a632cf7c4 100644 --- a/2configs/tv/mail-client.nix +++ b/tv/2configs/mail-client.nix @@ -1,6 +1,6 @@ { pkgs, ... }: -with import ../../Zpkgs/tv { inherit pkgs; }; +with import ../5pkgs { inherit pkgs; }; { environment.systemPackages = [ diff --git a/2configs/tv/smartd.nix b/tv/2configs/smartd.nix index 9c4d8b2d8..9c4d8b2d8 100644 --- a/2configs/tv/smartd.nix +++ b/tv/2configs/smartd.nix diff --git a/2configs/tv/synaptics.nix b/tv/2configs/synaptics.nix index c47cb9deb..c47cb9deb 100644 --- a/2configs/tv/synaptics.nix +++ b/tv/2configs/synaptics.nix diff --git a/2configs/tv/urlwatch.nix b/tv/2configs/urlwatch.nix index a69b1519c..a69b1519c 100644 --- a/2configs/tv/urlwatch.nix +++ b/tv/2configs/urlwatch.nix diff --git a/2configs/tv/urxvt.nix b/tv/2configs/urxvt.nix index 89bb421aa..89bb421aa 100644 --- a/2configs/tv/urxvt.nix +++ b/tv/2configs/urxvt.nix diff --git a/2configs/tv/w110er.nix b/tv/2configs/w110er.nix index 7ef0e6e9d..e580b2161 100644 --- a/2configs/tv/w110er.nix +++ b/tv/2configs/w110er.nix @@ -2,7 +2,7 @@ { imports = [ - ../../2configs/tv/smartd.nix + ../2configs/smartd.nix ]; boot.extraModprobeConfig = '' diff --git a/2configs/tv/xserver.nix b/tv/2configs/xserver.nix index 4a3de482a..7fc07f927 100644 --- a/2configs/tv/xserver.nix +++ b/tv/2configs/xserver.nix 
@@ -2,7 +2,7 @@ { imports = [ - ../../2configs/tv/urxvt.nix # TODO via xserver + ../2configs/urxvt.nix # TODO via xserver ]; services.xserver.enable = true; diff --git a/3modules/tv/consul.nix b/tv/3modules/consul.nix index 4e54c2ab0..82a15c024 100644 --- a/3modules/tv/consul.nix +++ b/tv/3modules/consul.nix @@ -5,7 +5,7 @@ # TODO consul-bootstrap HOST that actually does is # TODO tools to inspect state of a cluster in outage state -with import ../../4lib/tv { inherit lib pkgs; }; +with import ../4lib { inherit lib pkgs; }; let cfg = config.tv.consul; diff --git a/3modules/tv/default.nix b/tv/3modules/default.nix index bb10d8261..bb10d8261 100644 --- a/3modules/tv/default.nix +++ b/tv/3modules/default.nix diff --git a/3modules/tv/ejabberd.nix b/tv/3modules/ejabberd.nix index 2910a9a69..2910a9a69 100644 --- a/3modules/tv/ejabberd.nix +++ b/tv/3modules/ejabberd.nix diff --git a/3modules/tv/iptables.nix b/tv/3modules/iptables.nix index 173e5826d..cbf49f577 100644 --- a/3modules/tv/iptables.nix +++ b/tv/3modules/iptables.nix @@ -36,9 +36,9 @@ let path = with pkgs; [ iptables ]; - + restartIfChanged = true; - + serviceConfig = { Type = "simple"; RemainAfterExit = true; diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix new file mode 100644 index 000000000..352689af4 --- /dev/null +++ b/tv/4lib/default.nix @@ -0,0 +1,27 @@ +{ lib, pkgs, ... }: + +let + krebs = import ../../krebs/4lib { inherit lib; }; +in + +with krebs; + +krebs // rec { + + git = import ./git.nix { + lib = krebs; + inherit pkgs; + }; + + # "7.4.335" -> "74" + majmin = with lib; x : concatStrings (take 2 (splitString "." x)); + + shell-escape = + let + isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; + in + stringAsChars (c: + if isSafeChar c then c + else if c == "\n" then "'\n'" + else "\\${c}"); +} diff --git a/4lib/tv/git.nix b/tv/4lib/git.nix index 2b25debdc..2b25debdc 100644 --- a/4lib/tv/git.nix +++ b/tv/4lib/git.nix 
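Review bot: `shell-escape` in the new file `tv/4lib/default.nix` relies on an unqualified `match`, which is `builtins.match`; if the `krebs` library this file is evaluated under does not re-export it, the whole file fails to evaluate, so `isSafeChar = c: builtins.match "[-./0-9_a-zA-Z]" c != null;` would be the robust spelling. Because callers will depend on this helper to keep untrusted strings from being interpreted by the shell, its contract deserves a header comment stating that it yields a single POSIX `sh` word: characters matching the safe class pass through, a newline becomes a single-quoted newline, and every other character is backslash-escaped. `stringAsChars` works per byte, so multi-byte UTF-8 input is escaped byte by byte — presumably still correct for `sh`, but worth confirming or documenting the helper as ASCII-only. The `majmin` comment could also note that the result is ambiguous once a component has more than one digit (`"10.2"` and `"1.02"` both give `"102"`).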
diff --git a/4lib/tv/modules.nix b/tv/4lib/modules.nix index 248e638ea..248e638ea 100644 --- a/4lib/tv/modules.nix +++ b/tv/4lib/modules.nix diff --git a/Zpkgs/tv/charybdis/default.nix b/tv/5pkgs/charybdis/default.nix index f3e6be40e..f3e6be40e 100644 --- a/Zpkgs/tv/charybdis/default.nix +++ b/tv/5pkgs/charybdis/default.nix diff --git a/Zpkgs/tv/charybdis/remove-setenv.patch b/tv/5pkgs/charybdis/remove-setenv.patch index c53c1ff29..bbaf95e19 100644 --- a/Zpkgs/tv/charybdis/remove-setenv.patch +++ b/tv/5pkgs/charybdis/remove-setenv.patch @@ -5,7 +5,7 @@ index 03dd907..3698e85 100644 @@ -82,7 +82,6 @@ start_bandb(void) const char *suffix = ""; #endif - + - rb_setenv("BANDB_DBPATH", PKGLOCALSTATEDIR "/ban.db", 1); if(bandb_path == NULL) { diff --git a/Zpkgs/tv/default.nix b/tv/5pkgs/default.nix index 50625f868..7b5d10a60 100644 --- a/Zpkgs/tv/default.nix +++ b/tv/5pkgs/default.nix @@ -2,10 +2,10 @@ let inherit (pkgs) callPackage; - krebs = import ../../Zpkgs/krebs { inherit pkgs; }; + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in -krebs // { +kpkgs // { charybdis = callPackage ./charybdis {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; diff --git a/Zpkgs/tv/lentil/default.nix b/tv/5pkgs/lentil/default.nix index 1385cbd4d..fc9b4fd31 100644 --- a/Zpkgs/tv/lentil/default.nix +++ b/tv/5pkgs/lentil/default.nix @@ -4,13 +4,11 @@ overrides = self: super: { lentil = super.lentil.override { mkDerivation = (attrs: self.mkDerivation (attrs // { - version = "0.1.2.7"; - sha256 = "1g3if2y41li6wyg7ffvpybqvbywiq8bf5b5fb6pz499hinzahb9d"; + version = "0.1.3.0"; + sha256 = "0xa59avh0bvfg69xh9p5b8dppfhx29mvfq8v41sk9j7qbcnzjivg"; patches = [ - ./1.patch ./syntaxes.patch ]; - doCheck = false; })); }; }; diff --git a/Zpkgs/tv/lentil/syntaxes.patch b/tv/5pkgs/lentil/syntaxes.patch index a9390ae51..a9390ae51 100644 --- a/Zpkgs/tv/lentil/syntaxes.patch +++ b/tv/5pkgs/lentil/syntaxes.patch 
diff --git a/Zpkgs/tv/much.nix b/tv/5pkgs/much.nix
index 82586b422..82586b422 100644
--- a/Zpkgs/tv/much.nix
+++ b/tv/5pkgs/much.nix
diff --git a/Zpkgs/tv/viljetic-pages/default.nix b/tv/5pkgs/viljetic-pages/default.nix
index 1ae55cca7..1ae55cca7 100644
--- a/Zpkgs/tv/viljetic-pages/default.nix
+++ b/tv/5pkgs/viljetic-pages/default.nix
diff --git a/Zpkgs/tv/viljetic-pages/index.html b/tv/5pkgs/viljetic-pages/index.html
index c06b3f97b..c06b3f97b 100644
--- a/Zpkgs/tv/viljetic-pages/index.html
+++ b/tv/5pkgs/viljetic-pages/index.html
diff --git a/Zpkgs/tv/viljetic-pages/logo.xpm b/tv/5pkgs/viljetic-pages/logo.xpm
index bb263dad9..bb263dad9 100644
--- a/Zpkgs/tv/viljetic-pages/logo.xpm
+++ b/tv/5pkgs/viljetic-pages/logo.xpm
|