Merge remote-tracking branch 'cloudkrebs/master'

2015-10-09 14:48:58 +02:00 · 2015-10-09 14:48:58 +02:00 · 96f4248b65
commit 96f4248b65
parent 694c79a5bc 4072a32f89
30 changed files with 363 additions and 35 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -14,6 +14,7 @@ let
      ./iptables.nix
      ./nginx.nix
      ./Reaktor.nix
+      ./realwallpaper.nix
      ./retiolum.nix
      ./urlwatch.nix
    ];
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -34,9 +34,11 @@ with import ../../4lib { inherit lib; };
          '';
        };
      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
    };
    fastpoke = {
-      dc = "lass"; #dc = "cac";
+      dc = "lass";
      nets = rec {
        internet = {
          addrs4 = ["193.22.164.36"];
@ -95,6 +97,8 @@ with import ../../4lib { inherit lib; };
          '';
        };
      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7oYx7Lbkc0wPYNp92LQF93DCtxsGzOkVD91FJQzVZl";
    };
    uriel = {
      cores = 1;
@ -119,6 +123,8 @@ with import ../../4lib { inherit lib; };
          '';
        };
      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBryIo/Waw8SWvlQ0+5I+Bd/dJgcMd6iPXtELS6gQXoc";
      secure = true;
    };
    mors = {
@ -145,6 +151,8 @@ with import ../../4lib { inherit lib; };
        };
      };
      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD";
    };

  };
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@ -8,12 +8,10 @@ let
    mkIf
  ;

-  lpkgs = import ../5pkgs { inherit pkgs; };
-
-  cfg = config.lass.realwallpaper;
+  cfg = config.krebs.realwallpaper;

  out = {
-    options.lass.realwallpaper = api;
+    options.krebs.realwallpaper = api;
    config = mkIf cfg.enable imp;
  };

@ -57,13 +55,13 @@ let
  imp = {
    systemd.timers.realwallpaper = {
      description = "real wallpaper generator timer";
+      wantedBy = [ "timers.target" ];

      timerConfig = cfg.timerConfig;
    };

    systemd.services.realwallpaper = {
      description = "real wallpaper generator";
-      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      path = with pkgs; [
@ -85,7 +83,7 @@ let

      serviceConfig = {
        Type = "simple";
-        ExecStart = "${lpkgs.realwallpaper}/realwallpaper.sh";
+        ExecStart = "${pkgs.realwallpaper}/realwallpaper.sh";
        User = "realwallpaper";
      };
    };
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@ -21,7 +21,9 @@ rec {
  nq = callPackage ./nq {};
  posix-array = callPackage ./posix-array {};
  pssh = callPackage ./pssh {};
+  passwdqc-utils = callPackage ./passwdqc-utils {};
  Reaktor = callPackage ./Reaktor {};
+  realwallpaper = callPackage ./realwallpaper.nix {};
  youtube-tools = callPackage ./youtube-tools {};

  execve = name: { filename, argv, envp ? {}, destination ? "" }:
--- a/krebs/5pkgs/passwdqc-utils/default.nix
+++ b/krebs/5pkgs/passwdqc-utils/default.nix
@ -0,0 +1,27 @@
+{stdenv,pam,fetchurl,...}:
+
+stdenv.mkDerivation rec {
+  name = "passwdqc-utils-${version}";
+  version = "1.3.0";
+  buildInputs = [ pam ];
+  src = fetchurl {
+    url = "http://www.openwall.com/passwdqc/passwdqc-${version}.tar.gz";
+    sha256 = "0l3zbrp4pvah0dz33m48aqlz9nx663cc1fqhnlwr0p853b10la93";
+  };
+  buildTargets = "utils";
+  installFlags= [ "BINDIR=$(out)/bin"
+                  "CONFDIR=$(out)/etc"
+                  "SHARED_LIBDIR=$(out)/lib"
+                  "DEVEL_LIBDIR=$(out)/lib"
+                  "SECUREDIR=$(out)/lib/security"
+                  "INCLUDEDIR=$(out)/include"
+                  "MANDIR=$(out)/man"];
+  installTargets = "install_lib install_utils";
+
+  meta = {
+    description = "passwdqc utils (pwqgen,pwqcheck) and library";
+    license = stdenv.lib.licenses.bsd3;
+    maintainers = [ stdenv.lib.maintainers.makefu ];
+    patforms = stdenv.lib.platforms.linux; # more installFlags must be set for Darwin,Solaris
+  };
+}
--- a/krebs/5pkgs/realwallpaper.nix
+++ b/krebs/5pkgs/realwallpaper.nix
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@ -13,6 +13,10 @@ in {
    ../2configs/retiolum.nix
    ../2configs/realwallpaper-server.nix
    ../2configs/privoxy-retiolum.nix
+    ../2configs/git.nix
+    ../2configs/redis.nix
+    ../2configs/go.nix
+    ../2configs/ircd.nix
    {
      networking.interfaces.enp2s1.ip4 = [
        {
@ -43,6 +47,6 @@ in {
    };
  };

-  networking.hostName = "echelon";
+  networking.hostName = config.krebs.build.host.name;

 }
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@ -24,6 +24,7 @@
    ../2configs/bitlbee.nix
    ../2configs/firefoxPatched.nix
    ../2configs/realwallpaper.nix
+    ../2configs/skype.nix
  ];

  krebs.build = {
--- a/lass/2configs/desktop-base.nix
+++ b/lass/2configs/desktop-base.nix
@ -28,14 +28,14 @@ in {
  environment.systemPackages = with pkgs; [

    powertop
+    sxiv
+    much

  #window manager stuff
    haskellPackages.xmobar
    haskellPackages.yeganesh
    dmenu2
    xlibs.fontschumachermisc
-
-    sxiv
  ];

  fonts.fonts = [
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@ -31,6 +31,7 @@ let
    };
    wai-middleware-time = {};
    web-routes-wai-custom = {};
+    go = {};
  };

  restricted-repos = mapAttrs make-restricted-repo (
@ -51,7 +52,7 @@ let
        nick = config.krebs.build.host.name;
        channel = "#retiolum";
        server = "cd.retiolum";
-        verbose = config.krebs.build.host.name == "cloudkrebs";
+        verbose = config.krebs.build.host.name == "echelon";
      };
    };
  };
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../3modules/go.nix
+  ];
+  environment.systemPackages = [
+    pkgs.go
+  ];
+  lass.go = {
+    enable = true;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; }
+  ];
+}
--- a/lass/2configs/ircd.nix
+++ b/lass/2configs/ircd.nix
@ -1,12 +1,15 @@
 { config, pkgs, ... }:

 {
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; }
+  ];
  config.services.charybdis = {
    enable = true;
    config = ''
      serverinfo {
-        name = "ire.irc.retiolum";
-        sid = "4z3";
+        name = "${config.krebs.build.host.name}.irc.retiolum";
+        sid = "1as";
        description = "miep!";
        network_name = "irc.retiolum";
        network_desc = "Retiolum IRC Network";
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@ -1,9 +1,5 @@
 { config, ... }:

 {
-  imports = [
-    ../3modules/realwallpaper.nix
-  ];
-
-  lass.realwallpaper.enable = true;
+  krebs.realwallpaper.enable = true;
 }
--- a/lass/2configs/redis.nix
+++ b/lass/2configs/redis.nix
@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  config.services.redis = {
+    enable = true;
+    bind = "127.0.0.1";
+  };
+}
--- a/lass/2configs/skype.nix
+++ b/lass/2configs/skype.nix
@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.mainUser;
+
+in {
+  imports = [
+    ../3modules/per-user.nix
+  ];
+
+  users.extraUsers = {
+    skype = {
+      name = "skype";
+      uid = 2259819492; #genid skype
+      description = "user for running skype";
+      home = "/home/skype";
+      useDefaultShell = true;
+      extraGroups = [ "audio" "video" ];
+      createHome = true;
+    };
+  };
+
+  lass.per-user.skype.packages = [
+    pkgs.skype
+  ];
+
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(skype) NOPASSWD: ALL
+  '';
+}
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@ -3,6 +3,5 @@ _:
 {
  imports = [
    ./xresources.nix
-    ./realwallpaper.nix
  ];
 }
--- a/lass/3modules/go.nix
+++ b/lass/3modules/go.nix
@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+
+let
+  cfg = config.lass.go;
+
+  out = {
+    options.lass.go = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "Enable go url shortener";
+    port = mkOption {
+      type = types.str;
+      default = "1337";
+      description = "on which port go should run on";
+    };
+    redisKeyPrefix = mkOption {
+      type = types.str;
+      default = "go:";
+      description = "change the Redis key prefix which defaults to `go:`";
+    };
+  };
+
+  imp = {
+    users.extraUsers.go = {
+      name = "go";
+      uid = 42774411; #genid go
+      description = "go url shortener user";
+      home = "/var/lib/go";
+      createHome = true;
+    };
+
+    systemd.services.go = {
+      description = "go url shortener";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        go
+      ];
+
+      environment = {
+        PORT = cfg.port;
+        REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
+      };
+
+      restartIfChanged = true;
+
+      serviceConfig = {
+        User = "go";
+        Restart = "always";
+        ExecStart = "${pkgs.go}/bin/go";
+      };
+    };
+  };
+
+in out
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -13,5 +13,5 @@ rec {
    ublock = callPackage ./firefoxPlugins/ublock.nix {};
    vimperator = callPackage ./firefoxPlugins/vimperator.nix {};
  };
-  realwallpaper = callPackage ./realwallpaper.nix {};
+  go = callPackage ./go/default.nix {};
 }
--- a/lass/5pkgs/go/default.nix
+++ b/lass/5pkgs/go/default.nix
@ -0,0 +1,59 @@
+{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+
+with lib;
+
+let
+  np = nodePackages.override {
+    generated = ./packages.nix;
+    self = np;
+  };
+
+  node_env = buildEnv {
+    name = "node_env";
+    paths = [
+      np.redis
+      np."formidable"
+    ];
+    pathsToLink = [ "/lib" ];
+    ignoreCollisions = true;
+  };
+
+in nodePackages.buildNodePackage {
+  name = "go";
+
+  src = fetchgit {
+    url = "http://cgit.echelon/go/";
+    rev = "05d02740e0adbb36cc461323647f0c1e7f493156";
+    sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f";
+  };
+
+  phases = [
+    "unpackPhase"
+    "installPhase"
+  ];
+
+  deps = (filter (v: nixType v == "derivation") (attrValues np));
+
+  buildInputs = [
+    nodejs
+    nodePackages.redis
+    np.formidable
+    makeWrapper
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+
+    cp index.js $out/
+    cat > $out/go << EOF
+      ${nodejs}/bin/node $out/index.js
+    EOF
+    chmod +x $out/go
+
+    wrapProgram $out/go \
+      --prefix NODE_PATH : ${node_env}/lib/node_modules
+
+     ln -s $out/go /$out/bin/go
+  '';
+
+}
--- a/lass/5pkgs/go/packages.nix
+++ b/lass/5pkgs/go/packages.nix
@ -0,0 +1,44 @@
+{ self, fetchurl, fetchgit ? null, lib }:
+
+{
+  by-spec."formidable"."*" =
+    self.by-version."formidable"."1.0.17";
+  by-version."formidable"."1.0.17" = self.buildNodePackage {
+    name = "formidable-1.0.17";
+    version = "1.0.17";
+    bin = false;
+    src = fetchurl {
+      url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz";
+      name = "formidable-1.0.17.tgz";
+      sha1 = "ef5491490f9433b705faa77249c99029ae348559";
+    };
+    deps = {
+    };
+    optionalDependencies = {
+    };
+    peerDependencies = [];
+    os = [ ];
+    cpu = [ ];
+  };
+  "formidable" = self.by-version."formidable"."1.0.17";
+  by-spec."redis"."*" =
+    self.by-version."redis"."2.1.0";
+  by-version."redis"."2.1.0" = self.buildNodePackage {
+    name = "redis-2.1.0";
+    version = "2.1.0";
+    bin = false;
+    src = fetchurl {
+      url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz";
+      name = "redis-2.1.0.tgz";
+      sha1 = "38acb208f90750250f9451219b73ff08ae907f94";
+    };
+    deps = {
+    };
+    optionalDependencies = {
+    };
+    peerDependencies = [];
+    os = [ ];
+    cpu = [ ];
+  };
+  "redis" = self.by-version."redis"."2.1.0";
+}
--- a/makefu/1systems/pnp.nix
+++ b/makefu/1systems/pnp.nix
@ -23,7 +23,9 @@
      ## \/ are only plugins, must enable Reaktor explicitly
      ../2configs/Reaktor/stockholmLentil.nix
      ../2configs/Reaktor/simpleExtend.nix
+      ../2configs/Reaktor/random-emoji.nix
      ../2configs/Reaktor/titlebot.nix
+      ../2configs/Reaktor/shack-correct.nix

      ../2configs/exim-retiolum.nix
      ../2configs/urlwatch.nix
@ -34,7 +36,7 @@
  krebs.Reaktor.debug = true;
  krebs.Reaktor.nickname = "Reaktor|bot";
  krebs.Reaktor.extraEnviron = {
-    REAKTOR_CHANNELS = "#krebs,#binaergewitter";
+    REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
  };

  krebs.build.host = config.krebs.hosts.pnp;
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@ -42,7 +42,7 @@
  krebs.build.user = config.krebs.users.makefu;
  krebs.build.target = "root@pornocauster";

-
+  environment.systemPackages = with pkgs;[ get];
  networking.firewall.allowedTCPPorts = [
    25
  ];
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@ -32,8 +32,8 @@ in {
  makefu.tinc_graphs.enable = true;
  makefu.tinc_graphs.krebsNginx = {
    enable = true;
-    hostnames_complete = [ "graphs.wry" "graphs.wry.retiolum" ];
-    # TODO: remove hard-coded path
+    # TODO: remove hard-coded hostname
+    hostnames_complete  = [ "graphs.wry" ];
    hostnames_anonymous = [ "graphs.krebsco.de" ];
  };
  networking.firewall.allowedTCPPorts = [80];
--- a/makefu/2configs/Reaktor/random-emoji.nix
+++ b/makefu/2configs/Reaktor/random-emoji.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with pkgs;
+let
+  rpkg = pkgs.substituteAll( {
+    name="random-emoji";
+    dir= "bin";
+    isExecutable=true;
+    src= ./random-emoji.sh;
+    });
+  rpkg-path = lib.makeSearchPath "bin" (with pkgs; [
+                        coreutils
+                        gnused
+                        gnugrep
+                        curl]);
+in {
+  # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
+  krebs.Reaktor.extraConfig = ''
+  public_commands.insert(0,{
+    'capname' : "emoji",
+    'pattern' : indirect_pattern.format("emoji"),
+    'argv'    : ["${rpkg}/bin/random-emoji"],
+    'env'     : { 'PATH':'${rpkg-path}' } })
+  '';
+}
--- a/makefu/2configs/Reaktor/random-emoji.sh
+++ b/makefu/2configs/Reaktor/random-emoji.sh
@ -0,0 +1,5 @@
+#!/bin/sh
+curl http://emojicons.com/random -s | \
+  grep data-text | \
+  sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
+  head -n 1
--- a/makefu/2configs/Reaktor/shack-correct.nix
+++ b/makefu/2configs/Reaktor/shack-correct.nix
@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with pkgs;
+let
+  script = pkgs.substituteAll ( {
+    name="shack-correct";
+    isExecutable=true;
+    dir = "";
+    src = ./shack-correct.sh;
+    });
+in {
+  krebs.Reaktor.extraConfig = ''
+  public_commands.insert(0,{
+    'capname' : "shack-correct",
+    'pattern' : '^(?P<args>.*Shack.*)$$',
+    'argv'    : ["${script}"],
+    'env'     : {  }})
+  '';
+}
+
--- a/makefu/2configs/Reaktor/shack-correct.sh
+++ b/makefu/2configs/Reaktor/shack-correct.sh
@ -0,0 +1,6 @@
+#! /bin/sh
+set -eu
+printf "Sie meinten wohl \""
+echo -n $@ | sed 's/Shack/shack/g'
+echo "\""
+echo "${_from}--"
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@ -29,6 +29,7 @@ let
    hooks = {
      post-receive = git.irc-announce {
        nick = config.networking.hostName;
+        verbose = config.krebs.build.host.name == "pnp";
        channel = "#retiolum";
        # TODO remove the hardcoded hostname
        server = "cd.retiolum";
--- a/makefu/3modules/tinc_graphs.nix
+++ b/makefu/3modules/tinc_graphs.nix
@ -24,21 +24,22 @@ let
      # configure krebs nginx to serve the new graphs
      enable = mkEnableOption "tinc_graphs nginx";

-      hostnames_complete = {
+      hostnames_complete = mkOption {
        #TODO: this is not a secure way to serve these graphs,better listen to
        #      the correct interface, krebs.nginx does not support this yet

        type = with types; listOf str;
        description = "hostname which serves complete graphs";
-        default = config.krebs.build.host.name;
+        default = [ "graphs.${config.krebs.build.host.name}" ];
      };

-      hostnames_anonymous = {
+      hostnames_anonymous = mkOption {
        type = with types; listOf str;
        description = ''
          hostname which serves anonymous graphs
          must be different from hostname_complete
        '';
+        default = [ "anongraphs.${config.krebs.build.host.name}" ];
      };
    };

@ -63,29 +64,38 @@ let
    environment.systemPackages = [ pkgs.tinc_graphs];
    systemd.timers.tinc_graphs = {
      description = "Build Tinc Graphs via via timer";
-
+      wantedBy = [ "timers.target"];
      timerConfig = cfg.timerConfig;
    };
    systemd.services.tinc_graphs = {
      description = "Build Tinc Graphs";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
      environment = {
        EXTERNAL_FOLDER = external_dir;
        INTERNAL_FOLDER = internal_dir;
        GEODB = cfg.geodbPath;
+        TINC_HOSTPATH=config.krebs.retiolum.hosts;
      };

      restartIfChanged = true;

      serviceConfig = {
        Type = "simple";
+
        ExecStartPre = pkgs.writeScript "tinc_graphs-init" ''
          #!/bin/sh
          mkdir -p "${external_dir}" "${internal_dir}"
        '';
+
        ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs";
-        User = "root"; # tinc cannot be queried as user, 
+
+        ExecStartPost = pkgs.writeScript "tinc_graphs-post" ''
+          #!/bin/sh
+          # TODO: this may break if workingDir is set to something stupid
+          # this is needed because homedir is created with 700
+          chmod 755  "${cfg.workingDir}"
+        '';
+
+        User = "root"; # tinc cannot be queried as user,
                       #  seems to be a tinc-pre issue
        privateTmp = true;
      };
@ -93,7 +103,7 @@ let

    users.extraUsers.tinc_graphs = {
      uid = 3925439960; #genid tinc_graphs
-      home = "/var/cache/tinc_graphs";
+      home = "/var/spool/tinc_graphs";
      createHome = true;
    };

@ -102,15 +112,16 @@ let
        server-names = cfg.krebsNginx.hostnames_complete;
        locations = [
          (nameValuePair "/" ''
+            autoindex on;
            root ${internal_dir};
          '')
        ];
      };
      tinc_graphs_anonymous = {
        server-names = cfg.krebsNginx.hostnames_anonymous;
-        #server-names = [ "dick" ];
        locations = [
          (nameValuePair "/" ''
+            autoindex on;
            root ${external_dir};
          '')
        ];
--- a/makefu/5pkgs/tinc_graphs/default.nix
+++ b/makefu/5pkgs/tinc_graphs/default.nix
@ -2,14 +2,14 @@

 python3Packages.buildPythonPackage rec {
  name = "tinc_graphs-${version}";
-  version = "0.2.9";
+  version = "0.2.12";
  propagatedBuildInputs = with pkgs;[
    python3Packages.pygeoip
    ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
  ];
  src = fetchurl {
    url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
-    sha256 = "0fm063qhjlb8g1xahwcqqrd2dxgd38wwi55rhl1k5chr7zajsqfz";
+    sha256 = "03jxvxahpcbpnz4668x32b629dwaaz5jcjkyaijm0zzpgcn4cbgp";
  };
  preFixup = with pkgs;''
    wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"