diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 50e04cf80..4e035e725 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -22,6 +22,16 @@ let
 
     servers = mkOption {
       type = with types; attrsOf optionSet;
+      example = ''
+        {
+          "paste.r" = {
+            defaultPermissions = "read,delete,create";
+          };
+          "paste.krebsco.de" = {
+            defaultPermissions = "read";
+          };
+        }
+      '';
       options = singleton {
         nginx = mkOption {
           # TODO use the correct type
@@ -30,7 +40,6 @@ let
             additional nginx configuration. see krebs.nginx for all options
           '';
         };
-
         secretKey = mkOption {
           type = types.str;
           description = ''
@@ -39,6 +48,7 @@ let
           default = "";
         };
 
+
         # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi
         workDir = mkOption {
           type = types.str;
@@ -143,25 +153,25 @@ let
   };
 
   nginx-imp = {
-    assertions = [{ assertion = config.krebs.nginx.enable;
-                     message = "krebs.nginx.enable must be true"; }];
+    assertions = [{ assertion = config.services.nginx.enable;
+                     message = "services.nginx.enable must be true"; }];
 
-    krebs.nginx.servers = mapAttrs' (name: server:
-      nameValuePair("bepasty-server-${name}")
-      (mkMerge [ server.nginx  {
-        extraConfig = ''
-          client_max_body_size 32M;
-          '';
-        locations = [
-          (nameValuePair "/" ''
-            proxy_set_header Host $http_host;
-            proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
-           '')
-          (nameValuePair "/static/" ''
-            alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
-          '')
-          ];
-      }])) cfg.servers ;
+    services.nginx.virtualHosts = mapAttrs ( name: server:
+      (mkMerge [
+        server.nginx
+        {
+          extraConfig = ''
+            client_max_body_size 32M;
+            '';
+          locations = {
+            "/".extraConfig = "proxy_set_header Host $http_host;";
+            "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock";
+            "/static/".extraConfig = ''
+              alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
+            '';
+          };
+        }])
+      ) cfg.servers ;
   };
 in
 out
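Review bot: The socket path on the new `"/".proxyPass` line, `gunicorn-${name}.sock`, does not match the comment on `workDir` above this hunk, which says the socket is created as `$workDir/gunicorn-${name}.wsgi`; one of the two should be corrected so the documentation and the proxy target agree. Splitting one location across `"/".extraConfig` and `"/".proxyPass` reads like two locations; `"/" = { proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; extraConfig = "proxy_set_header Host $http_host;"; };` keeps them together. The attribute key of `cfg.servers` is now used directly as the virtualHost name (the old code prefixed it with `bepasty-server-`), so presumably it becomes the nginx server_name — a one-line comment on the `mapAttrs` line saying so would help module users pick keys like the `"paste.r"` example.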
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 26a51de00..197835e73 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -35,35 +35,28 @@ let
     nginx = {
       enable = mkEnableOption "enable tinc_graphs to be served with nginx";
 
-      anonymous = {
-        server-names = mkOption {
-          type = with types; listOf str;
-          description = "hostnames which serve anonymous graphs";
-          default = [ "graphs.${config.krebs.build.host.name}" ];
-        };
-
-        listen = mkOption {
-          # use the type of the nginx listen option
-          type = with types; listOf str;
-          description = "listen address for anonymous graphs";
-          default = [ "80" ];
-        };
-
+      anonymous = mkOption {
+        type = types.attrsOf types.unspecified;
+        description = ''
+          nginx virtualHost options to be merged into the anonymous graphs
+          vhost entry.
+        '';
+      };
+      anonymous-domain = mkOption {
+        type = types.str;
+        description = ''
+          external domainname to be used for anonymous graphs
+          it will be used if you want to enable ACME
+        '';
+        default = "graphs.krebsco.de";
       };
 
-      complete = {
-        server-names = mkOption {
-          type = with types; listOf str;
-          description = "hostname which serves complete graphs";
-          default = [ "graphs.${config.krebs.build.host.name}" ];
-        };
-
-        listen = mkOption {
-          type = with types; listOf str;
-          description = "listen address for complete graphs";
-          default = [ "127.0.0.1:80" ];
-        };
-
+      complete = mkOption {
+        type = types.attrsOf types.unspecified;
+        description = ''
+          nginx virtualHost options to be merged into the complete graphs
+          vhost entry.
+        '';
       };
     };
 
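Review bot: The new `anonymous` and `complete` options are declared without a `default`, so a host that enables `nginx` but leaves either of them unset fails evaluation as soon as the implementation below reads them in `mkMerge [ cfg.nginx.anonymous … ]` / `mkMerge [ cfg.nginx.complete … ]`; add `default = {};` to both `mkOption` calls. The `anonymous-domain` default `"graphs.krebsco.de"` replaces the old per-host `graphs.${config.krebs.build.host.name}`, which means every host that does not override it claims the same public name — presumably intended for ACME, but the description should say so. The `complete` description should also mention that, unlike the old `listen` default of `127.0.0.1:80`, nothing restricts where this vhost is served unless the caller adds it.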
@@ -134,24 +127,20 @@ let
       uid = genid "tinc_graphs";
       home = "/var/spool/tinc_graphs";
     };
-    krebs.nginx = mkIf cfg.nginx.enable {
+    services.nginx = mkIf cfg.nginx.enable {
       enable = mkDefault true;
-      servers = {
+      virtualHosts = {
         tinc_graphs_complete = mkMerge [ cfg.nginx.complete  {
-          locations = [
-            (nameValuePair "/" ''
-              autoindex on;
-              root ${internal_dir};
-            '')
-          ];
-        }] ;
-        tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous {
-          locations = [
-            (nameValuePair "/" ''
-              autoindex on;
-              root ${external_dir};
-            '')
-          ];
+          locations = {
+            "/".extraConfig = "autoindex on;";
+            "/".root = internal_dir;
+          };
+        }];
+        "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous {
+          locations = {
+            "/".extraConfig = "autoindex on;";
+            "/".root = external_dir;
+          };
         }];
       };
     };
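Review bot: The `tinc_graphs_complete` vhost built here has no address restriction any more: the old default `listen = [ "127.0.0.1:80" ]` went away with the option, and the new code only merges whatever the caller passes in `cfg.nginx.complete`. Because nginx serves the first server block on a port for unmatched Host headers, the complete graphs may be reachable on every interface unless each host adds a guard, as shoney.nix and wry.nix do with an `if ( $server_addr … ) { return 403; }` snippet; consider carrying that guard (or a listen/address option) in this module instead of relying on every consumer. Also, `"/".extraConfig` and `"/".root` for the same location read better as one attrset, `"/" = { root = internal_dir; extraConfig = "autoindex on;"; };`, and likewise for `external_dir`.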
diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
index 4d9b37cea..1eac141dc 100644
--- a/makefu/1systems/fileleech.nix
+++ b/makefu/1systems/fileleech.nix
@@ -1,27 +1,111 @@
-{ config, pkgs, ... }:
-{
+{ config, pkgs, lib, ... }:
+let
+  toMapper = id: "/media/crypt${builtins.toString id}";
+  byid = dev: "/dev/disk/by-id/" + dev;
+  keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0";
+  rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
+  rootPartition = rootDisk + "-part3";
+
+	dataDisks =  let
+		idpart = dev: byid  dev + "-part1";
+	in [
+		{ name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
+	  {	name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
+	  {	name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
+	  {	name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
+	  {	name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
+	  {	name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
+	  {	name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
+	  {	name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
+	];
+
+  disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks;
+in {
     imports = [
-        ../.
-        # configure your hw:
-        # ../2configs/hw/CAC.nix
-        # ../2configs/fs/CAC-CentOS-7-64bit.nix
-      ../2configs/save-diskspace.nix
+      ../.
       ../2configs/tinc/retiolum.nix
+      ../2configs/disable_v6.nix
+      ../2configs/torrent.nix
+      ../2configs/fs/sda-crypto-root.nix
+
+      ../2configs/elchos/irc-token.nix
+      ../2configs/elchos/log.nix
+      ../2configs/elchos/search.nix
+      ../2configs/elchos/stats.nix
 
     ];
-    krebs = {
-        enable = true;
-        build.host = config.krebs.hosts.fileleech;
-    };
+  makefu.server.primary-itf = "enp8s0f0";
+  krebs = {
+      enable = true;
+      build.host = config.krebs.hosts.fileleech;
+  };
+	# git clone https://github.com/makefu/docker-pyload
+	# docker build .
+  # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload
 
-		boot.loader.grub.enable = true;
-		boot.loader.grub.version = 2;
-    boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
-    fileSystems."/" = {
-        device = "/dev/disk/by-id/ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
-    };
+  virtualisation.docker.enable = true; # for pyload
+  networking.firewall.allowedTCPPorts =  [
+    51412 # torrent
+    8112  # rutorrent-web
+    8113  # pyload
+    8080  # sabnzbd
+    9090  # sabnzbd-ssl
+    655   # tinc
+  ];
+  networking.firewall.allowedUDPPorts = [
+    655 # tinc
+    51412 # torrent
+  ];
 
-		boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ];
-		boot.kernelModules = [ "kvm-intel" ];
-		boot.extraModulePackages = [ ];
+  services.sabnzbd.enable = true;
+  systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+  boot.initrd.luks = {
+    devices = let
+      usbkey = name: device: {
+        inherit name device keyFile;
+        keyFileSize = 4096;
+        allowDiscards = true;
+      };
+    in builtins.map (x: usbkey x.name x.device) disks;
+  };
+  environment.systemPackages = with pkgs;[ mergerfs ];
+
+  fileSystems = let
+    cryptMount = name:
+      { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+  in  cryptMount "crypt0"
+		// cryptMount "crypt1"
+		// cryptMount "crypt2"
+		// cryptMount "crypt3"
+		// cryptMount "crypt4"
+		// cryptMount "crypt5"
+		// cryptMount "crypt6"
+		// cryptMount "crypt7"
+
+    # this entry sometimes creates issues
+    // { "/media/cryptX" = {
+          device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]);
+          fsType = "mergerfs";
+          noCheck = true;
+          options = [ "defaults" "nofail" "allow_other" "nonempty" ]; };
+        }
+
+    ;
+  makefu.snapraid = {
+    enable = true;
+    disks = map toMapper [ 0 1 2 3 4 5 6 ];
+    parity = toMapper 7;
+  };
+
+  boot.loader.grub.device = rootDisk;
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html
+  boot.extraModprobeConfig = ''
+    options ixgbe allow_unsupported_sfp=1
+  '';
 }
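Review bot: The firewall comments `8112  # rutorrent-web` and `8113  # pyload` disagree with the docker command quoted a few lines above, `docker run … -p 8112:8000 … docker-pyload`, which publishes pyload on 8112; one of the two is wrong, and as written the firewall may be opening the wrong port for pyload. The `dataDisks` list and the `cryptMount` chain are indented with tabs while the rest of the file uses two spaces; pick one. All four web UIs (8112, 8113, 8080, 9090) are allowed on every interface, which presumably relies on each service's own login — if they are only meant for the LAN or retiolum, scoping them to the internal interface (e.g. via `networking.firewall.extraCommands`) is cheaper than trusting four separate login pages. A comment on `keyFileSize = 4096` saying that the first 4 KiB of the USB stick unlocks every disk in `disks` would spare the next reader a lookup.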
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index e8a368fa2..e7761a642 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -15,6 +15,7 @@ in {
       ../2configs/git/cgit-retiolum.nix
       # ../2configs/mattermost-docker.nix
       ../2configs/nginx/euer.test.nix
+      ../2configs/nginx/public_html.nix
       ../2configs/nginx/update.connector.one.nix
       ../2configs/deployment/mycube.connector.one.nix
 
@@ -31,7 +32,9 @@ in {
   ];
   services.smartd.devices = [ { device = "/dev/sda";} ];
 
+
   ###### stable
+  services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
   krebs.build.host = config.krebs.hosts.gum;
   krebs.tinc.retiolum = {
     extraConfig = ''
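Review bot: The new `services.nginx.virtualHosts.cgit.serverAliases` line only carries over the server names; the `listen = [ "${external-ip}:80" "${internal-ip}:80" ]` restriction removed further down (the `krebs.nginx.servers.cgit` deletion) has no counterpart, so the cgit vhost now listens on nginx's default addresses. If that is intended, a comment on the new line saying so would avoid the question; otherwise add a matching entry if the pinned nixpkgs offers `listen` on virtualHosts. The blank line added above `###### stable` is stray.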
@@ -48,10 +51,6 @@ in {
 
   makefu.taskserver.enable = true;
 
-  krebs.nginx.servers.cgit = {
-    server-names = [ "cgit.euer.krebsco.de" ];
-    listen = [ "${external-ip}:80" "${internal-ip}:80" ];
-  };
 
   # access
   users.users = {
@@ -76,9 +75,8 @@ in {
   services.udev.extraRules = ''
     SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0"
   '';
-  boot.kernelParams = [ "ipv6.disable=1" ];
+  boot.kernelParams = [ ];
   networking = {
-    enableIPv6 = false;
     firewall = {
         allowPing = true;
         logRefusedConnections = false;
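Review bot: `boot.kernelParams = [ ];` now assigns an empty list, which contributes nothing and can be deleted instead of left behind. With both it and `enableIPv6 = false` gone, gum gets IPv6 back and the `firewall` block that follows applies to v6 traffic as well — presumably intended, since disable_v6.nix was changed in the same commit, but a one-line comment such as `# IPv6 re-enabled; firewall rules below apply to both families` would record the decision.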
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 4fbbd653d..609d52134 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -48,12 +48,16 @@ in {
       ../2configs/exim-retiolum.nix
       ../2configs/smart-monitor.nix
       ../2configs/mail-client.nix
-      ../2configs/disable_v6.nix
+      # ../2configs/disable_v6.nix
       #../2configs/graphite-standalone.nix
       #../2configs/share-user-sftp.nix
       ../2configs/omo-share.nix
       ../2configs/tinc/retiolum.nix
-      ../2configs/torrent.nix
+      # ../2configs/torrent.nix
+
+      # ../2configs/elchos/search.nix
+      # ../2configs/elchos/log.nix
+      # ../2configs/elchos/irc-token.nix
 
       ## as long as pyload is not in nixpkgs:
       # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
@@ -121,7 +125,8 @@ in {
     // { "/media/cryptX" = {
             device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
             fsType = "mergerfs";
-            options = [ "defaults" "allow_other" ];
+            noCheck = true;
+            options = [ "defaults" "allow_other" "nofail" "nonempty" ];
           };
        };
 
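Review bot: The added `noCheck = true` and the `"nofail" "nonempty"` options on the mergerfs entry carry no explanation, whereas the same block in fileleech.nix at least says `# this entry sometimes creates issues`; a comment stating the actual reason (for instance that the mount must not block boot when a member disk is missing, if that is what was observed) would keep the two copies understandable. Since both files now contain this identical `/media/cryptX` block, a shared helper in 2configs would avoid the drift that already exists between them.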
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 1c5d2352e..96aeb2856 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -21,7 +21,6 @@ in {
   krebs = {
     enable = true;
     build.host = config.krebs.hosts.shoney;
-    nginx.enable = true;
     tinc_graphs = {
       enable = true;
       network = "siem";
@@ -29,9 +28,15 @@ in {
       nginx = {
         enable = true;
         # TODO: remove hard-coded hostname
+        anonymous-domain = "localhost.localdomain";
+        anonymous.extraConfig = "return 403;";
         complete = {
-          listen = [ "${tinc-siem-ip}:80" ];
-          server-names = [ "graphs.siem" ];
+          serverAliases = [ "graphs.siem" ];
+          extraConfig = ''
+            if ( $server_addr = "${ip}" ) {
+              return 403;
+            }
+          '';
         };
       };
     };
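Review bot: The new `extraConfig` guard on the `complete` vhost denies only requests arriving on `${ip}`, whereas the removed `listen = [ "${tinc-siem-ip}:80" ]` allowed only the siem tinc address; on a host with any further address the complete graphs are now served there too. Inverting the test into an allow-list, `if ( $server_addr != "${tinc-siem-ip}" ) { return 403; }`, preserves the old behaviour. `anonymous-domain = "localhost.localdomain"` with `return 403;` effectively disables the anonymous graphs, and since that vhost sorts first it may also become nginx's default server on port 80 — fine if intended, but the `# TODO: remove hard-coded hostname` comment above now describes this new literal as well. Both `ip` and `tinc-siem-ip` are bound in the `let` above the hunk.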
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 17e81f793..6290ff6e9 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -21,9 +21,7 @@ in {
       # other nginx
       ../2configs/nginx/euer.wiki.nix
       ../2configs/nginx/euer.blog.nix
-      ../2configs/nginx/euer.test.nix
-
-      #../2configs/elchos/stats.nix
+      # ../2configs/nginx/euer.test.nix
 
       # collectd
       # ../2configs/collectd/collectd-base.nix
@@ -47,26 +45,31 @@ in {
                                random-emoji ];
   };
 
-  # bepasty to listen only on the correct interfaces
-  krebs.bepasty.servers.internal.nginx.listen  = [ "${internal-ip}:80" ];
-  krebs.bepasty.servers.external.nginx.listen  = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
-
   # prepare graphs
-  krebs.nginx.enable = true;
+  services.nginx.enable = true;
   krebs.retiolum-bootstrap.enable = true;
-
+  krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+    if ( $server_addr = "${external-ip}" ) {
+      return 403;
+    }
+  '';
   krebs.tinc_graphs = {
     enable = true;
     nginx = {
       enable = true;
       # TODO: remove hard-coded hostname
       complete = {
-        listen = [ "${internal-ip}:80" ];
-        server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
+        extraConfig = ''
+          if ( $server_addr = "${external-ip}" ) {
+            return 403;
+          }
+        '';
+        serverAliases = [  "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
       };
       anonymous = {
-        listen = [ "${external-ip}:80" ] ;
-        server-names = [ "graphs.krebsco.de" ];
+        enableSSL = true;
+        forceSSL = true;
+        enableACME = true;
       };
     };
   };
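Review bot: `serverAliases` on the `complete` vhost lists `"graphs.retiolum"` twice; nginx will at best warn about the duplicate name, so drop one: `serverAliases = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];`. As in shoney.nix, the `$server_addr = "${external-ip}"` guards on the complete vhost and on `paste.r` are deny-lists replacing what used to be an internal-only `listen`; `if ( $server_addr != "${internal-ip}" ) { return 403; }` keeps the old allow-list semantics should wry ever have more than these two addresses. The `anonymous` vhost sets both `enableSSL` and `forceSSL`; check against the pinned nixpkgs whether `forceSSL` already implies the SSL listener, since the same pair appears in bepasty-dual.nix and euer.blog.nix.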
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index a6be04876..936aaf004 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -20,54 +20,29 @@ let
   ext-dom = "paste.krebsco.de" ;
 in {
 
-  krebs.nginx.enable = mkDefault true;
+  services.nginx.enable = mkDefault true;
   krebs.bepasty = {
     enable = true;
     serveNginx= true;
 
     servers = {
-      internal = {
+      "paste.r" = {
         nginx = {
-          server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
+          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKey = secKey;
       };
 
-      external = {
+      "${ext-dom}" = {
         nginx = {
-          server-names = [ ext-dom ];
-          ssl = {
-            enable = true;
-            certificate = "${acmepath}/${ext-dom}/fullchain.pem";
-            certificate_key = "${acmepath}/${ext-dom}/key.pem";
-            # these certs will be needed if acme has not yet created certificates:
-            #certificate =   "${sec}/wildcard.krebsco.de.crt";
-            #certificate_key = "${sec}/wildcard.krebsco.de.key";
-            ciphers = "RC4:HIGH:!aNULL:!MD5" ;
-            force_encryption = true;
-          };
-          locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
-            root ${acmechall}/${ext-dom}/;
-          '');
-          extraConfig = ''
-          ssl_session_cache    shared:SSL:1m;
-          ssl_session_timeout  10m;
-          ssl_verify_client off;
-          proxy_ssl_session_reuse off;
-          '';
+          enableSSL = true;
+          forceSSL = true;
+          enableACME = true;
         };
         defaultPermissions = "read";
         secretKey = secKey;
       };
     };
   };
-  security.acme.certs."${ext-dom}" = {
-    email = "acme@syntax-fehler.de";
-    webroot = "${acmechall}/${ext-dom}/";
-    group = "nginx";
-    allowKeysForGroup = true;
-    postRun = "systemctl reload nginx.service";
-    extraDomains."${ext-dom}" = null ;
-  };
 }
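Review bot: The removed `security.acme.certs."${ext-dom}"` block carried the ACME contact `acme@syntax-fehler.de`; the new `enableACME = true` leaves no email anywhere visible, so unless the pinned nixpkgs supplies one elsewhere, expiry notices for `${ext-dom}` go nowhere — `security.acme.certs."${ext-dom}".email` can be kept alongside `enableACME`. On the unchanged context lines, the admin-capable `"paste.r"` instance and the read-only public one still share `secretKey = secKey`; if bepasty signs its sessions with that key, giving each instance its own secret is the cheaper safeguard against one instance's session being honoured by the other — verify against bepasty's session handling.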
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 9a2adbc3e..9e3f3eb61 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -22,7 +22,7 @@ with import <stockholm/lib>;
       user = config.krebs.users.makefu;
       source = let
           inherit (config.krebs.build) host user;
-          ref = "f52eaf4"; # stable @ 2016-12-12
+          ref = "ee13b9af"; # stable @ 2016-12-12
       in {
         nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
           {
diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix
index 091b7f21b..379176f78 100644
--- a/makefu/2configs/deployment/mycube.connector.one.nix
+++ b/makefu/2configs/deployment/mycube.connector.one.nix
@@ -27,23 +27,18 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      mybox-connector-one = {
-        listen = [ "${external-ip}:80" ];
-        server-names = [
-          "mycube.connector.one"
-          "mybox.connector.one"
-        ];
-        locations = singleton (nameValuePair "/" ''
+    virtualHosts."mybox.connector.one" = {
+        locations = {
+          "/".extraConfig = ''
           uwsgi_pass unix://${wsgi-sock};
           uwsgi_param         UWSGI_CHDIR     ${pkgs.mycube-flask}/${pkgs.python.sitePackages};
           uwsgi_param         UWSGI_MODULE    mycube.websrv;
           uwsgi_param         UWSGI_CALLABLE  app;
 
           include ${pkgs.nginx}/conf/uwsgi_params;
-        '');
+        '';
       };
     };
   };
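Review bot: The old server answered to both `mycube.connector.one` and `mybox.connector.one`; the new `virtualHosts."mybox.connector.one"` keeps only the latter, so the name this file is called after is no longer served — add `serverAliases = [ "mycube.connector.one" ];` inside the vhost unless the drop is deliberate. The `listen = [ "${external-ip}:80" ]` restriction was removed as well, with `external-ip` presumably still bound in the `let` above the hunk and now unused. The `locations` attrset is indented eight spaces under a four-space `virtualHosts` line; align it with the rest of the file.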
diff --git a/makefu/2configs/disable_v6.nix b/makefu/2configs/disable_v6.nix
index 37db172ef..0a8c8d53d 100644
--- a/makefu/2configs/disable_v6.nix
+++ b/makefu/2configs/disable_v6.nix
@@ -1,4 +1,3 @@
 {
   networking.enableIPv6 = false;
-  boot.kernelParams = [ "ipv6.disable=1" ];
 }
diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix
new file mode 100644
index 000000000..3facd1ceb
--- /dev/null
+++ b/makefu/2configs/elchos/log.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+in {
+  networking.firewall.allowedTCPPorts = [ 80 443 514 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 514 ];
+	services.logstash = {
+			enable = true;
+			enableWeb = true;
+      inputConfig = ''
+				syslog {
+          timezone => "Etc/UTC"
+        }
+      '';
+      filterConfig = ''
+        if ( [program] == "proftpd") {
+          kv {
+            field_split => "	"
+          }
+        }
+      '';
+      outputConfig = ''
+        stdout {
+          codec => rubydebug
+        }
+        elasticsearch { }
+        '';
+	};
+	services.elasticsearch = {
+			enable = true;
+	};
+	services.kibana = {
+			enable = true;
+      port = 9332;
+	};
+  services.nginx = {
+    virtualHosts = {
+      "log.nsupdate.info" = {
+        enableACME = true;
+        forceSSL = true;
+        basicAuth = import <secrets/kibana-auth.nix>;
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:9332";
+            extraConfig = ''
+              proxy_set_header   Host             $host;
+              proxy_set_header   X-Real-IP        $remote_addr;
+              proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+            '';
+          };
+        };
+      };
+    };
+  };
+}
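Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 514 ]` opens UDP 80 and 443, on which nothing in this file listens (the nginx vhost is TCP only); only syslog belongs there, `networking.firewall.allowedUDPPorts = [ 514 ];`. TCP/UDP 514 feeds the logstash `syslog` input without any authentication, so every host that can reach this machine can write log lines into Elasticsearch; if only retiolum peers are meant to ship logs, scope the port to that interface. The file mixes tab and space indentation across the `services.logstash`, `services.elasticsearch` and `services.kibana` blocks, and `field_split => "	"` holds a literal tab that an editor can silently replace — a comment such as `# literal tab: the proftpd log fields are tab-separated` next to it would protect it. The Kibana vhost itself looks right: loopback `proxyPass`, ACME, `forceSSL` and `basicAuth` from secrets.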
diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix
index 5adaa0c6f..5777be373 100644
--- a/makefu/2configs/elchos/search.nix
+++ b/makefu/2configs/elchos/search.nix
@@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }:
 
-# graphite-web on port 8080
-# carbon cache on port 2003 (tcp/udp)
+# search also generates ddclient entries for all other logs
+
 with import <stockholm/lib>;
 let
   #primary-itf = "eth0";
-  primary-itf = "wlp2s0";
+  #primary-itf = "wlp2s0";
+  primary-itf = config.makefu.server.primary-itf;
   elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock";
   ddclientUser = "ddclient";
   sec = toString <secrets>;
@@ -14,15 +15,7 @@ let
   cfg = "${stateDir}/cfg";
   ddclientPIDFile = "${stateDir}/ddclient.pid";
 
-  acmepath = "/var/lib/acme/";
-  acmechall = acmepath + "/challenges/";
   # TODO: correct cert generation requires a `real` internet ip address
-  stats-dom = "stats.nsupdate.info";
-  search-dom = "search.nsupdate.info";
-  search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem";
-  search_ssl_key = "${acmepath}/${search-dom}/key.pem";
-  stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem";
-  stats_ssl_key = "${acmepath}/${stats-dom}/key.pem";
 
   gen-cfg = dict: ''
     ssl=yes
@@ -64,75 +57,22 @@ in {
     };
   };
 
-  security.acme.certs = {
-    "${stats-dom}" = {
-      email = "acme@syntax-fehler.de";
-      webroot = "${acmechall}/${stats-dom}/";
-      group = "nginx";
-      allowKeysForGroup = true;
-      postRun = "systemctl reload nginx.service";
-      extraDomains = {
-        "${stats-dom}" = null ;
-      };
-    };
-    "${search-dom}" = {
-      email = "acme@syntax-fehler.de";
-      webroot = "${acmechall}/${search-dom}/";
-      group = "nginx";
-      allowKeysForGroup = true;
-      postRun = "systemctl reload nginx.service";
-      extraDomains = {
-        "${stats-dom}" = null ;
-      };
-    };
-  };
-
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      elch-stats = {
-        server-names = [ stats-dom ];
-        # listen = [ "80" "443 ssl" ];
-        ssl = {
-            enable = true;
-            certificate =   stats_ssl_cert;
-            certificate_key = stats_ssl_key;
-            force_encryption = true;
-        };
+    virtualHosts = {
+      "search.nsupdate.info" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/".extraConfig = ''
+            uwsgi_pass unix://${elch-sock};
+            uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages};
+            uwsgi_param         UWSGI_MODULE    elchhub.wsgi;
+            uwsgi_param         UWSGI_CALLABLE  app;
 
-        locations = [
-            (nameValuePair "/" ''
-              proxy_set_header   Host $host;
-              proxy_set_header   X-Real-IP          $remote_addr;
-              proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-              proxy_pass http://localhost:3000/;
-            '')
-            (nameValuePair  "/.well-known/acme-challenge" ''
-             root ${acmechall}/${search-dom}/;
-            '')
-        ];
-      };
-      elchhub = {
-        server-names = [ "search.nsupdate.info" ];
-        # listen = [ "80" "443 ssl" ];
-        ssl = {
-            enable = true;
-            certificate =   search_ssl_cert;
-            certificate_key = search_ssl_key;
-            force_encryption = true;
+            include ${pkgs.nginx}/conf/uwsgi_params;
+          '';
         };
-        locations = [ (nameValuePair "/" ''
-          uwsgi_pass unix://${elch-sock};
-          uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages};
-          uwsgi_param         UWSGI_MODULE    elchhub.wsgi;
-          uwsgi_param         UWSGI_CALLABLE  app;
-
-          include ${pkgs.nginx}/conf/uwsgi_params;
-        '')
-        (nameValuePair  "/.well-known/acme-challenge" ''
-          root ${acmechall}/${search-dom}/;
-        '')
-        ];
       };
     };
   };
@@ -147,7 +87,7 @@ in {
         ExecStart = "${pkgs.elchhub}/bin/elch-manager";
       };
     };
-    register-elchos-nsupdate = {
+    ddclient-nsupdate-elchos = {
       wantedBy = [ "multi-user.target" ];
       after = [ "ip-up.target" ];
       serviceConfig = {
@@ -163,49 +103,8 @@ in {
     };
   };
 
-  services.grafana = {
-    enable = true;
-    addr = "127.0.0.1";
-    users.allowSignUp = false;
-    users.allowOrgCreate = false;
-    users.autoAssignOrg = false;
-    auth.anonymous.enable = true;
-    security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
-  };
-
-  services.graphite = {
-    api = {
-      enable = true;
-      listenAddress = "127.0.0.1";
-      port = 8080;
-    };
-    carbon = {
-      enableCache = true;
-      # save disk usage by restricting to 1 bulk update per second
-      config = ''
-        [cache]
-        MAX_CACHE_SIZE = inf
-        MAX_UPDATES_PER_SECOND = 1
-        MAX_CREATES_PER_MINUTE = 500
-        '';
-      storageSchemas = ''
-        [carbon]
-        pattern = ^carbon\.
-        retentions = 60:90d
-
-        [elchos]
-        patterhn = ^elchos\.
-        retentions = 10s:30d,60s:3y
-
-        [default]
-        pattern = .*
-        retentions = 30s:30d,300s:1y
-        '';
-    };
-  };
-
   networking.firewall = {
-    allowedTCPPorts = [ 2003 80 443 ];
-    allowedUDPPorts = [ 2003 ];
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ ];
   };
 }
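Review bot: `allowedUDPPorts = [ ];` assigns an empty list and can simply be removed now that carbon has moved to stats.nix. If the `networking.firewall` block is kept for the two TCP ports, a comment like `# 2003 (carbon) is opened by ./stats.nix` would explain why this file still touches the firewall at all.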
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
index 9f27b6647..b6133205f 100644
--- a/makefu/2configs/elchos/stats.nix
+++ b/makefu/2configs/elchos/stats.nix
@@ -1,73 +1,48 @@
 { config, lib, pkgs, ... }:
 
+# requires nsupdate to get correct hostname (from ./search.nix)
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
+
 with import <stockholm/lib>;
-let
-  sec = toString <secrets>;
-  acmepath = "/var/lib/acme/";
-  acmechall = acmepath + "/challenges/";
-  ext-dom = "stats.nsupdate.info";
-  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
-  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
-  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
-  ssl_key = "${acmepath}/${ext-dom}/key.pem";
-in {
-  networking.firewall = {
-    allowedTCPPorts = [ 2003 80 443 ];
-    allowedUDPPorts = [ 2003 ];
+{
+
+  services.nginx = {
+    enable = mkDefault true;
+    virtualHosts = {
+      "stats.nsupdate.info" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations = {
+          "/"  = {
+            proxyPass  = "http://localhost:3000/";
+            extraConfig = ''
+              proxy_set_header   Host             $host;
+              proxy_set_header   X-Real-IP        $remote_addr;
+              proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+            '';
+          };
+        };
+      };
+    };
   };
 
   services.grafana = {
     enable = true;
     addr = "127.0.0.1";
-    extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
     users.allowSignUp = false;
     users.allowOrgCreate = false;
     users.autoAssignOrg = false;
+    auth.anonymous.enable = true;
     security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
   };
-  krebs.nginx = {
-    enable = true;
-    servers.elch-stats = {
-      server-names = [ ext-dom ];
-      listen = [ "80" "443 ssl" ];
-      ssl = {
-          enable = true;
-          # these certs will be needed if acme has not yet created certificates:
-          certificate =   ssl_cert;
-          certificate_key = ssl_key;
-          force_encryption = true;
-      };
-
-      locations = [
-          (nameValuePair "/" ''
-            proxy_set_header   Host $host;
-            proxy_set_header   X-Real-IP          $remote_addr;
-            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_pass http://localhost:3000/;
-          '')
-          (nameValuePair  "/.well-known/acme-challenge" ''
-            root ${acmechall}/${ext-dom}/;
-          '')
-      ];
-    };
-  };
-
-  security.acme.certs."${ext-dom}" = {
-    email = "acme@syntax-fehler.de";
-    webroot = "${acmechall}/${ext-dom}/";
-    group = "nginx";
-    allowKeysForGroup = true;
-    postRun = "systemctl reload nginx.service";
-    extraDomains."${ext-dom}" = null ;
-  };
 
   services.graphite = {
-    web = {
+    api = {
       enable = true;
-      host = "127.0.0.1";
-      port = 8080;
+      listenAddress = "127.0.0.1";
+      port = 18080;
     };
     carbon = {
       enableCache = true;
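Review bot: The header comment `# graphite-web on port 8080` is now wrong: this hunk switches to `services.graphite.api` with `port = 18080`, so change it to `# graphite api on port 18080`. Grafana is now behind a public ACME vhost with `auth.anonymous.enable = true` (the same effect the removed `AUTH_ANONYMOUS_ENABLED` extra option had), which is worth a comment stating that anonymous read access to the dashboards on stats.nsupdate.info is intentional. The `"/"  = {` line has a double space before `=`.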
@@ -85,7 +60,7 @@ in {
 
         [elchos]
         patterhn = ^elchos\.
-        retention = 10s:30d,60s:1y
+        retentions = 10s:30d,60s:3y
 
         [default]
         pattern = .*
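Review bot: The retention key is fixed, but the context line just above it still reads `patterhn = ^elchos\.`; with the key misspelled the `[elchos]` schema never matches and the `[default]` retentions apply to elchos metrics, so `pattern = ^elchos\.` is the change that makes the new `retentions = 10s:30d,60s:3y` take effect. The same typo was in the block removed from search.nix, so nothing else needs updating.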
@@ -93,4 +68,9 @@ in {
         '';
     };
   };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 2003 80 443 ];
+    allowedUDPPorts = [ 2003 ];
+  };
 }
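Review bot: Re-adding `allowedTCPPorts = [ 2003 80 443 ]` and `allowedUDPPorts = [ 2003 ]` exposes the carbon line receiver, which presumably binds to all addresses and accepts metrics without authentication, so any peer that reaches this host can write into the graphite store; if only retiolum hosts submit metrics, restrict 2003 to that interface. A comment tying the number to the service, e.g. `allowedTCPPorts = [ 2003 80 443 ]; # carbon line receiver, http, https`, would also spare the reader the jump to the header comment.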
diff --git a/makefu/2configs/elchos/test/ftpservers.nix b/makefu/2configs/elchos/test/ftpservers.nix
new file mode 100644
index 000000000..bc7517209
--- /dev/null
+++ b/makefu/2configs/elchos/test/ftpservers.nix
@@ -0,0 +1,7 @@
+{...}:
+{
+  services.vsftpd.anonymousUser = true;
+  services.vsftpd.enable = true;
+  services.vsftpd.chrootlocalUser = true;
+  networking.firewall.allowedTCPPorts = [ 21 ];
+}
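Review bot: Only TCP 21 is opened, but vsftpd in passive mode negotiates a separate data port, so transfers through the firewall will fail unless a passive range is configured and opened (or the FTP conntrack helper is active); set `pasv_min_port`/`pasv_max_port` via `services.vsftpd.extraConfig` and list that range in `allowedTCPPorts`. `anonymousUser = true` serves the anonymous root to anyone who can reach port 21, which is presumably what a test FTP server wants — a comment saying this is a throw-away test target (the file lives under `test/`) would stop it being imported into a production host by mistake.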
diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix
index ef8a3b88f..e1c3d20ff 100644
--- a/makefu/2configs/main-laptop.nix
+++ b/makefu/2configs/main-laptop.nix
@@ -71,5 +71,15 @@ in {
     latitude = "48.7";
     longitude = "9.1";
   };
-
+  systemd.services.look-up = {
+    startAt = "*:30";
+    serviceConfig = {
+      ExecStart= pkgs.writeDash "look-up" ''
+        set -x
+        eval "export '$(egrep -z DBUS_SESSION_BUS_ADDRESS /proc/$(${pkgs.procps}/bin/pgrep -u ${user} ${window-manager})/environ)'"
+        ${pkgs.libnotify}/bin/notify-send -u critical -t 9999999 'look up once in a while'
+      '';
+      User = user;
+    };
+  };
 }
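Review bot: The `look-up` script assumes `pgrep -u ${user} ${window-manager}` returns exactly one pid: if the window manager is not running the substitution is empty, `/proc//environ` does not exist and the unit fails every run, and with two matches the path becomes `/proc/1234\n5678/environ`. Guard the pid and pull out the one variable instead of `eval`-ing the process environment: `pid=$(${pkgs.procps}/bin/pgrep -u ${user} -o ${window-manager}) || exit 0` followed by `export DBUS_SESSION_BUS_ADDRESS="$(tr '\0' '\n' < /proc/$pid/environ | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p')"`; `set -x` also writes the full bus address to the journal on every run and can go. `user` and `window-manager` are bound in the `let` above the hunk. A `# reminder every hour at :30` comment on `startAt = "*:30";` would spare the systemd-calendar lookup.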
diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix
index b2a965de6..3fb629394 100644
--- a/makefu/2configs/nginx/euer.blog.nix
+++ b/makefu/2configs/nginx/euer.blog.nix
@@ -3,13 +3,9 @@
 with import <stockholm/lib>;
 let
   sec = toString <secrets>;
-  ssl_cert = "${sec}/wildcard.krebsco.de.crt";
-  ssl_key  = "${sec}/wildcard.krebsco.de.key";
   hostname = config.krebs.build.host.name;
   user = config.services.nginx.user;
   group = config.services.nginx.group;
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
   base-dir = "/var/www/blog.euer";
 in {
   # Prepare Blog directory
@@ -32,24 +28,15 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-blog = {
-        listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
-                   "${internal-ip}:80" "${internal-ip}:443 ssl" ];
-        server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ];
-        extraConfig = ''
-          gzip on;
-          gzip_buffers 4 32k;
-          gzip_types  text/plain application/x-javascript text/css;
-          ssl_certificate ${ssl_cert};
-          ssl_certificate_key ${ssl_key};
-          default_type text/plain;
-        '';
-        locations = singleton (nameValuePair "/" ''
-          root ${base-dir};
-        '');
+    virtualHosts = {
+      "euer.krebsco.de" = {
+        #serverAliases = [ "blog.euer.krebsco.de" "blog.${hostname}" ];
+        enableSSL = true;
+        enableACME = true;
+        forceSSL = true;
+        root = base-dir;
       };
     };
   };
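Review bot: The `#serverAliases` line at the top of the `"euer.krebsco.de"` vhost is commented out, so `blog.euer.krebsco.de` and `blog.${hostname}`, which the removed `server-names` list served, now fall through to whatever vhost nginx picks as default; uncomment it as `serverAliases = [ "blog.euer.krebsco.de" "blog.${hostname}" ];` or note why the names are dropped. The same commented-out aliases appear in the euer.wiki.nix hunk (`wiki.makefu.retiolum`, `wiki.makefu`). The `gzip …` and `default_type text/plain;` directives from the old `extraConfig` are not carried over either; if that is intentional a short comment would save the next reader the comparison. Setting both `enableSSL` and `forceSSL` may also trip the module's mutual-exclusion assertion on newer nixpkgs, where `forceSSL` alone is sufficient.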
diff --git a/makefu/2configs/nginx/euer.test.nix b/makefu/2configs/nginx/euer.test.nix
index bff652daf..40c376130 100644
--- a/makefu/2configs/nginx/euer.test.nix
+++ b/makefu/2configs/nginx/euer.test.nix
@@ -8,18 +8,16 @@ let
   external-ip = config.krebs.build.host.nets.internet.ip4.addr;
   internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
 in {
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-share = {
-        listen = [ ];
-        server-names = [ "share.euer.krebsco.de" ];
-        locations = singleton (nameValuePair "/" ''
+    virtualHosts."share.euer.krebsco.de" = {
+      locations."/" =  {
+        proxyPass = "http://localhost:8000/";
+        extraConfig = ''
           proxy_set_header   Host $host;
           proxy_set_header   X-Real-IP          $remote_addr;
           proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass http://localhost:8000/;
-        '');
+        '';
       };
     };
   };
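Review bot: `share.euer.krebsco.de` is the only one of the three euer.* vhosts in this commit that stays on plain HTTP; blog and wiki both get `enableACME = true; forceSSL = true;`, while this one proxies everything to `http://localhost:8000/` with no TLS in front. If that is deliberate, a one-line comment above `virtualHosts."share.euer.krebsco.de"` saying so keeps it from being read as an oversight; otherwise add the same two options. `X-Forwarded-For` is forwarded but no `X-Forwarded-Proto` is set, which the backend would need to build correct absolute URLs once TLS is terminated here.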
diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix
index 9d0b74871..fefdd6dc7 100644
--- a/makefu/2configs/nginx/euer.wiki.nix
+++ b/makefu/2configs/nginx/euer.wiki.nix
@@ -4,13 +4,6 @@ with import <stockholm/lib>;
 let
   sec = toString <secrets>;
   ext-dom = "wiki.euer.krebsco.de";
-  acmepath = "/var/lib/acme/";
-  acmechall = acmepath + "/challenges/";
-
-  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
-  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
-  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
-  ssl_key = "${acmepath}/${ext-dom}/key.pem";
 
   user = config.services.nginx.user;
   group = config.services.nginx.group;
@@ -25,8 +18,7 @@ let
   #  user1 = pass1
   #  userN = passN
   tw-pass-file = "${sec}/tw-pass.ini";
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+
 in {
   services.phpfpm = {
     # phpfpm does not have an enable option
@@ -79,24 +71,18 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-wiki = {
-        listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
-                   "${internal-ip}:80" "${internal-ip}:443 ssl" ];
-        server-names = [
-          ext-dom
-          "wiki.makefu.retiolum"
-          "wiki.makefu"
-        ];
-        ssl = {
-          enable = true;
-          # these certs will be needed if acme has not yet created certificates:
-          certificate =   ssl_cert;
-          certificate_key = ssl_key;
-          force_encryption = true;
-        };
+    virtualHosts = {
+      "${ext-dom}" = {
+        #serverAliases = [
+        #  "wiki.makefu.retiolum"
+        #  "wiki.makefu"
+        #];
+        enableSSL = true;
+        forceSSL = true;
+        enableACME = true;
+        # recommendedGzipSettings = true;
         extraConfig = ''
           gzip on;
           gzip_buffers 4 32k;
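Review bot: The `# recommendedGzipSettings = true;` reminder sits inside the `"${ext-dom}"` vhost, but `recommendedGzipSettings` is an option of `services.nginx` itself, not of a virtualHost, so enabling it where the comment is would fail evaluation. Move the reminder next to `enable = mkDefault true;` as `# recommendedGzipSettings = true; # would replace the gzip_* lines in extraConfig below`, or apply it there and drop the hand-written gzip directives.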
@@ -104,34 +90,26 @@ in {
           default_type text/plain;
 
         '';
-        locations = [
-          (nameValuePair "/" ''
-            root ${wiki-dir};
-            expires -1;
-            autoindex on;
-          '')
-          (nameValuePair "/store.php" ''
-            root ${tw-upload};
-            client_max_body_size 200M;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:${fpm-socket};
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-          '')
-          (nameValuePair  "/.well-known/acme-challenge" ''
-            root ${acmechall}/${ext-dom}/;
-          '')
-
-        ];
+        locations = {
+          "/" = {
+            root = wiki-dir;
+            extraConfig = ''
+              expires -1;
+              autoindex on;
+            '';
+          };
+          "/store.php" = {
+            root = tw-upload;
+            extraConfig = ''
+              client_max_body_size 200M;
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${fpm-socket};
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+            '';
+          };
+        };
       };
     };
   };
-  security.acme.certs."${ext-dom}" = {
-    email = "acme@syntax-fehler.de";
-    webroot = "${acmechall}/${ext-dom}/";
-    group = "nginx";
-    allowKeysForGroup = true;
-    postRun = "systemctl reload nginx.service";
-    extraDomains."${ext-dom}" = null ;
-  };
 }
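Review bot: Deleting the `security.acme.certs."${ext-dom}"` block also drops `email = "acme@syntax-fehler.de"`; `enableACME` on the vhost still requests the certificate, but the account contact now comes only from a global `security.acme` setting, which is not visible in this diff — confirm it is set elsewhere or keep `security.acme.certs."${ext-dom}".email = "acme@syntax-fehler.de";`. The removed `postRun = "systemctl reload nginx.service"` and the `/.well-known/acme-challenge` location are presumably covered by what the nginx module wires up for `enableACME`, so those parts need no replacement.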
diff --git a/makefu/2configs/nginx/icecult.nix b/makefu/2configs/nginx/icecult.nix
index ce4f62e55..e817e55d8 100644
--- a/makefu/2configs/nginx/icecult.nix
+++ b/makefu/2configs/nginx/icecult.nix
@@ -10,19 +10,17 @@ let
     sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
   };
 in{
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.default = {
-        extraConfig = ''
-          root ${icecult}/app;
+    virtualHosts.default = {
+      root = "${icecult}/app";
+      locations = {
+        "/rpc".proxyPass = "http://10.42.22.163:3121";
+        "/rpc".extraConfig = ''
+          rewrite /rpc/(.*) /$1 break;
+          proxy_http_version 1.1;
         '';
-        locations = [
-          (nameValuePair "/rpc" ''
-        rewrite /rpc/(.*) /$1 break;
-        proxy_http_version 1.1;
-        proxy_pass http://10.42.22.163:3121;
-          '')
-      ];
+      };
     };
   };
 }
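Review bot: `virtualHosts.default` here only names the server `default`; it does not set `default = true`, whereas the public_html.nix hunk in this same commit does, so the two files use the same key for different things — one is nginx's catch-all server, the other a vhost that only answers a literal `default` host header. If this host is meant to be the catch-all, add `default = true;` below `virtualHosts.default = {`; if both files are imported on one machine they merge into a single vhost, which deserves a comment either way.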
diff --git a/makefu/2configs/nginx/public_html.nix b/makefu/2configs/nginx/public_html.nix
index 9545e98f4..676d1f110 100644
--- a/makefu/2configs/nginx/public_html.nix
+++ b/makefu/2configs/nginx/public_html.nix
@@ -3,13 +3,16 @@
 with import <stockholm/lib>;
 
 {
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.default.locations = [
-      (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-        alias /home/$1/public_html$2;
-        autoindex on;
-      '')
-    ];
+    virtualHosts.default = {
+      default = true;
+      locations = {
+        "~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+          alias /home/$1/public_html$2;
+          autoindex on;
+        '';
+      };
+    };
   };
 }
diff --git a/makefu/2configs/nginx/update.connector.one.nix b/makefu/2configs/nginx/update.connector.one.nix
index 593f23199..44345dcd8 100644
--- a/makefu/2configs/nginx/update.connector.one.nix
+++ b/makefu/2configs/nginx/update.connector.one.nix
@@ -1,25 +1,19 @@
 { config, lib, pkgs, ... }:
 
 with import <stockholm/lib>;
-let
-  hostname = config.krebs.build.host.name;
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-in {
-  krebs.nginx = {
+{
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      update-connector-one = {
-        listen = [ "${external-ip}:80" ];
-        server-names = [
-          "update.connector.one"
-          "firmware.connector.one"
-        ];
-        locations = singleton (nameValuePair "/" ''
-          autoindex on;
-          root /var/www/update.connector.one;
-          sendfile on;
-          gzip on;
-        '');
+    virtualHosts."update.connector.one" = {
+      locations = {
+        "/" = {
+          root =  "/var/www/update.connector.one";
+          extraConfig = ''
+            autoindex on;
+            sendfile on;
+            gzip on;
+          '';
+        };
       };
     };
   };
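Review bot: The removed `server-names` list served both `update.connector.one` and `firmware.connector.one`, but the new `virtualHosts."update.connector.one"` has no `serverAliases`, so requests for `firmware.connector.one` now land on the default vhost instead; add `serverAliases = [ "firmware.connector.one" ];` next to `locations`. The old server also bound only `${external-ip}:80`, while the new vhost answers on every address nginx listens on — acceptable for a public mirror, but a behaviour change worth stating in the commit message or a comment.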
diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix
index f2ed42230..d1a9fabd7 100644
--- a/makefu/2configs/omo-share.nix
+++ b/makefu/2configs/omo-share.nix
@@ -7,38 +7,6 @@ let
   local-ip = "192.168.1.11";
   # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
 in {
-  krebs.nginx = {
-    enable = mkDefault true;
-    servers = {
-      omo-share = {
-        listen = [ "${local-ip}:80" ];
-        locations = singleton (nameValuePair "/" ''
-
-          access_log off;
-          # sendfile off;
-          # tcp_nopush on;
-          # aio on;
-          sendfile on;
-          sendfile_max_chunk 512k;
-          directio 512;
-          mp4;
-          autoindex on;
-          root /media;
-          limit_rate_after 100m;
-          limit_rate 5m;
-          mp4_buffer_size     4M;
-          mp4_max_buffer_size 10M;
-          allow all;
-          access_log off;
-          keepalive_timeout  65;
-          keepalive_requests 200;
-          reset_timedout_connection on;
-          tcp_nopush on;
-          gzip off;
-        '');
-      };
-    };
-  };
 
   # samba share /media/crypt1/share
   users.users.smbguest = {
@@ -68,6 +36,12 @@ in {
         browseable = "yes";
         "guest ok" = "yes";
       };
+      pyload = {
+        path = "/media/crypt0/pyload";
+        "read only" = "yes";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
       crypt0-rw = {
         path = "/media/crypt0/";
         "read only" = "no";
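Review bot: The new `pyload` share is read-only for guests, but its `path = "/media/crypt0/pyload"` lies under the `crypt0-rw` share's `path = "/media/crypt0/"`, which has `"read only" = "no"`; whether `crypt0-rw` also allows guests is outside the hunk, and if it does the read-only setting on `pyload` restricts nothing. A comment on the share, e.g. `# read-only view of a directory that crypt0-rw exposes writable to authenticated users`, would record which of the two is the intended guest path.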