diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index ff0cc8346..756245c0b 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -14,6 +14,7 @@ let ./iptables.nix ./nginx.nix ./Reaktor.nix + ./retiolum-bootstrap.nix ./realwallpaper.nix ./retiolum.nix ./urlwatch.nix diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 4628b2acc..acc5d7dd2 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -127,10 +127,8 @@ with import ../../4lib { inherit lib; }; "krebsco.de" = '' IN MX 10 mx42 euer IN MX 1 aspmx.l.google.com. - io IN NS pigstarter.krebsco.de. pigstarter IN A ${head nets.internet.addrs4} gold IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} boot IN A ${head nets.internet.addrs4}''; }; nets = { @@ -166,7 +164,9 @@ with import ../../4lib { inherit lib; }; extraZones = { "krebsco.de" = '' wry IN A ${head nets.internet.addrs4} + io IN NS wry.krebsco.de. graphs IN A ${head nets.internet.addrs4} + tinc IN A ${head nets.internet.addrs4} ''; }; nets = rec { diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix new file mode 100644 index 000000000..eed11642f --- /dev/null +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.krebs.retiolum-bootstrap; + + out = { + options.krebs.retiolum-bootstrap = api; + config = mkIf cfg.enable imp ; + }; + + api = { + enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de"; + hostname = mkOption { + type = types.str; + description = "hostname which serves tinc boot"; + default = "tinc.krebsco.de" ; + }; + ssl_certificate_key = mkOption { + type = types.str; + description = "Certificate key to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.key"; + }; + ssl_certificate = mkOption { + type = types.str; + description = "Certificate file to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.crt" ; + }; + # in use: + # + # + }; + + imp = { + krebs.nginx.servers = assert config.krebs.nginx.enable; { + retiolum-boot-redir = { + server-names = singleton cfg.hostname; + extraConfig = '' + return 301 https://$server_name$request_uri; + ''; + locations = []; + }; + retiolum-boot-ssl = { + server-names = singleton cfg.hostname; + listen = "443 ssl"; + extraConfig = '' + ssl_certificate ${cfg.ssl_certificate}; + ssl_certificate_key ${cfg.ssl_certificate_key}; + root ${pkgs.retiolum-bootstrap}; + try_files $uri $uri/retiolum.sh; + ''; + locations = []; + }; + }; + }; + +in +out diff --git a/krebs/5pkgs/retiolum-bootstrap/default.nix b/krebs/5pkgs/retiolum-bootstrap/default.nix new file mode 100644 index 000000000..331b1cb7f --- /dev/null +++ b/krebs/5pkgs/retiolum-bootstrap/default.nix @@ -0,0 +1,29 @@ +{ stdenv,lib,fetchurl, ... }: +with lib; +stdenv.mkDerivation rec { + name = "retiolum-bootstrap"; + version = "4.2.3"; + + + src = fetchurl { + url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh; + sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s"; + }; + + phases = [ + "installPhase" + ]; + + installPhase = '' + mkdir -p "$out" + cp -a ${src} $out/retiolum.sh + ''; + + meta = { + description = "Retiolum boostrap scripts"; + url = https://github.com/krebscode/painload; + license = licenses.wtfpl; + platforms = platforms.unix; + maintainers = with maintainers; [ makefu ]; + }; +} diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 8f7f5ea7c..97cf86a4e 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -21,6 +21,7 @@ # applications ../2configs/exim-retiolum.nix + ../2configs/mail-client.nix #../2configs/virtualization.nix ../2configs/virtualization-virtualbox.nix ../2configs/wwan.nix diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 819a208ac..a7ed93c43 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -5,38 +5,50 @@ let ip = (lib.head config.krebs.build.host.nets.internet.addrs4); in { imports = [ - ../../tv/2configs/CAC-CentOS-7-64bit.nix - ../2configs/base.nix - ../2configs/base-sources.nix - ../2configs/tinc-basic-retiolum.nix + # TODO: copy this config or move to krebs + ../../tv/2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/base-sources.nix + ../2configs/tinc-basic-retiolum.nix + + ../2configs/iodined.nix + + # Reaktor + ../2configs/Reaktor/simpleExtend.nix ]; + krebs.Reaktor.enable = true; + networking.firewall.allowPing = true; networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.233.87.1"; - networking.nameservers = [ - "8.8.8.8" - ]; + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.233.87.1"; + networking.nameservers = [ + "8.8.8.8" + ]; # based on ../../tv/2configs/CAC-Developer-2.nix sound.enable = false; # prepare graphs nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.nginx.enable = true; + krebs.retiolum-bootstrap.enable = true; makefu.tinc_graphs.enable = true; + makefu.tinc_graphs.krebsNginx = { enable = true; # TODO: remove hard-coded hostname hostnames_complete = [ "graphs.wry" ]; hostnames_anonymous = [ "graphs.krebsco.de" ]; }; - networking.firewall.allowedTCPPorts = [80]; + + networking.firewall.allowedTCPPorts = [ 53 80 443 ]; krebs.build = { user = config.krebs.users.makefu; diff --git a/makefu/2configs/base-sources.nix b/makefu/2configs/base-sources.nix index 826cd6fef..7e6bebec3 100644 --- a/makefu/2configs/base-sources.nix +++ b/makefu/2configs/base-sources.nix @@ -3,9 +3,9 @@ { krebs.build.source = { git.nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - #url = https://github.com/makefu/nixpkgs; - rev = "dc18f39bfb2f9d1ba62c7e8ad98544bb15cb26b2"; # nixos-15.09 + #url = https://github.com/NixOS/nixpkgs; + url = https://github.com/makefu/nixpkgs; + rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine }; dir.secrets = { diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 1277a014e..189dd66c8 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -10,6 +10,9 @@ let stockholm = { desc = "Make all the systems into 1systems!"; }; + tinc_graphs = { + desc = "Tinc Advanced Graph Generation"; + }; }; priv-repos = mapAttrs make-priv-repo { diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix new file mode 100644 index 000000000..db8a1bfed --- /dev/null +++ b/makefu/2configs/iodined.nix @@ -0,0 +1,16 @@ +{ services,builtins,environment,pkgs, ... }: + +let + # TODO: make this a parameter + domain = "io.krebsco.de"; + pw = import ; +in { + + services.iodined = { + enable = true; + domain = domain; + ip = "172.16.10.1/24"; + extraConfig = "-P ${pw}"; + }; + +} diff --git a/makefu/2configs/mail-client.nix b/makefu/2configs/mail-client.nix new file mode 100644 index 000000000..a6ae33d2f --- /dev/null +++ b/makefu/2configs/mail-client.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + environment.systemPackages = with pkgs; [ + msmtp + mutt-kz + notmuch + offlineimap + ]; + +} diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix new file mode 100644 index 000000000..d970652a4 --- /dev/null +++ b/makefu/3modules/bepasty-server.nix @@ -0,0 +1,160 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + gunicorn = pkgs.pythonPackages.gunicorn; + bepasty = pkgs.pythonPackages.bepasty-server; + gevent = pkgs.pythonPackages.gevent; + python = pkgs.pythonPackages.python; + cfg = config.makefu.bepasty-server; + + out = { + options.makefu.bepasty-server = api; + config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + }; + + api = { + enable = mkEnableOption "Bepasty Servers"; + serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx"; + + servers = mkOption { + type = with types; attrsOf optionSet; + options = singleton { + nginxCfg = mkOption { + # TODO use the correct type + type = with types; attrsOf unspecified; + description = '' + additional nginx configuration. see krebs.nginx for all options + '' ; + }; + debug = mkOption { + type = types.bool; + description = '' + run server in debug mode + ''; + default = false; + }; + + # TODO: assert secretKey + secretKey = mkOption { + type = types.str; + description = '' + server secret for safe session cookies, must be set. + ''; + }; + + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi + workDir = mkOption { + type = types.str; + description = '' + Path to the working directory (used for sockets and pidfile). + Defaults to the users home directory. Must be accessible to nginx, + permissions will be set to 755 + ''; + default = config.users.extraUsers.bepasty.home; + }; + + dataDir = mkOption { + type = types.str; + description = '' + Defaults to the new users home dir which defaults to + /var/lib/bepasty-server/data + ''; + default = "${config.users.extraUsers.bepasty.home}/data"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + example = '' + PERMISSIONS = { + 'myadminsecret': 'admin,list,create,read,delete', + } + MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 + ''; + }; + + defaultPermissions = mkOption { + type = types.str; + default = "list"; + }; + + }; + default = {}; + }; + + }; + + imp = { + # Configures systemd services for each configured server + # environment.systemPackages = [ bepasty gunicorn gevent ]; + systemd.services = mapAttrs' (name: server: + nameValuePair ("bepasty-server-${name}") + ({ + description = "Bepasty Server ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + environment = { + BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; + PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + }; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' + #!/bin/sh + chmod 755 ${server.workDir} + mkdir -p ${server.dataDir} + cat > ${server.workDir}/bepasty-${name}.conf <