Merge remote-tracking branch 'gum/master'
commit
9e9bc01fc9
|
@ -60,6 +60,12 @@ let
|
|||
};
|
||||
|
||||
imp = {
|
||||
krebs.on-failure.plans =
|
||||
listToAttrs (map (plan: nameValuePair "backup.${plan.name}" {
|
||||
}) (filter (plan: build-host-is "pull" "dst" plan ||
|
||||
build-host-is "push" "src" plan)
|
||||
enabled-plans));
|
||||
|
||||
systemd.services =
|
||||
listToAttrs (map (plan: nameValuePair "backup.${plan.name}" {
|
||||
# TODO if there is plan.user, then use its privkey
|
||||
|
|
|
@ -24,6 +24,7 @@ let
|
|||
./newsbot-js.nix
|
||||
./nginx.nix
|
||||
./nixpkgs.nix
|
||||
./on-failure.nix
|
||||
./os-release.nix
|
||||
./per-user.nix
|
||||
./Reaktor.nix
|
||||
|
|
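--- a/krebs/3modules/makefu/brain.pgp
+++ b/krebs/3modules/makefu/brain.pgp
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFXn/k4BEACmXMbhoAKsMC/gFqBrQq2mgvo8+FnUe4F6JznVh7NiPH0PUdDw
+jRnK2EEpD+NoDt3A0jtq6C+wnr1V+p/jYAPxRcvv8a7ym+xuA4sBIPrlW1fQIuWF
+EjYnUVnN16Qa1xJiQQyEDeleAxgg0luOdqBZ0myT84a9O0deN8JM+zwqT/+sLY9c
+2fVGNv496/mt7Ct294QbS6cfdR26r8PZ1Wfo8cr8UhFfFft0TE267HJdoJ8NBvH/
+BSEcoaS3kaxk2YyOdAJ1RgEoQY2w1/jeZv5IUyO7azAQUhbqBK7nVbgUd2l3nf4v
+qmgNvvtcAlccY6L2M8BR6TI4Yw2hfbLOHPVTNjFlMXXX/MDYFFF9+GqmYOjyy5dy
+8m4qA4ZEoHG9XT+xsZAsHJRFPBacSp2ydoVdlkJsEQnabb78NXLusgBBxhOmvVHe
+5SeIvsrpn83/aIeHpLUQbzUdK3osERZUBTp9Pr0+dB+UkqThjE3MPntKcawm4cGN
+dXY6iNXH4gGPOjb5ed0OzDiRS2bVyb0/F2wYXvIPE2e0CwJ0io2rRT410HfpFkWD
+OPENdlNYb6FCXc4fpGxdtFL0hE6RZqBvwQAN9iDkEj+DxEwUc+yyroFRI25y+T1z
+68T0xqVfKXUqcOmsACKtjlQ5QcikCj8kC9bNDln7v1Q9argSEJXJDdf3cwARAQAB
+tBhwdyB1c2VyIDxyb290QGxvY2FsaG9zdD6JAjgEEwECACIFAlXn/k4CGwMGCwkI
+BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEDtOh4EJ4fmcIecP/1+HMD22wilyb3hQ
+QLKz+Wx37ZM6w0p9o0lMEeeUpcYPtWeVBqID6vxmqFwIOU5LtkHiE0yO8AcW7TYx
+14Ql3mPWd594fKXr04mN9RM9wTr09S0P4nqKuq0cR3x5s4C30DoKoUqt3ZKSZRW/
+4suhvebfYiTjlE5joH4lZy7bMaH2HpvLacZXGcyH7cmYfLuZekf1kNXRDh40IgrH
+uzsXFoflhLEZouKWiV3mWFo1iIckvTDrFNHuJj5oHP2D3J1RYdbPNP+5yOu/34mt
+wPK/R6MxXY+zKWZWU59Ll5nx+2wUkIP/MaE9Ubx1W0UdeB4In/Y/HhV2fwd9DFsq
+cbKofeDRblEdaaTjiqc1MjSxyhPplApgG4389gXX4vszAuyxBq6AecJobYkzmVek
+EOJVVqDFoT+a70p5hWMP5nQV7dE3jyy1esm6cjF9iv0cRf/GqZAIiNdeo9av56OO
+H5uwamTwcRrDsy4xWzowUfJDB+nJzlXw08aQRTfczCZ3n5hXvqqxuoweH08hfm/S
+oa0gU95mCkHYbscaxjXnkEgbuvCiVRhDqd8rZpi5WxNV63zHIaoeXIPVJH0zswIJ
+MT2LofWB8W8in48rmRvUdzZlm/++c/9+evNyNyAyOmdRk6fP0nHdRmuINyeKc67P
+0BrVstk/cywbNbpNBt+2uUJCemBBuQINBFXn/k4BEADQYsT81uL8XE9homHLRai0
+3Xo/gVe5lwXWouzzVImEQIICvmBCjdzA1nPfKvdBcFsBfOro6aefETq/cZeL16It
+zJKhh2HDJ/7oCuJM0OufkwoSBwJ4f0I+0zXsPZV0+P1ijPaKunYW+YpoFm3z8rLc
+iX/kxYRgo13jCNphL/TKOoq3ZTREzDcBk9QR8yLTV5i0j1qrlIsAx7iTv1jrC1L6
+fBZm40+wn0ahz9IgBWWv588i+1f7ekKQBYXi9n2+hSfMQ0ebhW14xG72eXDzV14Q
+Yra+FNMOCeKhmHH9PnVw0NkwRPbtL92ZySeFMHxhYnBPckqBUuEO12TXUMWA9fzj
+rpBjJWEtCRCeaSLAe5Nzleb09NKO3z4ghwedef/Cz8XZ+XDIpE/1yTQy0lSuLosw
+ScmwG9UPYxpWWqJmC+H6GQ0qQmCgmPYG8b20JvnqROmsLooC/xmf4seT8J+fYpKt
+fkQiuOd8RecW+1jyfr7qy2S3roNgNl7hyzlIHmtGnn3rYC4uCe4VjosvcPmnXP6N
+Jcck3dQnFxmE+/JS1zdH47nDGJsn5fFrArdfU9DLGjU/L7BJt99vIvif89B2FF/n
+0cR7bLeY72P1oJw+tgrsjo9uaS9u9vk/J8+Rhf3TIqbHfFh7/42sdkgk3Mqha+Bn
+wAOpUP3tjdDTwow9/2iYjQARAQABiQIfBBgBAgAJBQJV5/5OAhsMAAoJEDtOh4EJ
+4fmcTy8P/03eVL9GoarIjwRxYY8U23fU4xNIypkNrjspjJHVRcKJFCyA2/R9toKf
+0XGJIM2fwBo6beH0rinq8Xm8hrT/gFIWupuDLSTR/km0UD6CtfFOIt+5jw3c5mMR
+u9DbSWAiRYGzQKYYZUy5mdMG/kokDRSm5D0lO+YnLZtpECZn/Zi5rPKzbGyMus+a
+fm8a/eNko+Eg6j8FSYBm+d8SKYdoLJN3R7hYji7JuERMs+UZMsuriSAn2Af2Jn1I
+hc7fiwotrMdNifyWCtYqiFvcrsm8K8EC2J0KsieydBHwCuamlqTrjqVejbITD8Jl
+ghTGNHe/crP7/XKTjKva+1+VJAHDLylZgcArQSKa+SsWB/GoKB0x9UEWThJ1DLi4
+j2GhNlCIYZtPBQMu3+2btDj0A3IUQp4aW0nd5+0zz0H7JVrl+pI37uUxTiXCZG9X
+fjXrcP3niJhraHTG8mWD1v8+cG3NXpv/IZN82Z+sQlpabwjpybag2CeTfhEoFtEl
+V6ez9wpgBKeDsLDLOB8VRgpsikw9f6H8GAUZe2PjKUwiDtptqa37nU+3A6wPiO2s
+AWT/7D6vhMpDncp7E9DcsmsU9LNt7D+ISqi4uLKYJcfmqbJOui2YFo3zsYP8TqQD
+JTZ1lSpFpipJpi6mAzQUS4P3H+aUjeW/LWiSS/YNmGIOAUeB6Y3c
+=rEQB
+-----END PGP PUBLIC KEY BLOCK-----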
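Review bot: Nothing in this commit lets a reader confirm that the armored block belongs to makefu: no fingerprint is recorded anywhere, and the user-ID packet in this file decodes to the generic `pw user <root@localhost>`. Any module that later encrypts to `pgp.pubkeys.brain` would trust whatever key sits at this path, so the fingerprint is worth stating in the commit message or beside the `builtins.readFile ./brain.pgp` assignment and confirming out of band. The missing fingerprint applies equally to `default.pgp` and to the inline `tv` key added further down.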
@ -582,17 +582,19 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
|
|||
makefu = {
|
||||
mail = "makefu@pornocauster.retiolum";
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster";
|
||||
pgp.pubkeys.default = builtins.readFile ./default.pgp;
|
||||
pgp.pubkeys.brain = builtins.readFile ./brain.pgp;
|
||||
};
|
||||
makefu-omo = {
|
||||
inherit (makefu) mail;
|
||||
inherit (makefu) mail pgp;
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtDhAxjiCH0SmTGNDqmlKPug9qTf+IFOVjdXfk01lAV2KMVW00CgNo2d5kl5+6pM99K7zZO7Uo7pmSFLSCAg8J6cMRI3v5OxFsnQfcJ9TeGLZt/ua7F8YsyIIr5wtqKtFbujqve31q9xJMypEpiX4np3nLiHfYwcWu7AFAUY8UHcCNl4JXm6hsmPe+9f6Mg2jICOdkfMMn0LtW+iq1KZpw1Nka2YUSiE2YuUtV+V+YaVMzdcjknkVkZNqcVk6tbJ1ZyZKM+bFEnE4VkHJYDABZfELpcgBAszfWrVG0QpEFjVCUq5atpIVHJcWWDx072r0zgdTPcBuzsHHC5PRfVBLEw== makefu@servarch";
|
||||
};
|
||||
makefu-tsp = {
|
||||
inherit (makefu) mail;
|
||||
inherit (makefu) mail pgp;
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp";
|
||||
};
|
||||
makefu-vbob = {
|
||||
inherit (makefu) mail;
|
||||
inherit (makefu) mail pgp;
|
||||
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
|
||||
};
|
||||
exco = {
|
||||
|
|
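--- a/krebs/3modules/makefu/default.pgp
+++ b/krebs/3modules/makefu/default.pgp
@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBE6quoQBEACemTuY0Ujeygxdyds3ugPbKuIsJMCQSdXAKsCkH4vV5qam8rQP
+AabpYyQfew9nCUCJa4NkKFrLnGz4d7rl1u5ihVqMctYeJqZdtX88DqqNKQXoqKQv
+crF5hcZmUtbGe5eyoMV55hiODPVPTVra6pbxWwhqa0pYeXEyDy1BPoqgcP0DUFho
+yBeoyw71ujgdJZvl5rq6ZVjTGuToNKHn5UBDMu6n0rl9Ha7ukL4Gx8hOhmK8yv87
+zuUzBRQkTgoC48JA3Bt0kb15ghbOV7D411ZhmhEqWwE/OBk3//6MOGu24Mm0OG8J
++tbEMysck0LYe5q5U/2cmGsqlwV6FXLmnPOj6H4XtdTBDVXo/Hp6A8mVR1sSDopc
+/2TnTwv0cdGOIS1CgxUc/qS6a8h+2UGaLSPnuPBWom163YbO/vgj8Th5q3N2DiRO
+EP+mGCKn1/cghU7WjMny8z59A7SeZ0rRN8KaMlFEZMlgtQf7/6EjL5Ulo5H0vb2m
+G5lAfW5xz55Y6M06sEl2wJ4pkgt+jeWRItKQvyqcdFEfiJfuP0+ESmQIMvz2ZnDC
+ZJzpmjP5uDwqu5THcTHvJ/ptSHRtXEiqqwrpQ0dqtwxLMJtIdgOohVoPAUNTTXcy
+XmL0qZsLFI2We2v0jgYMcYw1gswsksMLLmnVWlAsBqCALRyu4Ptxrkg9NwARAQAB
+tB5tYWtlZnUgPHJvb3RAc3ludGF4LWZlaGxlci5kZT6JAjgEEwECACIFAk6quoQC
+GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMk6uSvVJeKfr5UP/3vvBlZQ
+9DjLRBx9YUjbq34LDl/wdDX7Fwsdb+TccUiOgKW2RAXbdnff2r5VRn4VSDUYoFfN
+qtDrxKl04IWeVwiaTjCJdXp6veSpov5GcmARgPUow8v9Eu2gZw0o1LvW7NFP5e3u
+YxmSTrlVGZMTCkwIkYoaETseCE0qsahWD0zCM19rAEuTkwKOQo58mXFUzNq829Ex
+OAv4zIQE6V7SKKOZzXhvBu3s1ql1SDfmciaszMlwwPtwgFBkg1HrFvuimU7zqGkf
+wQpWt91j8kJZdAC8iUf/7UNh/VZu+n9jtmynunRrY2PgPh6LgeDmiaTbVfHX51/3
+R01dzzTk0dnqwosNoc1u8Xsb/rTs9LDsncteUGKgiEh+LRjouGGh/C1g58dkF0wP
+S00dgnEhI9d8ui/yTPa47l3zDSa/m6Nq6oEGVbZDivNDuTV1jfhrs0v3kx50aK0O
+y+exKMmgxoxeCMZs53iHXiXAcsHSj+Gue6W2jDvRjaPqfxnM3GNd7y9ix8IF43R6
+n1oAZo7zWA4a5iq8yvBTjKqyDJAKu8C4kYM/9FMJlDgUjWYvNI4BiG1iw0iGVAjt
+JHz/QEM/7Mg7fw1rtJB/A9ezLJGyiDcc5GwrLIVl6U8stNWF0ZqgtwWKF1lm0Faj
+mPRDdOVZNTPw61YNqHJGdHVBD0usx3Xg/4V6tC5GZWxpeCBSaWNodGVyIDxGZWxp
+eC5SaWNodGVyQHN5bnRheC1mZWhsZXIuZGU+iQI4BBMBAgAiBQJSpxSDAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDJOrkr1SXin4w8D/9QY5oTvCmFERHR
+uUgGyU1hPomIE6RrSxoeqHsMUhUuqNeWYk0T/Oju/sZLlWUuBZHLTXeGPyFEe0/n
+6ys4cqTSwCKUdB0kQO3GAzPKGmC6C5trQaMpY+A6yVi3He6rN37+XjfjrY+o7Rbl
+s8K6S3jR/f/MSODjRnGNPTLsuDYKo+d4RwlWv2G+RFHueh4/aef0s3lzoDbmdJiW
+zXaTqiCKgG34GzQO4hs6MsyG9mJo05qXvMAGgCyRDJkbcmwjgQonlEi6TIJyQ3J2
+CNLrl2UW5eUFKnZbWGZYL7Ojsq0UnRna6z1L4sxk1kCLxn1Gz8RiisJ1bUOM85vZ
+dTyFTb9+iC43c2IbLpF139ic+hb6dYJC392cOwrT2UgfUuzqocY2V/HXjVsqsNtL
+t4tnoZkZhjFMaUe5FQbUYwtA2IqqrqD7iC7ULtclYa2tvW2HIAs4VjocWxfbgY4b
+He99Ma5xSNL171a34n2ZayjsI8cbYtHvVPTZ8Zs6xqsz8D+o+m0bBxGobOAkb6yN
+UUdZjo5Jdcr2AxAITEgzgzcWR0sCbn+6Jj7XJuz2SYEtOhZBrY7tONoOkrysCtJD
+fKOp2RCq60ZHMqoBTyyxtQ6LG/I0bZs7a2/6Wc3O3VhSIGgjSOan7N4G13CJqfFA
+FfMATGPnK+nYxmVAQ2VR0GxscvjdBLkCDQROqrqEARAAzYUNba4eFVDLlF2SzSra
+VMyV9eNBdi64tNQVTFDH+bj2KgcPKZXBUXDz+hizOb3jegaBojlbf6LYUgzQMQ96
+uHcE/mlBhtU1nUYKEH82kblA6UVOrtSyK/2MIX/aoK7C+pKFSIEkl2/V4NtPQ6Ay
+H+UQ8c6uOP6Z0raaawjZ/rzvxIlVPD0Ou0PtJf6l0UtMQRWpYcwNl3O6JgMFhqP4
+LipP40aYEuxr9RUynWBb8HzXj1R5imPgF+F47L8EPKDgIqEr6OLWigQ6pBpKM8xP
+lMQByGvv5Xi35rqMwn2porHwYE5BIUIQcSSSdhSxgwB0G/hlpucX7wtUMheAUFTj
+sVVK5jirMf30h4NUlpyO1hNblIM+oex96yir8PRZwQFkZ8CFeMDXjsNYUhcqyAJC
+Lr64XiaX7VdIshcIF07tC/Rjd7qKOs21phzIJ7FkYYFkhh607q6rzH7pBsnckJnX
+ydFIo412ig4dac2f2FSgZXPYyZ9T6y9raL3Aq1WigOncG+ajpN60/r1pXXggoIgr
+ZuSMXpklr3z7DZ+M5Vk7EjpTZqfUkcBuS9ObsfX/oIpVaY5MCZobjw4iBEee/t+f
+4YigdPTWWxoHA259S2dH3MdWzIH515VWjUD4E7Jf9iEoYygT98u3fV/1GHjBsQTg
+2CTXRCG3xpHnPliLvwkt6z8AEQEAAYkCHwQYAQIACQUCTqq6hAIbDAAKCRDJOrkr
+1SXin9vjD/46juH2MLa/iyXzbz4QxEHt5/USZ+RFh8Bt5iBEGVvKY97QlOJ6Eq8Z
+9BMA1z+QpdkU2Rx7H2l9ohA5Kznlz80KUGzkkEwCZTqycLLX2/oq825dqF0H6hJu
+9R95ltC8xIYvW0KPunnyU4HO+RyVM544vR1KKBTXV/+ojHD2BviDQ41bFNfYjo+N
+uInrJWCgsxAC1fhnxLjQH74BkBSMF0S85y68EnHbJ/4IAud24shb6blsF1Sjf1CK
+UX0ZWwbBWj7cMg0pfkczdl7Y7pHJqOr/UrC40jHVO4CX0JrxhOT7u4cvhv0E4Y3O
+y9+Js7+fM6Ua+YF6TuArOorOCH8vzx6xvM1AW2U5jS3iMglIi6fXEYRuQB9ygPTc
+wJ/ByBApEKC7O0kA0PhwEF4FTgZntThlaJ+2rsUseONAXqZTJaX+CXtQdw6IVa8n
+SmXN01YsZzW1qFhbBSYHowqbOxbW9WH0ObtL+bxfJbG8HrVoXZJ5pcytzIDsGbtE
+1M2AQPZ4CaaWDGEvnM3REo1OOAf3f4Vf9C59suPoKVWqalBb94AhQqka8nZ81jL9
+tXDt0Yuaj2xroCNstmRFOgXJBWWx59kVdU9yoC2K0AWNrMdHAuyevgscAHsKkXq5
+4C1xL0RuUlNZ1qcX7Ev7kcLJ1RxRyXZQCbpIUi+UAWuNgEwMEHo1eQ==
+=rHPd
+-----END PGP PUBLIC KEY BLOCK-----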
@ -12,6 +12,20 @@ let
|
|||
api = {
|
||||
enable = mkEnableOption "krebs.nginx";
|
||||
|
||||
default404 = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
By default all requests not directed to an explicit hostname are
|
||||
replied with a 404 error to avoid accidental exposition of nginx
|
||||
services.
|
||||
|
||||
Set this value to `false` to disable this behavior - you will then be
|
||||
able to configure a new `default_server` in the listen address entries
|
||||
again.
|
||||
'';
|
||||
};
|
||||
|
||||
servers = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options = {
|
||||
|
@ -20,6 +34,7 @@ let
|
|||
# TODO use identity
|
||||
default = [
|
||||
"${config.networking.hostName}"
|
||||
"${config.networking.hostName}.r"
|
||||
"${config.networking.hostName}.retiolum"
|
||||
];
|
||||
};
|
||||
|
@ -81,17 +96,19 @@ let
|
|||
sendfile on;
|
||||
keepalive_timeout 65;
|
||||
gzip on;
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 404;
|
||||
}
|
||||
|
||||
${optionalString cfg.default404 ''
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 404;
|
||||
}''}
|
||||
|
||||
${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
indent = replaceChars ["\n"] ["\n "];
|
||||
|
||||
to-location = { name, value }: ''
|
||||
|
|
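Review bot: With `default404 = false` the catch-all block is dropped and nothing replaces it, so nginx answers requests for unknown host names from whichever generated server it treats as the default for that listen address; the option description only hints at this. A sentence such as `When disabled and no server declares default_server, requests with an unmatched Host header are served by the first server block for that address.` would make the exposure explicit. The catch-all also covers only `listen 80`, so servers bound to other addresses or ports presumably never had this protection, which is worth stating in the description too. The `to-location` definition at the end of the section continues outside the visible lines.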
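--- a/krebs/3modules/on-failure.nix
+++ b/krebs/3modules/on-failure.nix
@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib; let
+out = {
+options.krebs.on-failure = api;
+config = lib.mkIf cfg.enable imp;
+};
+
+cfg = config.krebs.on-failure;
+
+api = {
+enable = mkEnableOption "krebs.on-failure" // {
+default = cfg.plans != {};
+};
+plans = mkOption {
+default = {};
+type = let
+inherit (config) krebs;
+in types.attrsOf (types.submodule ({ config, ... }: {
+options = {
+enable = mkEnableOption "krebs.on-failure.${config.name}" // {
+default = true;
+};
+journalctl = {
+lines = mkOption {
+type = types.int;
+default = 100;
+};
+output = mkOption {
+type = types.enum [
+"cat"
+"export"
+"json"
+"json-pretty"
+"json-sse"
+"short"
+"short-iso"
+"short-precise"
+"verbose"
+];
+default = "short-iso";
+};
+};
+mailto = mkOption {
+type = types.str;
+default = krebs.build.user.mail;
+description = "Mail address to send journal extract to.";
+};
+subject = mkOption {
+type = types.str;
+default = "[${krebs.build.host.name}] ${config.name} has failed";
+};
+name = mkOption {
+type = types.str;
+default = config._module.args.name;
+description = "Name of the to-be-monitored service.";
+};
+};
+}));
+};
+sendmail = mkOption {
+type = types.str;
+default = "/var/setuid-wrappers/sendmail";
+};
+};
+
+imp = {
+systemd.services = foldl (a: b: a // b) {} (map to-services enabled-plans);
+};
+
+enabled-plans = filter (getAttr "enable") (attrValues cfg.plans);
+
+to-services = plan: {
+"${plan.name}".unitConfig.OnFailure = "on-failure.${plan.name}.service";
+"on-failure.${plan.name}".serviceConfig = rec {
+ExecStart = start plan;
+SyslogIdentifier = ExecStart.name;
+Type = "oneshot";
+};
+};
+
+start = plan: pkgs.writeDash "on-failure.${plan.name}" ''
+{ echo Subject: ${shell.escape plan.subject}
+echo To: ${shell.escape plan.mailto}
+echo
+${pkgs.systemd}/bin/journalctl \
+--lines=${toString plan.journalctl.lines} \
+--output=${plan.journalctl.output} \
+--unit=${shell.escape plan.name}.service
+} | ${shell.escape cfg.sendmail} -t
+'';
+
+in out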
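Review bot: The `Subject:` and `To:` lines in `start` are shell-escaped but still written with `echo`, and dash's built-in `echo` expands backslash sequences, so a `subject` or `mailto` containing `\n` (or a literal newline, which `types.str` permits) becomes extra header lines that `sendmail -t` will honour. `printf 'Subject: %s\n' ${shell.escape plan.subject}` and `printf 'To: %s\n\n' ${shell.escape plan.mailto}` avoid the escape expansion, and rejecting newlines in both options at the type level would close the rest. Separately, the unit mails up to `journalctl.lines` lines of raw journal output in clear text, and the `plans` option has no description; it should warn that log lines may carry secrets and say where the mail goes by default.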
@ -357,6 +357,35 @@ with config.krebs.lib;
|
|||
};
|
||||
tv = {
|
||||
mail = "tv@nomic.retiolum";
|
||||
pgp.pubkeys.default = ''
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
mQINBFbJ/B0BEADZx8l5gRurzhEHcc3PbBepdZqDJQZ2cGHixi8VEk9iN25qJO5y
|
||||
HB0q5sQRsh7oNCbzKp6qRhaG9kXmEda+Uu+qbHWxE32QcT76+W8npH73qthaFwC/
|
||||
5RA8KcSE8/XFxVBnVb14PNVHyAVxPHawawbhsOeaiZcHrq5IF6sVzcsc2KN87sIE
|
||||
SthR4E01LBK4AFeFuKxga9OKFQV5WJNrihu+6H4wZwUfMpbE552N1rggxT4CouqZ
|
||||
RocSg+el/aPRj3Jk9jDe/JFv4HU7KfioOD+NO8xLAkyw3aLsu/bv9nfUvcvTGeRp
|
||||
z31UOjpNYpT3PS0+lNCUKQKUadAmhwU95V/0GdhadgxCFcS65qNO7ZZYDJqMIT2y
|
||||
YH1d9MaVPDQD9W2v0ITCJcrks9p47o+C8zzDlcVr2VEGrTSngRDkWVNYjKwd3L8w
|
||||
HuaTarqOprLzeZ6yblcLVOrW8tGTmxum0jB4Fn3enpTyJNzCfp6c0CoYp/ZziQ82
|
||||
2jgLWuqKv3EKhX9aCUUgbeDFhnsM3GzdT5qYupX7UyWTLfiUlAEUQUgtyM7yBUNN
|
||||
PsD5OeYeRQ/xFzUO30kglbjXOOUQpm7kyX38OJA01JdOOhXNI7BTvkFZsJzBLoVM
|
||||
AdK3LvF4Rjau3HzYqL1Cr0ai1Y9jZVXP3vimcvUcI9bTRg9pMfD8LekiQQARAQAB
|
||||
tAl0diA8dHZAcj6JAj0EEwEIACcFAlbJ/B0CGwMFCQHhM4AFCwkIBwIGFQgJCgsC
|
||||
BBYCAwECHgECF4AACgkQJdgKWiyu47Xwow//ZS6Y1UcTDxHa066AQxL5UWL86Jj4
|
||||
pIw3k630384VrUlStP+OcwOSwa4igvyIUPrOhVLynkijNsutg6KAVi8BrtSZ8ZcP
|
||||
58gnyCPCQG4Ir0cSanp/GxMxfHKdEMyfMOopTLusLBa55VPr7sYrNi7WY20aojjJ
|
||||
05bviSrFv0+u9dEJGmCChLDv+IhHJDe4zXHbmwspGDMwlhy/E/clSZG7a1yoJjLf
|
||||
DpqRVn8KmICqMX0lvBP6fsS51pSD0n82kCpedLZmnwYEHCp+Bkx/Cla7aS33N1+n
|
||||
5CUAR6HQvPT91LsLK/h/BKZ+SHAg4j7hANSfMFO+/0A5pby3JBo6Fck0LvrEMyog
|
||||
6oGedzszZztO1eSJ5h0UQlowD4g0Y7wlWrR8znvdO1gBxQpGIjZXKqGRcuIPNZpu
|
||||
lgqIXw/pX6b0CWh2GsbHGE0FfIkBkgW2A2akA8cGEiKqOdp/kP4o7VGCLI5iZXZA
|
||||
ZY405gOo3ePTTRJ3zxF7YFRzjMhTlc6KtLiA9/Wps67lrOU0w/O8Dd+zYxmZoani
|
||||
lnXaqOj32/UCW76fZ+ovUzKP2lav5wf3tpJeekjV5Zs5dNpAYmrK6EuW7LvUg5lm
|
||||
7i5yz8yuD/xU6R3o1FycogDU6H0JtdFDYTJI9gd5EzNe3UNUEzBJF1yqQFwiW6xY
|
||||
3yFvks3C6e58YNE=
|
||||
=Sqyp
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
'';
|
||||
pubkey = "ssh-rsa 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 tv@wu";
|
||||
uid = 1337; # TODO use default
|
||||
};
|
||||
|
|
|
@ -17,7 +17,7 @@ let out = rec {
|
|||
|
||||
types = import ./types.nix {
|
||||
inherit config;
|
||||
lib = lib // { inherit genid; };
|
||||
lib = lib // { inherit genid optionalTrace; };
|
||||
};
|
||||
|
||||
dir.has-default-nix = path: pathExists (path + "/default.nix");
|
||||
|
@ -41,7 +41,10 @@ let out = rec {
|
|||
mapAttrs (name: _: path + "/${name}")
|
||||
(filterAttrs (_: eq "directory") (readDir path));
|
||||
|
||||
getAttrDef = name: set: set.${name} or set.default or null;
|
||||
mapAttrValues = f: mapAttrs (_: f);
|
||||
setAttr = name: value: set: set // { ${name} = value; };
|
||||
|
||||
optionalTrace = c: msg: x: if c then trace msg x else x;
|
||||
|
||||
}; in out
|
||||
|
|
|
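Review bot: `getAttrDef` is added without a comment, and its fallback order matters to callers: a missing `name` silently yields `set.default`, and only then `null`. For the PGP use that the `pgp.pubkeys` description in this commit points to, a module asking for a specific well-known key can therefore end up with the default key and no trace message. A one-line comment such as `# getAttrDef name set: set.${name}, else set.default, else null` would document this, and callers that must not fall back should test `set ? ${name}` themselves.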
@ -6,7 +6,7 @@ with types;
|
|||
|
||||
let
|
||||
# Inherited attributes are used in submodules that have their own `config`.
|
||||
inherit (config.krebs) users;
|
||||
inherit (config.krebs) build users;
|
||||
in
|
||||
|
||||
types // rec {
|
||||
|
@ -47,33 +47,15 @@ types // rec {
|
|||
};
|
||||
|
||||
ssh.pubkey = mkOption {
|
||||
type = nullOr str;
|
||||
type = nullOr ssh-pubkey;
|
||||
default = null;
|
||||
apply = x:
|
||||
if x != null
|
||||
then x
|
||||
else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
|
||||
optionalTrace (x == null && config.owner.name == build.user.name)
|
||||
"The option `krebs.hosts.${config.name}.ssh.pubkey' is unused."
|
||||
x;
|
||||
};
|
||||
ssh.privkey = mkOption {
|
||||
type = nullOr (submodule {
|
||||
options = {
|
||||
bits = mkOption {
|
||||
type = nullOr (enum ["4096"]);
|
||||
default = null;
|
||||
};
|
||||
path = mkOption {
|
||||
type = either path str;
|
||||
apply = x: {
|
||||
path = toString x;
|
||||
string = x;
|
||||
}.${typeOf x};
|
||||
};
|
||||
type = mkOption {
|
||||
type = enum ["rsa" "ed25519"];
|
||||
default = "ed25519";
|
||||
};
|
||||
};
|
||||
});
|
||||
type = nullOr ssh-privkey;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
@ -129,7 +111,7 @@ types // rec {
|
|||
);
|
||||
};
|
||||
pubkey = mkOption {
|
||||
type = str;
|
||||
type = tinc-pubkey;
|
||||
};
|
||||
};
|
||||
}));
|
||||
|
@ -183,8 +165,18 @@ types // rec {
|
|||
type = username;
|
||||
default = config._module.args.name;
|
||||
};
|
||||
pgp.pubkeys = mkOption {
|
||||
type = attrsOf pgp-pubkey;
|
||||
default = {};
|
||||
description = ''
|
||||
Set of user's PGP public keys.
|
||||
|
||||
Modules supporting PGP may use well-known key names to define option
|
||||
defaults, e.g. using `getAttrDef well-known-name pubkeys`.
|
||||
'';
|
||||
};
|
||||
pubkey = mkOption {
|
||||
type = nullOr str;
|
||||
type = nullOr ssh-pubkey;
|
||||
default = null;
|
||||
};
|
||||
uid = mkOption {
|
||||
|
@ -199,6 +191,31 @@ types // rec {
|
|||
addr4 = str;
|
||||
addr6 = str;
|
||||
|
||||
pgp-pubkey = str;
|
||||
|
||||
ssh-pubkey = str;
|
||||
ssh-privkey = submodule {
|
||||
options = {
|
||||
bits = mkOption {
|
||||
type = nullOr (enum ["4096"]);
|
||||
default = null;
|
||||
};
|
||||
path = mkOption {
|
||||
type = either path str;
|
||||
apply = x: {
|
||||
path = toString x;
|
||||
string = x;
|
||||
}.${typeOf x};
|
||||
};
|
||||
type = mkOption {
|
||||
type = enum ["rsa" "ed25519"];
|
||||
default = "ed25519";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
tinc-pubkey = str;
|
||||
|
||||
krebs.file-location = types.submodule {
|
||||
options = {
|
||||
# TODO user
|
||||
|
|
|
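Review bot: The new `pgp-pubkey`, `ssh-pubkey` and `tinc-pubkey` types are plain aliases for `str`, so the names promise a check that does not happen: an empty string, truncated armor, or private-key material pasted by mistake all evaluate cleanly. If validation is planned for later, a comment beside the three definitions should say they are placeholders, for example `# TODO validate format; currently accepts any string`. That keeps readers of `ssh.pubkey`, `pgp.pubkeys` and the tinc `pubkey` option from assuming the values were checked.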
@ -1,17 +1,39 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with config.krebs.lib;
|
||||
{
|
||||
let
|
||||
byid = dev: "/dev/disk/by-id/" + dev;
|
||||
rootDisk = byid "ata-ADATA_SSD_S599_64GB_10460000000000000039";
|
||||
auxDisk = byid "ata-HGST_HTS721010A9E630_JR10006PH3A02F";
|
||||
dataPartition = auxDisk + "-part1";
|
||||
|
||||
allDisks = [ rootDisk auxDisk ];
|
||||
in {
|
||||
imports = [
|
||||
../.
|
||||
../2configs/fs/single-partition-ext4.nix
|
||||
../2configs/zsh-user.nix
|
||||
../.
|
||||
../2configs/smart-monitor.nix
|
||||
];
|
||||
|
||||
# virtualisation.nova.enableSingleNode = true;
|
||||
krebs.retiolum.enable = true;
|
||||
|
||||
boot.loader.grub.device = "/dev/disk/by-id/ata-ADATA_SSD_S599_64GB_10460000000000000039";
|
||||
# TODO smartd omo darth gum all-in-one
|
||||
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
|
||||
zramSwap.enable = true;
|
||||
|
||||
fileSystems."/data" = {
|
||||
device = dataPartition;
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
boot.loader.grub.device = rootDisk;
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.makefu-omo.pubkey
|
||||
config.krebs.users.makefu-vbob.pubkey
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.darth;
|
||||
}
|
||||
|
|
|
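Review bot: The added `users.users.root.openssh.authorizedKeys.keys` gives two personal keys direct root login on this host, and the section that follows does the same for root on the host serving `cgit.euer.krebsco.de`; neither assignment says why root rather than an unprivileged account is needed. Both lists reference `config.krebs.users.*.pubkey`, so editing a user entry in the users module changes who can log in as root on these hosts without touching the host files. A short comment at each assignment, e.g. `# root login for makefu (omo and vbob keys)`, would make later access audits easier.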
@ -45,6 +45,12 @@ in {
|
|||
"cgit.euer.krebsco.de"
|
||||
];
|
||||
|
||||
# access
|
||||
users.users = {
|
||||
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
|
||||
makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
|
||||
};
|
||||
|
||||
# Chat
|
||||
environment.systemPackages = with pkgs;[
|
||||
weechat
|
||||
|
|
|
@ -11,7 +11,7 @@ let
|
|||
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
|
||||
# cryptsetup luksAddKey $dev tmpkey
|
||||
# cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
|
||||
# mkfs.ext4 /dev/mapper/crypt0 -L crypt0 -T largefile
|
||||
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
|
||||
|
||||
# omo Chassis:
|
||||
# __FRONT_
|
||||
|
@ -30,6 +30,8 @@ let
|
|||
cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
|
||||
# cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
|
||||
# all physical disks
|
||||
|
||||
# TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
|
||||
allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
|
||||
in {
|
||||
imports =
|
||||
|
|
|
@ -125,6 +125,7 @@ with config.krebs.lib;
|
|||
|
||||
nixpkgs.config.packageOverrides = pkgs: {
|
||||
nano = pkgs.runCommand "empty" {} "mkdir -p $out";
|
||||
tinc = pkgs.tinc_pre;
|
||||
};
|
||||
|
||||
services.cron.enable = false;
|
||||
|
|