Merge remote-tracking branch 'prism/master'
commit
c4fabb0bc4
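--- /dev/null
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+domain = "cache.nsupdate.info";
+in {
+# This only works for a single domain for nsupdate.info as multiple usernames
+# and passwords are required for multiple domains
+services.ddclient = {
+enable = true;
+server = "ipv4.nsupdate.info";
+username = domain;
+password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+domains = [ domain ];
+use= "if, if=et0";
+# use = "web, web=http://ipv4.nsupdate.info/myip";
+
+};
+krebs.cachecache = {
+enable = true;
+enableSSL = false; # disable letsencrypt for testing
+cacheDir = "/var/cache/nix-cache-cache";
+maxSize = "10g";
+
+# assumes that the domain is reachable from the internet
+virtualHost = domain;
+};
+
+boot.kernelModules = [ "tcp_bbr" ];
+
+boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}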
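Review bot: `password = import ((toString <secrets>) + "/nsupdate-cache.nix");` hands the nsupdate.info credential to the ddclient module as a plain Nix string, and the module writes its generated config into the Nix store, so the password ends up world-readable on the host. If the pinned nixpkgs offers a file-based option for this module (later versions have `services.ddclient.configFile` / `passwordFile`), prefer that; otherwise put a `# NOTE: password is written to the world-readable store` comment next to the line so the exposure is deliberate. `enableSSL = false; # disable letsencrypt for testing` leaves the cache on plain HTTP, which is acceptable for signed binary-cache content, but the comment should say when it is meant to be flipped back. Minor: `use= "if, if=et0";` is missing the space before `=` that every other line in the file has.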
@ -362,7 +362,7 @@ let
|
|||
# normally we should write buildbot.tac by our own
|
||||
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
|
||||
|
||||
chmod 700 -R ${workdir}
|
||||
chmod 700 ${workdir}
|
||||
chown buildbotMaster:buildbotMaster -R ${workdir}
|
||||
'';
|
||||
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
|
||||
|
|
|
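Review bot: The `chmod 700 ${workdir}` line that stands next to `chmod 700 -R ${workdir}` (the slave.nix hunk at -166,7 shows the same pair) leaves files already inside the directory with whatever mode they had, while the `chown ... -R ${workdir}` next to it stays recursive; if the intent is to stop rewriting the modes of buildbot's own files, a comment such as `# top-level dir only; buildbot manages the modes of its own files` would make the asymmetry deliberate. Which of the two chmod lines is the new one is not marked on this page, so this reads from print order. The ExecStartPre script these lines belong to starts before the hunk.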
@ -166,7 +166,7 @@ let
|
|||
echo ${description} > ${workdir}/info/host
|
||||
|
||||
chown buildbotSlave:buildbotSlave -R ${workdir}
|
||||
chmod 700 -R ${workdir}
|
||||
chmod 700 ${workdir}
|
||||
'';
|
||||
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
|
||||
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
|
||||
|
|
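--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+cfg = config.krebs.cachecache;
+
+nginxCfg = config.services.nginx;
+
+cacheFallbackConfig = {
+proxyPass = "$upstream_endpoint";
+extraConfig = ''
+# Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+proxy_http_version 1.1;
+
+# Remove the Connection header if the client sends it, it could
+# be "close" to close a keepalive connection
+proxy_set_header Connection "";
+
+# Needed for CloudFront.
+proxy_ssl_server_name on;
+
+proxy_set_header Host $proxy_host;
+proxy_cache nix_cache_cache;
+proxy_cache_valid 200 302 60m;
+proxy_cache_valid 404 1m;
+
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+'';
+};
+
+in
+
+{
+options = {
+krebs.cachecache = {
+enable = mkEnableOption "Nix binary cache cache";
+
+virtualHost = mkOption {
+type = types.str;
+default = "nix-cache";
+description = ''
+Name of the nginx virtualhost to use and setup. If null, do
+not setup any virtualhost.
+'';
+};
+enableSSL = mkOption {
+type = types.bool;
+default = true;
+description = ''
+enable SSL via letsencrypt. Requires working dns resolution and open
+internet tls port.
+'';
+};
+
+# webRoot = mkOption {
+# type = types.str;
+# default = "/";
+# description = ''
+# Directory on virtual host that serves the cache. Must end in
+# <literal>/</literal>.
+# '';
+# };
+
+resolver = mkOption {
+type = types.str;
+description = "Address of DNS resolver.";
+default = "8.8.8.8 ipv6=off";
+example = "127.0.0.1 ipv6=off";
+};
+
+cacheDir = mkOption {
+type = types.str;
+default = "/var/cache/nix-cache-cache";
+description = ''
+Where nginx should store cached data.
+'';
+};
+
+maxSize = mkOption {
+type = types.str;
+default = "50g";
+description = "Maximum cache size.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+systemd.services.nginx.preStart = ''
+mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+chown ${nginxCfg.user}:${nginxCfg.group} \
+${cfg.cacheDir} /srv/www/nix-cache-cache
+'';
+
+services.nginx = {
+enable = true;
+
+appendHttpConfig = ''
+proxy_cache_path ${cfg.cacheDir}
+levels=1:2
+keys_zone=nix_cache_cache:100m
+max_size=${cfg.maxSize}
+inactive=365d
+use_temp_path=off;
+
+# Cache only success status codes; in particular we don't want
+# to cache 404s. See https://serverfault.com/a/690258/128321.
+map $status $nix_cache_cache_header {
+200 "public";
+302 "public";
+default "no-cache";
+}
+'';
+
+virtualHosts.${cfg.virtualHost} = {
+addSSL = cfg.enableSSL;
+enableACME = cfg.enableSSL;
+extraConfig = ''
+# Using a variable for the upstream endpoint to ensure that it is
+# resolved at runtime as opposed to once when the config file is loaded
+# and then cached forever (we don't want that):
+# see https://tenzer.dk/nginx-with-dynamic-upstreams/
+# This fixes errors like
+#
+# nginx: [emerg] host not found in upstream "upstream.example.com"
+#
+# when the upstream host is not reachable for a short time when
+# nginx is started.
+resolver ${cfg.resolver} valid=10s;
+set $upstream_endpoint https://cache.nixos.org;
+'';
+
+locations."/" =
+{
+root = "/srv/www/nix-cache-cache";
+extraConfig = ''
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+
+# Ask the upstream server if a file isn't available
+# locally.
+error_page 404 = @fallback;
+
+# Don't bother logging the above 404.
+log_not_found off;
+'';
+};
+
+locations."@fallback" = cacheFallbackConfig;
+
+# We always want to copy cache.nixos.org's nix-cache-info
+# file, and ignore our own, because `nix-push` by default
+# generates one without `Priority` field, and thus that file
+# by default has priority 50 (compared to cache.nixos.org's
+# `Priority: 40`), which will make download clients prefer
+# `cache.nixos.org` over our binary cache.
+locations."= /nix-cache-info" = cacheFallbackConfig;
+};
+};
+};
+}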
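Review bot: The `virtualHost` option's description promises "If null, do not setup any virtualhost", but its type is `types.str`, so null is rejected at evaluation time and nothing in `config` handles it — `virtualHosts.${cfg.virtualHost} = {` would fail on null as well. Either drop that sentence from the description or make it true with `type = types.nullOr types.str;` and `services.nginx.virtualHosts = mkIf (cfg.virtualHost != null) { ... };`. Two smaller points: `proxy_cache_valid 404 1m;` in `cacheFallbackConfig` does cache upstream 404s for a minute, which reads against the `# in particular we don't want to cache 404s` comment in appendHttpConfig (that comment is about the Cache-Control map, so a clarifying word there helps), and the `resolver` default `8.8.8.8 ipv6=off` sends every upstream lookup to a third-party resolver in plaintext, which the option description should state so deployers know to override it.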
@ -26,8 +26,15 @@ let
|
|||
|
||||
hostname = config.networking.hostName;
|
||||
getJobs = pkgs.writeDash "get_jobs" ''
|
||||
set -efu
|
||||
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
|
||||
nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
|
||||
js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
|
||||
echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
|
||||
| while read -r host builder; do
|
||||
gcroot=${shell.escape profileRoot}/$host-builder
|
||||
${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
|
||||
done
|
||||
echo "$js"
|
||||
'';
|
||||
|
||||
profileRoot = "/nix/var/nix/profiles/ci";
|
||||
|
|
|
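Review bot: In the new `get_jobs` script, `nix-build`, `nix-instantiate` and `jq` are resolved from PATH while `${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"` is pinned to a store path, so the instantiate and the profile update can come from different nix versions; pinning all of them (`${pkgs.nix}/bin/nix-instantiate`, `${pkgs.jq}/bin/jq`) keeps the script hermetic. The `js="$(nix-instantiate ...)"` capture and the `jq ... | while read -r host builder` loop are otherwise sound under `set -efu`. Old and new sides are not marked on this page; the unquoted `nix-instantiate ...` line next to the `js=` capture is read as the removed one from the hunk counts.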
@ -14,6 +14,7 @@ let
|
|||
./buildbot/master.nix
|
||||
./buildbot/slave.nix
|
||||
./build.nix
|
||||
./cachecache.nix
|
||||
./charybdis.nix
|
||||
./ci.nix
|
||||
./current.nix
|
||||
|
|
|
@ -38,11 +38,6 @@ let
|
|||
'';
|
||||
default = {};
|
||||
};
|
||||
maxTime = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
description = "Time to wait before download is aborted";
|
||||
};
|
||||
};
|
||||
|
||||
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
|
||||
|
@ -51,8 +46,8 @@ let
|
|||
mkdir -p ${cfg.stateDir}
|
||||
chmod o+rx ${cfg.stateDir}
|
||||
cd ${cfg.stateDir}
|
||||
(curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
|
||||
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
|
||||
(curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
|
||||
feh --no-fehbg --bg-scale wallpaper
|
||||
'';
|
||||
|
||||
imp = {
|
||||
|
|
|
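Review bot: The `(curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :` line carries no timeout and `-s` also suppresses curl's error text, so a stalled connection blocks the fetchWallpaper unit silently while `|| :` hides the result; with the `maxTime` option removed in the -38,11 hunk above (and `maxTime = 10;` dropped in the 2configs/fetchWallpaper.nix hunk), consider `-sS` so failures at least reach the journal, or a `TimeoutStartSec` on the unit. The `feh --no-fehbg --bg-scale wallpaper` line now relies on the preceding `cd ${cfg.stateDir}`, which is fine but deserves a one-line comment. Old and new sides are not marked on this page, so this reads from print order and the hunk counts.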
@ -624,15 +624,16 @@ in {
|
|||
"blog.makefu.r"
|
||||
"blog.gum.r"
|
||||
"dcpp.gum.r"
|
||||
"torrent.gum.r"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
|
||||
aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
|
||||
npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
|
||||
6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
|
||||
3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
|
||||
VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
|
||||
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
|
||||
BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
|
||||
i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
|
||||
09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
|
||||
u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
|
||||
OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
||||
'';
|
||||
};
|
||||
|
|
|
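Review bot: The `tinc.pubkey` block replaces this host's RSA public key and nothing in the merge description says why; every retiolum peer that evaluates this file will trust the new key, so the rotation should be confirmed out-of-band with the host's owner and recorded next to the key, e.g. `# key rotated <date>; previous key retired`. Which of the two key bodies is the new one is inferred from print order, since the page does not mark sides.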
@ -1,7 +1,7 @@
|
|||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||
"rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
|
||||
"date": "2018-11-04T19:36:25+01:00",
|
||||
"sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
|
||||
"rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
|
||||
"date": "2018-11-24T00:40:22-05:00",
|
||||
"sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
|
||||
"fetchSubmodules": false
|
||||
}
|
||||
|
|
|
@ -110,7 +110,6 @@ with import <stockholm/lib>;
|
|||
<stockholm/lass/2configs/iodined.nix>
|
||||
<stockholm/lass/2configs/paste.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/reaktor-coders.nix>
|
||||
<stockholm/lass/2configs/ciko.nix>
|
||||
<stockholm/lass/2configs/container-networking.nix>
|
||||
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
|
||||
|
|
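--- /dev/null
+++ b/lass/1systems/blue/source.nix
@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+{
+nixpkgs = lib.mkForce {
+file = toString (pkgs.fetchFromGitHub {
+owner = "nixos";
+repo = "nixpkgs";
+rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
+sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
+});
+};
+}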
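Review bot: `lib.importJSON ../../../krebs/nixpkgs.json` is evaluated twice, once for `rev` and once for `sha256`; binding it once with `let pin = lib.importJSON ../../../krebs/nixpkgs.json; in` and using `pin.rev` / `pin.sha256` keeps the two fields tied to one read and makes the pin obvious. A one-line header comment saying that this file forces blue onto the krebs nixpkgs pin (fetched via fetchFromGitHub) would spare the reader from working it out from `lib.mkForce`.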
@ -33,6 +33,7 @@ with import <stockholm/lib>;
|
|||
<stockholm/lass/2configs/rtl-sdr.nix>
|
||||
<stockholm/lass/2configs/backup.nix>
|
||||
<stockholm/lass/2configs/print.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
{
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
#risk of rain
|
||||
|
|
|
@ -5,42 +5,35 @@ with import <stockholm/lib>;
|
|||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
#<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
{
|
||||
# discordius config
|
||||
services.xserver.enable = true;
|
||||
services.xserver.desktopManager.xfce.enable = true;
|
||||
|
||||
users.users.discordius = {
|
||||
uid = genid "discordius";
|
||||
home = "/home/discordius";
|
||||
group = "users";
|
||||
createHome = true;
|
||||
uid = genid "diskordius";
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"networkmanager"
|
||||
];
|
||||
useDefaultShell = true;
|
||||
};
|
||||
networking.networkmanager.enable = true;
|
||||
networking.wireless.enable = mkForce false;
|
||||
environment.systemPackages = with pkgs; [
|
||||
google-chrome
|
||||
];
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
systemWide = true;
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
pavucontrol
|
||||
firefox
|
||||
hexchat
|
||||
networkmanagerapplet
|
||||
];
|
||||
services.xserver.desktopManager.gnome3 = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.skynet;
|
||||
|
||||
networking.wireless.enable = false;
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandleLidSwitch=ignore
|
||||
'';
|
||||
|
|
|
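Review bot: `uid = genid "diskordius";` does not match the account name `discordius` it sits in; genid derives the uid from the string, so a typo here silently yields a different uid than `genid "discordius"`, and either the spelling should be fixed or the line needs `# intentional: keeps the uid this account was created with`. Old and new sides are not marked on this page, so this assumes from print order that the `diskordius` line is the one that survives; if it is the removed one the commit already fixes it. The surrounding `users.users.discordius` block is inside the hunk, but the enclosing imports list starts before it.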
@ -1,10 +1,27 @@
|
|||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<stockholm/lass/2configs/hw/x220.nix>
|
||||
<stockholm/lass/2configs/boot/stock-x220.nix>
|
||||
<stockholm/krebs/2configs/hw/x220.nix>
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.loader.grub.device = "nodev";
|
||||
|
||||
networking.hostId = "06442b9a";
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/0876-B308";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
|
||||
|
|
|
@ -20,7 +20,14 @@
|
|||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.nix-serve = {
|
||||
serverAliases = [ "cache.prism.r" "cache.krebsco.de" "cache.lassul.us" ];
|
||||
serverAliases = [ "cache.prism.r" ];
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||
'';
|
||||
};
|
||||
virtualHosts."cache.krebsco.de" = {
|
||||
serverAliases = [ "cache.lassul.us" ];
|
||||
enableACME = true;
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||
'';
|
||||
|
|
|
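Review bot: The new `virtualHosts."cache.krebsco.de"` block sets `enableACME = true;` but no `forceSSL`/`addSSL` is visible in the hunk, and with only `enableACME` the NixOS nginx module obtains the certificate while the host keeps serving plain HTTP; if the lines past the end of the hunk do not add it, `forceSSL = true;` next to `enableACME` is the missing line. The `proxy_pass http://localhost:${toString config.services.nix-serve.port};` location is a verbatim copy of the `nix-serve` vhost's; a shared `let` binding would keep the two in step. The vhost block continues past the end of the hunk.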
@ -1,23 +1,114 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
let
|
||||
all_hosts = [
|
||||
"icarus"
|
||||
"shodan"
|
||||
"daedalus"
|
||||
"skynet"
|
||||
"prism"
|
||||
];
|
||||
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
|
||||
|
||||
{
|
||||
in {
|
||||
imports = [
|
||||
<stockholm/lass/2configs/container-networking.nix>
|
||||
{ #hack for already defined
|
||||
systemd.services."container@blue".reloadIfChanged = mkForce false;
|
||||
systemd.services."container@blue".preStart = ''
|
||||
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
|
||||
'';
|
||||
systemd.services."container@blue".preStop = ''
|
||||
/run/wrappers/bin/fusermount -u /var/lib/containers/blue
|
||||
'';
|
||||
}
|
||||
];
|
||||
systemd.services."container@blue".reloadIfChanged = mkForce false;
|
||||
|
||||
system.activationScripts.containerPermissions = ''
|
||||
mkdir -p /var/lib/containers
|
||||
chmod 711 /var/lib/containers
|
||||
'';
|
||||
|
||||
containers.blue = {
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [ pkgs.git ];
|
||||
environment.systemPackages = [
|
||||
pkgs.git
|
||||
pkgs.rxvt_unicode.terminfo
|
||||
];
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
autoStart = true;
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "10.233.2.9";
|
||||
localAddress = "10.233.2.10";
|
||||
};
|
||||
|
||||
|
||||
systemd.services = builtins.listToAttrs (map (host:
|
||||
let
|
||||
in nameValuePair "sync-blue-${host}" {
|
||||
bindsTo = [ "container@blue.service" ];
|
||||
wantedBy = [ "container@blue.service" ];
|
||||
# ssh needed for rsync
|
||||
path = [ pkgs.openssh ];
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
ExecStart = pkgs.writeDash "sync-blue-${host}" ''
|
||||
set -efu
|
||||
#make sure blue is running
|
||||
/run/wrappers/bin/ping -c1 blue.r > /dev/null
|
||||
|
||||
#make sure the container is unlocked
|
||||
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
|
||||
|
||||
#make sure our target is reachable
|
||||
${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
|
||||
|
||||
#start sync
|
||||
${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
|
||||
settings {
|
||||
nodaemon = true,
|
||||
inotifyMode = "CloseWrite or Modify",
|
||||
}
|
||||
sync {
|
||||
default.rsyncssh,
|
||||
source = "/var/lib/containers/.blue",
|
||||
host = "${host}.r",
|
||||
targetdir = "/var/lib/containers/.blue",
|
||||
rsync = {
|
||||
owner = true,
|
||||
group = true,
|
||||
};
|
||||
ssh = {
|
||||
binary = "${pkgs.openssh}/bin/ssh";
|
||||
identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
|
||||
},
|
||||
}
|
||||
''}
|
||||
'';
|
||||
};
|
||||
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
||||
}
|
||||
) remote_hosts);
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writeDashBin "start-blue" ''
|
||||
set -ef
|
||||
if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
|
||||
${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
|
||||
fi
|
||||
nixos-container start blue
|
||||
nixos-container run blue -- nixos-rebuild -I /var/src dry-build
|
||||
if ping -c1 blue.r >/dev/null; then
|
||||
echo 'blue is already running. bailing out'
|
||||
exit 23
|
||||
fi
|
||||
nixos-container run blue -- nixos-rebuild -I /var/src switch
|
||||
'')
|
||||
];
|
||||
}
|
||||
|
|
|
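Review bot: In the `start-blue` script, `if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then` executes the output of the command substitution as a command; it works only because `-q` prints nothing and an empty command inherits the substitution's status, and it breaks the moment grep prints anything. Write it as `if ! mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'; then`. In the `sync-blue-${host}` services, lsyncd runs as root with `identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa"`, i.e. a key inside the encfs-protected tree; a comment stating that the three `#make sure ...` checks are ordered so the key is only touched after the mount check passes would explain the sequence to the next reader. `mount` and `ping` in the same scripts are unpinned while grep comes from `${pkgs.gnugrep}`.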
@ -92,6 +92,7 @@ with import <stockholm/lib>;
|
|||
{ from = "ccc@lassul.us"; to = lass.mail; }
|
||||
{ from = "neocron@lassul.us"; to = lass.mail; }
|
||||
{ from = "osmocom@lassul.us"; to = lass.mail; }
|
||||
{ from = "lesswrong@lassul.us"; to = lass.mail; }
|
||||
];
|
||||
system-aliases = [
|
||||
{ from = "mailer-daemon"; to = "postmaster"; }
|
||||
|
|
|
@ -7,7 +7,6 @@ in {
|
|||
enable = true;
|
||||
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
||||
url = "prism/realwallpaper-krebs.png";
|
||||
maxTime = 10;
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -31,6 +31,7 @@ let
|
|||
'';
|
||||
|
||||
mailboxes = {
|
||||
afra = [ "to:afra@afra-berlin.de" ];
|
||||
c-base = [ "to:c-base.org" ];
|
||||
coins = [
|
||||
"to:btce@lassul.us"
|
||||
|
@ -46,11 +47,14 @@ let
|
|||
];
|
||||
dezentrale = [ "to:dezentrale.space" ];
|
||||
dhl = [ "to:dhl@lassul.us" ];
|
||||
dn42 = [ "to:dn42@lists.nox.tf" ];
|
||||
eloop = [ "to:eloop.org" ];
|
||||
github = [ "to:github@lassul.us" ];
|
||||
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
|
||||
india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
|
||||
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
|
||||
lugs = [ "to:lugs@lug-s.org" ];
|
||||
meetup = [ "to:meetup@lassul.us" ];
|
||||
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
|
||||
patreon = [ "to:patreon@lassul.us" ];
|
||||
paypal = [ "to:paypal@lassul.us" ];
|
||||
|
|
|
@ -177,7 +177,8 @@
|
|||
addr = "0.0.0.0";
|
||||
domain = "grafana.example.com";
|
||||
rootUrl = "https://grafana.example.com/";
|
||||
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
|
||||
auth.anonymous.enable = true;
|
||||
auth.anonymous.org_role = "Admin";
|
||||
};
|
||||
};
|
||||
services.logstash = {
|
||||
|
|
|
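Review bot: `auth.anonymous.enable = true;` together with `auth.anonymous.org_role = "Admin";` gives every unauthenticated visitor full admin rights on this Grafana, and the context lines show it bound to `addr = "0.0.0.0"` with a public `rootUrl`, so unless a firewall or reverse proxy restricts reachability this is an open admin panel. If anonymous read access is what is wanted, `auth.anonymous.org_role = "Viewer";` is the usual setting; if Admin is intentional (reachable only on a trusted network), say so in a comment next to the line. The `security = import <secrets/grafana_security.nix>` admin credentials above are made moot by anonymous Admin.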
@ -60,10 +60,25 @@ in {
|
|||
group = "radio";
|
||||
musicDirectory = "/home/radio/the_playlist/music";
|
||||
extraConfig = ''
|
||||
audio_output {
|
||||
type "shout"
|
||||
encoding "lame"
|
||||
name "the_playlist_mp3"
|
||||
host "localhost"
|
||||
port "8000"
|
||||
mount "/radio.mp3"
|
||||
password "${source-password}"
|
||||
bitrate "128"
|
||||
|
||||
format "44100:16:2"
|
||||
|
||||
user "source"
|
||||
genre "good music"
|
||||
}
|
||||
audio_output {
|
||||
type "shout"
|
||||
encoding "ogg"
|
||||
name "the_playlist"
|
||||
name "the_playlist_ogg"
|
||||
host "localhost"
|
||||
port "8000"
|
||||
mount "/radio.ogg"
|
||||
|
|
|
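Review bot: The added mp3 `audio_output` block interpolates `password "${source-password}"` into `extraConfig`, which lands in the generated mpd.conf in the Nix store and is therefore readable by every local user; if `source-password` is a plain string read from secrets, the ogg block below presumably has the same issue already, so this copies an existing pattern rather than creating one, but a `# NOTE: shout password is written to the world-readable store` comment, or moving the secret to a file mpd reads at runtime, would be the fix for both. Naming the outputs `the_playlist_mp3` and `the_playlist_ogg` is a good consistency change. The ogg block continues past the end of the hunk.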
@ -139,6 +139,13 @@ in {
|
|||
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
||||
};
|
||||
|
||||
users.users.xanf = {
|
||||
uid = genid_uint31 "xanf";
|
||||
home = "/home/xanf";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
};
|
||||
|
||||
users.users.domsen = {
|
||||
uid = genid_uint31 "domsen";
|
||||
description = "maintenance acc for domsen";
|
||||
|
|
|
@ -5,6 +5,12 @@
|
|||
pkgs
|
||||
;
|
||||
|
||||
host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
|
||||
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
|
||||
else
|
||||
{}
|
||||
;
|
||||
|
||||
source = { test }: lib.evalSource [
|
||||
krebs-source
|
||||
{
|
||||
|
@ -18,15 +24,24 @@
|
|||
};
|
||||
};
|
||||
}
|
||||
host-source
|
||||
];
|
||||
|
||||
in {
|
||||
|
||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
|
||||
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
|
||||
source = source { test = false; };
|
||||
inherit target;
|
||||
};
|
||||
|
||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
|
||||
populate = { target, force ? false }: pkgs.populate {
|
||||
inherit force;
|
||||
source = source { test = false; };
|
||||
target = lib.mkTarget target;
|
||||
};
|
||||
|
||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
|
||||
test = { target }: pkgs.krops.writeTest "${name}-test" {
|
||||
force = true;
|
||||
|
|
|
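Review bot: The path `./. + "/1systems/${name}/source.nix"` is spelled out twice on the new `host-source` lines, once for `lib.pathExists` and once for `import`; binding it once (`hostSourceFile = ./. + "/1systems/${name}/source.nix";`) keeps the check and the import from drifting apart. A one-line comment on `host-source` saying what it is for (per-host source overrides, which blue/source.nix applies with `lib.mkForce`) would also help, since the `{}` fallback reads as a no-op to a newcomer. How `lib.evalSource` resolves conflicts between list entries is not visible on this page, so the override semantics are hedged.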
@ -63,9 +63,17 @@ in {
|
|||
}
|
||||
# <stockholm/makefu/2configs/syncthing.nix>
|
||||
<stockholm/makefu/2configs/remote-build/slave.nix>
|
||||
<stockholm/makefu/2configs/deployment/google-muell.nix>
|
||||
# TODO:
|
||||
# <stockholm/makefu/2configs/deployment/google-muell.nix>
|
||||
<stockholm/makefu/2configs/virtualisation/docker.nix>
|
||||
<stockholm/makefu/2configs/bluetooth-mpd.nix>
|
||||
|
||||
{
|
||||
# Risikoübernahme
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"homeassistant-0.77.2"
|
||||
];
|
||||
}
|
||||
<stockholm/makefu/2configs/deployment/homeautomation>
|
||||
{
|
||||
makefu.ps3netsrv = {
|
||||
|
@ -97,6 +105,7 @@ in {
|
|||
|
||||
];
|
||||
makefu.full-populate = true;
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
|
||||
downloadDir = lib.mkForce "/media/cryptX/torrent";
|
||||
extraConfig = ''
|
||||
|
|
|
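Review bot: `krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {` wraps the rtorrent config in a `builtins.trace` that dumps the telegraf config to stderr on every evaluation; this looks like leftover debugging and should go back to `krebs.rtorrent = {`. The `nixpkgs.config.permittedInsecurePackages = [ "homeassistant-0.77.2" ];` block in this file, and the identical one in the next section, are tagged only `# Risikoübernahme`; a risk acceptance should name the reason and what lifts it, e.g. `# accepted: hass pinned to 0.77.2 until <upgrade condition>; revisit on next nixpkgs bump`. The rtorrent block continues past the end of the hunk.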
@ -45,7 +45,12 @@ in {
|
|||
# <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
|
||||
{ environment.systemPackages = [ pkgs.vlc ]; }
|
||||
|
||||
|
||||
{
|
||||
# Risikoübernahme
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"homeassistant-0.77.2"
|
||||
];
|
||||
}
|
||||
<stockholm/makefu/2configs/deployment/bureautomation>
|
||||
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
|
||||
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
|
||||
|
|
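--- /dev/null
+++ b/makefu/2configs/nginx/download.binaergewitter.de.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
+in {
+systemd.services.mirrorsync = {
+startAt = "08:00:00";
+path = with pkgs; [ rsync openssh ];
+script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
+};
+services.nginx = {
+enable = lib.mkDefault true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+virtualHosts."download.binaergewitter.de" = {
+serverAliases = [ "dl2.binaergewitter.de" ];
+root = "/var/www/binaergewitter";
+extraConfig = ''
+access_log /var/spool/nginx/logs/binaergewitter.access.log combined;
+error_log /var/spool/nginx/logs/binaergewitter.error.log error;
+autoindex on;
+'';
+};
+};
+}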
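Review bot: The `mirrorsync` script runs `ssh -i ${ident}` non-interactively against the hard-coded address `159.69.132.234`, so the first run either stalls on the unknown-host-key prompt or, depending on root's ssh defaults, pins whatever key answers; passing a pre-populated known_hosts file (`-o UserKnownHostsFile=<path>` with `-o StrictHostKeyChecking=yes`) makes the mirror's integrity depend on the expected key rather than on first contact. The rsync line has no `--delete`, so files removed upstream linger under `/var/www/binaergewitter`; if that is intended, a comment on the line would say so. `autoindex on;` publishes the directory listing, which is fine for a download mirror but worth noting next to it, and the `/var/spool/nginx/logs` directory used by the two log lines must already exist.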
@ -1,7 +1,7 @@
|
|||
{
|
||||
"url": "https://github.com/makefu/nixpkgs",
|
||||
"rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
|
||||
"date": "2018-09-18T02:20:45+02:00",
|
||||
"sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
|
||||
"rev": "9728b2e83406c76efc734ebb1923f23b8e687819",
|
||||
"date": "2018-11-19T20:36:35+01:00",
|
||||
"sha256": "0nk75ldppjr6x04hgghgg9vanr1cw4k5xhg699d38g2rpxviz5bp",
|
||||
"fetchSubmodules": false
|
||||
}
|
||||
|
|