Diffstat (limited to 'labernix/machines')
-rw-r--r--labernix/machines/heinrich.nix143
-rw-r--r--labernix/machines/labtop.nix72
-rw-r--r--labernix/machines/mailserver.nix119
3 files changed, 334 insertions, 0 deletions
diff --git a/labernix/machines/heinrich.nix b/labernix/machines/heinrich.nix
new file mode 100644
index 00000000..8ce69950
--- /dev/null
+++ b/labernix/machines/heinrich.nix
@@ -0,0 +1,143 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  routes = {
+    moritz = {
+      id = 14;
+      address = "192.168.0.12";
+      prefixLength = 24;
+      gateway = "192.168.0.1";
+      destination = "144.76.143.122";
+    };
+
+    hotelturm = {
+      id = 8;
+      address = "10.11.77.5";
+      prefixLength = 24;
+      gateway = "10.11.77.16";
+      destination = "10.11.7.0/24";
+    };
+  };
+
+  internalIf = config.heinrich.internalInterface;
+  externalIf = config.heinrich.externalInterface;
+
+  mkRouteConfig = name: cfg: {
+    key = "routes-${name}";
+
+    networking.vlans.${name} = {
+      inherit (cfg) id;
+      interface = externalIf;
+    };
+
+    networking.interfaces.${name}.ip4 = singleton {
+      inherit (cfg) address prefixLength;
+    };
+
+    systemd.network.networks."40-${name}".routes = singleton {
+      routeConfig.Gateway = cfg.gateway;
+      routeConfig.Destination = cfg.destination;
+    };
+  };
+
+in {
+  imports = singleton ../common.nix ++ mapAttrsToList mkRouteConfig routes;
+
+  options.heinrich = {
+    internalInterface = mkOption {
+      type = types.str;
+      default = "enp7s0";
+      description = ''
+        The internal network interface where Heinrich is serving DHCP and DNS
+        requests.
+      '';
+    };
+
+    externalInterface = mkOption {
+      type = types.str;
+      default = "enp5s0";
+      description = ''
+        The external network interface where Heinrich is connected to the
+        internet.
+      '';
+    };
+  };
+
+  config = {
+    networking.useDHCP = false;
+    networking.interfaces.${externalIf}.ip4 = mkForce [];
+    networking.interfaces.${internalIf}.ip4 = lib.singleton {
+      address = "172.16.0.1";
+      prefixLength = 24;
+    };
+
+    services.dnsmasq.enable = true;
+    services.dnsmasq.resolveLocalQueries = false;
+    services.dnsmasq.extraConfig = ''
+      dhcp-range=172.16.0.100,172.16.0.254,12h
+
+      dhcp-option=3,172.16.0.1 # Gateway
+      dhcp-option=6,172.16.0.1 # DNS-server
+
+      local=/openlab.lan/
+      domain=openlab.lan
+
+      dhcp-leasefile=/var/db/dnsmasq/dhcp.leases
+    '';
+
+    systemd.services.dnsmasq-pre = {
+      description = "Pre-Init DNSMasq";
+      before = [ "dnsmasq.service" ];
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        mkdir -p /var/db/dnsmasq
+        chown dnsmasq:nogroup /var/db/dnsmasq
+      '';
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
+    };
+
+    users.motd = ''
+      0. Never touch a running system.
+      1. Dokumentiere alle trotz 0 erfolgten Änderungen im Github-Repo:
+         https://github.com/openlab-aux/labnetz-doku
+      2. Mit großer Macht geht große Verantwortung einher.
+      3. So weit!
+      4. ...
+      5. Reisst dir Hannes den Arsch auf, wenn Du die Punkte 0-2 ignorierst.
+    '';
+
+    # TODO: This is a dummy, replace it once we know about the real root fs.
+    fileSystems."/".label = "root";
+    boot.loader.grub.device = "nodev";
+
+    networking.useNetworkd = true;
+    networking.firewall.enable = false;
+    networking.nat.enable = true;
+    networking.nat.externalIP = routes.hotelturm.address;
+    networking.nat.externalInterface = "hotelturm";
+    networking.nat.internalIPs = [ "172.16.0.1/24" ];
+    networking.nat.internalInterfaces = [ internalIf ];
+
+    /* TODO!
+    services.openvpn.enable = true;
+    services.openvpn.servers.heinrich.config = ''
+      dev tun0
+      remote 144.76.143.122
+      ifconfig 10.9.8.2 10.9.8.1
+      secret /etc/openvpn/priv.key
+
+      comp-lzo
+
+      keepalive 10 60
+      ping-timer-rem
+      persist-tun
+      persist-key
+
+      route 0.0.0.0 0.0.0.0
+    '';
+    */
+  };
+}
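Review bot: Because `networking.firewall.enable = false` on L134 removes all host filtering and the `services.dnsmasq.extraConfig` block carries no `interface=` line, dnsmasq will by default answer DNS and DHCP on the external interface and on the `moritz`/`hotelturm` VLANs as well as on the internal one, which turns this NAT gateway into an open resolver and rogue DHCP server towards the upstream networks (unless ../common.nix already restricts it, which is not visible here). Pin it to the LAN side by adding `interface=${internalIf}` and `bind-interfaces` to the extraConfig string, or re-enable the firewall and open 53/67 only on `internalIf`. The commented-out OpenVPN block on L141-L158 uses a static `secret` key together with `comp-lzo`; when it is resurrected, drop compression (VORACLE-style attacks) and prefer certificate-based TLS mode over a shared static key.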
diff --git a/labernix/machines/labtop.nix b/labernix/machines/labtop.nix
new file mode 100644
index 00000000..bf376ba5
--- /dev/null
+++ b/labernix/machines/labtop.nix
@@ -0,0 +1,72 @@
+{ pkgs, ... }:
+
+let
+  greybird = pkgs.stdenv.mkDerivation {
+    name = "greybird-xfce-theme";
+
+    src = pkgs.fetchFromGitHub {
+      repo = "Greybird";
+      owner = "shimmerproject";
+      rev = "61ec18d22780aa87998381599c941e0cf4f7bfb5";
+      sha256 = "03h8hba4lfp337a4drylcplrbggry9gz8dq1f3gjy25fhqkgvq05";
+    };
+
+    phases = [ "unpackPhase" "installPhase" ];
+
+    installPhase = ''
+      mkdir -p "$out/share/themes/Greybird" \
+               "$out/share/themes/Greybird-compact/xfwm4"
+      cp -vrt "$out/share/themes/Greybird" \
+        gtk-* metacity-1 unity xfce-notify-4.0 xfwm4
+      cp -vrt "$out/share/themes/Greybird-compact/xfwm4" \
+        xfwm4_compact/*
+    '';
+  };
+
+in {
+  imports = [ ../common.nix ];
+
+  i18n = {
+    consoleFont = "lat9w-16";
+    consoleKeyMap = "us";
+    defaultLocale = "de_DE.UTF-8";
+  };
+
+  # TODO: This is a dummy, replace it once we know about the real root fs.
+  fileSystems."/".label = "root";
+  boot.loader.grub.device = "nodev";
+
+  environment.systemPackages = [
+    greybird
+    #repetierhost <- TODO
+    pkgs.firefox
+    pkgs.gimp
+    pkgs.freecad
+    pkgs.openscad
+    #pkgs.pronterface <- TODO
+    pkgs.blender
+    pkgs.slic3r
+    pkgs.libreoffice
+    pkgs.inkscape
+    pkgs.filezilla
+    pkgs.gmpc
+    pkgs.vlc
+  ];
+
+  # TODO: Needed for slic3r right now.
+  nixpkgs.config.allowBroken = true;
+
+  services.xserver.enable = true;
+  services.xserver.layout = "us";
+  services.xserver.xkbOptions = "eurosign:e";
+
+  services.xserver.displayManager.auto.enable = true;
+  services.xserver.displayManager.auto.user = "openlab";
+  services.xserver.desktopManager.xfce.enable = true;
+
+  users.mutableUsers = false;
+  users.extraUsers.openlab = {
+    uid = 1000;
+    isNormalUser = true;
+  };
+}
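Review bot: `nixpkgs.config.allowBroken = true` on L223 is machine-wide, so it silently lets every package nixpkgs has marked broken onto this shared, auto-logged-in desktop even though the comment says only slic3r needs it. Scope the exception to that one package instead, e.g. replace `pkgs.slic3r` in `environment.systemPackages` with `(pkgs.slic3r.overrideAttrs (o: { meta = o.meta // { broken = false; }; }))` and drop the global flag. Note also that with `users.mutableUsers = false` the `openlab` account has no `hashedPassword`, so nothing can be set later at runtime; that is presumably intended for the kiosk-style autologin, but it is worth a comment saying so and confirming that no admin user relies on this file.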
diff --git a/labernix/machines/mailserver.nix b/labernix/machines/mailserver.nix
new file mode 100644
index 00000000..7d4bd397
--- /dev/null
+++ b/labernix/machines/mailserver.nix
@@ -0,0 +1,119 @@
+{ config, pkgs, lib, ... }: let
+  vhostMap = {
+    smtpd_sender_login_maps = [
+      "SELECT username AS allowedUser"
+      "FROM mailbox"
+      "WHERE username='%s' AND active = 1"
+      "UNION SELECT goto FROM alias"
+      "WHERE address='%s' AND active = 1"
+    ];
+
+    virtual_alias_maps = [
+      "SELECT goto"
+      "FROM alias"
+      "WHERE address='%s' AND active = '1'"
+    ];
+
+    virtual_mailbox_domains = [
+      "SELECT domain"
+      "FROM domain"
+      "WHERE domain='%s' AND active = '1'"
+    ];
+
+    virtual_mailbox_maps = [
+      "SELECT maildir"
+      "FROM mailbox"
+      "WHERE username='%s' AND active = '1'"
+    ];
+  };
+
+  mkDbMap = query: "proxy:pgsql:${pkgs.writeText "database.cf" ''
+    hosts = localhost
+    user = postfix
+    dbname = postfix
+    query = ${query}
+  ''}";
+
+in {
+  imports = [ ../common.nix ];
+
+  services.spamassassin.enable = true;
+
+  services.postfix.enable = true;
+  services.postfix.hostname = "mailtest.lan";
+
+  # TODO: This is a dummy, replace it once we know about the real root fs.
+  fileSystems."/".label = "root";
+  boot.loader.grub.device = "nodev";
+
+  labernix.postfix.restrictions = {
+    sender = [
+      "reject_authenticated_sender_login_mismatch"
+      "reject_unknown_sender_domain"
+    ];
+    recipient = [
+      "permit_sasl_authenticated"
+      "permit_mynetworks"
+      "reject_unauth_destination"
+      "reject_invalid_hostname"
+      "reject_non_fqdn_hostname"
+      "reject_non_fqdn_sender"
+      "reject_non_fqdn_recipient"
+      "reject_unknown_reverse_client_hostname"
+    ];
+    helo = [
+      "permit_sasl_authenticated"
+      "permit_mynetworks"
+      "reject_invalid_hostname"
+      "reject_unauth_pipelining"
+      "reject_non_fqdn_hostname"
+    ];
+  };
+
+  services.postfix.extraConfig = ''
+    ${lib.concatStrings (lib.mapAttrsToList (cfgvar: query: ''
+      ${cfgvar} = ${mkDbMap (lib.concatStringsSep " " query)}
+    '') vhostMap)}
+
+    # a bit more spam protection
+    disable_vrfy_command = yes
+
+    smtpd_sasl_type=dovecot
+    smtpd_sasl_path=private/auth_dovecot XXXXXXXXXXXXXXX
+    smtpd_sasl_auth_enable = yes
+    smtpd_sasl_authenticated_header = yes
+    broken_sasl_auth_clients = yes
+
+    proxy_read_maps = ${lib.concatStringsSep " " (map (s: "\$${s}") [
+      "local_recipient_maps" "mydestination" "virtual_alias_maps"
+      "virtual_alias_domains" "virtual_mailbox_maps" "virtual_mailbox_domains"
+      "relay_recipient_maps" "relay_domains" "canonical_maps"
+      "sender_canonical_maps" "recipient_canonical_maps" "relocated_maps"
+      "transport_maps" "mynetworks" "smtpd_sender_login_maps"
+    ])}
+
+    local_transport = virtual
+    virtual_transport = dovecot
+
+    virtual_uid_maps = static:5000 XXXXXXXXXXXX
+    virtual_gid_maps = static:5000 XXXXXXXXXXXX
+
+    smtpd_tls_cert_file=/etc/ssl/mail.crt XXXX: KEYS
+    smtpd_tls_key_file=/etc/ssl/mail.key XXXX: KEYS
+    smtpd_use_tls=yes
+  '';
+
+  services.postfix.extraMasterConf = ''
+    mailman unix - n n - - pipe
+      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ''${nexthop} ''${user}
+      # ^^^ FIXME: maybe not needed!
+
+    dovecot unix - n n - - pipe
+      flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ''${recipient}
+      # ^^^ FIXME: maybe not needed!
+
+    spamassassin unix - n n - - pipe
+      user=${toString config.ids.uids.spamd} argv=${pkgs.spamassassin}/bin/spamc -f -e /var/setuid-wrappers/sendmail -oi -f ''${sender} ''${recipient}
+      # ^^^ FIXME: maybe not needed!
+  '';
+}
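Review bot: The `XXXX…` placeholders on L326 and L342-L346 sit inside the Nix string that becomes main.cf, so they are emitted as part of the parameter values (`smtpd_tls_key_file=/etc/ssl/mail.key XXXX: KEYS`), which leaves the TLS key and SASL socket paths unresolvable at runtime; move these reminders into `#` Nix comments outside the string. With `smtpd_sasl_auth_enable = yes` on L327 and no `smtpd_tls_auth_only`, clients may submit SASL credentials over a plaintext session, so add `smtpd_tls_auth_only = yes` and replace the obsolete `smtpd_use_tls=yes` with `smtpd_tls_security_level = may`. When the real key is put in place, make sure `/etc/ssl/mail.key` is readable only by root, since Postfix reads it before dropping privileges. The `/usr/lib/...` argv paths in `extraMasterConf` do not exist on NixOS, so those pipe transports will fail until they are pointed at store paths like the spamassassin one is.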