Merge remote-tracking branch 'lass/master'
commit
d6c9edd9dc
|
@ -38,6 +38,11 @@ let
|
|||
'';
|
||||
default = {};
|
||||
};
|
||||
maxTime = mkOption {
|
||||
type = types.int;
|
||||
default = 0;
|
||||
description = "Time to wait before download is aborted";
|
||||
};
|
||||
};
|
||||
|
||||
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
|
||||
|
@ -45,7 +50,7 @@ let
|
|||
|
||||
mkdir -p ${shell.escape cfg.stateDir}
|
||||
cd ${shell.escape cfg.stateDir}
|
||||
(curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
|
||||
(curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
|
||||
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
|
||||
'';
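Review bot: The curl call in fetchWallpaperScript has no `--fail`, so an HTTP error response (a 404 or 5xx body) still exits 0 and the `&& mv wallpaper.tmp wallpaper` on the same line installs that body as the wallpaper; `curl --fail --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url}` keeps error pages out. The `maxTime` option added in the preceding hunk documents neither its unit nor what its default of 0 means, even though the value goes straight to curl's `--max-time`; a description such as `"Seconds to wait before the download is aborted (0: no limit)"` would be clearer, assuming 0 is meant as "no limit" — confirm against curl's treatment of a zero timeout before writing that. The heredoc ends at `'';` inside this hunk, but the enclosing `let` continues outside it.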
|
||||
|
||||
|
|
|
@ -93,6 +93,7 @@ with import <stockholm/lib>;
|
|||
"cgit.prism.retiolum"
|
||||
"cgit.prism.r"
|
||||
"cache.prism.r"
|
||||
"paste.r" "paste.retiolum"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
|
@ -119,7 +120,6 @@ with import <stockholm/lib>;
|
|||
ssh.port = 2223;
|
||||
};
|
||||
};
|
||||
ssh.pubkey = "ssh-dss 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";
|
||||
};
|
||||
cloudkrebs = {
|
||||
cores = 1;
|
||||
|
|
|
@ -313,7 +313,6 @@ with import <stockholm/lib>;
|
|||
"graphs.wry.retiolum"
|
||||
"graphs.r" "graphs.retiolum"
|
||||
"paste.wry.retiolum"
|
||||
"paste.r" "paste.retiolum"
|
||||
"wry.r" "wry.retiolum"
|
||||
"wiki.makefu.retiolum"
|
||||
"wiki.wry.retiolum"
|
||||
|
|
|
@ -31,13 +31,6 @@ with import <stockholm/lib>;
|
|||
];
|
||||
}
|
||||
#{
|
||||
# services.mysql = {
|
||||
# enable = true;
|
||||
# package = pkgs.mariadb;
|
||||
# rootPassword = "<secrets>/mysql_rootPassword";
|
||||
# };
|
||||
#}
|
||||
#{
|
||||
# services.elasticsearch = {
|
||||
# enable = true;
|
||||
# plugins = [
|
||||
|
@ -83,140 +76,56 @@ with import <stockholm/lib>;
|
|||
{
|
||||
services.redis.enable = true;
|
||||
}
|
||||
{
|
||||
virtualisation.libvirtd.enable = true;
|
||||
}
|
||||
{
|
||||
services.nginx = {
|
||||
enable = mkDefault true;
|
||||
virtualHosts = {
|
||||
"stats.mors" = {
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://localhost:3000/";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "127.0.0.1";
|
||||
users.allowSignUp = false;
|
||||
users.allowOrgCreate = false;
|
||||
users.autoAssignOrg = false;
|
||||
auth.anonymous.enable = true;
|
||||
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
|
||||
};
|
||||
|
||||
services.graphite = {
|
||||
api = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
port = 18080;
|
||||
};
|
||||
carbon = {
|
||||
enableCache = true;
|
||||
# save disk usage by restricting to 1 bulk update per second
|
||||
config = ''
|
||||
[cache]
|
||||
MAX_CACHE_SIZE = inf
|
||||
MAX_UPDATES_PER_SECOND = 1
|
||||
MAX_CREATES_PER_MINUTE = 500
|
||||
'';
|
||||
storageSchemas = ''
|
||||
[carbon]
|
||||
pattern = ^carbon\.
|
||||
retentions = 60:90d
|
||||
|
||||
[elchos]
|
||||
patterhn = ^elchos\.
|
||||
retentions = 10s:30d,60s:3y
|
||||
|
||||
[default]
|
||||
pattern = .*
|
||||
retentions = 30s:30d,300s:1y
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.collectd = {
|
||||
enable = true;
|
||||
include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
|
||||
LoadPlugin write_graphite
|
||||
<Plugin "write_graphite">
|
||||
<Carbon>
|
||||
Host "localhost"
|
||||
Port "2003"
|
||||
EscapeCharacter "_"
|
||||
StoreRates false
|
||||
AlwaysAppendDS false
|
||||
</Carbon>
|
||||
</Plugin>
|
||||
''))
|
||||
];
|
||||
extraConfig = ''
|
||||
LoadPlugin interface
|
||||
LoadPlugin battery
|
||||
LoadPlugin load
|
||||
LoadPlugin cpu
|
||||
LoadPlugin entropy
|
||||
LoadPlugin write_graphite
|
||||
<Plugin "interface">
|
||||
Interface "et0"
|
||||
Interface "wl0"
|
||||
Interface "retiolum"
|
||||
</Plugin>
|
||||
'';
|
||||
};
|
||||
services.graphite.beacon = {
|
||||
enable = true;
|
||||
config = {
|
||||
graphite_url = "http://localhost:18080";
|
||||
cli = {
|
||||
command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
|
||||
};
|
||||
smtp = {
|
||||
from = "beacon@mors.r";
|
||||
to = [
|
||||
"lass@mors.r"
|
||||
];
|
||||
};
|
||||
normal_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
warning_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
critical_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
alerts = [
|
||||
{
|
||||
name = "testbattery";
|
||||
query = "*.battery-0.capacity";
|
||||
method = "last_value";
|
||||
interval = "1minute";
|
||||
logging = "info";
|
||||
repeat_interval = "5minute";
|
||||
rules = [
|
||||
"warning: < 30.0"
|
||||
"critical: < 10.0"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
#{
|
||||
# #gitit magic
|
||||
# imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
|
||||
# services.gitit = {
|
||||
# enable = true;
|
||||
# haskellPackages = pkgs.haskell.packages.ghc7103;
|
||||
# };
|
||||
#}
|
||||
#{
|
||||
# lass.icinga2 = {
|
||||
# enable = true;
|
||||
# configFiles = [
|
||||
# ''
|
||||
# template Service "generic-service" {
|
||||
# max_check_attempts = 3
|
||||
# check_interval = 5m
|
||||
# retry_interval = 1m
|
||||
# enable_perfdata = true
|
||||
# }
|
||||
# apply Service "ping4" {
|
||||
# }
|
||||
# ''
|
||||
# ];
|
||||
# };
|
||||
# services.mysql = {
|
||||
# enable = true;
|
||||
# package = pkgs.mariadb;
|
||||
# rootPassword = "<secrets>/mysql_rootPassword";
|
||||
# };
|
||||
# lass.icingaweb2 = {
|
||||
# enable = true;
|
||||
# initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0";
|
||||
# resources = {
|
||||
# icinga2db = {
|
||||
# type = "mysql";
|
||||
# host = "localhost";
|
||||
# user = "icingaweb2";
|
||||
# db = "icinga";
|
||||
# passfile = <secrets/icinga2-pw>;
|
||||
# };
|
||||
# icingaweb2db = {
|
||||
# type = "mysql";
|
||||
# host = "localhost";
|
||||
# user = "icingaweb2";
|
||||
# db = "icingaweb2";
|
||||
# passfile = <secrets/icinga2-pw>;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
#}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.mors;
|
||||
|
@ -229,7 +138,6 @@ with import <stockholm/lib>;
|
|||
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
|
||||
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
|
||||
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
|
||||
#kernelModules = [ "kvm-intel" "msr" ];
|
||||
};
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
|
@ -266,11 +174,6 @@ with import <stockholm/lib>;
|
|||
fsType = "ext4";
|
||||
};
|
||||
|
||||
"/mnt/public" = {
|
||||
device = "/dev/big/public";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
"/mnt/conf" = {
|
||||
device = "/dev/big/conf";
|
||||
fsType = "ext4";
|
||||
|
|
|
@ -43,6 +43,17 @@ in {
|
|||
../2configs/libvirt.nix
|
||||
../2configs/hfos.nix
|
||||
../2configs/makefu-sip.nix
|
||||
../2configs/monitoring/server.nix
|
||||
{
|
||||
imports = [
|
||||
../2configs/bepasty.nix
|
||||
];
|
||||
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
|
||||
if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
|
||||
return 403;
|
||||
}
|
||||
'';
|
||||
}
|
||||
{
|
||||
users.extraGroups = {
|
||||
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
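Review bot: The nginx guard added for the `paste.r` bepasty server is a deny-list keyed on one IPv4 address (`$server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}"`), so any other address the host answers on — an IPv6 address on the internet interface, a second public IP, or a proxy in front of nginx — reaches the vhost that bepasty.nix on this page grants `admin,list,create,read,delete` to without authentication. An allow-list fails closed instead: `if ( $server_addr != "<retiolum-addr>" ) { return 403; }`, where the placeholder is the retiolum counterpart of `nets.internet.ip4.addr` if the host defines one; better still, restrict the vhost's `listen` to the retiolum address so the admin-capable site is never bound to the public interface. A one-line comment above the rule naming the intent ("paste.r is retiolum-only; ext-dom is the public face") would also help, since the two vhosts differ only in permissions. The enclosing `imports` list starts before this hunk.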
|
||||
|
@ -202,20 +213,6 @@ in {
|
|||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.public = {
|
||||
port = 8088;
|
||||
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
||||
alias /home/$1/public_html$2;
|
||||
'';
|
||||
};
|
||||
};
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
krebs.repo-sync.timerConfig = {
|
||||
OnCalendar = "*:0/5";
|
||||
|
@ -227,6 +224,7 @@ in {
|
|||
};
|
||||
}
|
||||
{
|
||||
# Nin stuff
|
||||
users.users.nin = {
|
||||
uid = genid "nin";
|
||||
inherit (config.krebs.users.nin) home;
|
||||
|
@ -240,18 +238,6 @@ in {
|
|||
"libvirtd"
|
||||
];
|
||||
};
|
||||
krebs.git.rules = [
|
||||
{
|
||||
user = [ config.krebs.users.nin ];
|
||||
repo = [ config.krebs.git.repos.stockholm ];
|
||||
perm = with git; push "refs/heads/nin" [ fast-forward non-fast-forward create delete merge ];
|
||||
}
|
||||
];
|
||||
krebs.repo-sync.repos.stockholm.nin = {
|
||||
origin.url = "http://cgit.prism/stockholm";
|
||||
origin.ref = "heads/nin";
|
||||
mirror.url = "git@${config.networking.hostName}:stockholm";
|
||||
};
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
|
||||
];
|
||||
|
@ -272,7 +258,6 @@ in {
|
|||
-XFlexibleInstances -XMultiParamTypeClasses \
|
||||
-XOverloadedStrings -XFunctionalDependencies \'';
|
||||
in [
|
||||
sed-plugin
|
||||
url-title
|
||||
(buildSimpleReaktorPlugin "lambdabot-pl" {
|
||||
pattern = "^@pl (?P<args>.*)$$";
|
||||
|
@ -327,16 +312,16 @@ in {
|
|||
script = pkgs.writePython2 "rup" ''
|
||||
#!${pkgs.python2}/bin/python
|
||||
t1 = """
|
||||
_.
|
||||
;=',_ ()
|
||||
8===D~~ S" .--`||
|
||||
sS \__ ||
|
||||
__.' ( \-->||
|
||||
_=/ _./-\/ ||
|
||||
8===D~~ ((\( /-' -'l ||
|
||||
) |/ \\ (_))
|
||||
\\ \\
|
||||
'~ '~
|
||||
_.
|
||||
;=',_ ()
|
||||
8===D~~ S" .--`||
|
||||
sS \__ ||
|
||||
__.' ( \-->||
|
||||
_=/ _./-\/ ||
|
||||
8===D~~ ((\( /-' -'l ||
|
||||
) |/ \\ (_))
|
||||
\\ \\
|
||||
'~ '~
|
||||
"""
|
||||
print(t1)
|
||||
'';
|
||||
|
|
40
lass/2configs/bepasty.nix
Normal file
40
lass/2configs/bepasty.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
{ config, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
|
||||
# secrets used:
|
||||
# wildcard.krebsco.de.crt
|
||||
# wildcard.krebsco.de.key
|
||||
# bepasty-secret.nix <- contains single string
|
||||
|
||||
with import <stockholm/lib>;
|
||||
let
|
||||
secKey = import <secrets/bepasty-secret.nix>;
|
||||
ext-dom = "paste.lassul.us" ;
|
||||
in {
|
||||
|
||||
services.nginx.enable = mkDefault true;
|
||||
krebs.bepasty = {
|
||||
enable = true;
|
||||
serveNginx= true;
|
||||
|
||||
servers = {
|
||||
"paste.r" = {
|
||||
nginx = {
|
||||
serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
|
||||
};
|
||||
defaultPermissions = "admin,list,create,read,delete";
|
||||
secretKey = secKey;
|
||||
};
|
||||
|
||||
"${ext-dom}" = {
|
||||
nginx = {
|
||||
enableSSL = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
defaultPermissions = "read";
|
||||
secretKey = secKey;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
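Review bot: The `"paste.r"` server sets `defaultPermissions = "admin,list,create,read,delete"`, which gives every unauthenticated client of that vhost administrative rights; the only thing separating it from the internet is the `$server_addr` rule in the host config hunk that imports `../2configs/bepasty.nix`, so a comment above the line stating that this is deliberate for retiolum-only access and depends on that rule would stop the next reader from treating it as a mistake. `with import <stockholm/lib>;` appears twice (once before the `# secrets used:` comment and again before `let`); one is enough. `serveNginx= true;` is missing the space before `=` that the rest of the file uses. `secretKey = secKey` is read from `<secrets/bepasty-secret.nix>` at evaluation time; whether the value lands in a world-readable store path depends on how krebs.bepasty writes its config — worth checking, and noting in the `# secrets used:` header either way.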
|
|
@ -58,6 +58,11 @@ in {
|
|||
"NIX_REMOTE": "daemon",
|
||||
"dummy_secrets": "true",
|
||||
}
|
||||
env_nin = {
|
||||
"LOGNAME": "nin",
|
||||
"NIX_REMOTE": "daemon",
|
||||
"dummy_secrets": "true",
|
||||
}
|
||||
env_shared = {
|
||||
"LOGNAME": "shared",
|
||||
"NIX_REMOTE": "daemon",
|
||||
|
@ -126,6 +131,18 @@ in {
|
|||
]
|
||||
)
|
||||
|
||||
for i in [ "hiawatha", "onondaga" ]:
|
||||
addShell(f,name="build-{}".format(i),env=env_nin,
|
||||
command=nixshell + \
|
||||
["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
|
||||
make \
|
||||
test \
|
||||
target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
|
||||
method=build \
|
||||
system={}".format(i)
|
||||
]
|
||||
)
|
||||
|
||||
bu.append(
|
||||
util.BuilderConfig(
|
||||
name="build-hosts",
|
||||
|
|
|
@ -9,6 +9,7 @@ with import <stockholm/lib>;
|
|||
../2configs/mc.nix
|
||||
../2configs/nixpkgs.nix
|
||||
../2configs/vim.nix
|
||||
../2configs/monitoring/client.nix
|
||||
./backups.nix
|
||||
{
|
||||
users.extraUsers =
|
||||
|
@ -98,7 +99,6 @@ with import <stockholm/lib>;
|
|||
# multiple-definition-problem when defining environment.variables.EDITOR
|
||||
environment.extraInit = ''
|
||||
EDITOR=vim
|
||||
MANPAGER=most
|
||||
'';
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
|
|
@ -16,6 +16,7 @@ with import <stockholm/lib>;
|
|||
lass.pubkey
|
||||
lass-shodan.pubkey
|
||||
lass-helios.pubkey
|
||||
lass-icarus.pubkey
|
||||
makefu.pubkey
|
||||
];
|
||||
};
|
||||
|
|
|
@ -7,6 +7,7 @@ in {
|
|||
enable = true;
|
||||
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
|
||||
url = "prism/wallpaper.png";
|
||||
maxTime = 10;
|
||||
};
|
||||
systemd.services.fetchWallpaper = {
|
||||
after = [ "xmonad.service" ];
|
||||
|
|
|
@ -57,7 +57,7 @@ let
|
|||
server = "ni.r";
|
||||
verbose = config.krebs.build.host.name == "prism";
|
||||
# TODO define branches in some kind of option per repo
|
||||
branches = [ "master" "newest" "nin" ];
|
||||
branches = [ "master" "newest" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -47,12 +47,5 @@ with import <stockholm/lib>;
|
|||
pkgs.vaapiVdpau
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
videoDriver = "intel";
|
||||
deviceSection = ''
|
||||
Option "AccelMethod" "sna"
|
||||
'';
|
||||
};
|
||||
|
||||
security.rngd.enable = true;
|
||||
}
|
||||
|
|
94
lass/2configs/monitoring/client.nix
Normal file
94
lass/2configs/monitoring/client.nix
Normal file
|
@ -0,0 +1,94 @@
|
|||
{pkgs, config, ...}:
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
lass.telegraf = {
|
||||
enable = true;
|
||||
interval = "1s";
|
||||
|
||||
|
||||
outputs = ''
|
||||
[outputs.influxdb]
|
||||
urls = ["http://prism:8086"]
|
||||
database = "telegraf_db"
|
||||
user_agent = "telegraf"
|
||||
'';
|
||||
inputs = [
|
||||
''
|
||||
[cpu]
|
||||
percpu = false
|
||||
totalcpu = true
|
||||
drop = ["cpu_time"]
|
||||
''
|
||||
''
|
||||
[[inputs.mem]]
|
||||
''
|
||||
''
|
||||
[[inputs.ping]]
|
||||
urls = ["8.8.8.8"]
|
||||
''
|
||||
''
|
||||
[[inputs.net]]
|
||||
''
|
||||
''
|
||||
[[inputs.dns_query]]
|
||||
servers = ["8.8.8.8"]
|
||||
''
|
||||
];
|
||||
};
|
||||
systemd.services.telegraf.path = with pkgs; [
|
||||
iputils
|
||||
lm_sensors
|
||||
];
|
||||
|
||||
services.collectd = {
|
||||
enable = true;
|
||||
autoLoadPlugin = true;
|
||||
extraConfig = ''
|
||||
Hostname ${config.krebs.build.host.name}
|
||||
LoadPlugin load
|
||||
LoadPlugin disk
|
||||
LoadPlugin memory
|
||||
Interval 30.0
|
||||
|
||||
LoadPlugin interface
|
||||
<Plugin "interface">
|
||||
Interface "*Link"
|
||||
Interface "lo"
|
||||
Interface "vboxnet*"
|
||||
Interface "virbr*"
|
||||
IgnoreSelected true
|
||||
</Plugin>
|
||||
|
||||
LoadPlugin df
|
||||
<Plugin "df">
|
||||
MountPoint "/nix/store"
|
||||
FSType "tmpfs"
|
||||
FSType "binfmt_misc"
|
||||
FSType "debugfs"
|
||||
FSType "mqueue"
|
||||
FSType "hugetlbfs"
|
||||
FSType "systemd-1"
|
||||
FSType "cgroup"
|
||||
FSType "securityfs"
|
||||
FSType "ramfs"
|
||||
FSType "proc"
|
||||
FSType "devpts"
|
||||
FSType "devtmpfs"
|
||||
MountPoint "/var/lib/docker/devicemapper"
|
||||
IgnoreSelected true
|
||||
</Plugin>
|
||||
|
||||
LoadPlugin cpu
|
||||
<Plugin cpu>
|
||||
ReportByCpu true
|
||||
ReportByState true
|
||||
ValuesPercentage true
|
||||
</Plugin>
|
||||
|
||||
LoadPlugin network
|
||||
<Plugin "network">
|
||||
Server "prism" "25826"
|
||||
</Plugin>
|
||||
'';
|
||||
};
|
||||
}
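Review bot: With `interval = "1s"`, the `[[inputs.ping]]` and `[[inputs.dns_query]]` inputs send an ICMP echo and a DNS query to `8.8.8.8` from every client host once a second, which is a steady beacon of each host's uptime to an external party and a lot of probe traffic for little monitoring value; a longer interval for those two inputs, or an internal target such as the influx host, would be the conservative choice. The InfluxDB output at `http://prism:8086` is plain HTTP with no credentials, so anyone who can reach that port (every retiolum host, given the server-side iptables rule on this page) can write into `telegraf_db`; this matches the server config, but a comment stating the trust assumption would make it visible. The `[cpu]` input header differs from the `[[inputs.mem]]` form used for the other inputs in the same list; if the packaged telegraf only honours `[[inputs.cpu]]`, the cpu input is silently ignored — verify against the version in use.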
|
66
lass/2configs/monitoring/server.nix
Normal file
66
lass/2configs/monitoring/server.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{pkgs, config, ...}:
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
services.influxdb = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
services.influxdb.extraConfig = {
|
||||
meta.hostname = config.krebs.build.host.name;
|
||||
# meta.logging-enabled = true;
|
||||
http.bind-address = ":8086";
|
||||
admin.bind-address = ":8083";
|
||||
monitoring = {
|
||||
enabled = false;
|
||||
# write-interval = "24h";
|
||||
};
|
||||
collectd = [{
|
||||
enabled = true;
|
||||
typesdb = "${pkgs.collectd}/share/collectd/types.db";
|
||||
database = "collectd_db";
|
||||
port = 25826;
|
||||
}];
|
||||
};
|
||||
|
||||
lass.kapacitor =
|
||||
let
|
||||
echoToIrc = pkgs.writeDash "echo_irc" ''
|
||||
set -euf
|
||||
data="$(${pkgs.jq}/bin/jq -r .message)"
|
||||
export LOGNAME=prism-alarm
|
||||
${pkgs.irc-announce}/bin/irc-announce \
|
||||
irc.freenode.org 6667 prism-alarm \#krebs-bots "$data" >/dev/null
|
||||
'';
|
||||
in {
|
||||
enable = true;
|
||||
alarms = {
|
||||
test2 = ''
|
||||
batch
|
||||
|query(${"'''"}
|
||||
SELECT mean("usage_user") AS mean
|
||||
FROM "${config.lass.kapacitor.check_db}"."default"."cpu"
|
||||
${"'''"})
|
||||
.every(3m)
|
||||
.period(1m)
|
||||
.groupBy('host')
|
||||
|alert()
|
||||
.crit(lambda: "mean" > 90)
|
||||
// Whenever we get an alert write it to a file.
|
||||
.log('/tmp/alerts.log')
|
||||
.exec('${echoToIrc}')
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
|
||||
{ predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
|
||||
];
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "0.0.0.0";
|
||||
auth.anonymous.enable = true;
|
||||
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
|
||||
};
|
||||
}
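Review bot: Grafana is bound to `addr = "0.0.0.0"` with `auth.anonymous.enable = true`, and InfluxDB's `http.bind-address`/`admin.bind-address` are `:8086`/`:8083`, so the only thing keeping these off the public interface is the `-i retiolum` iptables rules in this file — and port 8083 has no rule at all, so it relies entirely on the INPUT chain's default policy being DROP; binding each service to the retiolum address would not depend on that. The collectd listener on udp/25826 and the InfluxDB HTTP API accept writes from any retiolum host without authentication, which is a defensible choice for this network but deserves a comment next to the iptables rules. `security = import <secrets/grafana_security.nix>` evaluates the admin credentials into the NixOS configuration; the NixOS grafana module has historically warned that `security.adminPassword` ends up in a world-readable store path, so confirm this is acceptable or that the module in use supports a file-based secret. The `.log('/tmp/alerts.log')` target in the `test2` alarm writes into a world-writable directory; a service-owned directory would be safer.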
|
|
@ -3,6 +3,6 @@
|
|||
{
|
||||
krebs.build.source.nixpkgs.git = {
|
||||
url = https://github.com/nixos/nixpkgs;
|
||||
ref = "39098270855c171f0824c09d071b606ae991ff87";
|
||||
ref = "5fff5a902594b34471b613eb2babcec923e1e1f1";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -44,6 +44,10 @@ let
|
|||
origin.url = "http://cgit.ni.r/${name}";
|
||||
mirror.url = "${mirror}${name}";
|
||||
};
|
||||
nin = {
|
||||
origin.url = "http://cgit.onondaga.r/${name}";
|
||||
mirror.url = "${mirror}${name}";
|
||||
};
|
||||
lassulus = {
|
||||
origin.url = "http://cgit.prism/${name}";
|
||||
mirror.url = "${mirror}${name}";
|
||||
|
|
1
lass/2configs/tests/dummy-secrets/bepasty-secret.nix
Normal file
1
lass/2configs/tests/dummy-secrets/bepasty-secret.nix
Normal file
|
@ -0,0 +1 @@
|
|||
"bla"
|
|
@ -66,6 +66,7 @@ in {
|
|||
"karlaskop.ubikmedia.de"
|
||||
"nb.ubikmedia.de"
|
||||
"youthtube.ubikmedia.de"
|
||||
"joemisch.com"
|
||||
])
|
||||
];
|
||||
|
||||
|
|
|
@ -21,6 +21,14 @@ let
|
|||
type = types.str;
|
||||
default = "kapacitor";
|
||||
};
|
||||
alarms = mkOption {
|
||||
type = with types; attrsOf str;
|
||||
default = {};
|
||||
};
|
||||
check_db = mkOption {
|
||||
type = types.str;
|
||||
default = "all_data";
|
||||
};
|
||||
config = mkOption {
|
||||
type = types.str;
|
||||
#TODO: find a good default
|
||||
|
@ -74,115 +82,7 @@ let
|
|||
|
||||
[logging]
|
||||
file = "STDERR"
|
||||
level = "INFO"
|
||||
|
||||
[collectd]
|
||||
enabled = false
|
||||
bind-address = ":25826"
|
||||
database = "collectd"
|
||||
retention-policy = ""
|
||||
batch-size = 5000
|
||||
batch-pending = 10
|
||||
batch-timeout = "10s"
|
||||
read-buffer = 0
|
||||
typesdb = "/usr/share/collectd/types.db"
|
||||
|
||||
[opentsdb]
|
||||
enabled = false
|
||||
bind-address = ":4242"
|
||||
database = "opentsdb"
|
||||
retention-policy = ""
|
||||
consistency-level = "one"
|
||||
tls-enabled = false
|
||||
certificate = "/etc/ssl/influxdb.pem"
|
||||
batch-size = 1000
|
||||
batch-pending = 5
|
||||
batch-timeout = "1s"
|
||||
log-point-errors = true
|
||||
|
||||
[smtp]
|
||||
enabled = false
|
||||
host = "localhost"
|
||||
port = 25
|
||||
username = ""
|
||||
password = ""
|
||||
no-verify = false
|
||||
global = false
|
||||
state-changes-only = false
|
||||
from = ""
|
||||
idle-timeout = "30s"
|
||||
|
||||
[opsgenie]
|
||||
enabled = false
|
||||
api-key = ""
|
||||
url = "https://api.opsgenie.com/v1/json/alert"
|
||||
recovery_url = "https://api.opsgenie.com/v1/json/alert/note"
|
||||
global = false
|
||||
|
||||
[victorops]
|
||||
enabled = false
|
||||
api-key = ""
|
||||
routing-key = ""
|
||||
url = "https://alert.victorops.com/integrations/generic/20131114/alert"
|
||||
global = false
|
||||
|
||||
[pagerduty]
|
||||
enabled = false
|
||||
url = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
|
||||
service-key = ""
|
||||
global = false
|
||||
|
||||
[sensu]
|
||||
enabled = false
|
||||
addr = ""
|
||||
source = "Kapacitor"
|
||||
|
||||
[slack]
|
||||
enabled = false
|
||||
url = ""
|
||||
channel = ""
|
||||
global = false
|
||||
state-changes-only = false
|
||||
|
||||
[telegram]
|
||||
enabled = false
|
||||
url = "https://api.telegram.org/bot"
|
||||
token = ""
|
||||
chat-id = ""
|
||||
parse-mode = ""
|
||||
disable-web-page-preview = false
|
||||
disable-notification = false
|
||||
global = false
|
||||
state-changes-only = false
|
||||
|
||||
[hipchat]
|
||||
enabled = false
|
||||
url = ""
|
||||
token = ""
|
||||
room = ""
|
||||
global = false
|
||||
state-changes-only = false
|
||||
|
||||
[alerta]
|
||||
enabled = false
|
||||
url = ""
|
||||
token = ""
|
||||
environment = ""
|
||||
origin = ""
|
||||
|
||||
[reporting]
|
||||
enabled = true
|
||||
url = "https://usage.influxdata.com"
|
||||
|
||||
[stats]
|
||||
enabled = true
|
||||
stats-interval = "10s"
|
||||
database = "_kapacitor"
|
||||
retention-policy = "autogen"
|
||||
timing-sample-rate = 0.1
|
||||
timing-movavg-size = 1000
|
||||
|
||||
[udf]
|
||||
level = "DEBUG"
|
||||
|
||||
[deadman]
|
||||
interval = "10s"
|
||||
|
@ -190,11 +90,6 @@ let
|
|||
id = "{{ .Group }}:NODE_NAME for task '{{ .TaskName }}'"
|
||||
message = "{{ .ID }} is {{ if eq .Level \"OK\" }}alive{{ else }}dead{{ end }}: {{ index .Fields \"emitted\" | printf \"%0.3f\" }} points/INTERVAL."
|
||||
global = false
|
||||
|
||||
[talk]
|
||||
enabled = false
|
||||
url = ""
|
||||
author_name = ""
|
||||
'';
|
||||
description = "configuration kapacitor is started with";
|
||||
};
|
||||
|
@ -216,6 +111,29 @@ let
|
|||
ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kapacitor-alarms = {
|
||||
description = "kapacitor-alarms";
|
||||
after = [ "kapacitor.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
restartIfChanged = true;
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = pkgs.writeDash "add_alarms" ''
|
||||
${pkgs.kapacitor}/bin/kapacitor delete tasks \*
|
||||
${concatStrings (mapAttrsToList (name: alarm: ''
|
||||
${pkgs.kapacitor}/bin/kapacitor define ${name} \
|
||||
-type batch \
|
||||
-tick ${pkgs.writeText "${name}.tick" alarm} \
|
||||
-dbrp ${cfg.check_db}.default
|
||||
${pkgs.kapacitor}/bin/kapacitor enable ${name}
|
||||
'') cfg.alarms)}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
in out
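Review bot: The `add_alarms` script runs without `set -efu`, so a failing `kapacitor define` or `enable` for one alarm is ignored and the oneshot unit still reports success, after `kapacitor delete tasks \*` has already removed the previous tasks — alarms can vanish silently; `set -efu` as the first line of the `writeDash` body fixes that. Each `${name}` is spliced into the shell command unquoted; the names come from `cfg.alarms` attribute keys so this is a configuration error rather than an injection today, but `${shell.escape name}` (as fetchWallpaperScript on this page does) costs nothing. `pkgs.writeText "${name}.tick" alarm` places every alarm body in the Nix store, so a TICKscript that carries credentials becomes world-readable; a sentence to that effect on the `alarms` option would help. The `delete tasks \*` also wipes tasks defined by hand, which is fine for a declarative setup but belongs in the unit's `description`.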
|
||||
|
|
|
@ -21,26 +21,43 @@ let
|
|||
type = types.str;
|
||||
default = "telegraf";
|
||||
};
|
||||
outputs = mkOption {
|
||||
type = types.str;
|
||||
default = ''
|
||||
[outputs.influxdb]
|
||||
urls = ["http://localhost:8086"]
|
||||
database = "telegraf_db"
|
||||
user_agent = "telegraf"
|
||||
'';
|
||||
};
|
||||
inputs = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [
|
||||
''
|
||||
[cpu]
|
||||
percpu = false
|
||||
totalcpu = true
|
||||
drop = ["cpu_time"]
|
||||
''
|
||||
];
|
||||
};
|
||||
interval = mkOption {
|
||||
type = types.str;
|
||||
default = "10s";
|
||||
};
|
||||
config = mkOption {
|
||||
type = types.str;
|
||||
#TODO: find a good default
|
||||
default = ''
|
||||
[agent]
|
||||
interval = "1s"
|
||||
interval = "${cfg.interval}"
|
||||
|
||||
[outputs]
|
||||
|
||||
# Configuration to send data to InfluxDB.
|
||||
[outputs.influxdb]
|
||||
urls = ["http://localhost:8086"]
|
||||
database = "kapacitor_example"
|
||||
user_agent = "telegraf"
|
||||
${cfg.outputs}
|
||||
|
||||
${concatStringsSep "\n" cfg.inputs}
|
||||
|
||||
# Collect metrics about cpu usage
|
||||
[cpu]
|
||||
percpu = false
|
||||
totalcpu = true
|
||||
drop = ["cpu_time"]
|
||||
'';
|
||||
description = "configuration telegraf is started with";
|
||||
};
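Review bot: The new `outputs`, `inputs` and `interval` options carry no `description`, unlike the `config` option below them, so `nixos-option` and the module docs show nothing for them; one line each, e.g. `description = "duration string passed to telegraf's [agent] interval";`, would do. The `inputs` default uses the `[cpu]` table header while the client config in this same commit mixes that with `[[inputs.mem]]`; if the packaged telegraf only honours the `[[inputs.*]]` form, the cpu default is dead config — verify against the version in use. `interval` is a free-form `types.str` that is interpolated verbatim into the TOML; that is acceptable, but the description should say it must be a telegraf duration string so that a bare number is not passed through unchecked.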
|
||||
|
|
|
@ -11,6 +11,7 @@ with lib;
|
|||
../.
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
../2configs/retiolum.nix
|
||||
../2configs/git.nix
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.hiawatha;
|
||||
|
@ -76,15 +77,13 @@ with lib;
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
firefox
|
||||
git
|
||||
networkmanagerapplet
|
||||
python
|
||||
steam
|
||||
thunderbird
|
||||
vim
|
||||
git
|
||||
hexchat
|
||||
networkmanagerapplet
|
||||
python
|
||||
virtmanager
|
||||
libvirt
|
||||
];
|
||||
|
||||
nixpkgs.config = {
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
||||
../2configs/retiolum.nix
|
||||
../2configs/weechat.nix
|
||||
../2configs/git.nix
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.onondaga;
|
||||
|
|
|
@ -46,6 +46,12 @@ with import <stockholm/lib>;
|
|||
SSL_CERT_FILE = ca-bundle;
|
||||
};
|
||||
})
|
||||
{
|
||||
nix = {
|
||||
binaryCaches = ["http://cache.prism.r"];
|
||||
binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
networking.hostName = config.krebs.build.host.name;
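Review bot: `nix.binaryCaches = ["http://cache.prism.r"]` fetches substitutes over plain HTTP from a retiolum host; integrity then rests entirely on the signature check against `binaryCachePublicKeys`, so this is only safe while `nix.requireSignedBinaryCaches` stays at its default of true — a short comment next to the two lines saying so would stop someone from disabling it to silence a signature error. Setting `binaryCaches` replaces the default substituter list rather than extending it (assuming the option's usual semantics), so this host no longer falls back to cache.nixos.org; if that is intended, say so in a comment, otherwise `["http://cache.prism.r" "https://cache.nixos.org"]` keeps both. The surrounding module list starts before this hunk.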
|
||||
|
@ -58,7 +64,10 @@ with import <stockholm/lib>;
|
|||
user = config.krebs.users.nin;
|
||||
source = let inherit (config.krebs.build) host; in {
|
||||
nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
|
||||
secrets.file = "/home/nin/secrets/${host.name}";
|
||||
secrets.file =
|
||||
if getEnv "dummy_secrets" == "true"
|
||||
then toString <stockholm/nin/6tests/dummysecrets>
|
||||
else "/home/nin/secrets/${host.name}";
|
||||
stockholm.file = getEnv "PWD";
|
||||
};
|
||||
};
|
||||
|
@ -82,11 +91,14 @@ with import <stockholm/lib>;
|
|||
# multiple-definition-problem when defining environment.variables.EDITOR
|
||||
environment.extraInit = ''
|
||||
EDITOR=vim
|
||||
MANPAGER=most
|
||||
'';
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
environment.shellAliases = {
|
||||
gs = "git status";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
#stockholm
|
||||
git
|
||||
|
@ -95,6 +107,7 @@ with import <stockholm/lib>;
|
|||
proot
|
||||
populate
|
||||
p7zip
|
||||
termite
|
||||
unzip
|
||||
unrar
|
||||
hashPassword
|
||||
|
|
70
nin/2configs/git.nix
Normal file
70
nin/2configs/git.nix
Normal file
|
@ -0,0 +1,70 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
|
||||
let
|
||||
|
||||
out = {
|
||||
krebs.git = {
|
||||
enable = true;
|
||||
cgit = {
|
||||
settings = {
|
||||
root-title = "public repositories at ${config.krebs.build.host.name}";
|
||||
root-desc = "keep calm and engage";
|
||||
};
|
||||
};
|
||||
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
|
||||
rules = rules;
|
||||
};
|
||||
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
|
||||
repos = public-repos;
|
||||
|
||||
rules = concatMap make-rules (attrValues repos);
|
||||
|
||||
public-repos = mapAttrs make-public-repo {
|
||||
stockholm = {
|
||||
cgit.desc = "take all the computers hostage, they'll love you!";
|
||||
};
|
||||
};
|
||||
|
||||
make-public-repo = name: { cgit ? {}, ... }: {
|
||||
inherit cgit name;
|
||||
public = true;
|
||||
hooks = {
|
||||
post-receive = pkgs.git-hooks.irc-announce {
|
||||
# TODO make nick = config.krebs.build.host.name the default
|
||||
nick = config.krebs.build.host.name;
|
||||
channel = "#retiolum";
|
||||
server = "ni.r";
|
||||
verbose = config.krebs.build.host.name == "onondaga";
|
||||
# TODO define branches in some kind of option per repo
|
||||
branches = [ "master" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
make-rules =
|
||||
with git // config.krebs.users;
|
||||
repo:
|
||||
singleton {
|
||||
user = [ nin ];
|
||||
repo = [ repo ];
|
||||
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||
} ++
|
||||
optional repo.public {
|
||||
user = attrValues config.krebs.users;
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
} ++
|
||||
optional (length (repo.collaborators or []) > 0) {
|
||||
user = repo.collaborators;
|
||||
repo = [ repo ];
|
||||
perm = fetch;
|
||||
};
|
||||
|
||||
in out
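Review bot: `make-rules` grants nin `push "refs/*" [ non-fast-forward create delete merge ]` without `fast-forward`, whereas the rule for nin in the host config hunk on this page lists `[ fast-forward non-fast-forward create delete merge ]`; if the krebs.git module treats fast-forward as its own permission, ordinary fast-forward pushes to this host would be rejected — align the two lists or confirm the module's semantics. `with git // config.krebs.users;` merges two attribute sets into scope, so a user whose name collides with a git helper (`push`, `fetch`) would shadow it silently; `with git;` plus an explicit `config.krebs.users.nin` avoids that. The `collaborators` branch of make-rules is unreachable from this file, since `make-public-repo` never produces that attribute and `repos` is `public-repos`; harmless, but a comment saying it is kept for parity with the other git modules would explain why it is there.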
|
1
nin/6tests/dummysecrets/hashedPasswords.nix
Normal file
1
nin/6tests/dummysecrets/hashedPasswords.nix
Normal file
|
@ -0,0 +1 @@
|
|||
{}
|
0
nin/6tests/dummysecrets/ssh.id_ed25519
Normal file
0
nin/6tests/dummysecrets/ssh.id_ed25519
Normal file