diff options
39 files changed, 597 insertions, 812 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 50e04cf80..4e035e725 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -22,6 +22,16 @@ let servers = mkOption { type = with types; attrsOf optionSet; + example = '' + { + "paste.r" = { + defaultPermissions = "read,delete,create"; + }; + "paste.krebsco.de" = { + defaultPermissions = "read"; + }; + } + ''; options = singleton { nginx = mkOption { # TODO use the correct type @@ -30,7 +40,6 @@ let additional nginx configuration. see krebs.nginx for all options ''; }; - secretKey = mkOption { type = types.str; description = '' @@ -39,6 +48,7 @@ let default = ""; }; + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi workDir = mkOption { type = types.str; @@ -143,25 +153,25 @@ let }; nginx-imp = { - assertions = [{ assertion = config.krebs.nginx.enable; - message = "krebs.nginx.enable must be true"; }]; - - krebs.nginx.servers = mapAttrs' (name: server: - nameValuePair("bepasty-server-${name}") - (mkMerge [ server.nginx { - extraConfig = '' - client_max_body_size 32M; - ''; - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $http_host; - proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock; - '') - (nameValuePair "/static/" '' - alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; - '') - ]; - }])) cfg.servers ; + assertions = [{ assertion = config.services.nginx.enable; + message = "services.nginx.enable must be true"; }]; + + services.nginx.virtualHosts = mapAttrs ( name: server: + (mkMerge [ + server.nginx + { + extraConfig = '' + client_max_body_size 32M; + ''; + locations = { + "/".extraConfig = "proxy_set_header Host $http_host;"; + "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; + "/static/".extraConfig = '' + alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; + ''; + }; + }]) + ) cfg.servers ; }; in out diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 20907a3ed..164831846 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -400,29 +400,24 @@ let chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} ''; - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.r" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; + services.nginx.virtualHosts.cgit = { + serverAliases = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.r" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations."/".extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + locations."/static/".extraConfig = '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + ''; }; }; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ff187b878..c85bf1ccd 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -26,6 +26,31 @@ with import <stockholm/lib>; }; }; }; + fileleech = rec { + cores = 4; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech"; + nets = { + retiolum = { + ip4.addr = "10.243.113.98"; + ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; + aliases = [ + "fileleech.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA2W20+jYvuFUjPQ+E+7Xlabf8fW/XSnTTelfo2uRcJ3FMLYQ9H3rF + 8L8StPmxn8Q20FFH/MvRmgW8pU9z4RQ3nAi+utVYqAJQtOYA9FPMxssC08w82r0K + YC6sgc9MeRjnCjQxQrQs4fqA6KpqSLxRf2c6kfNwYRgCxFMns2ncxOiPOoGLZait + nJR3m0cSRm8yCTMbznlGH99+5+3HgvuBE/UYXmmGBs7w8DevaX76butzprZ8fm4z + e5C7R9ofdVW70GGksfSI81y5xODWMbfjTRHKm4OBX7NOCiOTwx1wu8bYDN3EzN6V + UM5PJfU42sViPEZmVuC8cDcP1xemHTkh9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + pnp = { cores = 1; nets = { diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index bcc52fb6e..0c478aded 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -73,22 +73,23 @@ let # authentication also applies to rtorrent.rutorrent enable = mkEnableOption "rtorrent nginx web RPC"; - listenAddress = mkOption { - type = types.str; + port = mkOption { + type = types.nullOr types.int; description ='' - nginx listen address for rtorrent web + nginx listen port for rtorrent ''; - default = "localhost:8006"; + default = 8006; }; - enableAuth = mkEnableOption "rutorrent authentication"; - authfile = mkOption { - type = types.path; + basicAuth = mkOption { + type = types.attrsOf types.str ; description = '' - basic authentication file to be used. - Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file. - Only in use if authentication is enabled. + basic authentication to be used. If unset, no authentication will be + enabled. + + Refer to `services.nginx.virtualHosts.<name>.basicAuth` ''; + default = {}; }; }; @@ -104,7 +105,6 @@ let default = pkgs.rutorrent; }; - webdir = mkOption { type = types.path; description = '' @@ -286,36 +286,28 @@ let }; rpcweb-imp = { - krebs.nginx.enable = mkDefault true; - krebs.nginx.servers.rtorrent = { - listen = [ webcfg.listenAddress ]; - server-names = [ "default" ]; - extraConfig = '' - ${optionalString webcfg.enableAuth '' - auth_basic "rtorrent"; - auth_basic_user_file ${webcfg.authfile}; - ''} - ${optionalString rucfg.enable '' - root ${webdir}; - ''} - ''; - locations = [ - (nameValuePair "/RPC2" '' + services.nginx.enable = mkDefault true; + services.nginx.virtualHosts.rtorrent = { + default = mkDefault true; + inherit (webcfg) basicAuth port; + root = optionalString rucfg.enable webdir; + + locations = { + "/RPC2".extraConfig = '' include ${pkgs.nginx}/conf/scgi_params; scgi_param SCRIPT_NAME /RPC2; scgi_pass unix:${cfg.xmlrpc-socket}; - '') - ] ++ (optional rucfg.enable - (nameValuePair "~ \.php$" '' + ''; + } // (optionalAttrs rucfg.enable { + "~ \.php$".extraConfig = '' client_max_body_size 200M; - root ${webdir}; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm-socket}; try_files $uri =404; fastcgi_index index.php; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; - '') + ''; } ); }; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 26a51de00..197835e73 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -35,35 +35,28 @@ let nginx = { enable = mkEnableOption "enable tinc_graphs to be served with nginx"; - anonymous = { - server-names = mkOption { - type = with types; listOf str; - description = "hostnames which serve anonymous graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - # use the type of the nginx listen option - type = with types; listOf str; - description = "listen address for anonymous graphs"; - default = [ "80" ]; - }; - + anonymous = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the anonymous graphs + vhost entry. + ''; + }; + anonymous-domain = mkOption { + type = types.str; + description = '' + external domainname to be used for anonymous graphs + it will be used if you want to enable ACME + ''; + default = "graphs.krebsco.de"; }; - complete = { - server-names = mkOption { - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - type = with types; listOf str; - description = "listen address for complete graphs"; - default = [ "127.0.0.1:80" ]; - }; - + complete = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the complete graphs + vhost entry. + ''; }; }; @@ -134,24 +127,20 @@ let uid = genid "tinc_graphs"; home = "/var/spool/tinc_graphs"; }; - krebs.nginx = mkIf cfg.nginx.enable { + services.nginx = mkIf cfg.nginx.enable { enable = mkDefault true; - servers = { + virtualHosts = { tinc_graphs_complete = mkMerge [ cfg.nginx.complete { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${internal_dir}; - '') - ]; - }] ; - tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${external_dir}; - '') - ]; + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = internal_dir; + }; + }]; + "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous { + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = external_dir; + }; }]; }; }; diff --git a/krebs/5pkgs/rutorrent/default.nix b/krebs/5pkgs/rutorrent/default.nix index 5a2259552..1084e7ce7 100644 --- a/krebs/5pkgs/rutorrent/default.nix +++ b/krebs/5pkgs/rutorrent/default.nix @@ -1,11 +1,11 @@ { pkgs, ... }: pkgs.stdenv.mkDerivation { - name = "rutorrent-src-3.7"; + name = "rutorrent-src_2016-12-09"; src = pkgs.fetchFromGitHub { owner = "Novik"; repo = "rutorrent"; - rev = "b727523a153454d4976f04b0c47336ae57cc50d5"; - sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a"; + rev = "580bba8c538b55c1f75f3ad65310ff4ff2a153f7"; + sha256 = "1d9lgrzipy58dnx88z393p152kx6lki0x4aw40k8w9awsci4cx7p"; }; phases = [ "installPhase" ]; diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix new file mode 100644 index 000000000..1eac141dc --- /dev/null +++ b/makefu/1systems/fileleech.nix @@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; + rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; + rootPartition = rootDisk + "-part3"; + + dataDisks = let + idpart = dev: byid dev + "-part1"; + in [ + { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} + { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";} + { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";} + { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";} + { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";} + { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";} + { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";} + { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity + ]; + + disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks; +in { + imports = [ + ../. + ../2configs/tinc/retiolum.nix + ../2configs/disable_v6.nix + ../2configs/torrent.nix + ../2configs/fs/sda-crypto-root.nix + + ../2configs/elchos/irc-token.nix + ../2configs/elchos/log.nix + ../2configs/elchos/search.nix + ../2configs/elchos/stats.nix + + ]; + makefu.server.primary-itf = "enp8s0f0"; + krebs = { + enable = true; + build.host = config.krebs.hosts.fileleech; + }; + # git clone https://github.com/makefu/docker-pyload + # docker build . + # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload + + virtualisation.docker.enable = true; # for pyload + networking.firewall.allowedTCPPorts = [ + 51412 # torrent + 8112 # rutorrent-web + 8113 # pyload + 8080 # sabnzbd + 9090 # sabnzbd-ssl + 655 # tinc + ]; + networking.firewall.allowedUDPPorts = [ + 655 # tinc + 51412 # torrent + ]; + + services.sabnzbd.enable = true; + systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + boot.initrd.luks = { + devices = let + usbkey = name: device: { + inherit name device keyFile; + keyFileSize = 4096; + allowDiscards = true; + }; + in builtins.map (x: usbkey x.name x.device) disks; + }; + environment.systemPackages = with pkgs;[ mergerfs ]; + + fileSystems = let + cryptMount = name: + { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; + in cryptMount "crypt0" + // cryptMount "crypt1" + // cryptMount "crypt2" + // cryptMount "crypt3" + // cryptMount "crypt4" + // cryptMount "crypt5" + // cryptMount "crypt6" + // cryptMount "crypt7" + + # this entry sometimes creates issues + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]); + fsType = "mergerfs"; + noCheck = true; + options = [ "defaults" "nofail" "allow_other" "nonempty" ]; }; + } + + ; + makefu.snapraid = { + enable = true; + disks = map toMapper [ 0 1 2 3 4 5 6 ]; + parity = toMapper 7; + }; + + boot.loader.grub.device = rootDisk; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html + boot.extraModprobeConfig = '' + options ixgbe allow_unsupported_sfp=1 + ''; +} diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index e8a368fa2..e7761a642 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -15,6 +15,7 @@ in { ../2configs/git/cgit-retiolum.nix # ../2configs/mattermost-docker.nix ../2configs/nginx/euer.test.nix + ../2configs/nginx/public_html.nix ../2configs/nginx/update.connector.one.nix ../2configs/deployment/mycube.connector.one.nix @@ -31,7 +32,9 @@ in { ]; services.smartd.devices = [ { device = "/dev/sda";} ]; + ###### stable + services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; krebs.tinc.retiolum = { extraConfig = '' @@ -48,10 +51,6 @@ in { makefu.taskserver.enable = true; - krebs.nginx.servers.cgit = { - server-names = [ "cgit.euer.krebsco.de" ]; - listen = [ "${external-ip}:80" "${internal-ip}:80" ]; - }; # access users.users = { @@ -76,9 +75,8 @@ in { services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0" ''; - boot.kernelParams = [ "ipv6.disable=1" ]; + boot.kernelParams = [ ]; networking = { - enableIPv6 = false; firewall = { allowPing = true; logRefusedConnections = false; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 4fbbd653d..609d52134 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -48,12 +48,16 @@ in { ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix - ../2configs/disable_v6.nix + # ../2configs/disable_v6.nix #../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix - ../2configs/torrent.nix + # ../2configs/torrent.nix + + # ../2configs/elchos/search.nix + # ../2configs/elchos/log.nix + # ../2configs/elchos/irc-token.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload @@ -121,7 +125,8 @@ in { // { "/media/cryptX" = { device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]); fsType = "mergerfs"; - options = [ "defaults" "allow_other" ]; + noCheck = true; + options = [ "defaults" "allow_other" "nofail" "nonempty" ]; }; }; diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 17e81f793..81ee37bbe 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -13,7 +13,7 @@ in { ../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/save-diskspace.nix - ../2configs/bepasty-dual.nix + # ../2configs/bepasty-dual.nix ../2configs/iodined.nix ../2configs/backup.nix @@ -21,9 +21,7 @@ in { # other nginx ../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.blog.nix - ../2configs/nginx/euer.test.nix - - #../2configs/elchos/stats.nix + # ../2configs/nginx/euer.test.nix # collectd # ../2configs/collectd/collectd-base.nix @@ -52,7 +50,7 @@ in { krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ]; # prepare graphs - krebs.nginx.enable = true; + services.nginx.enable = true; krebs.retiolum-bootstrap.enable = true; krebs.tinc_graphs = { @@ -61,12 +59,17 @@ in { enable = true; # TODO: remove hard-coded hostname complete = { - listen = [ "${internal-ip}:80" ]; - server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; + extraConfig = '' + if ( $server_addr = "${external-ip}" ) { + return 403; + } + ''; + serverAliases = [ "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; }; anonymous = { - listen = [ "${external-ip}:80" ] ; - server-names = [ "graphs.krebsco.de" ]; + enableSSL = true; + forceSSL = true; + enableACME = true; }; }; }; diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index a6be04876..936aaf004 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -20,54 +20,29 @@ let ext-dom = "paste.krebsco.de" ; in { - krebs.nginx.enable = mkDefault true; + services.nginx.enable = mkDefault true; krebs.bepasty = { enable = true; serveNginx= true; servers = { - internal = { + "paste.r" = { nginx = { - server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; + serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; }; - external = { + "${ext-dom}" = { nginx = { - server-names = [ ext-dom ]; - ssl = { - enable = true; - certificate = "${acmepath}/${ext-dom}/fullchain.pem"; - certificate_key = "${acmepath}/${ext-dom}/key.pem"; - # these certs will be needed if acme has not yet created certificates: - #certificate = "${sec}/wildcard.krebsco.de.crt"; - #certificate_key = "${sec}/wildcard.krebsco.de.key"; - ciphers = "RC4:HIGH:!aNULL:!MD5" ; - force_encryption = true; - }; - locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${ext-dom}/; - ''); - extraConfig = '' - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_verify_client off; - proxy_ssl_session_reuse off; - ''; + enableSSL = true; + forceSSL = true; + enableACME = true; }; defaultPermissions = "read"; secretKey = secKey; }; }; }; - security.acme.certs."${ext-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${ext-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains."${ext-dom}" = null ; - }; } diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 9a2adbc3e..9e3f3eb61 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -22,7 +22,7 @@ with import <stockholm/lib>; user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; - ref = "f52eaf4"; # stable @ 2016-12-12 + ref = "ee13b9af"; # stable @ 2016-12-12 in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 091b7f21b..379176f78 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -27,23 +27,18 @@ in { }; }; - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - mybox-connector-one = { - listen = [ "${external-ip}:80" ]; - server-names = [ - "mycube.connector.one" - "mybox.connector.one" - ]; - locations = singleton (nameValuePair "/" '' + virtualHosts."mybox.connector.one" = { + locations = { + "/".extraConfig = '' uwsgi_pass unix://${wsgi-sock}; uwsgi_param UWSGI_CHDIR ${pkgs.mycube-flask}/${pkgs.python.sitePackages}; uwsgi_param UWSGI_MODULE mycube.websrv; uwsgi_param UWSGI_CALLABLE app; include ${pkgs.nginx}/conf/uwsgi_params; - ''); + ''; }; }; }; diff --git a/makefu/2configs/disable_v6.nix b/makefu/2configs/disable_v6.nix index 37db172ef..0a8c8d53d 100644 --- a/makefu/2configs/disable_v6.nix +++ b/makefu/2configs/disable_v6.nix @@ -1,4 +1,3 @@ { networking.enableIPv6 = false; - boot.kernelParams = [ "ipv6.disable=1" ]; } diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix new file mode 100644 index 000000000..3f3c4ffc3 --- /dev/null +++ b/makefu/2configs/elchos/irc-token.nix @@ -0,0 +1,62 @@ +{pkgs, ...}: +with import <stockholm/lib>; +let + secret = (import <secrets/elchos-token.nix>); +in { + systemd.services.elchos-irctoken = { + startAt = "*:0/30"; + serviceConfig = { + RuntimeMaxSec = "20"; + }; + script = '' + set -euf + now=$(date -u +%Y-%m-%dT%H:%M) + sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1) + message="The secret valid for 30 minutes is $sec" + echo "token for $now (UTC) is $sec" + LOGNAME=sec-announcer + HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static) + IRC_SERVER=irc.freenode.net + IRC_PORT=6667 + IRC_NICK=$HOSTNAME-$$ + IRC_CHANNEL='#eloop' + + export IRC_CHANNEL # for privmsg_cat + + echo2() { echo "$*"; echo "$*" >&2; } + + privmsg_cat() { ${pkgs.gawk}/bin/awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$HOSTNAME" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + ${pkgs.gnused}/bin/sed -un '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + printf '%s' "$message" \ + | privmsg_cat + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -un '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin + ''; + }; +} diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix new file mode 100644 index 000000000..3facd1ceb --- /dev/null +++ b/makefu/2configs/elchos/log.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +let +in { + networking.firewall.allowedTCPPorts = [ 80 443 514 ]; + networking.firewall.allowedUDPPorts = [ 80 443 514 ]; + services.logstash = { + enable = true; + enableWeb = true; + inputConfig = '' + syslog { + timezone => "Etc/UTC" + } + ''; + filterConfig = '' + if ( [program] == "proftpd") { + kv { + field_split => " " + } + } + ''; + outputConfig = '' + stdout { + codec => rubydebug + } + elasticsearch { } + ''; + }; + services.elasticsearch = { + enable = true; + }; + services.kibana = { + enable = true; + port = 9332; + }; + services.nginx = { + virtualHosts = { + "log.nsupdate.info" = { + enableACME = true; + forceSSL = true; + basicAuth = import <secrets/kibana-auth.nix>; + locations = { + "/" = { + proxyPass = "http://localhost:9332"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + }; + }; +} diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix index 5adaa0c6f..5777be373 100644 --- a/makefu/2configs/elchos/search.nix +++ b/makefu/2configs/elchos/search.nix @@ -1,11 +1,12 @@ { config, lib, pkgs, ... }: -# graphite-web on port 8080 -# carbon cache on port 2003 (tcp/udp) +# search also generates ddclient entries for all other logs + with import <stockholm/lib>; let #primary-itf = "eth0"; - primary-itf = "wlp2s0"; + #primary-itf = "wlp2s0"; + primary-itf = config.makefu.server.primary-itf; elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock"; ddclientUser = "ddclient"; sec = toString <secrets>; @@ -14,15 +15,7 @@ let cfg = "${stateDir}/cfg"; ddclientPIDFile = "${stateDir}/ddclient.pid"; - acmepath = "/var/lib/acme/"; - acmechall = acmepath + "/challenges/"; # TODO: correct cert generation requires a `real` internet ip address - stats-dom = "stats.nsupdate.info"; - search-dom = "search.nsupdate.info"; - search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem"; - search_ssl_key = "${acmepath}/${search-dom}/key.pem"; - stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem"; - stats_ssl_key = "${acmepath}/${stats-dom}/key.pem"; gen-cfg = dict: '' ssl=yes @@ -64,75 +57,22 @@ in { }; }; - security.acme.certs = { - "${stats-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${stats-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains = { - "${stats-dom}" = null ; - }; - }; - "${search-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${search-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains = { - "${stats-dom}" = null ; - }; - }; - }; - - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - elch-stats = { - server-names = [ stats-dom ]; - # listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - certificate = stats_ssl_cert; - certificate_key = stats_ssl_key; - force_encryption = true; + virtualHosts = { + "search.nsupdate.info" = { + enableACME = true; + forceSSL = true; + locations = { + "/".extraConfig = '' + uwsgi_pass unix://${elch-sock}; + uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages}; + uwsgi_param UWSGI_MODULE elchhub.wsgi; + uwsgi_param UWSGI_CALLABLE app; + + include ${pkgs.nginx}/conf/uwsgi_params; + ''; }; - - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:3000/; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${search-dom}/; - '') - ]; - }; - elchhub = { - server-names = [ "search.nsupdate.info" ]; - # listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - certificate = search_ssl_cert; - certificate_key = search_ssl_key; - force_encryption = true; - }; - locations = [ (nameValuePair "/" '' - uwsgi_pass unix://${elch-sock}; - uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages}; - uwsgi_param UWSGI_MODULE elchhub.wsgi; - uwsgi_param UWSGI_CALLABLE app; - - include ${pkgs.nginx}/conf/uwsgi_params; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${search-dom}/; - '') - ]; }; }; }; @@ -147,7 +87,7 @@ in { ExecStart = "${pkgs.elchhub}/bin/elch-manager"; }; }; - register-elchos-nsupdate = { + ddclient-nsupdate-elchos = { wantedBy = [ "multi-user.target" ]; after = [ "ip-up.target" ]; serviceConfig = { @@ -163,49 +103,8 @@ in { }; }; - services.grafana = { - enable = true; - addr = "127.0.0.1"; - users.allowSignUp = false; - users.allowOrgCreate = false; - users.autoAssignOrg = false; - auth.anonymous.enable = true; - security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} - }; - - services.graphite = { - api = { - enable = true; - listenAddress = "127.0.0.1"; - port = 8080; - }; - carbon = { - enableCache = true; - # save disk usage by restricting to 1 bulk update per second - config = '' - [cache] - MAX_CACHE_SIZE = inf - MAX_UPDATES_PER_SECOND = 1 - MAX_CREATES_PER_MINUTE = 500 - ''; - storageSchemas = '' - [carbon] - pattern = ^carbon\. - retentions = 60:90d - - [elchos] - patterhn = ^elchos\. - retentions = 10s:30d,60s:3y - - [default] - pattern = .* - retentions = 30s:30d,300s:1y - ''; - }; - }; - networking.firewall = { - allowedTCPPorts = [ 2003 80 443 ]; - allowedUDPPorts = [ 2003 ]; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ ]; }; } diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix index 9f27b6647..b6133205f 100644 --- a/makefu/2configs/elchos/stats.nix +++ b/makefu/2configs/elchos/stats.nix @@ -1,73 +1,48 @@ { config, lib, pkgs, ... }: +# requires nsupdate to get correct hostname (from ./search.nix) # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) + with import <stockholm/lib>; -let - sec = toString <secrets>; - acmepath = "/var/lib/acme/"; - acmechall = acmepath + "/challenges/"; - ext-dom = "stats.nsupdate.info"; - #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - #ssl_key = "${sec}/wildcard.krebsco.de.key"; - ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; - ssl_key = "${acmepath}/${ext-dom}/key.pem"; -in { - networking.firewall = { - allowedTCPPorts = [ 2003 80 443 ]; - allowedUDPPorts = [ 2003 ]; +{ + + services.nginx = { + enable = mkDefault true; + virtualHosts = { + "stats.nsupdate.info" = { + enableACME = true; + forceSSL = true; + + locations = { + "/" = { + proxyPass = "http://localhost:3000/"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + }; }; services.grafana = { enable = true; addr = "127.0.0.1"; - extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; }; users.allowSignUp = false; users.allowOrgCreate = false; users.autoAssignOrg = false; + auth.anonymous.enable = true; security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} }; - krebs.nginx = { - enable = true; - servers.elch-stats = { - server-names = [ ext-dom ]; - listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - # these certs will be needed if acme has not yet created certificates: - certificate = ssl_cert; - certificate_key = ssl_key; - force_encryption = true; - }; - - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:3000/; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${ext-dom}/; - '') - ]; - }; - }; - - security.acme.certs."${ext-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${ext-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains."${ext-dom}" = null ; - }; services.graphite = { - web = { + api = { enable = true; - host = "127.0.0.1"; - port = 8080; + listenAddress = "127.0.0.1"; + port = 18080; }; carbon = { enableCache = true; @@ -85,7 +60,7 @@ in { [elchos] patterhn = ^elchos\. - retention = 10s:30d,60s:1y + retentions = 10s:30d,60s:3y [default] pattern = .* @@ -93,4 +68,9 @@ in { ''; }; }; + + networking.firewall = { + allowedTCPPorts = [ 2003 80 443 ]; + allowedUDPPorts = [ 2003 ]; + }; } diff --git a/makefu/2configs/elchos/test/ftpservers.nix b/makefu/2configs/elchos/test/ftpservers.nix new file mode 100644 index 000000000..bc7517209 --- /dev/null +++ b/makefu/2configs/elchos/test/ftpservers.nix @@ -0,0 +1,7 @@ +{...}: +{ + services.vsftpd.anonymousUser = true; + services.vsftpd.enable = true; + services.vsftpd.chrootlocalUser = true; + networking.firewall.allowedTCPPorts = [ 21 ]; +} diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index ef8a3b88f..e1c3d20ff 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -71,5 +71,15 @@ in { latitude = "48.7"; longitude = "9.1"; }; - + systemd.services.look-up = { + startAt = "*:30"; + serviceConfig = { + ExecStart= pkgs.writeDash "look-up" '' + set -x + eval "export '$(egrep -z DBUS_SESSION_BUS_ADDRESS /proc/$(${pkgs.procps}/bin/pgrep -u ${user} ${window-manager})/environ)'" + ${pkgs.libnotify}/bin/notify-send -u critical -t 9999999 'look up once in a while' + ''; + User = user; + }; + }; } diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix index b2a965de6..3fb629394 100644 --- a/makefu/2configs/nginx/euer.blog.nix +++ b/makefu/2configs/nginx/euer.blog.nix @@ -3,13 +3,9 @@ with import <stockholm/lib>; let sec = toString <secrets>; - ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - ssl_key = "${sec}/wildcard.krebsco.de.key"; hostname = config.krebs.build.host.name; user = config.services.nginx.user; group = config.services.nginx.group; - external-ip = config.krebs.build.host.nets.internet.ip4.addr; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; base-dir = "/var/www/blog.euer"; in { # Prepare Blog directory @@ -32,24 +28,15 @@ in { }; }; - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - euer-blog = { - listen = [ "${external-ip}:80" "${external-ip}:443 ssl" - "${internal-ip}:80" "${internal-ip}:443 ssl" ]; - server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ]; - extraConfig = '' - gzip on; - gzip_buffers 4 32k; - gzip_types text/plain application/x-javascript text/css; - ssl_certificate ${ssl_cert}; - ssl_certificate_key ${ssl_key}; - default_type text/plain; - ''; - locations = singleton (nameValuePair "/" '' - root ${base-dir}; - ''); + virtualHosts = { + "euer.krebsco.de" = { + #serverAliases = [ "blog.euer.krebsco.de" "blog.${hostname}" ]; + enableSSL = true; + enableACME = true; + forceSSL = true; + root = base-dir; }; }; }; diff --git a/makefu/2configs/nginx/euer.test.nix b/makefu/2configs/nginx/euer.test.nix index bff652daf..40c376130 100644 --- a/makefu/2configs/nginx/euer.test.nix +++ b/makefu/2configs/nginx/euer.test.nix @@ -8,18 +8,16 @@ let external-ip = config.krebs.build.host.nets.internet.ip4.addr; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - euer-share = { - listen = [ ]; - server-names = [ "share.euer.krebsco.de" ]; - locations = singleton (nameValuePair "/" '' + virtualHosts."share.euer.krebsco.de" = { + locations."/" = { + proxyPass = "http://localhost:8000/"; + extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:8000/; - ''); + ''; }; }; }; diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 9d0b74871..fefdd6dc7 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -4,13 +4,6 @@ with import <stockholm/lib>; let sec = toString <secrets>; ext-dom = "wiki.euer.krebsco.de"; - acmepath = "/var/lib/acme/"; - acmechall = acmepath + "/challenges/"; - - #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - #ssl_key = "${sec}/wildcard.krebsco.de.key"; - ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; - ssl_key = "${acmepath}/${ext-dom}/key.pem"; user = config.services.nginx.user; group = config.services.nginx.group; @@ -25,8 +18,7 @@ let # user1 = pass1 # userN = passN tw-pass-file = "${sec}/tw-pass.ini"; - external-ip = config.krebs.build.host.nets.internet.ip4.addr; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; + in { services.phpfpm = { # phpfpm does not have an enable option @@ -79,24 +71,18 @@ in { }; }; - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - euer-wiki = { - listen = [ "${external-ip}:80" "${external-ip}:443 ssl" - "${internal-ip}:80" "${internal-ip}:443 ssl" ]; - server-names = [ - ext-dom - "wiki.makefu.retiolum" - "wiki.makefu" - ]; - ssl = { - enable = true; - # these certs will be needed if acme has not yet created certificates: - certificate = ssl_cert; - certificate_key = ssl_key; - force_encryption = true; - }; + virtualHosts = { + "${ext-dom}" = { + #serverAliases = [ + # "wiki.makefu.retiolum" + # "wiki.makefu" + #]; + enableSSL = true; + forceSSL = true; + enableACME = true; + # recommendedGzipSettings = true; extraConfig = '' gzip on; gzip_buffers 4 32k; @@ -104,34 +90,26 @@ in { default_type text/plain; ''; - locations = [ - (nameValuePair "/" '' - root ${wiki-dir}; - expires -1; - autoindex on; - '') - (nameValuePair "/store.php" '' - root ${tw-upload}; - client_max_body_size 200M; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${fpm-socket}; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${ext-dom}/; - '') - - ]; + locations = { + "/" = { + root = wiki-dir; + extraConfig = '' + expires -1; + autoindex on; + ''; + }; + "/store.php" = { + root = tw-upload; + extraConfig = '' + client_max_body_size 200M; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm-socket}; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + ''; + }; + }; }; }; }; - security.acme.certs."${ext-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${ext-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains."${ext-dom}" = null ; - }; } diff --git a/makefu/2configs/nginx/icecult.nix b/makefu/2configs/nginx/icecult.nix index ce4f62e55..e817e55d8 100644 --- a/makefu/2configs/nginx/icecult.nix +++ b/makefu/2configs/nginx/icecult.nix @@ -10,19 +10,17 @@ let sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58"; }; in{ - krebs.nginx = { + services.nginx = { enable = true; - servers.default = { - extraConfig = '' - root ${icecult}/app; + virtualHosts.default = { + root = "${icecult}/app"; + locations = { + "/rpc".proxyPass = "http://10.42.22.163:3121"; + "/rpc".extraConfig = '' + rewrite /rpc/(.*) /$1 break; + proxy_http_version 1.1; ''; - locations = [ - (nameValuePair "/rpc" '' - rewrite /rpc/(.*) /$1 break; - proxy_http_version 1.1; - proxy_pass http://10.42.22.163:3121; - '') - ]; + }; }; }; } diff --git a/makefu/2configs/nginx/public_html.nix b/makefu/2configs/nginx/public_html.nix index 9545e98f4..676d1f110 100644 --- a/makefu/2configs/nginx/public_html.nix +++ b/makefu/2configs/nginx/public_html.nix @@ -3,13 +3,16 @@ with import <stockholm/lib>; { - krebs.nginx = { + services.nginx = { enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - autoindex on; - '') - ]; + virtualHosts.default = { + default = true; + locations = { + "~ ^/~(.+?)(/.*)?\$".extraConfig = '' + alias /home/$1/public_html$2; + autoindex on; + ''; + }; + }; }; } diff --git a/makefu/2configs/nginx/update.connector.one.nix b/makefu/2configs/nginx/update.connector.one.nix index 593f23199..44345dcd8 100644 --- a/makefu/2configs/nginx/update.connector.one.nix +++ b/makefu/2configs/nginx/update.connector.one.nix @@ -1,25 +1,19 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; -let - hostname = config.krebs.build.host.name; - external-ip = config.krebs.build.host.nets.internet.ip4.addr; -in { - krebs.nginx = { +{ + services.nginx = { enable = mkDefault true; - servers = { - update-connector-one = { - listen = [ "${external-ip}:80" ]; - server-names = [ - "update.connector.one" - "firmware.connector.one" - ]; - locations = singleton (nameValuePair "/" '' - autoindex on; - root /var/www/update.connector.one; - sendfile on; - gzip on; - ''); + virtualHosts."update.connector.one" = { + locations = { + "/" = { + root = "/var/www/update.connector.one"; + extraConfig = '' + autoindex on; + sendfile on; + gzip on; + ''; + }; }; }; }; diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix index f2ed42230..d1a9fabd7 100644 --- a/makefu/2configs/omo-share.nix +++ b/makefu/2configs/omo-share.nix @@ -7,38 +7,6 @@ let local-ip = "192.168.1.11"; # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { - krebs.nginx = { - enable = mkDefault true; - servers = { - omo-share = { - listen = [ "${local-ip}:80" ]; - locations = singleton (nameValuePair "/" '' - - access_log off; - # sendfile off; - # tcp_nopush on; - # aio on; - sendfile on; - sendfile_max_chunk 512k; - directio 512; - mp4; - autoindex on; - root /media; - limit_rate_after 100m; - limit_rate 5m; - mp4_buffer_size 4M; - mp4_max_buffer_size 10M; - allow all; - access_log off; - keepalive_timeout 65; - keepalive_requests 200; - reset_timedout_connection on; - tcp_nopush on; - gzip off; - ''); - }; - }; - }; # samba share /media/crypt1/share users.users.smbguest = { @@ -68,6 +36,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + pyload = { + path = "/media/crypt0/pyload"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; crypt0-rw = { path = "/media/crypt0/"; "read only" = "no"; diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix index 5b9ce6178..f3bc9091b 100644 --- a/makefu/2configs/torrent.nix +++ b/makefu/2configs/torrent.nix @@ -4,7 +4,7 @@ with import <stockholm/lib>; let daemon-user = "tor"; - authfile = <torrent-secrets/authfile>; + basicAuth = import <torrent-secrets/auth.nix>; peer-port = 51412; web-port = 8112; daemon-port = 58846; @@ -53,9 +53,8 @@ in { enable = true; web = { enable = true; - enableAuth = true; - listenAddress = toString web-port; - inherit authfile; + port = web-port; + inherit basicAuth; }; rutorrent.enable = true; enableXMLRPC = true; diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 855e134ab..16215b27a 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -8,6 +8,7 @@ _: ./forward-journal.nix ./opentracker.nix ./ps3netsrv.nix + ./server-config.nix ./snapraid.nix ./taskserver.nix ./udpt.nix diff --git a/makefu/3modules/server-config.nix b/makefu/3modules/server-config.nix new file mode 100644 index 000000000..dbd29d748 --- /dev/null +++ b/makefu/3modules/server-config.nix @@ -0,0 +1,10 @@ +{config, lib, pkgs, ... }: + +with import <stockholm/lib>; +{ + options.makefu.server.primary-itf = lib.mkOption { + type = types.str; + description = "Primary interface of the server"; + }; +} + diff --git a/makefu/6tests/data/secrets/auth.nix b/makefu/6tests/data/secrets/auth.nix new file mode 100644 index 000000000..92d5c34a8 --- /dev/null +++ b/makefu/6tests/data/secrets/auth.nix @@ -0,0 +1,3 @@ +{ + user = "password"; +} diff --git a/makefu/6tests/data/secrets/authfile b/makefu/6tests/data/secrets/authfile deleted file mode 100644 index f5e704702..000000000 --- a/makefu/6tests/data/secrets/authfile +++ /dev/null @@ -1 +0,0 @@ -"derp" diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix deleted file mode 100644 index 8945c1907..000000000 --- a/tv/1systems/xu-qemu0.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - krebs.hosts.xu-qemu0 = { - cores = 1; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - # cannot define ssh.pubkey without at least one addr or alias - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04"; - }; - krebs.build.host = config.krebs.hosts.xu-qemu0; - - imports = [ - ../. - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> - ]; - - boot.loader.grub.device = "/dev/sda"; - - fileSystems = { - "/boot" = { - device = "/dev/sda1"; - }; - "/" = { - device = "/dev/sda2"; - fsType = "btrfs"; - }; - }; -} diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index b6fe6dc5c..974d820d5 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -17,7 +17,6 @@ with import <stockholm/lib>; ../2configs/retiolum.nix ../2configs/binary-cache ../2configs/xserver - ../2configs/xu-qemu0.nix { environment.systemPackages = with pkgs; [ diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 5902f1895..39c944b1a 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -19,15 +19,15 @@ source-path = toString <secrets> + "/nix-serve.key"; }; - krebs.nginx = { + services.nginx = { enable = true; - servers.nix-serve = { - server-names = [ + virtualHosts.nix-serve = { + serverAliases = [ "cache.${config.krebs.build.host.name}.gg23" ]; - locations = singleton (nameValuePair "/" '' + locations."/".extraConfig = '' proxy_pass http://localhost:${toString config.services.nix-serve.port}; - ''); + ''; }; }; } diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index fcaec4925..dc26a6c6f 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import <stockholm/lib>; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "1dd0fb6b5a7c44d1b632466f936ca74268d13298"; + ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 39995c052..b0acb9435 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -3,15 +3,26 @@ with import <stockholm/lib>; { - krebs.nginx = { - servers.default.locations = [ - (nameValuePair "= /etc/os-release" '' + services.nginx = { + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts._http = { + default = true; + extraConfig = '' + return 404; + ''; + }; + + virtualHosts.default = { + locations."= /etc/os-release".extraConfig = '' default_type text/plain; alias /etc/os-release; - '') - ]; + ''; + }; }; - tv.iptables = optionalAttrs config.krebs.nginx.enable { + tv.iptables = { input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 4c74d2250..9744da1e8 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -3,20 +3,18 @@ with import <stockholm/lib>; { - krebs.nginx = { + services.nginx = { enable = true; - servers.default = { - server-names = [ + virtualHosts.default = { + serverAliases = [ "localhost" "${config.krebs.build.host.name}" "${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.retiolum" ]; - locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' + alias /home/$1/public_html$2; + ''; }; }; tv.iptables.input-internet-accept-tcp = singleton "http"; diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix deleted file mode 100644 index 355a36650..000000000 --- a/tv/2configs/xu-qemu0.nix +++ /dev/null @@ -1,250 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - # XXX cannot use config.build.host.name here because infinite recursion when - # defining krebs.hosts.${host-name}.nets.retiolum.aliases below. - host-name = "xu"; -in - -# usage: -# echo set_password vnc correcthorze | xu-qemu0-monitor -# -# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return -# -# http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze -# -# make [install] system=xu-qemu0 target_host=10.56.0.101 - -with import <stockholm/lib>; - -{ - networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; - - tv.iptables.extra = { - nat.POSTROUTING = ["-j MASQUERADE"]; - filter.FORWARD = [ - "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" - "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" - ]; - filter.INPUT = [ - "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" - "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" - ]; - }; - - systemd.network.enable = true; - systemd.services.systemd-networkd-wait-online.enable = false; - - services.resolved.enable = mkForce false; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - - systemd.network.networks.qemubr0 = { - matchConfig.Name = "qemubr0"; - address = ["10.56.0.1/24"]; - routes = [{ - routeConfig = { - Gateway = "*"; - Destination = "10.56.0.0"; - }; - }]; - }; - systemd.network.netdevs.qemubr0 = { - netdevConfig = { - Name = "qemubr0"; - Kind = "bridge"; - }; - }; - - users.groups.qemu-users.gid = genid "qemu-users"; - - environment.etc."qemu/bridge.conf".text = '' - allow qemubr0 - ''; - - krebs.per-user.tv.packages = [ - ]; - - users.users.xu-qemu0 = { - createHome = true; - group = "qemu-users"; - home = "/home/xu-qemu0"; - uid = genid "xu-qemu0"; - }; - - systemd.services.xu-qemu0 = let - in { - after = [ "network.target" "systemd-resolved.service" ]; - serviceConfig = { - User = "xu-qemu0"; - SyslogIdentifier = "xu-qemu0"; - ExecStart = pkgs.writeDash "xu-qemu0" '' - set -efu - ${pkgs.coreutils}/bin/mkdir -p "$HOME/tmp" - img=$HOME/tmp/xu-qemu0.raw - if ! test -e "$img"; then - ${pkgs.kvm}/bin/qemu-img create "$img" 10G - fi - exec ${pkgs.kvm}/bin/qemu-kvm \ - -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \ - -boot order=cd \ - -cdrom ${pkgs.fetchurl { - url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; - sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9"; - }} \ - -m 1024 \ - -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \ - -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \ - -drive file="$img",format=raw \ - -display vnc=:1,websocket=5701,password,lossy \ - -name xu-qemu0 \ - ''; - }; - }; - - krebs.setuid.xu-qemu0-monitor = { - filename = pkgs.writeDash "xu-qemu0-monitor" '' - exec ${pkgs.socat}/bin/socat \ - stdio \ - UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \ - ''; - owner = "xu-qemu0"; - group = "tv"; - }; - - krebs.setuid.qemu-bridge-helper = { - filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; - group = "qemu-users"; - }; - - users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq"; - - # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName - services.dbus.packages = [ pkgs.dnsmasq ]; - - systemd.services.qemu-dnsmasq = let - # bind-interfaces - conf = pkgs.writeText "qemu-dnsmasq.conf" '' - listen-address=10.56.0.1 - interface=qemubr0 - dhcp-range=10.56.0.200,10.56.0.250 - dhcp-no-override - dhcp-leasefile=/tmp/qemu-dnsmasq.leases - domain=${host-name}.local - dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m - ''; - in { - after = [ "network.target" "systemd-resolved.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "dbus"; - BusName = "uk.org.thekelleys.dnsmasq"; - # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq] - SyslogIdentifier = "qemu-dnsmasq"; - ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - PrivateTmp = "true"; - }; - restartTriggers = [ config.environment.etc.hosts.source ]; - }; - - - krebs.nginx.servers.init = { - server-names = [ - "init.${host-name}" - "init.${host-name}.r" - "init.${host-name}.retiolum" - ]; - extraConfig = '' - index init.txt; - root ${pkgs.writeTextFile { - name = "init-pages"; - text = '' - #! /bin/sh - set -efu - - dev=/dev/sda - pttype=dos # gpt - - case $pttype in - dos) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then - parted -s "$dev" mklabel msdos - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then - parted -s "$dev" mkpart primary ext4 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - gpt) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then - parted -s "$dev" mklabel gpt - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then - parted -s "$dev" mkpart ESP fat32 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - *) - echo "Error: bad pttype: $pttype" >&2 - exit -1 - esac - - if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then - parted -s "$dev" mkpart primary btrfs 513MiB 100% - fi - if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then - mkfs.vfat "$dev"1 - fi - if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then - mkfs.btrfs "$dev"2 - fi - - parted "$dev" print - - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then - mount "$dev"2 /mnt - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then - mkdir -m 0000 -p /mnt/boot - mount "$dev"1 /mnt/boot - fi - - lsblk "$dev" - - key=${shell.escape config.krebs.users.tv-xu.pubkey} - - if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then - mkdir -p /root/.ssh - echo "$key" > /root/.ssh/authorized_keys - fi - systemctl start sshd - ip route - echo READY. - ''; - destination = "/init.txt"; - }}; - ''; - }; - - - krebs.hosts.${host-name}.nets.retiolum.aliases = [ - "init.${host-name}.r" - "init.${host-name}.retiolum" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - - krebs.nginx.servers.noVNC = { - server-names = [ - "vnc.${host-name}" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701; - locations = singleton (nameValuePair "/" '' - index vnc.html; - root ${pkgs.noVNC}; - ''); - }; -} |