authormakefu <github@syntax-fehler.de>2017-02-04 14:31:47 +0100
committermakefu <github@syntax-fehler.de>2017-02-04 14:31:47 +0100
commitd6c9edd9dc860d560d4ea7a727962aaf93d09322 (patch)
treeaefb49a9372b959cd722bdfcf51001783cda8bb1
parentd2df5375e705e55764b4cacd4ea32dffcb4c6041 (diff)
parent8daef993dcb6149a02c72a4895d6e808a6c6a8d4 (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--krebs/3modules/fetchWallpaper.nix7
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/3modules/makefu/default.nix1
-rw-r--r--lass/1systems/mors.nix197
-rw-r--r--lass/1systems/prism.nix59
-rw-r--r--lass/2configs/bepasty.nix40
-rw-r--r--lass/2configs/buildbot-standalone.nix17
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/downloading.nix1
-rw-r--r--lass/2configs/fetchWallpaper.nix1
-rw-r--r--lass/2configs/git.nix2
-rw-r--r--lass/2configs/hw/tp-x220.nix7
-rw-r--r--lass/2configs/monitoring/client.nix94
-rw-r--r--lass/2configs/monitoring/server.nix66
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/repo-sync.nix4
-rw-r--r--lass/2configs/tests/dummy-secrets/bepasty-secret.nix1
-rw-r--r--lass/2configs/websites/domsen.nix1
-rw-r--r--lass/3modules/kapacitor.nix146
-rw-r--r--lass/3modules/telegraf.nix39
-rw-r--r--nin/1systems/hiawatha.nix9
-rw-r--r--nin/1systems/onondaga.nix1
-rw-r--r--nin/2configs/default.nix17
-rw-r--r--nin/2configs/git.nix70
-rw-r--r--nin/6tests/dummysecrets/hashedPasswords.nix1
-rw-r--r--nin/6tests/dummysecrets/ssh.id_ed255190
26 files changed, 458 insertions, 329 deletions
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index aed5f595c..29c4f50e9 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,6 +38,11 @@ let
'';
default = {};
};
+ maxTime = mkOption {
+ type = types.int;
+ default = 0;
+ description = "Time to wait before download is aborted";
+ };
};
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
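Review bot: The new `maxTime` option's description leaves the unit and the meaning of the default unstated, and the second hunk passes the value straight to `curl --max-time`, where it is seconds and, as far as I recall, 0 means "no limit" rather than "abort at once" — worth confirming and saying so. Suggested: `description = "Maximum time in seconds before the download is aborted (0 = no limit)";`. Because the option is `types.int`, `toString cfg.maxTime` cannot produce shell metacharacters, so the unescaped interpolation in the curl line is fine as written.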
@@ -45,7 +50,7 @@ let
mkdir -p ${shell.escape cfg.stateDir}
cd ${shell.escape cfg.stateDir}
- (curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
+ (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
'';
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6f79aea0e..d35a9f357 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -93,6 +93,7 @@ with import <stockholm/lib>;
"cgit.prism.retiolum"
"cgit.prism.r"
"cache.prism.r"
+ "paste.r" "paste.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -119,7 +120,6 @@ with import <stockholm/lib>;
ssh.port = 2223;
};
};
- ssh.pubkey = "ssh-dss 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";
};
cloudkrebs = {
cores = 1;
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 9942ac043..84720859f 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -313,7 +313,6 @@ with import <stockholm/lib>;
"graphs.wry.retiolum"
"graphs.r" "graphs.retiolum"
"paste.wry.retiolum"
- "paste.r" "paste.retiolum"
"wry.r" "wry.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index dde867eb3..a5eaaed9d 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -31,13 +31,6 @@ with import <stockholm/lib>;
];
}
#{
- # services.mysql = {
- # enable = true;
- # package = pkgs.mariadb;
- # rootPassword = "<secrets>/mysql_rootPassword";
- # };
- #}
- #{
# services.elasticsearch = {
# enable = true;
# plugins = [
@@ -83,140 +76,56 @@ with import <stockholm/lib>;
{
services.redis.enable = true;
}
- {
- virtualisation.libvirtd.enable = true;
- }
- {
- services.nginx = {
- enable = mkDefault true;
- virtualHosts = {
- "stats.mors" = {
- locations = {
- "/" = {
- proxyPass = "http://localhost:3000/";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- '';
- };
- };
- };
- };
- };
-
- services.grafana = {
- enable = true;
- addr = "127.0.0.1";
- users.allowSignUp = false;
- users.allowOrgCreate = false;
- users.autoAssignOrg = false;
- auth.anonymous.enable = true;
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
- };
-
- services.graphite = {
- api = {
- enable = true;
- listenAddress = "127.0.0.1";
- port = 18080;
- };
- carbon = {
- enableCache = true;
- # save disk usage by restricting to 1 bulk update per second
- config = ''
- [cache]
- MAX_CACHE_SIZE = inf
- MAX_UPDATES_PER_SECOND = 1
- MAX_CREATES_PER_MINUTE = 500
- '';
- storageSchemas = ''
- [carbon]
- pattern = ^carbon\.
- retentions = 60:90d
-
- [elchos]
- patterhn = ^elchos\.
- retentions = 10s:30d,60s:3y
-
- [default]
- pattern = .*
- retentions = 30s:30d,300s:1y
- '';
- };
- };
-
- services.collectd = {
- enable = true;
- include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
- LoadPlugin write_graphite
- <Plugin "write_graphite">
- <Carbon>
- Host "localhost"
- Port "2003"
- EscapeCharacter "_"
- StoreRates false
- AlwaysAppendDS false
- </Carbon>
- </Plugin>
- ''))
- ];
- extraConfig = ''
- LoadPlugin interface
- LoadPlugin battery
- LoadPlugin load
- LoadPlugin cpu
- LoadPlugin entropy
- LoadPlugin write_graphite
- <Plugin "interface">
- Interface "et0"
- Interface "wl0"
- Interface "retiolum"
- </Plugin>
- '';
- };
- services.graphite.beacon = {
- enable = true;
- config = {
- graphite_url = "http://localhost:18080";
- cli = {
- command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
- };
- smtp = {
- from = "beacon@mors.r";
- to = [
- "lass@mors.r"
- ];
- };
- normal_handlers = [
- "smtp"
- "cli"
- ];
- warning_handlers = [
- "smtp"
- "cli"
- ];
- critical_handlers = [
- "smtp"
- "cli"
- ];
- alerts = [
- {
- name = "testbattery";
- query = "*.battery-0.capacity";
- method = "last_value";
- interval = "1minute";
- logging = "info";
- repeat_interval = "5minute";
- rules = [
- "warning: < 30.0"
- "critical: < 10.0"
- ];
- }
- ];
- };
- };
- }
+ #{
+ # #gitit magic
+ # imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
+ # services.gitit = {
+ # enable = true;
+ # haskellPackages = pkgs.haskell.packages.ghc7103;
+ # };
+ #}
+ #{
+ # lass.icinga2 = {
+ # enable = true;
+ # configFiles = [
+ # ''
+ # template Service "generic-service" {
+ # max_check_attempts = 3
+ # check_interval = 5m
+ # retry_interval = 1m
+ # enable_perfdata = true
+ # }
+ # apply Service "ping4" {
+ # }
+ # ''
+ # ];
+ # };
+ # services.mysql = {
+ # enable = true;
+ # package = pkgs.mariadb;
+ # rootPassword = "<secrets>/mysql_rootPassword";
+ # };
+ # lass.icingaweb2 = {
+ # enable = true;
+ # initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0";
+ # resources = {
+ # icinga2db = {
+ # type = "mysql";
+ # host = "localhost";
+ # user = "icingaweb2";
+ # db = "icinga";
+ # passfile = <secrets/icinga2-pw>;
+ # };
+ # icingaweb2db = {
+ # type = "mysql";
+ # host = "localhost";
+ # user = "icingaweb2";
+ # db = "icingaweb2";
+ # passfile = <secrets/icinga2-pw>;
+ # };
+ # };
+ # };
+ #}
];
krebs.build.host = config.krebs.hosts.mors;
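Review bot: The commented-out icingaweb2 block added in this hunk carries a literal password hash, `initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0";`, which is now part of public git history regardless of the leading `#`; the neighbouring `passfile = <secrets/icinga2-pw>` and `rootPassword = "<secrets>/mysql_rootPassword"` show the pattern to use instead. `$1$` is md5-crypt, which offers little resistance to offline guessing, so if this hash was ever set on a real account the password should be considered exposed and changed. Proposed: `initialRootPasswordHash = import <secrets/icingaweb2-root-hash.nix>;` (file name illustrative), or drop the dead block altogether.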
@@ -229,7 +138,6 @@ with import <stockholm/lib>;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
- #kernelModules = [ "kvm-intel" "msr" ];
};
fileSystems = {
"/" = {
@@ -266,11 +174,6 @@ with import <stockholm/lib>;
fsType = "ext4";
};
- "/mnt/public" = {
- device = "/dev/big/public";
- fsType = "ext4";
- };
-
"/mnt/conf" = {
device = "/dev/big/conf";
fsType = "ext4";
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index d8980a10c..f9654ac4c 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -43,6 +43,17 @@ in {
../2configs/libvirt.nix
../2configs/hfos.nix
../2configs/makefu-sip.nix
+ ../2configs/monitoring/server.nix
+ {
+ imports = [
+ ../2configs/bepasty.nix
+ ];
+ krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+ if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+ return 403;
+ }
+ '';
+ }
{
users.extraGroups = {
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
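Review bot: The `paste.r` nginx guard at the top of the hunk keys on `$server_addr` equalling one IPv4 literal, so it only rejects requests that arrive on exactly that address; the same vhost reached via any other address the host answers on (IPv6, another interface) passes, and the check says nothing about who the client is. Restricting by listener or client source is the more direct control, e.g. `allow <retiolum-subnet>;` / `deny all;` in the same `extraConfig` (subnet value not on this page), or binding the vhost's `listen` to the retiolum address. Whether `paste.r` can also be selected as nginx's default server for unknown `Host` headers is not visible here and decides how much this guard actually covers.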
@@ -203,20 +214,6 @@ in {
};
}
{
- services.nginx = {
- enable = true;
- virtualHosts.public = {
- port = 8088;
- locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
- alias /home/$1/public_html$2;
- '';
- };
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
- ];
- }
- {
krebs.repo-sync.timerConfig = {
OnCalendar = "*:0/5";
};
@@ -227,6 +224,7 @@ in {
};
}
{
+ # Nin stuff
users.users.nin = {
uid = genid "nin";
inherit (config.krebs.users.nin) home;
@@ -240,18 +238,6 @@ in {
"libvirtd"
];
};
- krebs.git.rules = [
- {
- user = [ config.krebs.users.nin ];
- repo = [ config.krebs.git.repos.stockholm ];
- perm = with git; push "refs/heads/nin" [ fast-forward non-fast-forward create delete merge ];
- }
- ];
- krebs.repo-sync.repos.stockholm.nin = {
- origin.url = "http://cgit.prism/stockholm";
- origin.ref = "heads/nin";
- mirror.url = "git@${config.networking.hostName}:stockholm";
- };
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
];
@@ -272,7 +258,6 @@ in {
-XFlexibleInstances -XMultiParamTypeClasses \
-XOverloadedStrings -XFunctionalDependencies \'';
in [
- sed-plugin
url-title
(buildSimpleReaktorPlugin "lambdabot-pl" {
pattern = "^@pl (?P<args>.*)$$";
@@ -327,16 +312,16 @@ in {
script = pkgs.writePython2 "rup" ''
#!${pkgs.python2}/bin/python
t1 = """
- _.
- ;=',_ ()
- 8===D~~ S" .--`||
- sS \__ ||
- __.' ( \-->||
- _=/ _./-\/ ||
- 8===D~~ ((\( /-' -'l ||
- ) |/ \\ (_))
- \\ \\
- '~ '~
+ _.
+ ;=',_ ()
+ 8===D~~ S" .--`||
+ sS \__ ||
+ __.' ( \-->||
+ _=/ _./-\/ ||
+ 8===D~~ ((\( /-' -'l ||
+ ) |/ \\ (_))
+ \\ \\
+ '~ '~
"""
print(t1)
'';
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
new file mode 100644
index 000000000..a3c6d0f28
--- /dev/null
+++ b/lass/2configs/bepasty.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+
+# secrets used:
+# wildcard.krebsco.de.crt
+# wildcard.krebsco.de.key
+# bepasty-secret.nix <- contains single string
+
+with import <stockholm/lib>;
+let
+ secKey = import <secrets/bepasty-secret.nix>;
+ ext-dom = "paste.lassul.us" ;
+in {
+
+ services.nginx.enable = mkDefault true;
+ krebs.bepasty = {
+ enable = true;
+ serveNginx= true;
+
+ servers = {
+ "paste.r" = {
+ nginx = {
+ serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ };
+ defaultPermissions = "admin,list,create,read,delete";
+ secretKey = secKey;
+ };
+
+ "${ext-dom}" = {
+ nginx = {
+ enableSSL = true;
+ forceSSL = true;
+ enableACME = true;
+ };
+ defaultPermissions = "read";
+ secretKey = secKey;
+ };
+ };
+ };
+}
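Review bot: Both servers are given the same `secretKey = secKey;` while carrying very different default permissions (`admin,list,create,read,delete` for `paste.r` versus `read` for the ACME-exposed `${ext-dom}`); if bepasty uses that key to sign sessions or permission tokens, something minted against the internal instance is equally valid at the public one and vice versa, so a separate secret per trust level is the safer default — worth confirming against how `krebs.bepasty` consumes `secretKey`. A smaller point: `with import <stockholm/lib>;` appears twice, once before the comment header and again after it, and one of them should go. `serveNginx= true;` also wants a space before `=` to match the rest of the file.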
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 7057d0c3d..c9e2928b3 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -58,6 +58,11 @@ in {
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
+ env_nin = {
+ "LOGNAME": "nin",
+ "NIX_REMOTE": "daemon",
+ "dummy_secrets": "true",
+ }
env_shared = {
"LOGNAME": "shared",
"NIX_REMOTE": "daemon",
@@ -126,6 +131,18 @@ in {
]
)
+ for i in [ "hiawatha", "onondaga" ]:
+ addShell(f,name="build-{}".format(i),env=env_nin,
+ command=nixshell + \
+ ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
+ make \
+ test \
+ target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
+ method=build \
+ system={}".format(i)
+ ]
+ )
+
bu.append(
util.BuilderConfig(
name="build-hosts",
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 911b7738a..d1810c00c 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -9,6 +9,7 @@ with import <stockholm/lib>;
../2configs/mc.nix
../2configs/nixpkgs.nix
../2configs/vim.nix
+ ../2configs/monitoring/client.nix
./backups.nix
{
users.extraUsers =
@@ -98,7 +99,6 @@ with import <stockholm/lib>;
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
- MANPAGER=most
'';
nixpkgs.config.allowUnfree = true;
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 27b6d22d5..eb9575018 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -16,6 +16,7 @@ with import <stockholm/lib>;
lass.pubkey
lass-shodan.pubkey
lass-helios.pubkey
+ lass-icarus.pubkey
makefu.pubkey
];
};
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index cf084ea8f..29f321994 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -7,6 +7,7 @@ in {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/wallpaper.png";
+ maxTime = 10;
};
systemd.services.fetchWallpaper = {
after = [ "xmonad.service" ];
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index d7ec39f2d..bdd65ce09 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -57,7 +57,7 @@ let
server = "ni.r";
verbose = config.krebs.build.host.name == "prism";
# TODO define branches in some kind of option per repo
- branches = [ "master" "newest" "nin" ];
+ branches = [ "master" "newest" ];
};
};
};
diff --git a/lass/2configs/hw/tp-x220.nix b/lass/2configs/hw/tp-x220.nix
index ec36fa96a..d551cd44e 100644
--- a/lass/2configs/hw/tp-x220.nix
+++ b/lass/2configs/hw/tp-x220.nix
@@ -47,12 +47,5 @@ with import <stockholm/lib>;
pkgs.vaapiVdpau
];
- services.xserver = {
- videoDriver = "intel";
- deviceSection = ''
- Option "AccelMethod" "sna"
- '';
- };
-
security.rngd.enable = true;
}
diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix
new file mode 100644
index 000000000..e879d6960
--- /dev/null
+++ b/lass/2configs/monitoring/client.nix
@@ -0,0 +1,94 @@
+{pkgs, config, ...}:
+with import <stockholm/lib>;
+{
+ lass.telegraf = {
+ enable = true;
+ interval = "1s";
+
+
+ outputs = ''
+ [outputs.influxdb]
+ urls = ["http://prism:8086"]
+ database = "telegraf_db"
+ user_agent = "telegraf"
+ '';
+ inputs = [
+ ''
+ [cpu]
+ percpu = false
+ totalcpu = true
+ drop = ["cpu_time"]
+ ''
+ ''
+ [[inputs.mem]]
+ ''
+ ''
+ [[inputs.ping]]
+ urls = ["8.8.8.8"]
+ ''
+ ''
+ [[inputs.net]]
+ ''
+ ''
+ [[inputs.dns_query]]
+ servers = ["8.8.8.8"]
+ ''
+ ];
+ };
+ systemd.services.telegraf.path = with pkgs; [
+ iputils
+ lm_sensors
+ ];
+
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "prism" "25826"
+ </Plugin>
+ '';
+ };
+}
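Review bot: The collectd `network` plugin block at the end of the file ships metrics to `prism` on UDP 25826 with no `SecurityLevel`/`AuthFile`, so anything on the path can read or spoof samples; the matching rule in `lass/2configs/monitoring/server.nix` accepts that port only on `-i retiolum`, which bounds the exposure to the overlay but does not authenticate senders. If that is the intended trust boundary, a one-line comment on the block (`# unauthenticated; reachable only over retiolum, see monitoring/server.nix`) would stop the next reader re-raising it. Separately, the telegraf `[cpu]` input uses a bare table while the others use the `[[inputs.mem]]` form; if `[cpu]` is the legacy pre-1.0 spelling, `[[inputs.cpu]]` would be consistent, though the module default in `lass/3modules/telegraf.nix` uses the same `[cpu]` form, so change both or neither.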
diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix
new file mode 100644
index 000000000..2e1c15ca1
--- /dev/null
+++ b/lass/2configs/monitoring/server.nix
@@ -0,0 +1,66 @@
+{pkgs, config, ...}:
+with import <stockholm/lib>;
+{
+ services.influxdb = {
+ enable = true;
+ };
+
+ services.influxdb.extraConfig = {
+ meta.hostname = config.krebs.build.host.name;
+ # meta.logging-enabled = true;
+ http.bind-address = ":8086";
+ admin.bind-address = ":8083";
+ monitoring = {
+ enabled = false;
+ # write-interval = "24h";
+ };
+ collectd = [{
+ enabled = true;
+ typesdb = "${pkgs.collectd}/share/collectd/types.db";
+ database = "collectd_db";
+ port = 25826;
+ }];
+ };
+
+ lass.kapacitor =
+ let
+ echoToIrc = pkgs.writeDash "echo_irc" ''
+ set -euf
+ data="$(${pkgs.jq}/bin/jq -r .message)"
+ export LOGNAME=prism-alarm
+ ${pkgs.irc-announce}/bin/irc-announce \
+ irc.freenode.org 6667 prism-alarm \#krebs-bots "$data" >/dev/null
+ '';
+ in {
+ enable = true;
+ alarms = {
+ test2 = ''
+ batch
+ |query(${"'''"}
+ SELECT mean("usage_user") AS mean
+ FROM "${config.lass.kapacitor.check_db}"."default"."cpu"
+ ${"'''"})
+ .every(3m)
+ .period(1m)
+ .groupBy('host')
+ |alert()
+ .crit(lambda: "mean" > 90)
+ // Whenever we get an alert write it to a file.
+ .log('/tmp/alerts.log')
+ .exec('${echoToIrc}')
+ '';
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
+ { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
+ { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
+ ];
+ services.grafana = {
+ enable = true;
+ addr = "0.0.0.0";
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+}
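Review bot: Grafana is bound to `addr = "0.0.0.0"` with `auth.anonymous.enable = true`, and InfluxDB's HTTP and admin listeners are bound to `:8086`/`:8083` on all interfaces; the only thing keeping these off the internet is the `-i retiolum` iptables rules above them, and port 8083 has no rule at all, so it relies on whatever the default INPUT policy is (not visible here). Binding them to the retiolum address, or at least a comment next to `services.grafana` saying anonymous access is intended to be overlay-only, would make the intent explicit. Kapacitor's `.log('/tmp/alerts.log')` also writes to a fixed path in a shared world-writable directory; a path under the service's state directory (placeholder: `<kapacitor-state-dir>/alerts.log`) avoids clashes and symlink surprises.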
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 27b7c2439..4a1b0379b 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "39098270855c171f0824c09d071b606ae991ff87";
+ ref = "5fff5a902594b34471b613eb2babcec923e1e1f1";
};
}
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index 765769936..b1a26b171 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -44,6 +44,10 @@ let
origin.url = "http://cgit.ni.r/${name}";
mirror.url = "${mirror}${name}";
};
+ nin = {
+ origin.url = "http://cgit.onondaga.r/${name}";
+ mirror.url = "${mirror}${name}";
+ };
lassulus = {
origin.url = "http://cgit.prism/${name}";
mirror.url = "${mirror}${name}";
diff --git a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix
new file mode 100644
index 000000000..6e08144d0
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix
@@ -0,0 +1 @@
+"bla"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index e79973a66..66fc681b1 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -66,6 +66,7 @@ in {
"karlaskop.ubikmedia.de"
"nb.ubikmedia.de"
"youthtube.ubikmedia.de"
+ "joemisch.com"
])
];
diff --git a/lass/3modules/kapacitor.nix b/lass/3modules/kapacitor.nix
index 8524c8198..a1e82b830 100644
--- a/lass/3modules/kapacitor.nix
+++ b/lass/3modules/kapacitor.nix
@@ -21,6 +21,14 @@ let
type = types.str;
default = "kapacitor";
};
+ alarms = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ };
+ check_db = mkOption {
+ type = types.str;
+ default = "all_data";
+ };
config = mkOption {
type = types.str;
#TODO: find a good default
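Review bot: The new `alarms` and `check_db` options have no `description`, unlike `maxTime` in `krebs/3modules/fetchWallpaper.nix` from the same merge; e.g. `description = "TICK scripts to define as batch tasks, keyed by task name";` and `description = "database the alarm tasks query (used for -dbrp)";`. The `check_db` default `"all_data"` also matches no database that the rest of this merge writes to (`telegraf_db` in monitoring/client.nix, `collectd_db` in monitoring/server.nix), and `lass/2configs/monitoring/server.nix` does not override it, so the `test2` alarm would query an empty database unless it is set elsewhere — worth confirming. The enclosing option set starts before this hunk.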
@@ -74,115 +82,7 @@ let
[logging]
file = "STDERR"
- level = "INFO"
-
- [collectd]
- enabled = false
- bind-address = ":25826"
- database = "collectd"
- retention-policy = ""
- batch-size = 5000
- batch-pending = 10
- batch-timeout = "10s"
- read-buffer = 0
- typesdb = "/usr/share/collectd/types.db"
-
- [opentsdb]
- enabled = false
- bind-address = ":4242"
- database = "opentsdb"
- retention-policy = ""
- consistency-level = "one"
- tls-enabled = false
- certificate = "/etc/ssl/influxdb.pem"
- batch-size = 1000
- batch-pending = 5
- batch-timeout = "1s"
- log-point-errors = true
-
- [smtp]
- enabled = false
- host = "localhost"
- port = 25
- username = ""
- password = ""
- no-verify = false
- global = false
- state-changes-only = false
- from = ""
- idle-timeout = "30s"
-
- [opsgenie]
- enabled = false
- api-key = ""
- url = "https://api.opsgenie.com/v1/json/alert"
- recovery_url = "https://api.opsgenie.com/v1/json/alert/note"
- global = false
-
- [victorops]
- enabled = false
- api-key = ""
- routing-key = ""
- url = "https://alert.victorops.com/integrations/generic/20131114/alert"
- global = false
-
- [pagerduty]
- enabled = false
- url = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
- service-key = ""
- global = false
-
- [sensu]
- enabled = false
- addr = ""
- source = "Kapacitor"
-
- [slack]
- enabled = false
- url = ""
- channel = ""
- global = false
- state-changes-only = false
-
- [telegram]
- enabled = false
- url = "https://api.telegram.org/bot"
- token = ""
- chat-id = ""
- parse-mode = ""
- disable-web-page-preview = false
- disable-notification = false
- global = false
- state-changes-only = false
-
- [hipchat]
- enabled = false
- url = ""
- token = ""
- room = ""
- global = false
- state-changes-only = false
-
- [alerta]
- enabled = false
- url = ""
- token = ""
- environment = ""
- origin = ""
-
- [reporting]
- enabled = true
- url = "https://usage.influxdata.com"
-
- [stats]
- enabled = true
- stats-interval = "10s"
- database = "_kapacitor"
- retention-policy = "autogen"
- timing-sample-rate = 0.1
- timing-movavg-size = 1000
-
- [udf]
+ level = "DEBUG"
[deadman]
interval = "10s"
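Review bot: The only non-deletion in this hunk switches `[logging] level` from `"INFO"` to `"DEBUG"`, which makes kapacitord log task internals and query text on every run; if that was for one-off debugging it should be reverted, otherwise a comment such as `# DEBUG while the alarms are being tuned` would explain it. Removing the `[reporting]` and `[stats]` sections also does not turn those features off if Kapacitor's built-in defaults still enable them (usage reporting to usage.influxdata.com, as far as I recall) — confirm, and if unwanted keep a `[reporting]` section with `enabled = false`.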
@@ -190,11 +90,6 @@ let
id = "{{ .Group }}:NODE_NAME for task '{{ .TaskName }}'"
message = "{{ .ID }} is {{ if eq .Level \"OK\" }}alive{{ else }}dead{{ end }}: {{ index .Fields \"emitted\" | printf \"%0.3f\" }} points/INTERVAL."
global = false
-
- [talk]
- enabled = false
- url = ""
- author_name = ""
'';
description = "configuration kapacitor is started with";
};
@@ -216,6 +111,29 @@ let
ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}";
};
};
+
+ systemd.services.kapacitor-alarms = {
+ description = "kapacitor-alarms";
+ after = [ "kapacitor.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeDash "add_alarms" ''
+ ${pkgs.kapacitor}/bin/kapacitor delete tasks \*
+ ${concatStrings (mapAttrsToList (name: alarm: ''
+ ${pkgs.kapacitor}/bin/kapacitor define ${name} \
+ -type batch \
+ -tick ${pkgs.writeText "${name}.tick" alarm} \
+ -dbrp ${cfg.check_db}.default
+ ${pkgs.kapacitor}/bin/kapacitor enable ${name}
+ '') cfg.alarms)}
+ '';
+ };
+ };
+
};
in out
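Review bot: The `add_alarms` script has no `set -efu`, so a failing `kapacitor define` still runs the following `enable` and the oneshot unit exits 0 with a partially applied task set; the `echo_irc` script in `lass/2configs/monitoring/server.nix` starts with `set -euf`, so match it here. `${name}` (an attribute key used both as the task name and in `writeText "${name}.tick"`) and `${cfg.check_db}` are spliced into the shell line unescaped; they come from Nix config rather than untrusted input, but `shell.escape` (as `krebs/3modules/fetchWallpaper.nix` does) keeps odd characters from breaking the command. `kapacitor delete tasks \*` on every activation also removes tasks defined outside this module — worth a comment if that is intended.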
diff --git a/lass/3modules/telegraf.nix b/lass/3modules/telegraf.nix
index 64b323460..0b3be2d69 100644
--- a/lass/3modules/telegraf.nix
+++ b/lass/3modules/telegraf.nix
@@ -21,26 +21,43 @@ let
type = types.str;
default = "telegraf";
};
+ outputs = mkOption {
+ type = types.str;
+ default = ''
+ [outputs.influxdb]
+ urls = ["http://localhost:8086"]
+ database = "telegraf_db"
+ user_agent = "telegraf"
+ '';
+ };
+ inputs = mkOption {
+ type = with types; listOf str;
+ default = [
+ ''
+ [cpu]
+ percpu = false
+ totalcpu = true
+ drop = ["cpu_time"]
+ ''
+ ];
+ };
+ interval = mkOption {
+ type = types.str;
+ default = "10s";
+ };
config = mkOption {
type = types.str;
#TODO: find a good default
default = ''
[agent]
- interval = "1s"
+ interval = "${cfg.interval}"
[outputs]
- # Configuration to send data to InfluxDB.
- [outputs.influxdb]
- urls = ["http://localhost:8086"]
- database = "kapacitor_example"
- user_agent = "telegraf"
+ ${cfg.outputs}
+
+ ${concatStringsSep "\n" cfg.inputs}
- # Collect metrics about cpu usage
- [cpu]
- percpu = false
- totalcpu = true
- drop = ["cpu_time"]
'';
description = "configuration telegraf is started with";
};
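Review bot: The new `outputs`, `inputs` and `interval` options have no `description`, while the existing `config` option carries one; e.g. `description = "agent collection interval, e.g. \"10s\"";`. `interval = "${cfg.interval}"` also interpolates the option value inside TOML double quotes without escaping, so a value containing `"` or a backslash silently corrupts the generated config; since nothing validates it, either say so in the description or build the line with a TOML-escaping helper if one is in scope (none visible here). The enclosing `let` and the option block start before this hunk.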
diff --git a/nin/1systems/hiawatha.nix b/nin/1systems/hiawatha.nix
index 6fa8a3388..af865497e 100644
--- a/nin/1systems/hiawatha.nix
+++ b/nin/1systems/hiawatha.nix
@@ -11,6 +11,7 @@ with lib;
../.
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
../2configs/retiolum.nix
+ ../2configs/git.nix
];
krebs.build.host = config.krebs.hosts.hiawatha;
@@ -76,15 +77,13 @@ with lib;
environment.systemPackages = with pkgs; [
firefox
- steam
- thunderbird
- vim
git
- hexchat
networkmanagerapplet
python
+ steam
+ thunderbird
+ vim
virtmanager
- libvirt
];
nixpkgs.config = {
diff --git a/nin/1systems/onondaga.nix b/nin/1systems/onondaga.nix
index 59f26c46b..576847032 100644
--- a/nin/1systems/onondaga.nix
+++ b/nin/1systems/onondaga.nix
@@ -10,6 +10,7 @@
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/retiolum.nix
../2configs/weechat.nix
+ ../2configs/git.nix
];
krebs.build.host = config.krebs.hosts.onondaga;
diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix
index e181a6041..a1ed76d98 100644
--- a/nin/2configs/default.nix
+++ b/nin/2configs/default.nix
@@ -46,6 +46,12 @@ with import <stockholm/lib>;
SSL_CERT_FILE = ca-bundle;
};
})
+ {
+ nix = {
+ binaryCaches = ["http://cache.prism.r"];
+ binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
+ };
+ }
];
networking.hostName = config.krebs.build.host.name;
@@ -58,7 +64,10 @@ with import <stockholm/lib>;
user = config.krebs.users.nin;
source = let inherit (config.krebs.build) host; in {
nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
- secrets.file = "/home/nin/secrets/${host.name}";
+ secrets.file =
+ if getEnv "dummy_secrets" == "true"
+ then toString <stockholm/nin/6tests/dummysecrets>
+ else "/home/nin/secrets/${host.name}";
stockholm.file = getEnv "PWD";
};
};
@@ -82,11 +91,14 @@ with import <stockholm/lib>;
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
- MANPAGER=most
'';
nixpkgs.config.allowUnfree = true;
+ environment.shellAliases = {
+ gs = "git status";
+ };
+
environment.systemPackages = with pkgs; [
#stockholm
git
@@ -95,6 +107,7 @@ with import <stockholm/lib>;
proot
populate
p7zip
+ termite
unzip
unrar
hashPassword
diff --git a/nin/2configs/git.nix b/nin/2configs/git.nix
new file mode 100644
index 000000000..39f919e79
--- /dev/null
+++ b/nin/2configs/git.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+
+ out = {
+ krebs.git = {
+ enable = true;
+ cgit = {
+ settings = {
+ root-title = "public repositories at ${config.krebs.build.host.name}";
+ root-desc = "keep calm and engage";
+ };
+ };
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+ rules = rules;
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+ };
+
+ repos = public-repos;
+
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ stockholm = {
+ cgit.desc = "take all the computers hostage, they'll love you!";
+ };
+ };
+
+ make-public-repo = name: { cgit ? {}, ... }: {
+ inherit cgit name;
+ public = true;
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ # TODO make nick = config.krebs.build.host.name the default
+ nick = config.krebs.build.host.name;
+ channel = "#retiolum";
+ server = "ni.r";
+ verbose = config.krebs.build.host.name == "onondaga";
+ # TODO define branches in some kind of option per repo
+ branches = [ "master" ];
+ };
+ };
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = [ nin ];
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = attrValues config.krebs.users;
+ repo = [ repo ];
+ perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out
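Review bot: `make-rules` opens with `with git // config.krebs.users;`, which puts every user name in the same scope as the git permission helpers with the users winning on collision; a user named like `push`, `fetch`, `create`, `delete`, `merge` or `non-fast-forward` would silently replace the function and break the rule set. Referencing the user explicitly (`user = [ config.krebs.users.nin ];`, as `lass/1systems/prism.nix` did before this merge) avoids the overlap; `lass/2configs/git.nix` is not fully visible here, so this may just be following that file's style. The `verbose = config.krebs.build.host.name == "onondaga";` line is hard-wired although both `hiawatha.nix` and `onondaga.nix` now import this file; a short comment saying hiawatha is meant to announce quietly would help.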
diff --git a/nin/6tests/dummysecrets/hashedPasswords.nix b/nin/6tests/dummysecrets/hashedPasswords.nix
new file mode 100644
index 000000000..0967ef424
--- /dev/null
+++ b/nin/6tests/dummysecrets/hashedPasswords.nix
@@ -0,0 +1 @@
+{}
diff --git a/nin/6tests/dummysecrets/ssh.id_ed25519 b/nin/6tests/dummysecrets/ssh.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/nin/6tests/dummysecrets/ssh.id_ed25519