Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2017-02-04 14:31:47 +01:00
commit d6c9edd9dc
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
26 changed files with 458 additions and 329 deletions


@ -38,6 +38,11 @@ let
''; '';
default = {}; default = {};
}; };
maxTime = mkOption {
type = types.int;
default = 0;
description = "Time to wait before download is aborted";
};
}; };
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@ -45,7 +50,7 @@ let
mkdir -p ${shell.escape cfg.stateDir} mkdir -p ${shell.escape cfg.stateDir}
cd ${shell.escape cfg.stateDir} cd ${shell.escape cfg.stateDir}
(curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || : (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
''; '';
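Review bot: The new `maxTime` option's description should say which unit the value has and what the default means, because `--max-time ${toString cfg.maxTime}` is now always passed and `default = 0` only keeps the previous no-timeout behaviour if curl treats a zero `--max-time` as "no limit", which I believe it does. Suggest `description = "Seconds to wait before the download is aborted; 0 disables the timeout";` so a reader of `nixos-option` does not have to look that up. The `fetchWallpaperScript` body continues outside the second hunk.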


@ -93,6 +93,7 @@ with import <stockholm/lib>;
"cgit.prism.retiolum" "cgit.prism.retiolum"
"cgit.prism.r" "cgit.prism.r"
"cache.prism.r" "cache.prism.r"
"paste.r" "paste.retiolum"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -119,7 +120,6 @@ with import <stockholm/lib>;
ssh.port = 2223; ssh.port = 2223;
}; };
}; };
ssh.pubkey = "ssh-dss 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";
}; };
cloudkrebs = { cloudkrebs = {
cores = 1; cores = 1;


@ -313,7 +313,6 @@ with import <stockholm/lib>;
"graphs.wry.retiolum" "graphs.wry.retiolum"
"graphs.r" "graphs.retiolum" "graphs.r" "graphs.retiolum"
"paste.wry.retiolum" "paste.wry.retiolum"
"paste.r" "paste.retiolum"
"wry.r" "wry.retiolum" "wry.r" "wry.retiolum"
"wiki.makefu.retiolum" "wiki.makefu.retiolum"
"wiki.wry.retiolum" "wiki.wry.retiolum"


@ -31,13 +31,6 @@ with import <stockholm/lib>;
]; ];
} }
#{ #{
# services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = "<secrets>/mysql_rootPassword";
# };
#}
#{
# services.elasticsearch = { # services.elasticsearch = {
# enable = true; # enable = true;
# plugins = [ # plugins = [
@ -83,140 +76,56 @@ with import <stockholm/lib>;
{ {
services.redis.enable = true; services.redis.enable = true;
} }
{ #{
virtualisation.libvirtd.enable = true; # #gitit magic
} # imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
{ # services.gitit = {
services.nginx = { # enable = true;
enable = mkDefault true; # haskellPackages = pkgs.haskell.packages.ghc7103;
virtualHosts = { # };
"stats.mors" = { #}
locations = { #{
"/" = { # lass.icinga2 = {
proxyPass = "http://localhost:3000/"; # enable = true;
extraConfig = '' # configFiles = [
proxy_set_header Host $host; # ''
proxy_set_header X-Real-IP $remote_addr; # template Service "generic-service" {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # max_check_attempts = 3
''; # check_interval = 5m
}; # retry_interval = 1m
}; # enable_perfdata = true
}; # }
}; # apply Service "ping4" {
}; # }
# ''
services.grafana = { # ];
enable = true; # };
addr = "127.0.0.1"; # services.mysql = {
users.allowSignUp = false; # enable = true;
users.allowOrgCreate = false; # package = pkgs.mariadb;
users.autoAssignOrg = false; # rootPassword = "<secrets>/mysql_rootPassword";
auth.anonymous.enable = true; # };
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} # lass.icingaweb2 = {
}; # enable = true;
# initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0";
services.graphite = { # resources = {
api = { # icinga2db = {
enable = true; # type = "mysql";
listenAddress = "127.0.0.1"; # host = "localhost";
port = 18080; # user = "icingaweb2";
}; # db = "icinga";
carbon = { # passfile = <secrets/icinga2-pw>;
enableCache = true; # };
# save disk usage by restricting to 1 bulk update per second # icingaweb2db = {
config = '' # type = "mysql";
[cache] # host = "localhost";
MAX_CACHE_SIZE = inf # user = "icingaweb2";
MAX_UPDATES_PER_SECOND = 1 # db = "icingaweb2";
MAX_CREATES_PER_MINUTE = 500 # passfile = <secrets/icinga2-pw>;
''; # };
storageSchemas = '' # };
[carbon] # };
pattern = ^carbon\. #}
retentions = 60:90d
[elchos]
patterhn = ^elchos\.
retentions = 10s:30d,60s:3y
[default]
pattern = .*
retentions = 30s:30d,300s:1y
'';
};
};
services.collectd = {
enable = true;
include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
LoadPlugin write_graphite
<Plugin "write_graphite">
<Carbon>
Host "localhost"
Port "2003"
EscapeCharacter "_"
StoreRates false
AlwaysAppendDS false
</Carbon>
</Plugin>
''))
];
extraConfig = ''
LoadPlugin interface
LoadPlugin battery
LoadPlugin load
LoadPlugin cpu
LoadPlugin entropy
LoadPlugin write_graphite
<Plugin "interface">
Interface "et0"
Interface "wl0"
Interface "retiolum"
</Plugin>
'';
};
services.graphite.beacon = {
enable = true;
config = {
graphite_url = "http://localhost:18080";
cli = {
command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
};
smtp = {
from = "beacon@mors.r";
to = [
"lass@mors.r"
];
};
normal_handlers = [
"smtp"
"cli"
];
warning_handlers = [
"smtp"
"cli"
];
critical_handlers = [
"smtp"
"cli"
];
alerts = [
{
name = "testbattery";
query = "*.battery-0.capacity";
method = "last_value";
interval = "1minute";
logging = "info";
repeat_interval = "5minute";
rules = [
"warning: < 30.0"
"critical: < 10.0"
];
}
];
};
};
}
]; ];
krebs.build.host = config.krebs.hosts.mors; krebs.build.host = config.krebs.hosts.mors;
@ -229,7 +138,6 @@ with import <stockholm/lib>;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
@ -266,11 +174,6 @@ with import <stockholm/lib>;
fsType = "ext4"; fsType = "ext4";
}; };
"/mnt/public" = {
device = "/dev/big/public";
fsType = "ext4";
};
"/mnt/conf" = { "/mnt/conf" = {
device = "/dev/big/conf"; device = "/dev/big/conf";
fsType = "ext4"; fsType = "ext4";
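Review bot: The commented-out `lass.icingaweb2` block on the new side of the `@ -83,140 +76,56` hunk carries a literal `initialRootPasswordHash` value, so a password hash (an MD5-crypt `$1$` one, which is cheap to brute-force) now sits in the repository even though the block is inactive. The neighbouring `rootPassword = "<secrets>/mysql_rootPassword";` line shows the pattern the file otherwise follows; either reference a `<secrets/...>` file there as well or drop the dead block rather than keep it commented out. The enclosing `imports`/module list starts before the first hunk of this file.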


@ -43,6 +43,17 @@ in {
../2configs/libvirt.nix ../2configs/libvirt.nix
../2configs/hfos.nix ../2configs/hfos.nix
../2configs/makefu-sip.nix ../2configs/makefu-sip.nix
../2configs/monitoring/server.nix
{
imports = [
../2configs/bepasty.nix
];
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
return 403;
}
'';
}
{ {
users.extraGroups = { users.extraGroups = {
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@ -202,20 +213,6 @@ in {
]; ];
}; };
} }
{
services.nginx = {
enable = true;
virtualHosts.public = {
port = 8088;
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
alias /home/$1/public_html$2;
'';
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
];
}
{ {
krebs.repo-sync.timerConfig = { krebs.repo-sync.timerConfig = {
OnCalendar = "*:0/5"; OnCalendar = "*:0/5";
@ -227,6 +224,7 @@ in {
}; };
} }
{ {
# Nin stuff
users.users.nin = { users.users.nin = {
uid = genid "nin"; uid = genid "nin";
inherit (config.krebs.users.nin) home; inherit (config.krebs.users.nin) home;
@ -240,18 +238,6 @@ in {
"libvirtd" "libvirtd"
]; ];
}; };
krebs.git.rules = [
{
user = [ config.krebs.users.nin ];
repo = [ config.krebs.git.repos.stockholm ];
perm = with git; push "refs/heads/nin" [ fast-forward non-fast-forward create delete merge ];
}
];
krebs.repo-sync.repos.stockholm.nin = {
origin.url = "http://cgit.prism/stockholm";
origin.ref = "heads/nin";
mirror.url = "git@${config.networking.hostName}:stockholm";
};
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; } { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
]; ];
@ -272,7 +258,6 @@ in {
-XFlexibleInstances -XMultiParamTypeClasses \ -XFlexibleInstances -XMultiParamTypeClasses \
-XOverloadedStrings -XFunctionalDependencies \''; -XOverloadedStrings -XFunctionalDependencies \'';
in [ in [
sed-plugin
url-title url-title
(buildSimpleReaktorPlugin "lambdabot-pl" { (buildSimpleReaktorPlugin "lambdabot-pl" {
pattern = "^@pl (?P<args>.*)$$"; pattern = "^@pl (?P<args>.*)$$";
@ -327,16 +312,16 @@ in {
script = pkgs.writePython2 "rup" '' script = pkgs.writePython2 "rup" ''
#!${pkgs.python2}/bin/python #!${pkgs.python2}/bin/python
t1 = """ t1 = """
_. _.
;=',_ () ;=',_ ()
8===D~~ S" .--`|| 8===D~~ S" .--`||
sS \__ || sS \__ ||
__.' ( \-->|| __.' ( \-->||
_=/ _./-\/ || _=/ _./-\/ ||
8===D~~ ((\( /-' -'l || 8===D~~ ((\( /-' -'l ||
) |/ \\ (_)) ) |/ \\ (_))
\\ \\ \\ \\
'~ '~ '~ '~
""" """
print(t1) print(t1)
''; '';
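Review bot: In the `@ -43,6 +43,17` hunk the `paste.r` bepasty server is fenced off from the internet only by comparing `$server_addr` with `nets.internet.ip4.addr`, while that same server gets `admin,list,create,read,delete` as default permissions in `lass/2configs/bepasty.nix` from this merge. If prism also answers on a public IPv6 address (the `v6 = false` flags on the nat rules below suggest v6 rules exist for this host), a request arriving on that address for the `paste.r` name would not hit the `return 403` and would reach the admin-permission server. Inverting the check so only the VPN address is allowed is more robust, e.g. `if ( $server_addr != "${config.krebs.build.host.nets.retiolum.ip4.addr}" ) { return 403; }` — whether `nets.retiolum.ip4.addr` is defined for this host I cannot tell from the hunk, so treat the attribute path as a placeholder.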

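--- /dev/null
+++ b/lass/2configs/bepasty.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+# secrets used:
+# wildcard.krebsco.de.crt
+# wildcard.krebsco.de.key
+# bepasty-secret.nix <- contains single string
+with import <stockholm/lib>;
+let
+secKey = import <secrets/bepasty-secret.nix>;
+ext-dom = "paste.lassul.us" ;
+in {
+services.nginx.enable = mkDefault true;
+krebs.bepasty = {
+enable = true;
+serveNginx= true;
+servers = {
+"paste.r" = {
+nginx = {
+serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+};
+defaultPermissions = "admin,list,create,read,delete";
+secretKey = secKey;
+};
+"${ext-dom}" = {
+nginx = {
+enableSSL = true;
+forceSSL = true;
+enableACME = true;
+};
+defaultPermissions = "read";
+secretKey = secKey;
+};
+};
+};
+}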
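Review bot: The header comment lists `wildcard.krebsco.de.crt`/`.key` as secrets used, but nothing in the file references them — the external server uses `enableACME = true` — so the comment should shrink to `# secrets used: bepasty-secret.nix <- contains single string`, or the ACME choice should be revisited if the wildcard cert was intended. `with import <stockholm/lib>;` appears twice (lines 2 and 7 of the file); the second is redundant. Both servers share `secKey` while `paste.r` defaults to `admin,list,create,read,delete` and `${ext-dom}` to `read`; if bepasty keeps granted permissions in the secret-signed session (I believe it does, but it is not visible here), a session issued by the internal instance also validates on the public one, so a separate secret per server keeps the two permission levels independent.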


@ -58,6 +58,11 @@ in {
"NIX_REMOTE": "daemon", "NIX_REMOTE": "daemon",
"dummy_secrets": "true", "dummy_secrets": "true",
} }
env_nin = {
"LOGNAME": "nin",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_shared = { env_shared = {
"LOGNAME": "shared", "LOGNAME": "shared",
"NIX_REMOTE": "daemon", "NIX_REMOTE": "daemon",
@ -126,6 +131,18 @@ in {
] ]
) )
for i in [ "hiawatha", "onondaga" ]:
addShell(f,name="build-{}".format(i),env=env_nin,
command=nixshell + \
["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
make \
test \
target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
method=build \
system={}".format(i)
]
)
bu.append( bu.append(
util.BuilderConfig( util.BuilderConfig(
name="build-hosts", name="build-hosts",
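Review bot: The new `build-hiawatha`/`build-onondaga` shell step in the `@ -126,6 +131,18` hunk deploys its test build into `/tmp/testbuild/$LOGNAME`, a fixed path inside a world-writable directory; `mkdir -p` succeeds even when another account on the build host created that directory first, so the populated tree can end up in a directory someone else controls. If the worker host is shared between users (not visible here), creating the directory with `mktemp -d` or using a path under the worker's own home and passing that to `target=` avoids the issue. The `.populate` marker `touch` would then go into the freshly created directory. The surrounding buildbot config (the `env_*` tables and `bu.append` calls) continues outside the hunk.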


@ -9,6 +9,7 @@ with import <stockholm/lib>;
../2configs/mc.nix ../2configs/mc.nix
../2configs/nixpkgs.nix ../2configs/nixpkgs.nix
../2configs/vim.nix ../2configs/vim.nix
../2configs/monitoring/client.nix
./backups.nix ./backups.nix
{ {
users.extraUsers = users.extraUsers =
@ -98,7 +99,6 @@ with import <stockholm/lib>;
# multiple-definition-problem when defining environment.variables.EDITOR # multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = '' environment.extraInit = ''
EDITOR=vim EDITOR=vim
MANPAGER=most
''; '';
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;


@ -16,6 +16,7 @@ with import <stockholm/lib>;
lass.pubkey lass.pubkey
lass-shodan.pubkey lass-shodan.pubkey
lass-helios.pubkey lass-helios.pubkey
lass-icarus.pubkey
makefu.pubkey makefu.pubkey
]; ];
}; };


@ -7,6 +7,7 @@ in {
enable = true; enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/wallpaper.png"; url = "prism/wallpaper.png";
maxTime = 10;
}; };
systemd.services.fetchWallpaper = { systemd.services.fetchWallpaper = {
after = [ "xmonad.service" ]; after = [ "xmonad.service" ];


@ -57,7 +57,7 @@ let
server = "ni.r"; server = "ni.r";
verbose = config.krebs.build.host.name == "prism"; verbose = config.krebs.build.host.name == "prism";
# TODO define branches in some kind of option per repo # TODO define branches in some kind of option per repo
branches = [ "master" "newest" "nin" ]; branches = [ "master" "newest" ];
}; };
}; };
}; };


@ -47,12 +47,5 @@ with import <stockholm/lib>;
pkgs.vaapiVdpau pkgs.vaapiVdpau
]; ];
services.xserver = {
videoDriver = "intel";
deviceSection = ''
Option "AccelMethod" "sna"
'';
};
security.rngd.enable = true; security.rngd.enable = true;
} }


@ -0,0 +1,94 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
lass.telegraf = {
enable = true;
interval = "1s";
outputs = ''
[outputs.influxdb]
urls = ["http://prism:8086"]
database = "telegraf_db"
user_agent = "telegraf"
'';
inputs = [
''
[cpu]
percpu = false
totalcpu = true
drop = ["cpu_time"]
''
''
[[inputs.mem]]
''
''
[[inputs.ping]]
urls = ["8.8.8.8"]
''
''
[[inputs.net]]
''
''
[[inputs.dns_query]]
servers = ["8.8.8.8"]
''
];
};
systemd.services.telegraf.path = with pkgs; [
iputils
lm_sensors
];
services.collectd = {
enable = true;
autoLoadPlugin = true;
extraConfig = ''
Hostname ${config.krebs.build.host.name}
LoadPlugin load
LoadPlugin disk
LoadPlugin memory
Interval 30.0
LoadPlugin interface
<Plugin "interface">
Interface "*Link"
Interface "lo"
Interface "vboxnet*"
Interface "virbr*"
IgnoreSelected true
</Plugin>
LoadPlugin df
<Plugin "df">
MountPoint "/nix/store"
FSType "tmpfs"
FSType "binfmt_misc"
FSType "debugfs"
FSType "mqueue"
FSType "hugetlbfs"
FSType "systemd-1"
FSType "cgroup"
FSType "securityfs"
FSType "ramfs"
FSType "proc"
FSType "devpts"
FSType "devtmpfs"
MountPoint "/var/lib/docker/devicemapper"
IgnoreSelected true
</Plugin>
LoadPlugin cpu
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin "network">
Server "prism" "25826"
</Plugin>
'';
};
}
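Review bot: `[[inputs.ping]]` runs the system `ping` binary, and `systemd.services.telegraf.path` puts `${pkgs.iputils}` on the PATH whose `ping` is not setuid; on NixOS raw-socket ping needs the setuid wrapper or CAP_NET_RAW, so unless the telegraf service runs as root (decided by the module's user setting, not visible here) this input fails on every tick. Either put the wrappers directory ahead of `iputils` in `path` or add `serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ]` to the service. The `inputs` list also mixes the legacy `[cpu]` table with the `[[inputs.mem]]` form used by the other entries; if the pinned telegraf still accepts the legacy form it works, but `[[inputs.cpu]]` would be consistent. Probing `8.8.8.8` with both ping and dns_query at the global `interval = "1s"` from every client is a lot of external traffic; a per-input `interval` would keep only the local metrics at 1s.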


@ -0,0 +1,66 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.influxdb = {
enable = true;
};
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
http.bind-address = ":8086";
admin.bind-address = ":8083";
monitoring = {
enabled = false;
# write-interval = "24h";
};
collectd = [{
enabled = true;
typesdb = "${pkgs.collectd}/share/collectd/types.db";
database = "collectd_db";
port = 25826;
}];
};
lass.kapacitor =
let
echoToIrc = pkgs.writeDash "echo_irc" ''
set -euf
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.freenode.org 6667 prism-alarm \#krebs-bots "$data" >/dev/null
'';
in {
enable = true;
alarms = {
test2 = ''
batch
|query(${"'''"}
SELECT mean("usage_user") AS mean
FROM "${config.lass.kapacitor.check_db}"."default"."cpu"
${"'''"})
.every(3m)
.period(1m)
.groupBy('host')
|alert()
.crit(lambda: "mean" > 90)
// Whenever we get an alert write it to a file.
.log('/tmp/alerts.log')
.exec('${echoToIrc}')
'';
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
{ predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
];
services.grafana = {
enable = true;
addr = "0.0.0.0";
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
}
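Review bot: InfluxDB listens on `:8086` and the firewall admits that port from the whole retiolum interface, but no `[http] auth-enabled` is set, so every host on the VPN can read, write and drop the `collectd_db`/`telegraf_db` databases that grafana and the kapacitor alarms depend on. Suggest `http.auth-enabled = true;` with the credentials coming from a `<secrets/...>` import the way `services.grafana.security` already does, or at least binding `http.bind-address` to the retiolum address instead of all interfaces. `admin.bind-address = ":8083"` binds everywhere too and has no INPUT rule here, so it is reachable only if the default policy allows it — worth confirming. The alarm's `.log('/tmp/alerts.log')` writes to a fixed path in `/tmp`; a path under the service's state directory avoids another user pre-creating it.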


@ -3,6 +3,6 @@
{ {
krebs.build.source.nixpkgs.git = { krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
ref = "39098270855c171f0824c09d071b606ae991ff87"; ref = "5fff5a902594b34471b613eb2babcec923e1e1f1";
}; };
} }


@ -44,6 +44,10 @@ let
origin.url = "http://cgit.ni.r/${name}"; origin.url = "http://cgit.ni.r/${name}";
mirror.url = "${mirror}${name}"; mirror.url = "${mirror}${name}";
}; };
nin = {
origin.url = "http://cgit.onondaga.r/${name}";
mirror.url = "${mirror}${name}";
};
lassulus = { lassulus = {
origin.url = "http://cgit.prism/${name}"; origin.url = "http://cgit.prism/${name}";
mirror.url = "${mirror}${name}"; mirror.url = "${mirror}${name}";


@ -0,0 +1 @@
"bla"


@ -66,6 +66,7 @@ in {
"karlaskop.ubikmedia.de" "karlaskop.ubikmedia.de"
"nb.ubikmedia.de" "nb.ubikmedia.de"
"youthtube.ubikmedia.de" "youthtube.ubikmedia.de"
"joemisch.com"
]) ])
]; ];


@ -21,6 +21,14 @@ let
type = types.str; type = types.str;
default = "kapacitor"; default = "kapacitor";
}; };
alarms = mkOption {
type = with types; attrsOf str;
default = {};
};
check_db = mkOption {
type = types.str;
default = "all_data";
};
config = mkOption { config = mkOption {
type = types.str; type = types.str;
#TODO: find a good default #TODO: find a good default
@ -74,115 +82,7 @@ let
[logging] [logging]
file = "STDERR" file = "STDERR"
level = "INFO" level = "DEBUG"
[collectd]
enabled = false
bind-address = ":25826"
database = "collectd"
retention-policy = ""
batch-size = 5000
batch-pending = 10
batch-timeout = "10s"
read-buffer = 0
typesdb = "/usr/share/collectd/types.db"
[opentsdb]
enabled = false
bind-address = ":4242"
database = "opentsdb"
retention-policy = ""
consistency-level = "one"
tls-enabled = false
certificate = "/etc/ssl/influxdb.pem"
batch-size = 1000
batch-pending = 5
batch-timeout = "1s"
log-point-errors = true
[smtp]
enabled = false
host = "localhost"
port = 25
username = ""
password = ""
no-verify = false
global = false
state-changes-only = false
from = ""
idle-timeout = "30s"
[opsgenie]
enabled = false
api-key = ""
url = "https://api.opsgenie.com/v1/json/alert"
recovery_url = "https://api.opsgenie.com/v1/json/alert/note"
global = false
[victorops]
enabled = false
api-key = ""
routing-key = ""
url = "https://alert.victorops.com/integrations/generic/20131114/alert"
global = false
[pagerduty]
enabled = false
url = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
service-key = ""
global = false
[sensu]
enabled = false
addr = ""
source = "Kapacitor"
[slack]
enabled = false
url = ""
channel = ""
global = false
state-changes-only = false
[telegram]
enabled = false
url = "https://api.telegram.org/bot"
token = ""
chat-id = ""
parse-mode = ""
disable-web-page-preview = false
disable-notification = false
global = false
state-changes-only = false
[hipchat]
enabled = false
url = ""
token = ""
room = ""
global = false
state-changes-only = false
[alerta]
enabled = false
url = ""
token = ""
environment = ""
origin = ""
[reporting]
enabled = true
url = "https://usage.influxdata.com"
[stats]
enabled = true
stats-interval = "10s"
database = "_kapacitor"
retention-policy = "autogen"
timing-sample-rate = 0.1
timing-movavg-size = 1000
[udf]
[deadman] [deadman]
interval = "10s" interval = "10s"
@ -190,11 +90,6 @@ let
id = "{{ .Group }}:NODE_NAME for task '{{ .TaskName }}'" id = "{{ .Group }}:NODE_NAME for task '{{ .TaskName }}'"
message = "{{ .ID }} is {{ if eq .Level \"OK\" }}alive{{ else }}dead{{ end }}: {{ index .Fields \"emitted\" | printf \"%0.3f\" }} points/INTERVAL." message = "{{ .ID }} is {{ if eq .Level \"OK\" }}alive{{ else }}dead{{ end }}: {{ index .Fields \"emitted\" | printf \"%0.3f\" }} points/INTERVAL."
global = false global = false
[talk]
enabled = false
url = ""
author_name = ""
''; '';
description = "configuration kapacitor is started with"; description = "configuration kapacitor is started with";
}; };
@ -216,6 +111,29 @@ let
ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}"; ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}";
}; };
}; };
systemd.services.kapacitor-alarms = {
description = "kapacitor-alarms";
after = [ "kapacitor.service" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeDash "add_alarms" ''
${pkgs.kapacitor}/bin/kapacitor delete tasks \*
${concatStrings (mapAttrsToList (name: alarm: ''
${pkgs.kapacitor}/bin/kapacitor define ${name} \
-type batch \
-tick ${pkgs.writeText "${name}.tick" alarm} \
-dbrp ${cfg.check_db}.default
${pkgs.kapacitor}/bin/kapacitor enable ${name}
'') cfg.alarms)}
'';
};
};
}; };
in out in out
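Review bot: In the `@ -216,6 +111,29` hunk the `add_alarms` script interpolates `${name}` and `${cfg.check_db}` into shell words unquoted, and `writeText "${name}.tick"` puts the attribute name into a store path; an alarm named with spaces or shell metacharacters breaks the script or executes them. The fetchWallpaper module in this same merge uses `shell.escape` for exactly this, so `kapacitor define ${shell.escape name}` and `-dbrp ${shell.escape "${cfg.check_db}.default"}` would be consistent, and a leading `set -eu` would stop the script when `delete tasks` fails instead of silently continuing. `after = [ "kapacitor.service" ]` without `requires`/`wants` only orders the oneshot relative to kapacitor when both are started, and nothing here shows kapacitord signalling readiness, so the `define` calls may race its startup. The new `alarms` and `check_db` options (and `outputs`, `inputs`, `interval` in the telegraf module of this commit) have no `description`; e.g. `description = "TICK scripts to define as batch tasks, keyed by task name";`.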


@ -21,26 +21,43 @@ let
type = types.str; type = types.str;
default = "telegraf"; default = "telegraf";
}; };
outputs = mkOption {
type = types.str;
default = ''
[outputs.influxdb]
urls = ["http://localhost:8086"]
database = "telegraf_db"
user_agent = "telegraf"
'';
};
inputs = mkOption {
type = with types; listOf str;
default = [
''
[cpu]
percpu = false
totalcpu = true
drop = ["cpu_time"]
''
];
};
interval = mkOption {
type = types.str;
default = "10s";
};
config = mkOption { config = mkOption {
type = types.str; type = types.str;
#TODO: find a good default #TODO: find a good default
default = '' default = ''
[agent] [agent]
interval = "1s" interval = "${cfg.interval}"
[outputs] [outputs]
# Configuration to send data to InfluxDB. ${cfg.outputs}
[outputs.influxdb]
urls = ["http://localhost:8086"] ${concatStringsSep "\n" cfg.inputs}
database = "kapacitor_example"
user_agent = "telegraf"
# Collect metrics about cpu usage
[cpu]
percpu = false
totalcpu = true
drop = ["cpu_time"]
''; '';
description = "configuration telegraf is started with"; description = "configuration telegraf is started with";
}; };
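Review bot: The `inputs` default keeps the legacy `[cpu]` table form while the client config added in this merge writes `[[inputs.mem]]`-style tables, so the module's own default and its first caller disagree on syntax; if the pinned telegraf still accepts the legacy form both work, but `[[inputs.cpu]]` in the default would match current telegraf documentation. `${cfg.outputs}` and `${concatStringsSep "\n" cfg.inputs}` are spliced in verbatim, so both options are really TOML fragments rather than values, and their (missing) `description` should say so, e.g. `description = "TOML fragment placed under the [outputs] header";` and `description = "TOML fragments, one per input plugin";`. The `config` option's `default` still carries the `#TODO: find a good default` comment even though it is now assembled from the other options.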


@ -11,6 +11,7 @@ with lib;
../. ../.
<nixpkgs/nixos/modules/installer/scan/not-detected.nix> <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/git.nix
]; ];
krebs.build.host = config.krebs.hosts.hiawatha; krebs.build.host = config.krebs.hosts.hiawatha;
@ -76,15 +77,13 @@ with lib;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
firefox firefox
git
networkmanagerapplet
python
steam steam
thunderbird thunderbird
vim vim
git
hexchat
networkmanagerapplet
python
virtmanager virtmanager
libvirt
]; ];
nixpkgs.config = { nixpkgs.config = {


@ -10,6 +10,7 @@
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/weechat.nix ../2configs/weechat.nix
../2configs/git.nix
]; ];
krebs.build.host = config.krebs.hosts.onondaga; krebs.build.host = config.krebs.hosts.onondaga;


@ -46,6 +46,12 @@ with import <stockholm/lib>;
SSL_CERT_FILE = ca-bundle; SSL_CERT_FILE = ca-bundle;
}; };
}) })
{
nix = {
binaryCaches = ["http://cache.prism.r"];
binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
};
}
]; ];
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;
@ -58,7 +64,10 @@ with import <stockholm/lib>;
user = config.krebs.users.nin; user = config.krebs.users.nin;
source = let inherit (config.krebs.build) host; in { source = let inherit (config.krebs.build) host; in {
nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix"; nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix";
secrets.file = "/home/nin/secrets/${host.name}"; secrets.file =
if getEnv "dummy_secrets" == "true"
then toString <stockholm/nin/6tests/dummysecrets>
else "/home/nin/secrets/${host.name}";
stockholm.file = getEnv "PWD"; stockholm.file = getEnv "PWD";
}; };
}; };
@ -82,11 +91,14 @@ with import <stockholm/lib>;
# multiple-definition-problem when defining environment.variables.EDITOR # multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = '' environment.extraInit = ''
EDITOR=vim EDITOR=vim
MANPAGER=most
''; '';
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
environment.shellAliases = {
gs = "git status";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
#stockholm #stockholm
git git
@ -95,6 +107,7 @@ with import <stockholm/lib>;
proot proot
populate populate
p7zip p7zip
termite
unzip unzip
unrar unrar
hashPassword hashPassword
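Review bot: `nix.binaryCaches = ["http://cache.prism.r"]` in the `@ -46,6 +46,12` hunk replaces the option's default rather than adding to it, and `binaryCachePublicKeys` likewise drops the default cache.nixos.org key, so after this change these hosts fetch only from prism and build everything prism does not carry from source. If that is not intended, list both caches, `binaryCaches = [ "https://cache.nixos.org/" "http://cache.prism.r" ];`, together with both keys. The prism URL is plain http, which is acceptable only because every path is verified against `binaryCachePublicKeys`; that holds while `nix.requireSignedBinaryCaches` stays at its default, which this hunk does not touch.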

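--- /dev/null
+++ b/nin/2configs/git.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+let
+out = {
+krebs.git = {
+enable = true;
+cgit = {
+settings = {
+root-title = "public repositories at ${config.krebs.build.host.name}";
+root-desc = "keep calm and engage";
+};
+};
+repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+rules = rules;
+};
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+];
+};
+repos = public-repos;
+rules = concatMap make-rules (attrValues repos);
+public-repos = mapAttrs make-public-repo {
+stockholm = {
+cgit.desc = "take all the computers hostage, they'll love you!";
+};
+};
+make-public-repo = name: { cgit ? {}, ... }: {
+inherit cgit name;
+public = true;
+hooks = {
+post-receive = pkgs.git-hooks.irc-announce {
+# TODO make nick = config.krebs.build.host.name the default
+nick = config.krebs.build.host.name;
+channel = "#retiolum";
+server = "ni.r";
+verbose = config.krebs.build.host.name == "onondaga";
+# TODO define branches in some kind of option per repo
+branches = [ "master" ];
+};
+};
+};
+make-rules =
+with git // config.krebs.users;
+repo:
+singleton {
+user = [ nin ];
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+} ++
+optional repo.public {
+user = attrValues config.krebs.users;
+repo = [ repo ];
+perm = fetch;
+} ++
+optional (length (repo.collaborators or []) > 0) {
+user = repo.collaborators;
+repo = [ repo ];
+perm = fetch;
+};
+in out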
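Review bot: In `make-rules` the collaborators rule grants only `fetch`, the same permission the preceding rule already gives every krebs user on a public repo, so for the one repo defined here (`stockholm`, `public = true`) the third rule adds nothing; if collaborators were meant to push, the perm has to say so, and if not, the rule can go. The two `# TODO` comments are carried over from lass's version of this file and read as open work items; either resolve them or note whose they are. `repos` is stripped of `collaborators` before being handed to `krebs.git.repos`, which is correct but deserves a one-line comment such as `# collaborators is consumed by make-rules only; it is not a krebs.git repo attribute`.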


@ -0,0 +1 @@
{}
