makefu/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of gum:stockholm

Browse source
This commit is contained in:
makefu 2016-01-18 12:50:20 +01:00
parent d532b6da79 ec41961125
commit ef57e00914
34 changed files with 485 additions and 814 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
1systems/filepimp.nix
View file

@ -9,28 +9,35 @@
[ # Include the results of the hardware scan.
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
../2configs/smart-monitor.nix
];
krebs.build.host = config.krebs.hosts.filepimp;
services.smartd.devices = [
{ device = "/dev/sda"; }
{ device = "/dev/sdb"; }
{ device = "/dev/sdc"; }
{ device = "/dev/sdd"; }
{ device = "/dev/sde"; }
];
# AMD N54L
boot = {
loader.grub.device = "/dev/sda";
loader.grub.device = "/dev/sde";
initrd.availableKernelModules = [
"usb_storage"
"ahci"
"xhci_hcd"
"ata_piix"
"uhci_hcd"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"usb_storage"
"usbhid"
];
kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
}

11
1systems/gum.nix
View file

@ -6,18 +6,22 @@ let
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
imports = [
# TODO: copy this config or move to krebs
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
../2configs/fs/simple-swap.nix
../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix
# ../2configs/iodined.nix
../2configs/git/cgit-retiolum.nix
../2configs/mattermost-docker.nix
../2configs/nginx/euer.test.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
];
services.smartd.devices = [ { device = "/dev/sda";} ];
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
###### stable
@ -28,6 +32,9 @@ in {
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
krebs.nginx.servers.cgit.server-names = [
"cgit.euer.krebsco.de"
];
# Chat
environment.systemPackages = with pkgs;[

98
1systems/omo.nix
View file

@ -2,36 +2,110 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
{ config, pkgs, lib, ... }:
let
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WCAZA5548487";
# all physical disks
allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
in {
imports =
[ # Include the results of the hardware scan.
[
# TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/nginx/omo-share.nix
../3modules
];
# services.openssh.allowSFTP = false;
krebs.build.host = config.krebs.hosts.omo;
krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
makefu.snapraid = let
toMapper = id: "/media/crypt${builtins.toString id}";
in {
enable = true;
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in {
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2";
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
# AMD E350
boot = {
loader.grub.device = "/dev/sda";
initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
};
in [
(usbkey "home" homePartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
];
};
loader.grub.device = rootDisk;
initrd.availableKernelModules = [
"usb_storage"
"ahci"
"xhci_hcd"
"ata_piix"
"uhci_hcd"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
networking.firewall.allowedUDPPorts = [ 655 ];
# 8080: sabnzbd
networking.firewall.allowedTCPPorts = [ 80 655 8080 ];
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
}

67
1systems/pnp.nix
View file

@ -1,62 +1,51 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
# Usage:
# NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm
# result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
# Base
[
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
../../krebs/3modules/Reaktor.nix
# HW/FS
# enables virtio kernel modules in initrd
# these will be overwritten by qemu-vm.nix but will be used if the system
# is directly deployed
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix
# Services
../2configs/git/cgit-retiolum.nix
## Reaktor
## \/ are only plugins, must enable Reaktor explicitly
../2configs/Reaktor/stockholmLentil.nix
../2configs/Reaktor/simpleExtend.nix
../2configs/Reaktor/random-emoji.nix
../2configs/Reaktor/titlebot.nix
../2configs/Reaktor/shack-correct.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
# ../2configs/graphite-standalone.nix
# config.system.build.vm
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
];
krebs.urlwatch.verbose = true;
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
krebs.Reaktor.nickname = "Reaktor|bot";
krebs.Reaktor.extraEnviron = {
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
virtualisation.graphics = false;
# also export secrets, see Usage above
fileSystems = pkgs.lib.mkVMOverride {
"${builtins.toString <secrets>}" =
{ device = "secrets";
fsType = "9p";
options = "trans=virtio,version=9p2000.L,cache=loose";
neededForBoot = true;
};
};
krebs.Reaktor = {
enable = true;
debug = true;
extraEnviron = {
REAKTOR_HOST = "cd.retiolum";
};
plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
channels = [ "#retiolum" ];
};
krebs.build.host = config.krebs.hosts.pnp;
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
networking.firewall.allowedTCPPorts = [
# nginx runs on 80
80
# graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
# 8080 2003
# smtp
25
];
# networking.firewall.allowedUDPPorts = [ 2003 ];
}

16
1systems/pornocauster.nix
View file

@ -26,6 +26,7 @@
# services
../2configs/git/brain-retiolum.nix
../2configs/tor.nix
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here
../2configs/hw/tp-x220.nix
@ -34,16 +35,18 @@
# ../2configs/mediawiki.nix
#../2configs/wordpress.nix
];
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.samsungUnifiedLinuxDriver ];
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
buildbot = let
pkgs1509 = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
in pkgs1509.buildbot;
};
makefu.buildbot.master.enable = true;
#krebs.Reaktor.enable = true;
#krebs.Reaktor.nickname = "makefu|r";
krebs.Reaktor = {
enable = false;
nickname = "makefu|r";
plugins = with pkgs.ReaktorPlugins; [ nixos-version random-emoji ];
};
# nix.binaryCaches = [ "http://acng.shack/nixos" "https://cache.nixos.org" ];
environment.systemPackages = with pkgs;[
@ -58,6 +61,7 @@
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"'';
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
25
];

1
1systems/vbob.nix
View file

@ -59,7 +59,6 @@ in {
buildbot
buildbot-slave
get
genid
];
networking.firewall.allowedTCPPorts = [

20
1systems/wry.nix
View file

@ -18,8 +18,6 @@ in {
../2configs/iodined.nix
# Reaktor
../2configs/Reaktor/simpleExtend.nix
# other nginx
../2configs/nginx/euer.wiki.nix
@ -29,9 +27,21 @@ in {
# collectd
../2configs/collectd/collectd-base.nix
];
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.enable = true;
krebs.Reaktor = {
nickname = "Reaktor|bot";
channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
enable = true;
plugins = with pkgs.ReaktorPlugins;[
titlebot
# stockholm-issue
nixos-version
shack-correct
sed-plugin
random-emoji ];
};
# bepasty to listen only on the correct interfaces
krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ];
@ -59,11 +69,11 @@ in {
};
networking = {
firewall = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [ 53 80 443 ];
allowedUDPPorts = [ 655 ];
allowedUDPPorts = [ 655 53 ];
};
interfaces.enp2s1.ip4 = [{
address = external-ip;

18
2configs/Reaktor/full.nix
View file

@ -1,18 +0,0 @@
_:
{
# implementation of the complete Reaktor bot
imports = [
#./stockholmLentil.nix
./simpleExtend.nix
./random-emoji.nix
./titlebot.nix
./shack-correct.nix
./sed-plugin.nix
];
krebs.Reaktor.nickname = "Reaktor|bot";
krebs.Reaktor.enable = true;
krebs.Reaktor.extraEnviron = {
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
};
}

26
2configs/Reaktor/random-emoji.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
rpkg = pkgs.substituteAll( {
name="random-emoji";
dir= "bin";
isExecutable=true;
src= ./random-emoji.sh;
});
rpkg-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
gnused
gnugrep
xmlstarlet
curl]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "emoji",
'pattern' : indirect_pattern.format("emoji"),
'argv' : ["${rpkg}/bin/random-emoji"],
'env' : { 'PATH':'${rpkg-path}' } })
'';
}

6
2configs/Reaktor/random-emoji.sh
View file

@ -1,6 +0,0 @@
#!/bin/sh
curl http://emojicons.com/random -s | \
grep data-text | \
sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
head -n 1 | \
xmlstarlet unesc

20
2configs/Reaktor/random-issue.sh
View file

@ -1,20 +0,0 @@
#! /bin/sh
set -eu
# requires env:
# $state_dir
# $origin
# in PATH: git,lentil,coreutils
subdir=`echo "$1" | tr -dc "[:alnum:]"`
name=`echo "$origin" | tr -dc "[:alnum:]"`
track="$state_dir/$name-checkout"
(if test -e "$track" ;then
cd "$track"
git fetch origin master
git reset --hard origin/master
else
git clone "$origin" "$track"
fi) >&2
cd "$track"
lentil "${subdir:-.}" -f csv | sed 1d | shuf | head -1

18
2configs/Reaktor/sed-plugin.nix
View file

@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = ./sed-plugin.py;
in {
#TODO: this will eat up the last regex, fix Reaktor
krebs.Reaktor.extraConfig = ''
public_commands.append({
'capname' : "sed-plugin",
# only support s///gi
'pattern' : '^(?P<args>.*)$$',
'argv' : ["${pkgs.python3}/bin/python3","${script}"],
'env' : { 'state_dir' : workdir,
'PATH':'${lib.makeSearchPath "bin" [pkgs.gnused]}' }})
'';
}

53
2configs/Reaktor/sed-plugin.py
View file

@ -1,53 +0,0 @@
#!/usr/bin/env python3
# Usage:
# _from=krebs state_dir=. python sed-plugin.py 'dick butt'
# _from=krebs state_dir=. python sed-plugin.py 's/t/l/g'
## dick bull
import shelve
from os import environ
from os.path import join
from sys import argv
d = shelve.open(join(environ['state_dir'],'sed-plugin.shelve'),writeback=True)
usr = environ['_from']
import re
def is_regex(line):
myre = re.compile(r'^s/((?:\\/|[^/])+)/((?:\\/|[^/])*)/([ig]*)$')
return myre.match(line)
line = argv[1]
m = is_regex(line)
if m:
f,t,flagstr = m.groups()
fn = f.replace('\/','/')
tn = t.replace('\/','/')
flags = 0
count = 1
if flagstr:
if 'i' in flagstr:
flags = re.IGNORECASE
if 'g' in flagstr:
count = 0
else:
flagstr = ''
last = d.get(usr,None)
if last:
#print(re.sub(fn,tn,last,count=count,flags=flags))
from subprocess import Popen,PIPE
p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
if p.returncode:
print("something went wrong when trying to process your regex: {}".format(se.decode()))
ret = so.decode()
print("\x1b[1m{}\x1b[0m meinte: {}".format(usr,ret.strip()))
if ret:
d[usr] = ret
else:
print("no last message")
else:
d[usr] = line
d.close()

20
2configs/Reaktor/shack-correct.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = pkgs.substituteAll ( {
name="shack-correct";
isExecutable=true;
dir = "";
src = ./shack-correct.sh;
});
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "shack-correct",
'pattern' : '^(?P<args>.*Shack.*)$$',
'argv' : ["${script}"],
'env' : { }})
'';
}

6
2configs/Reaktor/shack-correct.sh
View file

@ -1,6 +0,0 @@
#! /bin/sh
set -eu
printf "Sie meinten wohl \""
echo -n $@ | sed 's/Shack/shack/g'
echo "\""
echo "${_from}--"

19
2configs/Reaktor/simpleExtend.nix
View file

@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
nixos-version-script = pkgs.writeScript "nix-version" ''
#! /bin/sh
. /etc/os-release
echo "$PRETTY_NAME"
'';
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "nixos-version",
'pattern' : indirect_pattern.format("nixos-version"),
'argv' : ["${nixos-version-script}"],
'env' : { 'state_dir': workdir } })
'';
}

27
2configs/Reaktor/stockholmLentil.nix
View file

@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
random-issue = pkgs.substituteAll( {
name="random-issue";
dir= "bin";
isExecutable=true;
src= ./random-issue.sh;
});
random-issue-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
git
gnused
lentil]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "stockholm-issue",
'pattern' : indirect_pattern.format("stockholm-issue"),
'argv' : ["${random-issue}/bin/random-issue"],
'env' : { 'state_dir': workdir,
'PATH':'${random-issue-path}',
'origin':'http://cgit.pnp/stockholm' } })
'';
}

38
2configs/Reaktor/titlebot.nix
View file

@ -1,38 +0,0 @@
{ stdenv,config, lib, pkgs, ... }:
with pkgs;
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = fetchurl {
# https://github.com/makefu/reaktor-titlebot tag 2.1.0
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
pub_cmds = ["up" "help" "list" "top" "highest" "undo" ];
priv_cmds = [ "clear" ];
in {
# TODO: write identify file in
# {config.users.extraUsers.Reaktor.home}/state/admin.lst
krebs.Reaktor.extraConfig = ''
def titlebot_cmd(cmd):
return {
'capname': cmd,
'env': {
'TITLEDB':
'${config.users.extraUsers.Reaktor.home}/suggestions.json'
},
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
# TODO: for each element in ${titlebot_cmds}/bin/*
public_commands.insert(0,titlebot_cmd('up'))
public_commands.insert(0,titlebot_cmd('help'))
public_commands.insert(0,titlebot_cmd('list'))
public_commands.insert(0,titlebot_cmd('top'))
public_commands.insert(0,titlebot_cmd('new'))
commands.insert(0,titlebot_cmd('clear'))
'';
}

13
2configs/default.nix
View file

@ -13,7 +13,7 @@ with lib;
./vim.nix
];
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
search-domain = "retiolum";
@ -23,8 +23,8 @@ with lib;
source = {
git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/makefu/nixpkgs;
rev = mkDefault "3fd2c24685f604edc925f73ed56600b8c66236b3"; # nixos-15.09 + cherry-picking
url = mkDefault https://github.com/nixos/nixpkgs;
rev = mkDefault "93d8671e2c6d1d25f126ed30e5e6f16764330119"; # unstable @ 2015-01-03, tested on filepimp
target-path = "/var/src/nixpkgs";
};
@ -65,7 +65,12 @@ with lib;
time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1;
programs.ssh.startAgent = false;
programs.ssh = {
startAgent = false;
extraConfig = ''
UseRoaming no
'';
};
services.openssh.enable = true;
nix.useChroot = true;

7
2configs/hw/tp-x2x0.nix
View file

@ -24,5 +24,12 @@ with lib;
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
}

2
2configs/mail-client.nix
View file

@ -7,6 +7,8 @@ with lib;
mutt-kz
notmuch
offlineimap
imapfilter
gnupg
];
}

34
2configs/nginx/omo-share.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.krebs.build.host.name;
# TODO local-ip from the nets config
local-ip = "192.168.1.11";
# local-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
krebs.nginx = {
enable = mkDefault true;
servers = {
omo-share = {
listen = [ "${local-ip}:80" ];
locations = singleton (nameValuePair "/" ''
autoindex on;
root /media;
limit_rate_after 100m;
limit_rate 5m;
mp4_buffer_size 4M;
mp4_max_buffer_size 10M;
allow all;
access_log off;
keepalive_timeout 65;
keepalive_requests 200;
reset_timedout_connection on;
sendfile on;
tcp_nopush on;
gzip off;
'');
};
};
};
}

21
2configs/share-user-sftp.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, ... }:
{
users.users = {
share = {
uid = 9002;
home = "/var/empty";
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
# we will use internal-sftp to make uncomplicated Chroot work
services.openssh.extraConfig = ''
Match User share
ChrootDirectory /media
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
Match All
'';
}

18
2configs/smart-monitor.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, lib, ... }:
{
krebs.exim-retiolum.enable = lib.mkDefault true;
services.smartd = {
enable = true;
autodetect = false;
notifications = {
mail = {
enable = true;
recipient = config.krebs.users.makefu.mail;
};
};
# short daily, long weekly, check on boot
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
devices = lib.mkDefault [ ];
};
}

20
2configs/urlwatch.nix
View file

@ -1,6 +1,22 @@
{ config, ... }:
{ config, lib, ... }:
{
nixpkgs.config.packageOverrides = pkgs: {
urlwatch = with pkgs.pythonPackages; buildPythonPackage rec {
name = "urlwatch-1.18";
propagatedBuildInputs = [ futures ];
src = pkgs.fetchurl {
url = "http://thp.io/2008/urlwatch/${name}.tar.gz";
sha256 = "090qfgx249ks7103sap6w47f8302ix2k46wxhfssxwsqcqdl25vb";
};
postFixup = ''
wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH"
'';
};
};
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
@ -12,7 +28,7 @@
http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
];
};
}

2
2configs/vim.nix
View file

@ -122,7 +122,7 @@ in {
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree"
"YouCompleteMe"
# "YouCompleteMe"
"vim-better-whitespace" ]; }
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];

1
2configs/virtualization.nix
View file

@ -5,4 +5,5 @@ let
in {
virtualisation.libvirtd.enable = true;
users.extraUsers.${mainUser.name}.extraGroups = [ "libvirtd" ];
networking.firewall.checkReversePath = false; # TODO: unsolved issue in nixpkgs:#9067 [bug]
}

36
2configs/wwan.nix
View file

@ -1,33 +1,9 @@
{ config, lib, pkgs, ... }:
_:
#usage: $ wvdial
let
mainUser = config.krebs.build.user;
in {
environment.systemPackages = with pkgs;[
wvdial
];
environment.shellAliases = {
umts = "sudo wvdial netzclub";
{
imports = [ ../3modules ];
makefu.umts = {
enable = true;
modem-device = "/dev/serial/by-id/usb-Lenovo_H5321_gw_2D5A51BA0D3C3A90-if01";
};
# configure for NETZCLUB
environment.wvdial.dialerDefaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = /dev/ttyACM0
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
users.extraUsers.${mainUser.name}.extraGroups = [ "dialout" ];
}

3
2configs/zsh-user.nix
View file

@ -19,8 +19,7 @@ in
bindkey -e
# shift-tab
bindkey '^[[Z' reverse-menu-complete
autoload -U compinit && compinit
bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select
# load gpg-agent

263
3modules/buildbot/master.nix
View file

@ -1,263 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot = pkgs.buildbot;
buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
# -*- python -*-
from buildbot.plugins import *
import re
c = BuildmasterConfig = {}
c['slaves'] = []
# TODO: template potential buildslaves
# TODO: set password?
slavenames= [ 'testslave' ]
for i in slavenames:
c['slaves'].append(buildslave.BuildSlave(i, "krebspass"))
c['protocols'] = {'pb': {'port': 9989}}
####### Build Inputs
stockholm_repo = 'http://cgit.gum/stockholm'
c['change_source'] = []
c['change_source'].append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
####### Build Scheduler
# TODO: configure scheduler
c['schedulers'] = []
# test the master real quick
fast = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
name="fast-master-test",
builderNames=["fast-tests"])
force = schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"])
# files everyone depends on or are part of the share branch
def shared_files(change):
r =re.compile("^((krebs|share)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
return False
full = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
fileIsImportant=shared_files,
name="full-master-test",
builderNames=["full-tests"])
c['schedulers'] = [ fast, force, full ]
###### The actual build
# couple of fast steps:
f = util.BuildFactory()
## fetch repo
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
f.addStep(grab_repo)
# the dependencies which are used by the test script
deps = [ "gnumake", "jq" ]
nixshell = ["nix-shell", "-p" ] + deps + [ "--run" ]
def addShell(f,**kwargs):
f.addStep(steps.ShellCommand(**kwargs))
addShell(f,name="centos7-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=test-centos7"])
addShell(f,name="wolf-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=wolf"])
c['builders'] = []
c['builders'].append(
util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
# TODO slow build
c['builders'].append(
util.BuilderConfig(name="full-tests",
slavenames=slavenames,
factory=f))
####### Status of Builds
c['status'] = []
from buildbot.status import html
from buildbot.status.web import authz, auth
# TODO: configure if http is wanted
authz_cfg=authz.Authz(
# TODO: configure user/pw
auth=auth.BasicAuth([("krebs","bob")]),
gracefulShutdown = False,
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
stopBuild = False,
stopAllBuilds = False,
cancelPendingBuild = False,
)
# TODO: configure nginx
c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
from buildbot.status import words
${optionalString (cfg.irc.enable) ''
irc = words.IRC("${cfg.irc.server}", "krebsbuild",
# TODO: multiple channels
channels=["${cfg.irc.channel}"],
notify_events={
#'success': 1,
#'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
}${optionalString cfg.irc.allowForce ",allowForce=True"})
c['status'].append(irc)
''}
####### PROJECT IDENTITY
c['title'] = "Stockholm"
c['titleURL'] = "http://krebsco.de"
#c['buildbotURL'] = "http://buildbot.krebsco.de/"
# TODO: configure url
c['buildbotURL'] = "http://vbob:8010/"
####### DB URL
c['db'] = {
'db_url' : "sqlite:///state.sqlite",
}
${cfg.extraConfig}
'';
cfg = config.makefu.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
workDir = mkOption {
default = "/var/lib/buildbot/master";
type = types.str;
description = ''
Path to build bot master directory.
Will be created on startup.
'';
};
irc = mkOption {
default = {};
type = types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption "Buildbot Master IRC Status";
channel = mkOption {
default = "nix-buildbot-meetup";
type = types.str;
description = ''
irc channel the bot should connect to
'';
};
allowForce = mkOption {
default = false;
type = types.bool;
description = ''
Determines if builds can be forced via IRC
'';
};
nick = mkOption {
default = "nix-buildbot";
type = types.str;
description = ''
nickname for IRC
'';
};
server = mkOption {
default = "irc.freenode.net";
type = types.str;
description = ''
Buildbot Status IRC Server to connect to
'';
};
};
});
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
extra config appended to the generated master.cfg
'';
};
};
imp = {
users.extraUsers.buildbotMaster = {
uid = 672626386; #genid buildbotMaster
description = "Buildbot Master";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotMaster = {
gid = 672626386;
};
systemd.services.buildbotMaster = {
description = "Buildbot Master";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ];
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
# TODO: check if git is the only dep
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
if [ ! -e ${workdir} ];then
mkdir -p ${workdir}
${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
# TODO: maybe upgrade? not sure about this
# normally we should write buildbot.tac by our own
# ${buildbot}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildbot start ${workdir}";
ExecStop = "${buildbot}/bin/buildbot stop ${workdir}";
ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
PrivateTmp = "true";
User = "buildbotMaster";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.makefu.buildbot.master = api;
config = mkIf cfg.enable imp;
}

185
3modules/buildbot/slave.nix
View file

@ -1,185 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot-slave-init = pkgs.writeText "buildbot-slave.tac" ''
import os
from buildslave.bot import BuildSlave
from twisted.application import service
basedir = '${cfg.workDir}'
rotateLength = 10000000
maxRotatedFiles = 10
application = service.Application('buildslave')
from twisted.python.logfile import LogFile
from twisted.python.log import ILogObserver, FileLogObserver
logfile = LogFile.fromFullPath(os.path.join(basedir, "twistd.log"), rotateLength=rotateLength,
maxRotatedFiles=maxRotatedFiles)
application.setComponent(ILogObserver, FileLogObserver(logfile).emit)
buildmaster_host = '${cfg.masterhost}'
# TODO: masterport?
port = 9989
slavename = '${cfg.username}'
passwd = '${cfg.password}'
keepalive = 600
usepty = 0
umask = None
maxdelay = 300
allow_shutdown = None
${cfg.extraConfig}
s = BuildSlave(buildmaster_host, port, slavename, passwd, basedir,
keepalive, usepty, umask=umask, maxdelay=maxdelay,
allow_shutdown=allow_shutdown)
s.setServiceParent(application)
'';
default-packages = [ pkgs.git pkgs.bash ];
cfg = config.makefu.buildbot.slave;
api = {
enable = mkEnableOption "Buildbot Slave";
workDir = mkOption {
default = "/var/lib/buildbot/slave";
type = types.str;
description = ''
Path to build bot slave directory.
Will be created on startup.
'';
};
masterhost = mkOption {
default = "localhost";
type = types.str;
description = ''
Hostname/IP of the buildbot master
'';
};
username = mkOption {
type = types.str;
description = ''
slavename used to authenticate with master
'';
};
password = mkOption {
type = types.str;
description = ''
slave password used to authenticate with master
'';
};
contact = mkOption {
default = "nix slave <buildslave@${config.networking.hostName}>";
type = types.str;
description = ''
contact to be announced by buildslave
'';
};
description = mkOption {
default = "Nix Generated BuildSlave";
type = types.str;
description = ''
description for hostto be announced by buildslave
'';
};
packages = mkOption {
default = [ pkgs.git ];
type = with types; listOf package;
description = ''
packages which should be in path for buildslave
'';
};
extraEnviron = mkOption {
default = {};
example = {
NIX_PATH = "nixpkgs=/path/to/my/nixpkgs";
};
type = types.attrsOf types.str;
description = ''
extra environment variables to be provided to the buildslave service
if you need nixpkgs, e.g. for running nix-shell you can set NIX_PATH here.
'';
};
extraConfig = mkOption {
default = "";
type = types.lines;
example = ''
port = 443
keepalive = 600
'';
description = ''
extra config evaluated before calling BuildSlave init in .tac file
'';
};
};
imp = {
users.extraUsers.buildbotSlave = {
uid = 1408105834; #genid buildbotMaster
description = "Buildbot Slave";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotSlave = {
gid = 1408105834;
};
systemd.services."buildbotSlave-${cfg.username}-${cfg.masterhost}" = {
description = "Buildbot Slave for ${cfg.username}@${cfg.masterhost}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = default-packages ++ cfg.packages;
environment = {
NIX_REMOTE="daemon";
} // cfg.extraEnviron;
serviceConfig = let
workdir = "${lib.shell.escape cfg.workDir}";
contact = "${lib.shell.escape cfg.contact}";
description = "${lib.shell.escape cfg.description}";
buildbot = pkgs.buildbot-slave;
# TODO:make this
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin
echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir}
chmod 700 -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildslave start ${workdir}";
ExecStop = "${buildbot}/bin/buildslave stop ${workdir}";
PrivateTmp = "true";
User = "buildbotSlave";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.makefu.buildbot.slave = api;
config = mkIf cfg.enable imp;
}

4
3modules/default.nix
View file

@ -2,8 +2,8 @@ _:
{
imports = [
./buildbot/master.nix
./buildbot/slave.nix
./snapraid.nix
./umts.nix
];
}

125
3modules/snapraid.nix Normal file
View file

@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
# returns dirname without / , used as disk name
dname = dir: replaceChars ["/"] [""] (head (reverseList (splitString "/" dir)));
snapraid-conf = ''
# Disks
${concatMapStringsSep "\n" (d: "disk ${dname d} ${d}") cfg.disks}
# Parity
${optionalString (cfg.parity != "") "parity ${cfg.parity}/snapraid.parity"}
# content on Disks
${optionalString cfg.contentOnDisks
concatMapStringsSep "\n" (d: "content ${d}/snapraid.content") cfg.disks}
# content on Parity
${optionalString (cfg.contentOnParity && cfg.parity != "")
"content ${cfg.parity}/snapraid.content"}
# Default content file
content ${cfg.defaultContentFile}
# Extra Configuration
${cfg.extraConfig}
'';
cfg = config.makefu.snapraid;
out = {
options.makefu.snapraid = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "snapraid";
timerConfig = mkOption {
type = types.unspecified;
description = ''
Start snapraid service
'';
default = {
OnCalendar = "daily";
};
};
disks = mkOption {
type = with types;listOf str;
description = ''
Disks to protect. Each disk is a path to the mounted directory of the
disk.
'';
};
parity = mkOption {
type = types.str;
description = ''
Folder to store parity file.
Set to empty string if you want to configure the parity yourself in
extraConfig.
All extra parity files (2,3,z, etc...) should be configured via
extraConfig.
'';
};
contentOnDisks = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on each Disk to protect.
Set this to false if you do not want this behavior to apply.
'';
};
contentOnParity = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on parity Disk.
Set this to false if you do not want this behavior to apply.
'';
};
defaultContentFile = mkOption {
type = types.str;
default = "/var/cache/snapraid.content";
description = ''
Path to default content file
Set to empty string if this content file should be written.
'';
};
extraConfig = mkOption {
type = types.string;
default = "";
description = ''
Extra configuration to be appended to the snapraid conf file.
You can configure extra Parity files as well as extra content files.
See `man snapraid` for additional configuration
'';
};
};
imp = {
environment.systemPackages = [
# for scrubbing,fixing
pkgs.snapraid
];
environment.etc."snapraid.conf".text = snapraid-conf;
systemd.timers.snapraid-sync = {
description = "snapraid sync timer";
wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig;
};
systemd.services.snapraid-sync = {
description = "Snapraid sync service";
after = [ "network.target" "local-fs.target" ];
serviceConfig = {
Type = "simple";
ExecStartPre = pkgs.writeScript "Snapraid-sync-init" ''
#! /bin/sh
${optionalString (cfg.defaultContentFile != "")
"mkdir -p $(dirname ${cfg.defaultContentFile})"}
'';
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
};
};
};
in out

76
3modules/umts.nix Normal file
View file

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
with lib;
let
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
systemctl start umts
trap "systemctl stop umts;trap - INT TERM EXIT;exit" INT TERM EXIT
echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
journalctl -xfu umts
'';
wvdial-defaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = ${cfg.modem-device}
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
cfg = config.makefu.umts;
out = {
options.makefu.umts = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "umts";
modem-device = mkOption {
default = "/dev/ttyUSB0";
type = types.str;
description = ''
path to modem device, use <filename>/dev/serial/by-id/...</filename>
to avoid race conditions.
'';
};
};
imp = {
environment.shellAliases = {
umts = "sudo ${umts-bin}/bin/umts";
};
environment.systemPackages = [ ];
environment.wvdial.dialerDefaults = wvdial-defaults;
systemd.targets.network-umts = {
description = "System is running on UMTS";
unitConfig.StopWhenUnneeded = true;
};
systemd.services.umts = {
description = "UMTS wvdial Service";
before = [ "network-umts.target" ];
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "4s";
ExecStart = "${pkgs.wvdial}/bin/wvdial -n";
};
};
};
in out