Merge remote-tracking branch 'pnp/master'

This commit is contained in:
lassulus 2015-10-20 23:47:39 +02:00
commit 114bbe669a
11 changed files with 311 additions and 19 deletions


@ -14,6 +14,7 @@ let
./iptables.nix
./nginx.nix
./Reaktor.nix
./retiolum-bootstrap.nix
./realwallpaper.nix
./retiolum.nix
./urlwatch.nix


@ -127,10 +127,8 @@ with import ../../4lib { inherit lib; };
"krebsco.de" = ''
IN MX 10 mx42
euer IN MX 1 aspmx.l.google.com.
io IN NS pigstarter.krebsco.de.
pigstarter IN A ${head nets.internet.addrs4}
gold IN A ${head nets.internet.addrs4}
tinc IN A ${head nets.internet.addrs4}
boot IN A ${head nets.internet.addrs4}'';
};
nets = {
@ -166,7 +164,9 @@ with import ../../4lib { inherit lib; };
extraZones = {
"krebsco.de" = ''
wry IN A ${head nets.internet.addrs4}
io IN NS wry.krebsco.de.
graphs IN A ${head nets.internet.addrs4}
tinc IN A ${head nets.internet.addrs4}
'';
};
nets = rec {


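--- /dev/null
+++ b/krebs/3modules/retiolum-bootstrap.nix
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.krebs.retiolum-bootstrap;
+out = {
+options.krebs.retiolum-bootstrap = api;
+config = mkIf cfg.enable imp ;
+};
+api = {
+enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
+hostname = mkOption {
+type = types.str;
+description = "hostname which serves tinc boot";
+default = "tinc.krebsco.de" ;
+};
+ssl_certificate_key = mkOption {
+type = types.str;
+description = "Certificate key to use for ssl";
+default = "/root/secrets/tinc.krebsco.de.key";
+};
+ssl_certificate = mkOption {
+type = types.str;
+description = "Certificate file to use for ssl";
+default = "/root/secrets/tinc.krebsco.de.crt" ;
+};
+# in use:
+# <secrets/tinc.krebsco.de.crt>
+# <secrets/tinc.krebsco.de.key>
+};
+imp = {
+krebs.nginx.servers = assert config.krebs.nginx.enable; {
+retiolum-boot-redir = {
+server-names = singleton cfg.hostname;
+extraConfig = ''
+return 301 https://$server_name$request_uri;
+'';
+locations = [];
+};
+retiolum-boot-ssl = {
+server-names = singleton cfg.hostname;
+listen = "443 ssl";
+extraConfig = ''
+ssl_certificate ${cfg.ssl_certificate};
+ssl_certificate_key ${cfg.ssl_certificate_key};
+root ${pkgs.retiolum-bootstrap};
+try_files $uri $uri/retiolum.sh;
+'';
+locations = [];
+};
+};
+};
+in
+out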
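Review bot: `krebs.nginx.servers = assert config.krebs.nginx.enable; {` at the top of `imp` aborts evaluation with a bare "assertion failed" trace instead of telling the user which option to enable; the bepasty module added in this same commit does it the idiomatic NixOS way with `assertions = [ { assertion = config.krebs.nginx.enable; message = "krebs.nginx.enable must be true"; } ];`, and this module should match it. Separately, `try_files $uri $uri/retiolum.sh;` in the ssl server answers every path under the hostname with the bootstrap script, which is presumably intended for a curl-to-shell style bootstrap but means arbitrary URIs also yield the script; a one-line comment such as `# every path falls back to the bootstrap script on purpose` would keep someone from later adding other content under that root. The redirect server declares no `listen`, so it relies on whatever default krebs.nginx applies for port 80, which is also worth a comment.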


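--- /dev/null
+++ b/retiolum-bootstrap/default.nix
+{ stdenv,lib,fetchurl, ... }:
+with lib;
+stdenv.mkDerivation rec {
+name = "retiolum-bootstrap";
+version = "4.2.3";
+src = fetchurl {
+url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh;
+sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s";
+};
+phases = [
+"installPhase"
+];
+installPhase = ''
+mkdir -p "$out"
+cp -a ${src} $out/retiolum.sh
+'';
+meta = {
+description = "Retiolum boostrap scripts";
+url = https://github.com/krebscode/painload;
+license = licenses.wtfpl;
+platforms = platforms.unix;
+maintainers = with maintainers; [ makefu ];
+};
+}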
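Review bot: `url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh;` fetches from a moving branch, so the first upstream edit to that script turns every rebuild into a sha256 mismatch; the hash guarantees integrity of what is served, but not that the pin stays buildable. Replace `master` in the URL with the commit the sha256 was taken from, and tie `version = "4.2.3";` to it with a comment, since nothing in the derivation currently derives that version from upstream. Also `url =` in `meta` is not a nixpkgs meta attribute; the conventional key is `homepage`, so `homepage = https://github.com/krebscode/painload;`.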


@ -21,6 +21,7 @@
# applications
../2configs/exim-retiolum.nix
../2configs/mail-client.nix
#../2configs/virtualization.nix
../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix


@ -5,38 +5,50 @@ let
ip = (lib.head config.krebs.build.host.nets.internet.addrs4);
in {
imports = [
../../tv/2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/base-sources.nix
../2configs/tinc-basic-retiolum.nix
# TODO: copy this config or move to krebs
../../tv/2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/base-sources.nix
../2configs/tinc-basic-retiolum.nix
../2configs/iodined.nix
# Reaktor
../2configs/Reaktor/simpleExtend.nix
];
krebs.Reaktor.enable = true;
networking.firewall.allowPing = true;
networking.interfaces.enp2s1.ip4 = [
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = "104.233.87.1";
networking.nameservers = [
"8.8.8.8"
];
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = "104.233.87.1";
networking.nameservers = [
"8.8.8.8"
];
# based on ../../tv/2configs/CAC-Developer-2.nix
sound.enable = false;
# prepare graphs
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
krebs.nginx.enable = true;
krebs.retiolum-bootstrap.enable = true;
makefu.tinc_graphs.enable = true;
makefu.tinc_graphs.krebsNginx = {
enable = true;
# TODO: remove hard-coded hostname
hostnames_complete = [ "graphs.wry" ];
hostnames_anonymous = [ "graphs.krebsco.de" ];
};
networking.firewall.allowedTCPPorts = [80];
networking.firewall.allowedTCPPorts = [ 53 80 443 ];
krebs.build = {
user = config.krebs.users.makefu;
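Review bot: `networking.firewall.allowedTCPPorts = [ 53 80 443 ];` opens DNS only over TCP, while the iodine tunnel this host now runs via `../2configs/iodined.nix` and the `io IN NS wry.krebsco.de.` delegation added in this commit carry their traffic over UDP port 53; without `networking.firewall.allowedUDPPorts = [ 53 ];` clients cannot reach iodined at all, and TCP 53 is only needed if something on this host should also answer DNS over TCP. The tunnel hands out 172.16.10.0/24 and nothing in this hunk enables forwarding or NAT for that range, so whether the tunnel is meant to reach beyond wry itself is unclear and deserves a comment either way. The hunk cuts into the middle of the `krebs.build` attribute set, so the rest of it is outside this view.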


@ -3,9 +3,9 @@
{
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
#url = https://github.com/makefu/nixpkgs;
rev = "dc18f39bfb2f9d1ba62c7e8ad98544bb15cb26b2"; # nixos-15.09
#url = https://github.com/NixOS/nixpkgs;
url = https://github.com/makefu/nixpkgs;
rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine
};
dir.secrets = {


@ -10,6 +10,9 @@ let
stockholm = {
desc = "Make all the systems into 1systems!";
};
tinc_graphs = {
desc = "Tinc Advanced Graph Generation";
};
};
priv-repos = mapAttrs make-priv-repo {


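--- /dev/null
+++ b/makefu/2configs/iodined.nix
+{ services,builtins,environment,pkgs, ... }:
+let
+# TODO: make this a parameter
+domain = "io.krebsco.de";
+pw = import <secrets/iodinepw.nix>;
+in {
+services.iodined = {
+enable = true;
+domain = domain;
+ip = "172.16.10.1/24";
+extraConfig = "-P ${pw}";
+};
+}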
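Review bot: `extraConfig = "-P ${pw}";` puts the tunnel password on iodined's command line, which ends up in the generated systemd unit in the world-readable Nix store and is visible to every local user via `ps`; importing it from `<secrets/iodinepw.nix>` keeps it out of git, not out of the store. Prefer passing it out of band — check whether the shipped iodined honours an environment variable for the password (the iodined(8) man page documents one) and feed it through `systemd.services.iodined.serviceConfig.EnvironmentFile` pointing at a root-only file, or at minimum document the exposure next to the option. The module also declares `{ services,builtins,environment,pkgs, ... }:` as its arguments although none is used and `services`, `builtins` and `environment` are not module arguments; `{ config, ... }:` is all this file needs.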


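--- /dev/null
+++ b/makefu/2configs/mail-client.nix
+{ config, lib, pkgs, ... }:
+with lib;
+{
+environment.systemPackages = with pkgs; [
+msmtp
+mutt-kz
+notmuch
+offlineimap
+];
+}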


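--- /dev/null
+++ b/makefu/3modules/bepasty-server.nix
+{ config, lib, pkgs, ... }:
+with lib;
+let
+gunicorn = pkgs.pythonPackages.gunicorn;
+bepasty = pkgs.pythonPackages.bepasty-server;
+gevent = pkgs.pythonPackages.gevent;
+python = pkgs.pythonPackages.python;
+cfg = config.makefu.bepasty-server;
+out = {
+options.makefu.bepasty-server = api;
+config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ;
+};
+api = {
+enable = mkEnableOption "Bepasty Servers";
+serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx";
+servers = mkOption {
+type = with types; attrsOf optionSet;
+options = singleton {
+nginxCfg = mkOption {
+# TODO use the correct type
+type = with types; attrsOf unspecified;
+description = ''
+additional nginx configuration. see krebs.nginx for all options
+'' ;
+};
+debug = mkOption {
+type = types.bool;
+description = ''
+run server in debug mode
+'';
+default = false;
+};
+# TODO: assert secretKey
+secretKey = mkOption {
+type = types.str;
+description = ''
+server secret for safe session cookies, must be set.
+'';
+};
+# we create a wsgi socket in $workDir/gunicorn-${name}.wsgi
+workDir = mkOption {
+type = types.str;
+description = ''
+Path to the working directory (used for sockets and pidfile).
+Defaults to the users home directory. Must be accessible to nginx,
+permissions will be set to 755
+'';
+default = config.users.extraUsers.bepasty.home;
+};
+dataDir = mkOption {
+type = types.str;
+description = ''
+Defaults to the new users home dir which defaults to
+/var/lib/bepasty-server/data
+'';
+default = "${config.users.extraUsers.bepasty.home}/data";
+};
+extraConfig = mkOption {
+type = types.str;
+default = "";
+example = ''
+PERMISSIONS = {
+'myadminsecret': 'admin,list,create,read,delete',
+}
+MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
+'';
+};
+defaultPermissions = mkOption {
+type = types.str;
+default = "list";
+};
+};
+default = {};
+};
+};
+imp = {
+# Configures systemd services for each configured server
+# environment.systemPackages = [ bepasty gunicorn gevent ];
+systemd.services = mapAttrs' (name: server:
+nameValuePair ("bepasty-server-${name}")
+({
+description = "Bepasty Server ${name}";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+restartIfChanged = true;
+environment = {
+BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
+PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
+};
+serviceConfig = {
+Type = "simple";
+PrivateTmp = true;
+ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" ''
+#!/bin/sh
+chmod 755 ${server.workDir}
+mkdir -p ${server.dataDir}
+cat > ${server.workDir}/bepasty-${name}.conf <<EOF
+SITENAME="${name}"
+STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
+SECRET_KEY="${escapeShellArg server.secretKey}"
+DEFAULT_PERMISSIONS="${server.defaultPermissions}"
+${server.extraConfig}
+EOF
+'';
+Directory = "${bepasty}/lib/${python.libPrefix}/site-packages";
+# we use Gunicorn to start a wsgi server
+ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
+--workers 3 --log-level=info \
+--bind=unix:${server.workDir}/gunicorn-${name}.sock \
+--pid ${server.workDir}/gunicorn-${name}.pid \
+-k gevent
+'';
+};
+})
+) cfg.servers;
+users.extraUsers.bepasty = {
+uid = 2796546855; #genid bepasty
+home = "/var/lib/bepasty-server";
+createHome = true;
+};
+};
+nginx-imp = {
+assertions = [ { assertion = config.krebs.nginx.enable;
+message = "krebs.nginx.enable must be true"; }];
+krebs.nginx.servers = mapAttrs' (name: server:
+nameValuePair("bepasty-server-${name}")
+(server.nginxCfg // {
+extraConfig = ''
+client_max_body_size 32M;
+'';
+locations = [
+(nameValuePair ("/")
+(''
+proxy_set_header Host $http_host;
+proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
+''))
+(nameValuePair ("/static/")
+(''
+alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
+''))
+];
+})
+) cfg.servers ;
+};
+in
+out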
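Review bot: `SECRET_KEY="${escapeShellArg server.secretKey}"` is interpolated by Nix into the `writeScript` pre-start script, so the session-signing secret is stored in the world-readable Nix store, and the generated `bepasty-${name}.conf` is then written by root with the default umask into a directory the same script just made 755, so every local user can read it there as well; `escapeShellArg` is also the wrong escape for this spot, since inside the unquoted heredoc the single quotes it adds become part of the Python string literal, while a secret containing `$` or backquotes is still expanded by the shell. Read the key from a root-owned file at start instead (a `secretKeyFile` option, `umask 077` before the `cat`, and a quoted delimiter `<<'EOF'` — every `${…}` in that block is Nix interpolation, not shell — with the config, which appears to be Python judging by the `extraConfig` example, doing the read itself) rather than baking the value into the unit. Two smaller issues in `serviceConfig`: `Directory = …` is not a systemd key and is ignored with an unknown-lvalue warning, so it should be `WorkingDirectory = "${bepasty}/lib/${python.libPrefix}/site-packages";`, and no `User` is set, so gunicorn runs as root although `users.extraUsers.bepasty` is created for it — add `User = "bepasty";` together with `PermissionsStartOnly = true;` so only the pre-start step keeps root. The socket in `workDir` stays reachable by nginx through the existing `chmod 755`.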