-rw-r--r--krebs/2configs/binary-cache/prism.nix2
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix8
-rw-r--r--krebs/3modules/cachecache.nix20
-rw-r--r--krebs/3modules/lass/default.nix104
-rw-r--r--krebs/3modules/makefu/default.nix52
-rw-r--r--krebs/3modules/makefu/ssh/ulrich.pub2
-rw-r--r--lass/1systems/littleT/config.nix47
-rw-r--r--lass/1systems/littleT/physical.nix22
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/1systems/prism/config.nix16
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/xerxes/config.nix16
-rw-r--r--lass/1systems/xerxes/physical.nix29
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/blue-host.nix1
-rw-r--r--lass/2configs/blue.nix2
-rw-r--r--lass/2configs/browsers.nix6
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/git.nix2
-rw-r--r--lass/2configs/mail.nix2
-rw-r--r--lass/2configs/websites/domsen.nix9
-rw-r--r--lass/2configs/wiregrill.nix44
-rw-r--r--lass/2configs/wirelum.nix44
-rw-r--r--lass/5pkgs/custom/xmonad-lass/default.nix2
-rw-r--r--lass/5pkgs/l-gen-secrets/default.nix11
-rw-r--r--lib/krebs/genipv6.nix4
-rw-r--r--makefu/0tests/data/secrets/netdata-stream.conf0
-rw-r--r--makefu/0tests/data/secrets/nsupdate-cache.nix1
-rw-r--r--makefu/1systems/full/source.nix5
-rw-r--r--makefu/1systems/gum/config.nix117
-rw-r--r--makefu/1systems/gum/hardware-config.nix11
-rw-r--r--makefu/1systems/gum/rescue.txt4
-rw-r--r--makefu/1systems/gum/source.nix2
-rw-r--r--makefu/1systems/omo/config.nix6
-rw-r--r--makefu/1systems/omo/hw/omo.nix5
-rw-r--r--makefu/1systems/wbob/config.nix11
-rw-r--r--makefu/2configs/bgt/auphonic.pub1
-rw-r--r--makefu/2configs/bgt/download.binaergewitter.de.nix (renamed from makefu/2configs/nginx/download.binaergewitter.de.nix)23
-rw-r--r--makefu/2configs/bgt/hidden_service.nix (renamed from makefu/2configs/deployment/bgt/hidden_service.nix)0
-rw-r--r--makefu/2configs/binary-cache/lass.nix2
-rw-r--r--makefu/2configs/bitlbee.nix2
-rw-r--r--makefu/2configs/bureautomation/default.nix (renamed from makefu/2configs/deployment/bureautomation/default.nix)0
-rw-r--r--makefu/2configs/bureautomation/hass.nix (renamed from makefu/2configs/deployment/bureautomation/hass.nix)42
-rw-r--r--makefu/2configs/bureautomation/mpd.nix (renamed from makefu/2configs/deployment/bureautomation/mpd.nix)0
-rw-r--r--makefu/2configs/elchos/search.nix2
-rw-r--r--makefu/2configs/homeautomation/default.nix (renamed from makefu/2configs/deployment/homeautomation/default.nix)2
-rw-r--r--makefu/2configs/homeautomation/google-muell.nix (renamed from makefu/2configs/deployment/google-muell.nix)0
-rw-r--r--makefu/2configs/homeautomation/mqtt.nix (renamed from makefu/2configs/deployment/homeautomation/mqtt.nix)0
-rw-r--r--makefu/2configs/mail/mail.euer.nix2
-rw-r--r--makefu/2configs/minimal.nix6
-rw-r--r--makefu/2configs/nginx/gum.krebsco.de.nix21
-rw-r--r--makefu/2configs/shack/events-publisher/default.nix4
-rw-r--r--makefu/2configs/share/omo.nix6
-rw-r--r--makefu/2configs/share/wbob.nix7
-rw-r--r--makefu/2configs/stats/client.nix60
-rw-r--r--makefu/2configs/stats/collectd-client.nix61
-rw-r--r--makefu/2configs/stats/netdata-server.nix17
-rw-r--r--makefu/2configs/stats/server.nix7
-rw-r--r--makefu/2configs/tinc/retiolum.nix4
-rw-r--r--makefu/3modules/default.nix1
-rw-r--r--makefu/3modules/netdata.nix150
-rw-r--r--makefu/5pkgs/libopencm3/default.nix30
-rw-r--r--makefu/krops.nix15
-rwxr-xr-xmakefu/update-channel.sh2
64 files changed, 613 insertions, 467 deletions
diff --git a/krebs/2configs/binary-cache/prism.nix b/krebs/2configs/binary-cache/prism.nix
index 46b386e14..51b4a1afc 100644
--- a/krebs/2configs/binary-cache/prism.nix
+++ b/krebs/2configs/binary-cache/prism.nix
@@ -3,7 +3,7 @@
{
nix = {
binaryCaches = [
- "http://cache.prism.r"
+ "https://cache.krebsco.de"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
index 056667d8c..74f345614 100644
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -1,4 +1,4 @@
-{lib, ... }:
+{ pkgs, lib, ... }:
with lib;
let
domain = "cache.nsupdate.info";
@@ -17,9 +17,13 @@ in {
};
krebs.cachecache = {
enable = true;
- enableSSL = false; # disable letsencrypt for testing
+ enableSSL = true; # disable letsencrypt for testing
cacheDir = "/var/cache/nix-cache-cache";
maxSize = "10g";
+ indexFile = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html";
+ sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0";
+ };
# assumes that the domain is reachable from the internet
virtualHost = domain;
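Review bot: The comment on the `enableSSL = true;` line still reads `# disable letsencrypt for testing`, which now contradicts the value it annotates. Either drop the comment or replace it with `enableSSL = true; # letsencrypt is live; set to false to test without ACME`. The pinned `sha256` on the `indexFile` fetch is the right pattern: it ties the served page to a fixed content hash rather than to whatever the raw GitHub URL returns later.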
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
index 989320480..2c2d07ff5 100644
--- a/krebs/3modules/cachecache.nix
+++ b/krebs/3modules/cachecache.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
@@ -59,15 +59,6 @@ in
'';
};
- # webRoot = mkOption {
- # type = types.str;
- # default = "/";
- # description = ''
- # Directory on virtual host that serves the cache. Must end in
- # <literal>/</literal>.
- # '';
- # };
-
resolver = mkOption {
type = types.str;
description = "Address of DNS resolver.";
@@ -82,6 +73,13 @@ in
Where nginx should store cached data.
'';
};
+ indexFile = mkOption {
+ type = types.path;
+ default = pkgs.writeText "myindex" "<html>hello world</html>";
+ description = ''
+ Path to index.html file.
+ '';
+ };
maxSize = mkOption {
type = types.str;
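Review bot: The `indexFile` option description, `Path to index.html file.`, does not say how the file is used: the preStart hunk further down symlinks it to `/srv/www/nix-cache-cache/index.html` and the `/` location serves it as the index, so whatever is supplied is served verbatim and must be trusted content (the cache.nsupdate.info config in this commit supplies a `fetchurl` pinned by sha256, which is the right pattern). Suggest `description = "Path to an index.html that is symlinked into the web root on nginx start and served as-is at /; supply trusted, hash-pinned content.";`. The `pkgs.writeText "myindex" ...` default is fine as a placeholder.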
@@ -98,6 +96,7 @@ in
systemd.services.nginx.preStart = ''
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
chown ${nginxCfg.user}:${nginxCfg.group} \
${cfg.cacheDir} /srv/www/nix-cache-cache
'';
@@ -143,6 +142,7 @@ in
locations."/" =
{
root = "/srv/www/nix-cache-cache";
+ index = "index.html";
extraConfig = ''
expires max;
add_header Cache-Control $nix_cache_cache_header always;
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 0d8513a69..1117dc61c 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -1,16 +1,14 @@
with import <stockholm/lib>;
{ config, ... }: let
- hostDefaults = hostName: host: flip recursiveUpdate host ({
+ hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
- } // optionalAttrs (host.nets?retiolum) {
- nets.retiolum.ip6.addr =
- (krebs.genipv6 "retiolum" "lass" { inherit hostName; }).address;
- });
+ };
- wip6 = krebs.genipv6 "wirelum" "lass";
+ r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
+ w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
in {
dns.providers = {
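Review bot: `hostDefaults` no longer injects `nets.retiolum.ip6.addr` for hosts that have a retiolum net, so the address must now be written per host as `ip6.addr = r6 "..."`; the later hunks add it for the hosts they touch, but any retiolum host in this file that the commit does not touch silently loses its IPv6 address. A short comment on the helpers would make the contract explicit, e.g. `# r6/w6: IPv6 address of a lass host in the retiolum/wiregrill net; the argument is handed to genipv6 as the host part`. I cannot see what genipv6 does with a string argument versus the `{ inherit hostName; }` attrset the removed code passed, so confirm the two forms agree.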
@@ -56,6 +54,7 @@ in {
retiolum = {
via = internet;
ip4.addr = "10.243.0.103";
+ ip6.addr = r6 "1";
aliases = [
"prism.r"
"cache.prism.r"
@@ -90,16 +89,16 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
+ wiregrill = {
via = internet;
ip4.addr = "10.244.1.1";
- ip6.addr = (wip6 "1").address;
+ ip6.addr = w6 "1";
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
- subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
+ subnets = [ "10.244.1.0/24" "42:1::/32" ];
};
};
};
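Review bot: `subnets = [ "10.244.1.0/24" "42:1::/32" ];` hard-codes the wiregrill IPv6 prefix that lib/krebs/genipv6.nix derives from `netPrefix = "42:${netHash}"` with a length of 32, so the two must now be kept in sync by hand where the removed `(wip6 "1").subnetCIDR` was derived. If genipv6 exposes the net-level CIDR, derive it here; otherwise a comment such as `# must match netPrefix/netPrefixLength for wiregrill in lib/krebs/genipv6.nix` is the minimum. This also widens prism's announced subnet from a per-host CIDR to the whole /32, so every non-router peer will route all of 42:1::/32 via prism, which I assume is intended.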
@@ -150,6 +149,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.81.176";
+ ip6.addr = r6 "1e1";
aliases = [
"uriel.r"
"cgit.uriel.r"
@@ -175,6 +175,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.2";
+ ip6.addr = r6 "dea7";
aliases = [
"mors.r"
"cgit.mors.r"
@@ -190,8 +191,8 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "dea7").address;
+ wiregrill = {
+ ip6.addr = w6 "dea7";
aliases = [
"mors.w"
];
@@ -207,6 +208,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.4";
+ ip6.addr = r6 "50da";
aliases = [
"shodan.r"
"cgit.shodan.r"
@@ -222,12 +224,12 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "50da").address;
+ wiregrill = {
+ ip6.addr = w6 "50da";
aliases = [
"shodan.w"
];
- wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
+ wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30=";
};
};
secure = true;
@@ -239,6 +241,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.114";
+ ip6.addr = r6 "1205";
aliases = [
"icarus.r"
"cgit.icarus.r"
@@ -254,8 +257,8 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "1205").address;
+ wiregrill = {
+ ip6.addr = w6 "1205";
aliases = [
"icarus.w"
];
@@ -271,6 +274,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.115";
+ ip6.addr = r6 "dead";
aliases = [
"daedalus.r"
"cgit.daedalus.r"
@@ -296,6 +300,7 @@ in {
nets = rec {
retiolum = {
ip4.addr = "10.243.133.116";
+ ip6.addr = r6 "5ce7";
aliases = [
"skynet.r"
"cgit.skynet.r"
@@ -321,6 +326,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.133.77";
+ ip6.addr = r6 "771e";
aliases = [
"littleT.r"
];
@@ -356,52 +362,13 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
};
- xerxes = {
- cores = 2;
- nets = rec {
- retiolum = {
- ip4.addr = "10.243.1.3";
- aliases = [
- "xerxes.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
- MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
- gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
- /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
- mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
- X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
- +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
- hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
- 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
- H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
- JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
- hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
- SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
- 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
- vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
- Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
- scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
- jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
- Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
- /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
- bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
- sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- secure = true;
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
- };
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
+ ip6.addr = r6 "12ed";
aliases = [
"red.r"
];
@@ -431,6 +398,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
+ ip6.addr = r6 "3110";
aliases = [
"yellow.r"
];
@@ -451,8 +419,8 @@ in {
-----END PUBLIC KEY-----
'';
};
- wirelum = {
- ip6.addr = (wip6 "e110").address;
+ wiregrill = {
+ ip6.addr = w6 "3110";
aliases = [
"yellow.w"
];
@@ -467,6 +435,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
+ ip6.addr = r6 "b1ce";
aliases = [
"blue.r"
];
@@ -487,15 +456,22 @@ in {
-----END PUBLIC KEY-----
'';
};
+ wiregrill = {
+ ip6.addr = w6 "b1ce";
+ aliases = [
+ "blue.w"
+ ];
+ wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U=";
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
phone = {
nets = {
- wirelum = {
- ip6.addr = (wip6 "a").address;
+ wiregrill = {
ip4.addr = "10.244.1.2";
+ ip6.addr = w6 "a";
aliases = [
"phone.w"
];
@@ -510,6 +486,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.19";
+ ip6.addr = r6 "012f";
aliases = [
"morpheus.r"
];
@@ -529,6 +506,13 @@ in {
-----END RSA PUBLIC KEY-----
'';
};
+ wiregrill = {
+ ip6.addr = w6 "012f";
+ aliases = [
+ "morpheus.w"
+ ];
+ wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY=";
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index d6c1f0b61..befec2156 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -551,27 +551,28 @@ in {
ci = true;
extraZones = {
"krebsco.de" = ''
+ boot.euer IN A ${nets.internet.ip4.addr}
cache.euer IN A ${nets.internet.ip4.addr}
cache.gum IN A ${nets.internet.ip4.addr}
- graph IN A ${nets.internet.ip4.addr}
+ cgit.euer IN A ${nets.internet.ip4.addr}
+ dl.euer IN A ${nets.internet.ip4.addr}
+ dockerhub IN A ${nets.internet.ip4.addr}
+ euer IN A ${nets.internet.ip4.addr}
+ ghook IN A ${nets.internet.ip4.addr}
+ git.euer IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
+ graph IN A ${nets.internet.ip4.addr}
+ gum IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
- wg.euer IN A ${nets.internet.ip4.addr}
- photostore IN A ${nets.internet.ip4.addr}
- o.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
- boot.euer IN A ${nets.internet.ip4.addr}
- wiki.euer IN A ${nets.internet.ip4.addr}
+ netdata.euer IN A ${nets.internet.ip4.addr}
+ o.euer IN A ${nets.internet.ip4.addr}
+ photostore IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
- cgit.euer IN A ${nets.internet.ip4.addr}
- git.euer IN A ${nets.internet.ip4.addr}
- euer IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
- gum IN A ${nets.internet.ip4.addr}
+ wg.euer IN A ${nets.internet.ip4.addr}
+ wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
- dl.euer IN A ${nets.internet.ip4.addr}
- ghook IN A ${nets.internet.ip4.addr}
- dockerhub IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
@@ -596,24 +597,25 @@ in {
via = internet;
ip4.addr = "10.243.0.213";
aliases = [
- "nextgum.r"
- "graph.r"
- "cache.gum.r"
- "logs.makefu.r"
- "stats.makefu.r"
"backup.makefu.r"
+ "blog.gum.r"
+ "blog.makefu.r"
+ "cache.gum.r"
+ "cgit.gum.r"
+ "dcpp.gum.r"
"dcpp.nextgum.r"
+ "graph.r"
"gum.r"
- "cgit.gum.r"
+ "logs.makefu.r"
+ "netdata.makefu.r"
+ "nextgum.r"
"o.gum.r"
- "tracker.makefu.r"
"search.makefu.r"
- "wiki.makefu.r"
- "wiki.gum.r"
- "blog.makefu.r"
- "blog.gum.r"
- "dcpp.gum.r"
+ "stats.makefu.r"
"torrent.gum.r"
+ "tracker.makefu.r"
+ "wiki.gum.r"
+ "wiki.makefu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/makefu/ssh/ulrich.pub b/krebs/3modules/makefu/ssh/ulrich.pub
index 88313ee7c..8ac69004c 100644
--- a/krebs/3modules/makefu/ssh/ulrich.pub
+++ b/krebs/3modules/makefu/ssh/ulrich.pub
@@ -1 +1 @@
-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 shackspace.de@myvdr.de
+ssh-rsa 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 shackspace.de@myvdr.de
diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix
index 44617d3e7..7fe143c3c 100644
--- a/lass/1systems/littleT/config.nix
+++ b/lass/1systems/littleT/config.nix
@@ -6,52 +6,11 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/backup.nix>
- <stockholm/lass/2configs/steam.nix>
- {
- users.users.blacky = {
- uid = genid "blacky";
- home = "/home/blacky";
- group = "users";
- createHome = true;
- extraGroups = [
- "audio"
- "networkmanager"
- "video"
- ];
- useDefaultShell = true;
- };
- networking.networkmanager.enable = true;
- networking.wireless.enable = mkForce false;
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
- };
- environment.systemPackages = with pkgs; [
- pavucontrol
- chromium
- hexchat
- networkmanagerapplet
- vlc
- ];
- services.xserver.enable = true;
- services.xserver.displayManager.lightdm.enable = true;
- services.xserver.desktopManager.plasma5.enable = true;
- services.xserver.layout = "de";
- users.mutableUsers = mkForce true;
- services.xserver.synaptics.enable = true;
- }
- {
- #remote control
- environment.systemPackages = with pkgs; [
- x11vnc
- ];
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; }
- ];
- }
+ <stockholm/lass/2configs/blue-host.nix>
];
+ networking.networkmanager.enable = true;
+ networking.wireless.enable = mkForce false;
time.timeZone = "Europe/Berlin";
hardware.trackpoint = {
diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix
index 9776211ae..550f058a8 100644
--- a/lass/1systems/littleT/physical.nix
+++ b/lass/1systems/littleT/physical.nix
@@ -1,7 +1,25 @@
{
imports = [
./config.nix
- <stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
+ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
+ fileSystems."/" =
+ { device = "rpool/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/5B2E-3734";
+ fsType = "vfat";
+ };
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+ networking.hostId = "584248c6";
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.kernelModules = [ "kvm-intel" ];
+
}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 207c7c640..46cdbbb66 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -34,6 +34,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/blue-host.nix>
+ <stockholm/lass/2configs/network-manager.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index ec3976519..6c454b4ac 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -298,16 +298,18 @@ with import <stockholm/lib>;
}
{
imports = [
- <stockholm/lass/2configs/wirelum.nix>
+ <stockholm/lass/2configs/wiregrill.nix>
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
- #krebs.iptables.tables.nat.PREROUTING.rules = [
- # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
- #];
krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
services.dnsmasq = {
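Review bot: The new IPv6 MASQUERADE rule's exclusion `! -d 42:1:ce16::48` is missing the slash: it names the single host address 42:1:ce16::48 rather than the /48 prefix, so traffic between wiregrill hosts inside 42:1:ce16::/48 is NATed instead of being left alone, unlike the IPv4 rule below it. Change it to `{ v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::/48"; target = "MASQUERADE"; }`. The FORWARD rules also move from address-based to interface-based matching (`-i wiregrill -o retiolum`); that is acceptable because WireGuard's cryptokey routing drops packets whose source lies outside a peer's allowedIPs, but a comment on the rule saying so would help, since the firewall itself no longer restricts sources.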
@@ -315,7 +317,7 @@ with import <stockholm/lib>;
resolveLocalQueries = false;
extraConfig= ''
- listen-address=10.244.1.1
+ listen-address=42:1:ce16::1
except-interface=lo
interface=wg0
'';
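Review bot: `listen-address=42:1:ce16::1` replaces the IPv4 listen address rather than adding to it, so dnsmasq no longer answers on 10.244.1.1 even though the same commit keeps 10.244.1.0/24 peers (phone has `ip4.addr = "10.244.1.2"` in krebs/3modules/lass/default.nix) and accepts their traffic in PREROUTING. If IPv4 clients should still resolve through prism, keep both lines: `listen-address=10.244.1.1` and `listen-address=42:1:ce16::1`. The enclosing dnsmasq block continues outside the hunk, so an IPv4 address may be configured elsewhere; worth confirming.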
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 13a8b3e41..4b806af7b 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -5,7 +5,6 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/power-action.nix>
{
diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix
deleted file mode 100644
index 1bd6cf2c5..000000000
--- a/lass/1systems/xerxes/config.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- <stockholm/lass>
-
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- <stockholm/lass/2configs/baseX.nix>
- <stockholm/lass/2configs/browsers.nix>
- <stockholm/lass/2configs/programs.nix>
- <stockholm/lass/2configs/fetchWallpaper.nix>
- ];
-
- krebs.build.host = config.krebs.hosts.xerxes;
-}
diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix
deleted file mode 100644
index 17caccfe6..000000000
--- a/lass/1systems/xerxes/physical.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- imports = [
- ./config.nix
- <stockholm/lass/2configs/hw/gpd-pocket.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
- ];
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
- '';
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
- fsType = "btrfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/16C8-D053";
- fsType = "vfat";
- };
-
- fileSystems."/home" = {
- device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
- fsType = "btrfs";
- };
-
- boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
-
- networking.wireless.enable = true;
-}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 53d90ed7d..1b6a1d593 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./urxvt.nix
- ./network-manager.nix
{
hardware.pulseaudio = {
enable = true;
@@ -65,6 +64,7 @@ in {
dic
dmenu
font-size
+ fzfmenu
gitAndTools.qgit
git-preview
gnome3.dconf
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 9cf294afd..718a92e9c 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -7,6 +7,7 @@ let
"daedalus"
"skynet"
"prism"
+ "littleT"
];
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index 4d4a92eb9..cdd77e847 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -22,7 +22,9 @@ with (import <stockholm/lib>);
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
+ { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
+ { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";}
];
systemd.services.chat = let
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index 425e0ee13..d214e224d 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -45,7 +45,7 @@ let
createFirefoxUser = name: groups: precedence:
createUser (pkgs.writeDash name ''
- ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@"
+ ${pkgs.firefox}/bin/firefox "$@"
'') name groups precedence 80;
createQuteUser = name: groups: precedence:
@@ -89,8 +89,8 @@ in {
}));
};
}
- ( createQuteUser "qb" [ "audio" ] 20 )
- ( createFirefoxUser "ff" [ "audio" ] 10 )
+ ( createFirefoxUser "ff" [ "audio" ] 11 )
+ ( createQuteUser "qb" [ "audio" ] 10 )
( createChromiumUser "cr" [ "audio" "video" ] 9 )
( createChromiumUser "gm" [ "video" "audio" ] 8 )
( createChromiumUser "wk" [ "audio" ] 0 )
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index dea32d4d4..62a42baf9 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -10,7 +10,7 @@ with import <stockholm/lib>;
./zsh.nix
./htop.nix
./security-workarounds.nix
- ./wirelum.nix
+ ./wiregrill.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 62173e33f..7650f4294 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -154,7 +154,7 @@ let
public = true;
};
- make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: {
+ make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... }: {
inherit admins collaborators name;
public = false;
hooks = {
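Review bot: Flipping `announce ? false` to `announce ? true` in `make-restricted-repo` changes the default for non-public repositories, so every restricted repo that does not set `announce` explicitly now has its activity announced. If the announce hook publishes commit subjects or branch names to a shared channel, that is information about private repositories crossing the access boundary by default; consider keeping restricted repos opt-in and passing `announce = true` per repo, or at least record the new default next to the parameter: `announce ? true, # restricted repos announce by default; set false for confidential ones`. The hook body that consumes `announce` is outside this hunk.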
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 36e797a96..21b9d7b49 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -82,7 +82,7 @@ let
source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc
set pgp_use_gpg_agent = yes
set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D
- set crypt_autosign = yes
+ set crypt_autosign = no
set crypt_replyencrypt = yes
set crypt_verify_sig = yes
set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 4935268a4..25dac0ac4 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -126,6 +126,7 @@ in {
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "bui@freemonkey.art"; to ="bui"; }
+ { from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@@ -134,6 +135,7 @@ in {
"jla-trading.com"
"ubikmedia.eu"
"ubikmedia.de"
+ "alewis.de"
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@@ -204,5 +206,12 @@ in {
createHome = true;
};
+ users.users.klabusterbeere = {
+ uid = genid_uint31 "klabusterbeere";
+ home = "/home/klabusterbeere";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
}
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix
new file mode 100644
index 000000000..b2ee35df3
--- /dev/null
+++ b/lass/2configs/wiregrill.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wiregrill;
+ isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+ { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+ ];
+
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
+ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
+ else
+ host.nets.wiregrill.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+ publicKey = host.nets.wiregrill.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+}
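Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule above opens `self.wireguard.port` and peers compute this host's endpoint from `host.nets.wiregrill.wireguard.port`, so any host whose declared port is not 51820 ends up with a firewall opening and peer endpoints that do not match the socket it actually binds. Use the declared value: `listenPort = self.wireguard.port;`. A one-line comment above `peers` stating that every host with a wiregrill net becomes a peer, with non-routers accepting each router's `subnets` as allowedIPs, would help readers, since the `isRouter` branch is the only place that distinction is made.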
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
deleted file mode 100644
index cd8a20c6b..000000000
--- a/lass/2configs/wirelum.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: let
-
- self = config.krebs.build.host.nets.wirelum;
- isRouter = !isNull self.via;
-
-in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
- #hack for modprobe inside containers
- systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
- (pkgs.writeDashBin "modprobe" ":")
- ]);
-
- boot.kernel.sysctl = mkIf isRouter {
- "net.ipv6.conf.all.forwarding" = 1;
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
- { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
- ];
-
- networking.wireguard.interfaces.wirelum = {
- ips =
- (optional (!isNull self.ip4) self.ip4.addr) ++
- (optional (!isNull self.ip6) self.ip6.addr);
- listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wirelum.key";
- allowedIPsAsRoutes = true;
- peers = mapAttrsToList
- (_: host: {
- allowedIPs = if isRouter then
- (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
- (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
- else
- host.nets.wirelum.wireguard.subnets
- ;
- endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
- persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
- publicKey = host.nets.wirelum.wireguard.pubkey;
- })
- (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
- };
-}
diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix
index f86a4a69b..79e6416e1 100644
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@@ -78,7 +78,7 @@ main = getArgs >>= \case
main' :: IO ()
main' = do
handleShutdownEvent <- newShutdownEventHandler
- xmonad $ ewmh
+ launch $ ewmh
$ withUrgencyHook LibNotifyUrgencyHook
$ def
{ terminal = myTerm
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index b6cb2ec7e..85b050644 100644
--- a/lass/5pkgs/l-gen-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" ''
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
+ ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key
+ ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub
cat <<EOF > $TMPDIR/hashedPasswords.nix
{
root = "$HASHED_PASSWORD";
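Review bot: `cat $TMPDIR/wiregrill.key | wg pubkey` can read the private key through a redirect instead, `${pkgs.wireguard}/bin/wg pubkey < $TMPDIR/wiregrill.key > $TMPDIR/wiregrill.pub`, which also drops the coreutils dependency. The private key is written by `wg genkey > $TMPDIR/wiregrill.key` with whatever umask the script inherits, and nothing in this hunk restricts it; unless $TMPDIR is created with restrictive permissions outside the hunk, which I cannot see, a `umask 077` before the genkey line would keep the key mode in line with the ssh and RSA material generated above.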
@@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" ''
$(cat $TMPDIR/retiolum.rsa_key.pub)
${"''"};
};
+ wiregrill = {
+ ip6.addr = (wip6 "changeme").address;
+ aliases = [
+ "$HOSTNAME.w"
+ ];
+ wireguard.pubkey = ${"''"}
+ $(cat $TMPDIR/wiregrill.pub)
+ ${"''"};
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
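Review bot: The generated host snippet emits `ip6.addr = (wip6 "changeme").address;`, but this same commit removes `wip6` from krebs/3modules/lass/default.nix and replaces it with `w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;`, so pasting the output into that file would fail to evaluate. Emit the new helper form instead: `ip6.addr = w6 "changeme";`. If the retiolum block generated above this hunk does not emit `ip6.addr = r6 "..."`, it should, since every host definition in this commit now carries that line.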
diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix
index 1d3f398ec..22a23fcef 100644
--- a/lib/krebs/genipv6.nix
+++ b/lib/krebs/genipv6.nix
@@ -16,12 +16,12 @@ let {
normalize-ip6-addr (appendZeros addressLength netPrefix);
netHash = toString {
retiolum = 0;
- wirelum = 1;
+ wiregrill = 1;
}.${netname};
netPrefix = "42:${netHash}";
netPrefixLength = {
retiolum = 32;
- wirelum = 32;
+ wiregrill = 32;
}.${netname};
inherit subnetname;
diff --git a/makefu/0tests/data/secrets/netdata-stream.conf b/makefu/0tests/data/secrets/netdata-stream.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/makefu/0tests/data/secrets/netdata-stream.conf
diff --git a/makefu/0tests/data/secrets/nsupdate-cache.nix b/makefu/0tests/data/secrets/nsupdate-cache.nix
new file mode 100644
index 000000000..f5e704702
--- /dev/null
+++ b/makefu/0tests/data/secrets/nsupdate-cache.nix
@@ -0,0 +1 @@
+"derp"
diff --git a/makefu/1systems/full/source.nix b/makefu/1systems/full/source.nix
deleted file mode 100644
index 1e36c6e87..000000000
--- a/makefu/1systems/full/source.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- name="gum";
- torrent = true;
- clever_kexec = true;
-}
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 3d2cbac6f..dcfa3d0e5 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -4,13 +4,14 @@ with import <stockholm/lib>;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
ext-if = config.makefu.server.primary-itf;
+ allDisks = [ "/dev/sda" "/dev/sdb" ];
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
{
users.users.lass = {
- uid = 9002;
+ uid = 19002;
isNormalUser = true;
createHome = true;
useDefaultShell = true;
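Review bot: Changing `uid` from 9002 to 19002 (L1061) for a user that presumably already exists on gum rewrites the passwd entry on activation but chowns nothing, so the existing home created by `createHome` and any other files owned by 9002 become orphaned, and whichever account later receives uid 9002 inherits them. Either chown them as part of the switch (`chown -R lass /home/lass` after activation) or add a comment stating why the uid moves; if the user has never been created on gum this is a non-issue. The enclosing `users.users.lass` block is fully visible.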
@@ -20,8 +21,12 @@ in {
];
};
}
+ # <stockholm/makefu/2configs/stats/client.nix>
+ <stockholm/makefu/2configs/stats/netdata-server.nix>
+
<stockholm/makefu/2configs/headless.nix>
- # <stockholm/makefu/2configs/smart-monitor.nix>
+ <stockholm/makefu/2configs/smart-monitor.nix>
+ { services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
@@ -30,6 +35,8 @@ in {
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix>
+ <stockholm/makefu/2configs/tools/desktop.nix>
+
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix>
# <stockholm/makefu/2configs/gui/xpra.nix>
@@ -41,17 +48,47 @@ in {
<stockholm/makefu/2configs/iodined.nix>
# <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
+ { # bonus retiolum config for connecting more hosts
+ krebs.tinc.retiolum = {
+ extraConfig = ''
+ ListenAddress = ${external-ip} 53
+ ListenAddress = ${external-ip} 655
+ ListenAddress = ${external-ip} 21031
+ '';
+ connectTo = [
+ "prism" "ni" "enklave" "eve" "archprism"
+ ];
+ };
+ networking.firewall = {
+ allowedTCPPorts =
+ [
+ 53
+ 655
+ 21031
+ ];
+ allowedUDPPorts =
+ [
+ 53
+ 655
+ 21031
+ ];
+ };
+ }
# ci
# <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
+ <stockholm/makefu/2configs/shack/events-publisher>
<stockholm/makefu/2configs/shack/gitlab-runner>
<stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/taskd.nix>
# services
- <stockholm/makefu/2configs/sabnzbd.nix>
+ # <stockholm/makefu/2configs/sabnzbd.nix>
<stockholm/makefu/2configs/mail/mail.euer.nix>
+ {
+ krebs.exim.enable = mkForce false;
+ }
# sharing
<stockholm/makefu/2configs/share/gum.nix>
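Review bot: The firewall block at L1102-L1115 opens 53, 655 and 21031 for TCP and UDP on every interface, while tinc is told to listen only on `${external-ip}` (L1094-L1096); since `ext-if` is already in scope (L1052), scope the rule with `networking.firewall.interfaces.${ext-if}.allowedTCPPorts = [ 53 655 21031 ];` (and the UDP twin) so the same ports stay closed on retiolum and any other interface. The explicit port list removed further down in this file also carried 25, 80/443, 8080/8443, 21032 and 53589; after this change those stay open only if the mailserver, nginx, tinc-shack and taskd modules open them themselves, which the diff does not show, so compare `iptables -S nixos-fw` before and after deploying. `krebs.exim.enable = mkForce false` at L1129 deserves a one-line comment, e.g. `# mail on gum is served by mail.euer.nix, not exim`, so the force is not mistaken for a leftover.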
@@ -59,13 +96,6 @@ in {
#<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix>
- { # ncdc
- environment.systemPackages = [ pkgs.ncdc ];
- networking.firewall = {
- allowedUDPPorts = [ 51411 ];
- allowedTCPPorts = [ 51411 ];
- };
- }
# <stockholm/makefu/2configs/opentracker.nix>
## network
@@ -91,17 +121,17 @@ in {
#<stockholm/makefu/2configs/nginx/public_html.nix>
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
- <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
+ # <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/iso.euer.nix>
- <stockholm/makefu/2configs/shack/events-publisher>
+ <stockholm/krebs/2configs/cache.nsupdate.info.nix>
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
<stockholm/makefu/2configs/deployment/graphs.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix>
<stockholm/makefu/2configs/deployment/boot-euer.nix>
- <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
+ <stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>
+ <stockholm/makefu/2configs/bgt/hidden_service.nix>
- <stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix>
# sharing
@@ -115,7 +145,8 @@ in {
# krebs infrastructure services
<stockholm/makefu/2configs/stats/server.nix>
- ];
+ ];
+
makefu.dl-dir = "/var/download";
services.openssh.hostKeys = [
@@ -125,70 +156,14 @@ in {
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum;
- krebs.tinc.retiolum = {
- extraConfig = ''
- ListenAddress = ${external-ip} 53
- ListenAddress = ${external-ip} 655
- ListenAddress = ${external-ip} 21031
- '';
- connectTo = [
- "prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
- ];
- };
-
-
- # access
- users.users = {
- root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
- makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
- };
-
- # Chat
- environment.systemPackages = with pkgs;[
- weechat
- bepasty-client-cli
- tmux
- ];
-
- # Hardware
-
# Network
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
- allowedTCPPorts = [
- # smtp
- 25
- # http
- 80 443
- # httptunnel
- 8080 8443
- # tinc
- 655
- # tinc-shack
- 21032
- # tinc-retiolum
- 21031
- # taskserver
- 53589
- # temp vnc
- 18001
- # temp reverseshell
- 31337
- ];
- allowedUDPPorts = [
- # tinc
- 655 53
- # tinc-retiolum
- 21031
- # tinc-shack
- 21032
- ];
};
nameservers = [ "8.8.8.8" ];
};
users.users.makefu.extraGroups = [ "download" "nginx" ];
- boot.tmpOnTmpfs = true;
state = [ "/home/makefu/.weechat" ];
}
diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix
index bfe29b46c..e9670a5a4 100644
--- a/makefu/1systems/gum/hardware-config.nix
+++ b/makefu/1systems/gum/hardware-config.nix
@@ -46,7 +46,7 @@ in {
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
- boot.kernelModules = [ "kvm-intel" ];
+ boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/mapper/nixos-root";
@@ -56,10 +56,19 @@ in {
device = "/dev/mapper/nixos-lib";
fsType = "ext4";
};
+ fileSystems."/var/log" = {
+ device = "/dev/mapper/nixos-log";
+ fsType = "ext4";
+ };
fileSystems."/var/download" = {
device = "/dev/mapper/nixos-download";
fsType = "ext4";
};
+ fileSystems."/var/www/binaergewitter" = {
+ device = "/dev/mapper/nixos-binaergewitter";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
fileSystems."/var/lib/borgbackup" = {
device = "/dev/mapper/nixos-backup";
fsType = "ext4";
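Review bot: `options = [ "nofail" ]` on `/var/www/binaergewitter` (L1271) lets boot proceed when the volume is missing, but nothing then stops nginx or the SFTP uploads configured elsewhere in this diff from landing in an empty directory on the root filesystem, silently and with the wrong ownership, until someone notices. If the volume is genuinely optional, make its consumers depend on it, e.g. `systemd.services.nginx.unitConfig.RequiresMountsFor = "/var/www/binaergewitter";`, otherwise drop `nofail` so a failed mount is visible. Whether the SFTP account or the nginx root actually points at this path is not visible in this hunk.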
diff --git a/makefu/1systems/gum/rescue.txt b/makefu/1systems/gum/rescue.txt
index 30276b7db..0a3ed96ee 100644
--- a/makefu/1systems/gum/rescue.txt
+++ b/makefu/1systems/gum/rescue.txt
@@ -1,10 +1,14 @@
+ssh gum.i -o StrictHostKeyChecking=no
+
mount /dev/mapper/nixos-root /mnt
mount /dev/sda2 /mnt/boot
chroot-prepare /mnt
chroot /mnt /bin/sh
+
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
+# ... activating ...
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
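Review bot: `ssh gum.i -o StrictHostKeyChecking=no` (L1281) disables host-key verification entirely, so the runbook step used when the box is broken or suspected compromised is also the one most exposed to a redirected session; a rescue system legitimately presents a different key, which is what tempts the override. Verify the rescue system's fingerprint out of band (provider console) and use a throwaway known_hosts instead: `ssh gum.i -o UserKnownHostsFile=/tmp/rescue_known_hosts -o StrictHostKeyChecking=accept-new`. The hard-coded store path at L1290-L1291 goes stale with every deployment; since the journalctl step already exists to find the active system, a note such as `# or: ls -l /mnt/nix/var/nix/profiles/system` keeps the file self-sufficient.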
diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix
index 6940498f1..1e36c6e87 100644
--- a/makefu/1systems/gum/source.nix
+++ b/makefu/1systems/gum/source.nix
@@ -1,5 +1,5 @@
{
- name="nextgum";
+ name="gum";
torrent = true;
clever_kexec = true;
}
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 260f96081..81b1e0ea1 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -44,7 +44,8 @@ in {
# <stockholm/makefu/2configs/share/omo-timemachine.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
-
+ # statistics
+ <stockholm/makefu/2configs/stats/client.nix>
# Logging
#influx + grafana
<stockholm/makefu/2configs/stats/server.nix>
@@ -74,7 +75,8 @@ in {
"homeassistant-0.77.2"
];
}
- <stockholm/makefu/2configs/deployment/homeautomation>
+ <stockholm/makefu/2configs/homeautomation>
+ <stockholm/makefu/2configs/homeautomation/google-muell.nix>
{
makefu.ps3netsrv = {
enable = true;
diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix
index 1b618a486..31db335bb 100644
--- a/makefu/1systems/omo/hw/omo.nix
+++ b/makefu/1systems/omo/hw/omo.nix
@@ -48,9 +48,8 @@ in {
makefu.snapraid = {
enable = true;
- # TODO: 3 is not protected
- disks = map toMapper [ 0 1 ];
- parity = toMapper 2;
+ disks = map toMapper [ 0 2 3 ];
+ parity = toMapper 1;
};
fileSystems = let
cryptMount = name:
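Review bot: Swapping roles so that mapper 1 becomes parity while mapper 2 becomes data (L1336-L1337) invalidates the existing parity, and the new parity file will be written onto a disk that until now held protected data while the old parity file still sits on mapper 2; nothing here records how that migration was done. Add a comment stating that the old parity was removed and a full `snapraid sync` (after `snapraid diff`) was run, or sequence the change so the data disks are untouched until the new parity exists. The enclosing `makefu.snapraid` block is visible; what `toMapper` resolves to is not.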
diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index f2311fb55..3930406b1 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -20,9 +20,6 @@ in {
<stockholm/makefu/2configs/mqtt.nix>
<stockholm/makefu/2configs/gui/wbob-kiosk.nix>
- <stockholm/makefu/2configs/stats/client.nix>
-
-
# <stockholm/makefu/2configs/gui/studio-virtual.nix>
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
# <stockholm/makefu/2configs/audio/realtime-audio.nix>
@@ -35,6 +32,8 @@ in {
<stockholm/makefu/2configs/bluetooth-mpd.nix>
# Sensors
+ <stockholm/makefu/2configs/stats/client.nix>
+ <stockholm/makefu/2configs/stats/collectd-client.nix>
<stockholm/makefu/2configs/stats/telegraf>
<stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
<stockholm/makefu/2configs/stats/telegraf/europastats.nix>
@@ -51,9 +50,9 @@ in {
"homeassistant-0.77.2"
];
}
- <stockholm/makefu/2configs/deployment/bureautomation>
- <stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
- <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
+ <stockholm/makefu/2configs/bureautomation>
+ <stockholm/makefu/2configs/bureautomation/mpd.nix>
+ <stockholm/makefu/2configs/bureautomation/hass.nix>
(let
collectd-port = 25826;
influx-port = 8086;
diff --git a/makefu/2configs/bgt/auphonic.pub b/makefu/2configs/bgt/auphonic.pub
new file mode 100644
index 000000000..37b8e0599
--- /dev/null
+++ b/makefu/2configs/bgt/auphonic.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx
diff --git a/makefu/2configs/nginx/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix
index 6b5687e72..6d64848f5 100644
--- a/makefu/2configs/nginx/download.binaergewitter.de.nix
+++ b/makefu/2configs/bgt/download.binaergewitter.de.nix
@@ -1,12 +1,25 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
let
- ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
+ ident = (builtins.readFile ./auphonic.pub);
in {
- systemd.services.mirrorsync = {
- startAt = "08:00:00";
- path = with pkgs; [ rsync openssh ];
- script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
+ services.openssh = {
+ allowSFTP = true;
+ sftpFlags = [ "-l VERBOSE" ];
+ extraConfig = ''
+ Match User auphonic
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ X11Forwarding no
+ PasswordAuthentication no
+ '';
+ };
+ users.users.auphonic = {
+ uid = genid "auphonic";
+ group = "nginx";
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
};
services.nginx = {
enable = lib.mkDefault true;
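Review bot: The `Match User auphonic` block at L1401-L1405 forces `internal-sftp` but sets no `ChrootDirectory`, so a third party's key (auphonic.pub) gets SFTP access to every path the uid and the `nginx` group can read, and `sftpFlags = [ "-l VERBOSE" ]` at L1399 only affects the external `Subsystem sftp` server, not the in-process `internal-sftp` selected by ForceCommand — the logging flag has to go on that line: `ForceCommand internal-sftp -l VERBOSE`. Add `ChrootDirectory /var/www` (root-owned, not group-writable, with the binaergewitter subdirectory writable by the account) and give the user a dedicated group rather than `group = "nginx"`; if the ACME certificate directories on this host are group-readable by nginx, as the nginx module's ACME integration arranges, the account can otherwise read the TLS private keys. The key entries at L1412 can also carry `restrict` as an authorized_keys option to close forwarding and pty allocation regardless of sshd_config. Since `Match` must be the last section of sshd_config, confirm NixOS appends `extraConfig` after its own directives on the deployed version.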
diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/bgt/hidden_service.nix
index c1a31b8dc..c1a31b8dc 100644
--- a/makefu/2configs/deployment/bgt/hidden_service.nix
+++ b/makefu/2configs/bgt/hidden_service.nix
diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix
index 46b386e14..51b4a1afc 100644
--- a/makefu/2configs/binary-cache/lass.nix
+++ b/makefu/2configs/binary-cache/lass.nix
@@ -3,7 +3,7 @@
{
nix = {
binaryCaches = [
- "http://cache.prism.r"
+ "https://cache.krebsco.de"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
diff --git a/makefu/2configs/bitlbee.nix b/makefu/2configs/bitlbee.nix
index 17efa7113..e955384d6 100644
--- a/makefu/2configs/bitlbee.nix
+++ b/makefu/2configs/bitlbee.nix
@@ -3,6 +3,6 @@
{
services.bitlbee = {
enable = true;
- libpurple_plugins = [ pkgs.telegram-purple ];
+ libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb];
};
}
diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix
index 3897537ea..3897537ea 100644
--- a/makefu/2configs/deployment/bureautomation/default.nix
+++ b/makefu/2configs/bureautomation/default.nix
diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/bureautomation/hass.nix
index 443484a34..a89a4813f 100644
--- a/makefu/2configs/deployment/bureautomation/hass.nix
+++ b/makefu/2configs/bureautomation/hass.nix
@@ -112,7 +112,6 @@ in {
"temperature" # "temperature_high" "temperature_low"
"apparent_temperature"
"hourly_summary" # next 24 hours text
- "minutely_summary"
"humidity"
"pressure"
"uv_index" ];
@@ -212,27 +211,44 @@ in {
to = "on";
};
action = {
- service= "homeassistant.turn_on";
- entity_id= "switch.fernseher";
+ service = "homeassistant.turn_on";
+ entity_id = [ "switch.fernseher" "switch.blitzdings" ];
};
}
{ alias = "Turn off Fernseher 10 minutes after last movement";
- trigger = {
+ trigger = [
+ { # trigger when movement was detected at the time
platform = "state";
entity_id = "binary_sensor.motion";
to = "off";
for.minutes = 10;
- };
+ }
+ { # trigger at 20:00 no matter what
+ # to avoid 'everybody left before 18:00:00'
+ platform = "time";
+ at = "18:00:00";
+ }
+ ];
action = {
- service= "homeassistant.turn_off";
- entity_id= "switch.fernseher";
+ service = "homeassistant.turn_off";
+ entity_id = [ "switch.fernseher" "switch.blitzdings" ];
+ };
+ condition =
+ { condition = "and";
+ conditions = [
+ {
+ condition = "time";
+ before = "06:30:00"; #only turn off between 6:30 and 18:00
+ after = "18:00:00";
+ # weekday = [ "mon" "tue" "wed" "thu" "fri" ];
+ }
+ {
+ condition = "state";
+ entity_id = "binary_sensor.motion";
+ state = "off";
+ }
+ ];
};
- condition = [{
- condition = "time";
- before = "06:30:00"; #only turn off between 6:30 and 18:00
- after = "18:00:00";
- weekday = [ "mon" "tue" "wed" "thu" "fri" ];
- }];
}
];
};
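Review bot: The comment at L1481 says `trigger at 20:00 no matter what` but the trigger fires at `18:00:00` (L1484), and the condition at L1497-L1499 only permits the turn-off after 18:00 or before 06:30, so firing at exactly 18:00:00 depends on Home Assistant treating `after` as inclusive. Make the comment match, `# trigger at 18:00 no matter what`, and move the time trigger to `18:00:30` (or drop `after`) to stay clear of the boundary. The `weekday` filter is now commented out (L1500), so the switches are also turned off on weekends; if that is intended, say so in the comment. The enclosing automation list starts outside the hunk.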
diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/bureautomation/mpd.nix
index 1f5acb357..1f5acb357 100644
--- a/makefu/2configs/deployment/bureautomation/mpd.nix
+++ b/makefu/2configs/bureautomation/mpd.nix
diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix
index 521bfc80a..e7b91e6a8 100644
--- a/makefu/2configs/elchos/search.nix
+++ b/makefu/2configs/elchos/search.nix
@@ -32,7 +32,7 @@ let
${user}
protocol=dyndns2
- usev5=if, if=${primary-itf}
+ usev6=if, if=${primary-itf}
ssl=yes
server=ipv6.nsupdate.info
login=${user}
diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/homeautomation/default.nix
index 94799b11d..596d0002a 100644
--- a/makefu/2configs/deployment/homeautomation/default.nix
+++ b/makefu/2configs/homeautomation/default.nix
@@ -31,7 +31,7 @@ let
brightness_scale = 100;
# color
rgb_state_topic = "/ham/${topic}/stat/Color";
- rgb_command_topic = "/ham/${topic}/cmnd/Color2";
+ rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule
rgb_command_mode = "hex";
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
# effects
diff --git a/makefu/2configs/deployment/google-muell.nix b/makefu/2configs/homeautomation/google-muell.nix
index 235cc1546..235cc1546 100644
--- a/makefu/2configs/deployment/google-muell.nix
+++ b/makefu/2configs/homeautomation/google-muell.nix
diff --git a/makefu/2configs/deployment/homeautomation/mqtt.nix b/makefu/2configs/homeautomation/mqtt.nix
index cd1c328d7..cd1c328d7 100644
--- a/makefu/2configs/deployment/homeautomation/mqtt.nix
+++ b/makefu/2configs/homeautomation/mqtt.nix
diff --git a/makefu/2configs/mail/mail.euer.nix b/makefu/2configs/mail/mail.euer.nix
index f079d7f41..f8f82e76b 100644
--- a/makefu/2configs/mail/mail.euer.nix
+++ b/makefu/2configs/mail/mail.euer.nix
@@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [
- (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz")
+ (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz")
];
mailserver = {
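Review bot: The new `builtins.fetchTarball` at L1564 still carries no `sha256`, so the mail server's configuration is whatever gitlab.com serves for that URL at evaluation time — a replaced archive or a compromised project account lands in the build with no local check, and evaluation needs network access whenever the tarball TTL expires. Pin it the way events-publisher/default.nix does: `(builtins.fetchTarball { url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz"; sha256 = "<output of nix-prefetch-url --unpack>"; })`.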
diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix
index d764e5624..cb2ef09e3 100644
--- a/makefu/2configs/minimal.nix
+++ b/makefu/2configs/minimal.nix
@@ -7,8 +7,8 @@
# the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin";
- networking.hostName = config.krebs.build.host.name;
- nix.buildCores = config.krebs.build.host.cores;
+ networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
+ nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false;
@@ -85,4 +85,6 @@
"net.ipv6.conf.all.use_tempaddr" = 2;
"net.ipv6.conf.default.use_tempaddr" = 2;
};
+
+ services.nscd.enable = false;
}
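Review bot: `services.nscd.enable = false` (L1585) is more than dropping a cache on NixOS: glibc there loads non-builtin NSS modules (systemd's myhostname/resolve, mDNS, and anything in `system.nssModules`) through nscd, so with it off every process falls back to the modules compiled into glibc and lookups that rely on those plugins can start failing; `/etc/hosts` entries such as the generated krebs host names are unaffected. If the goal is only to avoid stale caching, keep nscd enabled and disable caching per database via `services.nscd.config` instead, and verify with `getent hosts` on a switched host. A `# why` comment on the line would help either way; `nix.buildCores = 0` (L1577) is documented with its reason, which is the standard to match.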
diff --git a/makefu/2configs/nginx/gum.krebsco.de.nix b/makefu/2configs/nginx/gum.krebsco.de.nix
new file mode 100644
index 000000000..3e96e6826
--- /dev/null
+++ b/makefu/2configs/nginx/gum.krebsco.de.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+in {
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts."gum.krebsco.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ # proxyPass = "http://localhost:8000/";
+ # extraConfig = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # '';
+ };
+ };
+ };
+}
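Review bot: `locations."/" = { }` (L1603-L1610) with `forceSSL` and `enableACME` serves nginx's default document root for gum.krebsco.de while the only real content is commented out, so a reader cannot tell whether this vhost is a certificate placeholder or a half-finished proxy. Either state the intent in a comment, e.g. `# placeholder vhost so gum.krebsco.de gets an ACME cert; nothing is served yet`, or keep the proxy block as a `# TODO:` with the target service named, rather than leaving the proxy_set_header lines as dead code.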
diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix
index 531d2525e..964e5ccbb 100644
--- a/makefu/2configs/shack/events-publisher/default.nix
+++ b/makefu/2configs/shack/events-publisher/default.nix
@@ -2,8 +2,8 @@
with import <stockholm/lib>;
let
shack-announce = pkgs.callPackage (builtins.fetchTarball {
- url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz";
- sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd";
+ url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
+ sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0";
}) {} ;
home = "/var/lib/shackannounce";
user = "shackannounce";
diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix
index e4fef7c3c..ed5066787 100644
--- a/makefu/2configs/share/omo.nix
+++ b/makefu/2configs/share/omo.nix
@@ -30,6 +30,12 @@ in {
browseable = "yes";
"guest ok" = "yes";
};
+ audiobook = {
+ path = "/media/crypt1/audiobooks";
+ "read only" = "yes";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
crypt0 = {
path = "/media/crypt0";
"read only" = "yes";
diff --git a/makefu/2configs/share/wbob.nix b/makefu/2configs/share/wbob.nix
index 7d3fc38fe..9695751ff 100644
--- a/makefu/2configs/share/wbob.nix
+++ b/makefu/2configs/share/wbob.nix
@@ -8,6 +8,7 @@
home = "/home/share";
createHome = true;
};
+ users.groups.mpd.members = [ "makefu" ];
services.samba = {
enable = true;
enableNmbd = true;
@@ -24,6 +25,12 @@
browseable = "yes";
"guest ok" = "yes";
};
+ music-rw = {
+ path = "/data/music";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "no";
+ };
};
extraConfig = ''
guest account = smbguest
diff --git a/makefu/2configs/stats/client.nix b/makefu/2configs/stats/client.nix
index cfb5e3fd2..b88515a35 100644
--- a/makefu/2configs/stats/client.nix
+++ b/makefu/2configs/stats/client.nix
@@ -1,61 +1,7 @@
-{pkgs, config, ...}:
{
- services.collectd = {
+ makefu.netdata = {
enable = true;
- autoLoadPlugin = true;
- extraConfig = ''
- Hostname ${config.krebs.build.host.name}
- LoadPlugin load
- LoadPlugin disk
- LoadPlugin memory
- LoadPlugin df
- Interval 30.0
-
- LoadPlugin interface
- <Plugin "interface">
- Interface "*Link"
- Interface "lo"
- Interface "vboxnet*"
- Interface "virbr*"
- IgnoreSelected true
- </Plugin>
-
- LoadPlugin df
- <Plugin "df">
- MountPoint "/nix/store"
- # MountPoint "/run*"
- # MountPoint "/sys*"
- # MountPoint "/dev"
- # MountPoint "/dev/shm"
- # MountPoint "/tmp"
- FSType "tmpfs"
- FSType "binfmt_misc"
- FSType "debugfs"
- FSType "tracefs"
- FSType "mqueue"
- FSType "hugetlbfs"
- FSType "systemd-1"
- FSType "cgroup"
- FSType "securityfs"
- FSType "ramfs"
- FSType "proc"
- FSType "devpts"
- FSType "devtmpfs"
- MountPoint "/var/lib/docker/devicemapper"
- IgnoreSelected true
- </Plugin>
-
- LoadPlugin cpu
- <Plugin cpu>
- ReportByCpu true
- ReportByState true
- ValuesPercentage true
- </Plugin>
-
- LoadPlugin network
- <Plugin "network">
- Server "${config.makefu.stats-server}" "25826"
- </Plugin>
- '';
+ stream.role = "slave";
+ # stream.destination = "netdata.makefu.r";
};
}
diff --git a/makefu/2configs/stats/collectd-client.nix b/makefu/2configs/stats/collectd-client.nix
new file mode 100644
index 000000000..cfb5e3fd2
--- /dev/null
+++ b/makefu/2configs/stats/collectd-client.nix
@@ -0,0 +1,61 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "tracefs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "${config.makefu.stats-server}" "25826"
+ </Plugin>
+ '';
+ };
+}
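Review bot: The collectd `network` plugin at L1800-L1803 sends to `${config.makefu.stats-server}:25826` with no `SecurityLevel`, `Username` or `Password`, so metrics (hostnames, mount points, interface names) travel unsigned and unencrypted and a receiver without its own `<Listen>` restrictions accepts whatever reaches the port. If the stats server is only reachable over retiolum this is presumably acceptable; otherwise add `SecurityLevel Encrypt` plus `Username`/`Password` here and a matching `<Listen>` block on the server. The file is a verbatim move of the block removed from stats/client.nix, so the gap is pre-existing rather than introduced here.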
diff --git a/makefu/2configs/stats/netdata-server.nix b/makefu/2configs/stats/netdata-server.nix
new file mode 100644
index 000000000..5fec3583c
--- /dev/null
+++ b/makefu/2configs/stats/netdata-server.nix
@@ -0,0 +1,17 @@
+{
+ makefu.netdata = {
+ enable = true;
+ stream.role = "master";
+ };
+
+ services.nginx = {
+ virtualHosts."netdata.euer.krebsco.de" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:19999";
+ };
+ virtualHosts."netdata.makefu.r" = {
+ locations."/".proxyPass = "http://localhost:19999";
+ };
+ };
+}
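Review bot: The `netdata.euer.krebsco.de` vhost (L1820-L1824) proxies the netdata dashboard to the public internet with `addSSL` and no access control, so anyone can read this host's process list, connections and the metrics streamed from every slave, and `addSSL` keeps plain HTTP reachable as well. Use `forceSSL = true;` and add `basicAuthFile = toString <secrets/netdata.htpasswd>;` (or an `allow`/`deny` list in `locations."/".extraConfig`) on the public vhost; `netdata.makefu.r` is presumably only reachable over retiolum and can stay open. Whether such a secret file exists in this repository is not visible here.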
diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix
index c8e768c99..bb8fd1750 100644
--- a/makefu/2configs/stats/server.nix
+++ b/makefu/2configs/stats/server.nix
@@ -21,6 +21,13 @@ in {
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
+ logging.level = "info";
+ http.log-enabled = true;
+ http.write-tracing = false;
+ http.suppress-write-log = true;
+ data.trace-logging-enabled = false;
+ data.query-log-enabled = false;
+
http.bind-address = ":${toString influx-port}";
admin.bind-address = ":8083";
monitoring = {
diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix
index 98abb2406..0d2774209 100644
--- a/makefu/2configs/tinc/retiolum.nix
+++ b/makefu/2configs/tinc/retiolum.nix
@@ -1,8 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
{
imports = [
../binary-cache/lass.nix
];
krebs.tinc.retiolum.enable = true;
environment.systemPackages = [ pkgs.tinc ];
+ networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
+ networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
}
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index 7146174fb..65b5a6afd 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -5,6 +5,7 @@ _:
./awesome-extra.nix
./deluge.nix
./forward-journal.nix
+ ./netdata.nix
./opentracker.nix
./ps3netsrv.nix
./logging-config.nix
diff --git a/makefu/3modules/netdata.nix b/makefu/3modules/netdata.nix
new file mode 100644
index 000000000..3ed33643c
--- /dev/null
+++ b/makefu/3modules/netdata.nix
@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix
+with lib;
+let
+ cfg = config.makefu.netdata;
+in
+{
+ options.makefu.netdata = {
+ enable = mkEnableOption "netdata";
+
+ # TODO only apikey from file, set remote host manually
+ stream.file = mkOption {
+ type = types.str;
+ default = toString <secrets/netdata-stream.conf>;
+ description = "path to stream data file";
+ };
+ stream.role = mkOption {
+ type = types.enum [ "master" "slave" ];
+ default = "slave";
+ description = "Wether to stream data";
+ };
+
+ httpcheck.checks = mkOption {
+ type = types.attrsOf (types.submodule ({
+ options = {
+ url = mkOption {
+ type = types.str;
+ example = "https://thalheim.io";
+ description = "Url to check";
+ };
+ regex = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "My homepage";
+ description = "Regex that is matched against the returned content";
+ };
+ statusAccepted = mkOption {
+ type = types.listOf types.int;
+ default = [ 200 ];
+ example = [ 401 ];
+ description = "Expected http status code";
+ };
+ };
+ }));
+ default = {};
+ description = ''
+ httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf
+ '';
+ };
+
+ portcheck.checks = mkOption {
+ type = types.attrsOf (types.submodule ({
+ options = {
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "Dns name/IP to check";
+ };
+ port = mkOption {
+ type = types.int;
+ description = "Tcp port number";
+ };
+ };
+ }));
+ default = {};
+ description = ''
+ portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services.netdata = {
+ requires = [ "secret.service" ];
+ after = [ "secret.service" ];
+ };
+ krebs.secret.files.netdata-stream = {
+ path = "/run/secret/netdata-stream.conf";
+ owner.name = "netdata";
+ source-path = cfg.stream.file;
+ };
+ environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf";
+
+ services.netdata = {
+ enable = true;
+ config = {
+ global = {
+ "bind to" = "0.0.0.0:19999 [::]:19999";
+ "error log" = "stderr";
+ "update every" = "5";
+ };
+ health.enable = if cfg.stream.role == "master" then "yes" else "no";
+ };
+ };
+ services.netdata.python.extraPackages = ps: [
+ ps.psycopg2 ps.docker ps.dnspython
+ ];
+
+ makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports);
+
+ networking.firewall.allowedTCPPorts = [ 19999 ];
+
+ environment.etc."netdata/python.d/httpcheck.conf".text = ''
+ update_every: 30
+ ${lib.concatStringsSep "\n" (mapAttrsToList (site: options:
+ ''
+ ${site}:
+ url: '${options.url}'
+ ${optionalString (options.regex != null) "regex: '${options.regex}'"}
+ status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ]
+ '') cfg.httpcheck.checks)
+ }
+ '';
+
+ environment.etc."netdata/python.d/portcheck.conf".text = ''
+ ${lib.concatStringsSep "\n" (mapAttrsToList (service: options:
+ ''
+ ${service}:
+ host: '${options.host}'
+ port: ${toString options.port}
+ '') cfg.portcheck.checks)
+ }
+ '';
+ systemd.services.netdata.restartTriggers = [
+ config.environment.etc."netdata/python.d/httpcheck.conf".source
+ config.environment.etc."netdata/python.d/portcheck.conf".source
+ config.environment.etc."netdata/stream.conf".source
+ ];
+
+ environment.etc."netdata/health.d/httpcheck.conf".text = ''
+ # taken from the original but warn only if a request is at least 300ms slow
+ template: web_service_slow
+ families: *
+ on: httpcheck.responsetime
+ lookup: average -3m unaligned of time
+ units: ms
+ every: 10s
+ warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000)
+ crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000)
+ info: average response time over the last 3 minutes, compared to the average over the last hour
+ delay: down 5m multiplier 1.5 max 1h
+ options: no-clear-notification
+ to: webmaster
+ '';
+
+ };
+ # TODO: notification
+ # environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf";
+
+}
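Review bot: `"bind to" = "0.0.0.0:19999 [::]:19999"` (L1969) together with `networking.firewall.allowedTCPPorts = [ 19999 ]` (L1982) exposes the unauthenticated netdata API and dashboard on every interface of every host that enables this module, including internet-facing gum, which imports the server variant; netdata has no authentication of its own. Slaves never need inbound connections and the master is already fronted by nginx in netdata-server.nix, so default to loopback, `"bind to" = "127.0.0.1:19999 [::1]:19999"`, and only on the master listen on and open 19999 for the interface the slaves stream over, e.g. `networking.firewall.interfaces.retiolum.allowedTCPPorts`. Note that once the port is reachable, the API key inside `/run/secret/netdata-stream.conf` is the only thing gating who may push metrics into the master; the mode `krebs.secret.files` applies to that copy is not visible in this hunk and should be 0400.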
diff --git a/makefu/5pkgs/libopencm3/default.nix b/makefu/5pkgs/libopencm3/default.nix
deleted file mode 100644
index ed35fc639..000000000
--- a/makefu/5pkgs/libopencm3/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }:
-stdenv.mkDerivation rec {
- name = "libopencm-${version}";
- version = "2017-04-01";
-
- src = fetchFromGitHub {
- owner = "libopencm3";
- repo = "libopencm3";
- rev = "383fafc862c0d47f30965f00409d03a328049278";
- sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9";
- };
-
- buildInputs = [ gcc-arm-embedded python ];
- buildPhase = ''
- sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h
- make
- '';
- installPhase = ''
- mkdir -p $out
- cp -r lib $out/
- '';
-
- meta = {
- description = "Open Source ARM cortex m microcontroller library";
- homepage = https://github.com/libopencm3/libopencm3;
- license = stdenv.lib.licenses.gpl2;
- platforms = stdenv.lib.platforms.linux;
- maintainers = with stdenv.lib.maintainers; [ makefu ];
- };
-}
diff --git a/makefu/krops.nix b/makefu/krops.nix
index 6c510eba3..2a2f70a05 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -7,7 +7,6 @@
host-src = {
secure = false;
- full = false;
torrent = false;
hw = false;
musnix = false;
@@ -23,7 +22,11 @@
{
# nixos-18.09 @ 2018-09-18
# + uhub/sqlite: 5dd7610401747
- nixpkgs = if test then {
+ # + hovercraft: 7134801b17d72
+ nixpkgs = if host-src.arm6 then {
+ # TODO: we want to track the unstable channel
+ symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
+ } else {
file = {
path = toString (pkgs.fetchFromGitHub {
owner = "makefu";
@@ -33,14 +36,6 @@
});
useChecksum = true;
};
- } else if host-src.full then {
- git.ref = nixpkgs-src.rev;
- git.url = nixpkgs-src.url;
- } else if host-src.arm6 then {
- # TODO: we want to track the unstable channel
- symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
- } else {
- file = "/home/makefu/store/${nixpkgs-src.rev}";
};
nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix";
diff --git a/makefu/update-channel.sh b/makefu/update-channel.sh
index 59d3c434f..0899581ec 100755
--- a/makefu/update-channel.sh
+++ b/makefu/update-channel.sh
@@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--rev refs/heads/master' \
> $dir/nixpkgs.json
newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref"
+echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'"