From 03689799d66e8a58caf340e721e229524091eb2d Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 09:47:06 +0100 Subject: [PATCH 1/5] tv: RIP xu-qemu0 --- tv/1systems/xu-qemu0.nix | 28 ----- tv/1systems/xu.nix | 1 - tv/2configs/xu-qemu0.nix | 250 --------------------------------------- 3 files changed, 279 deletions(-) delete mode 100644 tv/1systems/xu-qemu0.nix delete mode 100644 tv/2configs/xu-qemu0.nix diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix deleted file mode 100644 index 8945c1907..000000000 --- a/tv/1systems/xu-qemu0.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - krebs.hosts.xu-qemu0 = { - cores = 1; - ssh.privkey.path = ; - # cannot define ssh.pubkey without at least one addr or alias - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04"; - }; - krebs.build.host = config.krebs.hosts.xu-qemu0; - - imports = [ - ../. - - ]; - - boot.loader.grub.device = "/dev/sda"; - - fileSystems = { - "/boot" = { - device = "/dev/sda1"; - }; - "/" = { - device = "/dev/sda2"; - fsType = "btrfs"; - }; - }; -} diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index b6fe6dc5c..974d820d5 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -17,7 +17,6 @@ with import ; ../2configs/retiolum.nix ../2configs/binary-cache ../2configs/xserver - ../2configs/xu-qemu0.nix { environment.systemPackages = with pkgs; [ diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix deleted file mode 100644 index 355a36650..000000000 --- a/tv/2configs/xu-qemu0.nix +++ /dev/null 
@@ -1,250 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - # XXX cannot use config.build.host.name here because infinite recursion when - # defining krebs.hosts.${host-name}.nets.retiolum.aliases below. - host-name = "xu"; -in - -# usage: -# echo set_password vnc correcthorze | xu-qemu0-monitor -# -# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return -# -# http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze -# -# make [install] system=xu-qemu0 target_host=10.56.0.101 - -with import ; - -{ - networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; - - tv.iptables.extra = { - nat.POSTROUTING = ["-j MASQUERADE"]; - filter.FORWARD = [ - "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" - "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" - ]; - filter.INPUT = [ - "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" - "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" - ]; - }; - - systemd.network.enable = true; - systemd.services.systemd-networkd-wait-online.enable = false; - - services.resolved.enable = mkForce false; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - - systemd.network.networks.qemubr0 = { - matchConfig.Name = "qemubr0"; - address = ["10.56.0.1/24"]; - routes = [{ - routeConfig = { - Gateway = "*"; - Destination = "10.56.0.0"; - }; - }]; - }; - systemd.network.netdevs.qemubr0 = { - netdevConfig = { - Name = "qemubr0"; - Kind = "bridge"; - }; - }; - - users.groups.qemu-users.gid = genid "qemu-users"; - - environment.etc."qemu/bridge.conf".text = '' - allow qemubr0 - ''; - - krebs.per-user.tv.packages = [ - ]; - - users.users.xu-qemu0 = { - createHome = true; - group = "qemu-users"; - home = "/home/xu-qemu0"; - uid = genid "xu-qemu0"; - }; - - systemd.services.xu-qemu0 = let - in { - after = [ "network.target" "systemd-resolved.service" ]; - serviceConfig = { - User = "xu-qemu0"; - SyslogIdentifier = "xu-qemu0"; - ExecStart = pkgs.writeDash "xu-qemu0" '' - set -efu - ${pkgs.coreutils}/bin/mkdir -p "$HOME/tmp" 
- img=$HOME/tmp/xu-qemu0.raw - if ! test -e "$img"; then - ${pkgs.kvm}/bin/qemu-img create "$img" 10G - fi - exec ${pkgs.kvm}/bin/qemu-kvm \ - -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \ - -boot order=cd \ - -cdrom ${pkgs.fetchurl { - url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; - sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9"; - }} \ - -m 1024 \ - -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \ - -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \ - -drive file="$img",format=raw \ - -display vnc=:1,websocket=5701,password,lossy \ - -name xu-qemu0 \ - ''; - }; - }; - - krebs.setuid.xu-qemu0-monitor = { - filename = pkgs.writeDash "xu-qemu0-monitor" '' - exec ${pkgs.socat}/bin/socat \ - stdio \ - UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \ - ''; - owner = "xu-qemu0"; - group = "tv"; - }; - - krebs.setuid.qemu-bridge-helper = { - filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; - group = "qemu-users"; - }; - - users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq"; - - # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName - services.dbus.packages = [ pkgs.dnsmasq ]; - - systemd.services.qemu-dnsmasq = let - # bind-interfaces - conf = pkgs.writeText "qemu-dnsmasq.conf" '' - listen-address=10.56.0.1 - interface=qemubr0 - dhcp-range=10.56.0.200,10.56.0.250 - dhcp-no-override - dhcp-leasefile=/tmp/qemu-dnsmasq.leases - domain=${host-name}.local - dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m - ''; - in { - after = [ "network.target" "systemd-resolved.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "dbus"; - BusName = "uk.org.thekelleys.dnsmasq"; - # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq] - SyslogIdentifier = "qemu-dnsmasq"; - ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}"; - ExecReload = 
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - PrivateTmp = "true"; - }; - restartTriggers = [ config.environment.etc.hosts.source ]; - }; - - - krebs.nginx.servers.init = { - server-names = [ - "init.${host-name}" - "init.${host-name}.r" - "init.${host-name}.retiolum" - ]; - extraConfig = '' - index init.txt; - root ${pkgs.writeTextFile { - name = "init-pages"; - text = '' - #! /bin/sh - set -efu - - dev=/dev/sda - pttype=dos # gpt - - case $pttype in - dos) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then - parted -s "$dev" mklabel msdos - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then - parted -s "$dev" mkpart primary ext4 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - gpt) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then - parted -s "$dev" mklabel gpt - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then - parted -s "$dev" mkpart ESP fat32 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - *) - echo "Error: bad pttype: $pttype" >&2 - exit -1 - esac - - if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then - parted -s "$dev" mkpart primary btrfs 513MiB 100% - fi - if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then - mkfs.vfat "$dev"1 - fi - if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then - mkfs.btrfs "$dev"2 - fi - - parted "$dev" print - - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then - mount "$dev"2 /mnt - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then - mkdir -m 0000 -p /mnt/boot - mount "$dev"1 /mnt/boot - fi - - lsblk "$dev" - - key=${shell.escape config.krebs.users.tv-xu.pubkey} - - if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then - mkdir -p /root/.ssh - echo "$key" > /root/.ssh/authorized_keys - fi - systemctl start sshd - ip route - echo READY. 
- ''; - destination = "/init.txt"; - }}; - ''; - }; - - - krebs.hosts.${host-name}.nets.retiolum.aliases = [ - "init.${host-name}.r" - "init.${host-name}.retiolum" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - - krebs.nginx.servers.noVNC = { - server-names = [ - "vnc.${host-name}" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701; - locations = singleton (nameValuePair "/" '' - index vnc.html; - root ${pkgs.noVNC}; - ''); - }; -} From eafa36c2b10ddf16163007aa58ed5e2444c251b6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 09:46:32 +0100 Subject: [PATCH 2/5] tv: replace krebs.nginx by services.nginx.virtualHosts --- tv/2configs/binary-cache/default.nix | 10 +++++----- tv/2configs/nginx/default.nix | 12 ++++++------ tv/2configs/nginx/public_html.nix | 14 ++++++-------- 3 files changed, 17 insertions(+), 19 deletions(-) diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 5902f1895..39c944b1a 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -19,15 +19,15 @@ source-path = toString + "/nix-serve.key"; }; - krebs.nginx = { + services.nginx = { enable = true; - servers.nix-serve = { - server-names = [ + virtualHosts.nix-serve = { + serverAliases = [ "cache.${config.krebs.build.host.name}.gg23" ]; - locations = singleton (nameValuePair "/" '' + locations."/".extraConfig = '' proxy_pass http://localhost:${toString config.services.nix-serve.port}; - ''); + ''; }; }; } diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 39995c052..277f459f0 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix 
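Review bot: In `services.nginx.virtualHosts.<name>` the attribute name is the primary `server_name` unless `serverName` is set, so after this hunk the nix-serve proxy also answers to a bare `Host: nix-serve` in addition to the alias listed in `serverAliases`; the old `krebs.nginx.servers.nix-serve.server-names` list did not appear to imply that. If only the cache name is meant to reach the proxy, use `serverName = "cache.${config.krebs.build.host.name}.gg23";` instead of `serverAliases`. The `locations."/".extraConfig` with a raw `proxy_pass` line works, but if the targeted nixpkgs location submodule has `proxyPass`, `locations."/".proxyPass = "http://localhost:${toString config.services.nix-serve.port}";` keeps the directive typed and easier to grep.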
@@ -3,15 +3,15 @@ with import ; { - krebs.nginx = { - servers.default.locations = [ - (nameValuePair "= /etc/os-release" '' + services.nginx = { + virtualHosts.default = { + locations."= /etc/os-release".extraConfig = '' default_type text/plain; alias /etc/os-release; - '') - ]; + ''; + }; }; - tv.iptables = optionalAttrs config.krebs.nginx.enable { + tv.iptables = { input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 4c74d2250..9744da1e8 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -3,20 +3,18 @@ with import ; { - krebs.nginx = { + services.nginx = { enable = true; - servers.default = { - server-names = [ + virtualHosts.default = { + serverAliases = [ "localhost" "${config.krebs.build.host.name}" "${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.retiolum" ]; - locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' + alias /home/$1/public_html$2; + ''; }; }; tv.iptables.input-internet-accept-tcp = singleton "http"; From 7efec736b299d1c0235d2c12064b3afc1e5e13ff Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 10:46:26 +0100 Subject: [PATCH 3/5] tv nginx: return 404 by default --- tv/2configs/nginx/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 277f459f0..0e6c2df0e 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,6 +4,13 @@ with import ; { services.nginx = { + virtualHosts._http = { + default = true; + extraConfig = '' + return 404; + ''; + }; + virtualHosts.default = { locations."= /etc/os-release".extraConfig = '' default_type text/plain; From bece7d9da29adde2c79e49c40d975dc46eed4c1e Mon Sep 17 00:00:00 2001 
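Review bot: The `tv.iptables` assignment in tv/2configs/nginx/default.nix loses its guard: the old side wrapped it in `optionalAttrs config.krebs.nginx.enable`, the new side is an unconditional `tv.iptables = {`, so `input-retiolum-accept-tcp = singleton "http"` now opens tcp/http on retiolum for every host that imports this module, whether or not nginx is enabled. The rest of the hunk only swaps option names, so the intent appears to be a pure migration; `tv.iptables = optionalAttrs config.services.nginx.enable {` keeps the firewall opening tied to the service as before. The public_html.nix hunk in the same commit does not have this problem because it sets `enable = true;` in the same file.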
From: tv
Date: Fri, 23 Dec 2016 11:09:36 +0100
Subject: [PATCH 4/5] tv nginx: enable recommendations
---
 tv/2configs/nginx/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 0e6c2df0e..b0acb9435 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,6 +4,10 @@ with import ;
 {
 services.nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
 virtualHosts._http = {
 default = true;
 extraConfig = ''
From df7e24c93dc318084322fae3441d1f3f94833041 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 25 Dec 2016 11:23:13 +0100
Subject: [PATCH 5/5] exim: init at 4.88
---
 krebs/5pkgs/exim.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 krebs/5pkgs/exim.nix
diff --git a/krebs/5pkgs/exim.nix b/krebs/5pkgs/exim.nix
new file mode 100644
index 000000000..4bb69267c
--- /dev/null
+++ b/krebs/5pkgs/exim.nix
@@ -0,0 +1,19 @@
+diff --git a/pkgs/servers/mail/exim/default.nix b/pkgs/servers/mail/exim/default.nix
+index 0918e30..5b7a587 100644
+--- a/pkgs/servers/mail/exim/default.nix
++++ b/pkgs/servers/mail/exim/default.nix
+@@ -1,11 +1,11 @@
+ { coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }:
+ 
+ stdenv.mkDerivation rec {
+- name = "exim-4.87";
++ name = "exim-4.88";
+ 
+ src = fetchurl {
+- url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2";
+- sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl";
++ url = "ftp://ftp.exim.org/pub/exim/exim4/${name}.tar.bz2";
++ sha256 = "0bca3wb45hl7h8m8bpvsmrmqa07jhbhqyigs9pl29hhzwgbmz78i";
+ };
+ 
+ buildInputs = [ coreutils db openssl pcre perl pkgconfig ];
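Review bot: `recommendedTlsSettings = true;` only takes effect on virtual hosts that terminate TLS, and none of the vhosts touched in this series (`default`, `_http`, `nix-serve`) declare a certificate or `forceSSL`/`enableACME` as far as the hunks show, so as written it is a no-op. If it is meant as a forward-looking default, a short comment such as `# applies once a vhost enables TLS; plain-http vhosts are unaffected` would save the next reader from looking for the TLS host. `recommendedGzipSettings` also applies to the proxied nix-serve responses if binary-cache imports this module, which is fine for public store paths but worth keeping in mind if a TLS vhost with per-user secrets is added later.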
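Review bot: krebs/5pkgs/exim.nix is a unified diff against nixpkgs' pkgs/servers/mail/exim/default.nix rather than a Nix expression, while the subject says "exim: init at 4.88"; nothing in the file says what it is applied to or how, and a `.nix` file that does not parse as Nix is a trap for anything that globs this directory. Text before the first `diff --git` line is ignored by `git apply` and `patch`, so a one-line preamble such as `Patch for <nixpkgs>/pkgs/servers/mail/exim: bump 4.87 -> 4.88; apply with patch -p1 from the nixpkgs root` would document it without changing the patch. The source URL also moves from `http://mirror.switch.ch/...` to `ftp://ftp.exim.org/...`; both transports are unauthenticated, so the new `sha256` pin is the only integrity check, and it should be cross-checked against the checksum published alongside the upstream release before this is merged.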