diff options
Diffstat (limited to 'makefu')
38 files changed, 414 insertions, 215 deletions
diff --git a/makefu/0tests/data/secrets/netdata-stream.conf b/makefu/0tests/data/secrets/netdata-stream.conf new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/makefu/0tests/data/secrets/netdata-stream.conf diff --git a/makefu/0tests/data/secrets/nsupdate-cache.nix b/makefu/0tests/data/secrets/nsupdate-cache.nix new file mode 100644 index 000000000..f5e704702 --- /dev/null +++ b/makefu/0tests/data/secrets/nsupdate-cache.nix @@ -0,0 +1 @@ +"derp" diff --git a/makefu/1systems/full/source.nix b/makefu/1systems/full/source.nix deleted file mode 100644 index 1e36c6e87..000000000 --- a/makefu/1systems/full/source.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - name="gum"; - torrent = true; - clever_kexec = true; -} diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 3d2cbac6f..dcfa3d0e5 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -4,13 +4,14 @@ with import <stockholm/lib>; let external-ip = config.krebs.build.host.nets.internet.ip4.addr; ext-if = config.makefu.server.primary-itf; + allDisks = [ "/dev/sda" "/dev/sdb" ]; in { imports = [ <stockholm/makefu> ./hardware-config.nix { users.users.lass = { - uid = 9002; + uid = 19002; isNormalUser = true; createHome = true; useDefaultShell = true; @@ -20,8 +21,12 @@ in { ]; }; } + # <stockholm/makefu/2configs/stats/client.nix> + <stockholm/makefu/2configs/stats/netdata-server.nix> + <stockholm/makefu/2configs/headless.nix> - # <stockholm/makefu/2configs/smart-monitor.nix> + <stockholm/makefu/2configs/smart-monitor.nix> + { services.smartd.devices = builtins.map (x: { device = x; }) allDisks; } # Security <stockholm/makefu/2configs/sshd-totp.nix> @@ -30,6 +35,8 @@ in { <stockholm/makefu/2configs/tools/core.nix> <stockholm/makefu/2configs/tools/dev.nix> <stockholm/makefu/2configs/tools/sec.nix> + <stockholm/makefu/2configs/tools/desktop.nix> + <stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/mosh.nix> # <stockholm/makefu/2configs/gui/xpra.nix> @@ -41,17 +48,47 @@ in { <stockholm/makefu/2configs/iodined.nix> # <stockholm/makefu/2configs/backup.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> + { # bonus retiolum config for connecting more hosts + krebs.tinc.retiolum = { + extraConfig = '' + ListenAddress = ${external-ip} 53 + ListenAddress = ${external-ip} 655 + ListenAddress = ${external-ip} 21031 + ''; + connectTo = [ + "prism" "ni" "enklave" "eve" "archprism" + ]; + }; + networking.firewall = { + allowedTCPPorts = + [ + 53 + 655 + 21031 + ]; + allowedUDPPorts = + [ + 53 + 655 + 21031 + ]; + }; + } # ci # <stockholm/makefu/2configs/exim-retiolum.nix> <stockholm/makefu/2configs/git/cgit-retiolum.nix> + <stockholm/makefu/2configs/shack/events-publisher> <stockholm/makefu/2configs/shack/gitlab-runner> <stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/taskd.nix> # services - <stockholm/makefu/2configs/sabnzbd.nix> + # <stockholm/makefu/2configs/sabnzbd.nix> <stockholm/makefu/2configs/mail/mail.euer.nix> + { + krebs.exim.enable = mkForce false; + } # sharing <stockholm/makefu/2configs/share/gum.nix> @@ -59,13 +96,6 @@ in { #<stockholm/makefu/2configs/retroshare.nix> ## <stockholm/makefu/2configs/ipfs.nix> #<stockholm/makefu/2configs/syncthing.nix> - { # ncdc - environment.systemPackages = [ pkgs.ncdc ]; - networking.firewall = { - allowedUDPPorts = [ 51411 ]; - allowedTCPPorts = [ 51411 ]; - }; - } # <stockholm/makefu/2configs/opentracker.nix> ## network @@ -91,17 +121,17 @@ in { #<stockholm/makefu/2configs/nginx/public_html.nix> #<stockholm/makefu/2configs/nginx/update.connector.one.nix> <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix> - <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix> + # <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix> <stockholm/makefu/2configs/nginx/iso.euer.nix> - <stockholm/makefu/2configs/shack/events-publisher> + <stockholm/krebs/2configs/cache.nsupdate.info.nix> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix> - <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> + <stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix> + <stockholm/makefu/2configs/bgt/hidden_service.nix> - <stockholm/makefu/2configs/stats/client.nix> # <stockholm/makefu/2configs/logging/client.nix> # sharing @@ -115,7 +145,8 @@ in { # krebs infrastructure services <stockholm/makefu/2configs/stats/server.nix> - ]; + ]; + makefu.dl-dir = "/var/download"; services.openssh.hostKeys = [ @@ -125,70 +156,14 @@ in { services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; - krebs.tinc.retiolum = { - extraConfig = '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - ''; - connectTo = [ - "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" - ]; - }; - - - # access - users.users = { - root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ]; - makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; - }; - - # Chat - environment.systemPackages = with pkgs;[ - weechat - bepasty-client-cli - tmux - ]; - - # Hardware - # Network networking = { firewall = { allowPing = true; logRefusedConnections = false; - allowedTCPPorts = [ - # smtp - 25 - # http - 80 443 - # httptunnel - 8080 8443 - # tinc - 655 - # tinc-shack - 21032 - # tinc-retiolum - 21031 - # taskserver - 53589 - # temp vnc - 18001 - # temp reverseshell - 31337 - ]; - allowedUDPPorts = [ - # tinc - 655 53 - # tinc-retiolum - 21031 - # tinc-shack - 21032 - ]; }; nameservers = [ "8.8.8.8" ]; }; users.users.makefu.extraGroups = [ "download" "nginx" ]; - boot.tmpOnTmpfs = true; state = [ "/home/makefu/.weechat" ]; } diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix index bfe29b46c..e9670a5a4 100644 --- a/makefu/1systems/gum/hardware-config.nix +++ b/makefu/1systems/gum/hardware-config.nix @@ -46,7 +46,7 @@ in { "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" "xhci_pci" "ehci_pci" "ahci" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ]; hardware.enableRedistributableFirmware = true; fileSystems."/" = { device = "/dev/mapper/nixos-root"; @@ -56,10 +56,19 @@ in { device = "/dev/mapper/nixos-lib"; fsType = "ext4"; }; + fileSystems."/var/log" = { + device = "/dev/mapper/nixos-log"; + fsType = "ext4"; + }; fileSystems."/var/download" = { device = "/dev/mapper/nixos-download"; fsType = "ext4"; }; + fileSystems."/var/www/binaergewitter" = { + device = "/dev/mapper/nixos-binaergewitter"; + fsType = "ext4"; + options = [ "nofail" ]; + }; fileSystems."/var/lib/borgbackup" = { device = "/dev/mapper/nixos-backup"; fsType = "ext4"; diff --git a/makefu/1systems/gum/rescue.txt b/makefu/1systems/gum/rescue.txt index 30276b7db..0a3ed96ee 100644 --- a/makefu/1systems/gum/rescue.txt +++ b/makefu/1systems/gum/rescue.txt @@ -1,10 +1,14 @@ +ssh gum.i -o StrictHostKeyChecking=no + mount /dev/mapper/nixos-root /mnt mount /dev/sda2 /mnt/boot chroot-prepare /mnt chroot /mnt /bin/sh + journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub) +# ... activating ... export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin /nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix index 6940498f1..1e36c6e87 100644 --- a/makefu/1systems/gum/source.nix +++ b/makefu/1systems/gum/source.nix @@ -1,5 +1,5 @@ { - name="nextgum"; + name="gum"; torrent = true; clever_kexec = true; } diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 260f96081..81b1e0ea1 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -44,7 +44,8 @@ in { # <stockholm/makefu/2configs/share/omo-timemachine.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> - + # statistics + <stockholm/makefu/2configs/stats/client.nix> # Logging #influx + grafana <stockholm/makefu/2configs/stats/server.nix> @@ -74,7 +75,8 @@ in { "homeassistant-0.77.2" ]; } - <stockholm/makefu/2configs/deployment/homeautomation> + <stockholm/makefu/2configs/homeautomation> + <stockholm/makefu/2configs/homeautomation/google-muell.nix> { makefu.ps3netsrv = { enable = true; diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix index 1b618a486..31db335bb 100644 --- a/makefu/1systems/omo/hw/omo.nix +++ b/makefu/1systems/omo/hw/omo.nix @@ -48,9 +48,8 @@ in { makefu.snapraid = { enable = true; - # TODO: 3 is not protected - disks = map toMapper [ 0 1 ]; - parity = toMapper 2; + disks = map toMapper [ 0 2 3 ]; + parity = toMapper 1; }; fileSystems = let cryptMount = name: diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index f2311fb55..3930406b1 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -20,9 +20,6 @@ in { <stockholm/makefu/2configs/mqtt.nix> <stockholm/makefu/2configs/gui/wbob-kiosk.nix> - <stockholm/makefu/2configs/stats/client.nix> - - # <stockholm/makefu/2configs/gui/studio-virtual.nix> # <stockholm/makefu/2configs/audio/jack-on-pulse.nix> # <stockholm/makefu/2configs/audio/realtime-audio.nix> @@ -35,6 +32,8 @@ in { <stockholm/makefu/2configs/bluetooth-mpd.nix> # Sensors + <stockholm/makefu/2configs/stats/client.nix> + <stockholm/makefu/2configs/stats/collectd-client.nix> <stockholm/makefu/2configs/stats/telegraf> <stockholm/makefu/2configs/stats/telegraf/airsensor.nix> <stockholm/makefu/2configs/stats/telegraf/europastats.nix> @@ -51,9 +50,9 @@ in { "homeassistant-0.77.2" ]; } - <stockholm/makefu/2configs/deployment/bureautomation> - <stockholm/makefu/2configs/deployment/bureautomation/mpd.nix> - <stockholm/makefu/2configs/deployment/bureautomation/hass.nix> + <stockholm/makefu/2configs/bureautomation> + <stockholm/makefu/2configs/bureautomation/mpd.nix> + <stockholm/makefu/2configs/bureautomation/hass.nix> (let collectd-port = 25826; influx-port = 8086; diff --git a/makefu/2configs/bgt/auphonic.pub b/makefu/2configs/bgt/auphonic.pub new file mode 100644 index 000000000..37b8e0599 --- /dev/null +++ b/makefu/2configs/bgt/auphonic.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx diff --git a/makefu/2configs/nginx/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix index 6b5687e72..6d64848f5 100644 --- a/makefu/2configs/nginx/download.binaergewitter.de.nix +++ b/makefu/2configs/bgt/download.binaergewitter.de.nix @@ -1,12 +1,25 @@ { config, lib, pkgs, ... }: +with import <stockholm/lib>; let - ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519"; + ident = (builtins.readFile ./auphonic.pub); in { - systemd.services.mirrorsync = { - startAt = "08:00:00"; - path = with pkgs; [ rsync openssh ]; - script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter''; + services.openssh = { + allowSFTP = true; + sftpFlags = [ "-l VERBOSE" ]; + extraConfig = '' + Match User auphonic + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + PasswordAuthentication no + ''; + }; + users.users.auphonic = { + uid = genid "auphonic"; + group = "nginx"; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ]; }; services.nginx = { enable = lib.mkDefault true; diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/bgt/hidden_service.nix index c1a31b8dc..c1a31b8dc 100644 --- a/makefu/2configs/deployment/bgt/hidden_service.nix +++ b/makefu/2configs/bgt/hidden_service.nix diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix index 46b386e14..51b4a1afc 100644 --- a/makefu/2configs/binary-cache/lass.nix +++ b/makefu/2configs/binary-cache/lass.nix @@ -3,7 +3,7 @@ { nix = { binaryCaches = [ - "http://cache.prism.r" + "https://cache.krebsco.de" ]; binaryCachePublicKeys = [ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" diff --git a/makefu/2configs/bitlbee.nix b/makefu/2configs/bitlbee.nix index 17efa7113..e955384d6 100644 --- a/makefu/2configs/bitlbee.nix +++ b/makefu/2configs/bitlbee.nix @@ -3,6 +3,6 @@ { services.bitlbee = { enable = true; - libpurple_plugins = [ pkgs.telegram-purple ]; + libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb]; }; } diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix index 3897537ea..3897537ea 100644 --- a/makefu/2configs/deployment/bureautomation/default.nix +++ b/makefu/2configs/bureautomation/default.nix diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/bureautomation/hass.nix index 443484a34..a89a4813f 100644 --- a/makefu/2configs/deployment/bureautomation/hass.nix +++ b/makefu/2configs/bureautomation/hass.nix @@ -112,7 +112,6 @@ in { "temperature" # "temperature_high" "temperature_low" "apparent_temperature" "hourly_summary" # next 24 hours text - "minutely_summary" "humidity" "pressure" "uv_index" ]; @@ -212,27 +211,44 @@ in { to = "on"; }; action = { - service= "homeassistant.turn_on"; - entity_id= "switch.fernseher"; + service = "homeassistant.turn_on"; + entity_id = [ "switch.fernseher" "switch.blitzdings" ]; }; } { alias = "Turn off Fernseher 10 minutes after last movement"; - trigger = { + trigger = [ + { # trigger when movement was detected at the time platform = "state"; entity_id = "binary_sensor.motion"; to = "off"; for.minutes = 10; - }; + } + { # trigger at 20:00 no matter what + # to avoid 'everybody left before 18:00:00' + platform = "time"; + at = "18:00:00"; + } + ]; action = { - service= "homeassistant.turn_off"; - entity_id= "switch.fernseher"; + service = "homeassistant.turn_off"; + entity_id = [ "switch.fernseher" "switch.blitzdings" ]; + }; + condition = + { condition = "and"; + conditions = [ + { + condition = "time"; + before = "06:30:00"; #only turn off between 6:30 and 18:00 + after = "18:00:00"; + # weekday = [ "mon" "tue" "wed" "thu" "fri" ]; + } + { + condition = "state"; + entity_id = "binary_sensor.motion"; + state = "off"; + } + ]; }; - condition = [{ - condition = "time"; - before = "06:30:00"; #only turn off between 6:30 and 18:00 - after = "18:00:00"; - weekday = [ "mon" "tue" "wed" "thu" "fri" ]; - }]; } ]; }; diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/bureautomation/mpd.nix index 1f5acb357..1f5acb357 100644 --- a/makefu/2configs/deployment/bureautomation/mpd.nix +++ b/makefu/2configs/bureautomation/mpd.nix diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix index 521bfc80a..e7b91e6a8 100644 --- a/makefu/2configs/elchos/search.nix +++ b/makefu/2configs/elchos/search.nix @@ -32,7 +32,7 @@ let ${user} protocol=dyndns2 - usev5=if, if=${primary-itf} + usev6=if, if=${primary-itf} ssl=yes server=ipv6.nsupdate.info login=${user} diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/homeautomation/default.nix index 94799b11d..596d0002a 100644 --- a/makefu/2configs/deployment/homeautomation/default.nix +++ b/makefu/2configs/homeautomation/default.nix @@ -31,7 +31,7 @@ let brightness_scale = 100; # color rgb_state_topic = "/ham/${topic}/stat/Color"; - rgb_command_topic = "/ham/${topic}/cmnd/Color2"; + rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule rgb_command_mode = "hex"; rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}"; # effects diff --git a/makefu/2configs/deployment/google-muell.nix b/makefu/2configs/homeautomation/google-muell.nix index 235cc1546..235cc1546 100644 --- a/makefu/2configs/deployment/google-muell.nix +++ b/makefu/2configs/homeautomation/google-muell.nix diff --git a/makefu/2configs/deployment/homeautomation/mqtt.nix b/makefu/2configs/homeautomation/mqtt.nix index cd1c328d7..cd1c328d7 100644 --- a/makefu/2configs/deployment/homeautomation/mqtt.nix +++ b/makefu/2configs/homeautomation/mqtt.nix diff --git a/makefu/2configs/mail/mail.euer.nix b/makefu/2configs/mail/mail.euer.nix index f079d7f41..f8f82e76b 100644 --- a/makefu/2configs/mail/mail.euer.nix +++ b/makefu/2configs/mail/mail.euer.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { imports = [ - (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz") + (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz") ]; mailserver = { diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix index d764e5624..cb2ef09e3 100644 --- a/makefu/2configs/minimal.nix +++ b/makefu/2configs/minimal.nix @@ -7,8 +7,8 @@ # the only true timezone (even after the the removal of DST) time.timeZone = "Europe/Berlin"; - networking.hostName = config.krebs.build.host.name; - nix.buildCores = config.krebs.build.host.cores; + networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name; + nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable # we use gpg if necessary (or nothing at all) programs.ssh.startAgent = false; @@ -85,4 +85,6 @@ "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; }; + + services.nscd.enable = false; } diff --git a/makefu/2configs/nginx/gum.krebsco.de.nix b/makefu/2configs/nginx/gum.krebsco.de.nix new file mode 100644 index 000000000..3e96e6826 --- /dev/null +++ b/makefu/2configs/nginx/gum.krebsco.de.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +let +in { + services.nginx = { + enable = mkDefault true; + virtualHosts."gum.krebsco.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + # proxyPass = "http://localhost:8000/"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # ''; + }; + }; + }; +} diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix index 531d2525e..964e5ccbb 100644 --- a/makefu/2configs/shack/events-publisher/default.nix +++ b/makefu/2configs/shack/events-publisher/default.nix @@ -2,8 +2,8 @@ with import <stockholm/lib>; let shack-announce = pkgs.callPackage (builtins.fetchTarball { - url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz"; - sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd"; + url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz"; + sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0"; }) {} ; home = "/var/lib/shackannounce"; user = "shackannounce"; diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix index e4fef7c3c..ed5066787 100644 --- a/makefu/2configs/share/omo.nix +++ b/makefu/2configs/share/omo.nix @@ -30,6 +30,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + audiobook = { + path = "/media/crypt1/audiobooks"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; crypt0 = { path = "/media/crypt0"; "read only" = "yes"; diff --git a/makefu/2configs/share/wbob.nix b/makefu/2configs/share/wbob.nix index 7d3fc38fe..9695751ff 100644 --- a/makefu/2configs/share/wbob.nix +++ b/makefu/2configs/share/wbob.nix @@ -8,6 +8,7 @@ home = "/home/share"; createHome = true; }; + users.groups.mpd.members = [ "makefu" ]; services.samba = { enable = true; enableNmbd = true; @@ -24,6 +25,12 @@ browseable = "yes"; "guest ok" = "yes"; }; + music-rw = { + path = "/data/music"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "no"; + }; }; extraConfig = '' guest account = smbguest diff --git a/makefu/2configs/stats/client.nix b/makefu/2configs/stats/client.nix index cfb5e3fd2..b88515a35 100644 --- a/makefu/2configs/stats/client.nix +++ b/makefu/2configs/stats/client.nix @@ -1,61 +1,7 @@ -{pkgs, config, ...}: { - services.collectd = { + makefu.netdata = { enable = true; - autoLoadPlugin = true; - extraConfig = '' - Hostname ${config.krebs.build.host.name} - LoadPlugin load - LoadPlugin disk - LoadPlugin memory - LoadPlugin df - Interval 30.0 - - LoadPlugin interface - <Plugin "interface"> - Interface "*Link" - Interface "lo" - Interface "vboxnet*" - Interface "virbr*" - IgnoreSelected true - </Plugin> - - LoadPlugin df - <Plugin "df"> - MountPoint "/nix/store" - # MountPoint "/run*" - # MountPoint "/sys*" - # MountPoint "/dev" - # MountPoint "/dev/shm" - # MountPoint "/tmp" - FSType "tmpfs" - FSType "binfmt_misc" - FSType "debugfs" - FSType "tracefs" - FSType "mqueue" - FSType "hugetlbfs" - FSType "systemd-1" - FSType "cgroup" - FSType "securityfs" - FSType "ramfs" - FSType "proc" - FSType "devpts" - FSType "devtmpfs" - MountPoint "/var/lib/docker/devicemapper" - IgnoreSelected true - </Plugin> - - LoadPlugin cpu - <Plugin cpu> - ReportByCpu true - ReportByState true - ValuesPercentage true - </Plugin> - - LoadPlugin network - <Plugin "network"> - Server "${config.makefu.stats-server}" "25826" - </Plugin> - ''; + stream.role = "slave"; + # stream.destination = "netdata.makefu.r"; }; } diff --git a/makefu/2configs/stats/collectd-client.nix b/makefu/2configs/stats/collectd-client.nix new file mode 100644 index 000000000..cfb5e3fd2 --- /dev/null +++ b/makefu/2configs/stats/collectd-client.nix @@ -0,0 +1,61 @@ +{pkgs, config, ...}: +{ + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + LoadPlugin df + Interval 30.0 + + LoadPlugin interface + <Plugin "interface"> + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + </Plugin> + + LoadPlugin df + <Plugin "df"> + MountPoint "/nix/store" + # MountPoint "/run*" + # MountPoint "/sys*" + # MountPoint "/dev" + # MountPoint "/dev/shm" + # MountPoint "/tmp" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "tracefs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + </Plugin> + + LoadPlugin cpu + <Plugin cpu> + ReportByCpu true + ReportByState true + ValuesPercentage true + </Plugin> + + LoadPlugin network + <Plugin "network"> + Server "${config.makefu.stats-server}" "25826" + </Plugin> + ''; + }; +} diff --git a/makefu/2configs/stats/netdata-server.nix b/makefu/2configs/stats/netdata-server.nix new file mode 100644 index 000000000..5fec3583c --- /dev/null +++ b/makefu/2configs/stats/netdata-server.nix @@ -0,0 +1,17 @@ +{ + makefu.netdata = { + enable = true; + stream.role = "master"; + }; + + services.nginx = { + virtualHosts."netdata.euer.krebsco.de" = { + addSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:19999"; + }; + virtualHosts."netdata.makefu.r" = { + locations."/".proxyPass = "http://localhost:19999"; + }; + }; +} diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix index c8e768c99..bb8fd1750 100644 --- a/makefu/2configs/stats/server.nix +++ b/makefu/2configs/stats/server.nix @@ -21,6 +21,13 @@ in { services.influxdb.extraConfig = { meta.hostname = config.krebs.build.host.name; # meta.logging-enabled = true; + logging.level = "info"; + http.log-enabled = true; + http.write-tracing = false; + http.suppress-write-log = true; + data.trace-logging-enabled = false; + data.query-log-enabled = false; + http.bind-address = ":${toString influx-port}"; admin.bind-address = ":8083"; monitoring = { diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix index 98abb2406..0d2774209 100644 --- a/makefu/2configs/tinc/retiolum.nix +++ b/makefu/2configs/tinc/retiolum.nix @@ -1,8 +1,10 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { imports = [ ../binary-cache/lass.nix ]; krebs.tinc.retiolum.enable = true; environment.systemPackages = [ pkgs.tinc ]; + networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; + networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; } diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 7146174fb..65b5a6afd 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -5,6 +5,7 @@ _: ./awesome-extra.nix ./deluge.nix ./forward-journal.nix + ./netdata.nix ./opentracker.nix ./ps3netsrv.nix ./logging-config.nix diff --git a/makefu/3modules/netdata.nix b/makefu/3modules/netdata.nix new file mode 100644 index 000000000..3ed33643c --- /dev/null +++ b/makefu/3modules/netdata.nix @@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: + +# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix +with lib; +let + cfg = config.makefu.netdata; +in +{ + options.makefu.netdata = { + enable = mkEnableOption "netdata"; + + # TODO only apikey from file, set remote host manually + stream.file = mkOption { + type = types.str; + default = toString <secrets/netdata-stream.conf>; + description = "path to stream data file"; + }; + stream.role = mkOption { + type = types.enum [ "master" "slave" ]; + default = "slave"; + description = "Wether to stream data"; + }; + + httpcheck.checks = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + url = mkOption { + type = types.str; + example = "https://thalheim.io"; + description = "Url to check"; + }; + regex = mkOption { + type = types.nullOr types.str; + default = null; + example = "My homepage"; + description = "Regex that is matched against the returned content"; + }; + statusAccepted = mkOption { + type = types.listOf types.int; + default = [ 200 ]; + example = [ 401 ]; + description = "Expected http status code"; + }; + }; + })); + default = {}; + description = '' + httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf + ''; + }; + + portcheck.checks = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Dns name/IP to check"; + }; + port = mkOption { + type = types.int; + description = "Tcp port number"; + }; + }; + })); + default = {}; + description = '' + portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.netdata = { + requires = [ "secret.service" ]; + after = [ "secret.service" ]; + }; + krebs.secret.files.netdata-stream = { + path = "/run/secret/netdata-stream.conf"; + owner.name = "netdata"; + source-path = cfg.stream.file; + }; + environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf"; + + services.netdata = { + enable = true; + config = { + global = { + "bind to" = "0.0.0.0:19999 [::]:19999"; + "error log" = "stderr"; + "update every" = "5"; + }; + health.enable = if cfg.stream.role == "master" then "yes" else "no"; + }; + }; + services.netdata.python.extraPackages = ps: [ + ps.psycopg2 ps.docker ps.dnspython + ]; + + makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports); + + networking.firewall.allowedTCPPorts = [ 19999 ]; + + environment.etc."netdata/python.d/httpcheck.conf".text = '' + update_every: 30 + ${lib.concatStringsSep "\n" (mapAttrsToList (site: options: + '' + ${site}: + url: '${options.url}' + ${optionalString (options.regex != null) "regex: '${options.regex}'"} + status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ] + '') cfg.httpcheck.checks) + } + ''; + + environment.etc."netdata/python.d/portcheck.conf".text = '' + ${lib.concatStringsSep "\n" (mapAttrsToList (service: options: + '' + ${service}: + host: '${options.host}' + port: ${toString options.port} + '') cfg.portcheck.checks) + } + ''; + systemd.services.netdata.restartTriggers = [ + config.environment.etc."netdata/python.d/httpcheck.conf".source + config.environment.etc."netdata/python.d/portcheck.conf".source + config.environment.etc."netdata/stream.conf".source + ]; + + environment.etc."netdata/health.d/httpcheck.conf".text = '' + # taken from the original but warn only if a request is at least 300ms slow + template: web_service_slow + families: * + on: httpcheck.responsetime + lookup: average -3m unaligned of time + units: ms + every: 10s + warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000) + crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000) + info: average response time over the last 3 minutes, compared to the average over the last hour + delay: down 5m multiplier 1.5 max 1h + options: no-clear-notification + to: webmaster + ''; + + }; + # TODO: notification + # environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf"; + +} diff --git a/makefu/5pkgs/libopencm3/default.nix b/makefu/5pkgs/libopencm3/default.nix deleted file mode 100644 index ed35fc639..000000000 --- a/makefu/5pkgs/libopencm3/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }: -stdenv.mkDerivation rec { - name = "libopencm-${version}"; - version = "2017-04-01"; - - src = fetchFromGitHub { - owner = "libopencm3"; - repo = "libopencm3"; - rev = "383fafc862c0d47f30965f00409d03a328049278"; - sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9"; - }; - - buildInputs = [ gcc-arm-embedded python ]; - buildPhase = '' - sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h - make - ''; - installPhase = '' - mkdir -p $out - cp -r lib $out/ - ''; - - meta = { - description = "Open Source ARM cortex m microcontroller library"; - homepage = https://github.com/libopencm3/libopencm3; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; - maintainers = with stdenv.lib.maintainers; [ makefu ]; - }; -} diff --git a/makefu/krops.nix b/makefu/krops.nix index 6c510eba3..2a2f70a05 100644 --- a/makefu/krops.nix +++ b/makefu/krops.nix @@ -7,7 +7,6 @@ host-src = { secure = false; - full = false; torrent = false; hw = false; musnix = false; @@ -23,7 +22,11 @@ { # nixos-18.09 @ 2018-09-18 # + uhub/sqlite: 5dd7610401747 - nixpkgs = if test then { + # + hovercraft: 7134801b17d72 + nixpkgs = if host-src.arm6 then { + # TODO: we want to track the unstable channel + symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; + } else { file = { path = toString (pkgs.fetchFromGitHub { owner = "makefu"; @@ -33,14 +36,6 @@ }); useChecksum = true; }; - } else if host-src.full then { - git.ref = nixpkgs-src.rev; - git.url = nixpkgs-src.url; - } else if host-src.arm6 then { - # TODO: we want to track the unstable channel - symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; - } else { - file = "/home/makefu/store/${nixpkgs-src.rev}"; }; nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix"; diff --git a/makefu/update-channel.sh b/makefu/update-channel.sh index 59d3c434f..0899581ec 100755 --- a/makefu/update-channel.sh +++ b/makefu/update-channel.sh @@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --rev refs/heads/master' \ > $dir/nixpkgs.json newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref" +echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'" |