Merge remote-tracking branch 'prism/master'
c4fabb0bc4
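--- /dev/null
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+domain = "cache.nsupdate.info";
+in {
+# This only works for a single domain for nsupdate.info as multiple usernames
+# and passwords are required for multiple domains
+services.ddclient = {
+enable = true;
+server = "ipv4.nsupdate.info";
+username = domain;
+password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+domains = [ domain ];
+use= "if, if=et0";
+# use = "web, web=http://ipv4.nsupdate.info/myip";
+
+};
+krebs.cachecache = {
+enable = true;
+enableSSL = false; # disable letsencrypt for testing
+cacheDir = "/var/cache/nix-cache-cache";
+maxSize = "10g";
+
+# assumes that the domain is reachable from the internet
+virtualHost = domain;
+};
+
+boot.kernelModules = [ "tcp_bbr" ];
+
+boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}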
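Review bot: `password = import ((toString <secrets>) + "/nsupdate-cache.nix");` pulls the secret into the Nix evaluation, and as far as I recall the `services.ddclient` module of that period renders `password` into a generated config file, which means the credential lands in the world-readable Nix store. A password read from a root-owned file at service start (outside `/nix/store`) avoids that; until then a `# NOTE: password is embedded in the store-side ddclient config` next to the line would at least make the exposure visible. `enableSSL = false; # disable letsencrypt for testing` leaves the cache on plain HTTP while `networking.firewall.allowedTCPPorts = [ 80 443 ];` still opens 443 (the cachecache module opens both already), so a `# TODO: re-enable TLS before depending on this cache` would record that this is a test state. The `use= "if, if=et0";` line also lacks the space before `=` used on every other binding.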
|
@ -362,7 +362,7 @@ let
|
||||||
# normally we should write buildbot.tac by our own
|
# normally we should write buildbot.tac by our own
|
||||||
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
|
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
|
||||||
|
|
||||||
chmod 700 -R ${workdir}
|
chmod 700 ${workdir}
|
||||||
chown buildbotMaster:buildbotMaster -R ${workdir}
|
chown buildbotMaster:buildbotMaster -R ${workdir}
|
||||||
'';
|
'';
|
||||||
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
|
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
|
||||||
|
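Review bot: `chmod 700 -R ${workdir}` applies mode 700 to every regular file as well as the directories, so everything under the buildbot work directory becomes owner-executable; `chmod -R u=rwX,go= ${workdir}` removes group/other access the same way but only adds execute on directories and files that already have it. The slave hunk below makes the identical change (`chmod 700 -R ${workdir}` after its chown) and would take the same form. The enclosing preStart string starts outside the hunk.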
|
|
@ -166,7 +166,7 @@ let
|
||||||
echo ${description} > ${workdir}/info/host
|
echo ${description} > ${workdir}/info/host
|
||||||
|
|
||||||
chown buildbotSlave:buildbotSlave -R ${workdir}
|
chown buildbotSlave:buildbotSlave -R ${workdir}
|
||||||
chmod 700 -R ${workdir}
|
chmod 700 ${workdir}
|
||||||
'';
|
'';
|
||||||
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
|
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
|
||||||
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
|
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
|
||||||
|
|
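--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+cfg = config.krebs.cachecache;
+
+nginxCfg = config.services.nginx;
+
+cacheFallbackConfig = {
+proxyPass = "$upstream_endpoint";
+extraConfig = ''
+# Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+proxy_http_version 1.1;
+
+# Remove the Connection header if the client sends it, it could
+# be "close" to close a keepalive connection
+proxy_set_header Connection "";
+
+# Needed for CloudFront.
+proxy_ssl_server_name on;
+
+proxy_set_header Host $proxy_host;
+proxy_cache nix_cache_cache;
+proxy_cache_valid 200 302 60m;
+proxy_cache_valid 404 1m;
+
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+'';
+};
+
+in
+
+{
+options = {
+krebs.cachecache = {
+enable = mkEnableOption "Nix binary cache cache";
+
+virtualHost = mkOption {
+type = types.str;
+default = "nix-cache";
+description = ''
+Name of the nginx virtualhost to use and setup. If null, do
+not setup any virtualhost.
+'';
+};
+enableSSL = mkOption {
+type = types.bool;
+default = true;
+description = ''
+enable SSL via letsencrypt. Requires working dns resolution and open
+internet tls port.
+'';
+};
+
+# webRoot = mkOption {
+# type = types.str;
+# default = "/";
+# description = ''
+# Directory on virtual host that serves the cache. Must end in
+# <literal>/</literal>.
+# '';
+# };
+
+resolver = mkOption {
+type = types.str;
+description = "Address of DNS resolver.";
+default = "8.8.8.8 ipv6=off";
+example = "127.0.0.1 ipv6=off";
+};
+
+cacheDir = mkOption {
+type = types.str;
+default = "/var/cache/nix-cache-cache";
+description = ''
+Where nginx should store cached data.
+'';
+};
+
+maxSize = mkOption {
+type = types.str;
+default = "50g";
+description = "Maximum cache size.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+systemd.services.nginx.preStart = ''
+mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+chown ${nginxCfg.user}:${nginxCfg.group} \
+${cfg.cacheDir} /srv/www/nix-cache-cache
+'';
+
+services.nginx = {
+enable = true;
+
+appendHttpConfig = ''
+proxy_cache_path ${cfg.cacheDir}
+levels=1:2
+keys_zone=nix_cache_cache:100m
+max_size=${cfg.maxSize}
+inactive=365d
+use_temp_path=off;
+
+# Cache only success status codes; in particular we don't want
+# to cache 404s. See https://serverfault.com/a/690258/128321.
+map $status $nix_cache_cache_header {
+200 "public";
+302 "public";
+default "no-cache";
+}
+'';
+
+virtualHosts.${cfg.virtualHost} = {
+addSSL = cfg.enableSSL;
+enableACME = cfg.enableSSL;
+extraConfig = ''
+# Using a variable for the upstream endpoint to ensure that it is
+# resolved at runtime as opposed to once when the config file is loaded
+# and then cached forever (we don't want that):
+# see https://tenzer.dk/nginx-with-dynamic-upstreams/
+# This fixes errors like
+#
+# nginx: [emerg] host not found in upstream "upstream.example.com"
+#
+# when the upstream host is not reachable for a short time when
+# nginx is started.
+resolver ${cfg.resolver} valid=10s;
+set $upstream_endpoint https://cache.nixos.org;
+'';
+
+locations."/" =
+{
+root = "/srv/www/nix-cache-cache";
+extraConfig = ''
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+
+# Ask the upstream server if a file isn't available
+# locally.
+error_page 404 = @fallback;
+
+# Don't bother logging the above 404.
+log_not_found off;
+'';
+};
+
+locations."@fallback" = cacheFallbackConfig;
+
+# We always want to copy cache.nixos.org's nix-cache-info
+# file, and ignore our own, because `nix-push` by default
+# generates one without `Priority` field, and thus that file
+# by default has priority 50 (compared to cache.nixos.org's
+# `Priority: 40`), which will make download clients prefer
+# `cache.nixos.org` over our binary cache.
+locations."= /nix-cache-info" = cacheFallbackConfig;
+};
+};
+};
+}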
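Review bot: the `virtualHost` option's description promises `If null, do not setup any virtualhost`, but its type is `types.str` (not `nullOr`) and `config` unconditionally defines `virtualHosts.${cfg.virtualHost}`, so the documented null behaviour cannot happen; either change the type to `types.nullOr types.str` and wrap the vhost in `mkIf (cfg.virtualHost != null)`, or drop that sentence from the description. `proxy_cache_valid 404 1m;` in `cacheFallbackConfig` also contradicts the `# ... we don't want to cache 404s` comment in `appendHttpConfig`: the `map` only shapes the client-facing `Cache-Control` header, while `proxy_cache_valid 404` still stores upstream 404s in nginx's own cache for a minute. The `resolver` default `8.8.8.8 ipv6=off` sends every upstream lookup to a public resolver in clear text; a `# TODO: document or make overridable per host` on the default, or at least the `example` pointing at a local resolver being the recommended value, would help operators notice.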
|
@ -26,8 +26,15 @@ let
|
||||||
|
|
||||||
hostname = config.networking.hostName;
|
hostname = config.networking.hostName;
|
||||||
getJobs = pkgs.writeDash "get_jobs" ''
|
getJobs = pkgs.writeDash "get_jobs" ''
|
||||||
|
set -efu
|
||||||
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
|
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
|
||||||
nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
|
js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
|
||||||
|
echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
|
||||||
|
| while read -r host builder; do
|
||||||
|
gcroot=${shell.escape profileRoot}/$host-builder
|
||||||
|
${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
|
||||||
|
done
|
||||||
|
echo "$js"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
profileRoot = "/nix/var/nix/profiles/ci";
|
profileRoot = "/nix/var/nix/profiles/ci";
|
||||||
|
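Review bot: the new loop invokes `${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"` by store path while the same script calls `nix-build`, `nix-instantiate` and `jq` from `$PATH`, so only one of the tools is pinned and the rest depend on whatever environment the unit provides. Either reference all of them via `${pkgs.nix}/bin/...` and `${pkgs.jq}/bin/jq`, or add them to the unit's `path` and use bare names throughout. The loop's side effect is easy to miss for a script named `get_jobs` that otherwise just prints JSON, so a comment above it such as `# register each host's builder as a profile under profileRoot, presumably so GC cannot collect it between runs` would help. The `getJobs` binding sits inside a `let` that continues outside the hunk.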
|
|
@ -14,6 +14,7 @@ let
|
||||||
./buildbot/master.nix
|
./buildbot/master.nix
|
||||||
./buildbot/slave.nix
|
./buildbot/slave.nix
|
||||||
./build.nix
|
./build.nix
|
||||||
|
./cachecache.nix
|
||||||
./charybdis.nix
|
./charybdis.nix
|
||||||
./ci.nix
|
./ci.nix
|
||||||
./current.nix
|
./current.nix
|
||||||
|
|
|
@ -38,11 +38,6 @@ let
|
||||||
'';
|
'';
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
maxTime = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 0;
|
|
||||||
description = "Time to wait before download is aborted";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
|
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
|
||||||
|
@ -51,8 +46,8 @@ let
|
||||||
mkdir -p ${cfg.stateDir}
|
mkdir -p ${cfg.stateDir}
|
||||||
chmod o+rx ${cfg.stateDir}
|
chmod o+rx ${cfg.stateDir}
|
||||||
cd ${cfg.stateDir}
|
cd ${cfg.stateDir}
|
||||||
(curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
|
(curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
|
||||||
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
|
feh --no-fehbg --bg-scale wallpaper
|
||||||
'';
|
'';
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
|
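Review bot: dropping `--max-time ${toString cfg.maxTime}` leaves `curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url}` without any upper bound, so a stalled connection keeps the fetchWallpaper script (and the unit running it, which is outside the hunk) hanging indefinitely. If the `maxTime` option removed in the first hunk is meant to go, a fixed `--max-time 30` (value constructed here) or a `TimeoutStartSec` on the unit keeps the run bounded; otherwise the option should stay. `feh --no-fehbg --bg-scale wallpaper` is fine as a relative path because of the `cd ${cfg.stateDir}` two lines above.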
|
|
@ -624,15 +624,16 @@ in {
|
||||||
"blog.makefu.r"
|
"blog.makefu.r"
|
||||||
"blog.gum.r"
|
"blog.gum.r"
|
||||||
"dcpp.gum.r"
|
"dcpp.gum.r"
|
||||||
|
"torrent.gum.r"
|
||||||
];
|
];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
|
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
|
||||||
aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
|
BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
|
||||||
npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
|
i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
|
||||||
6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
|
09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
|
||||||
3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
|
u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
|
||||||
VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
|
OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
|
||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||||
"rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
|
"rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
|
||||||
"date": "2018-11-04T19:36:25+01:00",
|
"date": "2018-11-24T00:40:22-05:00",
|
||||||
"sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
|
"sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
|
||||||
"fetchSubmodules": false
|
"fetchSubmodules": false
|
||||||
}
|
}
|
||||||
|
|
|
@ -110,7 +110,6 @@ with import <stockholm/lib>;
|
||||||
<stockholm/lass/2configs/iodined.nix>
|
<stockholm/lass/2configs/iodined.nix>
|
||||||
<stockholm/lass/2configs/paste.nix>
|
<stockholm/lass/2configs/paste.nix>
|
||||||
<stockholm/lass/2configs/syncthing.nix>
|
<stockholm/lass/2configs/syncthing.nix>
|
||||||
<stockholm/lass/2configs/reaktor-coders.nix>
|
|
||||||
<stockholm/lass/2configs/ciko.nix>
|
<stockholm/lass/2configs/ciko.nix>
|
||||||
<stockholm/lass/2configs/container-networking.nix>
|
<stockholm/lass/2configs/container-networking.nix>
|
||||||
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
|
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
|
||||||
|
|
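--- /dev/null
+++ b/lass/1systems/blue/source.nix
@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+{
+nixpkgs = lib.mkForce {
+file = toString (pkgs.fetchFromGitHub {
+owner = "nixos";
+repo = "nixpkgs";
+rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
+sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
+});
+};
+}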
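Review bot: `lib.importJSON ../../../krebs/nixpkgs.json` is evaluated twice, once for `rev` and once for `sha256`; reading it once with `let nixpkgsPin = lib.importJSON ../../../krebs/nixpkgs.json; in` and writing `inherit (nixpkgsPin) rev sha256;` inside the `fetchFromGitHub` call ties both fields to a single read. A one-line header comment such as `# pin this host's nixpkgs to the revision tracked in krebs/nixpkgs.json; mkForce overrides whatever the shared source sets` would explain the `lib.mkForce`, which is otherwise surprising in an 11-line file.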
|
@ -33,6 +33,7 @@ with import <stockholm/lib>;
|
||||||
<stockholm/lass/2configs/rtl-sdr.nix>
|
<stockholm/lass/2configs/rtl-sdr.nix>
|
||||||
<stockholm/lass/2configs/backup.nix>
|
<stockholm/lass/2configs/backup.nix>
|
||||||
<stockholm/lass/2configs/print.nix>
|
<stockholm/lass/2configs/print.nix>
|
||||||
|
<stockholm/lass/2configs/blue-host.nix>
|
||||||
{
|
{
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
#risk of rain
|
#risk of rain
|
||||||
|
|
|
@ -5,42 +5,35 @@ with import <stockholm/lib>;
|
||||||
<stockholm/lass>
|
<stockholm/lass>
|
||||||
|
|
||||||
<stockholm/lass/2configs/retiolum.nix>
|
<stockholm/lass/2configs/retiolum.nix>
|
||||||
#<stockholm/lass/2configs/exim-retiolum.nix>
|
|
||||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||||
|
<stockholm/lass/2configs/blue-host.nix>
|
||||||
{
|
{
|
||||||
# discordius config
|
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
|
services.xserver.desktopManager.xfce.enable = true;
|
||||||
|
|
||||||
users.users.discordius = {
|
users.users.discordius = {
|
||||||
uid = genid "discordius";
|
uid = genid "diskordius";
|
||||||
home = "/home/discordius";
|
isNormalUser = true;
|
||||||
group = "users";
|
|
||||||
createHome = true;
|
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"audio"
|
"audio"
|
||||||
"networkmanager"
|
"networkmanager"
|
||||||
];
|
];
|
||||||
useDefaultShell = true;
|
|
||||||
};
|
};
|
||||||
networking.networkmanager.enable = true;
|
environment.systemPackages = with pkgs; [
|
||||||
networking.wireless.enable = mkForce false;
|
google-chrome
|
||||||
|
];
|
||||||
hardware.pulseaudio = {
|
hardware.pulseaudio = {
|
||||||
enable = true;
|
enable = true;
|
||||||
systemWide = true;
|
systemWide = true;
|
||||||
};
|
};
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
pavucontrol
|
|
||||||
firefox
|
|
||||||
hexchat
|
|
||||||
networkmanagerapplet
|
|
||||||
];
|
|
||||||
services.xserver.desktopManager.gnome3 = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.skynet;
|
krebs.build.host = config.krebs.hosts.skynet;
|
||||||
|
|
||||||
|
networking.wireless.enable = false;
|
||||||
|
networking.networkmanager.enable = true;
|
||||||
|
|
||||||
services.logind.extraConfig = ''
|
services.logind.extraConfig = ''
|
||||||
HandleLidSwitch=ignore
|
HandleLidSwitch=ignore
|
||||||
'';
|
'';
|
||||||
|
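Review bot: `uid = genid "diskordius";` derives the uid from a different string than the account name `users.users.discordius` on the line above, and the removed side used `genid "discordius"`, so unless the spelling is deliberate the user silently gets a new uid and files owned by the old one are orphaned. If it is intentional, a comment such as `# uid seed intentionally differs from the account name; do not "fix"` should say so, otherwise the seed should match the name. `networking.wireless.enable = false;` also loses the `mkForce` the old line carried, which only matters if another imported module sets it to true.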
|
|
@ -1,10 +1,27 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./config.nix
|
./config.nix
|
||||||
<stockholm/lass/2configs/hw/x220.nix>
|
<stockholm/krebs/2configs/hw/x220.nix>
|
||||||
<stockholm/lass/2configs/boot/stock-x220.nix>
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.version = 2;
|
||||||
|
boot.loader.grub.efiSupport = true;
|
||||||
|
boot.loader.grub.efiInstallAsRemovable = true;
|
||||||
|
boot.loader.grub.device = "nodev";
|
||||||
|
|
||||||
|
networking.hostId = "06442b9a";
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "rpool/root";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/0876-B308";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
services.udev.extraRules = ''
|
services.udev.extraRules = ''
|
||||||
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
|
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
|
||||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
|
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
|
||||||
|
|
|
@ -20,7 +20,14 @@
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts.nix-serve = {
|
virtualHosts.nix-serve = {
|
||||||
serverAliases = [ "cache.prism.r" "cache.krebsco.de" "cache.lassul.us" ];
|
serverAliases = [ "cache.prism.r" ];
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
virtualHosts."cache.krebsco.de" = {
|
||||||
|
serverAliases = [ "cache.lassul.us" ];
|
||||||
|
enableACME = true;
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||||
'';
|
'';
|
||||||
|
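Review bot: `virtualHosts."cache.krebsco.de"` sets `enableACME = true;` but neither `addSSL` nor `forceSSL`, so as far as I recall the NixOS nginx module a certificate is obtained while no HTTPS listener is configured and the public cache keeps being served over plain HTTP. Adding `forceSSL = true;` (or `addSSL = true;` to keep port 80) next to `enableACME` would actually use the certificate. The `locations."/".extraConfig` proxy block is now written twice, once per vhost; binding it once in a `let` and reusing it keeps the two from drifting.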
|
|
@ -1,23 +1,114 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
|
let
|
||||||
|
all_hosts = [
|
||||||
|
"icarus"
|
||||||
|
"shodan"
|
||||||
|
"daedalus"
|
||||||
|
"skynet"
|
||||||
|
"prism"
|
||||||
|
];
|
||||||
|
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
|
||||||
|
|
||||||
{
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
<stockholm/lass/2configs/container-networking.nix>
|
<stockholm/lass/2configs/container-networking.nix>
|
||||||
];
|
{ #hack for already defined
|
||||||
systemd.services."container@blue".reloadIfChanged = mkForce false;
|
systemd.services."container@blue".reloadIfChanged = mkForce false;
|
||||||
|
systemd.services."container@blue".preStart = ''
|
||||||
|
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
|
||||||
|
'';
|
||||||
|
systemd.services."container@blue".preStop = ''
|
||||||
|
/run/wrappers/bin/fusermount -u /var/lib/containers/blue
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
system.activationScripts.containerPermissions = ''
|
||||||
|
mkdir -p /var/lib/containers
|
||||||
|
chmod 711 /var/lib/containers
|
||||||
|
'';
|
||||||
|
|
||||||
containers.blue = {
|
containers.blue = {
|
||||||
config = { ... }: {
|
config = { ... }: {
|
||||||
environment.systemPackages = [ pkgs.git ];
|
environment.systemPackages = [
|
||||||
|
pkgs.git
|
||||||
|
pkgs.rxvt_unicode.terminfo
|
||||||
|
];
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
autoStart = true;
|
autoStart = false;
|
||||||
enableTun = true;
|
enableTun = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "10.233.2.9";
|
hostAddress = "10.233.2.9";
|
||||||
localAddress = "10.233.2.10";
|
localAddress = "10.233.2.10";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
systemd.services = builtins.listToAttrs (map (host:
|
||||||
|
let
|
||||||
|
in nameValuePair "sync-blue-${host}" {
|
||||||
|
bindsTo = [ "container@blue.service" ];
|
||||||
|
wantedBy = [ "container@blue.service" ];
|
||||||
|
# ssh needed for rsync
|
||||||
|
path = [ pkgs.openssh ];
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = 10;
|
||||||
|
ExecStart = pkgs.writeDash "sync-blue-${host}" ''
|
||||||
|
set -efu
|
||||||
|
#make sure blue is running
|
||||||
|
/run/wrappers/bin/ping -c1 blue.r > /dev/null
|
||||||
|
|
||||||
|
#make sure the container is unlocked
|
||||||
|
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
|
||||||
|
|
||||||
|
#make sure our target is reachable
|
||||||
|
${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
|
||||||
|
|
||||||
|
#start sync
|
||||||
|
${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
|
||||||
|
settings {
|
||||||
|
nodaemon = true,
|
||||||
|
inotifyMode = "CloseWrite or Modify",
|
||||||
|
}
|
||||||
|
sync {
|
||||||
|
default.rsyncssh,
|
||||||
|
source = "/var/lib/containers/.blue",
|
||||||
|
host = "${host}.r",
|
||||||
|
targetdir = "/var/lib/containers/.blue",
|
||||||
|
rsync = {
|
||||||
|
owner = true,
|
||||||
|
group = true,
|
||||||
|
};
|
||||||
|
ssh = {
|
||||||
|
binary = "${pkgs.openssh}/bin/ssh";
|
||||||
|
identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
||||||
|
}
|
||||||
|
) remote_hosts);
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
(pkgs.writeDashBin "start-blue" ''
|
||||||
|
set -ef
|
||||||
|
if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
|
||||||
|
${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
|
||||||
|
fi
|
||||||
|
nixos-container start blue
|
||||||
|
nixos-container run blue -- nixos-rebuild -I /var/src dry-build
|
||||||
|
if ping -c1 blue.r >/dev/null; then
|
||||||
|
echo 'blue is already running. bailing out'
|
||||||
|
exit 23
|
||||||
|
fi
|
||||||
|
nixos-container run blue -- nixos-rebuild -I /var/src switch
|
||||||
|
'')
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
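Review bot: `if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then` in the `start-blue` script executes the substitution's empty output as the command and only works because a command line with no command word takes the status of the last substitution; the intended form is `if ! mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'; then`, which also lines up with the `grep -q` tests in `container@blue.preStart` and the sync service (those are case-sensitive, this one is not). The `if ping -c1 blue.r >/dev/null; then echo 'blue is already running. bailing out'; exit 23; fi` check runs only after `nixos-container start blue`, so presumably the freshly started local container can be what answers; if the check is meant to detect blue running on another host, it belongs before the start. In the lsyncd config, `binary = "${pkgs.openssh}/bin/ssh";` uses a semicolon where the neighbouring table fields use commas — valid Lua, but inconsistent.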
|
|
@ -92,6 +92,7 @@ with import <stockholm/lib>;
|
||||||
{ from = "ccc@lassul.us"; to = lass.mail; }
|
{ from = "ccc@lassul.us"; to = lass.mail; }
|
||||||
{ from = "neocron@lassul.us"; to = lass.mail; }
|
{ from = "neocron@lassul.us"; to = lass.mail; }
|
||||||
{ from = "osmocom@lassul.us"; to = lass.mail; }
|
{ from = "osmocom@lassul.us"; to = lass.mail; }
|
||||||
|
{ from = "lesswrong@lassul.us"; to = lass.mail; }
|
||||||
];
|
];
|
||||||
system-aliases = [
|
system-aliases = [
|
||||||
{ from = "mailer-daemon"; to = "postmaster"; }
|
{ from = "mailer-daemon"; to = "postmaster"; }
|
||||||
|
|
|
@ -7,7 +7,6 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
||||||
url = "prism/realwallpaper-krebs.png";
|
url = "prism/realwallpaper-krebs.png";
|
||||||
maxTime = 10;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,6 +31,7 @@ let
|
||||||
'';
|
'';
|
||||||
|
|
||||||
mailboxes = {
|
mailboxes = {
|
||||||
|
afra = [ "to:afra@afra-berlin.de" ];
|
||||||
c-base = [ "to:c-base.org" ];
|
c-base = [ "to:c-base.org" ];
|
||||||
coins = [
|
coins = [
|
||||||
"to:btce@lassul.us"
|
"to:btce@lassul.us"
|
||||||
|
@ -46,11 +47,14 @@ let
|
||||||
];
|
];
|
||||||
dezentrale = [ "to:dezentrale.space" ];
|
dezentrale = [ "to:dezentrale.space" ];
|
||||||
dhl = [ "to:dhl@lassul.us" ];
|
dhl = [ "to:dhl@lassul.us" ];
|
||||||
|
dn42 = [ "to:dn42@lists.nox.tf" ];
|
||||||
eloop = [ "to:eloop.org" ];
|
eloop = [ "to:eloop.org" ];
|
||||||
github = [ "to:github@lassul.us" ];
|
github = [ "to:github@lassul.us" ];
|
||||||
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
|
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
|
||||||
|
india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
|
||||||
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
|
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
|
||||||
lugs = [ "to:lugs@lug-s.org" ];
|
lugs = [ "to:lugs@lug-s.org" ];
|
||||||
|
meetup = [ "to:meetup@lassul.us" ];
|
||||||
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
|
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
|
||||||
patreon = [ "to:patreon@lassul.us" ];
|
patreon = [ "to:patreon@lassul.us" ];
|
||||||
paypal = [ "to:paypal@lassul.us" ];
|
paypal = [ "to:paypal@lassul.us" ];
|
||||||
|
|
|
@ -177,7 +177,8 @@
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
domain = "grafana.example.com";
|
domain = "grafana.example.com";
|
||||||
rootUrl = "https://grafana.example.com/";
|
rootUrl = "https://grafana.example.com/";
|
||||||
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
|
auth.anonymous.enable = true;
|
||||||
|
auth.anonymous.org_role = "Admin";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.logstash = {
|
services.logstash = {
|
||||||
|
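Review bot: `auth.anonymous.enable = true;` together with `auth.anonymous.org_role = "Admin";` grants every unauthenticated visitor organisation-admin rights, and the same hunk removes the `security = import <secrets/grafana_security.nix>;` line that set the admin credentials, so the instance bound to `addr = "0.0.0.0"` now runs with Grafana's default admin login and an anonymous Admin role. If anonymous access is wanted, `org_role = "Viewer"` is the usual choice, the `security` import should stay, and the listen address or firewall should limit who reaches the port. At minimum a comment such as `# anonymous Admin: only acceptable while the port is unreachable from outside the VPN — verify` should record the assumption next to these two lines.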
|
|
@ -60,10 +60,25 @@ in {
|
||||||
group = "radio";
|
group = "radio";
|
||||||
musicDirectory = "/home/radio/the_playlist/music";
|
musicDirectory = "/home/radio/the_playlist/music";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
audio_output {
|
||||||
|
type "shout"
|
||||||
|
encoding "lame"
|
||||||
|
name "the_playlist_mp3"
|
||||||
|
host "localhost"
|
||||||
|
port "8000"
|
||||||
|
mount "/radio.mp3"
|
||||||
|
password "${source-password}"
|
||||||
|
bitrate "128"
|
||||||
|
|
||||||
|
format "44100:16:2"
|
||||||
|
|
||||||
|
user "source"
|
||||||
|
genre "good music"
|
||||||
|
}
|
||||||
audio_output {
|
audio_output {
|
||||||
type "shout"
|
type "shout"
|
||||||
encoding "ogg"
|
encoding "ogg"
|
||||||
name "the_playlist"
|
name "the_playlist_ogg"
|
||||||
host "localhost"
|
host "localhost"
|
||||||
port "8000"
|
port "8000"
|
||||||
mount "/radio.ogg"
|
mount "/radio.ogg"
|
||||||
|
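Review bot: `password "${source-password}"` in the new mp3 `audio_output` block interpolates the icecast source password into `extraConfig`, and as far as I can tell the NixOS mpd module writes `extraConfig` into a generated mpd.conf in the world-readable Nix store, so the credential becomes readable by every local user. `source-password` is defined outside this hunk; if it is a plain Nix string rather than something substituted at runtime, an `include` of a root-owned file outside the store or a placeholder replaced in a preStart step would keep it out of `/nix/store`. The `name "the_playlist_ogg"` rename on the old-side block looks intentional given the new `the_playlist_mp3` sibling.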
|
|
@ -139,6 +139,13 @@ in {
|
||||||
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.xanf = {
|
||||||
|
uid = genid_uint31 "xanf";
|
||||||
|
home = "/home/xanf";
|
||||||
|
useDefaultShell = true;
|
||||||
|
createHome = true;
|
||||||
|
};
|
||||||
|
|
||||||
users.users.domsen = {
|
users.users.domsen = {
|
||||||
uid = genid_uint31 "domsen";
|
uid = genid_uint31 "domsen";
|
||||||
description = "maintenance acc for domsen";
|
description = "maintenance acc for domsen";
|
||||||
|
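Review bot: `users.users.xanf` gets `useDefaultShell`, `createHome` and a `home` path but neither `isNormalUser = true` nor an explicit `group`, so the account falls back to the module's default primary group and its home is created with that ownership. `isNormalUser = true;` covers home creation, the shell and a per-user group in one line. The neighbouring `domsen` account is declared the same way, so a follow-up could convert both rather than just this one.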
|
|
@ -5,6 +5,12 @@
|
||||||
pkgs
|
pkgs
|
||||||
;
|
;
|
||||||
|
|
||||||
|
host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
|
||||||
|
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
|
||||||
|
else
|
||||||
|
{}
|
||||||
|
;
|
||||||
|
|
||||||
source = { test }: lib.evalSource [
|
source = { test }: lib.evalSource [
|
||||||
krebs-source
|
krebs-source
|
||||||
{
|
{
|
||||||
|
@ -18,15 +24,24 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
host-source
|
||||||
];
|
];
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
|
||||||
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
|
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
|
||||||
source = source { test = false; };
|
source = source { test = false; };
|
||||||
inherit target;
|
inherit target;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
|
||||||
|
populate = { target, force ? false }: pkgs.populate {
|
||||||
|
inherit force;
|
||||||
|
source = source { test = false; };
|
||||||
|
target = lib.mkTarget target;
|
||||||
|
};
|
||||||
|
|
||||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
|
||||||
test = { target }: pkgs.krops.writeTest "${name}-test" {
|
test = { target }: pkgs.krops.writeTest "${name}-test" {
|
||||||
force = true;
|
force = true;
|
||||||
|
|
|
@ -63,9 +63,17 @@ in {
|
||||||
}
|
}
|
||||||
# <stockholm/makefu/2configs/syncthing.nix>
|
# <stockholm/makefu/2configs/syncthing.nix>
|
||||||
<stockholm/makefu/2configs/remote-build/slave.nix>
|
<stockholm/makefu/2configs/remote-build/slave.nix>
|
||||||
<stockholm/makefu/2configs/deployment/google-muell.nix>
|
# TODO:
|
||||||
|
# <stockholm/makefu/2configs/deployment/google-muell.nix>
|
||||||
<stockholm/makefu/2configs/virtualisation/docker.nix>
|
<stockholm/makefu/2configs/virtualisation/docker.nix>
|
||||||
<stockholm/makefu/2configs/bluetooth-mpd.nix>
|
<stockholm/makefu/2configs/bluetooth-mpd.nix>
|
||||||
|
|
||||||
|
{
|
||||||
|
# Risikoübernahme
|
||||||
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
|
"homeassistant-0.77.2"
|
||||||
|
];
|
||||||
|
}
|
||||||
<stockholm/makefu/2configs/deployment/homeautomation>
|
<stockholm/makefu/2configs/deployment/homeautomation>
|
||||||
{
|
{
|
||||||
makefu.ps3netsrv = {
|
makefu.ps3netsrv = {
|
||||||
|
@ -97,6 +105,7 @@ in {
|
||||||
|
|
||||||
];
|
];
|
||||||
makefu.full-populate = true;
|
makefu.full-populate = true;
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
|
krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
|
||||||
downloadDir = lib.mkForce "/media/cryptX/torrent";
|
downloadDir = lib.mkForce "/media/cryptX/torrent";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
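Review bot: `nixpkgs.config.permittedInsecurePackages = [ "homeassistant-0.77.2" ];` in the first hunk waives an insecurity marking with only `# Risikoübernahme` ("risk accepted") as justification; the comment should name what is being accepted and for how long, e.g. `# risk accepted: homeassistant-0.77.2 is marked insecure in nixpkgs; revisit on the next hass bump (TODO: link the advisory)`. The identical block is repeated verbatim in the next file section (`@ -45,7 +45,12 @@ in {`), so a small shared module under 2configs imported by both hosts would keep the waiver in one place and make withdrawing it a single change. `nixpkgs.config.allowUnfree = true;` in the second hunk is host-wide; if only one package needs it, `allowUnfreePredicate` scopes it to that package.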
|
|
@ -45,7 +45,12 @@ in {
|
||||||
# <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
|
# <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
|
||||||
{ environment.systemPackages = [ pkgs.vlc ]; }
|
{ environment.systemPackages = [ pkgs.vlc ]; }
|
||||||
|
|
||||||
|
{
|
||||||
|
# Risikoübernahme
|
||||||
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
|
"homeassistant-0.77.2"
|
||||||
|
];
|
||||||
|
}
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation>
|
<stockholm/makefu/2configs/deployment/bureautomation>
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
|
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
|
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
|
||||||
|
|
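--- /dev/null
+++ b/makefu/2configs/nginx/download.binaergewitter.de.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
+in {
+systemd.services.mirrorsync = {
+startAt = "08:00:00";
+path = with pkgs; [ rsync openssh ];
+script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
+};
+services.nginx = {
+enable = lib.mkDefault true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+virtualHosts."download.binaergewitter.de" = {
+serverAliases = [ "dl2.binaergewitter.de" ];
+root = "/var/www/binaergewitter";
+extraConfig = ''
+access_log /var/spool/nginx/logs/binaergewitter.access.log combined;
+error_log /var/spool/nginx/logs/binaergewitter.error.log error;
+autoindex on;
+'';
+};
+};
+}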
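Review bot: `rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter` relies on the remote host key already being in root's `known_hosts`; on a fresh host the non-interactive timer run fails at the host-key prompt, and a later key change becomes a silent trust decision. Pinning it through `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=<pinned-file>` in the `-e` string, placeholder path) makes the trust explicit. The unit runs as root with nothing beyond `startAt`; since it only needs to write `/var/www/binaergewitter`, a dedicated user plus `ProtectSystem`/`ProtectHome` in `serviceConfig` would confine it. `autoindex on;` publishes the full listing of the mirror, which is presumably intended for a download site but worth a comment saying so.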
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
"url": "https://github.com/makefu/nixpkgs",
|
"url": "https://github.com/makefu/nixpkgs",
|
||||||
"rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
|
"rev": "9728b2e83406c76efc734ebb1923f23b8e687819",
|
||||||
"date": "2018-09-18T02:20:45+02:00",
|
"date": "2018-11-19T20:36:35+01:00",
|
||||||
"sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
|
"sha256": "0nk75ldppjr6x04hgghgg9vanr1cw4k5xhg699d38g2rpxviz5bp",
|
||||||
"fetchSubmodules": false
|
"fetchSubmodules": false
|
||||||
}
|
}
|
||||||
|
|