Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'gum/master'

Browse Source
This commit is contained in:
lassulus 2016-08-24 08:49:16 +02:00
commit 662222f8c4
10 changed files with 550 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
krebs/3modules/makefu/default.nix
View File

@ -360,7 +360,6 @@ with config.krebs.lib;
ip6.addr = "42:f9f0::10";
aliases = [
"omo.retiolum"
"tracker.makefu.r"
"omo.r"
];
tinc.pubkey = ''
@ -446,6 +445,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
"gum.r"
"gum.retiolum"
"cgit.gum.retiolum"
"tracker.makefu.r"
"tracker.makefu.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -761,6 +762,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
};
tcac-0-1 = rec {
cores = 1;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcX7rlGmGp1zCStrERXZ3XuT/j69FDBXV4ceLn9RXsG tcac-0-1
";
nets = {
retiolum = {
ip4.addr = "10.243.144.142";
ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278";
aliases = [
"tcac-0-1.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA+3zuZa8FhFBcUNdNGyTQph6Jes0WDQB4CDcEcnK9okP60Z0ONq8j
7sKmxzQ43WFm04fd992Aa/KLbYBbXmGtYuu68DQwQGwk3HVNksp6ha7uVK1ibgNs
zJIKizpFqK4NAYit0OfAy7ugVSvtyIxg9CDhnASDZ5NRq8/OLhvo5M4c3r3lGOlO
Hv1nf4Tl2IYRln3c+AJEiw2369K46mRlt28yHeKUw1ur6hrbahnkYW+bjeliROIs
QLp8J8Jl6evtPOyZpgyGHLQ/WPsQRK5svVA9ou17R//m4KNL1kBjTfxs7GaJWHLl
HpSZTqRKsuK6K9R6kzu7NU81Wz0HXxw/qwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
} // { # hosts only maintained in stockholm, not owned by me
muhbaasu = rec {

1
makefu/1systems/gum.nix
View File

@ -22,6 +22,7 @@ in {
../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix
../2configs/torrent.nix
../2configs/opentracker.nix
];
services.smartd.devices = [ { device = "/dev/sda";} ];

13
makefu/1systems/omo.nix
View File

@ -50,11 +50,24 @@ in {
#../2configs/share-user-sftp.nix
../2configs/omo-share.nix
../2configs/tinc/retiolum.nix
../2configs/torrent.nix
## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
];
makefu.full-populate = true;
makefu.deluge.cfg = {
max_active_seeding = 1;
stop_seed_ratio = 1;
natpmp = true;
upnp = true;
max_upload_speed = 200;
};
users.groups.share = {
gid = config.krebs.lib.genid "share";
members = [ "makefu" "misa" ];
};
networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files

65
makefu/1systems/wbob.nix
View File

@ -1,32 +1,53 @@
{ config, pkgs, ... }:
let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
{ config, pkgs, lib, ... }:
let
rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F";
in {
makefu.awesome = {
modkey = "Mod1";
#TODO: integrate kiosk config into full config by templating the autostart
baseConfig = pkgs.awesomecfg.kiosk;
};
imports =
[ # Include the results of the hardware scan.
../.
../2configs/main-laptop.nix
../2configs/zsh-user.nix
../2configs/base-gui.nix
../2configs/laptop-utils.nix
../2configs/virtualization.nix
../2configs/tinc/retiolum.nix
];
krebs = {
enable = true;
build.host = config.krebs.hosts.wbob;
};
networking.firewall.allowedUDPPorts = [ 1655 ];
networking.firewall.allowedTCPPorts = [ 1655 49152 ];
services.tinc.networks.siem = {
name = "display";
extraConfig = ''
ConnectTo = sjump
swapDevices = [ { device = "/var/swap"; } ];
services.xserver = {
layout = lib.mkForce "de";
windowManager = lib.mkForce {
awesome.enable = false;
default = "none";
};
desktopManager.xfce.enable = true;
# xrandrHeads = [ "HDMI1" "HDMI2" ];
# prevent screen from turning off, disable dpms
displayManager.sessionCommands = ''
xset s off -dpms
xrandr --output HDMI2 --right-of HDMI1
'';
};
networking.firewall.allowedUDPPorts = [ 655 ];
networking.firewall.allowedTCPPorts = [ 655 49152 ];
#services.tinc.networks.siem = {
# name = "display";
# extraConfig = ''
# ConnectTo = sjump
# Port = 1655
# '';
#};
# rt2870.bin wifi card, part of linux-unfree
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
@ -41,20 +62,18 @@ in {
hardware.cpu.intel.updateMicrocode = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
fileSystems = {
"/" = {
device = rootdisk + "-part1";
fsType = "ext4";
};
"/data" = {
device = datadisk + "-part1";
fsType = "ext4";
};
};
# DualHead on NUC
services.xserver = {
# xrandrHeads = [ "HDMI1" "HDMI2" ];
# prevent screen from turning off, disable dpms
displayManager.sessionCommands = ''
xset s off -dpms
xrandr --output HDMI2 --right-of HDMI1
'';
};
# TODO: update synergy package with these extras (username)
# TODO: add crypto layer
systemd.services."synergy-client" = {

16
makefu/2configs/opentracker.nix Normal file
View File

@ -0,0 +1,16 @@
{pkgs, ...}:
let
daemon-port = 16969;
cfgfile = pkgs.writeText "opentracker-cfg" ''
'';
in {
# Opentracker does not support local IPs (10.0.0.0/8 )
makefu.opentracker = {
enable = true;
args = "-p ${toString daemon-port} -P ${toString daemon-port}";
};
networking.firewall.allowedTCPPorts = [ daemon-port ];
networking.firewall.allowedUDPPorts = [ daemon-port ];
}

19
makefu/2configs/rtorrent.nix Normal file
View File

@ -0,0 +1,19 @@
_:
let
listenPort = 60123;
xml-port = 5000;
authfile = <torrent-secrets/authfile>;
in {
makefu.rtorrent = {
enable = true;
web = {
enable = true;
enableAuth = true;
inherit authfile;
};
rutorrent.enable = true;
enableXMLRPC = true;
logLevel = "debug";
inherit listenPort;
};
}

13
makefu/2configs/torrent.nix
View File

@ -55,20 +55,21 @@ in {
autoadd_enable = true;
download_location = dl-dir + "/finished";
torrentfiles_location = dl-dir + "/torrents"; copy_torrent_file = true;
lsd = true;
dht = true;
upnp = true;
natpmp = true;
lsd = false;
dht = false;
upnp = false;
natpmp = false;
add_paused = false;
allow_remote = true;
remove_seed_at_ratio = false;
move_completed = false;
daemon_port = daemon-port;
random_port = false;
random_outgoing_ports = true;
listen_ports = [ peer-port peer-port ];
outgoing_ports = [ peer-port peer-port ];
# performance tuning
cache_expiry = 3600;
stop_seed_at_ratio = true;
stop_seed_at_ratio = false;
};
};

2
makefu/3modules/default.nix
View File

@ -6,7 +6,9 @@ _:
./awesome-extra.nix
./deluge.nix
./forward-journal.nix
./opentracker.nix
./ps3netsrv.nix
./rtorrent.nix
./snapraid.nix
./taskserver.nix
./udpt.nix

55
makefu/3modules/opentracker.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
cfg = config.makefu.opentracker;
out = {
options.makefu.opentracker = api;
config = lib.mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "opentracker";
package = mkOption {
type = types.package;
default = pkgs.opentracker;
};
args = mkOption {
type = types.string;
description = ''
see https://erdgeist.org/arts/software/opentracker/ for all params
'';
default = "";
};
user = mkOption {
description = ''
user which will run opentracker. by default opentracker drops all
privileges and runs in chroot after starting up as root.
'';
type = types.str;
default = "root";
};
};
imp = {
systemd.services.opentracker = {
description = "opentracker server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/opentracker ${cfg.args}";
PrivateTmp = true;
WorkingDirectory = "/tmp";
User = "${cfg.user}";
};
};
};
in
out

367
makefu/3modules/rtorrent.nix Normal file
View File

@ -0,0 +1,367 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
let
cfg = config.makefu.rtorrent;
webcfg = config.makefu.rtorrent.web;
rucfg = config.makefu.rtorrent.rutorrent;
nginx-user = config.services.nginx.user;
nginx-group = config.services.nginx.group;
fpm-socket = "/var/run/php5-fpm-rutorrent.sock";
webdir = rucfg.webdir;
rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++
(if (config.nixpkgs.config.allowUnfree or false) then
trace "enabling unfree packages for rutorrent" [ unrar unzip ] else
trace "not enabling unfree packages for rutorrent because allowUnfree is unset" [])
;
rutorrent = pkgs.stdenv.mkDerivation {
name = "rutorrent-src-3.7";
src = pkgs.fetchFromGitHub {
owner = "Novik";
repo = "rutorrent";
rev = "b727523a153454d4976f04b0c47336ae57cc50d5";
sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a";
};
phases = [ "patchPhase" "installPhase" ];
patchPhase = ''
cp -r $src src/
chmod u+w -R src/
sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \
-e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \
"src/conf/config.php"
'';
installPhase = ''
cp -r src/ $out
echo "replacing scgi port and host variable in conf/config.php"
'';
};
systemd-logfile = cfg.workDir + "/rtorrent-systemd.log";
configFile = pkgs.writeText "rtorrent-config" ''
# THIS FILE IS AUTOGENERATED
${optionalString (cfg.listenPort != null) ''
port_range = ${toString cfg.listenPort}-${toString cfg.listenPort}
port_random = no
''}
${optionalString (cfg.watchDir != null) ''
schedule = watch_directory,5,5load_start=${cfg.watchDir}/*.torrent
''}
directory = ${cfg.downloadDir}
session = ${cfg.sessionDir}
${optionalString (cfg.enableXMLRPC ) ''
# prepare socket and set permissions. rtorrent user is part of group nginx
# TODO: configure a shared torrent group
execute_nothrow = rm,${cfg.xmlrpc-socket}
scgi_local = ${cfg.xmlrpc-socket}
schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}"
''}
system.file_allocate.set = ${if cfg.preAllocate then "yes" else "no"}
# Prepare systemd logging
log.open_file = "rtorrent-systemd", ${systemd-logfile}
log.add_output = "warn", "rtorrent-systemd"
log.add_output = "notice", "rtorrent-systemd"
log.add_output = "info", "rtorrent-systemd"
# log.add_output = "debug", "rtorrent-systemd"
log.execute = ${systemd-logfile}.execute
log.xmlrpc = ${systemd-logfile}.xmlrpc
${cfg.extraConfig}
'';
out = {
options.makefu.rtorrent = api;
# This only works because none of the attrsets returns the same key
config = with lib; mkIf cfg.enable (lib.mkMerge [
(lib.mkIf webcfg.enable rpcweb-imp)
# only build rutorrent-imp if webcfg is enabled as well
(lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp)
imp
]);
};
api = {
enable = mkEnableOption "rtorrent";
web = {
# configure NGINX to provide /RPC2 for listen address
# authentication also applies to rtorrent.rutorrent
enable = mkEnableOption "rtorrent nginx web RPC";
listenAddress = mkOption {
type = types.str;
description =''
nginx listen address for rtorrent web
'';
default = "localhost:8006";
};
enableAuth = mkEnableOption "rutorrent authentication";
authfile = mkOption {
type = types.path;
description = ''
basic authentication file to be used.
Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file.
Only in use if authentication is enabled.
'';
};
};
rutorrent = {
enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable
package = mkOption {
type = types.package;
description = ''
path to rutorrent package. When using your own ruTorrent package,
make sure you patch the scgi_port and scgi_host.
'';
default = rutorrent;
};
webdir = mkOption {
type = types.path;
description = ''
rutorrent php files will be written to this folder.
when using nginx, be aware that the the folder should be readable by nginx.
because rutorrent does not hold mutable data in a separate folder
these files must be writable.
'';
default = "/var/lib/rutorrent";
};
};
package = mkOption {
type = types.package;
default = pkgs.rtorrent;
};
# TODO: enable xmlrpc with web.enable
enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket";
xmlrpc-socket = mkOption {
type = types.str;
description = ''
enable xmlrpc at given socket. Required for web-interface.
for documentation see:
https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC
'';
default = cfg.workDir + "/rtorrent.sock";
};
preAllocate = mkOption {
type = types.bool;
description = ''
Pre-Allocate torrent files
'';
default = true;
};
logLevel = mkOption {
type = types.str;
description = ''
Log level to be used for systemd log
'';
default = "warn";
};
downloadDir = mkOption {
type = types.path;
description = ''
directory where torrents are stored
'';
default = cfg.workDir + "/downloads";
};
sessionDir = mkOption {
type = types.path;
description = ''
directory where torrent progress is stored
'';
default = cfg.workDir + "/rtorrent-session";
};
watchDir = mkOption {
type = with types; nullOr str;
description = ''
directory to watch for torrent files.
If unset, no watch directory will be configured
'';
default = null;
};
listenPort = mkOption {
type = with types; nullOr int;
description =''
listening port. if you want multiple ports, use extraConfig port_range
'';
};
extraConfig = mkOption {
type = types.string;
description = ''
config to be placed into ${cfg.workDir}/.rtorrent.rc
see ${cfg.package}/share/doc/rtorrent/rtorrent.rc
'';
default = "";
};
user = mkOption {
description = ''
user which will run rtorrent. if kept default a new user will be created
'';
type = types.str;
default = "rtorrent";
};
workDir = mkOption {
description = ''
working directory. rtorrent will search in HOME for `.rtorrent.rc`
'';
type = types.str;
default = "/var/lib/rtorrent";
};
};
imp = {
systemd.services = {
rtorrent-daemon = {
description = "rtorrent headless";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
serviceConfig = {
Type = "forking";
ExecStartPre = pkgs.writeDash "prepare-folder" ''
mkdir -p ${cfg.workDir} ${cfg.sessionDir}
chmod 770 ${cfg.workDir} ${cfg.sessionDir}
touch ${systemd-logfile}
cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc
'';
ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'";
# PrivateTmp = true;
## now you can simply sudo -u rtorrent tmux a
## otherwise the tmux session is stored in some private folder in /tmp
WorkingDirectory = cfg.workDir;
Restart = "on-failure";
User = "${cfg.user}";
};
};
rtorrent-log = {
after = [ "rtorrent-daemon.service" ];
bindsTo = [ "rtorrent-daemon.service" ];
wantedBy = [ "rtorrent-daemon.service" ];
serviceConfig = {
ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}";
User = "${cfg.user}";
};
};
} // (optionalAttrs webcfg.enable {
rutorrent-prepare = {
after = [ "rtorrent-daemon.service" ];
bindsTo = [ "rtorrent-daemon.service" ];
wantedBy = [ "rtorrent-daemon.service" ];
serviceConfig = {
Type = "oneshot";
# we create the folder and set the permissions to allow nginx
# TODO: update files if the version of rutorrent changed
ExecStart = pkgs.writeDash "create-webconfig-dir" ''
if [ ! -e ${webdir} ];then
echo "creating webconfiguration directory for rutorrent: ${webdir}"
cp -r ${rucfg.package} ${webdir}
chown -R ${cfg.user}:${nginx-group} ${webdir}
chmod -R 770 ${webdir}
else
echo "not overwriting ${webdir}"
fi
'';
};
};
})
// (optionalAttrs rucfg.enable { });
users = lib.mkIf (cfg.user == "rtorrent") {
users.rtorrent = {
uid = genid "rtorrent";
home = cfg.workDir;
group = nginx-group;
shell = "/bin/sh"; #required for tmux
isSystemUser = true;
createHome = true;
};
groups.rtorrent.gid = genid "rtorrent";
};
};
rpcweb-imp = {
krebs.nginx.enable = mkDefault true;
krebs.nginx.servers.rtorrent = {
listen = [ webcfg.listenAddress ];
server-names = [ "default" ];
extraConfig = ''
${optionalString webcfg.enableAuth ''
auth_basic "rtorrent";
auth_basic_user_file ${webcfg.authfile};
''}
${optionalString rucfg.enable ''
root ${webdir};
''}
'';
locations = [
(nameValuePair "/RPC2" ''
include ${pkgs.nginx}/conf/scgi_params;
scgi_param SCRIPT_NAME /RPC2;
scgi_pass unix:${cfg.xmlrpc-socket};
'')
] ++ (optional rucfg.enable
(nameValuePair "~ \.php$" ''
client_max_body_size 200M;
root ${webdir};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${fpm-socket};
try_files $uri =404;
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'')
);
};
};
rutorrent-imp = {
services.phpfpm = {
# phpfpm does not have an enable option
poolConfigs = {
rutorrent = ''
user = ${nginx-user}
group = ${nginx-group}
listen = ${fpm-socket}
listen.owner = ${nginx-user}
listen.group = ${nginx-group}
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
# errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
env[PATH] = ${makeBinPath rutorrent-deps}
'';
};
};
};
in
out