-rw-r--r--krebs/3modules/makefu/default.nix51
-rw-r--r--krebs/3modules/tinc_graphs.nix59
-rw-r--r--makefu/1systems/darth.nix12
-rw-r--r--makefu/1systems/pornocauster.nix8
-rw-r--r--makefu/1systems/shoney.nix46
-rw-r--r--makefu/1systems/wry.nix9
-rw-r--r--makefu/2configs/default.nix2
-rw-r--r--makefu/2configs/save-diskspace.nix9
8 files changed, 139 insertions, 57 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 14cee8e12..0b58c75cb 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -48,6 +48,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY-----
'';
};
+ siem = {
+ ip4.addr = "10.8.10.2";
+ aliases = [
+ "darth.siem"
+ ];
+ };
};
};
tsp = {
@@ -98,6 +104,12 @@ with config.krebs.lib;
-----END RSA PUBLIC KEY-----
'';
};
+ siem = {
+ ip4.addr = "10.8.10.4";
+ aliases = [
+ "arch.siem"
+ ];
+ };
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
@@ -184,6 +196,8 @@ with config.krebs.lib;
internet = {
ip4.addr = "104.233.87.86";
aliases = [
+ "wry.i"
+ "paste.i"
"wry.internet"
"paste.internet"
];
@@ -194,10 +208,10 @@ with config.krebs.lib;
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [
"graphs.wry.retiolum"
- "graphs.retiolum"
+ "graphs.r" "graphs.retiolum"
"paste.wry.retiolum"
- "paste.retiolum"
- "wry.retiolum"
+ "paste.r" "paste.retiolum"
+ "wry.r" "wry.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
"blog.makefu.retiolum"
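Review bot: The new alias lines `+ "graphs.r" "graphs.retiolum"`, `+ "paste.r" "paste.retiolum"` and `+ "wry.r" "wry.retiolum"` put two list elements on one line, whereas every other alias in this list (and in the siem and internet blocks added earlier in this diff) is one element per line. Splitting them keeps the list greppable and makes a future change touch a single alias, e.g. `"graphs.r"` on its own line followed by `"graphs.retiolum"`. The `retiolum` attribute set these lines belong to starts and ends outside the hunk.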
@@ -343,6 +357,13 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
shoney = rec {
cores = 1;
nets = {
+ siem = {
+ ip4.addr = "10.8.10.1";
+ aliases = [
+ "sjump.siem"
+ "graphs.siem"
+ ];
+ };
internet = {
ip4.addr = "64.137.234.215";
aliases = [
@@ -456,6 +477,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
+ lariat = rec {
+ cores = 2;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.64.7";
+ aliases = [
+ "lariat.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAqiDzxADQYY8cWBH+R5aKSoxaFHLvPvVMgB7R1Y6QVTqD5YUCuINX
+ eBLFV9idHnHzdZU+xo/c8EFQf0hvyP0z3bcXaiw+RlpEYdK6tuaypJ3870toqWmA
+ 269H8ufA3DA0hxlY7dwnhg8Rb7KGIlNN8fy4RMGe73PupF5aAmiDiEhPalv4E0qJ
+ unmk5y1OHQFPxYm++yLo5SVFlcO89jDtGpvg5papp8JvtxTkrshby1lXf/sph3Cv
+ d1z6h7S+HgT+BMwTZY5dIrwYAcob/t1sRmWsY62P1n02RbiJFm27wg0t/ZcfsI2o
+ yBjRTiK5ACJaIdpM99/902gJsuJASPGB2QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+
soundflower = rec {
cores = 1;
nets = {
@@ -598,6 +641,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
+ } // { # hosts only maintained in stockholm, not owned by me
muhbaasu = rec {
cores = 1;
nets = {
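Review bot: Moving the `} // { # hosts only maintained in stockholm, not owned by me` marker above `muhbaasu` (with the old marker removed in the next hunk at L120) changes which attribute set muhbaasu lands in, and nothing in the diff shows it gaining an explicit `owner` the way tpsw has `owner = config.krebs.users.ciko` at L123. If the first set is wrapped by something that fills in `owner` (not visible from these hunks), muhbaasu now needs its own `owner = …;` line; a short comment on the muhbaasu block stating who maintains it would make the intent of the move explicit. The muhbaasu definition continues past the end of this hunk.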
@@ -626,7 +670,6 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
};
- } // { # hosts only maintained in stockholm, not owned by me
tpsw = {
cores = 2;
owner = config.krebs.users.ciko; # main laptop
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index dec89d249..0f1bae090 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -20,6 +20,18 @@ let
default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat";
};
+ hostsPath = mkOption {
+ type = types.str;
+ description = "Path to Hosts directory";
+ default = "${config.krebs.retiolum.hostsPackage}";
+ };
+
+ network = mkOption {
+ type = types.str;
+ description = "Tinc Network to use";
+ default = "retiolum";
+ };
+
nginx = {
enable = mkEnableOption "enable tinc_graphs to be served with nginx";
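Review bot: `hostsPath` keeps its default of `${config.krebs.retiolum.hostsPackage}` even when `network` is set to something other than `retiolum`, so a consumer that sets only `network = "siem"` silently graphs the retiolum host files (shoney avoids this by setting both, at L295–L296). The descriptions should say so: `description = "Path to the tinc hosts directory; must match network. Defaults to the retiolum hosts package regardless of network";` and `description = "Tinc network whose graphs are built; must match hostsPath";`. If the two are meant to track each other, a default of `/etc/tinc/${cfg.network}/hosts` would need checking against how the retiolum hosts are installed, which this hunk does not show. The `let` block these options live in starts before the hunk.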
@@ -73,10 +85,10 @@ let
};
imp = {
- environment.systemPackages = [ pkgs.tinc_graphs];
+ environment.systemPackages = [ pkgs.tinc_graphs ];
systemd.timers.tinc_graphs = {
description = "Build Tinc Graphs via via timer";
- wantedBy = [ "timers.target"];
+ wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig;
};
systemd.services.tinc_graphs = {
@@ -85,7 +97,8 @@ let
EXTERNAL_FOLDER = external_dir;
INTERNAL_FOLDER = internal_dir;
GEODB = cfg.geodbPath;
- TINC_HOSTPATH = config.krebs.retiolum.hostsPackage;
+ TINC_HOSTPATH = cfg.hostsPath;
+ TINC_NETWORK = cfg.network;
};
restartIfChanged = true;
@@ -103,7 +116,7 @@ let
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}"
fi
'';
- ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs";
+ ExecStart = ''${pkgs.tinc_graphs}/bin/all-the-graphs "${cfg.network}"'';
ExecStartPost = pkgs.writeDash "tinc_graphs-post" ''
# TODO: this may break if workingDir is set to something stupid
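Review bot: `ExecStart = ''${pkgs.tinc_graphs}/bin/all-the-graphs "${cfg.network}"''` splices a `types.str` option into the unit's command line with only double quotes around it, so a value containing a double quote or backslash changes how systemd tokenizes ExecStart. Since the same value also goes into the service environment as TINC_NETWORK (L163), it is worth constraining it at the option (for example `type = types.strMatching "[A-Za-z0-9_-]+";`, if the lib in scope provides it) or quoting it with `escapeShellArg`, whose single-quoted output systemd also accepts. The service definition continues outside the hunk.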
@@ -121,24 +134,26 @@ let
uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs";
};
-
- krebs.nginx.servers = mkIf cfg.nginx.enable {
- tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${internal_dir};
- '')
- ];
- }] ;
- tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${external_dir};
- '')
- ];
- }];
+ krebs.nginx = mkIf cfg.nginx.enable {
+ enable = mkDefault true;
+ servers = {
+ tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
+ locations = [
+ (nameValuePair "/" ''
+ autoindex on;
+ root ${internal_dir};
+ '')
+ ];
+ }] ;
+ tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous {
+ locations = [
+ (nameValuePair "/" ''
+ autoindex on;
+ root ${external_dir};
+ '')
+ ];
+ }];
+ };
};
};
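Review bot: `enable = mkDefault true;` makes `krebs.tinc_graphs.nginx.enable` switch the whole krebs nginx service on, which the option description `"enable tinc_graphs to be served with nginx"` at L144 does not mention; append `; also enables krebs.nginx unless set otherwise` to it. The `tinc_graphs_complete` server still publishes `${internal_dir}` with `autoindex on`, and unless `cfg.nginx.complete` (whose default is outside this hunk) binds it to an internal address, as shoney does with `listen = [ "${tinc-siem-ip}:80" ]` at L301, the complete graph is served on every interface. A comment above `tinc_graphs_complete`, e.g. `# serves the full graph incl. internal addresses; callers must restrict listen via nginx.complete`, would record that expectation.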
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 08ac7e66e..5f1d6e121 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -33,16 +33,10 @@ in {
firewall = {
allowPing = true;
logRefusedConnections = false;
- allowedUDPPorts = [ 80 655 67 ];
- allowedTCPPorts = [ 80 655 ];
- };
- nat = {
- enable = true;
- internalIPs = [ "10.8.10.0/24" ];
- #internalInterfaces = [ "tinc.siem" ];
- externalIP = "10.8.8.2";
- externalInterface = "virbr3";
+ allowedUDPPorts = [ 80 655 1655 67 ];
+ allowedTCPPorts = [ 80 655 1655 ];
};
+ # fallback connection to the internal virtual network
interfaces.virbr3.ip4 = [{
address = "10.8.8.2";
prefixLength = 24;
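Review bot: The rewritten `allowedUDPPorts = [ 80 655 1655 67 ];` / `allowedTCPPorts = [ 80 655 1655 ];` open a second port without saying which daemon listens on it; the same pair 655/1655 appears on shoney at L324–L325, so 1655 is presumably the siem tinc daemon while 655 stays retiolum, but that is inferred. A comment on those lines, e.g. `# 655: retiolum tinc, 1655: siem tinc (confirm), 67: DHCP on virbr3 (confirm)`, would let the next reader check that the open ports still match the running daemons now that the NAT block is gone. The `firewall` and `interfaces` attributes belong to a `networking` set that starts before the hunk.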
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 2fb93798a..7b6c18342 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -44,6 +44,14 @@
# ../2configs/temp/sabnzbd.nix
];
+ services.tinc.networks.siem = {
+ name = "makefu";
+ extraConfig = ''
+ ConnectTo = sdarth
+ ConnectTo = sjump
+ '';
+ };
+
krebs.nginx = {
default404 = false;
servers.default.listen = [ "80 default_server" ];
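Review bot: `services.tinc.networks.siem` sets the node name and two `ConnectTo` targets but no `hosts` entries, so the host files for `sdarth` and `sjump` that tinc needs to resolve those names must come from somewhere not in this diff (shoney reads them from `/etc/tinc/siem/hosts` at L296). A comment naming the source, e.g. `# host files for sdarth/sjump come from <PLACEHOLDER: source module>`, would stop the next reader from assuming the network is fully defined here. The node is also called `makefu` here while its siem alias in krebs/3modules/makefu/default.nix is `arch.siem` (L39); if that difference is deliberate, say so next to `name = "makefu";`.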
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 48679fe58..1fe8871d2 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -1,5 +1,7 @@
{ config, pkgs, ... }:
let
+ tinc-siem-ip = "10.8.10.1";
+
ip = "64.137.234.215";
alt-ip = "64.137.234.210";
extra-ip = "64.137.234.114"; #currently unused
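Review bot: `tinc-siem-ip = "10.8.10.1";` duplicates the address this commit also declares for shoney's siem net at L73 of krebs/3modules/makefu/default.nix, so the two can drift apart with nothing to catch it. `config` is in scope (L265), so the binding can be derived instead: `tinc-siem-ip = config.krebs.hosts.shoney.nets.siem.ip4.addr;`, which also removes part of what the `# TODO: remove hard-coded hostname` at L299 asks for. The `let` block continues past the hunk.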
@@ -7,32 +9,46 @@ let
in {
imports = [
../.
+ ../2configs/save-diskspace.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
-
];
- services.tinc.networks.siem.name = "sjump";
- # minimal resources
- services.nixosManual.enable = false;
- programs.man.enable = false;
- nix.gc.automatic = true;
- nix.gc.dates = "03:10";
+ services.tinc.networks.siem.name = "sjump";
krebs = {
enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
+ nginx.enable = true;
+ tinc_graphs = {
+ enable = true;
+ network = "siem";
+ hostsPath = "/etc/tinc/siem/hosts";
+ nginx = {
+ enable = true;
+ # TODO: remove hard-coded hostname
+ complete = {
+ listen = [ "${tinc-siem-ip}:80" ];
+ server-names = [ "graphs.siem" ];
+ };
+ };
+ };
};
- networking.interfaces.enp2s1.ip4 = [
- { address = ip; prefixLength = 24; }
- { address = alt-ip; prefixLength = 24; }
- ];
+ networking = {
+ interfaces.enp2s1.ip4 = [
+ { address = ip; prefixLength = 24; }
+ { address = alt-ip; prefixLength = 24; }
+ ];
- networking.defaultGateway = gw;
- networking.nameservers = [ "8.8.8.8" ];
- networking.firewall.allowedUDPPorts = [ 655 1655 ];
- networking.firewall.allowedTCPPorts = [ 655 1655 ];
+ defaultGateway = gw;
+ nameservers = [ "8.8.8.8" ];
+ firewall = {
+ trustedInterfaces = [ "tinc.siem" ];
+ allowedUDPPorts = [ 655 1655 ];
+ allowedTCPPorts = [ 655 1655 ];
+ };
+ };
}
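Review bot: `trustedInterfaces = [ "tinc.siem" ];` lifts the firewall entirely for traffic arriving over the siem tunnel, which is more than the graphs server needs: the only service this file exposes on that interface is nginx on `${tinc-siem-ip}:80` (L301). Allowing just that port on that interface — `interfaces."tinc.siem".allowedTCPPorts = [ 80 ];` under `firewall`, if the NixOS release in use has per-interface firewall options — keeps darth and pornocauster, which are peers on the same tunnel, from reaching everything else shoney listens on. If full trust of siem peers is intended, a one-line comment next to `trustedInterfaces` saying so would make the choice reviewable.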
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index ed48c6abe..5788cb654 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -11,7 +11,7 @@ in {
# TODO: copy this config or move to krebs
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/headless.nix
+ ../2configs/save-diskspace.nix
../2configs/bepasty-dual.nix
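Review bot: Swapping `../2configs/headless.nix` for `../2configs/save-diskspace.nix` replaces one module with a different one, and only the settings removed later in this file (nixosManual, man, nix.gc) are visibly covered by the new module (L380–L384); anything else headless.nix contributed is dropped without being shown here. If headless.nix still exists and carries more than those settings, keep it in the imports list alongside save-diskspace.nix, or state in the commit that it is intentionally no longer applied to wry. The `imports` list continues outside the hunk.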
@@ -27,8 +27,7 @@ in {
../2configs/collectd/collectd-base.nix
];
krebs.retiolum.enable = true;
- services.nixosManual.enable = false;
- programs.man.enable = false;
+
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor = {
@@ -83,9 +82,5 @@ in {
nameservers = [ "8.8.8.8" ];
};
- # small machine - do not forget to gc every day
- nix.gc.automatic = true;
- nix.gc.dates = "03:10";
-
environment.systemPackages = [ ];
}
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index e7366e182..a753e6777 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -16,6 +16,8 @@ with config.krebs.lib;
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
+
+ dns.providers.siem = "hosts";
search-domain = "retiolum";
build = {
user = config.krebs.users.makefu;
diff --git a/makefu/2configs/save-diskspace.nix b/makefu/2configs/save-diskspace.nix
new file mode 100644
index 000000000..cc2b29cac
--- /dev/null
+++ b/makefu/2configs/save-diskspace.nix
@@ -0,0 +1,9 @@
+_:
+# TODO: do not check out nixpkgs master but fetch revision from github
+{
+ services.nixosManual.enable = false;
+ programs.man.enable = false;
+ services.journald.extraConfig = "SystemMaxUse=50M";
+ nix.gc.automatic = true;
+ nix.gc.dates = "03:10";
+}
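Review bot: The new module has no header saying what it is for, and the `# TODO` on L378 is about how nixpkgs is fetched, which none of the five settings below touch, so a reader cannot tell whether that note belongs here. Add a first comment such as `# Trim disk usage on small hosts: drop manuals, cap the journal, GC the store nightly` and move the nixpkgs TODO to wherever nixpkgs is checked out. `SystemMaxUse=50M` also bounds how much journal history survives on every host that imports this (shoney at L276, wry at L338); for hosts whose logs matter for troubleshooting or incident review, the cap should be paired with log forwarding or raised, and a comment on that line should record that the trade-off was considered.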