Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2017-04-19 10:02:57 +02:00
commit 0ea25143c9
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
12 changed files with 52 additions and 238 deletions


@ -37,7 +37,7 @@ let
# TODO use the correct type # TODO use the correct type
type = with types; attrsOf unspecified; type = with types; attrsOf unspecified;
description = '' description = ''
additional nginx configuration. see krebs.nginx for all options Additional nginx configuration.
''; '';
}; };
secretKey = mkOption { secretKey = mkOption {


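--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -78,7 +78,6 @@ let
 # stopAllBuilds = 'auth',
 # cancelPendingBuild = 'auth'
 #)
-# TODO: configure krebs.nginx
 c['www'] = dict(
 port = ${toString cfg.web.port},
 plugins = { 'waterfall_view':{}, 'console_view':{} }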


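--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -26,7 +26,6 @@ let
 ./kapacitor.nix
 ./monit.nix
 ./newsbot-js.nix
-./nginx.nix
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix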


@ -1,190 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.krebs.nginx;
out = {
options.krebs.nginx = api;
config = lib.mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "krebs.nginx";
default404 = mkOption {
type = types.bool;
default = true;
description = ''
By default all requests not directed to an explicit hostname are
replied with a 404 error to avoid accidental exposition of nginx
services.
Set this value to `false` to disable this behavior - you will then be
able to configure a new `default_server` in the listen address entries
again.
'';
};
servers = mkOption {
type = types.attrsOf (types.submodule {
options = {
server-names = mkOption {
type = with types; listOf str;
default =
[config.krebs.build.host.name] ++
concatMap (getAttr "aliases")
(attrValues config.krebs.build.host.nets);
};
listen = mkOption {
type = with types; either str (listOf str);
default = "80";
apply = x:
if typeOf x != "list"
then [x]
else x;
};
locations = mkOption {
type = with types; listOf (attrsOf str);
default = [];
};
extraConfig = mkOption {
type = with types; string;
default = "";
};
ssl = mkOption {
type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
acmeEnable = mkOption {
type = bool;
apply = x:
if x && config.enable
#conflicts because of certificate/certificate_key location
then throw "can't use ssl.enable and ssl.acmeEnable together"
else x;
default = false;
description = ''
enables automatical generation of lets-encrypt certificates and setting them as certificate
conflicts with ssl.enable
'';
};
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
#TODO: check for valid cipher
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
prefer_server_ciphers = mkOption {
type = bool;
default = true;
};
force_encryption = mkOption {
type = bool;
default = false;
description = ''
redirect all `http` traffic to the same domain but with ssl
protocol.
'';
};
protocols = mkOption {
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
default = [ "TLSv1.1" "TLSv1.2" ];
};
};
});
default = {};
};
};
});
default = {};
};
};
imp = {
security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
${optionalString cfg.default404 ''
server {
listen 80 default_server;
server_name _;
return 404;
}''}
${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
'';
};
};
to-acme = { server-names, ssl, ... }:
optionalAttrs ssl.acmeEnable {
email = "lassulus@gmail.com";
webroot = "${config.security.acme.directory}/${head server-names}";
};
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
domain = head server-names;
acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
root ${config.security.acme.certs.${domain}.webroot};
'');
in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
${optionalString ssl.force_encryption ''
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
''}
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
${optionalString ssl.prefer_server_ciphers ''
ssl_prefer_server_ciphers On;
''}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
${optionalString ssl.acmeEnable (indent ''
${optionalString ssl.force_encryption ''
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
''}
listen 443 ssl;
ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
${optionalString ssl.prefer_server_ciphers ''
ssl_prefer_server_ciphers On;
''}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
${indent extraConfig}
${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';
in
out


@ -1,53 +1,38 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
let let
cfg = config.krebs.retiolum-bootstrap; cfg = config.krebs.retiolum-bootstrap;
in
out = { {
options.krebs.retiolum-bootstrap = api; options.krebs.retiolum-bootstrap = {
config = lib.mkIf cfg.enable imp; enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}";
}; serverName = mkOption {
api = {
enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
hostname = mkOption {
type = types.str; type = types.str;
description = "hostname which serves tinc boot"; description = "hostname which serves tinc boot";
default = "tinc.krebsco.de" ; default = "tinc.krebsco.de" ;
}; };
listen = mkOption { sslCertificate = mkOption {
type = with types; listOf str;
description = ''Addresses to listen on (nginx-syntax).
ssl will be configured, http will be redirected to ssl.
Make sure to have at least 1 ssl port configured.
'';
default = [ "80" "443 ssl" ] ;
};
ssl_certificate_key = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.key";
};
ssl_certificate = mkOption {
type = types.str; type = types.str;
description = "Certificate file to use for ssl"; description = "Certificate file to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.crt" ; default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
}; };
sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.key";
};
# in use: # in use:
# <secrets/tinc.krebsco.de.crt> # <secrets/tinc.krebsco.de.crt>
# <secrets/tinc.krebsco.de.key> # <secrets/tinc.krebsco.de.key>
}; };
imp = { config = mkIf cfg.enable {
krebs.nginx.servers = assert config.krebs.nginx.enable; { services.nginx = {
retiolum-boot-ssl = { enable = mkDefault true;
server-names = singleton cfg.hostname; virtualHosts.retiolum-bootstrap = {
listen = cfg.listen; inherit (cfg) serverName sslCertificate sslCertificateKey;
extraConfig = '' enableSSL = true;
ssl_certificate ${cfg.ssl_certificate}; extraConfig =''
ssl_certificate_key ${cfg.ssl_certificate_key};
if ($scheme = http){ if ($scheme = http){
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
} }
@ -55,10 +40,7 @@ let
root ${pkgs.retiolum-bootstrap}; root ${pkgs.retiolum-bootstrap};
try_files $uri $uri/retiolum.sh; try_files $uri $uri/retiolum.sh;
''; '';
locations = [];
}; };
}; };
}; };
}
in
out
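Review bot: The new virtualHost combines `enableSSL = true;` with a hand-written `if ($scheme = http){ return 301 https://$server_name$request_uri; }` in extraConfig; if the nixpkgs this tree pins already offers it, `forceSSL = true;` expresses the same http-to-https redirect through the module (a separate port-80 server answering 301) and avoids both the `enableSSL` flag, which later nixpkgs deprecates, and an `if` block that nginx also evaluates for every request on the TLS port. The option description `mkEnableOption "retiolum boot strap for ${cfg.serverName}"` now reads a config value while the description is rendered, which presumably surprises manual/`nixos-option` generation; a static text such as `mkEnableOption "retiolum bootstrap vhost"` is safer. The vhost definition is split across this section's two hunks, so the closing of `config = mkIf cfg.enable {` is only partly in view.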


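--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -11,6 +11,30 @@ with import <stockholm/lib>;
 ../2configs/mc.nix
 ../2configs/nixpkgs.nix
 ../2configs/vim.nix
+{
+# /dev/stderr doesn't work. I don't know why
+# /proc/self doesn't seem to work correctly
+# /dev/pts is empty except for 1 file
+# my life sucks
+nixpkgs.config.packageOverrides = super: {
+irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+pkgs.coreutils
+(pkgs.writeDashBin "tee" ''
+if test "$1" = /dev/stderr; then
+while read -r line; do
+echo "$line"
+echo "$line" >&2
+done
+else
+${super.coreutils}/bin/tee "$@"
+fi
+'')
+];};
+};
+};
+boot.kernelParams = [ "copytoram" ];
+}
 {
 krebs.enable = true;
 krebs.build.user = config.krebs.users.lass;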
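Review bot: The dash `tee` replacement is not a faithful tee even for the one form it handles: `while read -r line` drops a final line that has no trailing newline and strips leading and trailing blanks, and dash's `echo` interprets backslash sequences in the relayed data. A closer loop is `while IFS= read -r line || [ -n "$line" ]; do printf '%s\n' "$line"; printf '%s\n' "$line" >&2; done`. Every other invocation (`tee -a ...`, `tee /dev/stderr file`) silently falls through to the real coreutils tee, so the comment block should state the scope, e.g. `# emulates only the single-argument "tee /dev/stderr" form irc-announce is assumed to use`. The list this module is appended to (presumably `imports`) begins before the hunk and the enclosing expression continues after it.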


@ -32,8 +32,6 @@ in {
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
virtualisation.libvirtd.enable = true;
programs.ssh.startAgent = false; programs.ssh.startAgent = false;
services.printing = { services.printing = {


@ -20,7 +20,7 @@ in {
}; };
config.krebs.buildbot.master = let config.krebs.buildbot.master = let
stockholm-mirror-url = http://cgit.lassul.us/stockholm ; stockholm-mirror-url = http://cgit.prism.r/stockholm ;
in { in {
workers = { workers = {
testworker = "lasspass"; testworker = "lasspass";
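Review bot: `stockholm-mirror-url = http://cgit.prism.r/stockholm ;` fetches the source the build master will build over plain http, so its integrity rests entirely on the path to that host. If, as the `.r` suffix suggests, the mirror is only reachable inside the private overlay network this may be intended, but it deserves a comment next to the binding, e.g. `# plain http: mirror is expected to be reachable only over the internal network`, or https if cgit there offers it.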


@ -64,7 +64,10 @@ with import <stockholm/lib>;
]; ];
} }
{ {
services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy = {
enable = true;
resolverName = "cs-de";
};
networking.extraResolvconfConf = '' networking.extraResolvconfConf = ''
name_servers='127.0.0.1' name_servers='127.0.0.1'
''; '';
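Review bot: `resolverName = "cs-de";` is a free-form string that is presumably looked up in the resolver list bundled with the dnscrypt-proxy package, so a renamed or removed entry surfaces only when the service starts, not at evaluation; with `name_servers='127.0.0.1'` as the sole nameserver that failure leaves the host without DNS. A comment on the line would make the coupling visible, e.g. `# must match an entry in dnscrypt-proxy's bundled resolver list; re-check after a nixpkgs bump`.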


@ -6,7 +6,7 @@ in {
krebs.fetchWallpaper = { krebs.fetchWallpaper = {
enable = true; enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/wallpaper.png"; url = "prism/realwallpaper-sat-krebs.png";
maxTime = 10; maxTime = 10;
}; };
} }


@ -3,6 +3,6 @@
{ {
krebs.build.source.nixpkgs.git = { krebs.build.source.nixpkgs.git = {
url = https://cgit.lassul.us/nixpkgs; url = https://cgit.lassul.us/nixpkgs;
ref = "5acb454"; ref = "c85f39e";
}; };
} }


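--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -36,7 +36,6 @@ in {
 enable = true;
 tables = {};
 };
-nginx.enable = true;
 realwallpaper.enable = true;
 tinc.retiolum.enable = true;
 retiolum-bootstrap.enable = true;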