From 69ead6d8cfb05590079cfe0d6ba4ec66b59fcffb Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:14:07 +0200
Subject: [PATCH 1/5] cd nginx: enable https
---
 tv/1systems/cd.nix | 54 +++++++++++++++++++++++++++++++++++-----------
 1 file changed, 42 insertions(+), 12 deletions(-)
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4d9..75c19008a 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -44,20 +44,50 @@ with config.krebs.lib;
 "cgit.cd.viljetic.de"
 ];
 # TODO make public_html also available to cd, cd.retiolum (AKA default)
- krebs.nginx.servers.public_html = {
- server-names = singleton "cd.viljetic.de";
- locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '');
- };
- krebs.nginx.servers.viljetic = {
+ krebs.nginx.servers."https://viljetic.de" = {
 server-names = singleton "viljetic.de";
- # TODO directly set root (instead via location)
- locations = singleton (nameValuePair "/" ''
- root ${pkgs.viljetic-pages};
- '');
+ listen = mkForce []; # disable default
+ ssl = {
+ enable = true;
+ certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+ };
+ locations = [
+ (nameValuePair "/" ''
+ root ${pkgs.viljetic-pages};
+ '')
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
 };
- tv.iptables.input-internet-accept-tcp = singleton "http";
+ krebs.nginx.servers."http://viljetic.de" = {
+ server-names = singleton "viljetic.de";
+ locations = [
+ (nameValuePair "/.well-known/acme-challenge/" ''
+ root /var/lib/acme/challenges/viljetic.de/;
+ '')
+ (nameValuePair "/" ''
+ return 301 https://viljetic.de$request_uri;
+ '')
+ ];
+ };
+ security.acme = {
+ certs."viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ webroot = "/var/lib/acme/challenges/viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ };
+ };
+ tv.iptables.input-internet-accept-tcp = [
+ "http"
+ "https"
+ ];
 }
 ];
From 7c68b926aeb6ae38b21e5b7a23bb46ddf402bea9 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:26:01 +0200
Subject: [PATCH 2/5] Revert "tv nginx: define events"
This reverts commit 9962ba1036945652c1b1cfd661d92377b4dc691e.
---
 tv/2configs/nginx/default.nix | 4 ----
 1 file changed, 4 deletions(-)
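Review bot: The new `https://viljetic.de` server configures the certificate paths but sends no HSTS header, so a client that starts from the plain-http entry point is only protected by the 301 on each visit; add `add_header Strict-Transport-Security "max-age=31536000" always;` to the `/` location (or the server's extra config, if the krebs.nginx module exposes one) once the redirect is confirmed working. `listen = mkForce []` removes the default listener and nothing in this hunk shows the port-443 listener that `ssl.enable = true` is presumably expected to add, which is worth confirming since the iptables rule now opens `https` to the internet. `security.acme` runs as `user = "nginx"`, making the web server's worker user the owner of `account_key.json` and `key.pem`; that is what the webroot flow needed at the time, but it means a compromised nginx can issue certificates for the domain, so consider a dedicated acme user that shares only the challenge directory. The module element this hunk edits starts and ends outside the hunk.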
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 70e25e2e5..d0d07d5ca 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,10 +4,6 @@ with config.krebs.lib;
 {
 krebs.nginx = {
- extraConfig = ''
- events {
- }
- '';
 servers.default.locations = [
 (nameValuePair "= /etc/os-release" ''
 default_type text/plain;
From 99136e1764d5eb0d2e04252af7097062e6aaaa0b Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:30:46 +0200
Subject: [PATCH 3/5] tv: define journald default extraConfig
---
 tv/1systems/cd.nix | 5 -----
 tv/1systems/mu.nix | 5 -----
 tv/1systems/wu.nix | 5 -----
 tv/1systems/xu.nix | 5 -----
 tv/2configs/default.nix | 7 +++++++
 5 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 75c19008a..2120134cc 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -112,9 +112,4 @@ with config.krebs.lib;
 rxvt_unicode.terminfo
 tcpdump
 ];
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
 }
diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix
index ec208a0bd..e7908e299 100644
--- a/tv/1systems/mu.nix
+++ b/tv/1systems/mu.nix
@@ -157,11 +157,6 @@ with config.krebs.lib;
 ];
 };
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
 # see tmpfiles.d(5)
 systemd.tmpfiles.rules = [
 "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index d115e274b..645cda61f 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -164,11 +164,6 @@ with config.krebs.lib;
 services.printing.enable = true;
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
 # see tmpfiles.d(5)
 systemd.tmpfiles.rules = [
 "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 7277f5cb7..1cd1df1ac 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -176,11 +176,6 @@ with config.krebs.lib;
 services.printing.enable = true;
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
 # see tmpfiles.d(5)
 systemd.tmpfiles.rules = [
 "d /tmp 1777 root root - -" # does this work with mounted /tmp?
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dcc3edd82..0f6258139 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -168,6 +168,13 @@ with config.krebs.lib;
 tv.iptables.accept-echo-request = "internet";
 }
+ {
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ }
+
 {
 services.openssh = {
 enable = true;
From fa14575ce2fbcf0fd7f1df4934b54c19d34401b5 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:35:34 +0200
Subject: [PATCH 4/5] tv: use timesyncd
---
 tv/1systems/cd.nix | 1 -
 tv/1systems/nomic.nix | 1 -
 tv/1systems/wu.nix | 1 -
 tv/1systems/xu.nix | 1 -
 tv/2configs/default.nix | 1 +
 5 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 2120134cc..2ad4a1505 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -108,7 +108,6 @@ with config.krebs.lib;
 iotop
 iptables
 nethogs
- ntp # ntpate
 rxvt_unicode.terminfo
 tcpdump
 ];
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 3696bcdfc..5415e50b1 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -60,7 +60,6 @@ with config.krebs.lib;
 esac
 '')
 gnupg
- ntp # ntpate
 rxvt_unicode.terminfo
 tmux
 ];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 645cda61f..a2e113e18 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -29,7 +29,6 @@ with config.krebs.lib;
 # root
 cryptsetup
- ntp # ntpate
 # tv
 bc
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 1cd1df1ac..b832470d0 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -41,7 +41,6 @@ with config.krebs.lib;
 # root
 cryptsetup
- ntp # ntpate
 # tv
 bc
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 0f6258139..a9ba1eadd 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -153,6 +153,7 @@ with config.krebs.lib;
 services.cron.enable = false;
 services.nscd.enable = false;
 services.ntp.enable = false;
+ services.timesyncd.enable = true;
 }
 {
From 0c72da81cc58dcb68ae079901fae464249e5cec3 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 7 Jul 2016 22:31:50 +0200
Subject: [PATCH 5/5] zu: init
---
 krebs/3modules/tv/default.nix | 31 +++++
 tv/1systems/zu.nix | 229 ++++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
 create mode 100644 tv/1systems/zu.nix
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 2d18a7e8d..075066961 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
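Review bot: `services.timesyncd.enable = true` swaps ntpd for systemd's SNTP client, which uses whatever server list the NixOS module defaults to (not visible in this hunk) and has no authentication of the time source. Because the earlier commits in this series make `cd` terminate TLS and renew ACME certificates, clock skew there now has security consequences (certificate validity windows, renewal timing), so set `services.timesyncd.servers` explicitly to a server set you control or trust rather than relying on the default pool. The removal of the `ntp # ntpate` package on each host is fine as long as no script on those hosts still shells out to `ntpdate`. The enclosing module element starts and ends outside the hunk.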
@@ -358,6 +358,37 @@ with config.krebs.lib;
 ssh.privkey.path = ;
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
 };
+ zu = {
+ cores = 4;
+ nets = {
+ #gg23 = {
+ # ip4.addr = "";
+ # aliases = ["zu.gg23"];
+ # ssh.port = 11423;
+ #};
+ retiolum = {
+ ip4.addr = "10.243.13.40";
+ ip6.addr = "42:0:0:0:0:0:0:1340";
+ aliases = [
+ "zu.r"
+ "zu.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
+ idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
+ BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
+ OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
+ /NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
+ b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ secure = true;
+ ssh.privkey.path = ;
+ ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
+ };
 };
 users = {
 mv = {
diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix
new file mode 100644
index 000000000..bfc018cc3
--- /dev/null
+++ b/tv/1systems/zu.nix
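Review bot: The new `zu` entry registers an `ssh-rsa` host key while the neighbouring `xu` entry (context lines above) uses `ssh-ed25519`; if the key was generated for this commit, an Ed25519 host key would be the consistent choice, and the RSA one looks 4096-bit from its length so it is not weak, just inconsistent. `ssh.privkey.path = ;` shows no value for both `xu` and `zu` in this rendering — most likely a `<...>` path literal stripped by page extraction rather than a real syntax error, but worth checking the committed file, since an empty path here would break the secrets deployment for the host. The commented `gg23` block with `ip4.addr = ""` and `ssh.port = 11423` is placeholder state in a host registry; either fill it in when the network exists or drop it, so it cannot be uncommented later with an empty address. The enclosing `hosts` attrset starts and ends outside the hunk.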
@@ -0,0 +1,229 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.build.host = config.krebs.hosts.zu;
+
+ imports = [
+ {
+ options.tv.test.sercret-file = mkOption {
+ type = types.secret-file;
+ default = {};
+ };
+ }
+ ../.
+ ../2configs/hw/x220.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/git.nix
+ ../2configs/mail-client.nix
+ ../2configs/man.nix
+ ../2configs/nginx/public_html.nix
+ ../2configs/pulse.nix
+ ../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
+ ../2configs/xserver
+ {
+ environment.systemPackages = with pkgs; [
+
+ # stockholm
+ gnumake
+ hashPassword
+ haskellPackages.lentil
+ parallel
+ (pkgs.writeBashBin "im" ''
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+
+ # root
+ cryptsetup
+
+ # tv
+ bc
+ bind # dig
+ cac-api
+ dic
+ file
+ gnupg1compat
+ haskellPackages.hledger
+ htop
+ jq
+ mkpasswd
+ netcat
+ nix-repl
+ nmap
+ p7zip
+ pass
+ q
+ qrencode
+ # XXX fails at systemd.services.dbus.unitConfig
+ #texlive
+ tmux
+
+ #ack
+ #apache-httpd
+ #ascii
+ #emacs
+ #es
+ #esniper
+ #gcc
+ #gptfdisk
+ #graphviz
+ #haskellPackages.cabal2nix
+ #haskellPackages.ghc
+ #haskellPackages.shake
+ #hdparm
+ #i7z
+ #iftop
+ #imagemagick
+ #inotifyTools
+ #iodine
+ #iotop
+ #lshw
+ #lsof
+ #minicom
+ #mtools
+ #ncmpc
+ #nethogs
+ #nix-prefetch-scripts #cvs bug
+ #openssl
+ #openswan
+ #parted
+ #perl
+ #powertop
+ #ppp
+ #proot
+ #pythonPackages.arandr
+ #pythonPackages.youtube-dl
+ #racket
+ #rxvt_unicode-with-plugins
+ #scrot
+ #sec
+ #silver-searcher
+ #sloccount
+ #smartmontools
+ #socat
+ #sshpass
+ #strongswan
+ #sysdig
+ #sysstat
+ #tcpdump
+ #tlsdate
+ #unetbootin
+ #utillinuxCurses
+ #wvdial
+ #xdotool
+ #xkill
+ #xl2tpd
+ #xsel
+
+ unison
+ ];
+ }
+ ];
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ { name = 
"zuca"; device = "/dev/sda2"; }
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/zuvga-root";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/home" = {
+ device = "/dev/mapper/zuvga-home";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
+ };
+ };
+
+ nixpkgs.config.chromium.enablePepperFlash = true;
+
+ #hardware.bumblebee.enable = true;
+ #hardware.bumblebee.group = "video";
+ hardware.enableAllFirmware = true;
+ #hardware.opengl.driSupport32Bit = true;
+
+ environment.systemPackages = with pkgs; [
+ ethtool
+ tinc_pre
+ iptables
+ #jack2
+
+ gptfdisk
+ ];
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ ];
+
+ services.printing.enable = true;
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ #services.bitlbee.enable = true;
+ #services.tor.client.enable = true;
+ #services.tor.enable = true;
+ #services.virtualboxHost.enable = true;
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+#/*
+#{ host api.doraemon.sg.zalora.net | awk '{print$4" api.zalora.sg"}';
+# host bob.live.sg.zalora.net | awk '{print$4" bob.zalora.sg"}';
+# host www.live.sg.zalora.net | awk '{print$4" www.zalora.sg costa.zalora.sg"}'; }
+#*/
+# networking.extraHosts = optionalString (1 == 1) ''
+#54.255.133.72 api.zalora.sg
+#52.77.12.194 bob.zalora.sg
+#52.74.232.49 www.zalora.sg costa.zalora.sg
+# '';
+
+
+ #services.elasticsearch.enable = true;
+ #services.kibana.enable = true;
+ #services.logstash.enable = true;
+
+ environment.etc."ssh/ssh_config".text = mkForce ''
+ AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+
+ ${optionalString config.programs.ssh.setXAuthLocation ''
+ XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
+ ''}
+
+ ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
+
+ # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
+ #PubkeyAcceptedKeyTypes +ssh-dss
+
+ ${config.programs.ssh.extraConfig}
+ '';
+
+}
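Review bot: `nixpkgs.config.chromium.enablePepperFlash = true` pulls the proprietary Flash plugin into Chromium on a host whose registry entry in this same commit is marked `secure = true`; Flash is a frequent exploit target and nothing else in this file depends on it, so drop the line or keep it behind an explicit opt-in. The `environment.etc."ssh/ssh_config".text = mkForce ''…''` block replaces the module-generated client config wholesale, and its comment `# Allow DSA keys for now.` contradicts the directive beneath it, which is commented out — DSA is in fact disabled, which is the better state, so replace the pair with `# DSA host/user keys stay disabled (deprecated in OpenSSH 7.0).` and be aware that `mkForce` also silently discards any option the NixOS module would add in a later release. `options.tv.test.sercret-file` (typo for "secret") declares a throwaway test option with `type = types.secret-file` inside a production host file; move it to a test module or delete it before this host is deployed. The commented `networking.extraHosts` block with third-party internal hostnames and the `optionalString (1 == 1)` guard is dead code and should be removed rather than carried into a new file.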