Merge remote-tracking branch 'gum/master'

This commit is contained in:
lassulus 2016-10-19 12:37:05 +02:00
commit 7aa9fb7eff
20 changed files with 243 additions and 14 deletions


@ -374,8 +374,8 @@ with config.krebs.lib;
'';
};
};
#ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
#ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBGboU/P00yYiwYje53G0oqDFWmcSJ+hIpMsl4f/HH";
};
wbob = rec {
cores = 1;
@ -512,6 +512,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
};
sdev = rec {
cores = 1;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtm6ETzNgLcXNkrKs2VUEiGsTKBmOFpW2fazbzdUfOg sdev";
nets = {
retiolum = {
ip4.addr = "10.243.83.237";
ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101";
aliases = [
"sdev.retiolum"
"sdev.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA8BwHwQ4pLZpskVnQONJsmzRPll4ZKMjAC56sY5p+GfT9ZBMkVDn+
LeH9wuTRiX/ehgtBiyu8w37cz62hz/71H+3mnWJlTm9bbBTc5N0y8l9b+YYeExW4
XPm4bUbJWKNRG9tHQAns/OREYDsHLsY6UoyNFmB0wTDpgs7egDCoe7E2eT+pG428
ysCDYlaZaigOyW+bj/HFLj8FSfpF5C/ug7NE/D7QocadsRUiLtVYrJsfmT+KHWf+
f5rLWLvuFiz1SWf7wZ9sICF3RCaC9Qhz7zplgHbvwbOHtF+Z/6DxduRMkggZUsUD
nm+40Ex1XJTe+s4V4GKLgh/fDKBTS6JwewIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
# non-stockholm
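Review bot: The host's `ssh.privkey.path` now points at `<secrets/ssh.id_ed25519>`, a name that reads like a user identity rather than a host key, while the replaced `ssh_host_ed25519_key` lines are only commented out. If that same file is also used as a client key anywhere, a compromise of either role becomes a compromise of both; confirm it is a dedicated host key or keep the host-key path. The two commented-out lines above it carry nothing git history does not, so delete them rather than leave dead config. The enclosing host attribute set starts before the hunk.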


@ -223,7 +223,7 @@ let
touch ${systemd-logfile}
cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc
'';
ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'";
ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'";
## you can simply sudo -u rtorrent tmux a if privateTmp is set to false
## otherwise the tmux session is stored in some private folder in /tmp


@ -24,7 +24,9 @@ in {
../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix
../2configs/tinc/retiolum.nix
../2configs/filepimp-share.nix
];
krebs.build.host = config.krebs.hosts.filepimp;
# AMD N54L
boot = {
@ -76,6 +78,9 @@ in {
(xfsmount "j2" (part1 jDisk2)) //
(xfsmount "par0" (part1 jDisk3))
;
networking.firewall.trustedInterfaces = [ primary-interface ];
services.wakeonlan.interfaces = [
{
interface = primary-interface;
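Review bot: `networking.firewall.trustedInterfaces = [ primary-interface ];` switches the firewall off for all traffic on the primary interface, not just for the Samba share this commit adds through `../2configs/filepimp-share.nix`. That share is, as defined elsewhere in this commit, a writable guest share, so every host on that segment now reaches it plus every other service the machine listens on. If the goal is only to let SMB through, open the SMB ports instead: `networking.firewall.allowedTCPPorts = [ 139 445 ];` and `networking.firewall.allowedUDPPorts = [ 137 138 ];`. The wakeonlan setting most likely needs no inbound rule, since the magic packet is handled by the NIC while the host is down, but confirm that against the module. The enclosing attribute set continues outside the hunk.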


@ -22,6 +22,7 @@ in {
../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix
../2configs/torrent.nix
../2configs/graphite-standalone.nix
../2configs/sabnzbd.nix
../2configs/opentracker.nix


@ -44,6 +44,7 @@ in {
../2configs/fs/sda-crypto-root.nix
../2configs/zsh-user.nix
../2configs/urlwatch.nix
../2configs/backup.nix
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix


@ -55,6 +55,10 @@ in {
# rt2870 with nonfree creates wlp2s0 from wlp0s20u2
# not explicitly setting the interface results in wpa_supplicant to crash
networking.wireless.interfaces = [ "wlp2s0" ];
networking.interfaces.virbr1.ip4 = [{
address = "10.8.8.11";
prefixLength = 24;
}];
# nuc hardware


@ -16,13 +16,15 @@ in {
../2configs/bepasty-dual.nix
../2configs/iodined.nix
../2configs/backup.nix
# other nginx
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
../2configs/nginx/euer.test.nix
#../2configs/elchos/stats.nix
# collectd
# ../2configs/collectd/collectd-base.nix


@ -63,11 +63,10 @@
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 ];
networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ];
networking.firewall.allowedUDPPorts = [ 665 26061 ];
krebs.build.host = config.krebs.hosts.x;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
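Review bot: Port 3000 is added to `allowedTCPPorts` without anything in the hunk saying which service listens there. Elsewhere in this commit 3000 is the Grafana backend that nginx fronts on localhost only, so if the same applies on this host the addition exposes that UI directly and without TLS — confirm what binds to 3000 before opening it on every interface. At minimum annotate the entry: `networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ]; # 3000: <service>`.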


@ -1,6 +1,10 @@
{ config, lib, ... }:
with config.krebs.lib;
let
# preparation:
# mkdir -p defaultBackupDir/host.name/src
# as root on omo:
# ssh-copy-id root@src
startAt = "0,6,12,18:00";
defaultBackupServer = config.krebs.hosts.omo;
defaultBackupDir = "/home/backup";
@ -12,7 +16,7 @@ let
};
dst = {
host = defaultBackupServer;
path = defaultBackupDir + src;
path = "${defaultBackupDir}/${host.name}${src}";
};
startAt = "0,6,12,18:00";
snapshots = {
@ -25,6 +29,6 @@ let
};
in {
krebs.backup.plans = {
wry-to-omo_var-www = defaultPull wry "/var/www";
wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/";
};
}
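Review bot: The wry-to-omo plan now pulls `/` instead of `/var/www`, so everything on wry — `/etc`, host keys, whatever secret material is on disk — lands under `/home/backup/wry/` on omo. Because that lives under `/home`, the mode and ownership of the destination decide who on omo can read another host's secrets; `krebs.backup` is not visible here, so confirm the target directory is created root-only and that pseudo-filesystems (`/proc`, `/sys`, `/dev`, `/run`) are excluded, otherwise the pull fails or copies junk. The new `path = "${defaultBackupDir}/${host.name}${src}"` (with `host` presumably the `defaultPull` parameter) also changes the on-disk layout for every existing plan from `<dir><src>` to `<dir>/<host>/<src>`; the preparation comment covers new setups but not existing backup trees, so a line such as `# layout changed: move old <dir><src> trees to <dir>/<host>/<src>` would help. `defaultPull`'s definition starts outside the hunk.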


@ -82,7 +82,6 @@ in
URxvt.perl-ext: default,url-select
URxvt.keysym.M-u: perl:url-select:select_next
#URxvt.url-select.launcher: firefox -new-tab
URxvt.url-select.launcher: chromium
URxvt.url-select.underline: true
URxvt.searchable-scrollback: CM-s


@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
# graphite-web on port 8080
# carbon cache on port 2003 (tcp/udp)
with config.krebs.lib;
let
sec = toString <secrets>;
acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/";
ext-dom = "stats.nsupdate.info";
#ssl_cert = "${sec}/wildcard.krebsco.de.crt";
#ssl_key = "${sec}/wildcard.krebsco.de.key";
ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
ssl_key = "${acmepath}/${ext-dom}/key.pem";
in {
networking.firewall = {
allowedTCPPorts = [ 2003 80 443 ];
allowedUDPPorts = [ 2003 ];
};
services.grafana = {
enable = true;
addr = "127.0.0.1";
extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
users.allowSignUp = false;
users.allowOrgCreate = false;
users.autoAssignOrg = false;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
krebs.nginx = {
enable = true;
servers.elch-stats = {
server-names = [ ext-dom ];
listen = [ "80" "443 ssl" ];
ssl = {
enable = true;
# these certs will be needed if acme has not yet created certificates:
certificate = ssl_cert;
certificate_key = ssl_key;
force_encryption = true;
};
locations = [
(nameValuePair "/" ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:3000/;
'')
(nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/;
'')
];
};
};
security.acme.certs."${ext-dom}" = {
email = "acme@syntax-fehler.de";
webroot = "${acmechall}/${ext-dom}/";
group = "nginx";
allowKeysForGroup = true;
postRun = "systemctl reload nginx.service";
extraDomains."${ext-dom}" = null ;
};
services.graphite = {
web = {
enable = true;
host = "127.0.0.1";
port = 8080;
};
carbon = {
enableCache = true;
# save disk usage by restricting to 1 bulk update per second
config = ''
[cache]
MAX_CACHE_SIZE = inf
MAX_UPDATES_PER_SECOND = 1
MAX_CREATES_PER_MINUTE = 500
'';
storageSchemas = ''
[carbon]
pattern = ^carbon\.
retentions = 60:90d
[elchos]
patterhn = ^elchos\.
retention = 10s:30d,60s:1y
[default]
pattern = .*
retentions = 30s:30d,300s:1y
'';
};
};
}
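Review bot: The `[elchos]` storage schema misspells both keys — `patterhn = ^elchos\.` and `retention = 10s:30d,60s:1y` — so carbon cannot match that section and elchos metrics either fall through to `[default]` (30s:30d,300s:1y) or the file is rejected, depending on the carbon version's handling of unknown keys. Change them to `pattern = ^elchos\.` and `retentions = 10s:30d,60s:1y`. Separately, `allowedTCPPorts`/`allowedUDPPorts` open 2003 on every interface while the carbon line receiver has no authentication, so anyone reaching the host can write arbitrary series and, with `MAX_CREATES_PER_MINUTE = 500`, grow the whisper store at will — restrict 2003 to the VPN interface or drop it from the public firewall. Grafana with `AUTH_ANONYMOUS_ENABLED` is also reachable on `stats.nsupdate.info`; if that is intentional, a comment saying so and naming the anonymous role would spare the next reader the question.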


@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
hostname = config.krebs.build.host.name;
in {
users.users.smbguest = {
name = "smbguest";
uid = config.ids.uids.smbguest;
description = "smb guest user";
home = "/var/empty";
};
services.samba = {
enable = true;
shares = {
media = {
path = "/media/";
"read only" = "no";
browseable = "yes";
"guest ok" = "yes";
};
};
extraConfig = ''
guest account = smbguest
map to guest = bad user
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
'';
};
}
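Review bot: The `media` share is writable by unauthenticated clients — `"read only" = "no"` together with `"guest ok" = "yes"` and `map to guest = bad user` means any client, with any or no credentials, can create, modify and delete under `/media/`, limited only by what the `smbguest` uid may do on the filesystem. Unless guest write access is the intent, set `"read only" = "yes";` or require a real account; if writes are needed, add `hosts allow = <trusted subnet>;` (placeholder) to the share and make sure `/media/` is not owned or group-writable by `smbguest` beyond the directories meant to be writable. The host importing this file disables its firewall on the primary interface in the same commit, so nothing in front of Samba compensates.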


@ -5,7 +5,7 @@ with config.krebs.lib;
imports = [ ./tp-x2x0.nix ];
boot = {
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];


@ -38,4 +38,8 @@ with config.krebs.lib;
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
powerManagement.resumeCommands = ''
{pkgs.rfkill}/bin/rfkill unblock all
'';
}
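Review bot: `{pkgs.rfkill}/bin/rfkill unblock all` is missing the `$` of a Nix interpolation, so the resume hook runs the literal path `{pkgs.rfkill}/bin/rfkill`, which does not exist and fails on every resume; it should read `${pkgs.rfkill}/bin/rfkill unblock all`. Once fixed, `unblock all` also re-enables radios the user deliberately soft-blocked before suspend; if only one device is meant, name it instead of `all`. The earlier attributes of this module are outside the hunk.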


@ -5,8 +5,9 @@ let
domain = "io.krebsco.de";
pw = import <secrets/iodinepw.nix>;
in {
networking.firewall.allowedUDPPorts = [ 53 ];
services.iodined = {
services.iodine = {
server = {
enable = true;
domain = domain;
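Review bot: `pw = import <secrets/iodinepw.nix>` pulls the tunnel password into the Nix evaluation; how the module consumes it is outside this hunk, but if it ends up as a command-line argument or inside a generated config file it is written to the world-readable Nix store (and, as an argument, shows in process listings), which the `<secrets>` indirection does not protect against. Confirm the option used here takes a file path rather than the value, or document the exposure with a comment such as `# NOTE: password is embedded in the store — acceptable only for a throwaway tunnel`. Opening UDP 53 is inherent to iodine and the rename to `services.iodine` matches the module name, nothing to add there.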


@ -0,0 +1,28 @@
{ config, pkgs, lib, ... }:
with config.krebs.lib;
let
icecult = pkgs.fetchFromGitHub {
owner = "kraiz";
repo = "icecult";
rev = "1942d43381a97f30111a48725f7532c343a6f4d7";
sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
};
in{
krebs.nginx = {
enable = true;
servers.default = {
extraConfig = ''
root ${icecult}/app;
'';
locations = [
(nameValuePair "/rpc" ''
rewrite /rpc/(.*) /$1 break;
proxy_http_version 1.1;
proxy_pass http://10.42.22.163:3121;
'')
];
};
};
}
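Review bot: The `/rpc` location forwards every request unauthenticated to `http://10.42.22.163:3121` on the nginx `default` server, so whatever RPC endpoint listens there is exposed to anyone who can reach this host's HTTP port; `rewrite /rpc/(.*) /$1 break;` strips the prefix, so the backend's full API surface is passed through. Unless that backend enforces its own authentication, gate the location with `auth_basic`/`auth_basic_user_file` or an `allow <trusted-net>; deny all;` pair inside the same block. A comment stating what listens on 3121 and why it is safe to proxy would also help, since the pinned `icecult` revision and the backend address are otherwise unexplained.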


@ -3,7 +3,7 @@
{
environment.systemPackages = with pkgs; [
gnuradio-full
gnuradio-with-packages
gnuradio-osmosdr
gqrx
];

24
makefu/2configs/solr.nix Normal file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
# graphite-web on port 8080
# carbon cache on port 2003 (tcp/udp)
with config.krebs.lib;
let
solrHome = "/var/db/solr";
in {
imports = [ ];
users.users.solr = {
home = solrHome;
uid = genid "solr";
createHome = true;
group = "solr";
};
users.groups.solr.gid = genid "solr";
services.solr = {
enable = true;
inherit solrHome;
user = "solr";
group = "solr";
};
}
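Review bot: The header comments `# graphite-web on port 8080` and `# carbon cache on port 2003 (tcp/udp)` are copied from the graphite module and describe nothing in this file; replace them with something like `# standalone Solr instance; data under /var/db/solr`. `imports = [ ];` is empty and can go. Whether the Solr listener is bound to localhost and whether the firewall is opened for it is not decided here — `services.solr` sets neither — so a comment stating where that happens would help the next reader.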


@ -14,6 +14,8 @@
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://github.com/amadvance/snapraid/releases.atom
https://erdgeist.org/gitweb/opentracker/commit/
];
};
}


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
name = "mergerfs-${version}";
version = "2.14.0";
version = "2.16.1";
# not using fetchFromGitHub because of changelog being built with git log
src = fetchgit {
url = "https://github.com/trapexit/mergerfs";
rev = "refs/tags/${version}";
sha256 = "0j5r96xddlj5gp3n1xhfwjmr6yf861xg3hgby4p078c8zfriq5rm";
sha256 = "12fqgk54fnnibqiq82p4g2k6qnw3iy6dd64csmlf73yi67za5iwf";
deepClone = true;
};