From 3006c2b13637bd2038a3e7baac42d016ae56a41f Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:39:14 +0200 Subject: [PATCH 01/15] m 3 opentracker: init --- makefu/3modules/opentracker.nix | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 makefu/3modules/opentracker.nix diff --git a/makefu/3modules/opentracker.nix b/makefu/3modules/opentracker.nix new file mode 100644 index 000000000..8847fc09a --- /dev/null +++ b/makefu/3modules/opentracker.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.opentracker; + + out = { + options.makefu.opentracker = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "opentracker"; + + package = mkOption { + type = types.package; + default = pkgs.opentracker; + }; + + args = mkOption { + type = types.string; + description = '' + see https://erdgeist.org/arts/software/opentracker/ for all params + ''; + default = ""; + }; + + user = mkOption { + description = '' + user which will run opentracker. by default opentracker drops all + privileges and runs in chroot after starting up as root. + ''; + type = types.str; + default = "root"; + }; + }; + + imp = { + systemd.services.opentracker = { + description = "opentracker server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + Type = "simple"; + ExecStart = "${cfg.package}/bin/opentracker ${cfg.args}"; + PrivateTmp = true; + WorkingDirectory = "/tmp"; + User = "${cfg.user}"; + }; + }; + }; +in +out + From 16049954816bc2484c15ee6dd889e55be5ba6253 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:39:25 +0200 Subject: [PATCH 02/15] m 3 rtorrent: init --- makefu/3modules/rtorrent.nix | 311 +++++++++++++++++++++++++++++++++++ 1 file changed, 311 insertions(+) create mode 100644 makefu/3modules/rtorrent.nix 
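Review bot: The `user` option in makefu/3modules/opentracker.nix defaults to `root`, so the unit starts with full privileges and relies entirely on opentracker dropping them itself; `serviceConfig` adds only `PrivateTmp`. The port used later in the series (16969, PATCH 03/15) is unprivileged, so root is not needed for binding. I would default to a dedicated system user, after checking that opentracker still starts cleanly when unprivileged, or at least bound the unit with `ProtectSystem = "full"; ProtectHome = true;`. `${cfg.args}` is spliced into `ExecStart` unquoted, so the option description should say `args are appended verbatim to the command line`.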
diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix
new file mode 100644
index 000000000..404c9d4f0
--- /dev/null
+++ b/makefu/3modules/rtorrent.nix
@@ -0,0 +1,311 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + nginx-user = config.services.nginx.user; + nginx-group = config.services.nginx.group; + rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ + (if config.nixpkgs.config.allowUnfree then + trace "enabling unfree packages for rutorrent" [ unrar unzip ] else + trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []) +; + rutorrent = pkgs.stdenv.mkDerivation { + name = "rutorrent-src-3.7"; + src = pkgs.fetchFromGitHub { + owner = "Novik"; + repo = "rutorrent"; + rev = "b727523a153454d4976f04b0c47336ae57cc50d5"; + sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a"; + }; + phases = [ "installPhase" ]; + installPhase = '' + cp -r $src $out + ''; + }; + fpm-socket = "/var/run/php5-fpm.sock"; + systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; + configFile = pkgs.writeText "rtorrent-config" '' + # THIS FILE IS AUTOGENERATED + ${optionalString (cfg.listenPort != null) '' + port_range = ${toString cfg.listenPort}-${toString cfg.listenPort} + port_random = no + ''} + + ${optionalString (cfg.watchDir != null) '' + schedule = watch_directory,5,5load_start=${cfg.watchDir}/*.torrent + ''} + + directory = ${cfg.downloadDir} + session = ${cfg.sessionDir} + + ${optionalString (cfg.xmlrpc != null) '' + scgi_port = ${cfg.xmlrpc} + ''} + + system.file_allocate.set = ${if cfg.preAllocate then "yes" else "no"} + + # Prepare systemd logging + log.open_file = "rtorrent-systemd", ${systemd-logfile} + log.add_output = "warn", "rtorrent-systemd" + log.add_output = "notice", "rtorrent-systemd" + log.add_output = "info", "rtorrent-systemd" + # log.add_output = "debug", "rtorrent-systemd" + log.execute = ${systemd-logfile}.execute + log.xmlrpc = ${systemd-logfile}.xmlrpc + ${cfg.extraConfig} + ''; + + cfg = config.makefu.rtorrent; + webcfg = config.makefu.rtorrent.web; + out = { + options.makefu.rtorrent = api; + config = lib.recursiveUpdate 
(lib.mkIf cfg.enable imp) (lib.mkIf cfg.web.enable web-imp); + }; + + api = { + enable = mkEnableOption "rtorrent"; + + web = { + enable = mkEnableOption "rtorrent"; + + package = mkOption { + type = types.package; + description = '' + path to rutorrent package + ''; + default = rutorrent; + }; + + listenAddress = mkOption { + type = types.str; + description ='' + nginx listen address + ''; + default = "localhost:8005"; + }; + + webdir = mkOption { + type = types.path; + description = '' + rutorrent php files will be written to this folder. + when using nginx, be aware that the the folder should be readable by nginx. + because rutorrent does not hold mutable data in a separate folder + these files must be writable. + ''; + default = "/var/lib/rutorrent"; + }; + }; + + package = mkOption { + type = types.package; + default = pkgs.rtorrent; + }; + + xmlrpc = mkOption { + type = with types; nullOr str; + description = '' + enable xmlrpc at given interface and port. + + for documentation see: + https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC + ''; + example = "localhost:5000"; + default = null; + }; + preAllocate = mkOption { + type = types.bool; + description = '' + Pre-Allocate torrent files + ''; + default = true; + }; + + logLevel = mkOption { + type = types.str; + description = '' + Log level to be used for systemd log + ''; + default = "warn"; + }; + + downloadDir = mkOption { + type = types.path; + description = '' + directory where torrents are stored + ''; + default = cfg.workDir + "/downloads"; + }; + + sessionDir = mkOption { + type = types.path; + description = '' + directory where torrent progress is stored + ''; + default = cfg.workDir + "/rtorrent-session"; + }; + + watchDir = mkOption { + type = with types; nullOr str; + description = '' + directory to watch for torrent files. 
+ If unset, no watch directory will be configured + ''; + default = null; + }; + + listenPort = mkOption { + type = with types; nullOr int; + description ='' + listening port. if you want multiple ports, use extraConfig port_range + ''; + }; + + extraConfig = mkOption { + type = types.string; + description = '' + config to be placed into ${cfg.workDir}/.rtorrent.rc + + see ${cfg.package}/share/doc/rtorrent/rtorrent.rc + ''; + default = ""; + }; + + user = mkOption { + description = '' + user which will run rtorrent. if kept default a new user will be created + ''; + type = types.str; + default = "rtorrent"; + }; + + workDir = mkOption { + description = '' + working directory. rtorrent will search in HOME for `.rtorrent.rc` + ''; + type = types.str; + default = "/var/lib/rtorrent"; + }; + + }; + + imp = { + systemd.services.rtorrent-daemon = { + description = "rtorrent headless"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + Type = "forking"; + ExecStartPre = pkgs.writeDash "prepare-folder" '' + mkdir -p ${cfg.workDir} ${cfg.sessionDir} + touch ${systemd-logfile} + cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc + ''; + ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; + + # PrivateTmp = true; + ## now you can simply sudo -u rtorrent tmux a + ## otherwise the tmux session is stored in some private folder in /tmp + WorkingDirectory = cfg.workDir; + Restart = "on-failure"; + User = "${cfg.user}"; + }; + + }; + systemd.services.rtorrent-log = { + after = [ "rtorrent-daemon.service" ]; + bindsTo = [ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; + serviceConfig = { + ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; + User = "${cfg.user}"; + }; + }; + + users = lib.mkIf (cfg.user == "rtorrent") { + users.rtorrent = { + uid = genid "rtorrent"; + home = 
cfg.workDir; + group = nginx-group; + shell = "/bin/sh"; #required for tmux + createHome = true; + }; + groups.rtorrent.gid = genid "rtorrent"; + }; + }; + web-imp = { + systemd.services.rutorrent-prepare = { + after = [ "rtorrent-daemon.service" ]; + serviceConfig = { + Type = "oneshot"; + # we create the folder and set the permissions to allow nginx + # TODO: update files if the version of rutorrent changed + ExecStart = pkgs.writeDash "create-webconfig-dir" '' + if [ ! -e ${webcfg.webdir} ];then + echo "creating webconfiguration directory for rutorrent: ${webcfg.webdir}" + cp -r ${webcfg.package} ${webcfg.webdir} + chown -R ${cfg.user}:${nginx-group} ${webcfg.webdir} + chmod -R 770 ${webcfg.webdir} + else + echo "not overwriting ${webcfg.webdir}" + fi + ''; + }; + }; + krebs.nginx.enable = true; + krebs.nginx.servers.rutorrent = { + listen = [ webcfg.listenAddress ]; + extraConfig = "root ${webcfg.webdir};"; + # TODO: authentication + locations = [ + # auth_basic "Restricted"; ##auth zone - whatever you want to use + # auth_basic_user_file torpasswd; ##auth file - relative to /etc/nginx/. 
+ + (nameValuePair "/RPC2" '' + scgi_pass localhost:5000; + include ${pkgs.nginx}/conf/scgi_params; + '') + (nameValuePair "~ \.php$" '' + root ${webcfg.webdir}; + client_max_body_size 200M; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm-socket}; + try_files $uri =404; + fastcgi_index index.php; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + + ]; + }; + services.phpfpm = { + # phpfpm does not have an enable option + poolConfigs = let + user = config.services.nginx.user; + group = config.services.nginx.group; + fpm-socket = "/var/run/php5-fpm.sock"; + in { + rutorrent = '' + user = ${user} + group = ${group} + listen = ${fpm-socket} + listen.owner = ${user} + listen.group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + chdir = / + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + env[PATH] = ${makeBinPath rutorrent-deps} + ''; + }; + }; + }; +in +out + From 0bccd0007853f01e467746258fe2c8bf7f8d907c Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:39:50 +0200 Subject: [PATCH 03/15] m 2 opentracker: init --- makefu/2configs/opentracker.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 makefu/2configs/opentracker.nix diff --git a/makefu/2configs/opentracker.nix b/makefu/2configs/opentracker.nix new file mode 100644 index 000000000..f98105625 --- /dev/null +++ b/makefu/2configs/opentracker.nix @@ -0,0 +1,16 @@ +{pkgs, ...}: + +let + daemon-port = 16969; + cfgfile = pkgs.writeText "opentracker-cfg" '' + ''; +in { + # Opentracker does not support local IPs (10.0.0.0/8 ) + makefu.opentracker = { + enable = true; + args = "-p ${toString daemon-port} -P ${toString daemon-port}"; + }; + networking.firewall.allowedTCPPorts = [ daemon-port ]; + networking.firewall.allowedUDPPorts = [ daemon-port ]; + +} 
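Review bot: In makefu/3modules/rtorrent.nix the `rutorrent` vhost serves all of `${webcfg.webdir}` and only defines locations for `/RPC2` and `~ \.php$`, so ruTorrent's `conf/` and `share/` directories are reachable over HTTP. Upstream protects them with Apache `.htaccess` files (as far as I recall), which nginx ignores. I would add `(nameValuePair "~ ^/(conf|share)/" "deny all;")` ahead of the `~ \.php$` entry, since nginx takes the first matching regex location. The rewrites of this list in PATCH 11/15 and 13/15 carry the same gap. Separately, `scgi_pass localhost:5000;` is hard-coded instead of derived from `cfg.xmlrpc`, and authentication is still a TODO at this commit, so anything that can reach `listenAddress` can talk to rtorrent's unauthenticated SCGI port.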
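Review bot: In makefu/2configs/opentracker.nix `cfgfile` is bound to an empty `pkgs.writeText` and never referenced, so the tracker runs with nothing but the two port flags while the firewall opens `daemon-port` for TCP and UDP on every interface. If the tracker is only meant for one network (the `tracker.makefu.r` alias moved in PATCH 05/15 hints at that, but I am inferring it), restrict the firewall rule to that interface rather than using the global port lists. Otherwise drop the unused binding and state the intent with a comment such as `# intentionally public: open tracker, no access list`.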
From d8af71e9a076480e10274b5d6cd586a0ad0faafc Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:40:38 +0200 Subject: [PATCH 04/15] m 3 default: enable opentracker and rtorrent --- makefu/3modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 031ef1bc2..bddd96aa4 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -6,7 +6,9 @@ _: ./awesome-extra.nix ./deluge.nix ./forward-journal.nix + ./opentracker.nix ./ps3netsrv.nix + ./rtorrent.nix ./snapraid.nix ./taskserver.nix ./udpt.nix From f75a11a2da87ebd5e8735f77cebb61ebd0f8bfae Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:41:07 +0200 Subject: [PATCH 05/15] k 3 m: move tracker.makefu.r to gum --- krebs/3modules/makefu/default.nix | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index e45d907d3..de5be964f 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -360,7 +360,6 @@ with config.krebs.lib; ip6.addr = "42:f9f0::10"; aliases = [ "omo.retiolum" - "tracker.makefu.r" "omo.r" ]; tinc.pubkey = '' @@ -446,6 +445,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB "gum.r" "gum.retiolum" "cgit.gum.retiolum" + "tracker.makefu.r" + "tracker.makefu.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- 
@@ -761,6 +762,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; }; + tcac-0-1 = rec { + cores = 1; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcX7rlGmGp1zCStrERXZ3XuT/j69FDBXV4ceLn9RXsG tcac-0-1 + "; + nets = { + retiolum = { + ip4.addr = "10.243.144.142"; + ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278"; + aliases = [ + "tcac-0-1.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+3zuZa8FhFBcUNdNGyTQph6Jes0WDQB4CDcEcnK9okP60Z0ONq8j + 7sKmxzQ43WFm04fd992Aa/KLbYBbXmGtYuu68DQwQGwk3HVNksp6ha7uVK1ibgNs + zJIKizpFqK4NAYit0OfAy7ugVSvtyIxg9CDhnASDZ5NRq8/OLhvo5M4c3r3lGOlO + Hv1nf4Tl2IYRln3c+AJEiw2369K46mRlt28yHeKUw1ur6hrbahnkYW+bjeliROIs + QLp8J8Jl6evtPOyZpgyGHLQ/WPsQRK5svVA9ou17R//m4KNL1kBjTfxs7GaJWHLl + HpSZTqRKsuK6K9R6kzu7NU81Wz0HXxw/qwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + } // { # hosts only maintained in stockholm, not owned by me muhbaasu = rec { From 5557ae25660e3934582050865e8dcfc0f93f5856 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:41:42 +0200 Subject: [PATCH 06/15] m 2 torrent: update config for otpimized seeding --- makefu/2configs/torrent.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix index c18db9fa3..09f3ca059 100644 --- a/makefu/2configs/torrent.nix +++ b/makefu/2configs/torrent.nix 
@@ -55,20 +55,21 @@ in { autoadd_enable = true; download_location = dl-dir + "/finished"; torrentfiles_location = dl-dir + "/torrents"; copy_torrent_file = true; - lsd = true; - dht = true; - upnp = true; - natpmp = true; + lsd = false; + dht = false; + upnp = false; + natpmp = false; add_paused = false; allow_remote = true; remove_seed_at_ratio = false; move_completed = false; daemon_port = daemon-port; + random_port = false; + random_outgoing_ports = true; listen_ports = [ peer-port peer-port ]; - outgoing_ports = [ peer-port peer-port ]; # performance tuning cache_expiry = 3600; - stop_seed_at_ratio = true; + stop_seed_at_ratio = false; }; }; From 3853da411a98002388ca03c8c730db768b89f91f Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:42:03 +0200 Subject: [PATCH 07/15] m 2 rtorrent: initial config with rutorrent --- makefu/2configs/rtorrent.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 makefu/2configs/rtorrent.nix diff --git a/makefu/2configs/rtorrent.nix b/makefu/2configs/rtorrent.nix new file mode 100644 index 000000000..d024ded97 --- /dev/null +++ b/makefu/2configs/rtorrent.nix @@ -0,0 +1,13 @@ +_: +let + listenPort = 60123; + xml-port = 5000; +in { + makefu.rtorrent = { + enable = true; + web.enable = true; + xmlrpc = "localhost:${toString xml-port}"; + logLevel = "debug"; + inherit listenPort; + }; +} From 6c487331532019db5c3382edc0b18ab4fe892609 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:43:38 +0200 Subject: [PATCH 08/15] m 1 omo: configure deluge --- makefu/1systems/omo.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 3aa5e943e..96f7be9fc 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix 
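Review bot: `logLevel = "debug";` in makefu/2configs/rtorrent.nix has no effect, because the generated config in makefu/3modules/rtorrent.nix (PATCH 02/15) hard-codes `log.add_output` for `warn`, `notice` and `info` and never reads `cfg.logLevel`. Either wire the option into `configFile` or remove it from both files. Until then a comment next to this line would prevent surprises: `# NOTE: logLevel is currently ignored by the module`.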
@@ -50,11 +50,24 @@ in { #../2configs/share-user-sftp.nix ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix + ../2configs/torrent.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; + makefu.full-populate = true; + makefu.deluge.cfg = { + max_active_seeding = 1; + stop_seed_ratio = 1; + natpmp = true; + upnp = true; + max_upload_speed = 200; + }; + users.groups.share = { + gid = config.krebs.lib.genid "share"; + members = [ "makefu" "misa" ]; + }; networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files From c8f2a171eb0335847bb4574c76a2c0a448272d09 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:44:12 +0200 Subject: [PATCH 09/15] m 1 gum: enable opentracker --- makefu/1systems/gum.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 0d8ac0053..ab369d192 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -22,6 +22,7 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ../2configs/torrent.nix + ../2configs/opentracker.nix ]; services.smartd.devices = [ { device = "/dev/sda";} ]; From 7761a15e57fe63112de01b232b7d67c3fe16df72 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Aug 2016 18:44:29 +0200 Subject: [PATCH 10/15] m 3 rtorrent: add TODO --- makefu/3modules/rtorrent.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix index 404c9d4f0..8550d54b0 100644 --- a/makefu/3modules/rtorrent.nix +++ b/makefu/3modules/rtorrent.nix @@ -101,6 +101,7 @@ let default = pkgs.rtorrent; }; + # TODO: enable xmlrpc with web.enable xmlrpc = mkOption { type = with types; nullOr str; description = '' 
From d73d55209619c996e6e71dbc282fe188f11de805 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 23 Aug 2016 13:09:16 +0200 Subject: [PATCH 11/15] m rtorrent: split web rpc and rutorrent functionality --- makefu/2configs/rtorrent.nix | 10 ++- makefu/3modules/rtorrent.nix | 136 ++++++++++++++++++++++++----------- 2 files changed, 103 insertions(+), 43 deletions(-) diff --git a/makefu/2configs/rtorrent.nix b/makefu/2configs/rtorrent.nix index d024ded97..9e2990cab 100644 --- a/makefu/2configs/rtorrent.nix +++ b/makefu/2configs/rtorrent.nix @@ -2,11 +2,17 @@ _: let listenPort = 60123; xml-port = 5000; + authfile = ; in { makefu.rtorrent = { enable = true; - web.enable = true; - xmlrpc = "localhost:${toString xml-port}"; + web = { + enable = true; + enableAuth = true; + inherit authfile; + }; + rutorrent.enable = true; + enableXMLRPC = true; logLevel = "debug"; inherit listenPort; }; diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix index 8550d54b0..2532e1f52 100644 --- a/makefu/3modules/rtorrent.nix +++ b/makefu/3modules/rtorrent.nix @@ -2,6 +2,10 @@ with config.krebs.lib; let + cfg = config.makefu.rtorrent; + webcfg = config.makefu.rtorrent.web; + rucfg = config.makefu.rtorrent.rutorrent; + nginx-user = config.services.nginx.user; nginx-group = config.services.nginx.group; rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ @@ -17,9 +21,17 @@ let rev = "b727523a153454d4976f04b0c47336ae57cc50d5"; sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a"; }; - phases = [ "installPhase" ]; + phases = [ "patchPhase" "installPhase" ]; + patchPhase = '' + cp -r $src src/ + chmod u+w -R src/ + sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \ + -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \ + "src/conf/config.php" + ''; installPhase = '' - cp -r $src $out + cp -r src/ $out + echo "replacing scgi port and host variable in conf/config.php" ''; }; fpm-socket = "/var/run/php5-fpm.sock"; 
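Review bot: The `sed` in the new `patchPhase` of makefu/3modules/rtorrent.nix exits successfully even when neither pattern matches, so a layout change in upstream `conf/config.php` would leave ruTorrent on its stock SCGI host and port while the build still passes. A check after the substitution turns that into a build failure: `grep -q 'unix://${cfg.xmlrpc-socket}' src/conf/config.php`. The `echo "replacing scgi port and host variable in conf/config.php"` sits in `installPhase`, after the replacement has already run, and would read better at the top of `patchPhase`.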
@@ -38,8 +50,12 @@ let directory = ${cfg.downloadDir} session = ${cfg.sessionDir} - ${optionalString (cfg.xmlrpc != null) '' - scgi_port = ${cfg.xmlrpc} + ${optionalString (cfg.enableXMLRPC ) '' + # prepare socket and set permissions. rtorrent user is part of group nginx + # TODO: configure a shared torrent group + execute_nothrow = rm,${cfg.xmlrpc-socket} + scgi_local = ${cfg.xmlrpc-socket} + schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}" ''} system.file_allocate.set = ${if cfg.preAllocate then "yes" else "no"} 
@@ -55,35 +71,52 @@ let ${cfg.extraConfig} ''; - cfg = config.makefu.rtorrent; - webcfg = config.makefu.rtorrent.web; out = { options.makefu.rtorrent = api; - config = lib.recursiveUpdate (lib.mkIf cfg.enable imp) (lib.mkIf cfg.web.enable web-imp); + config = lib.recursiveUpdate (lib.mkIf cfg.enable imp) + ( lib.recursiveUpdate (lib.mkIf cfg.web.enable rpcweb-imp) + (lib.mkIf cfg.rutorrent.enable rutorrent-imp)); }; api = { enable = mkEnableOption "rtorrent"; web = { - enable = mkEnableOption "rtorrent"; - - package = mkOption { - type = types.package; - description = '' - path to rutorrent package - ''; - default = rutorrent; - }; + # configure NGINX to provide /RPC2 for listen address + # authentication also applies to rtorrent.rutorrent + enable = mkEnableOption "rtorrent nginx web RPC"; listenAddress = mkOption { type = types.str; description ='' - nginx listen address + nginx listen address for rtorrent web ''; default = "localhost:8005"; }; + enableAuth = mkEnableOption "rutorrent authentication"; + authfile = mkOption { + type = types.path; + description = '' + basic authentication file to be used. + Use `${pkgs.apacheHttpd}/bin/htpasswd -c ` to create the file. + Only in use if authentication is enabled. + ''; + }; + }; + + rutorrent = { + enable = mkEnableOption "rutorrent"; + package = mkOption { + type = types.package; + description = '' + path to rutorrent package. When using your own ruTorrent package, + make sure you patch the scgi_port and scgi_host. + ''; + default = rutorrent; + }; + + webdir = mkOption { type = types.path; description = '' @@ -94,6 +127,7 @@ let ''; default = "/var/lib/rutorrent"; }; + }; package = mkOption { 
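Review bot: `authfile` is declared as `types.path` and later interpolated as `auth_basic_user_file ${webcfg.authfile};`, and if the caller passes a Nix path value that interpolation copies the htpasswd file into the world-readable Nix store. The value assigned in makefu/2configs/rtorrent.nix is not visible on this page, so I cannot tell whether that happens here. Declaring the option as `types.str` and describing it as `absolute path on the target host, outside the Nix store` keeps the password hashes out of the store regardless of how callers set it.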
@@ -102,17 +136,18 @@ let }; # TODO: enable xmlrpc with web.enable - xmlrpc = mkOption { - type = with types; nullOr str; + enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket"; + xmlrpc-socket = mkOption { + type = types.str; description = '' - enable xmlrpc at given interface and port. + enable xmlrpc at given socket. Required for web-interface. for documentation see: https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC ''; - example = "localhost:5000"; - default = null; + default = cfg.workDir + "/rtorrent.sock"; }; + preAllocate = mkOption { type = types.bool; description = '' 
@@ -234,41 +269,60 @@ let groups.rtorrent.gid = genid "rtorrent"; }; }; - web-imp = { + + rpcweb-imp = { + krebs.nginx.enable = mkDefault true; + krebs.nginx.servers.rtorrent = { + listen = [ webcfg.listenAddress ]; + server-names = [ "default" ]; + extraConfig = '' + ${optionalString webcfg.enableAuth '' + auth_basic "rtorrent"; + auth_basic_user_file ${webcfg.authfile}; + ''} + ''; + locations = [ + (nameValuePair "/RPC2" '' + include ${pkgs.nginx}/conf/scgi_params; + scgi_param SCRIPT_NAME /RPC2; + scgi_pass unix:${cfg.xmlrpc-socket}; + '') + ]; + }; + }; + + rutorrent-imp = let + webdir = rucfg.webdir; + in { systemd.services.rutorrent-prepare = { after = [ "rtorrent-daemon.service" ]; + bindsTo = [ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; serviceConfig = { Type = "oneshot"; # we create the folder and set the permissions to allow nginx # TODO: update files if the version of rutorrent changed ExecStart = pkgs.writeDash "create-webconfig-dir" '' - if [ ! -e ${webcfg.webdir} ];then - echo "creating webconfiguration directory for rutorrent: ${webcfg.webdir}" - cp -r ${webcfg.package} ${webcfg.webdir} - chown -R ${cfg.user}:${nginx-group} ${webcfg.webdir} - chmod -R 770 ${webcfg.webdir} + if [ ! -e ${webdir} ];then + echo "creating webconfiguration directory for rutorrent: ${webdir}" + cp -r ${rucfg.package} ${webdir} + chown -R ${cfg.user}:${nginx-group} ${webdir} + chmod -R 770 ${webdir} else - echo "not overwriting ${webcfg.webdir}" + echo "not overwriting ${webdir}" fi ''; }; }; - krebs.nginx.enable = true; - krebs.nginx.servers.rutorrent = { - listen = [ webcfg.listenAddress ]; - extraConfig = "root ${webcfg.webdir};"; - # TODO: authentication + krebs.nginx.servers.rtorrent = { + extraConfig = '' + root ${webdir}; + ''; locations = [ - # auth_basic "Restricted"; ##auth zone - whatever you want to use - # auth_basic_user_file torpasswd; ##auth file - relative to /etc/nginx/. 
- (nameValuePair "/RPC2" '' - scgi_pass localhost:5000; - include ${pkgs.nginx}/conf/scgi_params; - '') (nameValuePair "~ \.php$" '' - root ${webcfg.webdir}; client_max_body_size 200M; + root ${webdir}; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm-socket}; try_files $uri =404; From 7110552e30785daa4d3ff393614793de0fe4ef27 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 23 Aug 2016 19:13:50 +0200 Subject: [PATCH 12/15] m 1 wbob: use xfce instead of awesome --- makefu/1systems/wbob.nix | 65 ++++++++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 23 deletions(-) diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index ff593ab35..ff176edd9 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix 
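Review bot: In the new `rpcweb-imp`, `/RPC2` is passed straight to rtorrent's SCGI socket and the only gate is the `auth_basic` block emitted when `webcfg.enableAuth` is set, which `mkEnableOption` leaves off by default. rtorrent's SCGI interface has no authentication of its own and its XML-RPC command set includes the `execute` family this module already uses in `configFile`, so with `web.enable = true` alone every client that can reach `listenAddress` controls the daemon. I would make authentication the default, `enableAuth = mkOption { type = types.bool; default = true; };`, and require an explicit opt-out for loopback-only setups.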
@@ -1,32 +1,53 @@ -{ config, pkgs, ... }: -let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; +{ config, pkgs, lib, ... }: +let + rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; + datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F"; in { - makefu.awesome = { - modkey = "Mod1"; - #TODO: integrate kiosk config into full config by templating the autostart - baseConfig = pkgs.awesomecfg.kiosk; - }; imports = [ # Include the results of the hardware scan. ../. - ../2configs/main-laptop.nix + ../2configs/zsh-user.nix + ../2configs/base-gui.nix + ../2configs/laptop-utils.nix ../2configs/virtualization.nix ../2configs/tinc/retiolum.nix ]; + krebs = { enable = true; build.host = config.krebs.hosts.wbob; }; - networking.firewall.allowedUDPPorts = [ 1655 ]; - networking.firewall.allowedTCPPorts = [ 1655 49152 ]; - services.tinc.networks.siem = { - name = "display"; - extraConfig = '' - ConnectTo = sjump + + swapDevices = [ { device = "/var/swap"; } ]; + + services.xserver = { + layout = lib.mkForce "de"; + + windowManager = lib.mkForce { + awesome.enable = false; + default = "none"; + }; + desktopManager.xfce.enable = true; + + # xrandrHeads = [ "HDMI1" "HDMI2" ]; + # prevent screen from turning off, disable dpms + displayManager.sessionCommands = '' + xset s off -dpms + xrandr --output HDMI2 --right-of HDMI1 ''; }; + networking.firewall.allowedUDPPorts = [ 655 ]; + networking.firewall.allowedTCPPorts = [ 655 49152 ]; + #services.tinc.networks.siem = { + # name = "display"; + # extraConfig = '' + # ConnectTo = sjump + # Port = 1655 + # ''; + #}; + # rt2870.bin wifi card, part of linux-unfree hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; 
@@ -41,20 +62,18 @@ in { hardware.cpu.intel.updateMicrocode = true; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; - fileSystems."/" = { + fileSystems = { + "/" = { device = rootdisk + "-part1"; fsType = "ext4"; + }; + "/data" = { + device = datadisk + "-part1"; + fsType = "ext4"; + }; }; # DualHead on NUC - services.xserver = { - # xrandrHeads = [ "HDMI1" "HDMI2" ]; - # prevent screen from turning off, disable dpms - displayManager.sessionCommands = '' - xset s off -dpms - xrandr --output HDMI2 --right-of HDMI1 - ''; - }; # TODO: update synergy package with these extras (username) # TODO: add crypto layer systemd.services."synergy-client" = { From 5231d21dfbfd0e1aead9d654831e40aa481181a4 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 24 Aug 2016 00:14:43 +0200 Subject: [PATCH 13/15] m 3 rtorrent: mkIf, recursiveUpdate and multiple changes in systemd.services and nginx config do not work well together it seems --- makefu/3modules/rtorrent.nix | 158 +++++++++++++++++------------------ 1 file changed, 78 insertions(+), 80 deletions(-) diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix index 2532e1f52..98eb5f10f 100644 --- a/makefu/3modules/rtorrent.nix +++ b/makefu/3modules/rtorrent.nix @@ -8,8 +8,11 @@ let nginx-user = config.services.nginx.user; nginx-group = config.services.nginx.group; + fpm-socket = "/var/run/php5-fpm-rutorrent.sock"; + + webdir = rucfg.webdir; rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ - (if config.nixpkgs.config.allowUnfree then + (if (config.nixpkgs.config.allowUnfree or false) then trace "enabling unfree packages for rutorrent" [ unrar unzip ] else trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []) ; 
@@ -34,7 +37,6 @@ let echo "replacing scgi port and host variable in conf/config.php" ''; }; - fpm-socket = "/var/run/php5-fpm.sock"; systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; configFile = pkgs.writeText "rtorrent-config" '' # THIS FILE IS AUTOGENERATED @@ -73,9 +75,12 @@ let out = { options.makefu.rtorrent = api; - config = lib.recursiveUpdate (lib.mkIf cfg.enable imp) - ( lib.recursiveUpdate (lib.mkIf cfg.web.enable rpcweb-imp) - (lib.mkIf cfg.rutorrent.enable rutorrent-imp)); + # This only works because none of the attrsets returns the same key + config = with lib; mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf webcfg.enable rpcweb-imp) + (lib.mkIf rucfg.enable rutorrent-imp) + imp + ]); }; api = { @@ -91,7 +96,7 @@ let description ='' nginx listen address for rtorrent web ''; - default = "localhost:8005"; + default = "localhost:8006"; }; enableAuth = mkEnableOption "rutorrent authentication"; 
@@ -225,38 +230,62 @@ let }; imp = { - systemd.services.rtorrent-daemon = { - description = "rtorrent headless"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; - serviceConfig = { - Type = "forking"; - ExecStartPre = pkgs.writeDash "prepare-folder" '' - mkdir -p ${cfg.workDir} ${cfg.sessionDir} - touch ${systemd-logfile} - cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc - ''; - ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; + systemd.services = { + rtorrent-daemon = { + description = "rtorrent headless"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + Type = "forking"; + ExecStartPre = pkgs.writeDash "prepare-folder" '' + mkdir -p ${cfg.workDir} ${cfg.sessionDir} + chmod 770 ${cfg.workDir} ${cfg.sessionDir} + touch ${systemd-logfile} + cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc + ''; + ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; - # PrivateTmp = true; - ## now you can simply sudo -u rtorrent tmux a - ## otherwise the tmux session is stored in some private folder in /tmp - WorkingDirectory = cfg.workDir; - Restart = "on-failure"; - User = "${cfg.user}"; + # PrivateTmp = true; + ## now you can simply sudo -u rtorrent tmux a + ## otherwise the tmux session is stored in some private folder in /tmp + WorkingDirectory = cfg.workDir; + Restart = "on-failure"; + User = "${cfg.user}"; + }; }; - - }; - systemd.services.rtorrent-log = { - after = [ "rtorrent-daemon.service" ]; - bindsTo = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; - User = "${cfg.user}"; + rtorrent-log = { + after = [ "rtorrent-daemon.service" ]; + bindsTo = 
[ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; + serviceConfig = { + ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; + User = "${cfg.user}"; + }; }; - }; + } // (optionalAttrs webcfg.enable { + rutorrent-prepare = { + after = [ "rtorrent-daemon.service" ]; + bindsTo = [ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; + serviceConfig = { + Type = "oneshot"; + # we create the folder and set the permissions to allow nginx + # TODO: update files if the version of rutorrent changed + ExecStart = pkgs.writeDash "create-webconfig-dir" '' + if [ ! -e ${webdir} ];then + echo "creating webconfiguration directory for rutorrent: ${webdir}" + cp -r ${rucfg.package} ${webdir} + chown -R ${cfg.user}:${nginx-group} ${webdir} + chmod -R 770 ${webdir} + else + echo "not overwriting ${webdir}" + fi + ''; + }; + }; + }) + // (optionalAttrs rucfg.enable { }); users = lib.mkIf (cfg.user == "rtorrent") { users.rtorrent = { @@ -264,6 +293,7 @@ let home = cfg.workDir; group = nginx-group; shell = "/bin/sh"; #required for tmux + isSystemUser = true; createHome = true; }; groups.rtorrent.gid = genid "rtorrent"; @@ -280,6 +310,9 @@ let auth_basic "rtorrent"; auth_basic_user_file ${webcfg.authfile}; ''} + ${optionalString rucfg.enable '' + root ${webdir}; + ''} ''; locations = [ (nameValuePair "/RPC2" '' 
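Review bot: `rutorrent-prepare` is now added under `optionalAttrs webcfg.enable` while the `optionalAttrs rucfg.enable { }` after it is empty, so the ruTorrent tree is copied to `${webdir}` whenever the RPC vhost is enabled, even with `rutorrent.enable = false`; the two conditions look swapped. The added `chmod 770 ${cfg.workDir} ${cfg.sessionDir}` also gives the whole nginx group write access to rtorrent's home and session directory, although the group only needs to traverse `workDir` to reach the socket. `chmod 710 ${cfg.workDir}` with `sessionDir` left at its previous mode would be enough, assuming nothing in that group has to list or write there.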
@@ -287,39 +320,7 @@ let scgi_param SCRIPT_NAME /RPC2; scgi_pass unix:${cfg.xmlrpc-socket}; '') - ]; - }; - }; - - rutorrent-imp = let - webdir = rucfg.webdir; - in { - systemd.services.rutorrent-prepare = { - after = [ "rtorrent-daemon.service" ]; - bindsTo = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - Type = "oneshot"; - # we create the folder and set the permissions to allow nginx - # TODO: update files if the version of rutorrent changed - ExecStart = pkgs.writeDash "create-webconfig-dir" '' - if [ ! -e ${webdir} ];then - echo "creating webconfiguration directory for rutorrent: ${webdir}" - cp -r ${rucfg.package} ${webdir} - chown -R ${cfg.user}:${nginx-group} ${webdir} - chmod -R 770 ${webdir} - else - echo "not overwriting ${webdir}" - fi - ''; - }; - }; - krebs.nginx.servers.rtorrent = { - extraConfig = '' - root ${webdir}; - ''; - locations = [ - + ] ++ (optional rucfg.enable (nameValuePair "~ \.php$" '' client_max_body_size 200M; root ${webdir}; @@ -330,22 +331,20 @@ let include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; '') - - ]; + ); }; + }; + + rutorrent-imp = { services.phpfpm = { # phpfpm does not have an enable option - poolConfigs = let - user = config.services.nginx.user; - group = config.services.nginx.group; - fpm-socket = "/var/run/php5-fpm.sock"; - in { + poolConfigs = { rutorrent = '' - user = ${user} - group = ${group} + user = ${nginx-user} + group = ${nginx-group} listen = ${fpm-socket} - listen.owner = ${user} - listen.group = ${group} + listen.owner = ${nginx-user} + listen.group = ${nginx-group} pm = dynamic pm.max_children = 5 pm.start_servers = 2 @@ -356,7 +355,6 @@ let php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes - env[PATH] = ${makeBinPath rutorrent-deps} ''; }; }; From 5f61d1f92f8c9fa0c69ec0aceea1884b05b6e666 Mon Sep 17 00:00:00 2001 
From: makefu Date: Wed, 24 Aug 2016 00:19:01 +0200 Subject: [PATCH 14/15] m 3 rtorrent: only buidl rutorrent if webcfg is enabled as well --- makefu/3modules/rtorrent.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix index 98eb5f10f..02c922516 100644 --- a/makefu/3modules/rtorrent.nix +++ b/makefu/3modules/rtorrent.nix @@ -78,7 +78,8 @@ let # This only works because none of the attrsets returns the same key config = with lib; mkIf cfg.enable (lib.mkMerge [ (lib.mkIf webcfg.enable rpcweb-imp) - (lib.mkIf rucfg.enable rutorrent-imp) + # only build rutorrent-imp if webcfg is enabled as well + (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp) imp ]); }; @@ -111,7 +112,8 @@ let }; rutorrent = { - enable = mkEnableOption "rutorrent"; + enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable + package = mkOption { type = types.package; description = '' From 56e8681fd2d5a77fe539e5506b4b8f23bc0f4261 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 24 Aug 2016 00:27:45 +0200 Subject: [PATCH 15/15] m 3 rtorrent:for rss plugin to work - phpfpm user needs curl in path --- makefu/3modules/rtorrent.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix index 02c922516..441707727 100644 --- a/makefu/3modules/rtorrent.nix +++ b/makefu/3modules/rtorrent.nix @@ -357,6 +357,7 @@ let php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes + env[PATH] = ${makeBinPath rutorrent-deps} ''; }; };
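Review bot: With `lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp`, setting `rutorrent.enable` without `web.enable` is now silently ignored, and the only hint is the source comment added next to `mkEnableOption "rutorrent"` in the second hunk. An evaluation-time check would make the dependency explicit, for example `assertions = [ { assertion = rucfg.enable -> webcfg.enable; message = "rutorrent.enable requires web.enable"; } ];` inside `imp`. That way a host that was meant to have the authenticated web frontend fails at build time instead of deploying without it. The `config` expression is only partly visible in this hunk.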