summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2016-07-07 23:33:18 +0200
committerlassulus <lass@aidsballs.de>2016-07-07 23:33:18 +0200
commitf4b2262c7eb07a4b66a9352e9851e9e94c13b540 (patch)
tree3c42557a71d240ec242af36cabb3a618aad0665d
parent0ff8c0416ed838a1155ecc015d81708bb72ea1d3 (diff)
parentf7d966043d04d73df719cbe6c13e4c1aa16bb7f7 (diff)
Merge remote-tracking branch 'cd/master'
-rw-r--r--krebs/3modules/tv/default.nix31
-rw-r--r--tv/1systems/cd.nix58
-rw-r--r--tv/1systems/mu.nix5
-rw-r--r--tv/1systems/nomic.nix1
-rw-r--r--tv/1systems/wu.nix6
-rw-r--r--tv/1systems/xu.nix6
-rw-r--r--tv/1systems/zu.nix229
-rw-r--r--tv/2configs/default.nix8
-rw-r--r--tv/2configs/nginx/default.nix4
9 files changed, 309 insertions, 39 deletions
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 2d18a7e8d..075066961 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -358,6 +358,37 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
};
+ zu = {
+ cores = 4;
+ nets = {
+ #gg23 = {
+ # ip4.addr = "";
+ # aliases = ["zu.gg23"];
+ # ssh.port = 11423;
+ #};
+ retiolum = {
+ ip4.addr = "10.243.13.40";
+ ip6.addr = "42:0:0:0:0:0:0:1340";
+ aliases = [
+ "zu.r"
+ "zu.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
+ idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
+ BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
+ OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
+ /NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
+ b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ secure = true;
+ ssh.privkey.path = <secrets/ssh.id_rsa>;
+ ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
+ };
};
users = {
mv = {
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4d9..2ad4a1505 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -44,20 +44,50 @@ with config.krebs.lib;
"cgit.cd.viljetic.de"
];
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- krebs.nginx.servers.public_html = {
- server-names = singleton "cd.viljetic.de";
- locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '');
+ krebs.nginx.servers."https://viljetic.de" = {
+ server-names = singleton "viljetic.de";
+ listen = mkForce []; # disable default
+ ssl = {
+ enable = true;
+ certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+ };
+ locations = [
+ (nameValuePair "/" ''
+ root ${pkgs.viljetic-pages};
+ '')
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
};
- krebs.nginx.servers.viljetic = {
+ krebs.nginx.servers."http://viljetic.de" = {
server-names = singleton "viljetic.de";
- # TODO directly set root (instead via location)
- locations = singleton (nameValuePair "/" ''
- root ${pkgs.viljetic-pages};
- '');
+ locations = [
+ (nameValuePair "/.well-known/acme-challenge/" ''
+ root /var/lib/acme/challenges/viljetic.de/;
+ '')
+ (nameValuePair "/" ''
+ return 301 https://viljetic.de$request_uri;
+ '')
+ ];
+ };
+ security.acme = {
+ certs."viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ webroot = "/var/lib/acme/challenges/viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ };
};
- tv.iptables.input-internet-accept-tcp = singleton "http";
+ tv.iptables.input-internet-accept-tcp = [
+ "http"
+ "https"
+ ];
}
];
@@ -78,13 +108,7 @@ with config.krebs.lib;
iotop
iptables
nethogs
- ntp # ntpate
rxvt_unicode.terminfo
tcpdump
];
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
}
diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix
index ec208a0bd..e7908e299 100644
--- a/tv/1systems/mu.nix
+++ b/tv/1systems/mu.nix
@@ -157,11 +157,6 @@ with config.krebs.lib;
];
};
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 3696bcdfc..5415e50b1 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -60,7 +60,6 @@ with config.krebs.lib;
esac
'')
gnupg
- ntp # ntpate
rxvt_unicode.terminfo
tmux
];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index d115e274b..a2e113e18 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -29,7 +29,6 @@ with config.krebs.lib;
# root
cryptsetup
- ntp # ntpate
# tv
bc
@@ -164,11 +163,6 @@ with config.krebs.lib;
services.printing.enable = true;
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 7277f5cb7..b832470d0 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -41,7 +41,6 @@ with config.krebs.lib;
# root
cryptsetup
- ntp # ntpate
# tv
bc
@@ -176,11 +175,6 @@ with config.krebs.lib;
services.printing.enable = true;
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
# see tmpfiles.d(5)
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix
new file mode 100644
index 000000000..bfc018cc3
--- /dev/null
+++ b/tv/1systems/zu.nix
@@ -0,0 +1,229 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.build.host = config.krebs.hosts.zu;
+
+ imports = [
+ {
+ options.tv.test.sercret-file = mkOption {
+ type = types.secret-file;
+ default = {};
+ };
+ }
+ ../.
+ ../2configs/hw/x220.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
+ ../2configs/mail-client.nix
+ ../2configs/man.nix
+ ../2configs/nginx/public_html.nix
+ ../2configs/pulse.nix
+ ../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
+ ../2configs/xserver
+ {
+ environment.systemPackages = with pkgs; [
+
+ # stockholm
+ gnumake
+ hashPassword
+ haskellPackages.lentil
+ parallel
+ (pkgs.writeBashBin "im" ''
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+
+ # root
+ cryptsetup
+
+ # tv
+ bc
+ bind # dig
+ cac-api
+ dic
+ file
+ gnupg1compat
+ haskellPackages.hledger
+ htop
+ jq
+ mkpasswd
+ netcat
+ nix-repl
+ nmap
+ p7zip
+ pass
+ q
+ qrencode
+ # XXX fails at systemd.services.dbus.unitConfig
+ #texlive
+ tmux
+
+ #ack
+ #apache-httpd
+ #ascii
+ #emacs
+ #es
+ #esniper
+ #gcc
+ #gptfdisk
+ #graphviz
+ #haskellPackages.cabal2nix
+ #haskellPackages.ghc
+ #haskellPackages.shake
+ #hdparm
+ #i7z
+ #iftop
+ #imagemagick
+ #inotifyTools
+ #iodine
+ #iotop
+ #lshw
+ #lsof
+ #minicom
+ #mtools
+ #ncmpc
+ #nethogs
+ #nix-prefetch-scripts #cvs bug
+ #openssl
+ #openswan
+ #parted
+ #perl
+ #powertop
+ #ppp
+ #proot
+ #pythonPackages.arandr
+ #pythonPackages.youtube-dl
+ #racket
+ #rxvt_unicode-with-plugins
+ #scrot
+ #sec
+ #silver-searcher
+ #sloccount
+ #smartmontools
+ #socat
+ #sshpass
+ #strongswan
+ #sysdig
+ #sysstat
+ #tcpdump
+ #tlsdate
+ #unetbootin
+ #utillinuxCurses
+ #wvdial
+ #xdotool
+ #xkill
+ #xl2tpd
+ #xsel
+
+ unison
+ ];
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ { name = "zuca"; device = "/dev/sda2"; }
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/zuvga-root";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/home" = {
+ device = "/dev/mapper/zuvga-home";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
+ };
+ };
+
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ #hardware.bumblebee.enable = true;
+ #hardware.bumblebee.group = "video";
+ hardware.enableAllFirmware = true;
+ #hardware.opengl.driSupport32Bit = true;
+
+ environment.systemPackages = with pkgs; [
+ ethtool
+ tinc_pre
+ iptables
+ #jack2
+
+ gptfdisk
+ ];
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ ];
+
+ services.printing.enable = true;
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ #services.bitlbee.enable = true;
+ #services.tor.client.enable = true;
+ #services.tor.enable = true;
+ #services.virtualboxHost.enable = true;
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+#/*
+#{ host api.doraemon.sg.zalora.net | awk '{print$4" api.zalora.sg"}';
+# host bob.live.sg.zalora.net | awk '{print$4" bob.zalora.sg"}';
+# host www.live.sg.zalora.net | awk '{print$4" www.zalora.sg costa.zalora.sg"}'; }
+#*/
+# networking.extraHosts = optionalString (1 == 1) ''
+#54.255.133.72 api.zalora.sg
+#52.77.12.194 bob.zalora.sg
+#52.74.232.49 www.zalora.sg costa.zalora.sg
+# '';
+
+
+ #services.elasticsearch.enable = true;
+ #services.kibana.enable = true;
+ #services.logstash.enable = true;
+
+ environment.etc."ssh/ssh_config".text = mkForce ''
+ AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+
+ ${optionalString config.programs.ssh.setXAuthLocation ''
+ XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
+ ''}
+
+ ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
+
+ # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
+ #PubkeyAcceptedKeyTypes +ssh-dss
+
+ ${config.programs.ssh.extraConfig}
+ '';
+
+}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dcc3edd82..a9ba1eadd 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -153,6 +153,7 @@ with config.krebs.lib;
services.cron.enable = false;
services.nscd.enable = false;
services.ntp.enable = false;
+ services.timesyncd.enable = true;
}
{
@@ -169,6 +170,13 @@ with config.krebs.lib;
}
{
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ }
+
+ {
services.openssh = {
enable = true;
hostKeys = [
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 70e25e2e5..d0d07d5ca 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,10 +4,6 @@ with config.krebs.lib;
{
krebs.nginx = {
- extraConfig = ''
- events {
- }
- '';
servers.default.locations = [
(nameValuePair "= /etc/os-release" ''
default_type text/plain;