Merge remote-tracking branch 'gum/master'

This commit is contained in:
lassulus 2018-12-14 19:24:26 +01:00
commit 9a9a6d0a90
43 changed files with 464 additions and 259 deletions


@ -3,7 +3,7 @@
{ {
nix = { nix = {
binaryCaches = [ binaryCaches = [
"http://cache.prism.r" "https://cache.krebsco.de"
]; ];
binaryCachePublicKeys = [ binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
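Review bot: The substituter URL now points at cache.krebsco.de, but the only trusted key is still the one named cache.prism-1, so Nix will refuse paths from the new cache unless krebsco.de signs with exactly that key. If it does, say so next to the key, e.g. `# cache.krebsco.de is signed with the cache.prism-1 key`; if it has its own key, add that key to binaryCachePublicKeys instead of relying on the old name. Moving from plain http to https is a good change. The identical hunk in the second binary-cache file further down (the one just before the bitlbee change) gets the same remark.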


@ -1,4 +1,4 @@
{lib, ... }: { pkgs, lib, ... }:
with lib; with lib;
let let
domain = "cache.nsupdate.info"; domain = "cache.nsupdate.info";
@ -17,9 +17,13 @@ in {
}; };
krebs.cachecache = { krebs.cachecache = {
enable = true; enable = true;
enableSSL = false; # disable letsencrypt for testing enableSSL = true; # disable letsencrypt for testing
cacheDir = "/var/cache/nix-cache-cache"; cacheDir = "/var/cache/nix-cache-cache";
maxSize = "10g"; maxSize = "10g";
indexFile = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html";
sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0";
};
# assumes that the domain is reachable from the internet # assumes that the domain is reachable from the internet
virtualHost = domain; virtualHost = domain;
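Review bot: The comment on the enableSSL line now contradicts the value: it still says `# disable letsencrypt for testing` while the option was flipped to true. Either drop the remark or invert it, e.g. `enableSSL = true; # set to false to test without letsencrypt`. Pinning the fetched index.html by sha256 is the right way to pull in that file.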


@ -1,4 +1,4 @@
{ config, lib, ... }: { pkgs, config, lib, ... }:
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b # fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
@ -59,15 +59,6 @@ in
''; '';
}; };
# webRoot = mkOption {
# type = types.str;
# default = "/";
# description = ''
# Directory on virtual host that serves the cache. Must end in
# <literal>/</literal>.
# '';
# };
resolver = mkOption { resolver = mkOption {
type = types.str; type = types.str;
description = "Address of DNS resolver."; description = "Address of DNS resolver.";
@ -82,6 +73,13 @@ in
Where nginx should store cached data. Where nginx should store cached data.
''; '';
}; };
indexFile = mkOption {
type = types.path;
default = pkgs.writeText "myindex" "<html>hello world</html>";
description = ''
Path to index.html file.
'';
};
maxSize = mkOption { maxSize = mkOption {
type = types.str; type = types.str;
@ -98,6 +96,7 @@ in
systemd.services.nginx.preStart = '' systemd.services.nginx.preStart = ''
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
chown ${nginxCfg.user}:${nginxCfg.group} \ chown ${nginxCfg.user}:${nginxCfg.group} \
${cfg.cacheDir} /srv/www/nix-cache-cache ${cfg.cacheDir} /srv/www/nix-cache-cache
''; '';
@ -143,6 +142,7 @@ in
locations."/" = locations."/" =
{ {
root = "/srv/www/nix-cache-cache"; root = "/srv/www/nix-cache-cache";
index = "index.html";
extraConfig = '' extraConfig = ''
expires max; expires max;
add_header Cache-Control $nix_cache_cache_header always; add_header Cache-Control $nix_cache_cache_header always;
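Review bot: The new `index = "index.html";` is inside the location that sets `expires max;`, so the index page is handed out with a far-future Expires header; once a browser or intermediate cache has it, a later change to cfg.indexFile will not be seen by that client. If the index is expected to change, give it its own location without the long expiry, e.g. `locations."= /index.html".extraConfig = "expires -1;";`, and document that in the indexFile option description. The symlink created in preStart points into the Nix store, so serving it through nginx as the nginx user is fine.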


@ -551,27 +551,28 @@ in {
ci = true; ci = true;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
boot.euer IN A ${nets.internet.ip4.addr}
cache.euer IN A ${nets.internet.ip4.addr} cache.euer IN A ${nets.internet.ip4.addr}
cache.gum IN A ${nets.internet.ip4.addr} cache.gum IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
wg.euer IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr} cgit.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr} dl.euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr} dockerhub IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
netdata.euer IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
wg.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de. io IN NS gum.krebsco.de.
''; '';
}; };
@ -596,24 +597,25 @@ in {
via = internet; via = internet;
ip4.addr = "10.243.0.213"; ip4.addr = "10.243.0.213";
aliases = [ aliases = [
"nextgum.r"
"graph.r"
"cache.gum.r"
"logs.makefu.r"
"stats.makefu.r"
"backup.makefu.r" "backup.makefu.r"
"dcpp.nextgum.r"
"gum.r"
"cgit.gum.r"
"o.gum.r"
"tracker.makefu.r"
"search.makefu.r"
"wiki.makefu.r"
"wiki.gum.r"
"blog.makefu.r"
"blog.gum.r" "blog.gum.r"
"blog.makefu.r"
"cache.gum.r"
"cgit.gum.r"
"dcpp.gum.r" "dcpp.gum.r"
"dcpp.nextgum.r"
"graph.r"
"gum.r"
"logs.makefu.r"
"netdata.makefu.r"
"nextgum.r"
"o.gum.r"
"search.makefu.r"
"stats.makefu.r"
"torrent.gum.r" "torrent.gum.r"
"tracker.makefu.r"
"wiki.gum.r"
"wiki.makefu.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----


@ -1 +1 @@
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 shackspace.de@myvdr.de ssh-rsa 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 shackspace.de@myvdr.de


@ -0,0 +1 @@
"derp"


@ -1,5 +0,0 @@
{
name="gum";
torrent = true;
clever_kexec = true;
}


@ -4,13 +4,14 @@ with import <stockholm/lib>;
let let
external-ip = config.krebs.build.host.nets.internet.ip4.addr; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
ext-if = config.makefu.server.primary-itf; ext-if = config.makefu.server.primary-itf;
allDisks = [ "/dev/sda" "/dev/sdb" ];
in { in {
imports = [ imports = [
<stockholm/makefu> <stockholm/makefu>
./hardware-config.nix ./hardware-config.nix
{ {
users.users.lass = { users.users.lass = {
uid = 9002; uid = 19002;
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
useDefaultShell = true; useDefaultShell = true;
@ -20,8 +21,12 @@ in {
]; ];
}; };
} }
# <stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/stats/netdata-server.nix>
<stockholm/makefu/2configs/headless.nix> <stockholm/makefu/2configs/headless.nix>
# <stockholm/makefu/2configs/smart-monitor.nix> <stockholm/makefu/2configs/smart-monitor.nix>
{ services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
# Security # Security
<stockholm/makefu/2configs/sshd-totp.nix> <stockholm/makefu/2configs/sshd-totp.nix>
@ -30,6 +35,8 @@ in {
<stockholm/makefu/2configs/tools/core.nix> <stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix> <stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix> <stockholm/makefu/2configs/tools/sec.nix>
<stockholm/makefu/2configs/tools/desktop.nix>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix> <stockholm/makefu/2configs/mosh.nix>
# <stockholm/makefu/2configs/gui/xpra.nix> # <stockholm/makefu/2configs/gui/xpra.nix>
@ -41,17 +48,47 @@ in {
<stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/iodined.nix>
# <stockholm/makefu/2configs/backup.nix> # <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/tinc/retiolum.nix>
{ # bonus retiolum config for connecting more hosts
krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
connectTo = [
"prism" "ni" "enklave" "eve" "archprism"
];
};
networking.firewall = {
allowedTCPPorts =
[
53
655
21031
];
allowedUDPPorts =
[
53
655
21031
];
};
}
# ci # ci
# <stockholm/makefu/2configs/exim-retiolum.nix> # <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix> <stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/shack/events-publisher>
<stockholm/makefu/2configs/shack/gitlab-runner> <stockholm/makefu/2configs/shack/gitlab-runner>
<stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/taskd.nix> <stockholm/makefu/2configs/taskd.nix>
# services # services
<stockholm/makefu/2configs/sabnzbd.nix> # <stockholm/makefu/2configs/sabnzbd.nix>
<stockholm/makefu/2configs/mail/mail.euer.nix> <stockholm/makefu/2configs/mail/mail.euer.nix>
{
krebs.exim.enable = mkForce false;
}
# sharing # sharing
<stockholm/makefu/2configs/share/gum.nix> <stockholm/makefu/2configs/share/gum.nix>
@ -59,13 +96,6 @@ in {
#<stockholm/makefu/2configs/retroshare.nix> #<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix> ## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix> #<stockholm/makefu/2configs/syncthing.nix>
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
# <stockholm/makefu/2configs/opentracker.nix> # <stockholm/makefu/2configs/opentracker.nix>
## network ## network
@ -91,17 +121,17 @@ in {
#<stockholm/makefu/2configs/nginx/public_html.nix> #<stockholm/makefu/2configs/nginx/public_html.nix>
#<stockholm/makefu/2configs/nginx/update.connector.one.nix> #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix> <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix> # <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/iso.euer.nix> <stockholm/makefu/2configs/nginx/iso.euer.nix>
<stockholm/makefu/2configs/shack/events-publisher> <stockholm/krebs/2configs/cache.nsupdate.info.nix>
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
<stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/graphs.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/owncloud.nix>
<stockholm/makefu/2configs/deployment/boot-euer.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix>
<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> <stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>
<stockholm/makefu/2configs/bgt/hidden_service.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix> # <stockholm/makefu/2configs/logging/client.nix>
# sharing # sharing
@ -116,6 +146,7 @@ in {
# krebs infrastructure services # krebs infrastructure services
<stockholm/makefu/2configs/stats/server.nix> <stockholm/makefu/2configs/stats/server.nix>
]; ];
makefu.dl-dir = "/var/download"; makefu.dl-dir = "/var/download";
services.openssh.hostKeys = [ services.openssh.hostKeys = [
@ -125,70 +156,14 @@ in {
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum; krebs.build.host = config.krebs.hosts.gum;
krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
connectTo = [
"prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
];
};
# access
users.users = {
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
};
# Chat
environment.systemPackages = with pkgs;[
weechat
bepasty-client-cli
tmux
];
# Hardware
# Network # Network
networking = { networking = {
firewall = { firewall = {
allowPing = true; allowPing = true;
logRefusedConnections = false; logRefusedConnections = false;
allowedTCPPorts = [
# smtp
25
# http
80 443
# httptunnel
8080 8443
# tinc
655
# tinc-shack
21032
# tinc-retiolum
21031
# taskserver
53589
# temp vnc
18001
# temp reverseshell
31337
];
allowedUDPPorts = [
# tinc
655 53
# tinc-retiolum
21031
# tinc-shack
21032
];
}; };
nameservers = [ "8.8.8.8" ]; nameservers = [ "8.8.8.8" ];
}; };
users.users.makefu.extraGroups = [ "download" "nginx" ]; users.users.makefu.extraGroups = [ "download" "nginx" ];
boot.tmpOnTmpfs = true;
state = [ "/home/makefu/.weechat" ]; state = [ "/home/makefu/.weechat" ];
} }
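Review bot: The `# access` block that put the makefu-omo key on root and the makefu-vbob/makefu-bob keys on the makefu user is removed in the last hunk and nothing in the new side of this file re-adds it; unless an imported module now supplies those authorizedKeys, key-based administrative access to gum is gone after the next deploy — a one-line comment naming where the keys moved would settle it. In the same hunk the explicit firewall list (25, 80/443, 8080/8443, 21032, 53589, …) is dropped and the new retiolum block only opens 53/655/21031, so every remaining service must open its own ports through its module; please confirm that for mail, nginx, taskd and tinc-shack. Dropping the "temp vnc" and "temp reverseshell" ports is a good cleanup. The imports list these hunks edit starts and ends in different hunks.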


@ -46,7 +46,7 @@ in {
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod" "xhci_pci" "ehci_pci" "ahci" "sd_mod"
]; ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ];
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
fileSystems."/" = { fileSystems."/" = {
device = "/dev/mapper/nixos-root"; device = "/dev/mapper/nixos-root";
@ -56,10 +56,19 @@ in {
device = "/dev/mapper/nixos-lib"; device = "/dev/mapper/nixos-lib";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/var/log" = {
device = "/dev/mapper/nixos-log";
fsType = "ext4";
};
fileSystems."/var/download" = { fileSystems."/var/download" = {
device = "/dev/mapper/nixos-download"; device = "/dev/mapper/nixos-download";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/var/www/binaergewitter" = {
device = "/dev/mapper/nixos-binaergewitter";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/var/lib/borgbackup" = { fileSystems."/var/lib/borgbackup" = {
device = "/dev/mapper/nixos-backup"; device = "/dev/mapper/nixos-backup";
fsType = "ext4"; fsType = "ext4";
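Review bot: `/var/www/binaergewitter` is mounted with `nofail`, so if the LV is missing the mountpoint is just an empty directory on the root filesystem: nginx serves nothing and any SFTP upload into that path silently lands on `/`. That may be intended for boot robustness, but it deserves a comment, e.g. `options = [ "nofail" ]; # boot must not block on this LV; uploads land on / if it is absent`. The new `/var/log` mount has no `nofail`, which looks deliberate but is worth stating for the same reason.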


@ -1,10 +1,14 @@
ssh gum.i -o StrictHostKeyChecking=no
mount /dev/mapper/nixos-root /mnt mount /dev/mapper/nixos-root /mnt
mount /dev/sda2 /mnt/boot mount /dev/sda2 /mnt/boot
chroot-prepare /mnt chroot-prepare /mnt
chroot /mnt /bin/sh chroot /mnt /bin/sh
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub) journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
# ... activating ...
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate /nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
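Review bot: `-o StrictHostKeyChecking=no` on the first line turns off host-key verification completely, including the case where the key has changed, which is exactly the situation a recovery procedure runs in. Prefer `ssh gum.i -o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+), which still accepts an unknown key but refuses a changed one, or remove the stale entry explicitly with `ssh-keygen -R gum.i` before connecting.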


@ -1,5 +1,5 @@
{ {
name="nextgum"; name="gum";
torrent = true; torrent = true;
clever_kexec = true; clever_kexec = true;
} }


@ -44,7 +44,8 @@ in {
# <stockholm/makefu/2configs/share/omo-timemachine.nix> # <stockholm/makefu/2configs/share/omo-timemachine.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/tinc/retiolum.nix>
# statistics
<stockholm/makefu/2configs/stats/client.nix>
# Logging # Logging
#influx + grafana #influx + grafana
<stockholm/makefu/2configs/stats/server.nix> <stockholm/makefu/2configs/stats/server.nix>
@ -74,7 +75,8 @@ in {
"homeassistant-0.77.2" "homeassistant-0.77.2"
]; ];
} }
<stockholm/makefu/2configs/deployment/homeautomation> <stockholm/makefu/2configs/homeautomation>
<stockholm/makefu/2configs/homeautomation/google-muell.nix>
{ {
makefu.ps3netsrv = { makefu.ps3netsrv = {
enable = true; enable = true;


@ -48,9 +48,8 @@ in {
makefu.snapraid = { makefu.snapraid = {
enable = true; enable = true;
# TODO: 3 is not protected disks = map toMapper [ 0 2 3 ];
disks = map toMapper [ 0 1 ]; parity = toMapper 1;
parity = toMapper 2;
}; };
fileSystems = let fileSystems = let
cryptMount = name: cryptMount = name:
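Review bot: The layout swap turns mapper 1 from a data disk into the parity disk and mapper 2 from parity into data; on the next `snapraid sync` the parity file is written onto mapper 1, so presumably its content was moved elsewhere first. Record that in the config so the next reader does not have to guess, e.g. `parity = toMapper 1; # mapper 1 emptied and array re-synced on <date>`. Removing the old "3 is not protected" TODO is consistent with disk 3 now being in `disks`.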


@ -20,9 +20,6 @@ in {
<stockholm/makefu/2configs/mqtt.nix> <stockholm/makefu/2configs/mqtt.nix>
<stockholm/makefu/2configs/gui/wbob-kiosk.nix> <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/gui/studio-virtual.nix> # <stockholm/makefu/2configs/gui/studio-virtual.nix>
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix> # <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
# <stockholm/makefu/2configs/audio/realtime-audio.nix> # <stockholm/makefu/2configs/audio/realtime-audio.nix>
@ -35,6 +32,8 @@ in {
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
# Sensors # Sensors
<stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/stats/collectd-client.nix>
<stockholm/makefu/2configs/stats/telegraf> <stockholm/makefu/2configs/stats/telegraf>
<stockholm/makefu/2configs/stats/telegraf/airsensor.nix> <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
<stockholm/makefu/2configs/stats/telegraf/europastats.nix> <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
@ -51,9 +50,9 @@ in {
"homeassistant-0.77.2" "homeassistant-0.77.2"
]; ];
} }
<stockholm/makefu/2configs/deployment/bureautomation> <stockholm/makefu/2configs/bureautomation>
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix> <stockholm/makefu/2configs/bureautomation/mpd.nix>
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix> <stockholm/makefu/2configs/bureautomation/hass.nix>
(let (let
collectd-port = 25826; collectd-port = 25826;
influx-port = 8086; influx-port = 8086;


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx


@ -1,12 +1,25 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with import <stockholm/lib>;
let let
ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519"; ident = (builtins.readFile ./auphonic.pub);
in { in {
systemd.services.mirrorsync = { services.openssh = {
startAt = "08:00:00"; allowSFTP = true;
path = with pkgs; [ rsync openssh ]; sftpFlags = [ "-l VERBOSE" ];
script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter''; extraConfig = ''
Match User auphonic
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication no
'';
};
users.users.auphonic = {
uid = genid "auphonic";
group = "nginx";
useDefaultShell = true;
openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
}; };
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
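Review bot: The `Match User auphonic` block forces internal-sftp but sets no `ChrootDirectory`, so the auphonic key can list and fetch any world-readable file on the host and write wherever group nginx may, since the account is placed in that group. Confine it to the upload area: `ChrootDirectory /var/www/binaergewitter` inside the Match block, with the chroot root owned by root and not group-writable and a writable subdirectory for the uploads. `useDefaultShell = true` is moot under ForceCommand but grants a login shell the account does not need. Disabling forwarding, X11 and password auth for the match, plus `-l VERBOSE`, are the right accompanying settings; the enclosing attribute set continues past this hunk.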


@ -3,7 +3,7 @@
{ {
nix = { nix = {
binaryCaches = [ binaryCaches = [
"http://cache.prism.r" "https://cache.krebsco.de"
]; ];
binaryCachePublicKeys = [ binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="


@ -3,6 +3,6 @@
{ {
services.bitlbee = { services.bitlbee = {
enable = true; enable = true;
libpurple_plugins = [ pkgs.telegram-purple ]; libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb];
}; };
} }


@ -112,7 +112,6 @@ in {
"temperature" # "temperature_high" "temperature_low" "temperature" # "temperature_high" "temperature_low"
"apparent_temperature" "apparent_temperature"
"hourly_summary" # next 24 hours text "hourly_summary" # next 24 hours text
"minutely_summary"
"humidity" "humidity"
"pressure" "pressure"
"uv_index" ]; "uv_index" ];
@ -212,27 +211,44 @@ in {
to = "on"; to = "on";
}; };
action = { action = {
service= "homeassistant.turn_on"; service = "homeassistant.turn_on";
entity_id= "switch.fernseher"; entity_id = [ "switch.fernseher" "switch.blitzdings" ];
}; };
} }
{ alias = "Turn off Fernseher 10 minutes after last movement"; { alias = "Turn off Fernseher 10 minutes after last movement";
trigger = { trigger = [
{ # trigger when movement was detected at the time
platform = "state"; platform = "state";
entity_id = "binary_sensor.motion"; entity_id = "binary_sensor.motion";
to = "off"; to = "off";
for.minutes = 10; for.minutes = 10;
}; }
{ # trigger at 20:00 no matter what
# to avoid 'everybody left before 18:00:00'
platform = "time";
at = "18:00:00";
}
];
action = { action = {
service= "homeassistant.turn_off"; service = "homeassistant.turn_off";
entity_id= "switch.fernseher"; entity_id = [ "switch.fernseher" "switch.blitzdings" ];
}; };
condition = [{ condition =
{ condition = "and";
conditions = [
{
condition = "time"; condition = "time";
before = "06:30:00"; #only turn off between 6:30 and 18:00 before = "06:30:00"; #only turn off between 6:30 and 18:00
after = "18:00:00"; after = "18:00:00";
weekday = [ "mon" "tue" "wed" "thu" "fri" ]; # weekday = [ "mon" "tue" "wed" "thu" "fri" ];
}]; }
{
condition = "state";
entity_id = "binary_sensor.motion";
state = "off";
}
];
};
} }
]; ];
}; };
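Review bot: The comment on the new time trigger says "trigger at 20:00 no matter what" but the value is `at = "18:00:00";`; make them agree, e.g. `# trigger at 18:00 no matter what`. That trigger also fires exactly on the `after = "18:00:00"` boundary of the time condition below it, and whether the condition treats an equal timestamp as satisfied is not visible here — confirm it, or move the trigger off the boundary with `at = "18:01:00";`. The surviving comment "only turn off between 6:30 and 18:00" reads inverted against `before = "06:30:00"` / `after = "18:00:00"`, which describe the night window.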


@ -32,7 +32,7 @@ let
${user} ${user}
protocol=dyndns2 protocol=dyndns2
usev5=if, if=${primary-itf} usev6=if, if=${primary-itf}
ssl=yes ssl=yes
server=ipv6.nsupdate.info server=ipv6.nsupdate.info
login=${user} login=${user}


@ -31,7 +31,7 @@ let
brightness_scale = 100; brightness_scale = 100;
# color # color
rgb_state_topic = "/ham/${topic}/stat/Color"; rgb_state_topic = "/ham/${topic}/stat/Color";
rgb_command_topic = "/ham/${topic}/cmnd/Color2"; rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule
rgb_command_mode = "hex"; rgb_command_mode = "hex";
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}"; rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
# effects # effects


@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz") (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz")
]; ];
mailserver = { mailserver = {


@ -7,8 +7,8 @@
# the only true timezone (even after the the removal of DST) # the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking.hostName = config.krebs.build.host.name; networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
nix.buildCores = config.krebs.build.host.cores; nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we use gpg if necessary (or nothing at all) # we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false; programs.ssh.startAgent = false;
@ -85,4 +85,6 @@
"net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.all.use_tempaddr" = 2;
"net.ipv6.conf.default.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2;
}; };
services.nscd.enable = false;
} }
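Review bot: `services.nscd.enable = false;` is added to the shared defaults without a comment, and on NixOS nscd is, as far as I know, the path through which non-glibc NSS modules (resolve, myhostname, mdns and the like) are made available to programs, so this can change name resolution on every host that imports this file. State the reason and the trade-off on the line, e.g. `services.nscd.enable = false; # <reason>; note: non-glibc NSS modules stop working without nscd`. The `mkIf (lib.hasAttr "host" ...)` guard on hostName and the explained `nix.buildCores = 0` are fine.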


@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
in {
services.nginx = {
enable = mkDefault true;
virtualHosts."gum.krebsco.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
# proxyPass = "http://localhost:8000/";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# '';
};
};
};
}
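Review bot: The new vhost gets a real ACME certificate but `locations."/"` is empty with the proxyPass commented out, so gum.krebsco.de serves nginx's built-in default root until the upstream on :8000 exists. If it is a placeholder, say so and return nothing, e.g. `locations."/".return = "404"; # placeholder until the :8000 upstream is deployed` (if this release's location submodule has `return`), and either finish or delete the commented proxy block. The empty `let … in` and `with import <stockholm/lib>;` (used only for mkDefault) could go as well.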


@ -2,8 +2,8 @@
with import <stockholm/lib>; with import <stockholm/lib>;
let let
shack-announce = pkgs.callPackage (builtins.fetchTarball { shack-announce = pkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz"; url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd"; sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0";
}) {} ; }) {} ;
home = "/var/lib/shackannounce"; home = "/var/lib/shackannounce";
user = "shackannounce"; user = "shackannounce";


@ -30,6 +30,12 @@ in {
browseable = "yes"; browseable = "yes";
"guest ok" = "yes"; "guest ok" = "yes";
}; };
audiobook = {
path = "/media/crypt1/audiobooks";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
crypt0 = { crypt0 = {
path = "/media/crypt0"; path = "/media/crypt0";
"read only" = "yes"; "read only" = "yes";


@ -8,6 +8,7 @@
home = "/home/share"; home = "/home/share";
createHome = true; createHome = true;
}; };
users.groups.mpd.members = [ "makefu" ];
services.samba = { services.samba = {
enable = true; enable = true;
enableNmbd = true; enableNmbd = true;
@ -24,6 +25,12 @@
browseable = "yes"; browseable = "yes";
"guest ok" = "yes"; "guest ok" = "yes";
}; };
music-rw = {
path = "/data/music";
"read only" = "no";
browseable = "yes";
"guest ok" = "no";
};
}; };
extraConfig = '' extraConfig = ''
guest account = smbguest guest account = smbguest


@ -1,61 +1,7 @@
{pkgs, config, ...}:
{ {
services.collectd = { makefu.netdata = {
enable = true; enable = true;
autoLoadPlugin = true; stream.role = "slave";
extraConfig = '' # stream.destination = "netdata.makefu.r";
Hostname ${config.krebs.build.host.name}
LoadPlugin load
LoadPlugin disk
LoadPlugin memory
LoadPlugin df
Interval 30.0
LoadPlugin interface
<Plugin "interface">
Interface "*Link"
Interface "lo"
Interface "vboxnet*"
Interface "virbr*"
IgnoreSelected true
</Plugin>
LoadPlugin df
<Plugin "df">
MountPoint "/nix/store"
# MountPoint "/run*"
# MountPoint "/sys*"
# MountPoint "/dev"
# MountPoint "/dev/shm"
# MountPoint "/tmp"
FSType "tmpfs"
FSType "binfmt_misc"
FSType "debugfs"
FSType "tracefs"
FSType "mqueue"
FSType "hugetlbfs"
FSType "systemd-1"
FSType "cgroup"
FSType "securityfs"
FSType "ramfs"
FSType "proc"
FSType "devpts"
FSType "devtmpfs"
MountPoint "/var/lib/docker/devicemapper"
IgnoreSelected true
</Plugin>
LoadPlugin cpu
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin "network">
Server "${config.makefu.stats-server}" "25826"
</Plugin>
'';
}; };
} }


@ -0,0 +1,61 @@
{pkgs, config, ...}:
{
services.collectd = {
enable = true;
autoLoadPlugin = true;
extraConfig = ''
Hostname ${config.krebs.build.host.name}
LoadPlugin load
LoadPlugin disk
LoadPlugin memory
LoadPlugin df
Interval 30.0
LoadPlugin interface
<Plugin "interface">
Interface "*Link"
Interface "lo"
Interface "vboxnet*"
Interface "virbr*"
IgnoreSelected true
</Plugin>
LoadPlugin df
<Plugin "df">
MountPoint "/nix/store"
# MountPoint "/run*"
# MountPoint "/sys*"
# MountPoint "/dev"
# MountPoint "/dev/shm"
# MountPoint "/tmp"
FSType "tmpfs"
FSType "binfmt_misc"
FSType "debugfs"
FSType "tracefs"
FSType "mqueue"
FSType "hugetlbfs"
FSType "systemd-1"
FSType "cgroup"
FSType "securityfs"
FSType "ramfs"
FSType "proc"
FSType "devpts"
FSType "devtmpfs"
MountPoint "/var/lib/docker/devicemapper"
IgnoreSelected true
</Plugin>
LoadPlugin cpu
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin "network">
Server "${config.makefu.stats-server}" "25826"
</Plugin>
'';
};
}


@ -0,0 +1,17 @@
{
makefu.netdata = {
enable = true;
stream.role = "master";
};
services.nginx = {
virtualHosts."netdata.euer.krebsco.de" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:19999";
};
virtualHosts."netdata.makefu.r" = {
locations."/".proxyPass = "http://localhost:19999";
};
};
}
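Review bot: The `netdata.euer.krebsco.de` vhost puts the streaming master's dashboard and API — including the metrics of every slave that streams to it — on the internet behind ACME TLS but with no authentication and no allow list. Add `basicAuthFile = "<path to htpasswd file>";` to that vhost or drop the public name and keep only `netdata.makefu.r` for retiolum clients. The module this relies on also opens port 19999 on all interfaces, so the nginx front is bypassable via plain http on that port; that is raised on the module itself below.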


@ -21,6 +21,13 @@ in {
services.influxdb.extraConfig = { services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name; meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true; # meta.logging-enabled = true;
logging.level = "info";
http.log-enabled = true;
http.write-tracing = false;
http.suppress-write-log = true;
data.trace-logging-enabled = false;
data.query-log-enabled = false;
http.bind-address = ":${toString influx-port}"; http.bind-address = ":${toString influx-port}";
admin.bind-address = ":8083"; admin.bind-address = ":8083";
monitoring = { monitoring = {


@ -1,8 +1,10 @@
{ pkgs, ... }: { pkgs, config, ... }:
{ {
imports = [ imports = [
../binary-cache/lass.nix ../binary-cache/lass.nix
]; ];
krebs.tinc.retiolum.enable = true; krebs.tinc.retiolum.enable = true;
environment.systemPackages = [ pkgs.tinc ]; environment.systemPackages = [ pkgs.tinc ];
networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
} }


@ -5,6 +5,7 @@ _:
./awesome-extra.nix ./awesome-extra.nix
./deluge.nix ./deluge.nix
./forward-journal.nix ./forward-journal.nix
./netdata.nix
./opentracker.nix ./opentracker.nix
./ps3netsrv.nix ./ps3netsrv.nix
./logging-config.nix ./logging-config.nix

makefu/3modules/netdata.nix Normal file

@ -0,0 +1,150 @@
{ config, lib, pkgs, ... }:
# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix
with lib;
let
cfg = config.makefu.netdata;
in
{
options.makefu.netdata = {
enable = mkEnableOption "netdata";
# TODO only apikey from file, set remote host manually
stream.file = mkOption {
type = types.str;
default = toString <secrets/netdata-stream.conf>;
description = "path to stream data file";
};
stream.role = mkOption {
type = types.enum [ "master" "slave" ];
default = "slave";
description = "Wether to stream data";
};
httpcheck.checks = mkOption {
type = types.attrsOf (types.submodule ({
options = {
url = mkOption {
type = types.str;
example = "https://thalheim.io";
description = "Url to check";
};
regex = mkOption {
type = types.nullOr types.str;
default = null;
example = "My homepage";
description = "Regex that is matched against the returned content";
};
statusAccepted = mkOption {
type = types.listOf types.int;
default = [ 200 ];
example = [ 401 ];
description = "Expected http status code";
};
};
}));
default = {};
description = ''
httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf
'';
};
portcheck.checks = mkOption {
type = types.attrsOf (types.submodule ({
options = {
host = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Dns name/IP to check";
};
port = mkOption {
type = types.int;
description = "Tcp port number";
};
};
}));
default = {};
description = ''
portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck
'';
};
};
config = mkIf cfg.enable {
systemd.services.netdata = {
requires = [ "secret.service" ];
after = [ "secret.service" ];
};
krebs.secret.files.netdata-stream = {
path = "/run/secret/netdata-stream.conf";
owner.name = "netdata";
source-path = cfg.stream.file;
};
environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf";
services.netdata = {
enable = true;
config = {
global = {
"bind to" = "0.0.0.0:19999 [::]:19999";
"error log" = "stderr";
"update every" = "5";
};
health.enable = if cfg.stream.role == "master" then "yes" else "no";
};
};
services.netdata.python.extraPackages = ps: [
ps.psycopg2 ps.docker ps.dnspython
];
makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports);
networking.firewall.allowedTCPPorts = [ 19999 ];
environment.etc."netdata/python.d/httpcheck.conf".text = ''
update_every: 30
${lib.concatStringsSep "\n" (mapAttrsToList (site: options:
''
${site}:
url: '${options.url}'
${optionalString (options.regex != null) "regex: '${options.regex}'"}
status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ]
'') cfg.httpcheck.checks)
}
'';
environment.etc."netdata/python.d/portcheck.conf".text = ''
${lib.concatStringsSep "\n" (mapAttrsToList (service: options:
''
${service}:
host: '${options.host}'
port: ${toString options.port}
'') cfg.portcheck.checks)
}
'';
systemd.services.netdata.restartTriggers = [
config.environment.etc."netdata/python.d/httpcheck.conf".source
config.environment.etc."netdata/python.d/portcheck.conf".source
config.environment.etc."netdata/stream.conf".source
];
environment.etc."netdata/health.d/httpcheck.conf".text = ''
# taken from the original but warn only if a request is at least 300ms slow
template: web_service_slow
families: *
on: httpcheck.responsetime
lookup: average -3m unaligned of time
units: ms
every: 10s
warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000)
crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000)
info: average response time over the last 3 minutes, compared to the average over the last hour
delay: down 5m multiplier 1.5 max 1h
options: no-clear-notification
to: webmaster
'';
};
# TODO: notification
# environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf";
}
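Review bot: `"bind to" = "0.0.0.0:19999 [::]:19999"` together with `networking.firewall.allowedTCPPorts = [ 19999 ]` exposes the unauthenticated netdata API and dashboard on every interface of every host enabling the module, including gum's internet address, and makes any authentication placed in front of it by nginx bypassable. Open the port only where streaming needs it, e.g. `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 19999 ];` (if this release's firewall module supports per-interface rules), and for the slave role bind to localhost, since a slave only pushes to the master. The health.d header says "warn only if a request is at least 300ms slow" but both thresholds use `$this > 1000`; align the comment or the value. The stream.role description should read "Whether to stream data".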


@ -1,30 +0,0 @@
{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }:
stdenv.mkDerivation rec {
name = "libopencm-${version}";
version = "2017-04-01";
src = fetchFromGitHub {
owner = "libopencm3";
repo = "libopencm3";
rev = "383fafc862c0d47f30965f00409d03a328049278";
sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9";
};
buildInputs = [ gcc-arm-embedded python ];
buildPhase = ''
sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h
make
'';
installPhase = ''
mkdir -p $out
cp -r lib $out/
'';
meta = {
description = "Open Source ARM cortex m microcontroller library";
homepage = https://github.com/libopencm3/libopencm3;
license = stdenv.lib.licenses.gpl2;
platforms = stdenv.lib.platforms.linux;
maintainers = with stdenv.lib.maintainers; [ makefu ];
};
}


@ -7,7 +7,6 @@
host-src = { host-src = {
secure = false; secure = false;
full = false;
torrent = false; torrent = false;
hw = false; hw = false;
musnix = false; musnix = false;
@ -23,7 +22,11 @@
{ {
# nixos-18.09 @ 2018-09-18 # nixos-18.09 @ 2018-09-18
# + uhub/sqlite: 5dd7610401747 # + uhub/sqlite: 5dd7610401747
nixpkgs = if test then { # + hovercraft: 7134801b17d72
nixpkgs = if host-src.arm6 then {
# TODO: we want to track the unstable channel
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
} else {
file = { file = {
path = toString (pkgs.fetchFromGitHub { path = toString (pkgs.fetchFromGitHub {
owner = "makefu"; owner = "makefu";
@ -33,14 +36,6 @@
}); });
useChecksum = true; useChecksum = true;
}; };
} else if host-src.full then {
git.ref = nixpkgs-src.rev;
git.url = nixpkgs-src.url;
} else if host-src.arm6 then {
# TODO: we want to track the unstable channel
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
} else {
file = "/home/makefu/store/${nixpkgs-src.rev}";
}; };
nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix"; nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix";


@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--rev refs/heads/master' \ --rev refs/heads/master' \
> $dir/nixpkgs.json > $dir/nixpkgs.json
newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref" echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'"