diff options
47 files changed, 800 insertions, 138 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 438836f52..b4e7f9254 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -108,8 +108,8 @@ let # Implements environment.etc."zones/<zone-name>" environment.etc = let - stripEmptyLines = s: concatStringsSep "\n" - (remove "\n" (remove "" (splitString "\n" s))); + stripEmptyLines = s: (concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" ([cfg.zone-head-config] ++ combined-hosts); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 498282b03..2ad4353bd 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -33,7 +33,7 @@ let in { hosts = addNames { echelon = { - cores = 4; + cores = 2; dc = "lass"; #dc = "cac"; nets = rec { internet = { @@ -66,6 +66,39 @@ in { ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK"; }; + prism = { + cores = 4; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["213.239.205.240"]; + aliases = [ + "prism.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.0.103"]; + addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; + aliases = [ + "prism.retiolum" + "cgit.prism.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl + kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl + JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I + AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5 + jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j + anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_rsa>; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChm4sqQ2bUZj+2YnTf6G5HHRTpSe1jTUhJRnwcYPYZKF+CBqBncipRpuGlGXEsptNa+7ZMcQC0ySsz5SUOMt3Ih+NehVe/qt3VtRz0l0MgOWmH2qBwKK9Y4IuxrJQzUmP4UGlOGlFj9DORssSMOyFIG4eZ9k2qMn3xal0NVRfGTShKlouWsiUILZ8I+sDNE00z8DAYesgc1yazvRnjzvLkRxdNdpYiAFBbmXMpPKK95McRJaWsuNSeal9kd5p5PagWcgN4DZ6+ebzz3NKnmzk4j+vuHX0U9lTXBqKMlzzmM2YNLRtDPfrtJNyHqLpZUpFhJKqZCD+4/0zdrzRfC7Th+5czzUCSvHiKPVsqw5eOdiQX6EyzNAF5zpkpRp//QdUNNXC5/Ku6GKCO491+TuA8VCha0fOwBONccTLUI/hGNmCh88mLbukVoeGJrbYNCOA/6kEz7ZLEveU4i+TT7okhDElMsNk+AWCZ8/NdJQNX3/K6+JJ9qAn+/yC8LdjgYYJ2oU/aw5/HyOgiQ0z4n9UfQ7j+nHysY9CQb1b3guX7yjJoc3KpNXCXEztuIRHjFD1EP8NRTSmGjsa/VjLmTLSsqjD+7IE5mT0tO5RJvmagDgdJSr/iR5D9zjW7hx7ttvektrlp9g0v3CiCFVaW4l95hGYT0HaNBLJ5R0YHm0lD+Q=="; + }; fastpoke = { dc = "lass"; nets = rec { diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index d328033cc..652527da2 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -164,6 +164,8 @@ with lib; dc = "makefu"; #dc = "cac"; extraZones = { "krebsco.de" = '' + euer IN A ${head nets.internet.addrs4} + wiki.euer IN A ${head nets.internet.addrs4} wry IN A ${head nets.internet.addrs4} io IN NS wry.krebsco.de. graphs IN A ${head nets.internet.addrs4} @@ -185,9 +187,14 @@ with lib; addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; aliases = [ "graphs.wry.retiolum" + "graphs.retiolum" "paste.wry.retiolum" "paste.retiolum" "wry.retiolum" + "wiki.makefu.retiolum" + "wiki.wry.retiolum" + "blog.makefu.retiolum" + "blog.wry.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -207,14 +214,37 @@ with lib; }; }; }; + filepimp = rec { + cores = 1; + dc = "makefu"; #nas + + nets = { + retiolum = { + addrs4 = ["10.243.153.102"]; + addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"]; + aliases = [ + "filepimp.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY + BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3 + i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7 + 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS + u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa + OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; gum = rec { cores = 1; dc = "online.net"; #root-server extraZones = { "krebsco.de" = '' - omo IN A ${head nets.internet.addrs4} - euer IN A ${head nets.internet.addrs4} + share.euer IN A ${head nets.internet.addrs4} gum IN A ${head nets.internet.addrs4} ''; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index a6c628353..e415d20ab 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -95,8 +95,12 @@ let ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' #!/bin/sh + mkdir -p "${internal_dir}" "${external_dir}" if ! test -e "${cfg.workingDir}/internal/index.html"; then - cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/." "${internal_dir}" + fi + if ! test -e "${cfg.workingDir}/external/index.html"; then + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}" fi ''; @@ -118,7 +122,6 @@ let users.extraUsers.tinc_graphs = { uid = 3925439960; #genid tinc_graphs home = "/var/spool/tinc_graphs"; - createHome = true; }; krebs.nginx.servers = mkIf cfg.nginx.enable { diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 80d9f5e93..206bc5697 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -56,6 +56,13 @@ let https://nixos.org/channels/nixos-unstable/git-revision ]; }; + verbose = mkOption { + type = types.bool; + default = false; + description = '' + verbose output of urlwatch + ''; + }; }; urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); @@ -106,7 +113,7 @@ let cd /tmp - urlwatch -e --urls="$urlsFile" > changes 2>&1 || : + urlwatch -e ${optionalString cfg.verbose "-v"} --urls="$urlsFile" > changes || : if test -s changes; then date=$(date -R) diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 94c9b0fb5..182a068ef 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -11,12 +11,28 @@ prepare() {( ;; centos) case $VERSION_ID in + 6) + prepare_centos "$@" + exit + ;; 7) prepare_centos "$@" exit ;; esac ;; + debian) + case $VERSION_ID in + 7) + prepare_debian "$@" + exit + ;; + 8) + prepare_debian "$@" + exit + ;; + esac + ;; esac elif test -e /etc/centos-release; then case $(cat /etc/centos-release) in @@ -31,6 +47,7 @@ prepare() {( )} prepare_arch() { + pacman -Sy type bzip2 2>/dev/null || pacman -S --noconfirm bzip2 type git 2>/dev/null || pacman -S --noconfirm git type rsync 2>/dev/null || pacman -S --noconfirm rsync @@ -44,6 +61,14 @@ prepare_centos() { prepare_common } +prepare_debian() { + apt-get update + type bzip2 2>/dev/null || apt-get install bzip2 + type git 2>/dev/null || apt-get install git + type rsync 2>/dev/null || apt-get install rsync + prepare_common +} + prepare_common() { if ! getent group nixbld >/dev/null; then diff --git a/krebs/5pkgs/bepasty-client-cli/default.nix b/krebs/5pkgs/bepasty-client-cli/default.nix new file mode 100644 index 000000000..990f99af6 --- /dev/null +++ b/krebs/5pkgs/bepasty-client-cli/default.nix @@ -0,0 +1,22 @@ +{ lib, pkgs, pythonPackages, fetchurl, ... }: + +with pythonPackages; buildPythonPackage rec { + name = "bepasty-client-cli-${version}"; + version = "0.3.0"; + propagatedBuildInputs = [ + python_magic + click + requests2 + ]; + + src = fetchurl { + url = "https://pypi.python.org/packages/source/b/bepasty-client-cli/bepasty-client-cli-${version}.tar.gz"; + sha256 = "002kcplyfnmr5pn2ywdfilss0rmbm8wcdzz8hzp03ksy2zr4sdbw"; + }; + + meta = { + homepage = https://github.com/bepasty/bepasty-client-cli; + description = "CLI client for bepasty-server"; + license = lib.licenses.bsd2; + }; +} diff --git a/krebs/5pkgs/collectd-connect-time/default.nix b/krebs/5pkgs/collectd-connect-time/default.nix new file mode 100644 index 000000000..525388029 --- /dev/null +++ b/krebs/5pkgs/collectd-connect-time/default.nix @@ -0,0 +1,15 @@ +{lib, pkgs, pythonPackages, fetchurl, ... }: + +pythonPackages.buildPythonPackage rec { + name = "collectd-connect-time-${version}"; + version = "0.3.0"; + src = fetchurl { + url = "https://pypi.python.org/packages/source/c/collectd-connect-time/collectd-connect-time-${version}.tar.gz"; + sha256 = "0vvrf9py9bwc8hk3scxwg4x2j8jlp2qva0mv4q8d9m4b4mk99c95"; + }; + meta = { + homepage = https://pypi.python.org/pypi/collectd-connect-time/; + description = "TCP Connection time plugin for collectd"; + license = lib.licenses.wtfpl; + }; +} diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/krebspaste/default.nix new file mode 100644 index 000000000..fb318af83 --- /dev/null +++ b/krebs/5pkgs/krebspaste/default.nix @@ -0,0 +1,7 @@ +{ writeScriptBin, pkgs }: + +# TODO: use `wrapProgram --add-flags` instead? +writeScriptBin "krebspaste" '' + #! /bin/sh + exec ${pkgs.bepasty-client-cli}/bin/bepasty-cli --url http://paste.retiolum "$@" +'' diff --git a/makefu/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix index 62a787d30..e5f1e40e8 100644 --- a/makefu/5pkgs/tinc_graphs/default.nix +++ b/krebs/5pkgs/tinc_graphs/default.nix @@ -2,14 +2,14 @@ python3Packages.buildPythonPackage rec { name = "tinc_graphs-${version}"; - version = "0.3.6"; + version = "0.3.9"; propagatedBuildInputs = with pkgs;[ python3Packages.pygeoip ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat ]; src = fetchurl { url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz"; - sha256 = "0ghdx9aaipmppvc2b6cgks4nxw6zsb0fhjrmnisbx7rz0vjvzc74"; + sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx"; }; preFixup = with pkgs;'' wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin" diff --git a/krebs/5pkgs/translate-shell/default.nix b/krebs/5pkgs/translate-shell/default.nix new file mode 100644 index 000000000..00ab226e5 --- /dev/null +++ b/krebs/5pkgs/translate-shell/default.nix @@ -0,0 +1,43 @@ +{stdenv, fetchurl,pkgs,... }: +let + s = + rec { + baseName="translate-shell"; + version="0.9.0.9"; + name="${baseName}-${version}"; + url=https://github.com/soimort/translate-shell/archive/v0.9.0.9.tar.gz; + sha256="1269j4yr9dr1d8c5kmysbzfplbgdg8apqnzs5w57d29sd7gz2i34"; + }; + searchpath = with pkgs; stdenv.lib.makeSearchPath "bin" [ + fribidi + gawk + bash + curl + less + ]; + buildInputs = [ + pkgs.makeWrapper + ]; +in +stdenv.mkDerivation { + inherit (s) name version; + inherit buildInputs; + src = fetchurl { + inherit (s) url sha256; + }; + # TODO: maybe mplayer + installPhase = '' + mkdir -p $out/bin + make PREFIX=$out install + wrapProgram $out/bin/trans --suffix PATH : "${searchpath}" + ''; + + meta = { + inherit (s) version; + description = ''translate using google api''; + license = stdenv.lib.licenses.free; + maintainers = [stdenv.lib.maintainers.makefu]; + platforms = stdenv.lib.platforms.linux ; + }; +} + diff --git a/krebs/Zhosts/gum b/krebs/Zhosts/gum index f1eaa4eab..d43bb0d08 100644 --- a/krebs/Zhosts/gum +++ b/krebs/Zhosts/gum @@ -2,7 +2,6 @@ Address= 195.154.108.70 Address= 195.154.108.70 53 Subnet = 10.243.0.211 Subnet = 42:f9f0:0000:0000:0000:0000:0000:70d2 -Aliases = paste -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY diff --git a/krebs/Zhosts/prism b/krebs/Zhosts/prism new file mode 100644 index 000000000..4c875631f --- /dev/null +++ b/krebs/Zhosts/prism @@ -0,0 +1,12 @@ +Address = 213.239.205.240 +Subnet = 10.243.0.103 +Subnet = 42:0000:0000:0000:0000:0000:0000:15ab + +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl +kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl +JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I +AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5 +jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j +anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 94c793b08..dc0ca0274 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -47,6 +47,23 @@ in { { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; } ]; } + { + users.extraUsers = { + satan = { + name = "satan"; + uid = 1338; + home = "/home/satan"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com" + ]; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.echelon; diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index b0b8ff573..7db3f8333 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -156,6 +156,7 @@ get genid teamspeak_client + hashPassword ]; #TODO: fix this shit diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix new file mode 100644 index 000000000..87334c3c2 --- /dev/null +++ b/lass/1systems/prism.nix @@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) head; + + ip = (head config.krebs.build.host.nets.internet.addrs4); +in { + imports = [ + ../2configs/base.nix + ../2configs/downloading.nix + ../2configs/git.nix + ../2configs/ts3.nix + { + users.extraGroups = { + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + }; + } + { + networking.interfaces.et0.ip4 = [ + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = "213.239.205.225"; + networking.nameservers = [ + "8.8.8.8" + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0" + ''; + + } + { + #boot.loader.gummiboot.enable = true; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/pool/nix"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36"; + }; + + fileSystems."/var/download" = { + device = "/dev/pool/download"; + }; + + } + { + sound.enable = false; + } + { + #workaround for server dying after 6-7h + boot.kernelPackages = pkgs.linuxPackages_4_2; + } + { + nixpkgs.config.allowUnfree = true; + } + ]; + + krebs.build.host = config.krebs.hosts.prism; +} diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 6fa9c5b2d..11bc4f089 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -15,8 +15,8 @@ with lib; { users.extraUsers = { root = { - openssh.authorizedKeys.keys = map readFile [ - ../../krebs/Zpubkeys/lass.ssh.pub + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey ]; }; mainUser = { @@ -27,11 +27,9 @@ with lib; createHome = true; useDefaultShell = true; extraGroups = [ - "audio" - "wheel" ]; - openssh.authorizedKeys.keys = map readFile [ - ../../krebs/Zpubkeys/lass.ssh.pub + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey ]; }; }; @@ -50,7 +48,7 @@ with lib; source = { git.nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "33bdc011f5360288cd10b9fda90da2950442b2ab"; + rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80"; }; dir.secrets = { host = config.krebs.hosts.mors; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 1f5c3de55..3be3676aa 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -8,6 +8,8 @@ in { ./urxvt.nix ]; + users.extraUsers.mainUser.extraGroups = [ "audio" ]; + time.timeZone = "Europe/Berlin"; virtualisation.libvirtd.enable = true; diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 5052da5c8..e80b74007 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -1,6 +1,10 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: -{ +with lib; + +let + rpc-password = import <secrets/transmission-pw.nix>; +in { imports = [ ../3modules/folderPerms.nix ]; @@ -10,9 +14,13 @@ name = "download"; home = "/var/download"; createHome = true; + useDefaultShell = true; extraGroups = [ "download" ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; }; transmission = { @@ -41,8 +49,8 @@ rpc-authentication-required = true; rpc-whitelist-enabled = false; rpc-username = "download"; - #add rpc-password in secrets - rpc-password = "test123"; + inherit rpc-password; + peer-port = 51413; }; }; @@ -50,6 +58,8 @@ enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } ]; }; diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 2164b2e33..7e8fc03c7 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -33,6 +33,8 @@ let web-routes-wai-custom = {}; go = {}; newsbot-js = {}; + kimsufi-check = {}; + realwallpaper = {}; }; restricted-repos = mapAttrs make-restricted-repo ( diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index 7f0bcc5e8..d26a2f4c4 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -16,7 +16,7 @@ enable = true; hosts = ../../krebs/Zhosts; connectTo = [ - "fastpoke" + "prism" "cloudkrebs" "echelon" "pigstarter" diff --git a/lass/2configs/ts3.nix b/lass/2configs/ts3.nix new file mode 100644 index 000000000..5b92d0919 --- /dev/null +++ b/lass/2configs/ts3.nix @@ -0,0 +1,19 @@ +{ config, ... }: + +{ + services.teamspeak3 = { + enable = true; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + #voice port + { predicate = "-p tcp --dport 9987"; target = "ACCEPT"; } + { predicate = "-p udp --dport 9987"; target = "ACCEPT"; } + ##file transfer port + #{ predicate = "-p tcp --dport 30033"; target = "ACCEPT"; } + #{ predicate = "-p udp --dport 30033"; target = "ACCEPT"; } + ##query port + #{ predicate = "-p tcp --dport 10011"; target = "ACCEPT"; } + #{ predicate = "-p udp --dport 10011"; target = "ACCEPT"; } + ]; +} diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix new file mode 100644 index 000000000..fb1a57552 --- /dev/null +++ b/makefu/1systems/filepimp.nix @@ -0,0 +1,38 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../2configs/default.nix + ../2configs/fs/vm-single-partition.nix + ../2configs/fs/single-partition-ext4.nix + ../2configs/tinc-basic-retiolum.nix + ]; + krebs.build.host = config.krebs.hosts.filepimp; + + # AMD N54L + boot = { + loader.grub.device = "/dev/sda"; + + initrd.availableKernelModules = [ + "usb_storage" + "ahci" + "xhci_hcd" + "ata_piix" + "uhci_hcd" + "ehci_pci" + ]; + + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + hardware.enableAllFirmware = true; + hardware.cpu.amd.updateMicrocode = true; + + networking.firewall.allowPing = true; +} diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix new file mode 100644 index 000000000..85cf4c533 --- /dev/null +++ b/makefu/1systems/gum.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; +in { + imports = [ + # TODO: copy this config or move to krebs + ../2configs/tinc-basic-retiolum.nix + ../2configs/headless.nix + # ../2configs/iodined.nix + + # Reaktor + ../2configs/Reaktor/simpleExtend.nix + ]; + + krebs.build.host = config.krebs.hosts.gum; + + krebs.Reaktor.enable = true; + + # prepare graphs + krebs.nginx.enable = true; + + networking = { + firewall.allowPing = true; + firewall.allowedTCPPorts = [ 80 443 655 ]; + firewall.allowedUDPPorts = [ 655 ]; + interfaces.enp2s1.ip4 = [{ + address = external-ip; + prefixLength = 24; + }]; + defaultGateway = "195.154.108.1"; + nameservers = [ "8.8.8.8" ]; + }; + + # based on ../../tv/2configs/CAC-Developer-2.nix +} diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index e7ceca60d..161bfa3e9 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -8,11 +8,12 @@ imports = [ # Include the results of the hardware scan. # Base - ../2configs/base.nix - ../2configs/base-sources.nix ../2configs/tinc-basic-retiolum.nix + ../2configs/headless.nix # HW/FS + + # enables virtio kernel modules in initrd <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ../2configs/fs/vm-single-partition.nix @@ -32,6 +33,8 @@ # ../2configs/graphite-standalone.nix ]; + krebs.urlwatch.verbose = true; + krebs.Reaktor.enable = true; krebs.Reaktor.debug = true; krebs.Reaktor.nickname = "Reaktor|bot"; @@ -40,8 +43,6 @@ }; krebs.build.host = config.krebs.hosts.pnp; - krebs.build.user = config.krebs.users.makefu; - krebs.build.target = "root@pnp"; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 97cf86a4e..8624cb2d1 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -6,12 +6,8 @@ { imports = [ # Include the results of the hardware scan. - ../2configs/base.nix ../2configs/main-laptop.nix #< base-gui - # configures sources - ../2configs/base-sources.nix - # Krebs ../2configs/tinc-basic-retiolum.nix #../2configs/disable_v6.nix @@ -23,7 +19,8 @@ ../2configs/exim-retiolum.nix ../2configs/mail-client.nix #../2configs/virtualization.nix - ../2configs/virtualization-virtualbox.nix + ../2configs/virtualization.nix + #../2configs/virtualization-virtualbox.nix ../2configs/wwan.nix # services @@ -34,16 +31,19 @@ ../2configs/hw/tp-x220.nix # mount points ../2configs/fs/sda-crypto-root-home.nix + # ../2configs/mediawiki.nix + #../2configs/wordpress.nix ]; - krebs.Reaktor.enable = true; - krebs.Reaktor.debug = true; - krebs.Reaktor.nickname = "makefu|r"; + #krebs.Reaktor.enable = true; + #krebs.Reaktor.nickname = "makefu|r"; krebs.build.host = config.krebs.hosts.pornocauster; - krebs.build.user = config.krebs.users.makefu; - krebs.build.target = "root@pornocauster"; - environment.systemPackages = with pkgs;[ get ]; + environment.systemPackages = with pkgs;[ + get + virtmanager + gnome3.dconf + ]; services.logind.extraConfig = "HandleLidSwitch=ignore"; # configure pulseAudio to provide a HDMI sink as well diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix index d98ff17c1..a069cc36f 100644 --- a/makefu/1systems/repunit.nix +++ b/makefu/1systems/repunit.nix @@ -8,26 +8,9 @@ imports = [ # Include the results of the hardware scan. <nixpkgs/nixos/modules/profiles/qemu-guest.nix> - ../2configs/base.nix ../2configs/cgit-retiolum.nix ]; krebs.build.host = config.krebs.hosts.repunit; - krebs.build.user = config.krebs.users.makefu; - krebs.build.target = "root@repunit"; - - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - #url = https://github.com/makefu/nixpkgs; - rev = "13576925552b1d0751498fdda22e91a055a1ff6c"; - }; - secrets = { - url = "/home/makefu/secrets/${config.krebs.build.host.name}"; - }; - stockholm = { - url = toString ../..; - }; - }; boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 3c2bb2eda..990db65d2 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix @@ -6,7 +6,6 @@ { imports = [ # Include the results of the hardware scan. - ../2configs/base.nix ../2configs/base-gui.nix ../2configs/tinc-basic-retiolum.nix ../2configs/fs/sda-crypto-root.nix @@ -21,19 +20,9 @@ ]; # not working in vm krebs.build.host = config.krebs.hosts.tsp; - krebs.build.user = config.krebs.users.makefu; - krebs.build.target = "root@tsp"; - networking.firewall.allowedTCPPorts = [ 25 ]; - krebs.build.deps = { - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - #url = https://github.com/makefu/nixpkgs; - rev = "13576925552b1d0751498fdda22e91a055a1ff6c"; - }; - }; } diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 6627d87b5..ba94972fb 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -8,9 +8,10 @@ let in { imports = [ # TODO: copy this config or move to krebs - ../../tv/2configs/CAC-CentOS-7-64bit.nix - ../2configs/base.nix + ../../tv/2configs/hw/CAC.nix + ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/unstable-sources.nix + ../2configs/headless.nix ../2configs/tinc-basic-retiolum.nix ../2configs/bepasty-dual.nix @@ -19,15 +20,16 @@ in { # Reaktor ../2configs/Reaktor/simpleExtend.nix - ]; - krebs.build = { - user = config.krebs.users.makefu; - target = "root@wry"; - host = config.krebs.hosts.wry; - }; + # other nginx + ../2configs/nginx/euer.wiki.nix + ../2configs/nginx/euer.blog.nix + # collectd + ../2configs/collectd/collectd-base.nix + ]; + krebs.build.host = config.krebs.hosts.wry; krebs.Reaktor.enable = true; @@ -47,7 +49,7 @@ in { # TODO: remove hard-coded hostname complete = { listen = [ "${internal-ip}:80" ]; - server-names = [ "graphs.wry" ]; + server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; }; anonymous = { listen = [ "${external-ip}:80" ] ; @@ -55,9 +57,11 @@ in { }; }; }; + networking = { firewall.allowPing = true; firewall.allowedTCPPorts = [ 53 80 443 ]; + firewall.allowedUDPPorts = [ 655 ]; interfaces.enp2s1.ip4 = [{ address = external-ip; prefixLength = 24; @@ -66,7 +70,5 @@ in { nameservers = [ "8.8.8.8" ]; }; - - # based on ../../tv/2configs/CAC-Developer-2.nix - sound.enable = false; + environment.systemPackages = [ pkgs.translate-shell ]; } diff --git a/makefu/2configs/base-sources.nix b/makefu/2configs/base-sources.nix deleted file mode 100644 index 7e6bebec3..000000000 --- a/makefu/2configs/base-sources.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - krebs.build.source = { - git.nixpkgs = { - #url = https://github.com/NixOS/nixpkgs; - url = https://github.com/makefu/nixpkgs; - rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine - }; - - dir.secrets = { - host = config.krebs.hosts.pornocauster; - path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; - }; - dir.stockholm = { - host = config.krebs.hosts.pornocauster; - path = toString ../.. ; - }; - }; -} diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index fb170957a..123ae3cf9 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -11,7 +11,11 @@ # bepasty-secret.nix <- contains single string with lib; -{ +let + sec = toString <secrets>; + # secKey is nothing worth protecting on a local machine + secKey = import <secrets/bepasty-secret.nix>; +in { krebs.nginx.enable = mkDefault true; krebs.bepasty = { @@ -24,7 +28,7 @@ with lib; server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; - secretKey = import <secrets/bepasty-secret.nix>; + secretKey = secKey; }; external = { @@ -33,8 +37,8 @@ with lib; extraConfig = '' ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_certificate /root/secrets/wildcard.krebsco.de.crt; - ssl_certificate_key /root/secrets/wildcard.krebsco.de.key; + ssl_certificate ${sec}/wildcard.krebsco.de.crt; + ssl_certificate_key ${sec}/wildcard.krebsco.de.key; ssl_verify_client off; proxy_ssl_session_reuse off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; @@ -45,7 +49,7 @@ with lib; }''; }; defaultPermissions = "read"; - secretKey = import <secrets/bepasty-secret.nix>; + secretKey = secKey; }; }; }; diff --git a/makefu/2configs/collectd/collectd-base.nix b/makefu/2configs/collectd/collectd-base.nix new file mode 100644 index 000000000..7909c1be5 --- /dev/null +++ b/makefu/2configs/collectd/collectd-base.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with lib; +let + connect-time-cfg = with pkgs; writeText "collectd-connect-time.cfg" '' + LoadPlugin python + <Plugin python> + ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/" + Import "collectd_connect_time" + <Module collectd_connect_time> + target "wry.retiolum" "localhost" "google.com" + interval 30 + </Module> + </Plugin> + ''; + graphite-cfg = pkgs.writeText "collectd-graphite-cfg" '' + LoadPlugin write_graphite + <Plugin "write_graphite"> + <Carbon> + Host "heidi.retiolum" + Port "2003" + Prefix "retiolum." + EscapeCharacter "_" + StoreRates false + AlwaysAppendDS false + </Carbon> + </Plugin> + ''; +in { + imports = [ ]; + + nixpkgs.config.packageOverrides = pkgs: with pkgs; { + collectd = pkgs.collectd.override { python= pkgs.python; }; + }; + services.collectd = { + enable = true; + include = [ (toString connect-time-cfg) (toString graphite-cfg) ]; + }; + +} diff --git a/makefu/2configs/base.nix b/makefu/2configs/default.nix index 4e38c27f8..3d9174788 100644 --- a/makefu/2configs/base.nix +++ b/makefu/2configs/default.nix @@ -2,6 +2,8 @@ with lib; { + system.stateVersion = "15.09"; + imports = [ { users.extraUsers = @@ -10,10 +12,36 @@ with lib; } ./vim.nix ]; - krebs.enable = true; - krebs.search-domain = "retiolum"; + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + target = mkDefault "root@${config.krebs.build.host.name}"; + user = config.krebs.users.makefu; + source = { + git.nixpkgs = { + #url = https://github.com/NixOS/nixpkgs; + url = mkDefault https://github.com/makefu/nixpkgs; + rev = mkDefault "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picking + target-path = "/var/src/nixpkgs"; + }; + + dir.secrets = { + host = config.krebs.hosts.pornocauster; + path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; + }; + + dir.stockholm = { + host = config.krebs.hosts.pornocauster; + path = "/home/makefu/stockholm" ; + target-path = "/var/src/stockholm"; + }; + }; + }; + }; + users.extraUsers = { root = { openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; @@ -56,7 +84,6 @@ with lib; environment.systemPackages = with pkgs; [ jq git - vim gnumake rxvt_unicode.terminfo htop diff --git a/makefu/2configs/fs/cac-boot-partition.nix b/makefu/2configs/fs/cac-boot-partition.nix index fdf4b89d8..cec004582 100644 --- a/makefu/2configs/fs/cac-boot-partition.nix +++ b/makefu/2configs/fs/cac-boot-partition.nix @@ -18,6 +18,4 @@ with lib; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; - hardware.cpu.amd.updateMicrocode = true; - } diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix index 54db87547..2bfe26960 100644 --- a/makefu/2configs/fs/sda-crypto-root.nix +++ b/makefu/2configs/fs/sda-crypto-root.nix @@ -6,8 +6,8 @@ with lib; { boot = { - loader.grub.enable =true; - loader.grub.version =2; + loader.grub.enable = true; + loader.grub.version = 2; loader.grub.device = "/dev/sda"; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; diff --git a/makefu/2configs/fs/single-partition-ext4.nix b/makefu/2configs/fs/single-partition-ext4.nix new file mode 100644 index 000000000..1970c949f --- /dev/null +++ b/makefu/2configs/fs/single-partition-ext4.nix @@ -0,0 +1,10 @@ +{config, ...}: +{ + boot.loader.grub.enable = assert config.boot.loader.grub.device != ""; true; + boot.loader.grub.version = 2; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; +} diff --git a/makefu/2configs/fs/vm-single-partition.nix b/makefu/2configs/fs/vm-single-partition.nix index 78a5e7175..27e28cb68 100644 --- a/makefu/2configs/fs/vm-single-partition.nix +++ b/makefu/2configs/fs/vm-single-partition.nix @@ -3,18 +3,9 @@ # vda1 ext4 (label nixos) -> only root partition with lib; { - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; + imports = [ + ./single-partition-ext4.nix + ]; boot.loader.grub.device = "/dev/vda"; - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - hardware.cpu.amd.updateMicrocode = true; - - } diff --git a/makefu/2configs/headless.nix b/makefu/2configs/headless.nix new file mode 100644 index 000000000..772ca3771 --- /dev/null +++ b/makefu/2configs/headless.nix @@ -0,0 +1,4 @@ +{lib,... }: +{ + sound.enable = lib.mkForce false; +} diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index aa2fc2050..047895ce6 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -8,6 +8,8 @@ with lib; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; + hardware.cpu.intel.updateMicrocode = true; + zramSwap.enable = true; zramSwap.numDevices = 2; diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix new file mode 100644 index 000000000..c6724c617 --- /dev/null +++ b/makefu/2configs/nginx/euer.blog.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + sec = toString <secrets>; + ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + ssl_key = "${sec}/wildcard.krebsco.de.key"; + hostname = config.krebs.build.host.name; + user = config.services.nginx.user; + group = config.services.nginx.group; + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; + base-dir = "/var/www/blog.euer"; +in { + # Prepare Blog directory + systemd.services.prepare-euer-blog = { + wantedBy = [ "local-fs.target" ]; + before = [ "nginx.service" ]; + serviceConfig = { + # do nothing if the base dir already exists + ExecStart = pkgs.writeScript "prepare-euer-blog-service" '' + #!/bin/sh + if ! test -d "${base-dir}" ;then + mkdir -p "${base-dir}" + chown ${user}:${group} "${base-dir}" + chmod 700 "${base-dir}" + fi + ''; + Type = "oneshot"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + }; + }; + + krebs.nginx = { + enable = mkDefault true; + servers = { + euer-blog = { + listen = [ "${external-ip}:80" "${external-ip}:443 ssl" + "${internal-ip}:80" "${internal-ip}:443 ssl" ]; + server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ]; + extraConfig = '' + gzip on; + gzip_buffers 4 32k; + gzip_types text/plain application/x-javascript text/css; + ssl_certificate ${ssl_cert}; + ssl_certificate_key ${ssl_key}; + default_type text/plain; + ''; + locations = singleton (nameValuePair "/" '' + root ${base-dir}; + ''); + }; + }; + }; +} diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix new file mode 100644 index 000000000..2b5fa6ead --- /dev/null +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -0,0 +1,118 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + sec = toString <secrets>; + ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + ssl_key = "${sec}/wildcard.krebsco.de.key"; + user = config.services.nginx.user; + group = config.services.nginx.group; + fpm-socket = "/var/run/php5-fpm.sock"; + hostname = config.krebs.build.host.name; + tw-upload = pkgs.tw-upload-plugin; + base-dir = "/var/www/wiki.euer"; + base-cfg = "${base-dir}/twconf.ini"; + wiki-dir = "${base-dir}/store/"; + backup-dir = "${base-dir}/backup/"; + # contains: + # user1 = pass1 + # userN = passN + tw-pass-file = "${sec}/tw-pass.ini"; + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; +in { + services.phpfpm = { + # phpfpm does not have an enable option + poolConfigs = { + euer-wiki = '' + user = ${user} + group = ${group} + listen = ${fpm-socket} + listen.owner = ${user} + listen.group = ${group} + env[twconf] = ${base-cfg}; + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + chdir = / + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + }; + + systemd.services.prepare-tw = { + wantedBy = [ "local-fs.target" ]; + before = [ "phpfpm.service" ]; + serviceConfig = { + ExecStart = pkgs.writeScript "prepare-tw-service" '' + #!/bin/sh + if ! test -d "${base-dir}" ;then + mkdir -p "${wiki-dir}" "${backup-dir}" + + # write the base configuration + cat > "${base-cfg}" <<EOF + [users] + $(cat "${tw-pass-file}") + [directories] + backupdir = ${backup-dir} + savedir = ${wiki-dir} + EOF + + chown -R ${user}:${group} "${base-dir}" + chmod 700 -R "${base-dir}" + fi + ''; + Type = "oneshot"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + }; + }; + + krebs.nginx = { + enable = mkDefault true; + servers = { + euer-wiki = { + listen = [ "${external-ip}:80" "${external-ip}:443 ssl" + "${internal-ip}:80" "${internal-ip}:443 ssl" ]; + server-names = [ + "wiki.euer.krebsco.de" + "wiki.makefu.retiolum" + "wiki.makefu" + ]; + extraConfig = '' + gzip on; + gzip_buffers 4 32k; + gzip_types text/plain application/x-javascript text/css; + ssl_certificate ${ssl_cert}; + ssl_certificate_key ${ssl_key}; + default_type text/plain; + + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + + ''; + locations = [ + (nameValuePair "/" '' + root ${wiki-dir}; + expires -1; + autoindex on; + '') + (nameValuePair "/store.php" '' + root ${tw-upload}; + client_max_body_size 200M; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm-socket}; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + ]; + }; + }; + }; +} diff --git a/makefu/2configs/unstable-sources.nix b/makefu/2configs/unstable-sources.nix index f2d28dcaf..7a9a8a81c 100644 --- a/makefu/2configs/unstable-sources.nix +++ b/makefu/2configs/unstable-sources.nix @@ -1,19 +1,8 @@ -{ config, lib, pkgs, ... }: +_: { - krebs.build.source = { - git.nixpkgs = { + krebs.build.source.git.nixpkgs = { url = https://github.com/makefu/nixpkgs; - rev = "984d33884d63d404ff2da76920b8bc8b15471552"; + rev = "15b5bbfbd1c8a55e7d9e05dd9058dc102fac04fe"; # cherry-picked collectd }; - - dir.secrets = { - host = config.krebs.hosts.pornocauster; - path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; - }; - dir.stockholm = { - host = config.krebs.hosts.pornocauster; - path = toString ../.. ; - }; - }; } diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix index 933cb93c5..cd05f0114 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch.nix @@ -10,6 +10,8 @@ https://api.github.com/repos/ovh/python-ovh/tags https://api.github.com/repos/embray/d2to1/tags http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release + https://pypi.python.org/simple/bepasty/ + https://pypi.python.org/simple/xstatic/ ]; }; diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 7945b6ebd..436c52fcd 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -7,6 +7,6 @@ in alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";}; alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";}; alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";}; - tinc_graphs = callPackage ./tinc_graphs {}; awesomecfg = callPackage ./awesomecfg {}; + tw-upload-plugin = callPackage ./tw-upload-plugin {}; } diff --git a/makefu/5pkgs/tw-upload-plugin/default.nix b/makefu/5pkgs/tw-upload-plugin/default.nix new file mode 100644 index 000000000..a68dc09dc --- /dev/null +++ b/makefu/5pkgs/tw-upload-plugin/default.nix @@ -0,0 +1,8 @@ +{pkgs}: + +pkgs.fetchFromGitHub { + owner = "makefu"; + repo = "tw-upload-plugin"; + rev = "a00aac"; + sha256 = "0kazqs24kzjxqzr33kg1jbfx8xyvmrnrdxh6g27kgkgbl1d2qknh"; +} diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index aeaeee288..60d1e8ce8 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -5,6 +5,7 @@ with lib; { imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> + ../2configs/collectd-base.nix ]; krebs.build.host = config.krebs.hosts.wolf; @@ -26,7 +27,7 @@ with lib; krebs.build.source = { git.nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "e916273209560b302ab231606babf5ce1c481f08"; + rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80"; }; dir.secrets = { host = config.krebs.current.host; diff --git a/shared/2configs/collectd-base.nix b/shared/2configs/collectd-base.nix new file mode 100644 index 000000000..3b792bf23 --- /dev/null +++ b/shared/2configs/collectd-base.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +# TODO: krebs.collectd.plugins +with lib; +let + connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" '' + LoadPlugin python + <Plugin python> + ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/" + Import "collectd_connect_time" + <Module collectd_connect_time> + target "localhost:22" "google.com" "google.de" "gum.retiolum:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de" + interval 10 + </Module> + </Plugin> + ''; + graphite-cfg = pkgs.writeText "collectd-graphite.conf" '' + LoadPlugin write_graphite + <Plugin "write_graphite"> + <Carbon> + Host "heidi.shack" + Port "2003" + Prefix "retiolum." + EscapeCharacter "_" + StoreRates false + AlwaysAppendDS false + </Carbon> + </Plugin> + ''; +in { + imports = [ ]; + + nixpkgs.config.packageOverrides = pkgs: with pkgs; { + collectd = pkgs.collectd.override { python= pkgs.python; }; + }; + services.collectd = { + enable = true; + include = [ (toString connect-time-cfg) (toString graphite-cfg) ]; + }; + +} |