Merge remote-tracking branch 'lass/master'
This commit is contained in:
commit
c422632d03
@ -298,6 +298,7 @@ with import <stockholm/lib>;
|
||||
'';
|
||||
};
|
||||
};
|
||||
secure = true;
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
|
||||
};
|
||||
|
@ -24,7 +24,7 @@ let
|
||||
|
||||
daymap = mkOption {
|
||||
type = types.str;
|
||||
default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
|
||||
default = "https://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
|
||||
};
|
||||
|
||||
cloudmap = mkOption {
|
||||
|
@ -108,67 +108,5 @@ let
|
||||
fi
|
||||
'';
|
||||
|
||||
irc-announce-script = pkgs.writeDash "irc-announce-script" ''
|
||||
set -euf
|
||||
|
||||
export PATH=${makeSearchPath "bin" (with pkgs; [
|
||||
coreutils
|
||||
gawk
|
||||
gnused
|
||||
netcat
|
||||
nettools
|
||||
])}
|
||||
|
||||
IRC_SERVER=$1
|
||||
IRC_PORT=$2
|
||||
IRC_NICK=$3$$
|
||||
IRC_CHANNEL=$4
|
||||
message=$5
|
||||
|
||||
export IRC_CHANNEL # for privmsg_cat
|
||||
|
||||
# echo2 and cat2 are used output to both, stdout and stderr
|
||||
# This is used to see what we send to the irc server. (debug output)
|
||||
echo2() { echo "$*"; echo "$*" >&2; }
|
||||
cat2() { tee /dev/stderr; }
|
||||
|
||||
# privmsg_cat transforms stdin to a privmsg
|
||||
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
|
||||
|
||||
# ircin is used to feed the output of netcat back to the "irc client"
|
||||
# so we can implement expect-like behavior with sed^_^
|
||||
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
|
||||
tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
|
||||
cd "$tmpdir"
|
||||
mkfifo ircin
|
||||
trap "
|
||||
rm ircin
|
||||
cd '$OLDPWD'
|
||||
rmdir '$tmpdir'
|
||||
trap - EXIT INT QUIT
|
||||
" EXIT INT QUIT
|
||||
|
||||
{
|
||||
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
|
||||
echo2 "NICK $IRC_NICK"
|
||||
|
||||
# wait for MODE message
|
||||
sed -n '/^:[^ ]* MODE /q'
|
||||
|
||||
echo2 "JOIN $IRC_CHANNEL"
|
||||
|
||||
printf '%s' "$message" \
|
||||
| privmsg_cat \
|
||||
| cat2
|
||||
|
||||
echo2 "PART $IRC_CHANNEL"
|
||||
|
||||
# wait for PART confirmation
|
||||
sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
|
||||
|
||||
echo2 'QUIT :Gone to have lunch'
|
||||
} < ircin \
|
||||
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
|
||||
'';
|
||||
|
||||
irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce";
|
||||
in out
|
||||
|
68
krebs/5pkgs/irc-announce/default.nix
Normal file
68
krebs/5pkgs/irc-announce/default.nix
Normal file
@ -0,0 +1,68 @@
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
pkgs.writeDashBin "irc-announce" ''
|
||||
set -euf
|
||||
|
||||
export PATH=${makeSearchPath "bin" (with pkgs; [
|
||||
coreutils
|
||||
gawk
|
||||
gnused
|
||||
netcat
|
||||
nettools
|
||||
])}
|
||||
|
||||
IRC_SERVER=$1
|
||||
IRC_PORT=$2
|
||||
IRC_NICK=$3$$
|
||||
IRC_CHANNEL=$4
|
||||
message=$5
|
||||
|
||||
export IRC_CHANNEL # for privmsg_cat
|
||||
|
||||
# echo2 and cat2 are used output to both, stdout and stderr
|
||||
# This is used to see what we send to the irc server. (debug output)
|
||||
echo2() { echo "$*"; echo "$*" >&2; }
|
||||
cat2() { tee /dev/stderr; }
|
||||
|
||||
# privmsg_cat transforms stdin to a privmsg
|
||||
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
|
||||
|
||||
# we cd to /tmp here to be able to create a tmpdir in the first place
|
||||
cd /tmp
|
||||
# ircin is used to feed the output of netcat back to the "irc client"
|
||||
# so we can implement expect-like behavior with sed^_^
|
||||
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
|
||||
tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
|
||||
cd "$tmpdir"
|
||||
mkfifo ircin
|
||||
trap "
|
||||
rm ircin
|
||||
cd '$OLDPWD'
|
||||
rmdir '$tmpdir'
|
||||
trap - EXIT INT QUIT
|
||||
" EXIT INT QUIT
|
||||
|
||||
{
|
||||
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
|
||||
echo2 "NICK $IRC_NICK"
|
||||
|
||||
# wait for MODE message
|
||||
sed -n '/^:[^ ]* MODE /q'
|
||||
|
||||
echo2 "JOIN $IRC_CHANNEL"
|
||||
|
||||
printf '%s' "$message" \
|
||||
| privmsg_cat \
|
||||
| cat2
|
||||
|
||||
echo2 "PART $IRC_CHANNEL"
|
||||
|
||||
# wait for PART confirmation
|
||||
sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
|
||||
|
||||
echo2 'QUIT :Gone to have lunch'
|
||||
} < ircin \
|
||||
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
|
||||
''
|
@ -17,7 +17,6 @@ with import <stockholm/lib>;
|
||||
../2configs/steam.nix
|
||||
../2configs/wine.nix
|
||||
../2configs/git.nix
|
||||
../2configs/skype.nix
|
||||
../2configs/libvirt.nix
|
||||
../2configs/fetchWallpaper.nix
|
||||
#../2configs/c-base.nix
|
||||
@ -66,20 +65,18 @@ with import <stockholm/lib>;
|
||||
};
|
||||
}
|
||||
{
|
||||
krebs.nginx = {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
servers.default = {
|
||||
server-names = [
|
||||
virtualHosts.default = {
|
||||
serverAliases = [
|
||||
"localhost"
|
||||
"${config.krebs.build.host.name}"
|
||||
"${config.krebs.build.host.name}.r"
|
||||
"${config.krebs.build.host.name}.retiolum"
|
||||
];
|
||||
locations = [
|
||||
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
|
||||
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
||||
alias /home/$1/public_html$2;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
@ -89,6 +86,137 @@ with import <stockholm/lib>;
|
||||
{
|
||||
virtualisation.libvirtd.enable = true;
|
||||
}
|
||||
{
|
||||
services.nginx = {
|
||||
enable = mkDefault true;
|
||||
virtualHosts = {
|
||||
"stats.mors" = {
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://localhost:3000/";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "127.0.0.1";
|
||||
users.allowSignUp = false;
|
||||
users.allowOrgCreate = false;
|
||||
users.autoAssignOrg = false;
|
||||
auth.anonymous.enable = true;
|
||||
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
|
||||
};
|
||||
|
||||
services.graphite = {
|
||||
api = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
port = 18080;
|
||||
};
|
||||
carbon = {
|
||||
enableCache = true;
|
||||
# save disk usage by restricting to 1 bulk update per second
|
||||
config = ''
|
||||
[cache]
|
||||
MAX_CACHE_SIZE = inf
|
||||
MAX_UPDATES_PER_SECOND = 1
|
||||
MAX_CREATES_PER_MINUTE = 500
|
||||
'';
|
||||
storageSchemas = ''
|
||||
[carbon]
|
||||
pattern = ^carbon\.
|
||||
retentions = 60:90d
|
||||
|
||||
[elchos]
|
||||
patterhn = ^elchos\.
|
||||
retentions = 10s:30d,60s:3y
|
||||
|
||||
[default]
|
||||
pattern = .*
|
||||
retentions = 30s:30d,300s:1y
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.collectd = {
|
||||
enable = true;
|
||||
include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
|
||||
LoadPlugin write_graphite
|
||||
<Plugin "write_graphite">
|
||||
<Carbon>
|
||||
Host "localhost"
|
||||
Port "2003"
|
||||
EscapeCharacter "_"
|
||||
StoreRates false
|
||||
AlwaysAppendDS false
|
||||
</Carbon>
|
||||
</Plugin>
|
||||
''))
|
||||
];
|
||||
extraConfig = ''
|
||||
LoadPlugin interface
|
||||
LoadPlugin battery
|
||||
LoadPlugin load
|
||||
LoadPlugin cpu
|
||||
LoadPlugin entropy
|
||||
LoadPlugin write_graphite
|
||||
<Plugin "interface">
|
||||
Interface "et0"
|
||||
Interface "wl0"
|
||||
Interface "retiolum"
|
||||
</Plugin>
|
||||
'';
|
||||
};
|
||||
services.graphite.beacon = {
|
||||
enable = true;
|
||||
config = {
|
||||
graphite_url = "http://localhost:18080";
|
||||
cli = {
|
||||
command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
|
||||
};
|
||||
smtp = {
|
||||
from = "beacon@mors.r";
|
||||
to = [
|
||||
"lass@mors.r"
|
||||
];
|
||||
};
|
||||
normal_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
warning_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
critical_handlers = [
|
||||
"smtp"
|
||||
"cli"
|
||||
];
|
||||
alerts = [
|
||||
{
|
||||
name = "testbattery";
|
||||
query = "*.battery-0.capacity";
|
||||
method = "last_value";
|
||||
interval = "1minute";
|
||||
logging = "info";
|
||||
repeat_interval = "5minute";
|
||||
rules = [
|
||||
"warning: < 30.0"
|
||||
"critical: < 10.0"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.mors;
|
||||
@ -238,8 +366,4 @@ with import <stockholm/lib>;
|
||||
krebs.repo-sync.timerConfig = {
|
||||
OnCalendar = "00:37";
|
||||
};
|
||||
|
||||
services.mongodb = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
|
@ -24,6 +24,8 @@ in {
|
||||
../2configs/repo-sync.nix
|
||||
../2configs/binary-cache/server.nix
|
||||
../2configs/iodined.nix
|
||||
../2configs/libvirt.nix
|
||||
../2configs/hfos.nix
|
||||
{
|
||||
users.extraGroups = {
|
||||
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
|
||||
@ -178,11 +180,9 @@ in {
|
||||
imports = [
|
||||
../2configs/realwallpaper.nix
|
||||
];
|
||||
krebs.nginx.servers."lassul.us".locations = [
|
||||
(lib.nameValuePair "/wallpaper.png" ''
|
||||
services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
|
||||
alias /tmp/wallpaper.png;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
}
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
@ -202,16 +202,13 @@ in {
|
||||
};
|
||||
}
|
||||
{
|
||||
krebs.nginx = {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
servers.public = {
|
||||
listen = [ "8088" ];
|
||||
server-names = [ "default" ];
|
||||
locations = [
|
||||
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
|
||||
virtualHosts.public = {
|
||||
port = 8088;
|
||||
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
||||
alias /home/$1/public_html$2;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
};
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
@ -228,10 +225,6 @@ in {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
virtualisation.libvirtd.enable = true;
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.prism;
|
||||
|
@ -17,13 +17,13 @@
|
||||
owner.name = "nix-serve";
|
||||
source-path = toString <secrets> + "/nix-serve.key";
|
||||
};
|
||||
krebs.nginx = {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
servers.nix-serve = {
|
||||
server-names = [ "cache.prism.r" ];
|
||||
locations = lib.singleton (lib.nameValuePair "/" ''
|
||||
virtualHosts.nix-serve = {
|
||||
serverAliases = [ "cache.prism.r" ];
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||
'');
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -40,9 +40,8 @@ with import <stockholm/lib>;
|
||||
enable = true;
|
||||
web = {
|
||||
enable = true;
|
||||
enableAuth = true;
|
||||
listenAddress = "9091";
|
||||
authfile = <secrets/torrent-authfile>;
|
||||
port = 9091;
|
||||
basicAuth = import <secrets/torrent-auth>;
|
||||
};
|
||||
rutorrent.enable = true;
|
||||
enableXMLRPC = true;
|
||||
|
@ -8,16 +8,14 @@ with import <stockholm/lib>;
|
||||
krebs.go = {
|
||||
enable = true;
|
||||
};
|
||||
krebs.nginx = {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
servers.go = {
|
||||
locations = [
|
||||
(nameValuePair "/" ''
|
||||
virtualHosts.go = {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_set_header Host go;
|
||||
proxy_pass http://localhost:1337;
|
||||
'')
|
||||
];
|
||||
server-names = [
|
||||
'';
|
||||
serverAliases = [
|
||||
"go"
|
||||
"go.retiolum"
|
||||
];
|
||||
|
33
lass/2configs/hfos.nix
Normal file
33
lass/2configs/hfos.nix
Normal file
@ -0,0 +1,33 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
users.users.riot = {
|
||||
uid = genid "riot";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "libvirtd" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
|
||||
networking.interfaces.et0.ip4 = [
|
||||
{
|
||||
address = "213.239.205.246";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
|
||||
];
|
||||
|
||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
@ -1,23 +1,30 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
mainUser = config.users.extraUsers.mainUser;
|
||||
inherit (import <stockholm/lib>) genid;
|
||||
|
||||
in {
|
||||
{
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
virtualisation.libvirtd.enable = true;
|
||||
|
||||
users.extraUsers = {
|
||||
libvirt = {
|
||||
uid = genid "libvirt";
|
||||
description = "user for running libvirt stuff";
|
||||
home = "/home/libvirt";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "libvirtd" "audio" ];
|
||||
createHome = true;
|
||||
};
|
||||
};
|
||||
security.sudo.extraConfig = ''
|
||||
${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
|
||||
'';
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
|
||||
];
|
||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
||||
{ v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||
{ v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||
];
|
||||
krebs.iptables.tables.filter.OUTPUT.rules = [
|
||||
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
|
||||
];
|
||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
|
||||
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
|
||||
];
|
||||
}
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
{
|
||||
krebs.build.source.nixpkgs.git = {
|
||||
url = https://github.com/nixos/nixpkgs;
|
||||
ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
|
||||
url = https://github.com/lassulus/nixpkgs;
|
||||
ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
|
||||
};
|
||||
}
|
||||
|
@ -156,7 +156,7 @@ in {
|
||||
})
|
||||
];
|
||||
};
|
||||
krebs.nginx.servers."lassul.us".locations = let
|
||||
services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
|
||||
html = pkgs.writeText "index.html" ''
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
@ -175,10 +175,8 @@ in {
|
||||
</body>
|
||||
</html>
|
||||
'';
|
||||
in [
|
||||
(nameValuePair "/the_playlist" ''
|
||||
in ''
|
||||
default_type "text/html";
|
||||
alias ${html};
|
||||
'')
|
||||
];
|
||||
'';
|
||||
}
|
||||
|
@ -9,15 +9,13 @@ let
|
||||
in {
|
||||
krebs.realwallpaper.enable = true;
|
||||
|
||||
krebs.nginx.servers.wallpaper = {
|
||||
server-names = [
|
||||
services.nginx.virtualHosts.wallpaper = {
|
||||
serverAliases = [
|
||||
hostname
|
||||
];
|
||||
locations = [
|
||||
(nameValuePair "/wallpaper.png" ''
|
||||
locations."/wallpaper.png".extraConfig = ''
|
||||
root /tmp/;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
|
||||
krebs.iptables = {
|
||||
|
3
lass/2configs/tests/dummy-secrets/torrent-auth
Normal file
3
lass/2configs/tests/dummy-secrets/torrent-auth
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
x = "xxx";
|
||||
}
|
@ -1 +0,0 @@
|
||||
"xxx"
|
@ -35,10 +35,10 @@ in {
|
||||
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
|
||||
|
||||
(ssl [ "pixelpocket.de" ])
|
||||
(servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
|
||||
(servePage [ "pixelpocket.de" ])
|
||||
|
||||
(ssl [ "o.ubikmedia.de" ])
|
||||
(serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
|
||||
(serveOwncloud [ "o.ubikmedia.de" ])
|
||||
|
||||
(ssl [
|
||||
"ubikmedia.de"
|
||||
@ -88,15 +88,12 @@ in {
|
||||
"www.illucloud.eu"
|
||||
"www.illucloud.de"
|
||||
"www.illucloud.com"
|
||||
"*.ubikmedia.de"
|
||||
])
|
||||
];
|
||||
|
||||
krebs.nginx.servers."ubikmedia.de".locations = [
|
||||
(lib.nameValuePair "/piwik" ''
|
||||
services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
|
||||
lass.mysqlBackup.config.all.databases = [
|
||||
"ubikmedia_de"
|
||||
|
@ -7,7 +7,6 @@ let
|
||||
head
|
||||
;
|
||||
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
||||
manageCerts
|
||||
ssl
|
||||
servePage
|
||||
serveWordpress
|
||||
@ -26,8 +25,6 @@ let
|
||||
in {
|
||||
imports = [
|
||||
./sqlBackup.nix
|
||||
(ssl [ "biostase.de" "www.biostase.de" ])
|
||||
(serveWordpress [ "biostase.de" "www.biostase.de" ])
|
||||
|
||||
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
|
||||
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
|
||||
@ -50,30 +47,17 @@ in {
|
||||
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
||||
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
||||
|
||||
(manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
|
||||
(ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
|
||||
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
|
||||
];
|
||||
|
||||
lass.mysqlBackup.config.all.databases = [
|
||||
"biostase_de"
|
||||
"eastuttgart_de"
|
||||
"radical_dreamers_de"
|
||||
"spielwaren_kern_de"
|
||||
"ttf_kleinaspach_de"
|
||||
];
|
||||
|
||||
#password protect some dirs
|
||||
krebs.nginx.servers."biostase.de".locations = [
|
||||
(nameValuePair "/old_biostase.de" ''
|
||||
auth_basic "Administrator Login";
|
||||
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
|
||||
'')
|
||||
(nameValuePair "/mysqldumper" ''
|
||||
auth_basic "Administrator Login";
|
||||
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
|
||||
'')
|
||||
];
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.fritz.pubkey
|
||||
];
|
||||
|
@ -14,7 +14,7 @@ in {
|
||||
security.acme = {
|
||||
certs."lassul.us" = {
|
||||
email = "lass@lassul.us";
|
||||
webroot = "/var/lib/acme/challenges/lassul.us";
|
||||
webroot = "/var/lib/acme/acme-challenges";
|
||||
plugins = [
|
||||
"account_key.json"
|
||||
"key.pem"
|
||||
@ -26,7 +26,7 @@ in {
|
||||
};
|
||||
certs."cgit.lassul.us" = {
|
||||
email = "lassulus@gmail.com";
|
||||
webroot = "/var/lib/acme/challenges/cgit.lassul.us";
|
||||
webroot = "/var/lib/acme/acme-challenges";
|
||||
plugins = [
|
||||
"account_key.json"
|
||||
"key.pem"
|
||||
@ -69,22 +69,21 @@ in {
|
||||
"nginx"
|
||||
];
|
||||
|
||||
krebs.nginx.servers."lassul.us" = {
|
||||
server-names = [ "lassul.us" ];
|
||||
locations = [
|
||||
(nameValuePair "/" ''
|
||||
services.nginx.virtualHosts."lassul.us" = {
|
||||
serverAliases = [ "lassul.us" ];
|
||||
locations."/".extraConfig = ''
|
||||
root /srv/http/lassul.us;
|
||||
'')
|
||||
(nameValuePair "/.well-known/acme-challenge" ''
|
||||
'';
|
||||
locations."/.well-known/acme-challenge".extraConfig = ''
|
||||
root /var/lib/acme/challenges/lassul.us/;
|
||||
'')
|
||||
(nameValuePair "= /retiolum-hosts.tar.bz2" ''
|
||||
'';
|
||||
locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
|
||||
alias ${config.krebs.tinc.retiolum.hostsArchive};
|
||||
'')
|
||||
(nameValuePair "/tinc" ''
|
||||
'';
|
||||
locations."/tinc".extraConfig = ''
|
||||
alias ${config.krebs.tinc_graphs.workingDir}/external;
|
||||
'')
|
||||
(let
|
||||
'';
|
||||
locations."= /ddate".extraConfig = let
|
||||
script = pkgs.writeBash "test" ''
|
||||
echo "hello world"
|
||||
'';
|
||||
@ -92,36 +91,32 @@ in {
|
||||
# filename = "${pkgs.ddate}/bin/ddate";
|
||||
# argv = [];
|
||||
#};
|
||||
in nameValuePair "= /ddate" ''
|
||||
in ''
|
||||
gzip off;
|
||||
fastcgi_pass unix:/var/run/lass-stuff.socket;
|
||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||
fastcgi_param DOCUMENT_ROOT /var/empty;
|
||||
fastcgi_param SCRIPT_FILENAME ${script};
|
||||
fastcgi_param SCRIPT_NAME ${script};
|
||||
'')
|
||||
];
|
||||
ssl = {
|
||||
enable = true;
|
||||
certificate = "/var/lib/acme/lassul.us/fullchain.pem";
|
||||
certificate_key = "/var/lib/acme/lassul.us/key.pem";
|
||||
};
|
||||
'';
|
||||
|
||||
enableSSL = true;
|
||||
extraConfig = "listen 80;";
|
||||
sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
|
||||
};
|
||||
|
||||
krebs.nginx.servers.cgit = {
|
||||
server-names = [
|
||||
services.nginx.virtualHosts.cgit = {
|
||||
serverAliases = [
|
||||
"cgit.lassul.us"
|
||||
];
|
||||
locations = [
|
||||
(nameValuePair "/.well-known/acme-challenge" ''
|
||||
root /var/lib/acme/challenges/cgit.lassul.us/;
|
||||
'')
|
||||
];
|
||||
ssl = {
|
||||
enable = true;
|
||||
certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
|
||||
certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
|
||||
};
|
||||
locations."/.well-known/acme-challenge".extraConfig = ''
|
||||
root /var/lib/acme/acme-challenges;
|
||||
'';
|
||||
enableSSL = true;
|
||||
extraConfig = "listen 80;";
|
||||
sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
|
||||
};
|
||||
|
||||
users.users.blog = {
|
||||
|
@ -4,66 +4,24 @@ with lib;
|
||||
|
||||
rec {
|
||||
|
||||
manageCerts = domains:
|
||||
ssl = domains :
|
||||
let
|
||||
domain = head domains;
|
||||
in {
|
||||
#security.acme = {
|
||||
# certs."${domain}" = {
|
||||
# email = "lassulus@gmail.com";
|
||||
# webroot = "/var/lib/acme/challenges/${domain}";
|
||||
# plugins = [
|
||||
# "account_key.json"
|
||||
# "key.pem"
|
||||
# "fullchain.pem"
|
||||
# ];
|
||||
# group = "nginx";
|
||||
# allowKeysForGroup = true;
|
||||
# extraDomains = genAttrs domains (_: null);
|
||||
# };
|
||||
#};
|
||||
|
||||
krebs.nginx.servers."${domain}" = {
|
||||
ssl.acmeEnable = true;
|
||||
server-names = domains;
|
||||
#locations = [
|
||||
# (nameValuePair "/.well-known/acme-challenge" ''
|
||||
# root /var/lib/acme/challenges/${domain}/;
|
||||
# '')
|
||||
#];
|
||||
};
|
||||
};
|
||||
|
||||
ssl = domains:
|
||||
{
|
||||
imports = [
|
||||
( manageCerts domains )
|
||||
#( activateACME (head domains) )
|
||||
];
|
||||
};
|
||||
|
||||
activateACME = domain:
|
||||
{
|
||||
krebs.nginx.servers.${domain} = {
|
||||
ssl = {
|
||||
enable = true;
|
||||
certificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
certificate_key = "/var/lib/acme/${domain}/key.pem";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
servePage = domains:
|
||||
let
|
||||
domain = head domains;
|
||||
in {
|
||||
krebs.nginx.servers.${domain} = {
|
||||
server-names = domains;
|
||||
locations = [
|
||||
(nameValuePair "/" ''
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
enableACME = true;
|
||||
enableSSL = true;
|
||||
extraConfig = "listen 80;";
|
||||
serverAliases = domains;
|
||||
locations."/".extraConfig = ''
|
||||
root /srv/http/${domain};
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
@ -71,9 +29,13 @@ rec {
|
||||
let
|
||||
domain = head domains;
|
||||
in {
|
||||
krebs.nginx.servers."${domain}" = {
|
||||
server-names = domains;
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
enableACME = true;
|
||||
enableSSL = true;
|
||||
serverAliases = domains;
|
||||
extraConfig = ''
|
||||
listen 80;
|
||||
|
||||
# Add headers to serve security related headers
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
@ -109,27 +71,26 @@ rec {
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||
'';
|
||||
locations = [
|
||||
(nameValuePair "/robots.txt" ''
|
||||
locations."/robots.txt".extraConfig = ''
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
'')
|
||||
(nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
|
||||
'';
|
||||
locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
|
||||
deny all;
|
||||
'')
|
||||
'';
|
||||
|
||||
(nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
|
||||
locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
|
||||
deny all;
|
||||
'')
|
||||
'';
|
||||
|
||||
(nameValuePair "/" ''
|
||||
locations."/".extraConfig = ''
|
||||
rewrite ^/remote/(.*) /remote.php last;
|
||||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
'')
|
||||
'';
|
||||
|
||||
(nameValuePair "~ \.php(?:$|/)" ''
|
||||
locations."~ \.php(?:$|/)".extraConfig = ''
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
@ -138,11 +99,11 @@ rec {
|
||||
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
|
||||
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
|
||||
fastcgi_intercept_errors on;
|
||||
'')
|
||||
'';
|
||||
|
||||
# Adding the cache control header for js and css files
|
||||
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
|
||||
(nameValuePair "~* \.(?:css|js)$" ''
|
||||
locations."~* \.(?:css|js)$".extraConfig = ''
|
||||
add_header Cache-Control "public, max-age=7200";
|
||||
# Add headers to serve security related headers
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
@ -152,13 +113,11 @@ rec {
|
||||
add_header X-Robots-Tag none;
|
||||
# Optional: Don't log access to assets
|
||||
access_log off;
|
||||
'')
|
||||
|
||||
'';
|
||||
# Optional: Don't log access to other assets
|
||||
(nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
|
||||
locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
|
||||
access_log off;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
services.phpfpm.poolConfigs."${domain}" = ''
|
||||
listen = /srv/http/${domain}/phpfpm.pool
|
||||
@ -183,9 +142,12 @@ rec {
|
||||
domain = head domains;
|
||||
|
||||
in {
|
||||
krebs.nginx.servers."${domain}" = {
|
||||
server-names = domains;
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
enableACME = true;
|
||||
enableSSL = true;
|
||||
serverAliases = domains;
|
||||
extraConfig = ''
|
||||
listen 80;
|
||||
root /srv/http/${domain}/;
|
||||
index index.php;
|
||||
access_log /tmp/nginx_acc.log;
|
||||
@ -194,24 +156,19 @@ rec {
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
client_max_body_size 100m;
|
||||
'';
|
||||
locations = [
|
||||
(nameValuePair "/" ''
|
||||
locations."/".extraConfig = ''
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
'')
|
||||
(nameValuePair "~ \.php$" ''
|
||||
'';
|
||||
locations."~ \.php$".extraConfig = ''
|
||||
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
|
||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||
'')
|
||||
#(nameValuePair "~ /\\." ''
|
||||
# deny all;
|
||||
#'')
|
||||
'';
|
||||
#Directives to send expires headers and turn off 404 error logging.
|
||||
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
|
||||
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
'')
|
||||
];
|
||||
'';
|
||||
};
|
||||
services.phpfpm.poolConfigs."${domain}" = ''
|
||||
listen = /srv/http/${domain}/phpfpm.pool
|
||||
|
@ -8,7 +8,6 @@ _:
|
||||
./umts.nix
|
||||
./urxvtd.nix
|
||||
./usershadow.nix
|
||||
./wordpress_nginx.nix
|
||||
./xresources.nix
|
||||
];
|
||||
}
|
||||
|
@ -1,210 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
|
||||
let
|
||||
cfg = config.lass.owncloud;
|
||||
|
||||
out = {
|
||||
options.lass.owncloud = api;
|
||||
config = imp;
|
||||
};
|
||||
|
||||
api = mkOption {
|
||||
type = with types; attrsOf (submodule ({ config, ... }: {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
default = config._module.args.name;
|
||||
};
|
||||
dataDir = mkOption {
|
||||
type = str;
|
||||
default = "${config.folder}/data";
|
||||
};
|
||||
dbUser = mkOption {
|
||||
type = str;
|
||||
default = replaceStrings ["."] ["_"] config.domain;
|
||||
};
|
||||
dbName = mkOption {
|
||||
type = str;
|
||||
default = replaceStrings ["."] ["_"] config.domain;
|
||||
};
|
||||
dbType = mkOption {
|
||||
# TODO: check for valid dbType
|
||||
type = str;
|
||||
default = "mysql";
|
||||
};
|
||||
folder = mkOption {
|
||||
type = str;
|
||||
default = "/srv/http/${config.domain}";
|
||||
};
|
||||
auto = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
instanceid = mkOption {
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
|
||||
user = config.services.nginx.user;
|
||||
group = config.services.nginx.group;
|
||||
|
||||
imp = {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
|
||||
server-names = [
|
||||
"${domain}"
|
||||
"www.${domain}"
|
||||
];
|
||||
locations = [
|
||||
(nameValuePair "/" ''
|
||||
# The following 2 rules are only needed with webfinger
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||
|
||||
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
|
||||
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
|
||||
|
||||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
|
||||
|
||||
try_files $uri $uri/ /index.php;
|
||||
'')
|
||||
(nameValuePair "~ \.php$" ''
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_pass unix:${folder}/phpfpm.pool;
|
||||
'')
|
||||
(nameValuePair "~ /\\." ''
|
||||
deny all;
|
||||
'')
|
||||
];
|
||||
extraConfig = ''
|
||||
root ${folder}/;
|
||||
#index index.php;
|
||||
access_log /tmp/nginx_acc.log;
|
||||
error_log /tmp/nginx_err.log;
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 10G;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
|
||||
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
|
||||
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
|
||||
|
||||
error_page 403 /core/templates/403.php;
|
||||
error_page 404 /core/templates/404.php;
|
||||
'';
|
||||
});
|
||||
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
|
||||
listen = ${folder}/phpfpm.pool
|
||||
user = ${user}
|
||||
group = ${group}
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
listen.owner = ${user}
|
||||
listen.group = ${group}
|
||||
php_admin_value[error_log] = 'stderr'
|
||||
php_admin_flag[log_errors] = on
|
||||
catch_workers_output = yes
|
||||
'');
|
||||
#systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
|
||||
# name = "owncloudInit-${name}";
|
||||
# value = {
|
||||
# path = [
|
||||
# pkgs.mysql
|
||||
# pkgs.su
|
||||
# pkgs.gawk
|
||||
# pkgs.jq
|
||||
# ];
|
||||
# requiredBy = [ "nginx.service" ];
|
||||
# serviceConfig = let
|
||||
# php.define = name: value:
|
||||
# "define(${php.newdoc name}, ${php.newdoc value});";
|
||||
# php.toString = x:
|
||||
# "'${x}'";
|
||||
# php.newdoc = s:
|
||||
# let b = "EOF${builtins.hashString "sha256" s}"; in
|
||||
# ''<<<'${b}'
|
||||
# ${s}
|
||||
# ${b}
|
||||
# '';
|
||||
# in {
|
||||
# Type = "oneshot";
|
||||
# ExecStart = pkgs.writeScript "wordpressInit" ''
|
||||
# #!/bin/sh
|
||||
# set -euf
|
||||
# oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
|
||||
# db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
|
||||
# get_secret() {
|
||||
# echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
|
||||
# }
|
||||
# to_php_string() {
|
||||
# echo "base64_decode('$(base64)')"
|
||||
# }
|
||||
# {
|
||||
# cat ${toString <secrets/mysql_rootPassword>}
|
||||
# password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
|
||||
# # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
|
||||
# # TODO as package pkgs.sqlHashPassword
|
||||
# # TODO not using mysql
|
||||
# # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
|
||||
# passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
|
||||
# user=${shell.escape dbUser}@localhost
|
||||
# database=${shell.escape dbName}
|
||||
# cat << EOF
|
||||
# CREATE DATABASE IF NOT EXISTS $database;
|
||||
# GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
|
||||
# GRANT ALL PRIVILEGES ON $database.* TO $user;
|
||||
# FLUSH PRIVILEGES;
|
||||
# EOF
|
||||
# } | mysql -u root -p
|
||||
# # TODO nix2php for wp-config.php
|
||||
# mkdir -p ${folder}/config
|
||||
# cat > ${folder}/config/config.php << EOF
|
||||
# <?php
|
||||
# \$CONFIG = array (
|
||||
# 'dbhost' => 'localhost',
|
||||
# 'dbtableprefix' => 'oc_',
|
||||
# 'dbpassword' => '$db_password',
|
||||
# 'installed' => 'true',
|
||||
# 'trusted_domains' =>
|
||||
# array (
|
||||
# 0 => '${domain}',
|
||||
# ),
|
||||
# 'overwrite.cli.url' => 'http://${domain}',
|
||||
|
||||
# ${concatStringsSep "\n" (mapAttrsToList (name: value:
|
||||
# "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
|
||||
# ) {
|
||||
# instanceid = instanceid;
|
||||
# datadirectory = dataDir;
|
||||
# dbtype = dbType;
|
||||
# dbname = dbName;
|
||||
# dbuser = dbUser;
|
||||
# })}
|
||||
|
||||
# ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
|
||||
# "secret"
|
||||
# "passwordsalt"
|
||||
# ]}
|
||||
# );
|
||||
# EOF
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
#});
|
||||
users.users.nobody_oc = {
|
||||
uid = genid "nobody_oc";
|
||||
useDefaultShell = true;
|
||||
};
|
||||
};
|
||||
|
||||
in out
|
@ -1,265 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
|
||||
let
|
||||
cfg = config.lass.wordpress;
|
||||
|
||||
out = {
|
||||
options.lass.wordpress = api;
|
||||
config = imp;
|
||||
};
|
||||
|
||||
api = mkOption {
|
||||
type = with types; attrsOf (submodule ({ config, ... }: {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
default = config._module.args.name;
|
||||
};
|
||||
dbUser = mkOption {
|
||||
type = str;
|
||||
default = replaceStrings ["."] ["_"] config.domain;
|
||||
};
|
||||
dbName = mkOption {
|
||||
type = str;
|
||||
default = replaceStrings ["."] ["_"] config.domain;
|
||||
};
|
||||
folder = mkOption {
|
||||
type = str;
|
||||
default = "/srv/http/${config.domain}";
|
||||
};
|
||||
auto = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
charset = mkOption {
|
||||
type = str;
|
||||
default = "utf8mb4";
|
||||
};
|
||||
collate = mkOption {
|
||||
type = str;
|
||||
default = "";
|
||||
};
|
||||
debug = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
multiSite = mkOption {
|
||||
type = attrsOf str;
|
||||
default = {};
|
||||
example = {
|
||||
"0" = "bla.testsite.de";
|
||||
"1" = "test.testsite.de";
|
||||
};
|
||||
};
|
||||
ssl = mkOption {
|
||||
type = with types; submodule ({
|
||||
options = {
|
||||
enable = mkEnableOption "ssl";
|
||||
certificate = mkOption {
|
||||
type = str;
|
||||
};
|
||||
certificate_key = mkOption {
|
||||
type = str;
|
||||
};
|
||||
ciphers = mkOption {
|
||||
type = str;
|
||||
default = "AES128+EECDH:AES128+EDH";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
|
||||
user = config.services.nginx.user;
|
||||
group = config.services.nginx.group;
|
||||
|
||||
imp = {
|
||||
#services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
|
||||
# map $http_host $blogid {
|
||||
# ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
|
||||
# }
|
||||
#'';
|
||||
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
|
||||
server-names = [
|
||||
"${domain}"
|
||||
"www.${domain}"
|
||||
];
|
||||
#(mkIf (multiSite != {})
|
||||
#)
|
||||
locations = (if (multiSite != {}) then
|
||||
[
|
||||
(nameValuePair "~ ^/files/(.*)$" ''
|
||||
try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
|
||||
'')
|
||||
(nameValuePair "^~ /blogs.dir" ''
|
||||
internal;
|
||||
alias ${folder}/wp-content/blogs.dir ;
|
||||
access_log off; log_not_found off; expires max;
|
||||
'')
|
||||
]
|
||||
else
|
||||
[]
|
||||
) ++
|
||||
[
|
||||
(nameValuePair "/" ''
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
'')
|
||||
(nameValuePair "~ \.php$" ''
|
||||
fastcgi_pass unix:${folder}/phpfpm.pool;
|
||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||
'')
|
||||
(nameValuePair "~ /\\." ''
|
||||
deny all;
|
||||
'')
|
||||
#Directives to send expires headers and turn off 404 error logging.
|
||||
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
'')
|
||||
];
|
||||
extraConfig = ''
|
||||
root ${folder}/;
|
||||
index index.php;
|
||||
access_log /tmp/nginx_acc.log;
|
||||
error_log /tmp/nginx_err.log;
|
||||
error_page 404 /404.html;
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
${if ssl.enable then ''
|
||||
ssl_certificate ${ssl.certificate};
|
||||
ssl_certificate_key ${ssl.certificate_key};
|
||||
'' else ""}
|
||||
|
||||
'';
|
||||
listen = (if ssl.enable then
|
||||
[ "80" "443 ssl" ]
|
||||
else
|
||||
"80"
|
||||
);
|
||||
});
|
||||
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
|
||||
listen = ${folder}/phpfpm.pool
|
||||
user = ${user}
|
||||
group = ${group}
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
listen.owner = ${user}
|
||||
listen.group = ${group}
|
||||
php_admin_value[error_log] = 'stderr'
|
||||
php_admin_flag[log_errors] = on
|
||||
catch_workers_output = yes
|
||||
'');
|
||||
systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
|
||||
name = "wordpressInit-${name}";
|
||||
value = {
|
||||
path = [
|
||||
pkgs.mysql
|
||||
pkgs.su
|
||||
pkgs.gawk
|
||||
pkgs.jq
|
||||
];
|
||||
requiredBy = [ "nginx.service" ];
|
||||
serviceConfig = let
|
||||
php.define = name: value:
|
||||
"define(${php.newdoc name}, ${php.newdoc value});";
|
||||
php.toString = x:
|
||||
"'${x}'";
|
||||
php.newdoc = s:
|
||||
let b = "EOF${builtins.hashString "sha256" s}"; in
|
||||
''<<<'${b}'
|
||||
${s}
|
||||
${b}
|
||||
'';
|
||||
in {
|
||||
Type = "oneshot";
|
||||
ExecStart = pkgs.writeScript "wordpressInit" ''
|
||||
#!/bin/sh
|
||||
set -euf
|
||||
wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
|
||||
db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
|
||||
get_secret() {
|
||||
echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
|
||||
}
|
||||
to_php_string() {
|
||||
echo "base64_decode('$(base64)')"
|
||||
}
|
||||
{
|
||||
cat ${toString <secrets/mysql_rootPassword>}
|
||||
password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
|
||||
# TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
|
||||
# TODO as package pkgs.sqlHashPassword
|
||||
# TODO not using mysql
|
||||
# SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
|
||||
passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
|
||||
user=${shell.escape dbUser}@localhost
|
||||
database=${shell.escape dbName}
|
||||
cat << EOF
|
||||
CREATE DATABASE IF NOT EXISTS $database;
|
||||
GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
|
||||
GRANT ALL PRIVILEGES ON $database.* TO $user;
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
} | mysql -u root -p
|
||||
# TODO nix2php for wp-config.php
|
||||
cat > ${folder}/wp-config.php << EOF
|
||||
<?php
|
||||
define('DB_PASSWORD', '$db_password');
|
||||
define('DB_HOST', 'localhost');
|
||||
|
||||
${concatStringsSep "\n" (mapAttrsToList (name: value:
|
||||
"define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
|
||||
) {
|
||||
DB_NAME = dbName;
|
||||
DB_USER = dbUser;
|
||||
DB_CHARSET = charset;
|
||||
DB_COLLATE = collate;
|
||||
})}
|
||||
|
||||
${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
|
||||
"AUTH_KEY"
|
||||
"SECURE_AUTH_KEY"
|
||||
"LOGGED_IN_KEY"
|
||||
"NONCE_KEY"
|
||||
"AUTH_SALT"
|
||||
"SECURE_AUTH_SALT"
|
||||
"LOGGED_IN_SALT"
|
||||
"NONCE_SALT"
|
||||
]}
|
||||
|
||||
\$table_prefix = 'wp_';
|
||||
|
||||
${if (multiSite != {}) then
|
||||
"define('WP_ALLOW_MULTISITE', true);"
|
||||
else
|
||||
""
|
||||
}
|
||||
|
||||
define('WP_DEBUG', ${toJSON debug});
|
||||
if ( !defined('ABSPATH') )
|
||||
define('ABSPATH', dirname(__FILE__) . '/');
|
||||
|
||||
/** Sets up WordPress vars and included files. */
|
||||
require_once(ABSPATH . 'wp-settings.php');
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
users.users.nobody2 = mkDefault {
|
||||
uid = mkDefault (genid "nobody2");
|
||||
useDefaultShell = mkDefault true;
|
||||
};
|
||||
};
|
||||
|
||||
indent = replaceChars ["\n"] ["\n "];
|
||||
|
||||
in out
|
Loading…
Reference in New Issue
Block a user