diff options
| -rw-r--r-- | krebs/3modules/makefu/default.nix | 30 | ||||
| -rw-r--r-- | krebs/3modules/rtorrent.nix | 2 | ||||
| -rw-r--r-- | makefu/1systems/filepimp.nix | 5 | ||||
| -rw-r--r-- | makefu/1systems/gum.nix | 1 | ||||
| -rw-r--r-- | makefu/1systems/omo.nix | 1 | ||||
| -rw-r--r-- | makefu/1systems/wbob.nix | 4 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 4 | ||||
| -rw-r--r-- | makefu/1systems/x.nix | 3 | ||||
| -rw-r--r-- | makefu/2configs/backup.nix | 8 | ||||
| -rw-r--r-- | makefu/2configs/base-gui.nix | 1 | ||||
| -rw-r--r-- | makefu/2configs/elchos/stats.nix | 96 | ||||
| -rw-r--r-- | makefu/2configs/filepimp-share.nix | 33 | ||||
| -rw-r--r-- | makefu/2configs/hw/tp-x220.nix | 2 | ||||
| -rw-r--r-- | makefu/2configs/hw/tp-x2x0.nix | 4 | ||||
| -rw-r--r-- | makefu/2configs/iodined.nix | 3 | ||||
| -rw-r--r-- | makefu/2configs/nginx/icecult.nix | 28 | ||||
| -rw-r--r-- | makefu/2configs/rad1o.nix | 2 | ||||
| -rw-r--r-- | makefu/2configs/solr.nix | 24 | ||||
| -rw-r--r-- | makefu/2configs/urlwatch.nix | 2 | ||||
| -rw-r--r-- | makefu/5pkgs/mergerfs/default.nix | 4 |
20 files changed, 243 insertions, 14 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index f5190b6ba..e79e54aa6 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -374,8 +374,8 @@ with config.krebs.lib; ''; }; }; - #ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBGboU/P00yYiwYje53G0oqDFWmcSJ+hIpMsl4f/HH"; }; wbob = rec { cores = 1; @@ -512,6 +512,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; }; + sdev = rec { + cores = 1; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtm6ETzNgLcXNkrKs2VUEiGsTKBmOFpW2fazbzdUfOg sdev"; + nets = { + retiolum = { + ip4.addr = "10.243.83.237"; + ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101"; + aliases = [ + "sdev.retiolum" + "sdev.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA8BwHwQ4pLZpskVnQONJsmzRPll4ZKMjAC56sY5p+GfT9ZBMkVDn+ + LeH9wuTRiX/ehgtBiyu8w37cz62hz/71H+3mnWJlTm9bbBTc5N0y8l9b+YYeExW4 + XPm4bUbJWKNRG9tHQAns/OREYDsHLsY6UoyNFmB0wTDpgs7egDCoe7E2eT+pG428 + ysCDYlaZaigOyW+bj/HFLj8FSfpF5C/ug7NE/D7QocadsRUiLtVYrJsfmT+KHWf+ + f5rLWLvuFiz1SWf7wZ9sICF3RCaC9Qhz7zplgHbvwbOHtF+Z/6DxduRMkggZUsUD + nm+40Ex1XJTe+s4V4GKLgh/fDKBTS6JwewIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + # non-stockholm diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index d53482339..bc65739ea 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -223,7 +223,7 @@ let touch ${systemd-logfile} cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc ''; - ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; + ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; ## you can simply sudo -u rtorrent tmux a if privateTmp is set to false ## otherwise the tmux session is stored in some private folder in /tmp diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index 4037f693d..0fabf6d93 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -24,7 +24,9 @@ in { ../2configs/fs/single-partition-ext4.nix ../2configs/smart-monitor.nix ../2configs/tinc/retiolum.nix + ../2configs/filepimp-share.nix ]; + krebs.build.host = config.krebs.hosts.filepimp; # AMD N54L boot = { @@ -76,6 +78,9 @@ in { (xfsmount "j2" (part1 jDisk2)) // (xfsmount "par0" (part1 jDisk3)) ; + + networking.firewall.trustedInterfaces = [ primary-interface ]; + services.wakeonlan.interfaces = [ { interface = primary-interface; diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 401ec6093..20731c847 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -22,6 +22,7 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ../2configs/torrent.nix + ../2configs/graphite-standalone.nix ../2configs/sabnzbd.nix ../2configs/opentracker.nix diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 71fb85ff6..2e09e345e 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -44,6 +44,7 @@ in { ../2configs/fs/sda-crypto-root.nix ../2configs/zsh-user.nix ../2configs/urlwatch.nix + ../2configs/backup.nix ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index ff176edd9..184f74147 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -55,6 +55,10 @@ in { # rt2870 with nonfree creates wlp2s0 from wlp0s20u2 # not explicitly setting the interface results in wpa_supplicant to crash networking.wireless.interfaces = [ "wlp2s0" ]; + networking.interfaces.virbr1.ip4 = [{ + address = "10.8.8.11"; + prefixLength = 24; + }]; # nuc hardware diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 81cd362e6..238b740a6 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -16,13 +16,15 @@ in { ../2configs/bepasty-dual.nix ../2configs/iodined.nix - + ../2configs/backup.nix # other nginx ../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.blog.nix ../2configs/nginx/euer.test.nix + #../2configs/elchos/stats.nix + # collectd # ../2configs/collectd/collectd-base.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index 0243856ab..00eca87c4 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -63,11 +63,10 @@ # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 ]; + networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ]; networking.firewall.allowedUDPPorts = [ 665 26061 ]; krebs.build.host = config.krebs.hosts.x; - krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix index 6f79ed4f4..57fd7a64d 100644 --- a/makefu/2configs/backup.nix +++ b/makefu/2configs/backup.nix @@ -1,6 +1,10 @@ { config, lib, ... }: with config.krebs.lib; let + # preparation: + # mkdir -p defaultBackupDir/host.name/src + # as root on omo: + # ssh-copy-id root@src startAt = "0,6,12,18:00"; defaultBackupServer = config.krebs.hosts.omo; defaultBackupDir = "/home/backup"; @@ -12,7 +16,7 @@ let }; dst = { host = defaultBackupServer; - path = defaultBackupDir + src; + path = "${defaultBackupDir}/${host.name}${src}"; }; startAt = "0,6,12,18:00"; snapshots = { @@ -25,6 +29,6 @@ let }; in { krebs.backup.plans = { - wry-to-omo_var-www = defaultPull wry "/var/www"; + wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/"; }; } diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index b039c12ca..cbc3efbac 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -82,7 +82,6 @@ in URxvt.perl-ext: default,url-select URxvt.keysym.M-u: perl:url-select:select_next - #URxvt.url-select.launcher: firefox -new-tab URxvt.url-select.launcher: chromium URxvt.url-select.underline: true URxvt.searchable-scrollback: CM-s diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix new file mode 100644 index 000000000..0282b04cf --- /dev/null +++ b/makefu/2configs/elchos/stats.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with config.krebs.lib; +let + sec = toString <secrets>; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "stats.nsupdate.info"; + #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + #ssl_key = "${sec}/wildcard.krebsco.de.key"; + ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; + ssl_key = "${acmepath}/${ext-dom}/key.pem"; +in { + networking.firewall = { + allowedTCPPorts = [ 2003 80 443 ]; + allowedUDPPorts = [ 2003 ]; + }; + + services.grafana = { + enable = true; + addr = "127.0.0.1"; + extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; }; + users.allowSignUp = false; + users.allowOrgCreate = false; + users.autoAssignOrg = false; + security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} + }; + krebs.nginx = { + enable = true; + servers.elch-stats = { + server-names = [ ext-dom ]; + listen = [ "80" "443 ssl" ]; + ssl = { + enable = true; + # these certs will be needed if acme has not yet created certificates: + certificate = ssl_cert; + certificate_key = ssl_key; + force_encryption = true; + }; + + locations = [ + (nameValuePair "/" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:3000/; + '') + (nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + '') + ]; + }; + }; + + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; + + services.graphite = { + web = { + enable = true; + host = "127.0.0.1"; + port = 8080; + }; + carbon = { + enableCache = true; + # save disk usage by restricting to 1 bulk update per second + config = '' + [cache] + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1 + MAX_CREATES_PER_MINUTE = 500 + ''; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [elchos] + patterhn = ^elchos\. + retention = 10s:30d,60s:1y + + [default] + pattern = .* + retentions = 30s:30d,300s:1y + ''; + }; + }; +} diff --git a/makefu/2configs/filepimp-share.nix b/makefu/2configs/filepimp-share.nix new file mode 100644 index 000000000..23fa8da08 --- /dev/null +++ b/makefu/2configs/filepimp-share.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + hostname = config.krebs.build.host.name; +in { + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + services.samba = { + enable = true; + shares = { + media = { + path = "/media/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix index 58390e48d..2ec531e56 100644 --- a/makefu/2configs/hw/tp-x220.nix +++ b/makefu/2configs/hw/tp-x220.nix @@ -5,7 +5,7 @@ with config.krebs.lib; imports = [ ./tp-x2x0.nix ]; boot = { - kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ]; + kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; }; hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 9047cfb66..368465a8b 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -38,4 +38,8 @@ with config.krebs.lib; CPU_MIN_PERF_ON_BAT=0 CPU_MAX_PERF_ON_BAT=30 ''; + + powerManagement.resumeCommands = '' + {pkgs.rfkill}/bin/rfkill unblock all + ''; } diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix index ca489d073..b1446eab4 100644 --- a/makefu/2configs/iodined.nix +++ b/makefu/2configs/iodined.nix @@ -5,8 +5,9 @@ let domain = "io.krebsco.de"; pw = import <secrets/iodinepw.nix>; in { + networking.firewall.allowedUDPPorts = [ 53 ]; - services.iodined = { + services.iodine = { server = { enable = true; domain = domain; diff --git a/makefu/2configs/nginx/icecult.nix b/makefu/2configs/nginx/icecult.nix new file mode 100644 index 000000000..a11f92af7 --- /dev/null +++ b/makefu/2configs/nginx/icecult.nix @@ -0,0 +1,28 @@ +{ config, pkgs, lib, ... }: + +with config.krebs.lib; + +let + icecult = pkgs.fetchFromGitHub { + owner = "kraiz"; + repo = "icecult"; + rev = "1942d43381a97f30111a48725f7532c343a6f4d7"; + sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58"; + }; +in{ + krebs.nginx = { + enable = true; + servers.default = { + extraConfig = '' + root ${icecult}/app; + ''; + locations = [ + (nameValuePair "/rpc" '' + rewrite /rpc/(.*) /$1 break; + proxy_http_version 1.1; + proxy_pass http://10.42.22.163:3121; + '') + ]; + }; + }; +} diff --git a/makefu/2configs/rad1o.nix b/makefu/2configs/rad1o.nix index 03bb9bc7e..6eca69e0c 100644 --- a/makefu/2configs/rad1o.nix +++ b/makefu/2configs/rad1o.nix @@ -3,7 +3,7 @@ { environment.systemPackages = with pkgs; [ - gnuradio-full + gnuradio-with-packages gnuradio-osmosdr gqrx ]; diff --git a/makefu/2configs/solr.nix b/makefu/2configs/solr.nix new file mode 100644 index 000000000..cad9eabc1 --- /dev/null +++ b/makefu/2configs/solr.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with config.krebs.lib; +let + solrHome = "/var/db/solr"; +in { + imports = [ ]; + users.users.solr = { + home = solrHome; + uid = genid "solr"; + createHome = true; + group = "solr"; + }; + users.groups.solr.gid = genid "solr"; + + services.solr = { + enable = true; + inherit solrHome; + user = "solr"; + group = "solr"; + }; +} diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix index e0fbefa36..0d8f888fa 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch.nix @@ -14,6 +14,8 @@ https://pypi.python.org/simple/xstatic/ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ + https://github.com/amadvance/snapraid/releases.atom + https://erdgeist.org/gitweb/opentracker/commit/ ]; }; } diff --git a/makefu/5pkgs/mergerfs/default.nix b/makefu/5pkgs/mergerfs/default.nix index 64e8fc671..cfb7b0ae7 100644 --- a/makefu/5pkgs/mergerfs/default.nix +++ b/makefu/5pkgs/mergerfs/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "mergerfs-${version}"; - version = "2.14.0"; + version = "2.16.1"; # not using fetchFromGitHub because of changelog being built with git log src = fetchgit { url = "https://github.com/trapexit/mergerfs"; rev = "refs/tags/${version}"; - sha256 = "0j5r96xddlj5gp3n1xhfwjmr6yf861xg3hgby4p078c8zfriq5rm"; + sha256 = "12fqgk54fnnibqiq82p4g2k6qnw3iy6dd64csmlf73yi67za5iwf"; deepClone = true; }; |