-rw-r--r--krebs/3modules/bepasty-server.nix2
-rw-r--r--krebs/3modules/buildbot/master.nix1
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/nginx.nix190
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix56
-rw-r--r--lass/1systems/iso.nix24
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/buildbot-standalone.nix2
-rw-r--r--lass/2configs/default.nix5
-rw-r--r--lass/2configs/fetchWallpaper.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--shared/1systems/test-all-krebs-modules.nix1
12 files changed, 51 insertions, 237 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e725..0ca13366b 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -37,7 +37,7 @@ let
# TODO use the correct type
type = with types; attrsOf unspecified;
description = ''
- additional nginx configuration. see krebs.nginx for all options
+ Additional nginx configuration.
'';
};
secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b31661572..d75e6c880 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
# stopAllBuilds = 'auth',
# cancelPendingBuild = 'auth'
#)
- # TODO: configure krebs.nginx
c['www'] = dict(
port = ${toString cfg.web.port},
plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 37db5bfe7..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,7 +26,6 @@ let
./kapacitor.nix
./monit.nix
./newsbot-js.nix
- ./nginx.nix
./nixpkgs.nix
./on-failure.nix
./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e37..000000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
- cfg = config.krebs.nginx;
-
- out = {
- options.krebs.nginx = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "krebs.nginx";
-
- default404 = mkOption {
- type = types.bool;
- default = true;
- description = ''
- By default all requests not directed to an explicit hostname are
- replied with a 404 error to avoid accidental exposition of nginx
- services.
-
- Set this value to `false` to disable this behavior - you will then be
- able to configure a new `default_server` in the listen address entries
- again.
- '';
- };
-
- servers = mkOption {
- type = types.attrsOf (types.submodule {
- options = {
- server-names = mkOption {
- type = with types; listOf str;
- default =
- [config.krebs.build.host.name] ++
- concatMap (getAttr "aliases")
- (attrValues config.krebs.build.host.nets);
- };
- listen = mkOption {
- type = with types; either str (listOf str);
- default = "80";
- apply = x:
- if typeOf x != "list"
- then [x]
- else x;
- };
- locations = mkOption {
- type = with types; listOf (attrsOf str);
- default = [];
- };
- extraConfig = mkOption {
- type = with types; string;
- default = "";
- };
- ssl = mkOption {
- type = with types; submodule ({ config, ... }: {
- options = {
- enable = mkEnableOption "ssl";
- acmeEnable = mkOption {
- type = bool;
- apply = x:
- if x && config.enable
- #conflicts because of certificate/certificate_key location
- then throw "can't use ssl.enable and ssl.acmeEnable together"
- else x;
- default = false;
- description = ''
- enables automatical generation of lets-encrypt certificates and setting them as certificate
- conflicts with ssl.enable
- '';
- };
- certificate = mkOption {
- type = str;
- };
- certificate_key = mkOption {
- type = str;
- };
- #TODO: check for valid cipher
- ciphers = mkOption {
- type = str;
- default = "AES128+EECDH:AES128+EDH";
- };
- prefer_server_ciphers = mkOption {
- type = bool;
- default = true;
- };
- force_encryption = mkOption {
- type = bool;
- default = false;
- description = ''
- redirect all `http` traffic to the same domain but with ssl
- protocol.
- '';
- };
- protocols = mkOption {
- type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
- default = [ "TLSv1.1" "TLSv1.2" ];
-
- };
- };
- });
- default = {};
- };
- };
- });
- default = {};
- };
- };
-
- imp = {
- security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
- services.nginx = {
- enable = true;
- httpConfig = ''
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- gzip on;
-
- ${optionalString cfg.default404 ''
- server {
- listen 80 default_server;
- server_name _;
- return 404;
- }''}
-
- ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
- '';
- };
- };
-
- to-acme = { server-names, ssl, ... }:
- optionalAttrs ssl.acmeEnable {
- email = "lassulus@gmail.com";
- webroot = "${config.security.acme.directory}/${head server-names}";
- };
-
- to-location = { name, value }: ''
- location ${name} {
- ${indent value}
- }
- '';
-
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
- domain = head server-names;
- acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
- root ${config.security.acme.certs.${domain}.webroot};
- '');
- in ''
- server {
- server_name ${toString (unique server-names)};
- ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
- ${optionalString ssl.enable (indent ''
- ${optionalString ssl.force_encryption ''
- if ($scheme = http){
- return 301 https://$server_name$request_uri;
- }
- ''}
- listen 443 ssl;
- ssl_certificate ${ssl.certificate};
- ssl_certificate_key ${ssl.certificate_key};
- ${optionalString ssl.prefer_server_ciphers ''
- ssl_prefer_server_ciphers On;
- ''}
- ssl_ciphers ${ssl.ciphers};
- ssl_protocols ${toString ssl.protocols};
- '')}
- ${optionalString ssl.acmeEnable (indent ''
- ${optionalString ssl.force_encryption ''
- if ($scheme = http){
- return 301 https://$server_name$request_uri;
- }
- ''}
- listen 443 ssl;
- ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
- ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
- ${optionalString ssl.prefer_server_ciphers ''
- ssl_prefer_server_ciphers On;
- ''}
- ssl_ciphers ${ssl.ciphers};
- ssl_protocols ${toString ssl.protocols};
- '')}
- ${indent extraConfig}
- ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
- ${indent (concatMapStrings to-location locations)}
- }
- '';
-
-in
-out
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 4bcd596d4..53b06a702 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -1,53 +1,38 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.krebs.retiolum-bootstrap;
-
- out = {
- options.krebs.retiolum-bootstrap = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
- hostname = mkOption {
+in
+{
+ options.krebs.retiolum-bootstrap = {
+ enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}";
+ serverName = mkOption {
type = types.str;
description = "hostname which serves tinc boot";
default = "tinc.krebsco.de" ;
};
- listen = mkOption {
- type = with types; listOf str;
- description = ''Addresses to listen on (nginx-syntax).
- ssl will be configured, http will be redirected to ssl.
- Make sure to have at least 1 ssl port configured.
- '';
- default = [ "80" "443 ssl" ] ;
+ sslCertificate = mkOption {
+ type = types.str;
+ description = "Certificate file to use for ssl";
+ default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
};
- ssl_certificate_key = mkOption {
+ sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.key";
};
- ssl_certificate = mkOption {
- type = types.str;
- description = "Certificate file to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
- };
# in use:
# <secrets/tinc.krebsco.de.crt>
# <secrets/tinc.krebsco.de.key>
};
- imp = {
- krebs.nginx.servers = assert config.krebs.nginx.enable; {
- retiolum-boot-ssl = {
- server-names = singleton cfg.hostname;
- listen = cfg.listen;
- extraConfig = ''
- ssl_certificate ${cfg.ssl_certificate};
- ssl_certificate_key ${cfg.ssl_certificate_key};
-
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts.retiolum-bootstrap = {
+ inherit (cfg) serverName sslCertificate sslCertificateKey;
+ enableSSL = true;
+ extraConfig =''
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
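Review bot: The options `hostname`, `ssl_certificate` and `ssl_certificate_key` are renamed to `serverName`, `sslCertificate` and `sslCertificateKey`, and `listen` is dropped, but no `mkRenamedOptionModule`/`mkRemovedOptionModule` entries accompany the rename, so any host still defining the old names now fails evaluation with an unknown-option error instead of being pointed at the replacement. Adding an `imports` list with those compatibility entries keeps older definitions working (assuming `<stockholm/lib>` re-exports them from nixpkgs lib the way it does `mkOption` and `mkIf`); the rewritten module head is sketched below. Separately, the HTTP-to-HTTPS redirect is still expressed as `if ($scheme = http)` inside `extraConfig` (the block continues into the next hunk); nginx discourages `if` in server context, and if the pinned nixpkgs already provides `virtualHosts.<name>.forceSSL`, using it instead of `enableSSL = true` emits the redirect as a separate plain-HTTP server block and lets the `if` go.
```nix
in
{
  # keep evaluations that still set the pre-rename option names working
  imports = [
    (mkRenamedOptionModule [ "krebs" "retiolum-bootstrap" "hostname" ] [ "krebs" "retiolum-bootstrap" "serverName" ])
    (mkRenamedOptionModule [ "krebs" "retiolum-bootstrap" "ssl_certificate" ] [ "krebs" "retiolum-bootstrap" "sslCertificate" ])
    (mkRenamedOptionModule [ "krebs" "retiolum-bootstrap" "ssl_certificate_key" ] [ "krebs" "retiolum-bootstrap" "sslCertificateKey" ])
    (mkRemovedOptionModule [ "krebs" "retiolum-bootstrap" "listen" ] "listen addresses are now taken from services.nginx")
  ];
  # … unchanged: options.krebs.retiolum-bootstrap and config …
}
```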
@@ -55,10 +40,7 @@ let
root ${pkgs.retiolum-bootstrap};
try_files $uri $uri/retiolum.sh;
'';
- locations = [];
};
};
};
-
-in
-out
+}
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 01d698c4c..99399550c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -12,6 +12,30 @@ with import <stockholm/lib>;
../2configs/nixpkgs.nix
../2configs/vim.nix
{
+ # /dev/stderr doesn't work. I don't know why
+ # /proc/self doesn't seem to work correctly
+ # /dev/pts is empty except for 1 file
+ # my life sucks
+ nixpkgs.config.packageOverrides = super: {
+ irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+ pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+ pkgs.coreutils
+ (pkgs.writeDashBin "tee" ''
+ if test "$1" = /dev/stderr; then
+ while read -r line; do
+ echo "$line"
+ echo "$line" >&2
+ done
+ else
+ ${super.coreutils}/bin/tee "$@"
+ fi
+ '')
+ ];};
+ };
+ };
+ boot.kernelParams = [ "copytoram" ];
+ }
+ {
krebs.enable = true;
krebs.build.user = config.krebs.users.lass;
krebs.build.host = config.krebs.hosts.iso;
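Review bot: The `tee` shim added in the new `packageOverrides` block alters the bytes it relays: dash's builtin `echo` interprets backslash escapes, `read -r` without `IFS=` strips leading and trailing whitespace from every line, and a final line with no trailing newline is dropped because the loop body never runs for it. Writing the loop as `while IFS= read -r line; do printf '%s\n' "$line"; printf '%s\n' "$line" >&2; done` fixes the first two; the third needs a different approach if partial last lines matter for irc-announce's output. The branch also only inspects `$1`, so forms like `tee -a /dev/stderr` or extra file arguments fall through to the real tee, which deserves a comment such as `# only the bare "tee /dev/stderr" form is emulated; everything else goes to coreutils tee`. The four comment lines at the top of the block would be more useful stating what was observed, e.g. `# in this ISO environment /dev/stderr, /proc/self and /dev/pts misbehave, so tee /dev/stderr is emulated by hand`, in place of `my life sucks`.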
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 3032e244f..9c51effdc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -32,8 +32,6 @@ in {
time.timeZone = "Europe/Berlin";
- virtualisation.libvirtd.enable = true;
-
programs.ssh.startAgent = false;
services.printing = {
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 3006e9dfb..7b38e44c6 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -20,7 +20,7 @@ in {
};
config.krebs.buildbot.master = let
- stockholm-mirror-url = http://cgit.lassul.us/stockholm ;
+ stockholm-mirror-url = http://cgit.prism.r/stockholm ;
in {
workers = {
testworker = "lasspass";
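Review bot: The mirror URL keeps the plain `http://` scheme while moving from a public host to `cgit.prism.r`, which looks like a retiolum-internal name; the buildbot master's fetches of stockholm therefore stay unauthenticated and rely entirely on the overlay network for integrity. If that cgit instance also serves https or git over ssh, prefer it; otherwise a one-line comment recording the reasoning, e.g. `# plain http: <why this is acceptable on this network>`, would save the next reader the question.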
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index b53efa75d..e964704c3 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -64,7 +64,10 @@ with import <stockholm/lib>;
];
}
{
- services.dnscrypt-proxy.enable = true;
+ services.dnscrypt-proxy = {
+ enable = true;
+ resolverName = "cs-de";
+ };
networking.extraResolvconfConf = ''
name_servers='127.0.0.1'
'';
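Review bot: `resolverName = "cs-de"` now selects the single upstream for every lookup (the surrounding `name_servers='127.0.0.1'` points resolution at the local listener, presumably dnscrypt-proxy), but nothing records why that entry was chosen. A short comment beside it, e.g. `# cs-de: <why this resolver — operator, logging policy, location>`, would make the trust decision reviewable later.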
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 971be9588..31a01c754 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -6,7 +6,7 @@ in {
krebs.fetchWallpaper = {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
- url = "prism/wallpaper.png";
+ url = "prism/realwallpaper-sat-krebs.png";
maxTime = 10;
};
}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 5309c9551..5f9800b0f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://cgit.lassul.us/nixpkgs;
- ref = "5acb454";
+ ref = "c85f39e";
};
}
diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix
index b42968cfb..39d7c494b 100644
--- a/shared/1systems/test-all-krebs-modules.nix
+++ b/shared/1systems/test-all-krebs-modules.nix
@@ -36,7 +36,6 @@ in {
enable = true;
tables = {};
};
- nginx.enable = true;
realwallpaper.enable = true;
tinc.retiolum.enable = true;
retiolum-bootstrap.enable = true;