some changes after nix 2.0

2018-02-27 16:31:16 +01:00 · 2018-02-27 16:31:16 +01:00 · ba70783346
parent 7c01fddce1
commit ba70783346
16 changed files with 137 additions and 219 deletions
--- a/4
+++ b/4
@ -15,6 +15,10 @@ stable)
 	export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
 	eval ${@:3}
 	;;
+checkout)
+    export NIX_PATH="nixpkgs=`pwd`/../nixpkgs:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
+    eval ${@:3}
+    ;;
 channel)
 	export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
 	eval ${@:3}
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:

 let secrets = import <secrets>;
@ -13,34 +9,12 @@ in
      ../roles/workstation.nix
    ];

+  system.stateVersion = "17.09";
  # no, not that Ascanius.
  networking.hostName = secrets.hostnames.ascanius;
+  services.tor.hiddenServices.ssh.map = [
+    { port = 22; }
+  ];
+  services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";

-  nixpkgs.config = {
-    packageOverrides = pkgs : {
-      bluez = pkgs.bluez5;
-      # https://github.com/NixOS/nixpkgs/issues/22099
-      trustedGrub = pkgs.grub2.overrideDerivation (attr: rec {
-        version = "2.x-20170910";
-        name = "trustedGRUB2-${version}";
-        buildInputs = attr.buildInputs ++ (with pkgs;[autoconf automake]);
-        prePatch = ''
-          rm -rf po
-          tar Jxf ${pkgs.grub2.src} grub-2.02/po
-          cp -r grub-2.02/po po
-          ./autogen.sh
-        '';
-        src = pkgs.fetchFromGitHub {
-          repo = "TrustedGRUB2";
-          owner = "Rohde-Schwarz-Cybersecurity";
-          rev = "e656aaabd3bc5abda6c62c8967ebfd0c53ef179b";
-          sha256 = "08lq4prqhn923i8a7q79s4lsfnqgk4jd255xzk1wy12vg45dwlsc";
-        };
-      });
-    };
-  };
-
-
-  services.tor.hiddenServices.ssh.map = [{ port = 22; }];
-  nix.gc.automatic = pkgs.lib.mkOverride 30 false;
 }
--- a/logical/jarvis.nix
+++ b/logical/jarvis.nix
@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, lib, ... }:

 {
@ -23,10 +19,5 @@
  services.xserver.displayManager.sessionCommands = ''
    ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192
  '';
-  nix.gc.automatic = pkgs.lib.mkOverride 30 false;
-  # nix.trustedBinaryCaches = [http://192.168.1.27:5000];
-  # nix.binaryCachePublicKeys = [
-  #   "hydra.example.org-1:NbZfmBIhIevVM5OZ81TbwruSC9etkIrdi1mR6AAdm98="
-  # ];
  virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false;
 }
--- a/logical/woodhouse.nix
+++ b/logical/woodhouse.nix
@ -1,25 +1,30 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, lib, ... }:
 let
  secrets = import <secrets>;
+mkFuseMount = device: opts: {
+    # todo:  "ServerAliveCountMax=3" "ServerAliveInterval=30"
+
+    device = "${pkgs.sshfsFuse}/bin/sshfs#${device}";
+    fsType = "fuse";
+    options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
+               "defaults" "allow_other" "transform_symlinks" "default_permissions"
+               "uid=1000"
+               "reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts;
+};
 in
 {
  imports =
    [ # Include the results of the hardware scan.
      ../physical/nuc.nix
      ../roles/common.nix
-      ../roles/collectd.nix
-      ../modules/tor-hidden-service.nix
+      # ../roles/collectd.nix
      ../roles/graphical.nix
    ];

  networking.hostName = secrets.hostnames.woodhouse;

  # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "16.09";
+  system.stateVersion = "17.09";


  services.xserver = {
@ -27,42 +32,14 @@ in
  };


-
-  services.tor.hiddenServices = [
-    { name = "ssh";
-      port = 22;
-      hostname = secrets.tor_hostnames."ssh.woodhouse";
-      private_key = "/run/keys/torkeys/ssh.woodhouse.key"; }
-  ];
+  services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
+  services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";

  system.fsPackages = [ pkgs.sshfsFuse ];
-  fileSystems."/mnt/frumar" = {
-    # todo:  "ServerAliveCountMax=3" "ServerAliveInterval=30"

-    device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@" + secrets.hostnames.frumar + ":/data/yorick";
-    fsType = "fuse";
-    options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
-               "defaults" "allow_other" "transform_symlinks" "default_permissions"
-               "uid=1000"
-               "reconnect" "IdentityFile=/root/.ssh/id_sshfs"];
-  };
-  fileSystems."/mnt/oxygen" = {
-    device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@oxygen.obfusk.ch:";
-    fsType = "fuse";
-    options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
-               "defaults" "allow_other" "transform_symlinks" "default_permissions"
-               "uid=1000"
-               "reconnect" "IdentityFile=/root/.ssh/id_sshfs"];
-  };
-
-  fileSystems."/mnt/nyamsas" = {
-    device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@nyamsas.quezacotl.nl:";
-    fsType = "fuse";
-    options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
-               "defaults" "allow_other" "transform_symlinks" "default_permissions"
-               "uid=1000"
-               "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=1337"];
-  };
+  fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
+  fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" [];
+  fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"];


  networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi
--- a/modules/tor-hidden-service.nix
+++ b/modules/tor-hidden-service.nix
@ -3,25 +3,15 @@
 with lib;

 let
-  hiddenServices = config.services.tor.hiddenServices;
+  service-keys = config.services.tor.service-keys;
+  torDir = "/var/lib/tor";
 in {
-  options.services.tor = { 
-    hiddenServices = mkOption { default = []; };
+  options.services.tor.service-keys = mkOption {
+    default = {};
+    type = with types; loaOf string;
  };

-  config = mkIf (hiddenServices != []) {
-    assertions = map (hiddenService: {
-      assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
-      message   = "all hidden services should define a name and a port..";
-    }) hiddenServices;
-
-    services.tor.enable = true;
-
-    services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
-      HiddenServiceDir /var/lib/tor/${hiddenService.name}
-      HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
-    '') hiddenServices);
-
+  config = mkIf (service-keys != {}) {
    systemd.services."install-tor-hidden-service-keys" = {
      wantedBy = ["tor.service"];
      serviceConfig.Type = "oneshot";
@ -29,14 +19,13 @@ in {
      serviceConfig.Group = "keys";
      # TODO: update on change?
      # TODO: better ways to get the keys on the server
-      script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
-        if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
-          mkdir -p /var/lib/tor/${hiddenService.name}/
-          cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
-          echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname
-          chmod -R 700 /var/lib/tor/${hiddenService.name};
+      script = concatStringsSep "\n" (mapAttrsToList (name: keypath: ''
+        if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then
+          mkdir -p ${torDir}/onion/${name}/
+          cp ${keypath} ${torDir}/onion/${name}/private_key
+          chmod -R 700 ${torDir}/onion/${name}
        fi
-      '' else "true") hiddenServices);
+      '') service-keys);
    };
  };
 }
--- a/physical/fractal.nix
+++ b/physical/fractal.nix
@ -9,8 +9,7 @@
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  yorick.cpu = "intel";

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
--- a/physical/hp8570w.nix
+++ b/physical/hp8570w.nix
@ -1,47 +1,27 @@
-# I'm modifying this file anyways.
 { config, lib, pkgs, ... }:

 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-      ./hp8570w/powerdown.nix
-    ];
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ./hp8570w/powerdown.nix
+  ];

-  hardware.cpu.intel.updateMicrocode = true;
+  yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; };

  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/sda";
-      trustedBoot = {
-        enable = true;
-        systemHasTPM = "YES_TPM_is_activated";
-      };
    };
    kernelPackages = pkgs.linuxPackages_latest;
-    kernelModules = ["nvidiabl" "kvm-intel"];
  };
-  services.xserver.videoDrivers = ["nouveau"];
-  services.xserver.synaptics.enable = true;

-  networking.wireless.enable = true;
-  hardware.bluetooth.enable = true;
-
-
-  # ideal... doesn't work.
-  #services.udev.extraRules = ''
-  #   KERNEL=="nvidia_backlight", SUBSYSTEM=="backlight", MODE="666"
-  #'';
-  # for now
-  systemd.services."display-manager".preStart = ''
-   chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true
-  '';
  # this makes sure my wifi doesn't take a minute to work
  services.udev.extraRules = ''
    SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1"
  '';

-  boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ];
+  boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" ];
  boot.initrd.luks.devices = [ {
    name = "nix-root-enc";
    device = "/dev/sdb2";
@ -65,6 +45,6 @@

  nix.maxJobs = 8;

-  services.tcsd.enable = true; # it has a TPM. maybe use this?
-  environment.systemPackages = with pkgs; [btrfs-progs tpm-tools];
+  #services.tcsd.enable = true; # it has a TPM. maybe use this?
+  #environment.systemPackages = with pkgs; [tpm-tools];
 }
--- a/physical/hp8570w/powerdown.nix
+++ b/physical/hp8570w/powerdown.nix
@ -13,15 +13,9 @@ in
    SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}"
  '';

-  systemd.services.powerswitch = {
-    enable = true;
-    wantedBy = [ "multi-user.target" "suspend.target" ];
-    after = [ "suspend.target" "display-manager.service" ];
-    description = "Run powerswitch sometimes";
-    preStart = "sleep 4s";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = powersw;
-    };
-  };
+  powerManagement.powerUpCommands = ''
+    sleep 4s
+    ${powersw}/bin/powerswitch
+  '';
+  
 }
--- a/physical/nuc.nix
+++ b/physical/nuc.nix
@ -9,9 +9,7 @@
    ];

  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-  hardware.cpu.intel.updateMicrocode = true;
+  yorick = { cpu = "intel"; gpu = "intel"; };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/physical/xps9360.nix
+++ b/physical/xps9360.nix
@ -1,40 +1,22 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+  ];
+  yorick = { cpu = "intel"; gpu = "intel"; laptop = true; };
+
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+  };

  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
  boot.blacklistedKernelModules = ["psmouse"];

-  boot.kernelPackages = pkgs.linuxPackages_latest;
-
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-
-  hardware.cpu.intel.updateMicrocode = true;
-
-
-  services.xserver.libinput.enable = true;
-  services.thermald.enable = true;
-
-  networking.wireless.enable = true;
-  networking.dhcpcd.extraConfig = ''
-    noarp
-  '';
-  hardware.bluetooth.enable = true;
-  # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
-  # might require linux 4.11 
-  boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2" "intel_iommu=on"];
-  # now we wait until enable_psr=1 is fixed

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62";
@ -57,24 +39,7 @@
    ];

  nix.maxJobs = lib.mkDefault 4;
-
-  environment.systemPackages = [pkgs.btrfs-progs];
  
-  # ideal... doesn't work.
-  #services.udev.extraRules = ''
-  #   KERNEL=="intel_backlight", SUBSYSTEM=="backlight", MODE="666"
-  #'';
-  # for now
-  systemd.services."display-manager".preStart = ''
-   chmod a+w $(realpath /sys/class/backlight/intel_backlight/brightness) || true
-  '';
-  # this makes sure my wifi doesn't take a minute to work
-  services.udev.extraRules = ''
-    SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1"
-  '';
-
-  services.xserver.videoDrivers = ["modesetting"];
-  hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
  # bigger console font
  i18n.consoleFont = "latarcyrheb-sun32";
 }
--- a/roles/collectd.nix
+++ b/roles/collectd.nix
@ -56,11 +56,11 @@ in
      libxml2 = null;
      libtool = null;
      lvm2 = null;
-      libmysql = null;
+      mysql = null;
      protobufc = null;
      python = null;
      rabbitmq-c = null;
-      riemann = null;
+      riemann_c_client = null;
      rrdtool = null;
      varnish = null;
      yajl = null;
--- a/roles/common.nix
+++ b/roles/common.nix
@ -2,7 +2,10 @@ let secrets = import <secrets>;
 in
 { config, pkgs, lib, ...}:
 {
-	imports = [];
+	imports = [
+    ../roles/hardware.nix
+    ../modules/tor-hidden-service.nix
+  ];
 	time.timeZone = "Europe/Amsterdam";
 	users.mutableUsers = false;
 	users.extraUsers.root = {
@ -12,6 +15,7 @@ in

 	};
  services.timesyncd.enable = true;
+  services.fail2ban.enable = true;
 	users.extraUsers.yorick = {
 	  isNormalUser = true;
 	  uid = 1000;
@ -22,6 +26,7 @@ in

  # Nix
  nixpkgs.config.allowUnfree = true;
+  nix.package = pkgs.nixUnstable;


  nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
@ -32,10 +37,6 @@ in

  nix.extraOptions = ''
    allow-unsafe-native-code-during-evaluation = true
-    allow-unfree = true
-    #binary-caches-parallel-connections = 3
-    #connect-timeout = 5
-    keep-going = true
  '';

  # Networking
--- a/roles/graphical.nix
+++ b/roles/graphical.nix
@ -8,11 +8,6 @@ in
  # Enable the X11 windowing system.
  services.xserver = {
    enable = true;
-    synaptics = {
-      twoFingerScroll = true;
-      horizontalScroll = true;
-      scrollDelta = -107; # inverted scrolling
-    };
    libinput = {
      naturalScrolling = true;
      tappingDragLock = false;
@ -23,16 +18,24 @@ in
    # xkbOptions = "eurosign:e";
    windowManager.i3 = {
      enable = true;
-    } // (if (lib.versionAtLeast config.system.nixosRelease "17.03") then {
      package = pkgs.i3-gaps;
-      } else {});
+    };
  };
-  hardware.opengl = {
-    enable = true;
-    driSupport32Bit = config.yorick.support32bit;
-  };
-  hardware.pulseaudio.enable = true;
-  hardware.pulseaudio.support32Bit = config.yorick.support32bit;
+    hardware.opengl = {
+      enable = true;
+      driSupport32Bit = config.yorick.support32bit;
+    };
+    sound.enable = true;
+    hardware.pulseaudio = {
+      enable = true;
+      support32Bit = config.yorick.support32bit;
+    };
+  users.extraUsers.yorick.extraGroups = ["video"];
+    # fix backlight permissions
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
+    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
+  '';

  fonts = {
    enableFontDir = true;
@ -47,8 +50,8 @@ in
    ];
  };
  # spotify
-  networking.firewall.allowedTCPPorts = [57621];
-  networking.firewall.allowedUDPPorts = [57621];
+  networking.firewall.allowedTCPPorts = [55025 57621];
+  networking.firewall.allowedUDPPorts = [55025 57621];

  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
  services.openssh.forwardX11 = true;
--- a/roles/hardware.nix
+++ b/roles/hardware.nix
@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.yorick; in
+with lib;
+{
+  options.yorick = {
+    cpu = mkOption {
+      type = types.nullOr (types.enum ["intel"]);
+    };
+    gpu = mkOption {
+      type = types.nullOr (types.enum ["intel" "nvidia"]);
+      default = null;
+    };
+    laptop = mkEnableOption "laptop settings";
+  };
+  config = mkMerge [
+    (mkIf (cfg.gpu == "intel") {
+      # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
+      boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"];
+      # now we wait until enable_psr=1 is fixed
+      services.xserver.videoDrivers = ["modesetting"];
+      hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
+    })
+    (mkIf (cfg.gpu == "nvidia") {
+      boot.kernelModules = ["nvidiabl"];
+      services.xserver.videoDrivers = ["nvidia"];
+      boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
+    })
+    (mkIf (cfg.cpu == "intel") {
+      hardware.cpu.intel.updateMicrocode = true;
+      boot.kernelModules = ["kvm-intel"];
+    })
+    (mkIf (cfg.laptop) {
+      services.xserver.libinput.enable = true;
+      
+      networking.wireless.enable = true;
+      hardware.bluetooth.enable = true;
+      # gotta go faster
+      networking.dhcpcd.extraConfig = ''
+        noarp
+      '';
+      services.thermald.enable = true;
+    })
+  ];
+}
--- a/roles/pub.nix
+++ b/roles/pub.nix
@ -1,6 +1,4 @@
 { config, pkgs, lib, ... }:
-let secrets = import <secrets>;
-in
 {
  #imports = [../modules/nginx.nix];
  config = {
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@ -25,4 +25,5 @@
  '';
  virtualisation.virtualbox.host.enable = true;
  yorick.support32bit = true;
+  nix.gc.automatic = pkgs.lib.mkOverride 30 false;
 }