From 0696c3ff38ff629ad5f184bc458392de748a87b6 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 09:10:21 +0200 Subject: m 2 mail: remove client packages from server config --- makefu/2configs/exim-retiolum.nix | 4 ---- 1 file changed, 4 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/exim-retiolum.nix b/makefu/2configs/exim-retiolum.nix index cebfd7cea..b8c5c5236 100644 --- a/makefu/2configs/exim-retiolum.nix +++ b/makefu/2configs/exim-retiolum.nix @@ -5,10 +5,6 @@ with lib; krebs.exim-retiolum.enable = true; environment.systemPackages = with pkgs; [ msmtp - mutt-kz - notmuch - # TODO: put this somewhere else - offlineimap ]; } -- cgit v1.2.3 From 90683369be019254c2b86bfc4ca3c8de3b441ff0 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 09:11:01 +0200 Subject: m 3 bepasty-server: fix escape --- makefu/3modules/bepasty-server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'makefu') diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix index d970652a4..bc7158d8d 100644 --- a/makefu/3modules/bepasty-server.nix +++ b/makefu/3modules/bepasty-server.nix @@ -104,12 +104,12 @@ let PrivateTmp = true; ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' #!/bin/sh - chmod 755 ${server.workDir} - mkdir -p ${server.dataDir} + chmod 755 "${server.workDir}" + mkdir -p "${server.dataDir}" cat > ${server.workDir}/bepasty-${name}.conf < Date: Wed, 21 Oct 2015 17:13:12 +0200 Subject: m 3 tinc_graphs: new api for nginx --- makefu/3modules/tinc_graphs.nix | 51 ++++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 21 deletions(-) (limited to 'makefu') diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix index ff2f55873..42b08d62a 100644 --- a/makefu/3modules/tinc_graphs.nix +++ b/makefu/3modules/tinc_graphs.nix @@ -20,26 +20,37 @@ let default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; }; - krebsNginx = { - # configure krebs nginx to serve the new graphs - enable = mkEnableOption "tinc_graphs nginx"; + nginx = { + enable = mkEnableOption "enable tinc_graphs to be served with nginx"; + + anonymous = { + server-names = mkOption { + type = with types; listOf str; + description = "hostnames which serve anonymous graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for anonymous graphs"; + default = [ "80" ]; + }; - hostnames_complete = mkOption { - #TODO: this is not a secure way to serve these graphs,better listen to - # the correct interface, krebs.nginx does not support this yet - - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; }; - hostnames_anonymous = mkOption { - type = with types; listOf str; - description = '' - hostname which serves anonymous graphs - must be different from hostname_complete - ''; - default = [ "anongraphs.${config.krebs.build.host.name}" ]; + complete = { + server-names = mkOption { + type = with types; listOf str; + description = "hostname which serves complete graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for complete graphs"; + default = [ "127.0.0.1:80" ]; + }; + }; }; @@ -110,8 +121,7 @@ let }; krebs.nginx.servers = mkIf cfg.krebsNginx.enable { - tinc_graphs_complete = { - server-names = cfg.krebsNginx.hostnames_complete; + tinc_graphs_complete = cfg.nginx.complete { locations = [ (nameValuePair "/" '' autoindex on; @@ -119,8 +129,7 @@ let '') ]; }; - tinc_graphs_anonymous = { - server-names = cfg.krebsNginx.hostnames_anonymous; + tinc_graphs_anonymous = cfg.nginx.anonymous // { locations = [ (nameValuePair "/" '' autoindex on; -- cgit v1.2.3 From 506f1c0c382a66f3f2e17519004875f793e489f1 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:45:32 +0200 Subject: m 2 unstable-sources: sources to unstable nixpkgs --- makefu/2configs/unstable-sources.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 makefu/2configs/unstable-sources.nix (limited to 'makefu') diff --git a/makefu/2configs/unstable-sources.nix b/makefu/2configs/unstable-sources.nix new file mode 100644 index 000000000..f2d28dcaf --- /dev/null +++ b/makefu/2configs/unstable-sources.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +{ + krebs.build.source = { + git.nixpkgs = { + url = https://github.com/makefu/nixpkgs; + rev = "984d33884d63d404ff2da76920b8bc8b15471552"; + }; + + dir.secrets = { + host = config.krebs.hosts.pornocauster; + path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; + }; + dir.stockholm = { + host = config.krebs.hosts.pornocauster; + path = toString ../.. ; + }; + }; +} -- cgit v1.2.3 From 49b8d341f64b039448a21feeaed777573574549d Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:47:26 +0200 Subject: m 3 tinc_graphs: merge instead of override nginx config --- makefu/3modules/tinc_graphs.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'makefu') diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix index 42b08d62a..1f87f00cc 100644 --- a/makefu/3modules/tinc_graphs.nix +++ b/makefu/3modules/tinc_graphs.nix @@ -31,6 +31,7 @@ let }; listen = mkOption { + # use the type of the nginx listen option type = with types; listOf str; description = "listen address for anonymous graphs"; default = [ "80" ]; @@ -120,23 +121,23 @@ let createHome = true; }; - krebs.nginx.servers = mkIf cfg.krebsNginx.enable { - tinc_graphs_complete = cfg.nginx.complete { + krebs.nginx.servers = mkIf cfg.nginx.enable { + tinc_graphs_complete = mkMerge [ cfg.nginx.complete { locations = [ (nameValuePair "/" '' autoindex on; root ${internal_dir}; '') ]; - }; - tinc_graphs_anonymous = cfg.nginx.anonymous // { + }] ; + tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { locations = [ (nameValuePair "/" '' autoindex on; root ${external_dir}; '') ]; - }; + }]; }; }; -- cgit v1.2.3 From 34fd2ceb299d55b5edff124f86adf0883101197c Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:48:13 +0200 Subject: m 3 bepasty-server: finishing touches --- makefu/3modules/bepasty-server.nix | 48 +++++++++++++++++++++----------------- makefu/3modules/default.nix | 1 + 2 files changed, 27 insertions(+), 22 deletions(-) (limited to 'makefu') diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix index bc7158d8d..ff32eea60 100644 --- a/makefu/3modules/bepasty-server.nix +++ b/makefu/3modules/bepasty-server.nix @@ -6,10 +6,10 @@ let bepasty = pkgs.pythonPackages.bepasty-server; gevent = pkgs.pythonPackages.gevent; python = pkgs.pythonPackages.python; - cfg = config.makefu.bepasty-server; + cfg = config.krebs.bepasty; out = { - options.makefu.bepasty-server = api; + options.krebs.bepasty = api; config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; }; @@ -20,27 +20,20 @@ let servers = mkOption { type = with types; attrsOf optionSet; options = singleton { - nginxCfg = mkOption { + nginx = mkOption { # TODO use the correct type type = with types; attrsOf unspecified; description = '' additional nginx configuration. see krebs.nginx for all options '' ; }; - debug = mkOption { - type = types.bool; - description = '' - run server in debug mode - ''; - default = false; - }; - # TODO: assert secretKey secretKey = mkOption { type = types.str; description = '' server secret for safe session cookies, must be set. ''; + default = ""; }; # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi @@ -66,6 +59,7 @@ let extraConfig = mkOption { type = types.str; default = ""; + # TODO configure permissions in separate example = '' PERMISSIONS = { 'myadminsecret': 'admin,list,create,read,delete', @@ -75,8 +69,13 @@ let }; defaultPermissions = mkOption { + # TODO: listOf str type = types.str; - default = "list"; + description = '' + default permissions for all unauthenticated users. + ''; + example = "read,create,delete"; + default = "read"; }; }; @@ -102,21 +101,22 @@ let serviceConfig = { Type = "simple"; PrivateTmp = true; - ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' + + ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' #!/bin/sh - chmod 755 "${server.workDir}" - mkdir -p "${server.dataDir}" - cat > ${server.workDir}/bepasty-${name}.conf < "${server.workDir}/bepasty-${name}.conf" < Date: Wed, 21 Oct 2015 18:49:20 +0200 Subject: wry: is the new provider for paste.krebsco.de --- makefu/1systems/wry.nix | 73 +++++++++++++++++++++++----------------- makefu/2configs/bepasty-dual.nix | 52 ++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+), 30 deletions(-) create mode 100644 makefu/2configs/bepasty-dual.nix (limited to 'makefu') diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index a7ed93c43..63b1f47f7 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -1,59 +1,72 @@ { config, lib, pkgs, ... }: +with lib; let - ip = (lib.head config.krebs.build.host.nets.internet.addrs4); + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; in { imports = [ # TODO: copy this config or move to krebs ../../tv/2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix - ../2configs/base-sources.nix + ../2configs/unstable-sources.nix ../2configs/tinc-basic-retiolum.nix + ../2configs/bepasty-dual.nix + ../2configs/iodined.nix # Reaktor ../2configs/Reaktor/simpleExtend.nix ]; - krebs.Reaktor.enable = true; + krebs.build = { + user = config.krebs.users.makefu; + target = "root@wry"; + host = config.krebs.hosts.wry; + }; - networking.firewall.allowPing = true; - networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.233.87.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - # based on ../../tv/2configs/CAC-Developer-2.nix - sound.enable = false; - # prepare graphs - nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.Reaktor.enable = true; + + # bepasty to listen only on the correct interfaces + krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ]; + krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ]; + # prepare graphs krebs.nginx.enable = true; krebs.retiolum-bootstrap.enable = true; - makefu.tinc_graphs.enable = true; - makefu.tinc_graphs.krebsNginx = { + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + makefu.tinc_graphs = { enable = true; - # TODO: remove hard-coded hostname - hostnames_complete = [ "graphs.wry" ]; - hostnames_anonymous = [ "graphs.krebsco.de" ]; + nginx = { + enable = true; + # TODO: remove hard-coded hostname + complete = { + listen = [ "${internal-ip}:80" ]; + server-names = [ "graphs.wry" ]; + }; + anonymous = { + listen = [ "${external-ip}:80" ] ; + server-names = [ "graphs.krebsco.de" ]; + }; + }; }; - - networking.firewall.allowedTCPPorts = [ 53 80 443 ]; - - krebs.build = { - user = config.krebs.users.makefu; - target = "root@${ip}"; - host = config.krebs.hosts.wry; + networking = { + firewall.allowPing = true; + firewall.allowedTCPPorts = [ 53 80 443 ]; + interfaces.enp2s1.ip4 = [{ + address = external-ip; + prefixLength = 24; + }]; + defaultGateway = "104.233.87.1"; + nameservers = [ "8.8.8.8" ]; }; + + # based on ../../tv/2configs/CAC-Developer-2.nix + sound.enable = false; } diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix new file mode 100644 index 000000000..fb170957a --- /dev/null +++ b/makefu/2configs/bepasty-dual.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +# 1systems should configure itself: +# krebs.bepasty.servers.internal.nginx.listen = [ "80" ] +# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ] +# 80 is redirected to 443 ssl + +# secrets used: +# wildcard.krebsco.de.crt +# wildcard.krebsco.de.key +# bepasty-secret.nix <- contains single string + +with lib; +{ + + krebs.nginx.enable = mkDefault true; + krebs.bepasty = { + enable = true; + serveNginx= true; + + servers = { + internal = { + nginx = { + server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + }; + defaultPermissions = "admin,list,create,read,delete"; + secretKey = import ; + }; + + external = { + nginx = { + server-names = [ "paste.krebsco.de" ]; + extraConfig = '' + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_certificate /root/secrets/wildcard.krebsco.de.crt; + ssl_certificate_key /root/secrets/wildcard.krebsco.de.key; + ssl_verify_client off; + proxy_ssl_session_reuse off; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers RC4:HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + if ($scheme = http){ + return 301 https://$server_name$request_uri; + }''; + }; + defaultPermissions = "read"; + secretKey = import ; + }; + }; + }; +} -- cgit v1.2.3