Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2018-05-03 18:45:55 +02:00
commit 8156ab9237
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
43 changed files with 409 additions and 599 deletions

View File

@ -1,13 +1,15 @@
{ config, lib, pkgs, ... }:
# bln config file
{
imports =
[ <stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix>
<stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix>
./hardware-configuration.nix
];
imports = [
./hardware-configuration.nix
<stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix>
<stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix>
<stockholm/jeschli/2configs/xdg.nix>
<stockholm/jeschli/2configs/xserver>
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
@ -91,14 +93,14 @@
services.printing.drivers = [ pkgs.postscript-lexmark ];
# Enable the X11 windowing system.
services.xserver.enable = true;
# services.xserver.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.xmonad.enableContribAndExtras = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.dpi = 100;
fonts.fontconfig.dpi = 100;
# services.xserver.windowManager.xmonad.enable = true;
# services.xserver.windowManager.xmonad.enableContribAndExtras = true;
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.dpi = 100;
# fonts.fontconfig.dpi = 100;
users.extraUsers.jeschli = {
isNormalUser = true;

View File

@ -43,7 +43,10 @@ in {
enable = true;
display = 11;
tty = 11;
dpi = 100;
videoDrivers = [ "nvidia" ];
synaptics = {
enable = true;
twoFingerScroll = true;

View File

@ -44,6 +44,7 @@ import XMonad.Layout.Reflect (reflectVert)
import XMonad.Layout.FixedColumn (FixedColumn(..))
import XMonad.Hooks.Place (placeHook, smart)
import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.SetWMName
import XMonad.Actions.PerWorkspaceKeys (chooseAction)
import XMonad.Layout.PerWorkspace (onWorkspace)
--import XMonad.Layout.BinarySpacePartition
@ -86,7 +87,8 @@ mainNoArgs = do
-- , handleEventHook = myHandleEventHooks <+> handleTimerEvent
--, handleEventHook = handleTimerEvent
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
, startupHook =
, startupHook = do
setWMName "LG3D"
whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
(\path -> forkFile path [] Nothing)
, normalBorderColor = "#1c1c1c"
@ -217,7 +219,7 @@ myKeys conf = Map.fromList $
pagerConfig :: PagerConfig
pagerConfig = def
{ pc_font = myFont
, pc_cellwidth = 64
, pc_cellwidth = 256
--, pc_cellheight = 36 -- TODO automatically keep screen aspect
--, pc_borderwidth = 1
--, pc_matchcolor = "#f0b000"

View File

@ -21,4 +21,5 @@
boot.isContainer = true;
networking.useDHCP = false;
krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
environment.variables.NIX_REMOTE = "daemon";
}

View File

@ -2,6 +2,7 @@
{
krebs.newsbot-js.news-spam = {
urlShortenerHost = "go.lassul.us";
feeds = pkgs.writeText "feeds" ''
[SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
[SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews

View File

@ -9,6 +9,7 @@ with import <stockholm/lib>;
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
ci = true;
monitoring = true;
}) {
dishfire = {
cores = 4;
@ -43,39 +44,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
};
echelon = {
cores = 2;
nets = rec {
internet = {
ip4.addr = "64.137.242.41";
aliases = [
"echelon.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.206.103";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [
"echelon.r"
"cgit.echelon.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ
oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX
MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f
4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA
n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p
do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
prism = rec {
cores = 4;
extraZones = {
@ -86,14 +54,17 @@ with import <stockholm/lib>;
"lassul.us" = ''
$TTL 3600
@ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
@ -149,6 +120,7 @@ with import <stockholm/lib>;
};
domsen-nas = {
ci = false;
monitoring = false;
external = true;
nets = rec {
internet = {
@ -161,6 +133,7 @@ with import <stockholm/lib>;
};
};
uriel = {
monitoring = false;
cores = 1;
nets = {
gg23 = {
@ -399,10 +372,12 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
};
iso = {
monitoring = false;
ci = false;
cores = 1;
};
sokrateslaptop = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -426,6 +401,7 @@ with import <stockholm/lib>;
};
};
turingmachine = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -454,6 +430,7 @@ with import <stockholm/lib>;
};
};
eddie = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -494,6 +471,7 @@ with import <stockholm/lib>;
};
};
borg = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -521,6 +499,7 @@ with import <stockholm/lib>;
};
};
inspector = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -552,6 +531,7 @@ with import <stockholm/lib>;
};
};
dpdkm = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -659,6 +639,37 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
};
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
aliases = [
"red.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
};
users = {
lass = {

View File

@ -13,7 +13,7 @@
krebs-source = {
nixpkgs.git = {
ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
ref = "b50443b5c4ac0f382c49352a892b9d5d970eb4e7";
url = https://github.com/NixOS/nixpkgs;
};
stockholm.file = toString ../.;

View File

@ -13,9 +13,9 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/AP.nix>
];
krebs.build.host = config.krebs.hosts.cabal;

View File

@ -8,9 +8,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/backup.nix>
{
# bubsy config
users.users.bubsy = {

View File

@ -1,50 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway;
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/git.nix>
{
networking.interfaces.enp2s1.ip4 = [
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = getDefaultGateway ip;
networking.nameservers = [
"8.8.8.8"
];
}
{
sound.enable = false;
}
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
];
};
};
}
];
krebs.build.host = config.krebs.hosts.echelon;
}

View File

@ -17,6 +17,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/dcso-dev.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
@ -137,35 +138,14 @@ with import <stockholm/lib>;
networking.hostName = lib.mkForce "BLN02NB0162";
security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
(pkgs.writeText "minio.cert" ''
-----BEGIN CERTIFICATE-----
MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
-----END CERTIFICATE-----
'')
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
];
programs.adb.enable = true;

View File

@ -14,9 +14,9 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
];
krebs.build.host = config.krebs.hosts.icarus;

View File

@ -8,7 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix>
{
users.users.blacky = {

View File

@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@ -140,6 +141,8 @@ with import <stockholm/lib>;
dpass
dnsutils
woeusb
l-gen-secrets
generate-secrets
(pkgs.writeDashBin "btc-coinbase" ''
${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
@ -186,6 +189,10 @@ with import <stockholm/lib>;
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true;
services.redshift = {
enable = true;
provider = "geoclue2";
};
lass.restic = genAttrs [
"daedalus"

View File

@ -104,6 +104,7 @@ in {
];
}
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
isNormalUser = true;
@ -189,26 +190,6 @@ in {
localAddress = "10.233.2.2";
};
}
{
#kaepsele
systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
containers.kaepsele = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
tv.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
}
{
#onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false;
@ -237,13 +218,12 @@ in {
<stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/monitoring/server.nix>
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
@ -324,6 +304,35 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/go.nix>
{
environment.systemPackages = [ pkgs.cryptsetup ];
systemd.services."container@red".reloadIfChanged = mkForce false;
containers.red = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
services.nginx.virtualHosts."rote-allez-fraktion.de" = {
enableACME = true;
addSSL = true;
locations."/" = {
extraConfig = ''
proxy_set_header Host rote-allez-fraktion.de;
proxy_pass http://10.233.2.4;
'';
};
};
}
];
krebs.build.host = config.krebs.hosts.prism;

View File

@ -0,0 +1,31 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
servephpBB
;
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/websites>
<stockholm/lass/2configs/websites/sqlBackup.nix>
(servephpBB [ "rote-allez-fraktion.de" ])
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
];
krebs.build.host = config.krebs.hosts.red;
boot.isContainer = true;
networking.useDHCP = false;
services.nginx.enable = true;
environment.variables.NIX_REMOTE = "daemon";
environment.systemPackages = [
pkgs.mk_sql_pair
];
}

View File

@ -1,3 +1,4 @@
import <stockholm/lass/source.nix> {
name = "echelon";
name = "red";
secure = true;
}

View File

@ -15,9 +15,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
];
krebs.build.host = config.krebs.hosts.shodan;

View File

@ -9,7 +9,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
{
# discordius config
services.xserver.enable = true;

View File

@ -2,10 +2,4 @@ with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "xerxes";
secure = true;
override = {
nixpkgs.git = mkForce {
url = https://github.com/lassulus/nixpkgs;
ref = "3eccd0b";
};
};
}

77
lass/2configs/AP.nix Normal file
View File

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
wifi = "wlp0s29u1u2";
in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
networking.networkmanager.unmanaged = [ wifi ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=a
channel=36
ieee80211d=1
country_code=DE
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
# 5ghz
ssid=krebsing
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=aidsballz
''}";
Restart = "always";
};
};
networking.interfaces.${wifi}.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
interfaces = [ wifi ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
option domain-name-servers 1.1.1.1, 8.8.8.8;
subnet 10.99.0.0 netmask 255.255.255.0 {
range 10.99.0.100 10.99.0.200;
}
'';
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
}

20
lass/2configs/backup.nix Normal file
View File

@ -0,0 +1,20 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
fileSystems = {
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
users.users.backup = {
useDefaultShell = true;
home = "/backups";
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
];
};
}

View File

@ -1,173 +0,0 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
# TODO add timerConfig to krebs.backup and randomize startup
# TODO define plans more abstract
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
dishfire-http-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
startAt = "03:00";
};
dishfire-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
startAt = "03:15";
};
dishfire-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
dishfire-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-chat-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
startAt = "03:55";
};
prism-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
icarus-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
startAt = "05:00";
};
icarus-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
startAt = "05:00";
};
mors-home-icarus = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
startAt = "05:00";
};
mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
shodan-home-icarus = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
startAt = "04:00";
};
shodan-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
};
}

View File

@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./livestream.nix
./dns-stuff.nix
./urxvt.nix
./network-manager.nix
{

View File

@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [
pkgs.electrum
];
krebs.per-user.ethereum.packages = [
pkgs.go-ethereum
];
users.extraUsers = {
bch = {
name = "bch";
@ -28,13 +25,6 @@ in {
useDefaultShell = true;
createHome = true;
};
ethereum = {
name = "ethereum";
description = "user for ethereum stuff";
home = "/home/ethereum";
useDefaultShell = true;
createHome = true;
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL

View File

@ -9,6 +9,7 @@ in {
dev = {
name = "dev";
uid = genid "dev";
extraGroups = [ "docker" ];
description = "user for collaborative development";
home = "/home/dev";
useDefaultShell = true;

View File

@ -6,10 +6,9 @@ with import <stockholm/lib>;
./gc.nix
./mc.nix
./vim.nix
./monitoring/client.nix
./monitoring/node-exporter.nix
./zsh.nix
./htop.nix
./backups.nix
./security-workarounds.nix
{
users.extraUsers =

View File

@ -1,16 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
services.dnscrypt-proxy = {
enable = true;
localAddress = "127.1.0.1";
customResolver = {
address = config.krebs.hosts.gum.nets.internet.ip4.addr;
port = 15251;
name = "2.dnscrypt-cert.euer.krebsco.de";
key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
};
};
services.resolved.enable = true;
services.resolved.fallbackDns = [ "127.1.0.1" ];
}

View File

@ -79,6 +79,7 @@ with import <stockholm/lib>;
{ from = "ovh@lassul.us"; to = lass.mail; }
{ from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; }
{ from = "immoscout@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }

View File

@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer);
};
}

View File

@ -57,6 +57,16 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software";
};
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
} ];
};
krops = {
cgit.desc = "krebs deployment";
cgit.section = "software";
};
} // mapAttrs make-public-repo-silent {
};
@ -70,8 +80,8 @@ let
import <secrets/repos.nix> { inherit config lib pkgs; }
);
make-public-repo = name: { cgit ? {}, ... }: {
inherit cgit name;
make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: {
inherit cgit collaborators name;
public = true;
hooks = {
post-receive = pkgs.git-hooks.irc-announce {

19
lass/2configs/go.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
krebs.go = {
enable = true;
};
services.nginx = {
enable = true;
virtualHosts.go = {
locations."/".extraConfig = ''
proxy_set_header Host go.lassul.us;
proxy_pass http://localhost:1337;
'';
serverAliases = [
"go.lassul.us"
];
};
};
}

View File

@ -206,8 +206,11 @@ in {
msmtp
mutt
pkgs.much
pkgs.notmuch
tag-new-mails
tag-old-mails
];
nixpkgs.config.packageOverrides = opkgs: {
notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
};
}

View File

@ -1,26 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.telegraf = {
enable = true;
extraConfig = {
agent.interval = "1s";
outputs = {
influxdb = {
urls = ["http://prism:8086"];
database = "telegraf_db";
user_agent = "telegraf";
};
};
inputs = {
cpu = {
percpu = false;
totalcpu = true;
};
mem = {};
net = {};
};
};
};
}

View File

@ -1,44 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
let
echoToIrc = msg:
pkgs.writeDash "echo_irc" ''
set -euf
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
'';
in {
krebs.monit = {
enable = true;
http.enable = true;
alarms = {
nirwanabluete = {
test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
alarm = echoToIrc "test nirwanabluete failed";
};
ubik = {
test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
alarm = echoToIrc "test ubik failed";
};
cac-panel = {
test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
alarm = echoToIrc "test cac-panel failed";
};
radio = {
test = pkgs.writeBash "check_stream" ''
${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
| ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
| ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
'';
alarm = echoToIrc "test radio failed";
};
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
];
}

View File

@ -1,7 +1,9 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 9100 ];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
];
services.prometheus.exporters = {
node = {
enable = true;

View File

@ -9,6 +9,12 @@
# useDHCP = true;
#};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
];
services = {
prometheus = {
enable = true;
@ -124,11 +130,10 @@
static_configs = [
{
targets = [
"localhost:9100"
];
labels = {
alias = "prometheus.example.com";
};
] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts));
#labels = {
# alias = "prometheus.example.com";
#};
}
];
}
@ -159,7 +164,7 @@
];
"webhook_configs" = [
{
"url" = "https://example.com/prometheus-alerts";
"url" = "http://127.0.0.1:14813/prometheus-alerts";
"send_resolved" = true;
}
];
@ -176,4 +181,37 @@
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
};
services.logstash = {
enable = true;
inputConfig = ''
http {
port => 14813
host => "127.0.0.1"
}
'';
filterConfig = ''
if ([alerts]) {
ruby {
code => '
lines = []
event["alerts"].each {|p|
lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}"
}
event["output"] = lines.join("\n")
'
}
}
'';
outputConfig = ''
file { path => "/tmp/logs.json" codec => "json_lines" }
irc {
channels => [ "#noise" ]
host => "irc.r"
nick => "alarm"
codec => "json_lines"
format => "%{output}"
}
'';
#plugins = [ ];
};
}

View File

@ -1,87 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.influxdb.enable = true;
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
http.bind-address = ":8086";
admin.bind-address = ":8083";
http.log-enabled = false;
monitoring = {
enabled = false;
# write-interval = "24h";
};
collectd = [{
enabled = true;
typesdb = "${pkgs.collectd}/share/collectd/types.db";
database = "collectd_db";
port = 25826;
}];
};
krebs.kapacitor =
let
db = "telegraf_db";
echoToIrc = pkgs.writeDash "echo_irc" ''
set -euf
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 prism-alarm \#noise "$data" >/dev/null
'';
in {
enable = true;
alarms = {
cpu = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("usage_user") AS mean
FROM "${db}"."default"."cpu"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
data |deadman(1.0,5m)
.stateChangesOnly()
.exec('${echoToIrc}')
'';
};
ram = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("used_percent") AS mean
FROM "${db}"."default"."mem"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
'';
};
};
};
services.grafana = {
enable = true;
addr = "0.0.0.0";
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
{ predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
];
}

View File

@ -6,66 +6,10 @@ let
genid
;
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
in {
imports = [
./default.nix
../git.nix
(servephpBB [ "rote-allez-fraktion.de" ])
];
security.acme = {

View File

@ -28,6 +28,59 @@ rec {
};
};
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
serveOwncloud = domains:
let
domain = head domains;

View File

@ -54,8 +54,8 @@
eval $(dircolors -b ${pkgs.fetchFromGitHub {
owner = "trapd00r";
repo = "LS_COLORS";
rev = "master";
sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0";
sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4";
}}/LS_COLORS)
alias ls='ls --color'
zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}

View File

@ -50,6 +50,14 @@ rec {
default = false;
};
monitoring = mkOption {
description = ''
Whether the host should be monitored by monitoring tools like Prometheus.
'';
type = bool;
default = false;
};
owner = mkOption {
type = user;
};

View File

@ -349,6 +349,7 @@ let
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
set bg=dark
'';
in
out