Merge remote-tracking branch 'gum/master'
This commit is contained in:
commit
9a9a6d0a90
@ -3,7 +3,7 @@
|
|||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
binaryCaches = [
|
binaryCaches = [
|
||||||
"http://cache.prism.r"
|
"https://cache.krebsco.de"
|
||||||
];
|
];
|
||||||
binaryCachePublicKeys = [
|
binaryCachePublicKeys = [
|
||||||
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
|
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
domain = "cache.nsupdate.info";
|
domain = "cache.nsupdate.info";
|
||||||
@ -17,9 +17,13 @@ in {
|
|||||||
};
|
};
|
||||||
krebs.cachecache = {
|
krebs.cachecache = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableSSL = false; # disable letsencrypt for testing
|
enableSSL = true; # disable letsencrypt for testing
|
||||||
cacheDir = "/var/cache/nix-cache-cache";
|
cacheDir = "/var/cache/nix-cache-cache";
|
||||||
maxSize = "10g";
|
maxSize = "10g";
|
||||||
|
indexFile = pkgs.fetchurl {
|
||||||
|
url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html";
|
||||||
|
sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0";
|
||||||
|
};
|
||||||
|
|
||||||
# assumes that the domain is reachable from the internet
|
# assumes that the domain is reachable from the internet
|
||||||
virtualHost = domain;
|
virtualHost = domain;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ config, lib, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
|
|
||||||
|
|
||||||
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
|
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
|
||||||
@ -59,15 +59,6 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# webRoot = mkOption {
|
|
||||||
# type = types.str;
|
|
||||||
# default = "/";
|
|
||||||
# description = ''
|
|
||||||
# Directory on virtual host that serves the cache. Must end in
|
|
||||||
# <literal>/</literal>.
|
|
||||||
# '';
|
|
||||||
# };
|
|
||||||
|
|
||||||
resolver = mkOption {
|
resolver = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = "Address of DNS resolver.";
|
description = "Address of DNS resolver.";
|
||||||
@ -82,6 +73,13 @@ in
|
|||||||
Where nginx should store cached data.
|
Where nginx should store cached data.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
indexFile = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = pkgs.writeText "myindex" "<html>hello world</html>";
|
||||||
|
description = ''
|
||||||
|
Path to index.html file.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
maxSize = mkOption {
|
maxSize = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
@ -98,6 +96,7 @@ in
|
|||||||
systemd.services.nginx.preStart = ''
|
systemd.services.nginx.preStart = ''
|
||||||
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
|
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
|
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
|
ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
|
||||||
chown ${nginxCfg.user}:${nginxCfg.group} \
|
chown ${nginxCfg.user}:${nginxCfg.group} \
|
||||||
${cfg.cacheDir} /srv/www/nix-cache-cache
|
${cfg.cacheDir} /srv/www/nix-cache-cache
|
||||||
'';
|
'';
|
||||||
@ -143,6 +142,7 @@ in
|
|||||||
locations."/" =
|
locations."/" =
|
||||||
{
|
{
|
||||||
root = "/srv/www/nix-cache-cache";
|
root = "/srv/www/nix-cache-cache";
|
||||||
|
index = "index.html";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
expires max;
|
expires max;
|
||||||
add_header Cache-Control $nix_cache_cache_header always;
|
add_header Cache-Control $nix_cache_cache_header always;
|
||||||
|
@ -551,27 +551,28 @@ in {
|
|||||||
ci = true;
|
ci = true;
|
||||||
extraZones = {
|
extraZones = {
|
||||||
"krebsco.de" = ''
|
"krebsco.de" = ''
|
||||||
|
boot.euer IN A ${nets.internet.ip4.addr}
|
||||||
cache.euer IN A ${nets.internet.ip4.addr}
|
cache.euer IN A ${nets.internet.ip4.addr}
|
||||||
cache.gum IN A ${nets.internet.ip4.addr}
|
cache.gum IN A ${nets.internet.ip4.addr}
|
||||||
graph IN A ${nets.internet.ip4.addr}
|
|
||||||
gold IN A ${nets.internet.ip4.addr}
|
|
||||||
iso.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
wg.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
photostore IN A ${nets.internet.ip4.addr}
|
|
||||||
o.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
mon.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
boot.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
wiki.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
pigstarter IN A ${nets.internet.ip4.addr}
|
|
||||||
cgit.euer IN A ${nets.internet.ip4.addr}
|
cgit.euer IN A ${nets.internet.ip4.addr}
|
||||||
git.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
euer IN A ${nets.internet.ip4.addr}
|
|
||||||
share.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
gum IN A ${nets.internet.ip4.addr}
|
|
||||||
wikisearch IN A ${nets.internet.ip4.addr}
|
|
||||||
dl.euer IN A ${nets.internet.ip4.addr}
|
dl.euer IN A ${nets.internet.ip4.addr}
|
||||||
ghook IN A ${nets.internet.ip4.addr}
|
|
||||||
dockerhub IN A ${nets.internet.ip4.addr}
|
dockerhub IN A ${nets.internet.ip4.addr}
|
||||||
|
euer IN A ${nets.internet.ip4.addr}
|
||||||
|
ghook IN A ${nets.internet.ip4.addr}
|
||||||
|
git.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
gold IN A ${nets.internet.ip4.addr}
|
||||||
|
graph IN A ${nets.internet.ip4.addr}
|
||||||
|
gum IN A ${nets.internet.ip4.addr}
|
||||||
|
iso.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
mon.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
netdata.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
o.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
photostore IN A ${nets.internet.ip4.addr}
|
||||||
|
pigstarter IN A ${nets.internet.ip4.addr}
|
||||||
|
share.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
wg.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
wiki.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
wikisearch IN A ${nets.internet.ip4.addr}
|
||||||
io IN NS gum.krebsco.de.
|
io IN NS gum.krebsco.de.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -596,24 +597,25 @@ in {
|
|||||||
via = internet;
|
via = internet;
|
||||||
ip4.addr = "10.243.0.213";
|
ip4.addr = "10.243.0.213";
|
||||||
aliases = [
|
aliases = [
|
||||||
"nextgum.r"
|
|
||||||
"graph.r"
|
|
||||||
"cache.gum.r"
|
|
||||||
"logs.makefu.r"
|
|
||||||
"stats.makefu.r"
|
|
||||||
"backup.makefu.r"
|
"backup.makefu.r"
|
||||||
"dcpp.nextgum.r"
|
|
||||||
"gum.r"
|
|
||||||
"cgit.gum.r"
|
|
||||||
"o.gum.r"
|
|
||||||
"tracker.makefu.r"
|
|
||||||
"search.makefu.r"
|
|
||||||
"wiki.makefu.r"
|
|
||||||
"wiki.gum.r"
|
|
||||||
"blog.makefu.r"
|
|
||||||
"blog.gum.r"
|
"blog.gum.r"
|
||||||
|
"blog.makefu.r"
|
||||||
|
"cache.gum.r"
|
||||||
|
"cgit.gum.r"
|
||||||
"dcpp.gum.r"
|
"dcpp.gum.r"
|
||||||
|
"dcpp.nextgum.r"
|
||||||
|
"graph.r"
|
||||||
|
"gum.r"
|
||||||
|
"logs.makefu.r"
|
||||||
|
"netdata.makefu.r"
|
||||||
|
"nextgum.r"
|
||||||
|
"o.gum.r"
|
||||||
|
"search.makefu.r"
|
||||||
|
"stats.makefu.r"
|
||||||
"torrent.gum.r"
|
"torrent.gum.r"
|
||||||
|
"tracker.makefu.r"
|
||||||
|
"wiki.gum.r"
|
||||||
|
"wiki.makefu.r"
|
||||||
];
|
];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
@ -1 +1 @@
|
|||||||
AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de
|
||||||
|
0
makefu/0tests/data/secrets/netdata-stream.conf
Normal file
0
makefu/0tests/data/secrets/netdata-stream.conf
Normal file
1
makefu/0tests/data/secrets/nsupdate-cache.nix
Normal file
1
makefu/0tests/data/secrets/nsupdate-cache.nix
Normal file
@ -0,0 +1 @@
|
|||||||
|
"derp"
|
@ -1,5 +0,0 @@
|
|||||||
{
|
|
||||||
name="gum";
|
|
||||||
torrent = true;
|
|
||||||
clever_kexec = true;
|
|
||||||
}
|
|
@ -4,13 +4,14 @@ with import <stockholm/lib>;
|
|||||||
let
|
let
|
||||||
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
|
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
|
||||||
ext-if = config.makefu.server.primary-itf;
|
ext-if = config.makefu.server.primary-itf;
|
||||||
|
allDisks = [ "/dev/sda" "/dev/sdb" ];
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
<stockholm/makefu>
|
<stockholm/makefu>
|
||||||
./hardware-config.nix
|
./hardware-config.nix
|
||||||
{
|
{
|
||||||
users.users.lass = {
|
users.users.lass = {
|
||||||
uid = 9002;
|
uid = 19002;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
@ -20,8 +21,12 @@ in {
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
# <stockholm/makefu/2configs/stats/client.nix>
|
||||||
|
<stockholm/makefu/2configs/stats/netdata-server.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/headless.nix>
|
<stockholm/makefu/2configs/headless.nix>
|
||||||
# <stockholm/makefu/2configs/smart-monitor.nix>
|
<stockholm/makefu/2configs/smart-monitor.nix>
|
||||||
|
{ services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
|
||||||
|
|
||||||
# Security
|
# Security
|
||||||
<stockholm/makefu/2configs/sshd-totp.nix>
|
<stockholm/makefu/2configs/sshd-totp.nix>
|
||||||
@ -30,6 +35,8 @@ in {
|
|||||||
<stockholm/makefu/2configs/tools/core.nix>
|
<stockholm/makefu/2configs/tools/core.nix>
|
||||||
<stockholm/makefu/2configs/tools/dev.nix>
|
<stockholm/makefu/2configs/tools/dev.nix>
|
||||||
<stockholm/makefu/2configs/tools/sec.nix>
|
<stockholm/makefu/2configs/tools/sec.nix>
|
||||||
|
<stockholm/makefu/2configs/tools/desktop.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/zsh-user.nix>
|
<stockholm/makefu/2configs/zsh-user.nix>
|
||||||
<stockholm/makefu/2configs/mosh.nix>
|
<stockholm/makefu/2configs/mosh.nix>
|
||||||
# <stockholm/makefu/2configs/gui/xpra.nix>
|
# <stockholm/makefu/2configs/gui/xpra.nix>
|
||||||
@ -41,17 +48,47 @@ in {
|
|||||||
<stockholm/makefu/2configs/iodined.nix>
|
<stockholm/makefu/2configs/iodined.nix>
|
||||||
# <stockholm/makefu/2configs/backup.nix>
|
# <stockholm/makefu/2configs/backup.nix>
|
||||||
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
||||||
|
{ # bonus retiolum config for connecting more hosts
|
||||||
|
krebs.tinc.retiolum = {
|
||||||
|
extraConfig = ''
|
||||||
|
ListenAddress = ${external-ip} 53
|
||||||
|
ListenAddress = ${external-ip} 655
|
||||||
|
ListenAddress = ${external-ip} 21031
|
||||||
|
'';
|
||||||
|
connectTo = [
|
||||||
|
"prism" "ni" "enklave" "eve" "archprism"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts =
|
||||||
|
[
|
||||||
|
53
|
||||||
|
655
|
||||||
|
21031
|
||||||
|
];
|
||||||
|
allowedUDPPorts =
|
||||||
|
[
|
||||||
|
53
|
||||||
|
655
|
||||||
|
21031
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
# ci
|
# ci
|
||||||
# <stockholm/makefu/2configs/exim-retiolum.nix>
|
# <stockholm/makefu/2configs/exim-retiolum.nix>
|
||||||
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
|
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
|
||||||
|
<stockholm/makefu/2configs/shack/events-publisher>
|
||||||
<stockholm/makefu/2configs/shack/gitlab-runner>
|
<stockholm/makefu/2configs/shack/gitlab-runner>
|
||||||
<stockholm/makefu/2configs/remote-build/slave.nix>
|
<stockholm/makefu/2configs/remote-build/slave.nix>
|
||||||
<stockholm/makefu/2configs/taskd.nix>
|
<stockholm/makefu/2configs/taskd.nix>
|
||||||
|
|
||||||
# services
|
# services
|
||||||
<stockholm/makefu/2configs/sabnzbd.nix>
|
# <stockholm/makefu/2configs/sabnzbd.nix>
|
||||||
<stockholm/makefu/2configs/mail/mail.euer.nix>
|
<stockholm/makefu/2configs/mail/mail.euer.nix>
|
||||||
|
{
|
||||||
|
krebs.exim.enable = mkForce false;
|
||||||
|
}
|
||||||
|
|
||||||
# sharing
|
# sharing
|
||||||
<stockholm/makefu/2configs/share/gum.nix>
|
<stockholm/makefu/2configs/share/gum.nix>
|
||||||
@ -59,13 +96,6 @@ in {
|
|||||||
#<stockholm/makefu/2configs/retroshare.nix>
|
#<stockholm/makefu/2configs/retroshare.nix>
|
||||||
## <stockholm/makefu/2configs/ipfs.nix>
|
## <stockholm/makefu/2configs/ipfs.nix>
|
||||||
#<stockholm/makefu/2configs/syncthing.nix>
|
#<stockholm/makefu/2configs/syncthing.nix>
|
||||||
{ # ncdc
|
|
||||||
environment.systemPackages = [ pkgs.ncdc ];
|
|
||||||
networking.firewall = {
|
|
||||||
allowedUDPPorts = [ 51411 ];
|
|
||||||
allowedTCPPorts = [ 51411 ];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
# <stockholm/makefu/2configs/opentracker.nix>
|
# <stockholm/makefu/2configs/opentracker.nix>
|
||||||
|
|
||||||
## network
|
## network
|
||||||
@ -91,17 +121,17 @@ in {
|
|||||||
#<stockholm/makefu/2configs/nginx/public_html.nix>
|
#<stockholm/makefu/2configs/nginx/public_html.nix>
|
||||||
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
|
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
|
||||||
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
|
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
|
||||||
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
|
# <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
|
||||||
<stockholm/makefu/2configs/nginx/iso.euer.nix>
|
<stockholm/makefu/2configs/nginx/iso.euer.nix>
|
||||||
<stockholm/makefu/2configs/shack/events-publisher>
|
<stockholm/krebs/2configs/cache.nsupdate.info.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
|
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
|
||||||
<stockholm/makefu/2configs/deployment/graphs.nix>
|
<stockholm/makefu/2configs/deployment/graphs.nix>
|
||||||
<stockholm/makefu/2configs/deployment/owncloud.nix>
|
<stockholm/makefu/2configs/deployment/owncloud.nix>
|
||||||
<stockholm/makefu/2configs/deployment/boot-euer.nix>
|
<stockholm/makefu/2configs/deployment/boot-euer.nix>
|
||||||
<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
|
<stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>
|
||||||
|
<stockholm/makefu/2configs/bgt/hidden_service.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/stats/client.nix>
|
|
||||||
# <stockholm/makefu/2configs/logging/client.nix>
|
# <stockholm/makefu/2configs/logging/client.nix>
|
||||||
|
|
||||||
# sharing
|
# sharing
|
||||||
@ -116,6 +146,7 @@ in {
|
|||||||
# krebs infrastructure services
|
# krebs infrastructure services
|
||||||
<stockholm/makefu/2configs/stats/server.nix>
|
<stockholm/makefu/2configs/stats/server.nix>
|
||||||
];
|
];
|
||||||
|
|
||||||
makefu.dl-dir = "/var/download";
|
makefu.dl-dir = "/var/download";
|
||||||
|
|
||||||
services.openssh.hostKeys = [
|
services.openssh.hostKeys = [
|
||||||
@ -125,70 +156,14 @@ in {
|
|||||||
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
|
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
|
||||||
krebs.build.host = config.krebs.hosts.gum;
|
krebs.build.host = config.krebs.hosts.gum;
|
||||||
|
|
||||||
krebs.tinc.retiolum = {
|
|
||||||
extraConfig = ''
|
|
||||||
ListenAddress = ${external-ip} 53
|
|
||||||
ListenAddress = ${external-ip} 655
|
|
||||||
ListenAddress = ${external-ip} 21031
|
|
||||||
'';
|
|
||||||
connectTo = [
|
|
||||||
"prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
# access
|
|
||||||
users.users = {
|
|
||||||
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
|
|
||||||
makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Chat
|
|
||||||
environment.systemPackages = with pkgs;[
|
|
||||||
weechat
|
|
||||||
bepasty-client-cli
|
|
||||||
tmux
|
|
||||||
];
|
|
||||||
|
|
||||||
# Hardware
|
|
||||||
|
|
||||||
# Network
|
# Network
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
logRefusedConnections = false;
|
logRefusedConnections = false;
|
||||||
allowedTCPPorts = [
|
|
||||||
# smtp
|
|
||||||
25
|
|
||||||
# http
|
|
||||||
80 443
|
|
||||||
# httptunnel
|
|
||||||
8080 8443
|
|
||||||
# tinc
|
|
||||||
655
|
|
||||||
# tinc-shack
|
|
||||||
21032
|
|
||||||
# tinc-retiolum
|
|
||||||
21031
|
|
||||||
# taskserver
|
|
||||||
53589
|
|
||||||
# temp vnc
|
|
||||||
18001
|
|
||||||
# temp reverseshell
|
|
||||||
31337
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
# tinc
|
|
||||||
655 53
|
|
||||||
# tinc-retiolum
|
|
||||||
21031
|
|
||||||
# tinc-shack
|
|
||||||
21032
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
nameservers = [ "8.8.8.8" ];
|
nameservers = [ "8.8.8.8" ];
|
||||||
};
|
};
|
||||||
users.users.makefu.extraGroups = [ "download" "nginx" ];
|
users.users.makefu.extraGroups = [ "download" "nginx" ];
|
||||||
boot.tmpOnTmpfs = true;
|
|
||||||
state = [ "/home/makefu/.weechat" ];
|
state = [ "/home/makefu/.weechat" ];
|
||||||
}
|
}
|
||||||
|
@ -46,7 +46,7 @@ in {
|
|||||||
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
|
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
|
||||||
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
|
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
|
||||||
];
|
];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ];
|
||||||
hardware.enableRedistributableFirmware = true;
|
hardware.enableRedistributableFirmware = true;
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "/dev/mapper/nixos-root";
|
device = "/dev/mapper/nixos-root";
|
||||||
@ -56,10 +56,19 @@ in {
|
|||||||
device = "/dev/mapper/nixos-lib";
|
device = "/dev/mapper/nixos-lib";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
fileSystems."/var/log" = {
|
||||||
|
device = "/dev/mapper/nixos-log";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
fileSystems."/var/download" = {
|
fileSystems."/var/download" = {
|
||||||
device = "/dev/mapper/nixos-download";
|
device = "/dev/mapper/nixos-download";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
fileSystems."/var/www/binaergewitter" = {
|
||||||
|
device = "/dev/mapper/nixos-binaergewitter";
|
||||||
|
fsType = "ext4";
|
||||||
|
options = [ "nofail" ];
|
||||||
|
};
|
||||||
fileSystems."/var/lib/borgbackup" = {
|
fileSystems."/var/lib/borgbackup" = {
|
||||||
device = "/dev/mapper/nixos-backup";
|
device = "/dev/mapper/nixos-backup";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
|
@ -1,10 +1,14 @@
|
|||||||
|
ssh gum.i -o StrictHostKeyChecking=no
|
||||||
|
|
||||||
mount /dev/mapper/nixos-root /mnt
|
mount /dev/mapper/nixos-root /mnt
|
||||||
mount /dev/sda2 /mnt/boot
|
mount /dev/sda2 /mnt/boot
|
||||||
|
|
||||||
chroot-prepare /mnt
|
chroot-prepare /mnt
|
||||||
chroot /mnt /bin/sh
|
chroot /mnt /bin/sh
|
||||||
|
|
||||||
|
|
||||||
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
|
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
|
||||||
|
# ... activating ...
|
||||||
|
|
||||||
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
|
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
|
||||||
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
|
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
name="nextgum";
|
name="gum";
|
||||||
torrent = true;
|
torrent = true;
|
||||||
clever_kexec = true;
|
clever_kexec = true;
|
||||||
}
|
}
|
||||||
|
@ -44,7 +44,8 @@ in {
|
|||||||
# <stockholm/makefu/2configs/share/omo-timemachine.nix>
|
# <stockholm/makefu/2configs/share/omo-timemachine.nix>
|
||||||
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
||||||
|
|
||||||
|
# statistics
|
||||||
|
<stockholm/makefu/2configs/stats/client.nix>
|
||||||
# Logging
|
# Logging
|
||||||
#influx + grafana
|
#influx + grafana
|
||||||
<stockholm/makefu/2configs/stats/server.nix>
|
<stockholm/makefu/2configs/stats/server.nix>
|
||||||
@ -74,7 +75,8 @@ in {
|
|||||||
"homeassistant-0.77.2"
|
"homeassistant-0.77.2"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
<stockholm/makefu/2configs/deployment/homeautomation>
|
<stockholm/makefu/2configs/homeautomation>
|
||||||
|
<stockholm/makefu/2configs/homeautomation/google-muell.nix>
|
||||||
{
|
{
|
||||||
makefu.ps3netsrv = {
|
makefu.ps3netsrv = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -48,9 +48,8 @@ in {
|
|||||||
|
|
||||||
makefu.snapraid = {
|
makefu.snapraid = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# TODO: 3 is not protected
|
disks = map toMapper [ 0 2 3 ];
|
||||||
disks = map toMapper [ 0 1 ];
|
parity = toMapper 1;
|
||||||
parity = toMapper 2;
|
|
||||||
};
|
};
|
||||||
fileSystems = let
|
fileSystems = let
|
||||||
cryptMount = name:
|
cryptMount = name:
|
||||||
|
@ -20,9 +20,6 @@ in {
|
|||||||
<stockholm/makefu/2configs/mqtt.nix>
|
<stockholm/makefu/2configs/mqtt.nix>
|
||||||
<stockholm/makefu/2configs/gui/wbob-kiosk.nix>
|
<stockholm/makefu/2configs/gui/wbob-kiosk.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/stats/client.nix>
|
|
||||||
|
|
||||||
|
|
||||||
# <stockholm/makefu/2configs/gui/studio-virtual.nix>
|
# <stockholm/makefu/2configs/gui/studio-virtual.nix>
|
||||||
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
|
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
|
||||||
# <stockholm/makefu/2configs/audio/realtime-audio.nix>
|
# <stockholm/makefu/2configs/audio/realtime-audio.nix>
|
||||||
@ -35,6 +32,8 @@ in {
|
|||||||
<stockholm/makefu/2configs/bluetooth-mpd.nix>
|
<stockholm/makefu/2configs/bluetooth-mpd.nix>
|
||||||
|
|
||||||
# Sensors
|
# Sensors
|
||||||
|
<stockholm/makefu/2configs/stats/client.nix>
|
||||||
|
<stockholm/makefu/2configs/stats/collectd-client.nix>
|
||||||
<stockholm/makefu/2configs/stats/telegraf>
|
<stockholm/makefu/2configs/stats/telegraf>
|
||||||
<stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
|
<stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
|
||||||
<stockholm/makefu/2configs/stats/telegraf/europastats.nix>
|
<stockholm/makefu/2configs/stats/telegraf/europastats.nix>
|
||||||
@ -51,9 +50,9 @@ in {
|
|||||||
"homeassistant-0.77.2"
|
"homeassistant-0.77.2"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation>
|
<stockholm/makefu/2configs/bureautomation>
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
|
<stockholm/makefu/2configs/bureautomation/mpd.nix>
|
||||||
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
|
<stockholm/makefu/2configs/bureautomation/hass.nix>
|
||||||
(let
|
(let
|
||||||
collectd-port = 25826;
|
collectd-port = 25826;
|
||||||
influx-port = 8086;
|
influx-port = 8086;
|
||||||
|
1
makefu/2configs/bgt/auphonic.pub
Normal file
1
makefu/2configs/bgt/auphonic.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx
|
@ -1,12 +1,25 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
let
|
let
|
||||||
ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
|
ident = (builtins.readFile ./auphonic.pub);
|
||||||
in {
|
in {
|
||||||
systemd.services.mirrorsync = {
|
services.openssh = {
|
||||||
startAt = "08:00:00";
|
allowSFTP = true;
|
||||||
path = with pkgs; [ rsync openssh ];
|
sftpFlags = [ "-l VERBOSE" ];
|
||||||
script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
|
extraConfig = ''
|
||||||
|
Match User auphonic
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
AllowTcpForwarding no
|
||||||
|
X11Forwarding no
|
||||||
|
PasswordAuthentication no
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
users.users.auphonic = {
|
||||||
|
uid = genid "auphonic";
|
||||||
|
group = "nginx";
|
||||||
|
useDefaultShell = true;
|
||||||
|
openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
@ -3,7 +3,7 @@
|
|||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
binaryCaches = [
|
binaryCaches = [
|
||||||
"http://cache.prism.r"
|
"https://cache.krebsco.de"
|
||||||
];
|
];
|
||||||
binaryCachePublicKeys = [
|
binaryCachePublicKeys = [
|
||||||
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
|
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
{
|
{
|
||||||
services.bitlbee = {
|
services.bitlbee = {
|
||||||
enable = true;
|
enable = true;
|
||||||
libpurple_plugins = [ pkgs.telegram-purple ];
|
libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -112,7 +112,6 @@ in {
|
|||||||
"temperature" # "temperature_high" "temperature_low"
|
"temperature" # "temperature_high" "temperature_low"
|
||||||
"apparent_temperature"
|
"apparent_temperature"
|
||||||
"hourly_summary" # next 24 hours text
|
"hourly_summary" # next 24 hours text
|
||||||
"minutely_summary"
|
|
||||||
"humidity"
|
"humidity"
|
||||||
"pressure"
|
"pressure"
|
||||||
"uv_index" ];
|
"uv_index" ];
|
||||||
@ -212,27 +211,44 @@ in {
|
|||||||
to = "on";
|
to = "on";
|
||||||
};
|
};
|
||||||
action = {
|
action = {
|
||||||
service= "homeassistant.turn_on";
|
service = "homeassistant.turn_on";
|
||||||
entity_id= "switch.fernseher";
|
entity_id = [ "switch.fernseher" "switch.blitzdings" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{ alias = "Turn off Fernseher 10 minutes after last movement";
|
{ alias = "Turn off Fernseher 10 minutes after last movement";
|
||||||
trigger = {
|
trigger = [
|
||||||
|
{ # trigger when movement was detected at the time
|
||||||
platform = "state";
|
platform = "state";
|
||||||
entity_id = "binary_sensor.motion";
|
entity_id = "binary_sensor.motion";
|
||||||
to = "off";
|
to = "off";
|
||||||
for.minutes = 10;
|
for.minutes = 10;
|
||||||
};
|
}
|
||||||
|
{ # trigger at 20:00 no matter what
|
||||||
|
# to avoid 'everybody left before 18:00:00'
|
||||||
|
platform = "time";
|
||||||
|
at = "18:00:00";
|
||||||
|
}
|
||||||
|
];
|
||||||
action = {
|
action = {
|
||||||
service= "homeassistant.turn_off";
|
service = "homeassistant.turn_off";
|
||||||
entity_id= "switch.fernseher";
|
entity_id = [ "switch.fernseher" "switch.blitzdings" ];
|
||||||
};
|
};
|
||||||
condition = [{
|
condition =
|
||||||
|
{ condition = "and";
|
||||||
|
conditions = [
|
||||||
|
{
|
||||||
condition = "time";
|
condition = "time";
|
||||||
before = "06:30:00"; #only turn off between 6:30 and 18:00
|
before = "06:30:00"; #only turn off between 6:30 and 18:00
|
||||||
after = "18:00:00";
|
after = "18:00:00";
|
||||||
weekday = [ "mon" "tue" "wed" "thu" "fri" ];
|
# weekday = [ "mon" "tue" "wed" "thu" "fri" ];
|
||||||
}];
|
}
|
||||||
|
{
|
||||||
|
condition = "state";
|
||||||
|
entity_id = "binary_sensor.motion";
|
||||||
|
state = "off";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
@ -32,7 +32,7 @@ let
|
|||||||
${user}
|
${user}
|
||||||
|
|
||||||
protocol=dyndns2
|
protocol=dyndns2
|
||||||
usev5=if, if=${primary-itf}
|
usev6=if, if=${primary-itf}
|
||||||
ssl=yes
|
ssl=yes
|
||||||
server=ipv6.nsupdate.info
|
server=ipv6.nsupdate.info
|
||||||
login=${user}
|
login=${user}
|
||||||
|
@ -31,7 +31,7 @@ let
|
|||||||
brightness_scale = 100;
|
brightness_scale = 100;
|
||||||
# color
|
# color
|
||||||
rgb_state_topic = "/ham/${topic}/stat/Color";
|
rgb_state_topic = "/ham/${topic}/stat/Color";
|
||||||
rgb_command_topic = "/ham/${topic}/cmnd/Color2";
|
rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule
|
||||||
rgb_command_mode = "hex";
|
rgb_command_mode = "hex";
|
||||||
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
|
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
|
||||||
# effects
|
# effects
|
@ -1,7 +1,7 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz")
|
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz")
|
||||||
];
|
];
|
||||||
|
|
||||||
mailserver = {
|
mailserver = {
|
||||||
|
@ -7,8 +7,8 @@
|
|||||||
# the only true timezone (even after the the removal of DST)
|
# the only true timezone (even after the the removal of DST)
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
networking.hostName = config.krebs.build.host.name;
|
networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
|
||||||
nix.buildCores = config.krebs.build.host.cores;
|
nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
|
||||||
|
|
||||||
# we use gpg if necessary (or nothing at all)
|
# we use gpg if necessary (or nothing at all)
|
||||||
programs.ssh.startAgent = false;
|
programs.ssh.startAgent = false;
|
||||||
@ -85,4 +85,6 @@
|
|||||||
"net.ipv6.conf.all.use_tempaddr" = 2;
|
"net.ipv6.conf.all.use_tempaddr" = 2;
|
||||||
"net.ipv6.conf.default.use_tempaddr" = 2;
|
"net.ipv6.conf.default.use_tempaddr" = 2;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nscd.enable = false;
|
||||||
}
|
}
|
||||||
|
21
makefu/2configs/nginx/gum.krebsco.de.nix
Normal file
21
makefu/2configs/nginx/gum.krebsco.de.nix
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
let
|
||||||
|
in {
|
||||||
|
services.nginx = {
|
||||||
|
enable = mkDefault true;
|
||||||
|
virtualHosts."gum.krebsco.de" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = {
|
||||||
|
# proxyPass = "http://localhost:8000/";
|
||||||
|
# extraConfig = ''
|
||||||
|
# proxy_set_header Host $host;
|
||||||
|
# proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
# '';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -2,8 +2,8 @@
|
|||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
let
|
let
|
||||||
shack-announce = pkgs.callPackage (builtins.fetchTarball {
|
shack-announce = pkgs.callPackage (builtins.fetchTarball {
|
||||||
url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz";
|
url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
|
||||||
sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd";
|
sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0";
|
||||||
}) {} ;
|
}) {} ;
|
||||||
home = "/var/lib/shackannounce";
|
home = "/var/lib/shackannounce";
|
||||||
user = "shackannounce";
|
user = "shackannounce";
|
||||||
|
@ -30,6 +30,12 @@ in {
|
|||||||
browseable = "yes";
|
browseable = "yes";
|
||||||
"guest ok" = "yes";
|
"guest ok" = "yes";
|
||||||
};
|
};
|
||||||
|
audiobook = {
|
||||||
|
path = "/media/crypt1/audiobooks";
|
||||||
|
"read only" = "yes";
|
||||||
|
browseable = "yes";
|
||||||
|
"guest ok" = "yes";
|
||||||
|
};
|
||||||
crypt0 = {
|
crypt0 = {
|
||||||
path = "/media/crypt0";
|
path = "/media/crypt0";
|
||||||
"read only" = "yes";
|
"read only" = "yes";
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
home = "/home/share";
|
home = "/home/share";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
};
|
};
|
||||||
|
users.groups.mpd.members = [ "makefu" ];
|
||||||
services.samba = {
|
services.samba = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableNmbd = true;
|
enableNmbd = true;
|
||||||
@ -24,6 +25,12 @@
|
|||||||
browseable = "yes";
|
browseable = "yes";
|
||||||
"guest ok" = "yes";
|
"guest ok" = "yes";
|
||||||
};
|
};
|
||||||
|
music-rw = {
|
||||||
|
path = "/data/music";
|
||||||
|
"read only" = "no";
|
||||||
|
browseable = "yes";
|
||||||
|
"guest ok" = "no";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
guest account = smbguest
|
guest account = smbguest
|
||||||
|
@ -1,61 +1,7 @@
|
|||||||
{pkgs, config, ...}:
|
|
||||||
{
|
{
|
||||||
services.collectd = {
|
makefu.netdata = {
|
||||||
enable = true;
|
enable = true;
|
||||||
autoLoadPlugin = true;
|
stream.role = "slave";
|
||||||
extraConfig = ''
|
# stream.destination = "netdata.makefu.r";
|
||||||
Hostname ${config.krebs.build.host.name}
|
|
||||||
LoadPlugin load
|
|
||||||
LoadPlugin disk
|
|
||||||
LoadPlugin memory
|
|
||||||
LoadPlugin df
|
|
||||||
Interval 30.0
|
|
||||||
|
|
||||||
LoadPlugin interface
|
|
||||||
<Plugin "interface">
|
|
||||||
Interface "*Link"
|
|
||||||
Interface "lo"
|
|
||||||
Interface "vboxnet*"
|
|
||||||
Interface "virbr*"
|
|
||||||
IgnoreSelected true
|
|
||||||
</Plugin>
|
|
||||||
|
|
||||||
LoadPlugin df
|
|
||||||
<Plugin "df">
|
|
||||||
MountPoint "/nix/store"
|
|
||||||
# MountPoint "/run*"
|
|
||||||
# MountPoint "/sys*"
|
|
||||||
# MountPoint "/dev"
|
|
||||||
# MountPoint "/dev/shm"
|
|
||||||
# MountPoint "/tmp"
|
|
||||||
FSType "tmpfs"
|
|
||||||
FSType "binfmt_misc"
|
|
||||||
FSType "debugfs"
|
|
||||||
FSType "tracefs"
|
|
||||||
FSType "mqueue"
|
|
||||||
FSType "hugetlbfs"
|
|
||||||
FSType "systemd-1"
|
|
||||||
FSType "cgroup"
|
|
||||||
FSType "securityfs"
|
|
||||||
FSType "ramfs"
|
|
||||||
FSType "proc"
|
|
||||||
FSType "devpts"
|
|
||||||
FSType "devtmpfs"
|
|
||||||
MountPoint "/var/lib/docker/devicemapper"
|
|
||||||
IgnoreSelected true
|
|
||||||
</Plugin>
|
|
||||||
|
|
||||||
LoadPlugin cpu
|
|
||||||
<Plugin cpu>
|
|
||||||
ReportByCpu true
|
|
||||||
ReportByState true
|
|
||||||
ValuesPercentage true
|
|
||||||
</Plugin>
|
|
||||||
|
|
||||||
LoadPlugin network
|
|
||||||
<Plugin "network">
|
|
||||||
Server "${config.makefu.stats-server}" "25826"
|
|
||||||
</Plugin>
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
61
makefu/2configs/stats/collectd-client.nix
Normal file
61
makefu/2configs/stats/collectd-client.nix
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
{pkgs, config, ...}:
|
||||||
|
{
|
||||||
|
services.collectd = {
|
||||||
|
enable = true;
|
||||||
|
autoLoadPlugin = true;
|
||||||
|
extraConfig = ''
|
||||||
|
Hostname ${config.krebs.build.host.name}
|
||||||
|
LoadPlugin load
|
||||||
|
LoadPlugin disk
|
||||||
|
LoadPlugin memory
|
||||||
|
LoadPlugin df
|
||||||
|
Interval 30.0
|
||||||
|
|
||||||
|
LoadPlugin interface
|
||||||
|
<Plugin "interface">
|
||||||
|
Interface "*Link"
|
||||||
|
Interface "lo"
|
||||||
|
Interface "vboxnet*"
|
||||||
|
Interface "virbr*"
|
||||||
|
IgnoreSelected true
|
||||||
|
</Plugin>
|
||||||
|
|
||||||
|
LoadPlugin df
|
||||||
|
<Plugin "df">
|
||||||
|
MountPoint "/nix/store"
|
||||||
|
# MountPoint "/run*"
|
||||||
|
# MountPoint "/sys*"
|
||||||
|
# MountPoint "/dev"
|
||||||
|
# MountPoint "/dev/shm"
|
||||||
|
# MountPoint "/tmp"
|
||||||
|
FSType "tmpfs"
|
||||||
|
FSType "binfmt_misc"
|
||||||
|
FSType "debugfs"
|
||||||
|
FSType "tracefs"
|
||||||
|
FSType "mqueue"
|
||||||
|
FSType "hugetlbfs"
|
||||||
|
FSType "systemd-1"
|
||||||
|
FSType "cgroup"
|
||||||
|
FSType "securityfs"
|
||||||
|
FSType "ramfs"
|
||||||
|
FSType "proc"
|
||||||
|
FSType "devpts"
|
||||||
|
FSType "devtmpfs"
|
||||||
|
MountPoint "/var/lib/docker/devicemapper"
|
||||||
|
IgnoreSelected true
|
||||||
|
</Plugin>
|
||||||
|
|
||||||
|
LoadPlugin cpu
|
||||||
|
<Plugin cpu>
|
||||||
|
ReportByCpu true
|
||||||
|
ReportByState true
|
||||||
|
ValuesPercentage true
|
||||||
|
</Plugin>
|
||||||
|
|
||||||
|
LoadPlugin network
|
||||||
|
<Plugin "network">
|
||||||
|
Server "${config.makefu.stats-server}" "25826"
|
||||||
|
</Plugin>
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
17
makefu/2configs/stats/netdata-server.nix
Normal file
17
makefu/2configs/stats/netdata-server.nix
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
{
|
||||||
|
makefu.netdata = {
|
||||||
|
enable = true;
|
||||||
|
stream.role = "master";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."netdata.euer.krebsco.de" = {
|
||||||
|
addSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/".proxyPass = "http://localhost:19999";
|
||||||
|
};
|
||||||
|
virtualHosts."netdata.makefu.r" = {
|
||||||
|
locations."/".proxyPass = "http://localhost:19999";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -21,6 +21,13 @@ in {
|
|||||||
services.influxdb.extraConfig = {
|
services.influxdb.extraConfig = {
|
||||||
meta.hostname = config.krebs.build.host.name;
|
meta.hostname = config.krebs.build.host.name;
|
||||||
# meta.logging-enabled = true;
|
# meta.logging-enabled = true;
|
||||||
|
logging.level = "info";
|
||||||
|
http.log-enabled = true;
|
||||||
|
http.write-tracing = false;
|
||||||
|
http.suppress-write-log = true;
|
||||||
|
data.trace-logging-enabled = false;
|
||||||
|
data.query-log-enabled = false;
|
||||||
|
|
||||||
http.bind-address = ":${toString influx-port}";
|
http.bind-address = ":${toString influx-port}";
|
||||||
admin.bind-address = ":8083";
|
admin.bind-address = ":8083";
|
||||||
monitoring = {
|
monitoring = {
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ pkgs, ... }:
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../binary-cache/lass.nix
|
../binary-cache/lass.nix
|
||||||
];
|
];
|
||||||
krebs.tinc.retiolum.enable = true;
|
krebs.tinc.retiolum.enable = true;
|
||||||
environment.systemPackages = [ pkgs.tinc ];
|
environment.systemPackages = [ pkgs.tinc ];
|
||||||
|
networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
|
||||||
}
|
}
|
||||||
|
@ -5,6 +5,7 @@ _:
|
|||||||
./awesome-extra.nix
|
./awesome-extra.nix
|
||||||
./deluge.nix
|
./deluge.nix
|
||||||
./forward-journal.nix
|
./forward-journal.nix
|
||||||
|
./netdata.nix
|
||||||
./opentracker.nix
|
./opentracker.nix
|
||||||
./ps3netsrv.nix
|
./ps3netsrv.nix
|
||||||
./logging-config.nix
|
./logging-config.nix
|
||||||
|
150
makefu/3modules/netdata.nix
Normal file
150
makefu/3modules/netdata.nix
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.makefu.netdata;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.makefu.netdata = {
|
||||||
|
enable = mkEnableOption "netdata";
|
||||||
|
|
||||||
|
# TODO only apikey from file, set remote host manually
|
||||||
|
stream.file = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = toString <secrets/netdata-stream.conf>;
|
||||||
|
description = "path to stream data file";
|
||||||
|
};
|
||||||
|
stream.role = mkOption {
|
||||||
|
type = types.enum [ "master" "slave" ];
|
||||||
|
default = "slave";
|
||||||
|
description = "Wether to stream data";
|
||||||
|
};
|
||||||
|
|
||||||
|
httpcheck.checks = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule ({
|
||||||
|
options = {
|
||||||
|
url = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
example = "https://thalheim.io";
|
||||||
|
description = "Url to check";
|
||||||
|
};
|
||||||
|
regex = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
example = "My homepage";
|
||||||
|
description = "Regex that is matched against the returned content";
|
||||||
|
};
|
||||||
|
statusAccepted = mkOption {
|
||||||
|
type = types.listOf types.int;
|
||||||
|
default = [ 200 ];
|
||||||
|
example = [ 401 ];
|
||||||
|
description = "Expected http status code";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
portcheck.checks = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule ({
|
||||||
|
options = {
|
||||||
|
host = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "127.0.0.1";
|
||||||
|
description = "Dns name/IP to check";
|
||||||
|
};
|
||||||
|
port = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
description = "Tcp port number";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
systemd.services.netdata = {
|
||||||
|
requires = [ "secret.service" ];
|
||||||
|
after = [ "secret.service" ];
|
||||||
|
};
|
||||||
|
krebs.secret.files.netdata-stream = {
|
||||||
|
path = "/run/secret/netdata-stream.conf";
|
||||||
|
owner.name = "netdata";
|
||||||
|
source-path = cfg.stream.file;
|
||||||
|
};
|
||||||
|
environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf";
|
||||||
|
|
||||||
|
services.netdata = {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
global = {
|
||||||
|
"bind to" = "0.0.0.0:19999 [::]:19999";
|
||||||
|
"error log" = "stderr";
|
||||||
|
"update every" = "5";
|
||||||
|
};
|
||||||
|
health.enable = if cfg.stream.role == "master" then "yes" else "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.netdata.python.extraPackages = ps: [
|
||||||
|
ps.psycopg2 ps.docker ps.dnspython
|
||||||
|
];
|
||||||
|
|
||||||
|
makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports);
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 19999 ];
|
||||||
|
|
||||||
|
environment.etc."netdata/python.d/httpcheck.conf".text = ''
|
||||||
|
update_every: 30
|
||||||
|
${lib.concatStringsSep "\n" (mapAttrsToList (site: options:
|
||||||
|
''
|
||||||
|
${site}:
|
||||||
|
url: '${options.url}'
|
||||||
|
${optionalString (options.regex != null) "regex: '${options.regex}'"}
|
||||||
|
status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ]
|
||||||
|
'') cfg.httpcheck.checks)
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
environment.etc."netdata/python.d/portcheck.conf".text = ''
|
||||||
|
${lib.concatStringsSep "\n" (mapAttrsToList (service: options:
|
||||||
|
''
|
||||||
|
${service}:
|
||||||
|
host: '${options.host}'
|
||||||
|
port: ${toString options.port}
|
||||||
|
'') cfg.portcheck.checks)
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
systemd.services.netdata.restartTriggers = [
|
||||||
|
config.environment.etc."netdata/python.d/httpcheck.conf".source
|
||||||
|
config.environment.etc."netdata/python.d/portcheck.conf".source
|
||||||
|
config.environment.etc."netdata/stream.conf".source
|
||||||
|
];
|
||||||
|
|
||||||
|
environment.etc."netdata/health.d/httpcheck.conf".text = ''
|
||||||
|
# taken from the original but warn only if a request is at least 300ms slow
|
||||||
|
template: web_service_slow
|
||||||
|
families: *
|
||||||
|
on: httpcheck.responsetime
|
||||||
|
lookup: average -3m unaligned of time
|
||||||
|
units: ms
|
||||||
|
every: 10s
|
||||||
|
warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000)
|
||||||
|
crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000)
|
||||||
|
info: average response time over the last 3 minutes, compared to the average over the last hour
|
||||||
|
delay: down 5m multiplier 1.5 max 1h
|
||||||
|
options: no-clear-notification
|
||||||
|
to: webmaster
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
|
# TODO: notification
|
||||||
|
# environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf";
|
||||||
|
|
||||||
|
}
|
@ -1,30 +0,0 @@
|
|||||||
{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }:
|
|
||||||
stdenv.mkDerivation rec {
|
|
||||||
name = "libopencm-${version}";
|
|
||||||
version = "2017-04-01";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "libopencm3";
|
|
||||||
repo = "libopencm3";
|
|
||||||
rev = "383fafc862c0d47f30965f00409d03a328049278";
|
|
||||||
sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = [ gcc-arm-embedded python ];
|
|
||||||
buildPhase = ''
|
|
||||||
sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h
|
|
||||||
make
|
|
||||||
'';
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out
|
|
||||||
cp -r lib $out/
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = {
|
|
||||||
description = "Open Source ARM cortex m microcontroller library";
|
|
||||||
homepage = https://github.com/libopencm3/libopencm3;
|
|
||||||
license = stdenv.lib.licenses.gpl2;
|
|
||||||
platforms = stdenv.lib.platforms.linux;
|
|
||||||
maintainers = with stdenv.lib.maintainers; [ makefu ];
|
|
||||||
};
|
|
||||||
}
|
|
@ -7,7 +7,6 @@
|
|||||||
|
|
||||||
host-src = {
|
host-src = {
|
||||||
secure = false;
|
secure = false;
|
||||||
full = false;
|
|
||||||
torrent = false;
|
torrent = false;
|
||||||
hw = false;
|
hw = false;
|
||||||
musnix = false;
|
musnix = false;
|
||||||
@ -23,7 +22,11 @@
|
|||||||
{
|
{
|
||||||
# nixos-18.09 @ 2018-09-18
|
# nixos-18.09 @ 2018-09-18
|
||||||
# + uhub/sqlite: 5dd7610401747
|
# + uhub/sqlite: 5dd7610401747
|
||||||
nixpkgs = if test then {
|
# + hovercraft: 7134801b17d72
|
||||||
|
nixpkgs = if host-src.arm6 then {
|
||||||
|
# TODO: we want to track the unstable channel
|
||||||
|
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
|
||||||
|
} else {
|
||||||
file = {
|
file = {
|
||||||
path = toString (pkgs.fetchFromGitHub {
|
path = toString (pkgs.fetchFromGitHub {
|
||||||
owner = "makefu";
|
owner = "makefu";
|
||||||
@ -33,14 +36,6 @@
|
|||||||
});
|
});
|
||||||
useChecksum = true;
|
useChecksum = true;
|
||||||
};
|
};
|
||||||
} else if host-src.full then {
|
|
||||||
git.ref = nixpkgs-src.rev;
|
|
||||||
git.url = nixpkgs-src.url;
|
|
||||||
} else if host-src.arm6 then {
|
|
||||||
# TODO: we want to track the unstable channel
|
|
||||||
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
|
|
||||||
} else {
|
|
||||||
file = "/home/makefu/store/${nixpkgs-src.rev}";
|
|
||||||
};
|
};
|
||||||
nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix";
|
nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix";
|
||||||
|
|
||||||
|
@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
|
|||||||
--rev refs/heads/master' \
|
--rev refs/heads/master' \
|
||||||
> $dir/nixpkgs.json
|
> $dir/nixpkgs.json
|
||||||
newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
||||||
echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref"
|
echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'"
|
||||||
|
Loading…
Reference in New Issue
Block a user