Merge remote-tracking branches 'mors/master' and 'pnp/master'

tv 2015-11-07 10:38:27 +01:00
commit bbcdef021a
47 changed files with 801 additions and 139 deletions


@ -108,8 +108,8 @@ let
# Implements environment.etc."zones/<zone-name>"
environment.etc = let
stripEmptyLines = s: concatStringsSep "\n"
(remove "\n" (remove "" (splitString "\n" s)));
stripEmptyLines = s: (concatStringsSep "\n"
(remove "\n" (remove "" (splitString "\n" s)))) + "\n";
all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
([cfg.zone-head-config] ++ combined-hosts);
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );


@ -33,7 +33,7 @@ let
in {
hosts = addNames {
echelon = {
cores = 4;
cores = 2;
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
@ -66,6 +66,39 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
prism = {
cores = 4;
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
addrs4 = ["213.239.205.240"];
aliases = [
"prism.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.0.103"];
addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"];
aliases = [
"prism.retiolum"
"cgit.prism.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl
JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I
AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5
jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j
anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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";
};
fastpoke = {
dc = "lass";
nets = rec {


@ -164,6 +164,8 @@ with lib;
dc = "makefu"; #dc = "cac";
extraZones = {
"krebsco.de" = ''
euer IN A ${head nets.internet.addrs4}
wiki.euer IN A ${head nets.internet.addrs4}
wry IN A ${head nets.internet.addrs4}
io IN NS wry.krebsco.de.
graphs IN A ${head nets.internet.addrs4}
@ -185,9 +187,14 @@ with lib;
addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"];
aliases = [
"graphs.wry.retiolum"
"graphs.retiolum"
"paste.wry.retiolum"
"paste.retiolum"
"wry.retiolum"
"wiki.makefu.retiolum"
"wiki.wry.retiolum"
"blog.makefu.retiolum"
"blog.wry.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -207,14 +214,37 @@ with lib;
};
};
};
filepimp = rec {
cores = 1;
dc = "makefu"; #nas
nets = {
retiolum = {
addrs4 = ["10.243.153.102"];
addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"];
aliases = [
"filepimp.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
gum = rec {
cores = 1;
dc = "online.net"; #root-server
extraZones = {
"krebsco.de" = ''
omo IN A ${head nets.internet.addrs4}
euer IN A ${head nets.internet.addrs4}
share.euer IN A ${head nets.internet.addrs4}
gum IN A ${head nets.internet.addrs4}
'';
};


@ -95,8 +95,12 @@ let
ExecStartPre = pkgs.writeScript "tinc_graphs-init" ''
#!/bin/sh
mkdir -p "${internal_dir}" "${external_dir}"
if ! test -e "${cfg.workingDir}/internal/index.html"; then
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}"
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/." "${internal_dir}"
fi
if ! test -e "${cfg.workingDir}/external/index.html"; then
cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}"
fi
'';
@ -118,7 +122,6 @@ let
users.extraUsers.tinc_graphs = {
uid = 3925439960; #genid tinc_graphs
home = "/var/spool/tinc_graphs";
createHome = true;
};
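Review bot: The guard `if ! test -e "${cfg.workingDir}/internal/index.html"` checks under cfg.workingDir, but the copy on the next line writes into `${internal_dir}`; unless internal_dir is defined as `${cfg.workingDir}/internal` (its definition is outside the hunk) the test never turns true and `cp -fr` re-copies the static tree on every start, clobbering local edits. The external branch has the same shape. A one-line comment such as `# internal_dir/external_dir live under cfg.workingDir, so index.html marks a completed copy` would pin the invariant. The second hunk appears to drop `createHome = true;` for the tinc_graphs user; if nothing else creates /var/spool/tinc_graphs, confirm the home directory is still provisioned.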
krebs.nginx.servers = mkIf cfg.nginx.enable {


@ -56,6 +56,13 @@ let
https://nixos.org/channels/nixos-unstable/git-revision
];
};
verbose = mkOption {
type = types.bool;
default = false;
description = ''
verbose output of urlwatch
'';
};
};
urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls);
@ -106,7 +113,7 @@ let
cd /tmp
urlwatch -e --urls="$urlsFile" > changes 2>&1 || :
urlwatch -e ${optionalString cfg.verbose "-v"} --urls="$urlsFile" > changes || :
if test -s changes; then
date=$(date -R)
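Review bot: The new command line `urlwatch -e ${optionalString cfg.verbose "-v"} --urls="$urlsFile" > changes || :` drops the `2>&1` the old one had, so urlwatch's stderr no longer reaches `changes`; with `-v` that keeps verbose chatter out of the report, but fetch errors are now missing from it too, and `|| :` already hides the exit status. If that is intended, record it with `# stderr (including -v output) goes to the journal, not into the report` on that line; otherwise keep `2>&1` and gate only the `-v`. The enclosing script continues outside the hunk.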


@ -11,12 +11,28 @@ prepare() {(
;;
centos)
case $VERSION_ID in
6)
prepare_centos "$@"
exit
;;
7)
prepare_centos "$@"
exit
;;
esac
;;
debian)
case $VERSION_ID in
7)
prepare_debian "$@"
exit
;;
8)
prepare_debian "$@"
exit
;;
esac
;;
esac
elif test -e /etc/centos-release; then
case $(cat /etc/centos-release) in
@ -31,6 +47,7 @@ prepare() {(
)}
prepare_arch() {
pacman -Sy
type bzip2 2>/dev/null || pacman -S --noconfirm bzip2
type git 2>/dev/null || pacman -S --noconfirm git
type rsync 2>/dev/null || pacman -S --noconfirm rsync
@ -44,6 +61,14 @@ prepare_centos() {
prepare_common
}
prepare_debian() {
apt-get update
type bzip2 2>/dev/null || apt-get install bzip2
type git 2>/dev/null || apt-get install git
type rsync 2>/dev/null || apt-get install rsync
prepare_common
}
prepare_common() {
if ! getent group nixbld >/dev/null; then
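Review bot: `type bzip2 2>/dev/null || apt-get install bzip2` and the two lines after it run apt-get without `-y`, so on a Debian host that lacks the package the unattended prepare_debian stops at the confirmation prompt; the pacman branch directly above passes `--noconfirm` for exactly this reason. Change them to `type bzip2 2>/dev/null || apt-get install -y bzip2` (likewise git and rsync); `type` also prints the resolved path to stdout, so `>/dev/null 2>&1` is the quieter form. In prepare(), the `6)` and `7)` arms and the `7)` and `8)` arms are identical and collapse to `6|7)` and `7|8)`. prepare()'s body starts and ends outside the hunk.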


@ -0,0 +1,22 @@
{ lib, pkgs, pythonPackages, fetchurl, ... }:
with pythonPackages; buildPythonPackage rec {
name = "bepasty-client-cli-${version}";
version = "0.3.0";
propagatedBuildInputs = [
python_magic
click
requests2
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/b/bepasty-client-cli/bepasty-client-cli-${version}.tar.gz";
sha256 = "002kcplyfnmr5pn2ywdfilss0rmbm8wcdzz8hzp03ksy2zr4sdbw";
};
meta = {
homepage = https://github.com/bepasty/bepasty-client-cli;
description = "CLI client for bepasty-server";
license = lib.licenses.bsd2;
};
}


@ -0,0 +1,15 @@
{lib, pkgs, pythonPackages, fetchurl, ... }:
pythonPackages.buildPythonPackage rec {
name = "collectd-connect-time-${version}";
version = "0.3.0";
src = fetchurl {
url = "https://pypi.python.org/packages/source/c/collectd-connect-time/collectd-connect-time-${version}.tar.gz";
sha256 = "0vvrf9py9bwc8hk3scxwg4x2j8jlp2qva0mv4q8d9m4b4mk99c95";
};
meta = {
homepage = https://pypi.python.org/pypi/collectd-connect-time/;
description = "TCP Connection time plugin for collectd";
license = lib.licenses.wtfpl;
};
}


@ -0,0 +1,7 @@
{ writeScriptBin, pkgs }:
# TODO: use `wrapProgram --add-flags` instead?
writeScriptBin "krebspaste" ''
#! /bin/sh
exec ${pkgs.bepasty-client-cli}/bin/bepasty-cli --url http://paste.retiolum "$@"
''


@ -2,14 +2,14 @@
python3Packages.buildPythonPackage rec {
name = "tinc_graphs-${version}";
version = "0.3.6";
version = "0.3.9";
propagatedBuildInputs = with pkgs;[
python3Packages.pygeoip
## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
sha256 = "0ghdx9aaipmppvc2b6cgks4nxw6zsb0fhjrmnisbx7rz0vjvzc74";
sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx";
};
preFixup = with pkgs;''
wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"


@ -0,0 +1,43 @@
{stdenv, fetchurl,pkgs,... }:
let
s =
rec {
baseName="translate-shell";
version="0.9.0.9";
name="${baseName}-${version}";
url=https://github.com/soimort/translate-shell/archive/v0.9.0.9.tar.gz;
sha256="1269j4yr9dr1d8c5kmysbzfplbgdg8apqnzs5w57d29sd7gz2i34";
};
searchpath = with pkgs; stdenv.lib.makeSearchPath "bin" [
fribidi
gawk
bash
curl
less
];
buildInputs = [
pkgs.makeWrapper
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
# TODO: maybe mplayer
installPhase = ''
mkdir -p $out/bin
make PREFIX=$out install
wrapProgram $out/bin/trans --suffix PATH : "${searchpath}"
'';
meta = {
inherit (s) version;
description = ''translate using google api'';
license = stdenv.lib.licenses.free;
maintainers = [stdenv.lib.maintainers.makefu];
platforms = stdenv.lib.platforms.linux ;
};
}
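Review bot: `url=https://github.com/soimort/translate-shell/archive/v0.9.0.9.tar.gz;` repeats the version literally although `version` is bound one line above in the same `rec` set, so the next bump fetches the old tarball unless both lines are edited; use `url="https://github.com/soimort/translate-shell/archive/v${version}.tar.gz";`. GitHub's generated archive tarballs are not guaranteed byte-stable, so the sha256 pin can break without any upstream change; `pkgs.fetchFromGitHub` with the tag as `rev` is the usual choice. `# TODO: maybe mplayer` should say what it would be needed for (presumably speech output, worth confirming) so the next reader can decide.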


@ -2,7 +2,6 @@ Address= 195.154.108.70
Address= 195.154.108.70 53
Subnet = 10.243.0.211
Subnet = 42:f9f0:0000:0000:0000:0000:0000:70d2
Aliases = paste
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY

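--- /dev/null
+++ b/krebs/Zhosts/prism
@@ -0,0 +1,12 @@
+Address = 213.239.205.240
+Subnet = 10.243.0.103
+Subnet = 42:0000:0000:0000:0000:0000:0000:15ab
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
+kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl
+JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I
+AoPW2ol8/sdZxeK4hCe/aQz6y0AEvigpvPkHx+TE5fkBeIeqhiKTIWpEqjU4wXx5
+jP2izYuaIsHAihU8mm03xRxT4+4IHYt6ddrhNeBuJBsATLkDgULdQyOoEzmXCm2j
+anGRBZoYVazxn7d8mKBdE09ZNc1ijULZgwIDAQAB
+-----END RSA PUBLIC KEY-----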


@ -47,6 +47,23 @@ in {
{ predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
];
}
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
];
};
};
}
];
krebs.build.host = config.krebs.hosts.echelon;
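Review bot: The new `satan` user carries its SSH public key inline, while the other user definitions touched by this commit take keys from the shared registry (`config.krebs.users.lass.pubkey` in lass/2configs/base.nix), so a rotation of this key has to be hunted down per host. Either register the key under krebs.users and reference it as `openssh.authorizedKeys.keys = [ config.krebs.users.USERNAME.pubkey ];` (USERNAME being a placeholder for the entry you add), or put a comment on the block saying who the account belongs to and why it is host-local. `extraGroups = [ ];` is the default empty list and can be dropped.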


@ -156,6 +156,7 @@
get
genid
teamspeak_client
hashPassword
];
#TODO: fix this shit

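--- /dev/null
+++ b/lass/1systems/prism.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+let
+inherit (lib) head;
+ip = (head config.krebs.build.host.nets.internet.addrs4);
+in {
+imports = [
+../2configs/base.nix
+../2configs/downloading.nix
+../2configs/git.nix
+../2configs/ts3.nix
+{
+users.extraGroups = {
+# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+# Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+# Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+# Docs: man:tmpfiles.d(5)
+# man:systemd-tmpfiles(8)
+# Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+# Main PID: 19272 (code=exited, status=1/FAILURE)
+#
+# Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+# Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+# Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+# Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+# Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+# Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+# Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+# warning: error(s) occured while switching to the new configuration
+lock.gid = 10001;
+};
+}
+{
+networking.interfaces.et0.ip4 = [
+{
+address = ip;
+prefixLength = 24;
+}
+];
+networking.defaultGateway = "213.239.205.225";
+networking.nameservers = [
+"8.8.8.8"
+];
+services.udev.extraRules = ''
+SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
+'';
+}
+{
+#boot.loader.gummiboot.enable = true;
+#boot.loader.efi.canTouchEfiVariables = true;
+boot.loader.grub = {
+devices = [
+"/dev/sda"
+"/dev/sdb"
+];
+splashImage = null;
+};
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"vmw_pvscsi"
+];
+fileSystems."/" = {
+device = "/dev/pool/nix";
+fsType = "ext4";
+};
+fileSystems."/boot" = {
+device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
+};
+fileSystems."/var/download" = {
+device = "/dev/pool/download";
+};
+}
+{
+sound.enable = false;
+}
+{
+#workaround for server dying after 6-7h
+boot.kernelPackages = pkgs.linuxPackages_4_2;
+}
+{
+nixpkgs.config.allowUnfree = true;
+}
+];
+krebs.build.host = config.krebs.hosts.prism;
+}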
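Review bot: The seventeen-line journal paste above `lock.gid = 10001;` records the symptom but not the reasoning, so a reader has to infer that the `lock` group exists only because a legacy tmpfiles.d entry names it. Replace the paste with `# tmpfiles.d/legacy.conf references group "lock"; without it systemd-tmpfiles-setup fails on activation` and keep store paths and timestamps out of the file. `boot.kernelPackages = pkgs.linuxPackages_4_2;` pins a kernel series as a stability workaround; note when to re-test the default kernel, since a pinned series stops receiving fixes once nixpkgs drops it.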


@ -15,8 +15,8 @@ with lib;
{
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = map readFile [
../../krebs/Zpubkeys/lass.ssh.pub
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
mainUser = {
@ -27,11 +27,9 @@ with lib;
createHome = true;
useDefaultShell = true;
extraGroups = [
"audio"
"wheel"
];
openssh.authorizedKeys.keys = map readFile [
../../krebs/Zpubkeys/lass.ssh.pub
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
};
@ -50,7 +48,7 @@ with lib;
source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
rev = "33bdc011f5360288cd10b9fda90da2950442b2ab";
rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
};
dir.secrets = {
host = config.krebs.hosts.mors;


@ -8,6 +8,8 @@ in {
./urxvt.nix
];
users.extraUsers.mainUser.extraGroups = [ "audio" ];
time.timeZone = "Europe/Berlin";
virtualisation.libvirtd.enable = true;


@ -1,6 +1,10 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
with lib;
let
rpc-password = import <secrets/transmission-pw.nix>;
in {
imports = [
../3modules/folderPerms.nix
];
@ -10,9 +14,13 @@
name = "download";
home = "/var/download";
createHome = true;
useDefaultShell = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
transmission = {
@ -41,8 +49,8 @@
rpc-authentication-required = true;
rpc-whitelist-enabled = false;
rpc-username = "download";
#add rpc-password in secrets
rpc-password = "test123";
inherit rpc-password;
peer-port = 51413;
};
};
@ -50,6 +58,8 @@
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
];
};
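Review bot: `{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }` (context here; the new 51413 rules follow the same shape) accepts transmission RPC on every interface while `rpc-whitelist-enabled = false` turns off the IP whitelist, so the imported password is the only thing between the RPC endpoint and the internet; the echelon config in this same commit scopes a comparable rule with `-i retiolum`. If RPC is only driven from the VPN, `{ predicate = "-i retiolum -p tcp --dport 9091"; target = "ACCEPT"; }` closes that gap. Replacing `"test123"` with `import <secrets/transmission-pw.nix>` is the right move, but the value is still evaluated into the generated settings file, which likely lands in a world-readable location (nix store or service home — confirm); a comment on the `let` binding stating that assumption would help the next reader.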


@ -33,6 +33,8 @@ let
web-routes-wai-custom = {};
go = {};
newsbot-js = {};
kimsufi-check = {};
realwallpaper = {};
};
restricted-repos = mapAttrs make-restricted-repo (


@ -16,7 +16,7 @@
enable = true;
hosts = ../../krebs/Zhosts;
connectTo = [
"fastpoke"
"prism"
"cloudkrebs"
"echelon"
"pigstarter"

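--- /dev/null
+++ b/lass/2configs/ts3.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+services.teamspeak3 = {
+enable = true;
+};
+krebs.iptables.tables.filter.INPUT.rules = [
+#voice port
+{ predicate = "-p tcp --dport 9987"; target = "ACCEPT"; }
+{ predicate = "-p udp --dport 9987"; target = "ACCEPT"; }
+##file transfer port
+#{ predicate = "-p tcp --dport 30033"; target = "ACCEPT"; }
+#{ predicate = "-p udp --dport 30033"; target = "ACCEPT"; }
+##query port
+#{ predicate = "-p tcp --dport 10011"; target = "ACCEPT"; }
+#{ predicate = "-p udp --dport 10011"; target = "ACCEPT"; }
+];
+}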


@ -0,0 +1,38 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
../2configs/default.nix
../2configs/fs/vm-single-partition.nix
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
];
krebs.build.host = config.krebs.hosts.filepimp;
# AMD N54L
boot = {
loader.grub.device = "/dev/sda";
initrd.availableKernelModules = [
"usb_storage"
"ahci"
"xhci_hcd"
"ata_piix"
"uhci_hcd"
"ehci_pci"
];
kernelModules = [ ];
extraModulePackages = [ ];
};
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true;
}
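Review bot: The imports list pulls in both `../2configs/fs/vm-single-partition.nix` and `../2configs/fs/single-partition-ext4.nix`; in this same commit vm-single-partition.nix imports single-partition-ext4.nix itself and sets `boot.loader.grub.device = "/dev/vda"`, while this file sets `loader.grub.device = "/dev/sda"` for the AMD N54L. Two plain definitions of the same option conflict at evaluation (neither side uses mkDefault or mkForce), and a VM profile has no business on bare metal, so drop the `vm-single-partition.nix` line. The stock `# Include the results of the hardware scan.` comment does not describe the list it introduces and can go.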

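--- /dev/null
+++ b/makefu/1systems/gum.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+external-ip = head config.krebs.build.host.nets.internet.addrs4;
+internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
+in {
+imports = [
+# TODO: copy this config or move to krebs
+../2configs/tinc-basic-retiolum.nix
+../2configs/headless.nix
+# ../2configs/iodined.nix
+# Reaktor
+../2configs/Reaktor/simpleExtend.nix
+];
+krebs.build.host = config.krebs.hosts.gum;
+krebs.Reaktor.enable = true;
+# prepare graphs
+krebs.nginx.enable = true;
+networking = {
+firewall.allowPing = true;
+firewall.allowedTCPPorts = [ 80 443 655 ];
+firewall.allowedUDPPorts = [ 655 ];
+interfaces.enp2s1.ip4 = [{
+address = external-ip;
+prefixLength = 24;
+}];
+defaultGateway = "195.154.108.1";
+nameservers = [ "8.8.8.8" ];
+};
+# based on ../../tv/2configs/CAC-Developer-2.nix
+}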
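Review bot: `internal-ip` is bound in the `let` but never used in this file, and the trailing `# based on ../../tv/2configs/CAC-Developer-2.nix` sits after the last option with nothing it refers to; drop the binding (or use it to bind services to the retiolum address as wry does) and move the provenance comment up next to the existing TODO. `krebs.nginx.enable = true;` under `# prepare graphs` opens 80 and 443 to the world before any server block exists; a sentence naming the service that is meant to land here, e.g. `# nginx enabled ahead of moving tinc_graphs here; no vhosts yet`, would tell the next reader whether that is deliberate.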


@ -8,11 +8,12 @@
imports =
[ # Include the results of the hardware scan.
# Base
../2configs/base.nix
../2configs/base-sources.nix
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
# HW/FS
# enables virtio kernel modules in initrd
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix
@ -32,6 +33,8 @@
# ../2configs/graphite-standalone.nix
];
krebs.urlwatch.verbose = true;
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
krebs.Reaktor.nickname = "Reaktor|bot";
@ -40,8 +43,6 @@
};
krebs.build.host = config.krebs.hosts.pnp;
krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@pnp";
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };


@ -6,12 +6,8 @@
{
imports =
[ # Include the results of the hardware scan.
../2configs/base.nix
../2configs/main-laptop.nix #< base-gui
# configures sources
../2configs/base-sources.nix
# Krebs
../2configs/tinc-basic-retiolum.nix
#../2configs/disable_v6.nix
@ -23,7 +19,8 @@
../2configs/exim-retiolum.nix
../2configs/mail-client.nix
#../2configs/virtualization.nix
../2configs/virtualization-virtualbox.nix
../2configs/virtualization.nix
#../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix
# services
@ -34,16 +31,19 @@
../2configs/hw/tp-x220.nix
# mount points
../2configs/fs/sda-crypto-root-home.nix
# ../2configs/mediawiki.nix
#../2configs/wordpress.nix
];
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
krebs.Reaktor.nickname = "makefu|r";
#krebs.Reaktor.enable = true;
#krebs.Reaktor.nickname = "makefu|r";
krebs.build.host = config.krebs.hosts.pornocauster;
krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@pornocauster";
environment.systemPackages = with pkgs;[ get ];
environment.systemPackages = with pkgs;[
get
virtmanager
gnome3.dconf
];
services.logind.extraConfig = "HandleLidSwitch=ignore";
# configure pulseAudio to provide a HDMI sink as well


@ -8,26 +8,9 @@
imports =
[ # Include the results of the hardware scan.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/base.nix
../2configs/cgit-retiolum.nix
];
krebs.build.host = config.krebs.hosts.repunit;
krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@repunit";
krebs.build.deps = {
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
#url = https://github.com/makefu/nixpkgs;
rev = "13576925552b1d0751498fdda22e91a055a1ff6c";
};
secrets = {
url = "/home/makefu/secrets/${config.krebs.build.host.name}";
};
stockholm = {
url = toString ../..;
};
};
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;


@ -6,7 +6,6 @@
{
imports =
[ # Include the results of the hardware scan.
../2configs/base.nix
../2configs/base-gui.nix
../2configs/tinc-basic-retiolum.nix
../2configs/fs/sda-crypto-root.nix
@ -21,19 +20,9 @@
];
# not working in vm
krebs.build.host = config.krebs.hosts.tsp;
krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@tsp";
networking.firewall.allowedTCPPorts = [
25
];
krebs.build.deps = {
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
#url = https://github.com/makefu/nixpkgs;
rev = "13576925552b1d0751498fdda22e91a055a1ff6c";
};
};
}


@ -8,9 +8,10 @@ let
in {
imports = [
# TODO: copy this config or move to krebs
../../tv/2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../../tv/2configs/hw/CAC.nix
../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/unstable-sources.nix
../2configs/headless.nix
../2configs/tinc-basic-retiolum.nix
../2configs/bepasty-dual.nix
@ -19,15 +20,16 @@ in {
# Reaktor
../2configs/Reaktor/simpleExtend.nix
# other nginx
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
# collectd
../2configs/collectd/collectd-base.nix
];
krebs.build = {
user = config.krebs.users.makefu;
target = "root@wry";
host = config.krebs.hosts.wry;
};
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.enable = true;
@ -47,7 +49,7 @@ in {
# TODO: remove hard-coded hostname
complete = {
listen = [ "${internal-ip}:80" ];
server-names = [ "graphs.wry" ];
server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
};
anonymous = {
listen = [ "${external-ip}:80" ] ;
@ -55,9 +57,11 @@ in {
};
};
};
networking = {
firewall.allowPing = true;
firewall.allowedTCPPorts = [ 53 80 443 ];
firewall.allowedUDPPorts = [ 655 ];
interfaces.enp2s1.ip4 = [{
address = external-ip;
prefixLength = 24;
@ -66,7 +70,5 @@ in {
nameservers = [ "8.8.8.8" ];
};
# based on ../../tv/2configs/CAC-Developer-2.nix
sound.enable = false;
environment.systemPackages = [ pkgs.translate-shell ];
}
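Review bot: `firewall.allowedTCPPorts = [ 53 80 443 ];` opens DNS over TCP only, while `firewall.allowedUDPPorts = [ 655 ];` leaves UDP 53 closed; the makefu host-registry hunk earlier in this commit delegates `io IN NS wry.krebsco.de.` to this host, and authoritative DNS is answered primarily over UDP, so resolvers would reach it only through TCP fallback, if at all. If wry is meant to serve that zone, change it to `firewall.allowedUDPPorts = [ 53 655 ];`; otherwise drop 53 from the TCP list and say why it was there. Which of the two firewall lines is new cannot be recovered from the rendered hunk, so treat this as a question on the resulting configuration.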


@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
{
krebs.build.source = {
git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = https://github.com/makefu/nixpkgs;
rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine
};
dir.secrets = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/secrets/${config.krebs.build.host.name}/";
};
dir.stockholm = {
host = config.krebs.hosts.pornocauster;
path = toString ../.. ;
};
};
}


@ -11,7 +11,11 @@
# bepasty-secret.nix <- contains single string
with lib;
{
let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
in {
krebs.nginx.enable = mkDefault true;
krebs.bepasty = {
@ -24,7 +28,7 @@ with lib;
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = import <secrets/bepasty-secret.nix>;
secretKey = secKey;
};
external = {
@ -33,8 +37,8 @@ with lib;
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_certificate /root/secrets/wildcard.krebsco.de.crt;
ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@ -45,7 +49,7 @@ with lib;
}'';
};
defaultPermissions = "read";
secretKey = import <secrets/bepasty-secret.nix>;
secretKey = secKey;
};
};
};
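Review bot: `sec = toString <secrets>;` together with `ssl_certificate ${sec}/wildcard.krebsco.de.crt;` is the substantive change here: interpolating the string rather than the path keeps the certificate and private key out of the world-readable nix store and resolves them on the target at runtime, but nothing says so and a later tidy-up could "simplify" it back to a path literal. Add `# toString: reference the secrets dir by path at runtime instead of copying the key into the store` at the binding. `secKey = import <secrets/bepasty-secret.nix>;` is evaluated into the configuration and therefore does end up in the store, which the existing `# secKey is nothing worth protecting on a local machine` comment justifies; keeping the two bindings visibly distinct is what makes that acceptable.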


@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
# graphite-web on port 8080
# carbon cache on port 2003 (tcp/udp)
with lib;
let
connect-time-cfg = with pkgs; writeText "collectd-connect-time.cfg" ''
LoadPlugin python
<Plugin python>
ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
Import "collectd_connect_time"
<Module collectd_connect_time>
target "wry.retiolum" "localhost" "google.com"
interval 30
</Module>
</Plugin>
'';
graphite-cfg = pkgs.writeText "collectd-graphite-cfg" ''
LoadPlugin write_graphite
<Plugin "write_graphite">
<Carbon>
Host "heidi.retiolum"
Port "2003"
Prefix "retiolum."
EscapeCharacter "_"
StoreRates false
AlwaysAppendDS false
</Carbon>
</Plugin>
'';
in {
imports = [ ];
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
collectd = pkgs.collectd.override { python= pkgs.python; };
};
services.collectd = {
enable = true;
include = [ (toString connect-time-cfg) (toString graphite-cfg) ];
};
}
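Review bot: This module and the collectd-base.nix in the last section of this commit (imported by wolf.nix as `../2configs/collectd-base.nix`) are the same file apart from the `target` list, the `interval`, and the carbon `Host`, so a fix to one (the python override, for instance) will drift from the other; the `# TODO: krebs.collectd.plugins` in the other copy is the right direction, and until then one copy importing the other with the three values as options would do. `imports = [ ];` is a no-op and can be dropped. Inside `pkgs: with pkgs; { collectd = pkgs.collectd.override ... }` the `pkgs.` prefixes are redundant with the `with`.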


@ -2,6 +2,8 @@
with lib;
{
system.stateVersion = "15.09";
imports = [
{
users.extraUsers =
@ -10,10 +12,36 @@ with lib;
}
./vim.nix
];
krebs.enable = true;
krebs.search-domain = "retiolum";
krebs = {
enable = true;
search-domain = "retiolum";
build = {
target = mkDefault "root@${config.krebs.build.host.name}";
user = config.krebs.users.makefu;
source = {
git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/makefu/nixpkgs;
rev = mkDefault "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picking
target-path = "/var/src/nixpkgs";
};
dir.secrets = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/secrets/${config.krebs.build.host.name}/";
};
dir.stockholm = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/stockholm" ;
target-path = "/var/src/stockholm";
};
};
};
};
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
@ -56,7 +84,6 @@ with lib;
environment.systemPackages = with pkgs; [
jq
git
vim
gnumake
rxvt_unicode.terminfo
htop
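Review bot: In the new `krebs.build.source` block `git.nixpkgs` and `dir.stockholm` each set a `target-path` but `dir.secrets` does not, so where the secrets directory lands on the target depends on an option default that is not visible here; an explicit `target-path` or a comment on `dir.secrets` naming the destination would make the three entries read alike. `rev = mkDefault "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picking` should say what was cherry-picked (the per-host file this commit deletes said `cherry-picked iodine`), otherwise the pin is hard to retire.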


@ -18,6 +18,4 @@ with lib;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.amd.updateMicrocode = true;
}


@ -6,8 +6,8 @@
with lib;
{
boot = {
loader.grub.enable =true;
loader.grub.version =2;
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];


@ -0,0 +1,10 @@
{config, ...}:
{
boot.loader.grub.enable = assert config.boot.loader.grub.device != ""; true;
boot.loader.grub.version = 2;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
}
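Review bot: `boot.loader.grub.enable = assert config.boot.loader.grub.device != ""; true;` aborts evaluation with a bare assertion trace when an importer forgets to set the device; the module system's `assertions` option yields a readable message instead, e.g. `assertions = [ { assertion = config.boot.loader.grub.device != ""; message = "single-partition-ext4.nix: set boot.loader.grub.device"; } ];` next to a plain `boot.loader.grub.enable = true;`. A header comment stating the contract, `# importer must set boot.loader.grub.device`, would also help, since the empty-string check is easy to misread as a typo.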


@ -3,18 +3,9 @@
# vda1 ext4 (label nixos) -> only root partition
with lib;
{
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
imports = [
./single-partition-ext4.nix
];
boot.loader.grub.device = "/dev/vda";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.amd.updateMicrocode = true;
}


@ -0,0 +1,4 @@
{lib,... }:
{
sound.enable = lib.mkForce false;
}


@ -8,6 +8,8 @@ with lib;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;


@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
with lib;
let
sec = toString <secrets>;
ssl_cert = "${sec}/wildcard.krebsco.de.crt";
ssl_key = "${sec}/wildcard.krebsco.de.key";
hostname = config.krebs.build.host.name;
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
base-dir = "/var/www/blog.euer";
in {
# Prepare Blog directory
systemd.services.prepare-euer-blog = {
wantedBy = [ "local-fs.target" ];
before = [ "nginx.service" ];
serviceConfig = {
# do nothing if the base dir already exists
ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
#!/bin/sh
if ! test -d "${base-dir}" ;then
mkdir -p "${base-dir}"
chown ${user}:${group} "${base-dir}"
chmod 700 "${base-dir}"
fi
'';
Type = "oneshot";
RemainAfterExit = "yes";
TimeoutSec = "0";
};
};
krebs.nginx = {
enable = mkDefault true;
servers = {
euer-blog = {
listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
"${internal-ip}:80" "${internal-ip}:443 ssl" ];
server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ];
extraConfig = ''
gzip on;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/css;
ssl_certificate ${ssl_cert};
ssl_certificate_key ${ssl_key};
default_type text/plain;
'';
locations = singleton (nameValuePair "/" ''
root ${base-dir};
'');
};
};
};
}


@ -0,0 +1,118 @@
{ config, lib, pkgs, ... }:
with lib;
let
sec = toString <secrets>;
ssl_cert = "${sec}/wildcard.krebsco.de.crt";
ssl_key = "${sec}/wildcard.krebsco.de.key";
user = config.services.nginx.user;
group = config.services.nginx.group;
fpm-socket = "/var/run/php5-fpm.sock";
hostname = config.krebs.build.host.name;
tw-upload = pkgs.tw-upload-plugin;
base-dir = "/var/www/wiki.euer";
base-cfg = "${base-dir}/twconf.ini";
wiki-dir = "${base-dir}/store/";
backup-dir = "${base-dir}/backup/";
# contains:
# user1 = pass1
# userN = passN
tw-pass-file = "${sec}/tw-pass.ini";
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
services.phpfpm = {
# phpfpm does not have an enable option
poolConfigs = {
euer-wiki = ''
user = ${user}
group = ${group}
listen = ${fpm-socket}
listen.owner = ${user}
listen.group = ${group}
env[twconf] = ${base-cfg};
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
# errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
};
systemd.services.prepare-tw = {
wantedBy = [ "local-fs.target" ];
before = [ "phpfpm.service" ];
serviceConfig = {
ExecStart = pkgs.writeScript "prepare-tw-service" ''
#!/bin/sh
if ! test -d "${base-dir}" ;then
mkdir -p "${wiki-dir}" "${backup-dir}"
# write the base configuration
cat > "${base-cfg}" <<EOF
[users]
$(cat "${tw-pass-file}")
[directories]
backupdir = ${backup-dir}
savedir = ${wiki-dir}
EOF
chown -R ${user}:${group} "${base-dir}"
chmod 700 -R "${base-dir}"
fi
'';
Type = "oneshot";
RemainAfterExit = "yes";
TimeoutSec = "0";
};
};
krebs.nginx = {
enable = mkDefault true;
servers = {
euer-wiki = {
listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
"${internal-ip}:80" "${internal-ip}:443 ssl" ];
server-names = [
"wiki.euer.krebsco.de"
"wiki.makefu.retiolum"
"wiki.makefu"
];
extraConfig = ''
gzip on;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/css;
ssl_certificate ${ssl_cert};
ssl_certificate_key ${ssl_key};
default_type text/plain;
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
'';
locations = [
(nameValuePair "/" ''
root ${wiki-dir};
expires -1;
autoindex on;
'')
(nameValuePair "/store.php" ''
root ${tw-upload};
client_max_body_size 200M;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${fpm-socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'')
];
};
};
};
}
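Review bot: `prepare-tw` writes the `[users]` credentials from `${tw-pass-file}` into `${base-cfg}` only inside `if ! test -d "${base-dir}"`, so a password change or new user in tw-pass.ini never reaches twconf.ini on a host that has already booted once; either document it, `# first boot only: twconf.ini is not regenerated, remove it after editing tw-pass.ini`, or regenerate the ini unconditionally and keep the existence check for the store and backup directories. `env[twconf] = ${base-cfg};` carries a trailing `;` the other pool lines do not have; if php-fpm does not treat it as a comment the variable names a file that does not exist, so drop it. twconf.ini holds plaintext credentials beside the served tree; it is not served only because `root ${wiki-dir}` points at the `store/` subdirectory, which deserves a comment at `base-cfg`.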


@ -1,19 +1,8 @@
{ config, lib, pkgs, ... }:
_:
{
krebs.build.source = {
git.nixpkgs = {
krebs.build.source.git.nixpkgs = {
url = https://github.com/makefu/nixpkgs;
rev = "984d33884d63d404ff2da76920b8bc8b15471552";
};
dir.secrets = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/secrets/${config.krebs.build.host.name}/";
};
dir.stockholm = {
host = config.krebs.hosts.pornocauster;
path = toString ../.. ;
};
rev = "15b5bbfbd1c8a55e7d9e05dd9058dc102fac04fe"; # cherry-picked collectd
};
}


@ -10,6 +10,8 @@
https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags
http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
];
};


@ -7,6 +7,6 @@ in
alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";};
alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";};
alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";};
tinc_graphs = callPackage ./tinc_graphs {};
awesomecfg = callPackage ./awesomecfg {};
tw-upload-plugin = callPackage ./tw-upload-plugin {};
}


@ -0,0 +1,8 @@
{pkgs}:
pkgs.fetchFromGitHub {
owner = "makefu";
repo = "tw-upload-plugin";
rev = "a00aac";
sha256 = "0kazqs24kzjxqzr33kg1jbfx8xyvmrnrdxh6g27kgkgbl1d2qknh";
}
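Review bot: `rev = "a00aac";` is a six-character abbreviated commit id; fetchFromGitHub resolves it today, but abbreviations become ambiguous as the repository grows and the sha256 pin then stops reproducing the same tree from the same expression. Use the full 40-character commit hash (look it up upstream; it is not recoverable from this page) and add a short `# pinned: <what state / why>` comment so the pin can be bumped deliberately.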


@ -5,6 +5,7 @@ with lib;
{
imports = [
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/collectd-base.nix
];
krebs.build.host = config.krebs.hosts.wolf;
@ -26,7 +27,7 @@ with lib;
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "e916273209560b302ab231606babf5ce1c481f08";
rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
};
dir.secrets = {
host = config.krebs.current.host;


@ -0,0 +1,41 @@
{ config, lib, pkgs, ... }:
# TODO: krebs.collectd.plugins
with lib;
let
connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" ''
LoadPlugin python
<Plugin python>
ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
Import "collectd_connect_time"
<Module collectd_connect_time>
target "localhost:22" "google.com" "google.de" "gum.retiolum:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de"
interval 10
</Module>
</Plugin>
'';
graphite-cfg = pkgs.writeText "collectd-graphite.conf" ''
LoadPlugin write_graphite
<Plugin "write_graphite">
<Carbon>
Host "heidi.shack"
Port "2003"
Prefix "retiolum."
EscapeCharacter "_"
StoreRates false
AlwaysAppendDS false
</Carbon>
</Plugin>
'';
in {
imports = [ ];
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
collectd = pkgs.collectd.override { python= pkgs.python; };
};
services.collectd = {
enable = true;
include = [ (toString connect-time-cfg) (toString graphite-cfg) ];
};
}