Merge remote-tracking branch 'prism/lassulus'

2017-01-05 19:13:29 +01:00 · 2017-01-05 19:13:29 +01:00 · 62372f917e
commit 62372f917e
parent 0d4911ce2f 2e9d5f604c
12 changed files with 117 additions and 110 deletions
--- a/lass/1systems/icarus.nix
+++ b/lass/1systems/icarus.nix
@ -13,6 +13,7 @@ with import <stockholm/lib>;
    ../2configs/programs.nix
    ../2configs/fetchWallpaper.nix
    ../2configs/backups.nix
+    ../2configs/games.nix
    #{
    #  users.extraUsers = {
    #    root = {
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@ -307,20 +307,16 @@ with import <stockholm/lib>;

    #Runtime PMs
    echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
    echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
  '';
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@ -26,6 +26,7 @@ in {
    ../2configs/iodined.nix
    ../2configs/libvirt.nix
    ../2configs/hfos.nix
+    ../2configs/makefu-sip.nix
    {
      users.extraGroups = {
        # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -7,7 +7,12 @@ in {
    ./xserver
    ./mpv.nix
    ./power-action.nix
-    ./pulse.nix
+    {
+      hardware.pulseaudio = {
+        enable = true;
+        systemWide = true;
+      };
+    }
  ];

  users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -22,6 +22,7 @@ with import <stockholm/lib>;
          openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
            config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
          ];
        };
        mainUser = {
@ -38,6 +39,7 @@ with import <stockholm/lib>;
          openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
            config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
          ];
        };
      };
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@ -51,6 +51,8 @@ in {
    };
  };

+  hardware.pulseaudio.support32Bit = true;
+
  security.sudo.extraConfig = ''
    ${mainUser.name} ALL=(games) NOPASSWD: ALL
  '';
--- a/lass/2configs/makefu-sip.nix
+++ b/lass/2configs/makefu-sip.nix
@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  users.users.makefu = {
+    uid = genid "makefu";
+    isNormalUser = true;
+    extraGroups = [ "libvirtd" ];
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.makefu.pubkey
+    ];
+  };
+
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
+  ];
+
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+  ];
+}
--- a/lass/2configs/pulse.nix
+++ b/lass/2configs/pulse.nix
@ -1,96 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  pkg = pkgs.pulseaudioLight;
-  runDir = "/run/pulse";
-
-  alsaConf = pkgs.writeText "asound.conf" ''
-    ctl_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
-    }
-    pcm_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
-    }
-    ctl.!default {
-      type pulse
-    }
-    pcm.!default {
-      type pulse
-    }
-  '';
-
-  clientConf = pkgs.writeText "client.conf" ''
-    autospawn=no
-    default-server = unix:${runDir}/socket
-  '';
-
-  daemonConf = pkgs.writeText "daemon.conf" ''
-    exit-idle-time=-1
-    flat-volumes = no
-    default-fragments = 4
-    default-fragment-size-msec = 25
-  '';
-
-  configFile = pkgs.writeText "default.pa" ''
-    .include ${pkg}/etc/pulse/default.pa
-    load-module ${toString [
-      "module-native-protocol-unix"
-      "auth-anonymous=1"
-      "socket=${runDir}/socket"
-    ]}
-  '';
-in
-
-{
-  environment = {
-    etc = {
-      "asound.conf".source = alsaConf;
-      # XXX mkForce is not strong enough (and neither is mkOverride) to create
-      # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
-      #"pulse/client.conf" = mkForce { source = clientConf; };
-      #"pulse/client.conf".source = mkForce clientConf;
-      "pulse/default.pa".source = configFile;
-      "pulse/daemon.pa".source = daemonConf;
-    };
-    systemPackages = [
-      pkg
-    ] ++ optionals config.services.xserver.enable [
-      pkgs.pavucontrol
-    ];
-  };
-
-  # Allow PulseAudio to get realtime priority using rtkit.
-  security.rtkit.enable = true;
-
-  system.activationScripts.pulseaudio-hack = ''
-    ln -fns ${clientConf} /etc/pulse/client.conf
-  '';
-
-  systemd.services.pulse = {
-    wantedBy = [ "sound.target" ];
-    before = [ "sound.target" ];
-    environment = {
-      PULSE_RUNTIME_PATH = "${runDir}/home";
-    };
-    serviceConfig = {
-      ExecStart = "${pkg}/bin/pulseaudio";
-      ExecStartPre = pkgs.writeDash "pulse-start" ''
-        install -o pulse -g audio -m 0750 -d ${runDir}
-        install -o pulse -g audio -m 0700 -d ${runDir}/home
-      '';
-      PermissionsStartOnly = "true";
-      User = "pulse";
-    };
-  };
-
-  users = {
-    groups.pulse.gid = config.users.users.pulse.uid;
-    users.pulse = {
-      uid = genid "pulse";
-      group = "pulse";
-      extraGroups = [ "audio" ];
-      home = "${runDir}/home";
-    };
-  };
-}
--- a/lass/2configs/tests/dummy-secrets/grafana_security.nix
+++ b/lass/2configs/tests/dummy-secrets/grafana_security.nix
@ -0,0 +1,4 @@
+{
+  adminUser = "bla";
+  adminPassword = "blub";
+}
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@ -23,6 +23,9 @@ let
  '';

 in {
+
+  services.nginx.enable = true;
+
  imports = [
    ./sqlBackup.nix

--- a/makefu/2configs/elchos/irc-token.nix
+++ b/makefu/2configs/elchos/irc-token.nix
@ -3,19 +3,20 @@ with import <stockholm/lib>;
 let
  secret = (import <secrets/elchos-token.nix>);
 in {
-  systemd.services.elchos-irctoken = {
-    startAt = "*:0/30";
+  systemd.services.elchos-irctoken2 = {
+    startAt = "*:0/5";
    serviceConfig = {
      RuntimeMaxSec = "20";
    };
    script = ''
      set -euf
      now=$(date -u +%Y-%m-%dT%H:%M)
-      sec=$(echo -n "${secret}$now" | md5sum | cut -d\  -f1)
-      message="The secret valid for 30 minutes is $sec"
-      echo "token for $now (UTC) is $sec"
+      sleep 5
+      sec=$(cat /tmp/irc-secret)
+      message="The current secret is $sec"
+      echo "$message"
      LOGNAME=sec-announcer
-      HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static)
+      HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --transient)
      IRC_SERVER=irc.freenode.net
      IRC_PORT=6667
      IRC_NICK=$HOSTNAME-$$
@ -59,4 +60,18 @@ in {
        | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
    '';
  };
+  systemd.services.elchos-create-token = {
+    startAt = "*:0/30";
+    serviceConfig = {
+      RuntimeMaxSec = "20";
+    };
+    script = ''
+      set -euf
+      now=$(date -u +%Y-%m-%dT%H:%M)
+      sec=$(echo -n "${secret}$now" | md5sum | cut -d\  -f1)
+      message="The secret valid for 30 minutes is $sec"
+      echo -n "$sec" > /tmp/irc-secret
+      echo "token for $now (UTC) is $sec"
+    '';
+  };
 }
--- a/makefu/2configs/elchos/stats.nix
+++ b/makefu/2configs/elchos/stats.nix
@ -39,8 +39,57 @@ with import <stockholm/lib>;
  };

  services.graphite = {
-    api = {
+    beacon = {
      enable = true;
+      config = {
+        graphite_url = "http://localhost:18080";
+
+        no_data = "critical";
+        loading_error = "normal";
+
+        prefix = "[elchos]";
+
+        cli = {
+          command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 alert0r \#elchos ' [elchos] ''${level} ''${name} ''${value}' '';
+        };
+        #smtp = {
+        #  from = "beacon@mors.r";
+        #  to = [
+        #    "lass@mors.r"
+        #  ];
+        #};
+        normal_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        warning_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        critical_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        alerts = let
+          high-load = hostid: let
+              host = "elch-${toString hostid}"; in {
+              name = "high-cpu-load-${host}";
+              query = "aliasByNode(perSecond(elchos.${host}.cpu.0.cpu.idle),1)";
+              method = "average";
+              interval = "1minute";
+              logging = "info";
+              repeat_interval = "5minute";
+              rules = [
+  #              "warning: < 30.0"
+                "critical: < 1.0"
+              ];
+            };
+          in map high-load [ 1 2 3 4 5 6 7 8 ];
+      };
+   };
+   api = {
+      enable = true;
+      package = pkgs.graphiteApi;
      listenAddress = "127.0.0.1";
      port = 18080;
    };
@ -50,8 +99,8 @@ with import <stockholm/lib>;
      config = ''
        [cache]
        MAX_CACHE_SIZE = inf
-        MAX_UPDATES_PER_SECOND = 1
-        MAX_CREATES_PER_MINUTE = 500
+        MAX_UPDATES_PER_SECOND = 10
+        MAX_CREATES_PER_MINUTE = 5000
        '';
      storageSchemas = ''
        [carbon]
@ -62,6 +111,10 @@ with import <stockholm/lib>;
        patterhn = ^elchos\.
        retentions = 10s:30d,60s:3y

+
+        [default]
+        pattern = ^krebs\.
+        retentions = 1s:30d,30s:3m,300s:1y
        [default]
        pattern = .*
        retentions = 30s:30d,300s:1y