Merge remote-tracking branch 'prism/lassulus'

lass/1systems/icarus.nix

@@ -13,6 +13,7 @@ with import <stockholm/lib>;
     ../2configs/programs.nix
     ../2configs/fetchWallpaper.nix
     ../2configs/backups.nix
+    ../2configs/games.nix
     #{
     #  users.extraUsers = {
     #    root = {

lass/1systems/mors.nix

@@ -307,20 +307,16 @@ with import <stockholm/lib>;
 
     #Runtime PMs
     echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
   '';

lass/1systems/prism.nix

@@ -26,6 +26,7 @@ in {
     ../2configs/iodined.nix
     ../2configs/libvirt.nix
     ../2configs/hfos.nix
+    ../2configs/makefu-sip.nix
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories

lass/2configs/baseX.nix

@@ -7,7 +7,12 @@ in {
     ./xserver
     ./mpv.nix
     ./power-action.nix
-    ./pulse.nix
+    {
+      hardware.pulseaudio = {
+        enable = true;
+        systemWide = true;
+      };
+    }
   ];
 
   users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];

lass/2configs/default.nix

@@ -22,6 +22,7 @@ with import <stockholm/lib>;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
           ];
         };
         mainUser = {
@@ -38,6 +39,7 @@ with import <stockholm/lib>;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
           ];
         };
       };

lass/2configs/games.nix

@@ -51,6 +51,8 @@ in {
     };
   };
 
+  hardware.pulseaudio.support32Bit = true;
+
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(games) NOPASSWD: ALL
   '';

lass/2configs/makefu-sip.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  users.users.makefu = {
+    uid = genid "makefu";
+    isNormalUser = true;
+    extraGroups = [ "libvirtd" ];
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.makefu.pubkey
+    ];
+  };
+
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
+  ];
+
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+  ];
+}

lass/2configs/pulse.nix

@@ -1,96 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  pkg = pkgs.pulseaudioLight;
-  runDir = "/run/pulse";
-
-  alsaConf = pkgs.writeText "asound.conf" ''
-    ctl_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
-    }
-    pcm_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
-    }
-    ctl.!default {
-      type pulse
-    }
-    pcm.!default {
-      type pulse
-    }
-  '';
-
-  clientConf = pkgs.writeText "client.conf" ''
-    autospawn=no
-    default-server = unix:${runDir}/socket
-  '';
-
-  daemonConf = pkgs.writeText "daemon.conf" ''
-    exit-idle-time=-1
-    flat-volumes = no
-    default-fragments = 4
-    default-fragment-size-msec = 25
-  '';
-
-  configFile = pkgs.writeText "default.pa" ''
-    .include ${pkg}/etc/pulse/default.pa
-    load-module ${toString [
-      "module-native-protocol-unix"
-      "auth-anonymous=1"
-      "socket=${runDir}/socket"
-    ]}
-  '';
-in
-
-{
-  environment = {
-    etc = {
-      "asound.conf".source = alsaConf;
-      # XXX mkForce is not strong enough (and neither is mkOverride) to create
-      # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
-      #"pulse/client.conf" = mkForce { source = clientConf; };
-      #"pulse/client.conf".source = mkForce clientConf;
-      "pulse/default.pa".source = configFile;
-      "pulse/daemon.pa".source = daemonConf;
-    };
-    systemPackages = [
-      pkg
-    ] ++ optionals config.services.xserver.enable [
-      pkgs.pavucontrol
-    ];
-  };
-
-  # Allow PulseAudio to get realtime priority using rtkit.
-  security.rtkit.enable = true;
-
-  system.activationScripts.pulseaudio-hack = ''
-    ln -fns ${clientConf} /etc/pulse/client.conf
-  '';
-
-  systemd.services.pulse = {
-    wantedBy = [ "sound.target" ];
-    before = [ "sound.target" ];
-    environment = {
-      PULSE_RUNTIME_PATH = "${runDir}/home";
-    };
-    serviceConfig = {
-      ExecStart = "${pkg}/bin/pulseaudio";
-      ExecStartPre = pkgs.writeDash "pulse-start" ''
-        install -o pulse -g audio -m 0750 -d ${runDir}
-        install -o pulse -g audio -m 0700 -d ${runDir}/home
-      '';
-      PermissionsStartOnly = "true";
-      User = "pulse";
-    };
-  };
-
-  users = {
-    groups.pulse.gid = config.users.users.pulse.uid;
-    users.pulse = {
-      uid = genid "pulse";
-      group = "pulse";
-      extraGroups = [ "audio" ];
-      home = "${runDir}/home";
-    };
-  };
-}

lass/2configs/tests/dummy-secrets/grafana_security.nix

@@ -0,0 +1,4 @@
+{
+  adminUser = "bla";
+  adminPassword = "blub";
+}

lass/2configs/websites/fritz.nix

@@ -23,6 +23,9 @@ let
   '';
 
 in {
+
+  services.nginx.enable = true;
+
   imports = [
     ./sqlBackup.nix
 

makefu/2configs/elchos/irc-token.nix

@@ -3,19 +3,20 @@ with import <stockholm/lib>;
 let
   secret = (import <secrets/elchos-token.nix>);
 in {
-  systemd.services.elchos-irctoken = {
+  systemd.services.elchos-irctoken2 = {
-    startAt = "*:0/30";
+    startAt = "*:0/5";
     serviceConfig = {
       RuntimeMaxSec = "20";
     };
     script = ''
       set -euf
       now=$(date -u +%Y-%m-%dT%H:%M)
-      sec=$(echo -n "${secret}$now" | md5sum | cut -d\  -f1)
+      sleep 5
-      message="The secret valid for 30 minutes is $sec"
+      sec=$(cat /tmp/irc-secret)
-      echo "token for $now (UTC) is $sec"
+      message="The current secret is $sec"
+      echo "$message"
       LOGNAME=sec-announcer
-      HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static)
+      HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --transient)
       IRC_SERVER=irc.freenode.net
       IRC_PORT=6667
       IRC_NICK=$HOSTNAME-$$
@@ -59,4 +60,18 @@ in {
         | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
     '';
   };
+  systemd.services.elchos-create-token = {
+    startAt = "*:0/30";
+    serviceConfig = {
+      RuntimeMaxSec = "20";
+    };
+    script = ''
+      set -euf
+      now=$(date -u +%Y-%m-%dT%H:%M)
+      sec=$(echo -n "${secret}$now" | md5sum | cut -d\  -f1)
+      message="The secret valid for 30 minutes is $sec"
+      echo -n "$sec" > /tmp/irc-secret
+      echo "token for $now (UTC) is $sec"
+    '';
+  };
 }

makefu/2configs/elchos/stats.nix

@@ -39,8 +39,57 @@ with import <stockholm/lib>;
   };
 
   services.graphite = {
-    api = {
+    beacon = {
       enable = true;
+      config = {
+        graphite_url = "http://localhost:18080";
+
+        no_data = "critical";
+        loading_error = "normal";
+
+        prefix = "[elchos]";
+
+        cli = {
+          command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 alert0r \#elchos ' [elchos] ''${level} ''${name} ''${value}' '';
+        };
+        #smtp = {
+        #  from = "beacon@mors.r";
+        #  to = [
+        #    "lass@mors.r"
+        #  ];
+        #};
+        normal_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        warning_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        critical_handlers = [
+          # "smtp"
+          "cli"
+        ];
+        alerts = let
+          high-load = hostid: let
+              host = "elch-${toString hostid}"; in {
+              name = "high-cpu-load-${host}";
+              query = "aliasByNode(perSecond(elchos.${host}.cpu.0.cpu.idle),1)";
+              method = "average";
+              interval = "1minute";
+              logging = "info";
+              repeat_interval = "5minute";
+              rules = [
+  #              "warning: < 30.0"
+                "critical: < 1.0"
+              ];
+            };
+          in map high-load [ 1 2 3 4 5 6 7 8 ];
+      };
+   };
+   api = {
+      enable = true;
+      package = pkgs.graphiteApi;
       listenAddress = "127.0.0.1";
       port = 18080;
     };
@@ -50,8 +99,8 @@ with import <stockholm/lib>;
       config = ''
         [cache]
         MAX_CACHE_SIZE = inf
-        MAX_UPDATES_PER_SECOND = 1
+        MAX_UPDATES_PER_SECOND = 10
-        MAX_CREATES_PER_MINUTE = 500
+        MAX_CREATES_PER_MINUTE = 5000
         '';
       storageSchemas = ''
         [carbon]
@@ -62,6 +111,10 @@ with import <stockholm/lib>;
         patterhn = ^elchos\.
         retentions = 10s:30d,60s:3y
 
+
+        [default]
+        pattern = ^krebs\.
+        retentions = 1s:30d,30s:3m,300s:1y
         [default]
         pattern = .*
         retentions = 30s:30d,300s:1y