Merge remote-tracking branch 'prism/master'

This commit is contained in:
tv 2018-11-27 11:47:54 +01:00
commit c4fabb0bc4
27 changed files with 461 additions and 53 deletions


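--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+domain = "cache.nsupdate.info";
+in {
+# This only works for a single domain for nsupdate.info as multiple usernames
+# and passwords are required for multiple domains
+services.ddclient = {
+enable = true;
+server = "ipv4.nsupdate.info";
+username = domain;
+password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+domains = [ domain ];
+use= "if, if=et0";
+# use = "web, web=http://ipv4.nsupdate.info/myip";
+};
+krebs.cachecache = {
+enable = true;
+enableSSL = false; # disable letsencrypt for testing
+cacheDir = "/var/cache/nix-cache-cache";
+maxSize = "10g";
+# assumes that the domain is reachable from the internet
+virtualHost = domain;
+};
+boot.kernelModules = [ "tcp_bbr" ];
+boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}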
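Review bot: `enableSSL = false; # disable letsencrypt for testing` leaves this host serving the binary cache over plain HTTP while ddclient publishes it under a public name; Nix clients still verify narinfo signatures, so integrity holds, but the comment should state the condition for switching it back, e.g. `enableSSL = false; # TODO(review): re-enable once <DNS name resolves and 443 is reachable>`. The `networking.firewall.allowedTCPPorts = [ 80 443 ];` line duplicates the same setting the new cachecache module already applies whenever `cfg.enable` is set, and presumably opens 443 while nothing listens there as long as SSL is off. Small style point: `use= "if, if=et0";` is missing the space before `=`, unlike every other assignment in the file.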


@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own # normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir} # ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir} chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir} chown buildbotMaster:buildbotMaster -R ${workdir}
''; '';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}"; ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
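Review bot: Dropping `-R` from `chmod 700 ${workdir}` (here and in the slave.nix hunk below) changes what preStart does for files already inside the workdir, and nothing in the hunk records why; since the directory itself stays 0700 other users cannot traverse into it, so this looks safe, but a one-line comment such as `# only the top-level dir needs 0700; recursing over the build tree is slow and unneeded` would save the next reader from re-deriving that. The `chown … -R ${workdir}` on the next line still recurses, so the asymmetry reads as deliberate but is undocumented. The preStart string and its enclosing `let` start outside the hunk.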


@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir} chown buildbotSlave:buildbotSlave -R ${workdir}
chmod 700 -R ${workdir} chmod 700 ${workdir}
''; '';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}"; ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}"; ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";


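--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+with lib;
+let
+cfg = config.krebs.cachecache;
+nginxCfg = config.services.nginx;
+cacheFallbackConfig = {
+proxyPass = "$upstream_endpoint";
+extraConfig = ''
+# Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+proxy_http_version 1.1;
+# Remove the Connection header if the client sends it, it could
+# be "close" to close a keepalive connection
+proxy_set_header Connection "";
+# Needed for CloudFront.
+proxy_ssl_server_name on;
+proxy_set_header Host $proxy_host;
+proxy_cache nix_cache_cache;
+proxy_cache_valid 200 302 60m;
+proxy_cache_valid 404 1m;
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+'';
+};
+in
+{
+options = {
+krebs.cachecache = {
+enable = mkEnableOption "Nix binary cache cache";
+virtualHost = mkOption {
+type = types.str;
+default = "nix-cache";
+description = ''
+Name of the nginx virtualhost to use and setup. If null, do
+not setup any virtualhost.
+'';
+};
+enableSSL = mkOption {
+type = types.bool;
+default = true;
+description = ''
+enable SSL via letsencrypt. Requires working dns resolution and open
+internet tls port.
+'';
+};
+# webRoot = mkOption {
+# type = types.str;
+# default = "/";
+# description = ''
+# Directory on virtual host that serves the cache. Must end in
+# <literal>/</literal>.
+# '';
+# };
+resolver = mkOption {
+type = types.str;
+description = "Address of DNS resolver.";
+default = "8.8.8.8 ipv6=off";
+example = "127.0.0.1 ipv6=off";
+};
+cacheDir = mkOption {
+type = types.str;
+default = "/var/cache/nix-cache-cache";
+description = ''
+Where nginx should store cached data.
+'';
+};
+maxSize = mkOption {
+type = types.str;
+default = "50g";
+description = "Maximum cache size.";
+};
+};
+};
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+systemd.services.nginx.preStart = ''
+mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+chown ${nginxCfg.user}:${nginxCfg.group} \
+${cfg.cacheDir} /srv/www/nix-cache-cache
+'';
+services.nginx = {
+enable = true;
+appendHttpConfig = ''
+proxy_cache_path ${cfg.cacheDir}
+levels=1:2
+keys_zone=nix_cache_cache:100m
+max_size=${cfg.maxSize}
+inactive=365d
+use_temp_path=off;
+# Cache only success status codes; in particular we don't want
+# to cache 404s. See https://serverfault.com/a/690258/128321.
+map $status $nix_cache_cache_header {
+200 "public";
+302 "public";
+default "no-cache";
+}
+'';
+virtualHosts.${cfg.virtualHost} = {
+addSSL = cfg.enableSSL;
+enableACME = cfg.enableSSL;
+extraConfig = ''
+# Using a variable for the upstream endpoint to ensure that it is
+# resolved at runtime as opposed to once when the config file is loaded
+# and then cached forever (we don't want that):
+# see https://tenzer.dk/nginx-with-dynamic-upstreams/
+# This fixes errors like
+#
+# nginx: [emerg] host not found in upstream "upstream.example.com"
+#
+# when the upstream host is not reachable for a short time when
+# nginx is started.
+resolver ${cfg.resolver} valid=10s;
+set $upstream_endpoint https://cache.nixos.org;
+'';
+locations."/" =
+{
+root = "/srv/www/nix-cache-cache";
+extraConfig = ''
+expires max;
+add_header Cache-Control $nix_cache_cache_header always;
+# Ask the upstream server if a file isn't available
+# locally.
+error_page 404 = @fallback;
+# Don't bother logging the above 404.
+log_not_found off;
+'';
+};
+locations."@fallback" = cacheFallbackConfig;
+# We always want to copy cache.nixos.org's nix-cache-info
+# file, and ignore our own, because `nix-push` by default
+# generates one without `Priority` field, and thus that file
+# by default has priority 50 (compared to cache.nixos.org's
+# `Priority: 40`), which will make download clients prefer
+# `cache.nixos.org` over our binary cache.
+locations."= /nix-cache-info" = cacheFallbackConfig;
+};
+};
+};
+}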
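Review bot: The fallback location proxies to `https://cache.nixos.org` with `proxy_ssl_server_name on` but never enables upstream certificate verification, and nginx's `proxy_ssl_verify` defaults to off, so the proxy accepts any certificate for the upstream; Nix clients still check narinfo signatures, but the proxy should verify too — add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to the `cacheFallbackConfig` extraConfig. The `virtualHost` option's description says "If null, do not setup any virtualhost", but its type is `types.str` with a non-null default, so null is rejected at evaluation; either change it to `types.nullOr types.str` and wrap `virtualHosts.${cfg.virtualHost}` in `mkIf (cfg.virtualHost != null)`, or drop that sentence. The `resolver` default `8.8.8.8 ipv6=off` sends every upstream lookup to a third-party resolver in cleartext, so a local or site resolver is the better default, and the commented-out `webRoot` option is dead code that should go or be finished.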


@ -26,8 +26,15 @@ let
hostname = config.networking.hostName; hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" '' getJobs = pkgs.writeDash "get_jobs" ''
set -efu
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
nix-instantiate --quiet -Q --eval --strict --json ./ci.nix js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
| while read -r host builder; do
gcroot=${shell.escape profileRoot}/$host-builder
${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
done
echo "$js"
''; '';
profileRoot = "/nix/var/nix/profiles/ci"; profileRoot = "/nix/var/nix/profiles/ci";
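Review bot: `set -efu` does not catch a failing `jq` in the middle of the new pipeline — dash, which `writeDash` uses, has no `pipefail` as far as I know, and a `while read` loop exits with the status of its last body command — so a broken `to_entries` result quietly registers no gc-roots while the script still prints `$js` and exits 0; `js="$(…)"` on its own line already aborts on an evaluation failure, so the remaining gap is `jq`, which can be run once into a variable first, e.g. `jobs=$(echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv')`. The script is also inconsistent about where its tools come from: `nix-env` is called as `${pkgs.nix}/bin/nix-env`, while `nix-build`, `nix-instantiate` and `jq` are taken from PATH. The `getJobs` string is complete in the hunk, but the enclosing `let` starts outside it.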


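--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -14,6 +14,7 @@ let
 ./buildbot/master.nix
 ./buildbot/slave.nix
 ./build.nix
+./cachecache.nix
 ./charybdis.nix
 ./ci.nix
 ./current.nix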


@ -38,11 +38,6 @@ let
''; '';
default = {}; default = {};
}; };
maxTime = mkOption {
type = types.int;
default = 0;
description = "Time to wait before download is aborted";
};
}; };
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir} mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir} chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir} cd ${cfg.stateDir}
(curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || : (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper feh --no-fehbg --bg-scale wallpaper
''; '';
imp = { imp = {
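Review bot: Removing `--max-time` in the second hunk (together with the `maxTime` option in the first) means `curl` can now hang indefinitely on a stalled server, and the trailing `|| :` only masks a failure, not a hang; if the option was dropped for simplicity, keep a fixed bound such as `curl --max-time 30 -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url}` or give the unit a systemd timeout. The switch from `${shell.escape cfg.stateDir}/wallpaper` to a bare `wallpaper` relies on the `cd ${cfg.stateDir}` three lines up, which is fine, but that `cd` and the `mkdir`/`chmod` lines interpolate `cfg.stateDir` unescaped while the old feh line escaped it — worth making consistent with `${shell.escape cfg.stateDir}`. The `fetchWallpaperScript` string continues outside the hunk.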


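--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -624,15 +624,16 @@ in {
 "blog.makefu.r"
 "blog.gum.r"
 "dcpp.gum.r"
+"torrent.gum.r"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
-aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
-npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
-6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
-3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
-VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
+MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
 -----END RSA PUBLIC KEY-----
 '';
 };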
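Review bot: The host's tinc RSA public key is replaced wholesale, but neither the hunk nor the merge description says whether this is a planned rotation or a reinstall, which is exactly what someone auditing the retiolum trust set later will want to know; a short `# key rotated <DATE>, previous key no longer in use` comment next to `tinc.pubkey`, or a line in the commit message, would record it. The `"torrent.gum.r"` alias addition in the same hunk is fine. The host attribute set continues outside the hunk.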


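--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
-"rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
-"date": "2018-11-04T19:36:25+01:00",
-"sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
+"rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
+"date": "2018-11-24T00:40:22-05:00",
+"sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
 "fetchSubmodules": false
 }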


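--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -110,7 +110,6 @@ with import <stockholm/lib>;
 <stockholm/lass/2configs/iodined.nix>
 <stockholm/lass/2configs/paste.nix>
 <stockholm/lass/2configs/syncthing.nix>
-<stockholm/lass/2configs/reaktor-coders.nix>
 <stockholm/lass/2configs/ciko.nix>
 <stockholm/lass/2configs/container-networking.nix>
 <stockholm/lass/2configs/monitoring/prometheus-server.nix>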


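--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+{
+nixpkgs = lib.mkForce {
+file = toString (pkgs.fetchFromGitHub {
+owner = "nixos";
+repo = "nixpkgs";
+rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
+sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
+});
+};
+}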
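Review bot: `lib.importJSON ../../../krebs/nixpkgs.json` is evaluated twice, once per field; reading it once keeps `rev` and `sha256` tied to the same file read and is shorter: `let pin = lib.importJSON ../../../krebs/nixpkgs.json; in` with `rev = pin.rev;` and `sha256 = pin.sha256;`. Pinning through `fetchFromGitHub` with the sha256 is the right shape here — the hash, not the rev, is what protects against a tampered tarball, so both fields must keep moving together.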


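--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -33,6 +33,7 @@ with import <stockholm/lib>;
 <stockholm/lass/2configs/rtl-sdr.nix>
 <stockholm/lass/2configs/backup.nix>
 <stockholm/lass/2configs/print.nix>
+<stockholm/lass/2configs/blue-host.nix>
 {
 krebs.iptables.tables.filter.INPUT.rules = [
 #risk of rain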


@ -5,42 +5,35 @@ with import <stockholm/lib>;
<stockholm/lass> <stockholm/lass>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
{ {
# discordius config
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
users.users.discordius = { users.users.discordius = {
uid = genid "discordius"; uid = genid "diskordius";
home = "/home/discordius"; isNormalUser = true;
group = "users";
createHome = true;
extraGroups = [ extraGroups = [
"audio" "audio"
"networkmanager" "networkmanager"
]; ];
useDefaultShell = true;
}; };
networking.networkmanager.enable = true; environment.systemPackages = with pkgs; [
networking.wireless.enable = mkForce false; google-chrome
];
hardware.pulseaudio = { hardware.pulseaudio = {
enable = true; enable = true;
systemWide = true; systemWide = true;
}; };
environment.systemPackages = with pkgs; [
pavucontrol
firefox
hexchat
networkmanagerapplet
];
services.xserver.desktopManager.gnome3 = {
enable = true;
};
} }
]; ];
krebs.build.host = config.krebs.hosts.skynet; krebs.build.host = config.krebs.hosts.skynet;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = '' services.logind.extraConfig = ''
HandleLidSwitch=ignore HandleLidSwitch=ignore
''; '';
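Review bot: `uid = genid "diskordius";` misspells the user name that the old line (`genid "discordius"`) and the attribute `users.users.discordius` use, so the account's uid changes on the next switch and everything already owned by the old uid under /home/discordius becomes foreign; unless that is intended it should read `uid = genid "discordius";`. Switching to `isNormalUser = true` replaces the explicit `home`/`group`/`createHome`/`useDefaultShell` lines with the NixOS defaults for a normal user, which match the removed values as far as the hunk shows. The module continues outside the hunk.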


@ -1,10 +1,27 @@
{ {
imports = [ imports = [
./config.nix ./config.nix
<stockholm/lass/2configs/hw/x220.nix> <stockholm/krebs/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
]; ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
networking.hostId = "06442b9a";
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0876-B308";
fsType = "vfat";
};
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"


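--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -20,7 +20,14 @@
 services.nginx = {
 enable = true;
 virtualHosts.nix-serve = {
-serverAliases = [ "cache.prism.r" "cache.krebsco.de" "cache.lassul.us" ];
+serverAliases = [ "cache.prism.r" ];
+locations."/".extraConfig = ''
+proxy_pass http://localhost:${toString config.services.nix-serve.port};
+'';
+};
+virtualHosts."cache.krebsco.de" = {
+serverAliases = [ "cache.lassul.us" ];
+enableACME = true;
 locations."/".extraConfig = ''
 proxy_pass http://localhost:${toString config.services.nix-serve.port};
 '';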
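Review bot: The new `cache.krebsco.de` virtual host sets `enableACME = true` but no `addSSL`/`forceSSL`; in the NixOS nginx module `enableACME` only obtains the certificate, so unless a `forceSSL = true;` follows past the end of the hunk the host keeps answering on port 80 only and the certificate goes unused. Both hosts proxy to the same `nix-serve` port, so the split is purely about which names get a certificate; a one-line comment saying so (`# public names get ACME; cache.prism.r presumably stays plain HTTP on the overlay`) would explain the duplicated `locations."/"` block. The `cache.krebsco.de` host body continues outside the hunk.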


@ -1,23 +1,114 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
let
all_hosts = [
"icarus"
"shodan"
"daedalus"
"skynet"
"prism"
];
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
{ in {
imports = [ imports = [
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
]; { #hack for already defined
systemd.services."container@blue".reloadIfChanged = mkForce false; systemd.services."container@blue".reloadIfChanged = mkForce false;
systemd.services."container@blue".preStart = ''
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
'';
systemd.services."container@blue".preStop = ''
/run/wrappers/bin/fusermount -u /var/lib/containers/blue
'';
}
];
system.activationScripts.containerPermissions = ''
mkdir -p /var/lib/containers
chmod 711 /var/lib/containers
'';
containers.blue = { containers.blue = {
config = { ... }: { config = { ... }: {
environment.systemPackages = [ pkgs.git ]; environment.systemPackages = [
pkgs.git
pkgs.rxvt_unicode.terminfo
];
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey config.krebs.users.lass.pubkey
]; ];
}; };
autoStart = true; autoStart = false;
enableTun = true; enableTun = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "10.233.2.9"; hostAddress = "10.233.2.9";
localAddress = "10.233.2.10"; localAddress = "10.233.2.10";
}; };
systemd.services = builtins.listToAttrs (map (host:
let
in nameValuePair "sync-blue-${host}" {
bindsTo = [ "container@blue.service" ];
wantedBy = [ "container@blue.service" ];
# ssh needed for rsync
path = [ pkgs.openssh ];
serviceConfig = {
Restart = "always";
RestartSec = 10;
ExecStart = pkgs.writeDash "sync-blue-${host}" ''
set -efu
#make sure blue is running
/run/wrappers/bin/ping -c1 blue.r > /dev/null
#make sure the container is unlocked
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
#make sure our target is reachable
${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
#start sync
${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
settings {
nodaemon = true,
inotifyMode = "CloseWrite or Modify",
}
sync {
default.rsyncssh,
source = "/var/lib/containers/.blue",
host = "${host}.r",
targetdir = "/var/lib/containers/.blue",
rsync = {
owner = true,
group = true,
};
ssh = {
binary = "${pkgs.openssh}/bin/ssh";
identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
},
}
''}
'';
};
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
}
) remote_hosts);
environment.systemPackages = [
(pkgs.writeDashBin "start-blue" ''
set -ef
if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
fi
nixos-container start blue
nixos-container run blue -- nixos-rebuild -I /var/src dry-build
if ping -c1 blue.r >/dev/null; then
echo 'blue is already running. bailing out'
exit 23
fi
nixos-container run blue -- nixos-rebuild -I /var/src switch
'')
];
} }
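Review bot: `if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then` in start-blue runs the (empty) output of the pipeline as a command and only works because POSIX gives an empty command the status of its last command substitution; write `if ! mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue '; then` — the trailing space also stops a sibling mount such as `blue2` from matching, which applies to the same pattern in the `preStart` and sync-blue scripts too. `encfs --public` plus the activation script's `chmod 711 /var/lib/containers` deliberately makes the decrypted tree reachable by other local users (subject to the file modes inside it), and since the lsyncd key `/var/lib/containers/blue/home/lass/.ssh/id_rsa` lives in that tree the trade-off deserves a comment on the `--public` line. In start-blue the `ping -c1 blue.r` "already running" check runs after `nixos-container start blue`; if it is meant to detect the container running on another host it seems to come too late, so I would move it above the start. The empty `let in` in the `map` body is noise and can go.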


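--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -92,6 +92,7 @@ with import <stockholm/lib>;
 { from = "ccc@lassul.us"; to = lass.mail; }
 { from = "neocron@lassul.us"; to = lass.mail; }
 { from = "osmocom@lassul.us"; to = lass.mail; }
+{ from = "lesswrong@lassul.us"; to = lass.mail; }
 ];
 system-aliases = [
 { from = "mailer-daemon"; to = "postmaster"; }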


@ -7,7 +7,6 @@ in {
enable = true; enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/realwallpaper-krebs.png"; url = "prism/realwallpaper-krebs.png";
maxTime = 10;
}; };
} }


@ -31,6 +31,7 @@ let
''; '';
mailboxes = { mailboxes = {
afra = [ "to:afra@afra-berlin.de" ];
c-base = [ "to:c-base.org" ]; c-base = [ "to:c-base.org" ];
coins = [ coins = [
"to:btce@lassul.us" "to:btce@lassul.us"
@ -46,11 +47,14 @@ let
]; ];
dezentrale = [ "to:dezentrale.space" ]; dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ]; dhl = [ "to:dhl@lassul.us" ];
dn42 = [ "to:dn42@lists.nox.tf" ];
eloop = [ "to:eloop.org" ]; eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ]; github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ]; gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ]; kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
lugs = [ "to:lugs@lug-s.org" ]; lugs = [ "to:lugs@lug-s.org" ];
meetup = [ "to:meetup@lassul.us" ];
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ]; nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
patreon = [ "to:patreon@lassul.us" ]; patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ]; paypal = [ "to:paypal@lassul.us" ];


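--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -177,7 +177,8 @@
 addr = "0.0.0.0";
 domain = "grafana.example.com";
 rootUrl = "https://grafana.example.com/";
-security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+auth.anonymous.enable = true;
+auth.anonymous.org_role = "Admin";
 };
 };
 services.logstash = {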
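Review bot: Replacing the imported `security` settings with `auth.anonymous.enable = true;` and `auth.anonymous.org_role = "Admin";` gives every unauthenticated visitor full admin rights on a Grafana bound to `addr = "0.0.0.0"`, and dropping `security` also leaves the admin account on the module's default password. If anonymous access is wanted, `auth.anonymous.org_role = "Viewer";` is the usual choice and the admin credentials should still come from the secrets file; otherwise bind to localhost and put an authenticating reverse proxy in front. If this is only a lab behind a firewall, a comment stating that assumption next to the two new lines is the minimum. The grafana block continues outside the hunk.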


@ -60,10 +60,25 @@ in {
group = "radio"; group = "radio";
musicDirectory = "/home/radio/the_playlist/music"; musicDirectory = "/home/radio/the_playlist/music";
extraConfig = '' extraConfig = ''
audio_output {
type "shout"
encoding "lame"
name "the_playlist_mp3"
host "localhost"
port "8000"
mount "/radio.mp3"
password "${source-password}"
bitrate "128"
format "44100:16:2"
user "source"
genre "good music"
}
audio_output { audio_output {
type "shout" type "shout"
encoding "ogg" encoding "ogg"
name "the_playlist" name "the_playlist_ogg"
host "localhost" host "localhost"
port "8000" port "8000"
mount "/radio.ogg" mount "/radio.ogg"
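Review bot: The new mp3 `audio_output` block repeats the ogg block almost verbatim, including `password "${source-password}"`; since `extraConfig` is a Nix string, that secret presumably lands in the generated mpd configuration in the world-readable store, and now in two places — a comment on `source-password` saying where it comes from and that the store copy is accepted, or a small helper taking `{ encoding, mount, bitrate }` that emits both blocks, would keep the two in step. Note that `name "the_playlist_ogg"` renames the existing output, which changes the stream name shown to listeners. The ogg block continues outside the hunk.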


@ -139,6 +139,13 @@ in {
ssl_key = "/var/lib/acme/lassul.us/key.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem";
}; };
users.users.xanf = {
uid = genid_uint31 "xanf";
home = "/home/xanf";
useDefaultShell = true;
createHome = true;
};
users.users.domsen = { users.users.domsen = {
uid = genid_uint31 "domsen"; uid = genid_uint31 "domsen";
description = "maintenance acc for domsen"; description = "maintenance acc for domsen";
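Review bot: `users.users.xanf` follows the `domsen` entry below but omits its `description`, and without `isNormalUser` or an explicit `group` it presumably ends up in NixOS' fallback primary group; a `description = "<purpose of account>";` line in the style of domsen, plus `isNormalUser = true;` as the skynet hunk in this same commit does for discordius, would make the intent explicit. The `users.users` set continues outside the hunk.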


@ -5,6 +5,12 @@
pkgs pkgs
; ;
host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
else
{}
;
source = { test }: lib.evalSource [ source = { test }: lib.evalSource [
krebs-source krebs-source
{ {
@ -18,15 +24,24 @@
}; };
}; };
} }
host-source
]; ];
in { in {
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy) # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" { deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; }; source = source { test = false; };
inherit target; inherit target;
}; };
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
populate = { target, force ? false }: pkgs.populate {
inherit force;
source = source { test = false; };
target = lib.mkTarget target;
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test) # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" { test = { target }: pkgs.krops.writeTest "${name}-test" {
force = true; force = true;
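Review bot: `host-source` spells the path `./. + "/1systems/${name}/source.nix"` twice, once for the check and once for the import; `let p = ./. + "/1systems/${name}/source.nix"; in if lib.pathExists p then import p { inherit lib pkgs; } else {}` keeps both on the same value. The new `populate` attribute has a usage comment like its siblings, but unlike `deploy` its `target` has no default, so the `--argstr target PATH` in that comment is mandatory rather than optional and the comment could say so. The attribute set continues outside the hunk.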


@ -63,9 +63,17 @@ in {
} }
# <stockholm/makefu/2configs/syncthing.nix> # <stockholm/makefu/2configs/syncthing.nix>
<stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/deployment/google-muell.nix> # TODO:
# <stockholm/makefu/2configs/deployment/google-muell.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
{
# Risikoübernahme
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/homeautomation> <stockholm/makefu/2configs/deployment/homeautomation>
{ {
makefu.ps3netsrv = { makefu.ps3netsrv = {
@ -97,6 +105,7 @@ in {
]; ];
makefu.full-populate = true; makefu.full-populate = true;
nixpkgs.config.allowUnfree = true;
krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) { krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
downloadDir = lib.mkForce "/media/cryptX/torrent"; downloadDir = lib.mkForce "/media/cryptX/torrent";
extraConfig = '' extraConfig = ''
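Review bot: `nixpkgs.config.permittedInsecurePackages = [ "homeassistant-0.77.2" ];` (and the identical block in the next file section) overrides a `knownVulnerabilities` mark in nixpkgs, and the `# Risikoübernahme` comment records that the risk is accepted but not which issue or until when; expand it to something like `# Risikoübernahme: <advisory named by the nixpkgs evaluation error>; revisit when home-assistant is bumped` so the exception does not outlive its reason. `nixpkgs.config.allowUnfree = true;` in the second hunk is an unrelated change that would be easier to find in its own commit. The imports list continues outside the hunk.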


@ -45,7 +45,12 @@ in {
# <stockholm/makefu/2configs/stats/telegraf/bamstats.nix> # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
{ environment.systemPackages = [ pkgs.vlc ]; } { environment.systemPackages = [ pkgs.vlc ]; }
{
# Risikoübernahme
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/bureautomation> <stockholm/makefu/2configs/deployment/bureautomation>
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix> <stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix> <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>


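--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+let
+ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
+in {
+systemd.services.mirrorsync = {
+startAt = "08:00:00";
+path = with pkgs; [ rsync openssh ];
+script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
+};
+services.nginx = {
+enable = lib.mkDefault true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+virtualHosts."download.binaergewitter.de" = {
+serverAliases = [ "dl2.binaergewitter.de" ];
+root = "/var/www/binaergewitter";
+extraConfig = ''
+access_log /var/spool/nginx/logs/binaergewitter.access.log combined;
+error_log /var/spool/nginx/logs/binaergewitter.error.log error;
+autoindex on;
+'';
+};
+};
+}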
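Review bot: The `mirrorsync` unit runs as root (no `serviceConfig.User`) and its `ssh -i ${ident}` to `159.69.132.234` carries no host-key policy, so the first run either relies on the mirror's key already being in root's known_hosts or fails without a TTY; pinning it with `programs.ssh.knownHosts`, or `-o UserKnownHostsFile=<file> -o StrictHostKeyChecking=yes` inside the `-e` string, and running the unit as a dedicated user that owns `/var/www/binaergewitter` would contain both the key and the written tree. `ident` uses `toString <secrets>` so the private key is referenced in place rather than copied into the store, which is right and matches the ddclient hunk. `autoindex on` on a public vhost is presumably intended for a download mirror; a `# directory listing is the point of this mirror` comment would make that explicit.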


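--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/makefu/nixpkgs",
-"rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
-"date": "2018-09-18T02:20:45+02:00",
-"sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
+"rev": "9728b2e83406c76efc734ebb1923f23b8e687819",
+"date": "2018-11-19T20:36:35+01:00",
+"sha256": "0nk75ldppjr6x04hgghgg9vanr1cw4k5xhg699d38g2rpxviz5bp",
 "fetchSubmodules": false
 }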