authorlassulus <lass@aidsballs.de>2016-11-27 15:46:12 +0100
committerlassulus <lass@aidsballs.de>2016-11-27 15:46:12 +0100
commit0ae17234e37042af1548b2effe1486c64f404993 (patch)
tree2074ec31a47a4094708edf29e6d5a9de8716c359
parenta5c6edac90da0cbfe3d60ee8c920256f9e0f6738 (diff)
parent78b4901cdf6bb6bce8c2a7890376734cbbd9291b (diff)
Merge remote-tracking branch 'gum/master'
-rw-r--r--makefu/1systems/sdev.nix56
-rw-r--r--makefu/2configs/elchos/search.nix211
-rw-r--r--makefu/5pkgs/elchhub/default.nix35
-rw-r--r--shared/1systems/wolf.nix2
4 files changed, 303 insertions, 1 deletions
diff --git a/makefu/1systems/sdev.nix b/makefu/1systems/sdev.nix
new file mode 100644
index 00000000..233f7cef
--- /dev/null
+++ b/makefu/1systems/sdev.nix
@@ -0,0 +1,56 @@
+{ lib, config, pkgs, ... }:
+{
+ krebs.build.host = config.krebs.hosts.sdev;
+ makefu.awesome.modkey = "Mod1";
+ imports =
+ [ # Include the results of the hardware scan.
+ ../.
+ (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
+ (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
+ ../2configs/main-laptop.nix #< base-gui
+ # <secrets/extra-hosts.nix>
+
+ # environment
+ ../2configs/tinc/retiolum.nix
+
+ ];
+ # workaround for https://github.com/NixOS/nixpkgs/issues/16641
+ services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
+
+ nixpkgs.config.allowUnfree = true;
+
+ # allow sdev to deploy self
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
+ };
+ };
+
+ environment.systemPackages = with pkgs;[
+ ppp xclip
+ get
+ passwdqc-utils
+ docker
+ gnupg
+ populate
+ (pkgs.writeScriptBin "tor-browser" ''
+ #! /bin/sh
+ TOR_SKIP_LAUNCH=1 ${torbrowser}/bin/tor-browser
+ '')
+ ];
+
+ virtualisation.docker.enable = true;
+
+ networking.firewall.allowedTCPPorts = [
+ 25
+ 80
+ 8010
+ ];
+
+ fileSystems."/media/share" = {
+ fsType = "vboxsf";
+ device = "share";
+ options = [ "rw" "uid=9001" "gid=9001" ];
+ };
+
+}
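Review bot: `networking.firewall.allowedTCPPorts = [ 25 80 8010 ]` opens three ports without any comment on which service on this VM listens on them; nothing visible in this hunk binds 25 or 8010, so a reader cannot tell whether the rules are still needed. A per-port comment such as `25 # <service> — TODO confirm` would make the exposure auditable, and any port without a consumer should be dropped. The `tor-browser` wrapper sets `TOR_SKIP_LAUNCH=1`, which appears to skip the bundled tor launch; a comment stating which tor instance the browser is expected to reach would help, since no tor service is enabled in this file. The `/media/share` mount hard-codes `uid=9001`/`gid=9001` — a comment naming the account those ids belong to would keep the ownership intent visible.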
diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix
new file mode 100644
index 00000000..5adaa0c6
--- /dev/null
+++ b/makefu/2configs/elchos/search.nix
@@ -0,0 +1,211 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with import <stockholm/lib>;
+let
+ #primary-itf = "eth0";
+ primary-itf = "wlp2s0";
+ elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock";
+ ddclientUser = "ddclient";
+ sec = toString <secrets>;
+ nsupdate = import "${sec}/nsupdate-search.nix";
+ stateDir = "/var/spool/ddclient";
+ cfg = "${stateDir}/cfg";
+ ddclientPIDFile = "${stateDir}/ddclient.pid";
+
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ # TODO: correct cert generation requires a `real` internet ip address
+ stats-dom = "stats.nsupdate.info";
+ search-dom = "search.nsupdate.info";
+ search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem";
+ search_ssl_key = "${acmepath}/${search-dom}/key.pem";
+ stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem";
+ stats_ssl_key = "${acmepath}/${stats-dom}/key.pem";
+
+ gen-cfg = dict: ''
+ ssl=yes
+ cache=${stateDir}/ddclient.cache
+ pid=${ddclientPIDFile}
+ ${concatStringsSep "\n" (mapAttrsToList (user: pass: ''
+
+ use=if, if=${primary-itf}
+ protocol=dyndns2, server=ipv4.nsupdate.info, login=${user}, password='${pass}' ${user}
+ #usev6=if, if=${primary-itf}
+ #protocol=dyndns2, server=ipv6.nsupdate.info, login=${user}, password='${pass}' ${user}
+ '') dict)}
+ '';
+
+in {
+ users.extraUsers = singleton {
+ name = ddclientUser;
+ uid = genid "ddclient";
+ description = "ddclient daemon user";
+ home = stateDir;
+ createHome = true;
+ };
+ services.redis.enable = mkForce true;
+ services.redis.bind = "127.0.0.1";
+
+ services.uwsgi = {
+ enable = true;
+ user = "nginx";
+ plugins = [ "python3" ];
+ instance = {
+ type = "emperor";
+ vassals = {
+ elchhub = {
+ type = "normal";
+ pythonPackages = self: with self; [ pkgs.elchhub ];
+ socket = elch-sock;
+ };
+ };
+ };
+ };
+
+ security.acme.certs = {
+ "${stats-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${stats-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains = {
+ "${stats-dom}" = null ;
+ };
+ };
+ "${search-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${search-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains = {
+ "${stats-dom}" = null ;
+ };
+ };
+ };
+
+ krebs.nginx = {
+ enable = mkDefault true;
+ servers = {
+ elch-stats = {
+ server-names = [ stats-dom ];
+ # listen = [ "80" "443 ssl" ];
+ ssl = {
+ enable = true;
+ certificate = stats_ssl_cert;
+ certificate_key = stats_ssl_key;
+ force_encryption = true;
+ };
+
+ locations = [
+ (nameValuePair "/" ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:3000/;
+ '')
+ (nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${search-dom}/;
+ '')
+ ];
+ };
+ elchhub = {
+ server-names = [ "search.nsupdate.info" ];
+ # listen = [ "80" "443 ssl" ];
+ ssl = {
+ enable = true;
+ certificate = search_ssl_cert;
+ certificate_key = search_ssl_key;
+ force_encryption = true;
+ };
+ locations = [ (nameValuePair "/" ''
+ uwsgi_pass unix://${elch-sock};
+ uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages};
+ uwsgi_param UWSGI_MODULE elchhub.wsgi;
+ uwsgi_param UWSGI_CALLABLE app;
+
+ include ${pkgs.nginx}/conf/uwsgi_params;
+ '')
+ (nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${search-dom}/;
+ '')
+ ];
+ };
+ };
+ };
+
+ systemd.services = {
+ redis.serviceConfig.LimitNOFILE=10032;
+ elchos-ftp-scanner = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ip-up.target" ];
+ serviceConfig = {
+ User = "nginx";
+ ExecStart = "${pkgs.elchhub}/bin/elch-manager";
+ };
+ };
+ register-elchos-nsupdate = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ip-up.target" ];
+ serviceConfig = {
+ Type = "forking";
+ User = ddclientUser;
+ PIDFile = ddclientPIDFile;
+ ExecStartPre = pkgs.writeDash "init-nsupdate" ''
+ cp -vf ${pkgs.writeText "ddclient-config" (gen-cfg nsupdate)} ${cfg}
+ chmod 700 ${cfg}
+ '';
+ ExecStart = "${pkgs.ddclient}/bin/ddclient -verbose -daemon 1 -noquiet -file ${cfg}";
+ };
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "127.0.0.1";
+ users.allowSignUp = false;
+ users.allowOrgCreate = false;
+ users.autoAssignOrg = false;
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ port = 8080;
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 500
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [elchos]
+ patterhn = ^elchos\.
+ retentions = 10s:30d,60s:3y
+
+ [default]
+ pattern = .*
+ retentions = 30s:30d,300s:1y
+ '';
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 2003 80 443 ];
+ allowedUDPPorts = [ 2003 ];
+ };
+}
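Review bot: `ExecStartPre` of `register-elchos-nsupdate` renders the ddclient config, including the nsupdate passwords pulled from `<secrets>`, through `pkgs.writeText`, so the plaintext credentials end up in a world-readable `/nix/store` path and the `chmod 700 ${cfg}` on the copy does not protect them; rendering the config at service start from a file deployed outside the store (or reading the passwords from such a file) would keep them off the store, and `cp -vf` additionally echoes the store path into the journal. Separately, `patterhn = ^elchos\.` in `storageSchemas` is a typo, so the `[elchos]` section has no pattern and those metrics presumably fall through to the `[default]` retention; it should read `pattern = ^elchos\.`. The ACME challenge location of `elch-stats` serves `root ${acmechall}/${search-dom}/;` while the `${stats-dom}` certificate's `webroot` is `${acmechall}/${stats-dom}/`; the two should agree or the standalone stats certificate will not validate. `acmechall = acmepath + "/challenges/"` also yields a doubled slash since `acmepath` already ends in `/`.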
diff --git a/makefu/5pkgs/elchhub/default.nix b/makefu/5pkgs/elchhub/default.nix
new file mode 100644
index 00000000..a4fb8604
--- /dev/null
+++ b/makefu/5pkgs/elchhub/default.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, fetchFromGitHub, ... }:
+
+with pkgs.python3Packages;
+let
+ ftputil = buildPythonPackage rec {
+ version = "3.3.1";
+ name = "ftputil-${version}";
+ doCheck = false;
+ src = pkgs.fetchurl {
+ url = "mirror://pypi/f/ftputil/${name}.tar.gz";
+ sha256 = "bc88f35cc7f5f292ec4b56e99c8b05d361de1cc8b330050e32b0c4ecaa2d2b01";
+ };
+};
+in buildPythonPackage rec {
+ name = "elchhub-${version}";
+ version = "1.0.5";
+ propagatedBuildInputs = [
+ flask
+ requests2
+ ftputil
+ redis
+ ];
+ doCheck = false;
+ src = fetchFromGitHub {
+ owner = "krebscode";
+ repo = "elchhub";
+ rev = "2f499c1";
+ sha256 = "1lbql3lx7i3ynsjanfy9vln6795rb56n9xq9vkb7xbml60gmn1wg";
+ };
+ meta = {
+ homepage = https://github.com/krebscode/elchhub;
+ description = "elchhub";
+ license = lib.licenses.wtfpl;
+ };
+}
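Review bot: `rev = "2f499c1"` pins the upstream source by an abbreviated commit id; the `sha256` fixes the fetched content, but a 7-hex prefix may become ambiguous as the repository grows, at which point the fetch fails rather than silently changing. Use the full 40-character commit hash of that revision, `rev = "<full-commit-hash-of-2f499c1>"`. Both derivations set `doCheck = false` without a comment; a one-line reason (for example `# tests need network access`, if that is the case) would record why the test suites are skipped.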
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 8b097653..ce3c63f2 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -25,10 +25,10 @@ in
services.grafana = {
enable = true;
addr = "0.0.0.0";
- extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
users.allowSignUp = true;
users.allowOrgCreate = true;
users.autoAssignOrg = true;
+ auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>;
};
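Review bot: `auth.anonymous.enable = true` is added alongside `users.allowSignUp = true`, `users.allowOrgCreate = true` and `addr = "0.0.0.0"` in the surrounding context, so the instance now admits unauthenticated viewers on all interfaces while also letting anyone register and create organisations; if this is a shared test host that may be intended, but a comment stating so (`# shared test host: anonymous read access is deliberate`) would save the next reader the question. The anonymous organisation role is left at the module default; setting it explicitly documents what anonymous users may do. The enclosing attribute set of the file continues outside the hunk.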