Merge remote-tracking branch 'prism/makefu'

tv 2017-04-12 09:24:46 +02:00
commit 0248fce6be
25 changed files with 239 additions and 127 deletions


@ -20,6 +20,7 @@ let
./github-hosts-sync.nix ./github-hosts-sync.nix
./git.nix ./git.nix
./go.nix ./go.nix
./htgen.nix
./iptables.nix ./iptables.nix
./kapacitor.nix ./kapacitor.nix
./monit.nix ./monit.nix

68
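--- a/krebs/3modules/htgen.nix
+++ b/krebs/3modules/htgen.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+let
+cfg = config.krebs.htgen;
+out = {
+options.krebs.htgen = api;
+config = imp;
+};
+api = mkOption {
+default = {};
+type = types.attrsOf (types.submodule ({ config, ... }: {
+options = {
+enable = mkEnableOption "krebs.htgen-${config.name}";
+name = mkOption {
+type = types.username;
+default = config._module.args.name;
+};
+port = mkOption {
+type = types.uint;
+};
+script = mkOption {
+type = types.str;
+};
+user = mkOption {
+type = types.user;
+default = {
+name = "htgen-${config.name}";
+home = "/var/lib/htgen-${config.name}";
+};
+};
+};
+}));
+};
+imp = {
+systemd.services = mapAttrs' (name: htgen:
+nameValuePair "htgen-${name}" {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+environment = {
+HTGEN_PORT = toString htgen.port;
+HTGEN_SCRIPT = htgen.script;
+};
+serviceConfig = {
+SyslogIdentifier = "htgen";
+User = htgen.user.name;
+PrivateTmp = true;
+Restart = "always";
+ExecStart = "${pkgs.htgen}/bin/htgen --serve";
+};
+}
+) cfg;
+users.users = mapAttrs' (name: htgen:
+nameValuePair htgen.user.name {
+inherit (htgen.user) home name uid;
+createHome = true;
+}
+) cfg;
+};
+in out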
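Review bot: The `enable` option declared in the submodule is never read. Both `mapAttrs'` calls in `imp` iterate over the whole of `cfg`, so every `krebs.htgen.<name>` entry gets a systemd unit and a user account even when `enable` is left at its default. Passing `(filterAttrs (_: h: h.enable) cfg)` instead of `cfg` in both places would make the switch effective, assuming `filterAttrs` is in scope through `<stockholm/lib>`. Since the unit serves an operator-supplied `script` on a TCP `port`, a short comment on those two options stating that the module itself opens no firewall port would also help whoever enables an instance.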


@ -285,11 +285,8 @@ with import <stockholm/lib>;
cores = 1; cores = 1;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
wry IN A ${nets.internet.ip4.addr} wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de. io IN NS wry.krebsco.de.
graphs IN A ${nets.internet.ip4.addr}
tinc IN A ${nets.internet.ip4.addr} tinc IN A ${nets.internet.ip4.addr}
''; '';
}; };
@ -307,13 +304,8 @@ with import <stockholm/lib>;
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [ aliases = [
"graphs.wry.retiolum" "graphs.wry.retiolum"
"graphs.r" "graphs.retiolum"
"paste.wry.retiolum" "paste.wry.retiolum"
"wry.r" "wry.retiolum" "wry.r" "wry.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
"blog.makefu.retiolum"
"blog.wry.retiolum"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -452,6 +444,9 @@ with import <stockholm/lib>;
cgit.euer IN A ${nets.internet.ip4.addr} cgit.euer IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr} o.euer IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr} dl.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
graphs IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
@ -464,7 +459,7 @@ with import <stockholm/lib>;
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.211"; ip4.addr = "10.243.0.211";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2"; # ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2";
aliases = [ aliases = [
"gum.r" "gum.r"
"gum.retiolum" "gum.retiolum"
@ -473,6 +468,12 @@ with import <stockholm/lib>;
"o.gum.retiolum" "o.gum.retiolum"
"tracker.makefu.r" "tracker.makefu.r"
"tracker.makefu.retiolum" "tracker.makefu.retiolum"
"graphs.r" "graphs.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
"blog.makefu.retiolum"
"blog.wry.retiolum"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
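Review bot: The gum `retiolum` net now has its `ip6.addr` commented out with no reason given, in the same change that moves the wiki, blog and graphs aliases onto that host. Anything that derives hosts entries or tinc settings from this record will stop announcing an IPv6 address for gum, so the moved names become IPv4-only inside the overlay. If that is intended, say so next to the line, e.g. `# ip6.addr disabled: <reason>`. The `wiki.wry.retiolum` and `blog.wry.retiolum` aliases now resolve to gum while `graphs.wry.retiolum` stays on wry, which is worth a comment as well. The enclosing host records start and end outside these hunks.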


@ -2,11 +2,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "apt-cacher-ng-${version}"; name = "apt-cacher-ng-${version}";
version = "0.9.3.2"; version = "2";
src = fetchurl { src = fetchurl {
url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz"; url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz";
sha256 = "1bvng9mwrggvc93q2alj0x72i56wifnjs2dsycr17mapsv0f2gnc"; sha256 = "0bkc3012vinridl5ch46pwnxjalymx4wf6nxax64nm7bdkcj9azf";
}; };
NIX_LDFLAGS = "-lpthread"; NIX_LDFLAGS = "-lpthread";


@ -0,0 +1,28 @@
{ bash, coreutils, gnused, stdenv, fetchgit, ucspi-tcp }:
with import <stockholm/lib>;
let
version = "1.1";
in stdenv.mkDerivation {
name = "htgen-${version}";
src = fetchgit {
url = "http://cgit.krebsco.de/htgen";
rev = "refs/tags/v${version}";
sha256 = "1zxj0fv9vdrqyl3x2hgq7a6xdlzpclf93akygysrzsqk9wjapp4z";
};
installPhase = ''
mkdir -p $out/bin
{
echo '#! ${bash}/bin/bash'
echo 'export PATH=${makeBinPath [
ucspi-tcp
coreutils
gnused
]}''${PATH+":$PATH"}'
cat htgen
} > $out/bin/htgen
chmod +x $out/bin/htgen
cp -r examples $out
'';
}
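Review bot: `fetchgit` fetches over plain `http://` and resolves a tag (`rev = "refs/tags/v${version}"`), so the `sha256` is the only thing binding this build to known source. The fixed-output hash does stop a moved or tampered tag from building, but pinning the commit, e.g. `rev = "<commit-id-of-v1.1>";`, and using an `https://` URL if the host offers one would make the provenance explicit and give a clearer failure than a hash mismatch. A comment above `installPhase` noting that the generated wrapper prepends `ucspi-tcp`, `coreutils` and `gnused` to `PATH` and then appends the upstream `htgen` script unchanged would document what ends up in `$out/bin/htgen`.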


@ -32,10 +32,13 @@ let
public-repos = mapAttrs make-public-repo { public-repos = mapAttrs make-public-repo {
stockholm = { stockholm = {
cgit.desc = "take all the computers hostage, they'll love you!"; cgit.desc = "take all the computers hostage, they'll love you!";
cgit.section = "configuration";
}; };
kimsufi-check = {};
} // mapAttrs make-public-repo-silent { } // mapAttrs make-public-repo-silent {
the_playlist = {}; the_playlist = {
cgit.desc = "Good Music collection + tools";
cgit.section = "art";
};
}; };
restricted-repos = mapAttrs make-restricted-repo ( restricted-repos = mapAttrs make-restricted-repo (


@ -10,6 +10,7 @@ let
public = true; public = true;
name = mkDefault "${name}"; name = mkDefault "${name}";
cgit.desc = mkDefault "mirror for ${name}"; cgit.desc = mkDefault "mirror for ${name}";
cgit.section = mkDefault "mirror";
hooks = mkIf announce (mkDefault { hooks = mkIf announce (mkDefault {
post-receive = pkgs.git-hooks.irc-announce { post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName; nick = config.networking.hostName;


@ -120,6 +120,7 @@ in {
sender_domains = [ sender_domains = [
"jla-trading.com" "jla-trading.com"
"ubikmedia.eu" "ubikmedia.eu"
"ubikmedia.de"
]; ];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem";


@ -29,9 +29,12 @@ in {
../2configs/deployment/owncloud.nix ../2configs/deployment/owncloud.nix
../2configs/nginx/share-download.nix ../2configs/nginx/share-download.nix
../2configs/nginx/euer.test.nix ../2configs/nginx/euer.test.nix
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
../2configs/nginx/public_html.nix ../2configs/nginx/public_html.nix
../2configs/nginx/update.connector.one.nix ../2configs/nginx/update.connector.one.nix
../2configs/deployment/mycube.connector.one.nix ../2configs/deployment/mycube.connector.one.nix
../2configs/deployment/graphs.nix
# ../2configs/opentracker.nix # ../2configs/opentracker.nix
../2configs/logging/central-stats-client.nix ../2configs/logging/central-stats-client.nix


@ -43,7 +43,6 @@ in {
# TODO: unlock home partition via ssh # TODO: unlock home partition via ssh
../2configs/fs/sda-crypto-root.nix ../2configs/fs/sda-crypto-root.nix
../2configs/zsh-user.nix ../2configs/zsh-user.nix
../2configs/urlwatch.nix
../2configs/backup.nix ../2configs/backup.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix ../2configs/smart-monitor.nix
@ -182,5 +181,17 @@ in {
zramSwap.enable = true; zramSwap.enable = true;
krebs.Reaktor.reaktor = {
nickname = "Reaktor|bot";
channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
plugins = with pkgs.ReaktorPlugins;[
titlebot
# stockholm-issue
nixos-version
shack-correct
sed-plugin
random-emoji ];
};
krebs.build.host = config.krebs.hosts.omo; krebs.build.host = config.krebs.hosts.omo;
} }


@ -19,8 +19,6 @@ in {
../2configs/backup.nix ../2configs/backup.nix
# other nginx # other nginx
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
# ../2configs/nginx/euer.test.nix # ../2configs/nginx/euer.test.nix
# collectd # collectd
@ -33,46 +31,9 @@ in {
krebs.build.host = config.krebs.hosts.wry; krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.reaktor = {
nickname = "Reaktor|bot";
channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
plugins = with pkgs.ReaktorPlugins;[
titlebot
# stockholm-issue
nixos-version
shack-correct
sed-plugin
random-emoji ];
};
# prepare graphs # prepare graphs
services.nginx.enable = true; services.nginx.enable = true;
krebs.retiolum-bootstrap.enable = true; krebs.retiolum-bootstrap.enable = true;
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
krebs.tinc_graphs = {
enable = true;
nginx = {
enable = true;
# TODO: remove hard-coded hostname
complete = {
extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
serverAliases = [ "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
};
anonymous = {
enableSSL = true;
forceSSL = true;
enableACME = true;
};
};
};
networking = { networking = {
firewall = { firewall = {


@ -8,6 +8,7 @@
[ # base [ # base
../. ../.
../2configs/main-laptop.nix ../2configs/main-laptop.nix
../2configs/extra-fonts.nix
../2configs/tools/all.nix ../2configs/tools/all.nix
../2configs/laptop-backup.nix ../2configs/laptop-backup.nix
../2configs/dnscrypt.nix ../2configs/dnscrypt.nix
@ -46,7 +47,7 @@
../2configs/mail-client.nix ../2configs/mail-client.nix
../2configs/printer.nix ../2configs/printer.nix
../2configs/virtualization.nix ../2configs/virtualization.nix
# ../2configs/virtualization-virtualbox.nix ../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix ../2configs/wwan.nix
../2configs/rad1o.nix ../2configs/rad1o.nix


@ -29,7 +29,7 @@ let
}; };
in { in {
krebs.backup.plans = { krebs.backup.plans = {
wry-to-omo_root = defaultPull config.krebs.hosts.wry "/"; # wry-to-omo_root = defaultPull config.krebs.hosts.wry "/";
gum-to-omo_root = defaultPull config.krebs.hosts.gum "/"; gum-to-omo_root = defaultPull config.krebs.hosts.gum "/";
}; };
} }


@ -41,7 +41,7 @@ in
fonts = { fonts = {
enableCoreFonts = true; enableCoreFonts = true;
enableFontDir = true; enableFontDir = true;
enableGhostscriptFonts = false; enableGhostscriptFonts = true;
fonts = [ pkgs.terminus_font ]; fonts = [ pkgs.terminus_font ];
}; };
@ -62,7 +62,7 @@ in
cat |derp <<EOF cat |derp <<EOF
XTerm*background: black XTerm*background: black
XTerm*foreground: white XTerm*foreground: white
XTerm*FaceName : Terminus:pixelsize=14 XTerm*FaceName : xft:xos4 Terminus:pixelsize=14
URxvt*termName: rxvt URxvt*termName: rxvt
URxvt*saveLines: 10000 URxvt*saveLines: 10000
@ -74,7 +74,8 @@ in
URxvt.background: black URxvt.background: black
URxvt.urgentOnBell: true URxvt.urgentOnBell: true
URxvt.visualBell: false URxvt.visualBell: false
URxvt.font : xft:Terminus URxvt.font : xft:xos4 Terminus:size=12
! blue ! blue
URxvt*color4: #268bd2 URxvt*color4: #268bd2


@ -14,7 +14,7 @@ with import <stockholm/lib>;
let let
sec = toString <secrets>; sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine # secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>; secKey = "${secrets}/bepasty-secret";
acmepath = "/var/lib/acme/"; acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/"; acmechall = acmepath + "/challenges/";
ext-dom = "paste.krebsco.de" ; ext-dom = "paste.krebsco.de" ;
@ -31,7 +31,7 @@ in {
serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
}; };
defaultPermissions = "admin,list,create,read,delete"; defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey; secretKeyFile = secKey;
}; };
"${ext-dom}" = { "${ext-dom}" = {
@ -41,7 +41,7 @@ in {
enableACME = true; enableACME = true;
}; };
defaultPermissions = "read"; defaultPermissions = "read";
secretKey = secKey; secretKeyFile = secKey;
}; };
}; };
}; };
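Review bot: The new `secKey = "${secrets}/bepasty-secret";` interpolates `secrets`, but the only binding visible in this `let` is `sec = toString <secrets>;`. If `secrets` is not bound outside the hunk, evaluation fails. If it is bound to a path value, interpolating it copies that directory into the world-readable Nix store, which defeats the point of switching to `secretKeyFile`. `secKey = "${sec}/bepasty-secret";` keeps it a plain string path. The comment above it ("nothing worth protecting on a local machine") no longer fits, because the later hunks pass the same key file to the public `${ext-dom}` instance. The `let` block starts and ends outside these hunks.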


@ -22,7 +22,7 @@ with import <stockholm/lib>;
user = config.krebs.users.makefu; user = config.krebs.users.makefu;
source = let source = let
inherit (config.krebs.build) host user; inherit (config.krebs.build) host user;
ref = "53a2baa"; # unstable @ 2017-02-28 ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1
in { in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
{ {


@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
hn = config.krebs.build.host.name;
in {
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
krebs.tinc_graphs = {
enable = true;
nginx = {
enable = true;
# TODO: remove hard-coded hostname
complete = {
extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
serverAliases = [
"graphs.r" "graphs.retiolum"
"graphs.${hn}" "graphs.${hn}.retiolum"
];
};
anonymous = {
enableSSL = true;
forceSSL = true;
enableACME = true;
};
};
};
}
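Review bot: The `krebs.bepasty.servers."paste.r".nginx.extraConfig` block at the top of this file guards the paste service, not the graphs, and this commit deletes the same block from the wry host configuration. A host that still serves `paste.r` without importing this file would lose the `return 403` on its external address. A host that imports the file only for graphs would presumably get a `paste.r` server entry defined as a side effect, though that is inferred because the bepasty module is not visible here. Keeping the guard next to the bepasty server definition ties it to the service it protects. `internal-ip` is bound in the `let` but never used. The `# TODO: remove hard-coded hostname` comment is stale now that the aliases are built from `${hn}`.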


@ -0,0 +1,14 @@
{ pkgs, ... }:
{
fonts = {
enableFontDir = true;
enableGhostscriptFonts = true;
fonts = with pkgs; [
inconsolata # monospaced
ubuntu_font_family # Ubuntu fonts
unifont # some international languages
dejavu_fonts
terminus_font
];
};
}


@ -5,7 +5,7 @@
enable = true; enable = true;
drivers = [ drivers = [
pkgs.samsungUnifiedLinuxDriver pkgs.samsungUnifiedLinuxDriver
pkgs.dymo-cups-drivers pkgs.cups-dymo
]; ];
}; };


@ -9,7 +9,7 @@
## nixpkgs maintenance ## nixpkgs maintenance
https://api.github.com/repos/ovh/python-ovh/tags https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags https://api.github.com/repos/embray/d2to1/tags
http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release https://api.github.com/repos/Mic92/vicious/tags
https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
@ -19,6 +19,7 @@
https://api.github.com/repos/embray/d2to1/tags https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/dorimanx/exfat-nofuse/commits https://api.github.com/repos/dorimanx/exfat-nofuse/commits
https://api.github.com/repos/dorimanx/exfat-nofuse/tags https://api.github.com/repos/dorimanx/exfat-nofuse/tags
https://api.github.com/repos/radare/radare2/tags
]; ];
}; };
} }


@ -1,6 +1,7 @@
_: _:
{ {
# TODO: requires in path: amixer, xlock, xbacklight
full = ./full.cfg; full = ./full.cfg;
kiosk = ./kiosk.lua; kiosk = ./kiosk.lua;
} }


@ -1,17 +0,0 @@
{ stdenv, lib, pkgs, fetchurl, cups, ... }:
stdenv.mkDerivation rec {
name = "dymo-cups-drivers-${version}";
version = "1.4.0";
src = fetchurl {
url = "http://download.dymo.com/dymo/Software/Download%20Drivers/Linux/Download/${name}.tar.gz";
sha256 = "0wagsrz3q7yrkzb5ws0m5faq68rqnqfap9p98sgk5jl6x7krf1y6";
};
buildInputs = [ cups ];
makeFlags = [ "cupsfilterdir=$(out)/lib/cups/filter" "cupsmodeldir=$(out)/share/cups/model" ];
# acd_cli gets dumped in bin and gets overwritten by fixupPhase
meta = {
description = "Dymo printer drivers";
};
}


@ -1,43 +0,0 @@
{ stdenv, fetchurl, cmake, libuuid, gnutls, makeWrapper }:
stdenv.mkDerivation rec {
name = "taskserver-${version}";
version = "1.1.0";
enableParallelBuilding = true;
src = fetchurl {
url = "http://www.taskwarrior.org/download/taskd-${version}.tar.gz";
sha256 = "1d110q9vw8g5syzihxymik7hd27z1592wkpz55kya6lphzk8i13v";
};
patchPhase = ''
pkipath=$out/share/taskd/pki
mkdir -p $pkipath
cp -r pki/* $pkipath
echo "patching paths in pki/generate"
sed -i "s#^\.#$pkipath#" $pkipath/generate
for f in $pkipath/generate* ;do
i=$(basename $f)
echo patching $i
sed -i \
-e 's/which/type -p/g' \
-e 's#^\. ./vars#if test -e ./vars;then . ./vars; else echo "cannot find ./vars - copy the template from '$pkipath'/vars into the working directory";exit 1; fi#' $f
echo wrapping $i
makeWrapper $pkipath/$i $out/bin/taskd-pki-$i \
--prefix PATH : ${gnutls}/bin/
done
'';
buildInputs = [ makeWrapper ];
nativeBuildInputs = [ cmake libuuid gnutls ];
meta = {
description = "Server for synchronising Taskwarrior clients";
homepage = http://taskwarrior.org;
license = stdenv.lib.licenses.mit;
platforms = stdenv.lib.platforms.linux;
maintainers = with stdenv.lib.maintainers; [ matthiasbeyer makefu ];
};
}


@ -15,6 +15,7 @@ in
../2configs/cgit-mirror.nix ../2configs/cgit-mirror.nix
../2configs/repo-sync.nix ../2configs/repo-sync.nix
../2configs/graphite.nix ../2configs/graphite.nix
../2configs/share-shack.nix
]; ];
# use your own binary cache, fallback use cache.nixos.org (which is used by # use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place) # apt-cacher-ng in first place)


@ -0,0 +1,38 @@
{config, ... }:{
users.users.smbguest = {
name = "smbguest";
uid = config.ids.uids.smbguest;
group = "share";
description = "smb guest user";
home = "/home/share";
createHome = true;
};
networking.firewall.allowedTCPPorts = [
139 445 # samba
];
networking.firewall.allowedUDPPorts = [
137 138
];
services.samba = {
enable = true;
shares = {
share-home = {
path = "/home/share/";
"read only" = "no";
browseable = "yes";
"guest ok" = "yes";
};
};
extraConfig = ''
guest account = smbguest
map to guest = bad user
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
'';
};
}
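Review bot: The share is writable by unauthenticated guests (`"guest ok" = "yes"`, `"read only" = "no"`, `map to guest = bad user`), and the firewall lines open 139/445 and 137/138 without any interface restriction. Nothing in the file limits which networks may connect, so if the host has an interface outside the intended LAN the share is reachable and writable from there too. Adding `hosts allow = <lan-cidr>` to `extraConfig`, optionally with `interfaces = <lan-iface>` and `bind interfaces only = yes`, would scope it. `group = "share"` is referenced but no `users.groups.share` is declared in this file, so it presumably has to exist elsewhere. A comment saying who is meant to use the share would make the open-guest choice reviewable.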