From c9032105eb4abe2eecbeeb31df7b62ed082bb6fc Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 8 Nov 2015 14:04:25 +0100 Subject: [PATCH 01/23] Reaktor: bump version --- krebs/5pkgs/Reaktor/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/5pkgs/Reaktor/default.nix b/krebs/5pkgs/Reaktor/default.nix index c38aa6423..c4a362757 100644 --- a/krebs/5pkgs/Reaktor/default.nix +++ b/krebs/5pkgs/Reaktor/default.nix @@ -2,14 +2,14 @@ python3Packages.buildPythonPackage rec { name = "Reaktor-${version}"; - version = "0.5.0"; + version = "0.5.1"; propagatedBuildInputs = with pkgs;[ python3Packages.docopt python3Packages.requests2 ]; src = fetchurl { url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz"; - sha256 = "1npag52xmnyqv56z0anyf6xf00q0smfzsippal0xdbxrfj7s8qim"; + sha256 = "0dn9r0cyxi1sji2pnybsrc4hhaaq7hmf235nlgkrxqlsdb7y6n6n"; }; meta = { homepage = http://krebsco.de/; From 525dff002e7fe360b0c9803f1004ad2c8749c319 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 13 Nov 2015 12:24:29 +0100 Subject: [PATCH 02/23] m 1 gum: disable ipv6, open up fw --- makefu/1systems/gum.nix | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 8dd347b4f..63db7a71c 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -16,7 +16,6 @@ in { krebs.build.target = "root@gum.krebsco.de"; krebs.build.host = config.krebs.hosts.gum; - # Chat environment.systemPackages = with pkgs;[ weechat @@ -33,21 +32,24 @@ in { services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0" ''; + boot.kernelParams = [ "ipv6.disable=1" ]; networking = { - firewall = { - allowPing = true; - allowedTCPPorts = [ - # smtp - 25 - # http - 80 443 - # tinc - 655 - ]; - allowedUDPPorts = [ - # tinc - 655 53 - ]; + enableIPv6 = false; + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ + # smtp + 25 + # http + 80 443 + # tinc + 655 + ]; + allowedUDPPorts = [ + # tinc + 655 53 + ]; }; interfaces.et0.ip4 = [{ address = external-ip; From 383d8750236d58e9b7932a0c88a1245f95824045 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 13 Nov 2015 12:24:43 +0100 Subject: [PATCH 03/23] tinc_graphs: always restart --- krebs/3modules/tinc_graphs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index e415d20ab..20aa385a9 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -89,9 +89,9 @@ let }; restartIfChanged = true; - serviceConfig = { Type = "simple"; + restart = "always"; ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' #!/bin/sh From e0ae8c1a3fe333de8a14b04b4a7e2dd01163b727 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 13 Nov 2015 12:25:18 +0100 Subject: [PATCH 04/23] m 1 {gum,wry}: disable dropped packet logging --- makefu/1systems/wry.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index ba94972fb..cd39b4b9f 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -59,9 +59,12 @@ in { }; networking = { - firewall.allowPing = true; - firewall.allowedTCPPorts = [ 53 80 443 ]; - firewall.allowedUDPPorts = [ 655 ]; + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ 53 80 443 ]; + allowedUDPPorts = [ 655 ]; + }; interfaces.enp2s1.ip4 = [{ address = external-ip; prefixLength = 24; From 78660ea002d5912eb8d06da1895cc6e34bd5e6eb Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 14 Nov 2015 01:48:49 +0100 Subject: [PATCH 05/23] m 1 filepimp: remove legacy imports --- makefu/1systems/filepimp.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index fb1a57552..66ea2ce90 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -7,8 +7,6 @@ { imports = [ # Include the results of the hardware scan. - ../2configs/default.nix - ../2configs/fs/vm-single-partition.nix ../2configs/fs/single-partition-ext4.nix ../2configs/tinc-basic-retiolum.nix ]; From 2b9d7bdda10689e8bd8f7ed39830fd274c02457b Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 14 Nov 2015 01:49:31 +0100 Subject: [PATCH 06/23] m 1 gum: add swap to server config --- makefu/1systems/gum.nix | 1 + makefu/2configs/fs/simple-swap.nix | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 makefu/2configs/fs/simple-swap.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 8dd347b4f..44ab8c6f8 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -9,6 +9,7 @@ in { # TODO: copy this config or move to krebs ../2configs/tinc-basic-retiolum.nix ../2configs/headless.nix + ../2configs/fs/simple-swap.nix ../2configs/fs/single-partition-ext4.nix # ../2configs/iodined.nix diff --git a/makefu/2configs/fs/simple-swap.nix b/makefu/2configs/fs/simple-swap.nix new file mode 100644 index 000000000..8c161b287 --- /dev/null +++ b/makefu/2configs/fs/simple-swap.nix @@ -0,0 +1,11 @@ +_: +{ + # do not swap that often + boot.kernel.sysctl = { + "vm.swappiness" = 25; + }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; +} From 79b890670100d08c3640fffade2caf3eced192d8 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 14 Nov 2015 01:50:24 +0100 Subject: [PATCH 07/23] m 2 vbox: up version number --- makefu/2configs/main-laptop.nix | 2 +- makefu/2configs/virtualization-virtualbox.nix | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index 294ee7510..dfc8c1c07 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -12,7 +12,7 @@ with lib; firefox chromium keepassx - + ntfs3g virtmanager at_spi2_core # dep for virtmanager? ]; diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix index 610b63732..aaabcd50e 100644 --- a/makefu/2configs/virtualization-virtualbox.nix +++ b/makefu/2configs/virtualization-virtualbox.nix @@ -2,11 +2,11 @@ let mainUser = config.krebs.build.user; - version = "5.0.4"; - rev = "102546"; + version = "5.0.6"; + rev = "103037"; vboxguestpkg = pkgs.fetchurl { url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; - sha256 = "1ykwpjvfgj11iwhx70bh2hbxhyy3hg6rnqzl4qac7xzg8xw8wqg4"; + sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; }; in { #inherit vboxguestpkg; From 48c9789141957c0c65dcb4df5a0e22d6002cafd3 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 12:16:51 +0100 Subject: [PATCH 08/23] apt-cacher-ng: init package and module once apt-cacher-ng arrives in nixos stable it will be removed from stockholm --- krebs/3modules/apt-cacher-ng.nix | 155 ++++++++++++++++++++++++++ krebs/5pkgs/apt-cacher-ng/default.nix | 21 ++++ 2 files changed, 176 insertions(+) create mode 100644 krebs/3modules/apt-cacher-ng.nix create mode 100644 krebs/5pkgs/apt-cacher-ng/default.nix diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix new file mode 100644 index 000000000..c2c2f2661 --- /dev/null +++ b/krebs/3modules/apt-cacher-ng.nix @@ -0,0 +1,155 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + acng-config = pkgs.writeTextFile { + name = "acng-configuration"; + destination = "/acng.conf"; + text = '' + ForeGround: 1 + CacheDir: ${cfg.cacheDir} + LogDir: ${cfg.logDir} + PidFile: /var/run/apt-cacher-ng.pid + ExTreshold: ${toString cfg.cacheExpiration} + + Port: ${toString cfg.port} + BindAddress: ${cfg.bindAddress} + + # defaults: + Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian + Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu + Remap-debvol: file:debvol_mirror*.gz /debian-volatile ; file:backends_debvol + Remap-cygwin: file:cygwin_mirrors /cygwin + Remap-sfnet: file:sfnet_mirrors + Remap-alxrep: file:archlx_mirrors /archlinux + Remap-fedora: file:fedora_mirrors + Remap-epel: file:epel_mirrors + Remap-slrep: file:sl_mirrors # Scientific Linux + Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo + + ReportPage: acng-report.html + SupportDir: ${pkgs.apt-cacher-ng}/lib/apt-cacher-ng + LocalDirs: acng-doc ${pkgs.apt-cacher-ng}/share/doc/apt-cacher-ng + + # Nix cache + ${optionalString cfg.enableNixCache '' + Remap-nix: http://cache.nixos.org /nixos ; https://cache.nixos.org + PfilePatternEx: (^|.*?/).*\.narinfo(|\.gz|\.xz|\.bz2)$ + VfilePatternEx: (^|.*?/)nix-cache-info$ + ''} + + ${cfg.extraConfig} + ''; }; + + acng-home = "/var/cache/acng"; + cfg = config.krebs.apt-cacher-ng; + + api = { + enable = mkEnableOption "apt-cacher-ng"; + + cacheDir = mkOption { + default = acng-home + "/cache"; + type = types.str; + description = '' + Path to apt-cacher-ng cache directory. + Will be created and chowned to acng-user + ''; + }; + + logDir = mkOption { + default = acng-home + "/log"; + type = types.str; + description = '' + Path to apt-cacher-ng log directory. + Will be created and chowned to acng-user + ''; + }; + + port = mkOption { + default = 3142; + type = types.int; + description = '' + port of apt-cacher-ng + ''; + }; + + bindAddress = mkOption { + default = ""; + type = types.str; + example = "localhost 192.168.7.254 publicNameOnMainInterface"; + description = '' + listen address of apt-cacher-ng. Defaults to every interface. + ''; + }; + + cacheExpiration = mkOption { + default = 4; + type = types.int; + description = '' + number of days before packages expire in the cache without being + requested. + ''; + }; + + enableNixCache = mkOption { + default = true; + type = types.bool; + description = '' + enable cache.nixos.org caching via PfilePatternEx and VfilePatternEx. + + to use the apt-cacher-ng in your nixos configuration: + nix.binary-cache = [ http://acng-host:port/nixos ]; + + These options cannot be used in extraConfig, use SVfilePattern and + SPfilePattern or disable this option. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + extra config appended to the generated acng.conf + ''; + }; + }; + + imp = { + + users.extraUsers.acng = { + # uid = config.ids.uids.acng; + uid = 897955083; #genid Reaktor + description = "apt-cacher-ng"; + home = acng-home; + createHome = false; + }; + + users.extraGroups.acng = { + gid = 897955083; #genid Reaktor + # gid = config.ids.gids.Reaktor; + }; + + systemd.services.apt-cacher-ng = { + description = "apt-cacher-ng"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + PermissionsStartOnly = true; + ExecStartPre = pkgs.writeScript "acng-init" '' + #!/bin/sh + mkdir -p ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir} + chown acng:acng ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir} + ''; + ExecStart = "${pkgs.apt-cacher-ng}/bin/apt-cacher-ng -c ${acng-config}"; + PrivateTmp = "true"; + User = "acng"; + Restart = "always"; + RestartSec = "10"; + }; + }; + }; +in +{ + options.krebs.apt-cacher-ng = api; + config = mkIf cfg.enable imp; +} diff --git a/krebs/5pkgs/apt-cacher-ng/default.nix b/krebs/5pkgs/apt-cacher-ng/default.nix new file mode 100644 index 000000000..f253cdba0 --- /dev/null +++ b/krebs/5pkgs/apt-cacher-ng/default.nix @@ -0,0 +1,21 @@ +{ stdenv, fetchurl, cmake, doxygen, zlib, openssl, bzip2, pkgconfig, libpthreadstubs }: + +stdenv.mkDerivation rec { + name = "apt-cacher-ng-${version}"; + version = "0.8.6"; + + src = fetchurl { + url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz"; + sha256 = "0044dfks8djl11fs28jj8894i4rq424xix3d3fkvzz2i6lnp8nr5"; + }; + + NIX_LDFLAGS = "-lpthread"; + buildInputs = [ doxygen cmake zlib openssl bzip2 pkgconfig libpthreadstubs ]; + + meta = { + description = "A caching proxy specialized for linux distribution files"; + homepage = http://www.unix-ag.uni-kl.de/~bloch/acng/; + license = stdenv.lib.licenses.gpl2; + maintainers = [ stdenv.lib.maintainers.makefu ]; + }; +} From 4c26fb9383a822309c05523774c9f7bebfbb5201 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 13:29:56 +0100 Subject: [PATCH 09/23] k 3 apt-cacher-ng: fix whitespace --- krebs/3modules/apt-cacher-ng.nix | 59 ++++++++++++++++---------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index c2c2f2661..9224c72a0 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -6,40 +6,41 @@ let name = "acng-configuration"; destination = "/acng.conf"; text = '' - ForeGround: 1 - CacheDir: ${cfg.cacheDir} - LogDir: ${cfg.logDir} - PidFile: /var/run/apt-cacher-ng.pid - ExTreshold: ${toString cfg.cacheExpiration} + ForeGround: 1 + CacheDir: ${cfg.cacheDir} + LogDir: ${cfg.logDir} + PidFile: /var/run/apt-cacher-ng.pid + ExTreshold: ${toString cfg.cacheExpiration} - Port: ${toString cfg.port} - BindAddress: ${cfg.bindAddress} + Port: ${toString cfg.port} + BindAddress: ${cfg.bindAddress} - # defaults: - Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian - Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu - Remap-debvol: file:debvol_mirror*.gz /debian-volatile ; file:backends_debvol - Remap-cygwin: file:cygwin_mirrors /cygwin - Remap-sfnet: file:sfnet_mirrors - Remap-alxrep: file:archlx_mirrors /archlinux - Remap-fedora: file:fedora_mirrors - Remap-epel: file:epel_mirrors - Remap-slrep: file:sl_mirrors # Scientific Linux - Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo + # defaults: + Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian + Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu + Remap-debvol: file:debvol_mirror*.gz /debian-volatile ; file:backends_debvol + Remap-cygwin: file:cygwin_mirrors /cygwin + Remap-sfnet: file:sfnet_mirrors + Remap-alxrep: file:archlx_mirrors /archlinux + Remap-fedora: file:fedora_mirrors + Remap-epel: file:epel_mirrors + Remap-slrep: file:sl_mirrors # Scientific Linux + Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo - ReportPage: acng-report.html - SupportDir: ${pkgs.apt-cacher-ng}/lib/apt-cacher-ng - LocalDirs: acng-doc ${pkgs.apt-cacher-ng}/share/doc/apt-cacher-ng + ReportPage: acng-report.html + SupportDir: ${pkgs.apt-cacher-ng}/lib/apt-cacher-ng + LocalDirs: acng-doc ${pkgs.apt-cacher-ng}/share/doc/apt-cacher-ng - # Nix cache - ${optionalString cfg.enableNixCache '' - Remap-nix: http://cache.nixos.org /nixos ; https://cache.nixos.org - PfilePatternEx: (^|.*?/).*\.narinfo(|\.gz|\.xz|\.bz2)$ - VfilePatternEx: (^|.*?/)nix-cache-info$ - ''} + # Nix cache + ${optionalString cfg.enableNixCache '' + Remap-nix: http://cache.nixos.org /nixos ; https://cache.nixos.org + PfilePatternEx: (^|.*?/).*\.narinfo(|\.gz|\.xz|\.bz2)$ + VfilePatternEx: (^|.*?/)nix-cache-info$ + ''} - ${cfg.extraConfig} - ''; }; + ${cfg.extraConfig} + ''; + }; acng-home = "/var/cache/acng"; cfg = config.krebs.apt-cacher-ng; From 5a450ad787a4738d2338c1e6e2709a680ceeb413 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 13:49:29 +0100 Subject: [PATCH 10/23] apt-cacher-ng is imported by krebs modules --- krebs/3modules/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 6d62b2e38..a627d5657 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,6 +6,7 @@ let out = { imports = [ + ./apt-cacher-ng.nix ./bepasty-server.nix ./build.nix ./current.nix From b69dcc6086c16ae996575bb00a1f55a14c26b63e Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 13:54:55 +0100 Subject: [PATCH 11/23] m 1 gum: add ssh repo --- makefu/1systems/gum.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index d8b7ed5f9..63ad18339 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -12,6 +12,7 @@ in { ../2configs/fs/simple-swap.nix ../2configs/fs/single-partition-ext4.nix # ../2configs/iodined.nix + ../2configs/git/cgit-retiolum.nix ]; From 4fec1920fb8fb9392c7a5c363a8392230eb64de8 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 13:55:30 +0100 Subject: [PATCH 12/23] m 2 git: fix library and irc hooks --- makefu/2configs/git/brain-retiolum.nix | 4 +-- makefu/2configs/git/cgit-retiolum.nix | 50 +++++++++++++++++--------- 2 files changed, 35 insertions(+), 19 deletions(-) diff --git a/makefu/2configs/git/brain-retiolum.nix b/makefu/2configs/git/brain-retiolum.nix index 793373859..066d50a28 100644 --- a/makefu/2configs/git/brain-retiolum.nix +++ b/makefu/2configs/git/brain-retiolum.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: # TODO: remove tv lib :) -with import ../../../tv/4lib { inherit lib pkgs; }; +with lib; let repos = priv-repos // krebs-repos ; @@ -26,7 +26,7 @@ let inherit name desc; public = false; hooks = { - post-receive = git.irc-announce { + post-receive = pkgs.git-hooks.irc-announce { nick = config.networking.hostName; channel = "#retiolum"; # TODO remove the hardcoded hostname diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 189dd66c8..748cd6427 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: # TODO: remove tv lib :) -with import ../../../tv/4lib { inherit lib pkgs; }; +with lib; let - repos = priv-repos // krebs-repos ; - rules = concatMap krebs-rules (attrValues krebs-repos) ++ concatMap priv-rules (attrValues priv-repos); + repos = priv-repos // krebs-repos // connector-repos ; + rules = concatMap krebs-rules (attrValues krebs-repos) + ++ concatMap priv-rules (attrValues priv-repos) + ++ concatMap connector-rules (attrValues connector-repos); krebs-repos = mapAttrs make-krebs-repo { stockholm = { @@ -19,6 +21,10 @@ let autosync = { }; }; + connector-repos = mapAttrs make-priv-repo { + autosync = { }; + }; + # TODO move users to separate module make-priv-repo = name: { desc ? null, ... }: { @@ -40,12 +46,19 @@ let }; }; - set-owners = with git;repo: user: - singleton { - inherit user; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - }; + + + # TODO: get the list of all krebsministers + krebsminister = with config.krebs.users; [ lass tv uriel ]; + all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; + exco = with config.krebs.users; [ exco ]; + + priv-rules = repo: set-owners repo all-makefu; + + connector-rules = repo: set-owners repo (all-makefu ++ exco); + + krebs-rules = repo: + set-owners repo all-makefu ++ set-ro-access repo krebsminister; set-ro-access = with git; repo: user: optional repo.public { @@ -54,14 +67,12 @@ let perm = fetch; }; - # TODO: get the list of all krebsministers - krebsminister = with config.krebs.users; [ lass tv uriel ]; - all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; - - priv-rules = repo: set-owners repo all-makefu; - - krebs-rules = repo: - set-owners repo all-makefu ++ set-ro-access repo krebsminister; + set-owners = with git;repo: user: + singleton { + inherit user; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + }; in { imports = [{ @@ -73,6 +84,11 @@ in { name = "makefu-tsp" ; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub; }; + + krebs.users.exco = { + name = "exco" ; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/exco.ssh.pub; + }; }]; krebs.git = { enable = true; From a4ab19181b312a64a14f7da694e994959ce2b147 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 13:57:43 +0100 Subject: [PATCH 13/23] shared 2 base: add makefu_omo to allowed pubkeys --- shared/2configs/base.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix index c9f4ffa8d..df41eae1a 100644 --- a/shared/2configs/base.nix +++ b/shared/2configs/base.nix @@ -64,6 +64,8 @@ with lib; # TODO config.krebs.users.lass.pubkey config.krebs.users.makefu.pubkey + # TODO HARDER: + (readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub) config.krebs.users.tv.pubkey ]; From 5aed0a395b2f78216bc02a7178527034bb079d28 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 22:15:07 +0100 Subject: [PATCH 14/23] shared wolf: static ip, fix todo --- krebs/3modules/default.nix | 1 + krebs/3modules/shared/default.nix | 15 ++++++++++----- shared/1systems/wolf.nix | 21 ++++++++++++++++++++- shared/2configs/shack-drivedroid.nix | 18 ++++++++++++++++++ shared/2configs/shack-nix-cacher.nix | 25 +++++++++++++++++++++++++ 5 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 shared/2configs/shack-drivedroid.nix create mode 100644 shared/2configs/shack-nix-cacher.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index a627d5657..ce52c148c 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -86,6 +86,7 @@ let krebs.dns.providers = { de.krebsco = "zones"; gg23 = "hosts"; + shack = "hosts"; internet = "hosts"; retiolum = "hosts"; }; diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index 13aae886b..d5bce469b 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -33,12 +33,17 @@ let in { hosts = addNames { wolf = { - #dc = "shack"; + dc = "shack"; nets = { - #shack = { - # addrs4 = [ TODO ]; - # aliases = ["wolf.shack"]; - #}; + shack = { + addrs4 = [ "10.42.2.136" ]; + aliases = [ + "wolf.shack" + "graphite.shack" + "acng.shack" + "drivedroid.shack" + ]; + }; retiolum = { addrs4 = ["10.243.77.1"]; addrs6 = ["42:0:0:0:0:0:77:1"]; diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 4fe3388c8..30e6e1d07 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -1,12 +1,31 @@ { config, lib, pkgs, ... }: +let + shack-ip = lib.head config.krebs.build.host.nets.shack.addrs4; + internal-ip = lib.head config.krebs.build.host.nets.retiolum.addrs4; +in { imports = [ ../2configs/base.nix ../2configs/collectd-base.nix + ../2configs/shack-nix-cacher.nix + ../2configs/shack-drivedroid.nix ]; + networking = { + interfaces.eth0.ip4 = [{ + address = shack-ip; + prefixLength = 20; + }]; + + defaultGateway = "10.42.0.1"; + nameservers = [ "8.8.8.8" ]; + }; + + ##################### + # uninteresting stuff + ##################### krebs.build.host = config.krebs.hosts.wolf; # TODO rename shared user to "krebs" krebs.build.user = config.krebs.users.shared; @@ -31,7 +50,7 @@ fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; swapDevices = [ - { device = "/dev/disk/by-label/swap"; } + { device = "/dev/disk/by-label/swap"; } ]; time.timeZone = "Europe/Berlin"; diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix new file mode 100644 index 000000000..294f3a369 --- /dev/null +++ b/shared/2configs/shack-drivedroid.nix @@ -0,0 +1,18 @@ +{ pkgs, lib, ... }: + +{ + krebs.nginx = { + enable = lib.mkDefault true; + servers = { + drivedroid-repo = { + server-names = [ "drivedroid.shack" ]; + # TODO: prepare this somehow + locations = lib.singleton (lib.nameValuePair "/" '' + root /var/srv/drivedroid + index main.json + ''); + }; + }; + }; + +} diff --git a/shared/2configs/shack-nix-cacher.nix b/shared/2configs/shack-nix-cacher.nix new file mode 100644 index 000000000..7519bb3ac --- /dev/null +++ b/shared/2configs/shack-nix-cacher.nix @@ -0,0 +1,25 @@ +{ pkgs, lib, ... }: + +{ + krebs.nginx = { + enable = lib.mkDefault true; + servers = { + apt-cacher-ng = { + server-names = [ "acng.shack" ]; + locations = lib.singleton (lib.nameValuePair "/" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:3142/; + ''); + }; + }; + }; + + krebs.apt-cacher-ng = { + enable = true; + port = 3142; + bindAddress = "localhost"; + cacheExpiration = 30; + }; +} From 7346527c4f0444d33f8c6eda353cad94cecd930f Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 22:15:31 +0100 Subject: [PATCH 15/23] pubkeys: add exco --- krebs/Zpubkeys/exco.ssh.pub | 1 + 1 file changed, 1 insertion(+) create mode 100644 krebs/Zpubkeys/exco.ssh.pub diff --git a/krebs/Zpubkeys/exco.ssh.pub b/krebs/Zpubkeys/exco.ssh.pub new file mode 100644 index 000000000..e2afcf3fb --- /dev/null +++ b/krebs/Zpubkeys/exco.ssh.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== christian.stoeveken@gmail.com From b2ac9b092a36c3196469099c73c64c8ca6626be0 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 22:16:55 +0100 Subject: [PATCH 16/23] makefu: fix cgit for wry, add gc to wry --- makefu/1systems/wry.nix | 8 ++++++-- makefu/2configs/git/cgit-retiolum.nix | 23 ++++++++++++----------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index cd39b4b9f..cd2b3f657 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -24,11 +24,11 @@ in { # other nginx ../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.blog.nix + ../2configs/nginx/euer.test.nix # collectd ../2configs/collectd/collectd-base.nix ]; - krebs.build.host = config.krebs.hosts.wry; krebs.Reaktor.enable = true; @@ -73,5 +73,9 @@ in { nameservers = [ "8.8.8.8" ]; }; - environment.systemPackages = [ pkgs.translate-shell ]; + # small machine - do not forget to gc every day + nix.gc.automatic = true; + nix.gc.dates = "03:10"; + + environment.systemPackages = [ ]; } diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 748cd6427..e12827697 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -22,7 +22,7 @@ let }; connector-repos = mapAttrs make-priv-repo { - autosync = { }; + connector = { }; }; @@ -36,7 +36,7 @@ let inherit name desc; public = true; hooks = { - post-receive = git.irc-announce { + post-receive = pkgs.git-hooks.irc-announce { nick = config.networking.hostName; verbose = config.krebs.build.host.name == "pnp"; channel = "#retiolum"; @@ -51,11 +51,11 @@ let # TODO: get the list of all krebsministers krebsminister = with config.krebs.users; [ lass tv uriel ]; all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; - exco = with config.krebs.users; [ exco ]; + all-exco = with config.krebs.users; [ exco ]; priv-rules = repo: set-owners repo all-makefu; - connector-rules = repo: set-owners repo (all-makefu ++ exco); + connector-rules = repo: set-owners repo all-makefu ++ set-owners repo all-exco; krebs-rules = repo: set-owners repo all-makefu ++ set-ro-access repo krebsminister; @@ -76,18 +76,19 @@ let in { imports = [{ - krebs.users.makefu-omo = { + krebs.users = { + makefu-omo = { name = "makefu-omo" ; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub; - }; - krebs.users.makefu-tsp = { + }; + makefu-tsp = { name = "makefu-tsp" ; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub; - }; - - krebs.users.exco = { - name = "exco" ; + }; + exco = { + name = "exco"; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/exco.ssh.pub; + }; }; }]; krebs.git = { From 9e2ac199d52d84fd615894068d15edb2a511301f Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 22:18:32 +0100 Subject: [PATCH 17/23] k 5 drivedroid-gen-repo: init at 0.4.2 --- krebs/5pkgs/drivedroid-gen-repo/default.nix | 22 +++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 krebs/5pkgs/drivedroid-gen-repo/default.nix diff --git a/krebs/5pkgs/drivedroid-gen-repo/default.nix b/krebs/5pkgs/drivedroid-gen-repo/default.nix new file mode 100644 index 000000000..087f97c9a --- /dev/null +++ b/krebs/5pkgs/drivedroid-gen-repo/default.nix @@ -0,0 +1,22 @@ +{stdenv,fetchurl,pkgs,python3Packages, ... }: + +python3Packages.buildPythonPackage rec { + name = "drivedroid-gen-repo-${version}"; + version = "0.4.2"; + + propagatedBuildInputs = with pkgs;[ + python3Packages.docopt + ]; + + src = fetchurl { + url = "https://pypi.python.org/packages/source/d/drivedroid-gen-repo/drivedroid-gen-repo-${version}.tar.gz"; + sha256 = "1w4dqc9ndyiv5kjh2y8n4p4c280vhqyj8s7y6al2klchcp2ab7q7"; + }; + + meta = { + homepage = http://krebsco.de/; + description = "Generate Drivedroid repos"; + license = stdenv.lib.licenses.wtfpl; + }; +} + From b8dea556e9ccaa999ccb8c18cab730ce535cd873 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 22:26:11 +0100 Subject: [PATCH 18/23] k 3 shared: shack ip was already in use --- krebs/3modules/shared/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index d5bce469b..b332676c6 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -36,7 +36,7 @@ in { dc = "shack"; nets = { shack = { - addrs4 = [ "10.42.2.136" ]; + addrs4 = [ "10.42.2.150" ]; aliases = [ "wolf.shack" "graphite.shack" From a3e074094b8c260825b0ae4caeb2170e562019a5 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 23:03:21 +0100 Subject: [PATCH 19/23] k 3 apt-cacher-ng: add CAfile --- krebs/3modules/apt-cacher-ng.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index 9224c72a0..6f0ff8159 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -11,6 +11,7 @@ let LogDir: ${cfg.logDir} PidFile: /var/run/apt-cacher-ng.pid ExTreshold: ${toString cfg.cacheExpiration} + CAfile: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt Port: ${toString cfg.port} BindAddress: ${cfg.bindAddress} From 0f54a195b7d1a3b02bd70c31c2d05c2a1dc186bd Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 23:11:29 +0100 Subject: [PATCH 20/23] acng: also add nar files to cache --- krebs/3modules/apt-cacher-ng.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index 6f0ff8159..75296bafb 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -35,7 +35,7 @@ let # Nix cache ${optionalString cfg.enableNixCache '' Remap-nix: http://cache.nixos.org /nixos ; https://cache.nixos.org - PfilePatternEx: (^|.*?/).*\.narinfo(|\.gz|\.xz|\.bz2)$ + PfilePatternEx: (^|.*?/).*\.nar(info)?(|\.gz|\.xz|\.bz2)$ VfilePatternEx: (^|.*?/)nix-cache-info$ ''} From 7e4eefa91bb3d06baf8c2bd53c26d5b5337b66d8 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 23:11:55 +0100 Subject: [PATCH 21/23] s 2 drivedroid: fix syntax error --- shared/2configs/shack-drivedroid.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix index 294f3a369..44b62a807 100644 --- a/shared/2configs/shack-drivedroid.nix +++ b/shared/2configs/shack-drivedroid.nix @@ -8,8 +8,8 @@ server-names = [ "drivedroid.shack" ]; # TODO: prepare this somehow locations = lib.singleton (lib.nameValuePair "/" '' - root /var/srv/drivedroid - index main.json + root /var/srv/drivedroid; + index main.json; ''); }; }; From e4c46c2ec22613830c5839001550f5fa155e260d Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Nov 2015 23:13:09 +0100 Subject: [PATCH 22/23] shared 1 wolf: add self to binaryCache --- shared/1systems/wolf.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 30e6e1d07..8c5295bb3 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -12,8 +12,12 @@ in ../2configs/shack-nix-cacher.nix ../2configs/shack-drivedroid.nix ]; + # use your own binary cache, fallback use cache.nixos.org (which is used by + # apt-cacher-ng in first place) + nix.binaryCaches = [ "http://localhost:3142/nixos" "https://cache.nixos.org" ]; networking = { + firewall.enable = false; interfaces.eth0.ip4 = [{ address = shack-ip; prefixLength = 20; From a8d007868342517c235963a8ab13cff7c0e5d59e Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 18 Nov 2015 14:05:54 +0100 Subject: [PATCH 23/23] unstable -> s 2 shack-drivedroid --- shared/2configs/shack-drivedroid.nix | 30 +++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix index 44b62a807..66940bc08 100644 --- a/shared/2configs/shack-drivedroid.nix +++ b/shared/2configs/shack-drivedroid.nix @@ -1,6 +1,30 @@ -{ pkgs, lib, ... }: - +{ pkgs, lib, config, ... }: +let + repodir = "/var/srv/drivedroid"; + srepodir = lib.shell.escape repodir; +in { + systemd.paths.drivedroid = { + wantedBy = [ "multi-user.target" ]; + Description = "triggers for changes in drivedroid dir"; + pathConfig = { + PathModified = repodir; + }; + }; + + systemd.services.drivedroid = { + ServiceConfig = { + ExecStartPre = pkgs.writeScript "prepare-drivedroid-repo-gen" '' + #!/bin/sh + mkdir -p ${srepodir}/repos + ''; + ExecStart = pkgs.writeScript "start-drivedroid-repo-gen" '' + #!/bin/sh + {pkgs.drivedroid-gen-repo}/bin/drivedroid-gen-repo --chdir "${srepodir}" repos/ > "${srepodir}/main.json" + ''; + }; + }; + krebs.nginx = { enable = lib.mkDefault true; servers = { @@ -8,7 +32,7 @@ server-names = [ "drivedroid.shack" ]; # TODO: prepare this somehow locations = lib.singleton (lib.nameValuePair "/" '' - root /var/srv/drivedroid; + root ${repodir}; index main.json; ''); };