authortv <tv@krebsco.de>2017-07-14 00:17:58 +0200
committertv <tv@krebsco.de>2017-07-14 00:21:02 +0200
commit58380c82848c3db0bd6c3d74904153f3464c2098 (patch)
treedcefa424c037ef13edba18967143b3290dc739cb /krebs/2configs
parentc213968c44befe32f115ec0122accebdabd89582 (diff)
merge shared into krebs
Diffstat (limited to 'krebs/2configs')
-rw-r--r--krebs/2configs/central-stats-client.nix68
-rw-r--r--krebs/2configs/cgit-mirror.nix45
-rw-r--r--krebs/2configs/collectd-base.nix41
-rw-r--r--krebs/2configs/default.nix51
-rw-r--r--krebs/2configs/graphite.nix93
-rw-r--r--krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix47
-rw-r--r--krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix47
-rw-r--r--krebs/2configs/repo-sync.nix31
-rw-r--r--krebs/2configs/save-diskspace.nix11
-rw-r--r--krebs/2configs/shack/bincache.nix6
-rw-r--r--krebs/2configs/shack/drivedroid.nix49
-rw-r--r--krebs/2configs/shack/mqtt_sub.nix34
-rw-r--r--krebs/2configs/shack/muell_caller.nix41
-rw-r--r--krebs/2configs/shack/nix-cacher.nix31
-rw-r--r--krebs/2configs/shack/radioactive.nix35
-rw-r--r--krebs/2configs/shack/share.nix38
-rw-r--r--krebs/2configs/shack/worlddomination.nix67
-rw-r--r--krebs/2configs/shared-buildbot.nix178
-rw-r--r--krebs/2configs/temp/dirs.nix1
-rw-r--r--krebs/2configs/temp/networking.nix1
20 files changed, 915 insertions, 0 deletions
diff --git a/krebs/2configs/central-stats-client.nix b/krebs/2configs/central-stats-client.nix
new file mode 100644
index 00000000..0412eba9
--- /dev/null
+++ b/krebs/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "stats.makefu.r" "25826"
+ </Plugin>
+
+ LoadPlugin curl
+ <Plugin curl>
+ <Page "smarthome">
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+ </Page>
+ </Plugin>
+ '';
+ };
+}
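Review bot: The `<Plugin "network">` block sends every metric to `stats.makefu.r` with no `SecurityLevel`, so the data is neither authenticated nor encrypted at the collectd layer. If that link is not already confined to the VPN (not visible in this hunk), the `Server` entry could become a block carrying `SecurityLevel Encrypt` with `Username`/`Password` taken from a secrets file. Two smaller things in the same `extraConfig`: `LoadPlugin df` appears twice, and `URL "http://smarthome.shack/";` ends in a `;` that, as far as I know, is not part of collectd's config syntax.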
diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix
new file mode 100644
index 00000000..c2326a5c
--- /dev/null
+++ b/krebs/2configs/cgit-mirror.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ rules = with git; singleton {
+ user = [ wolf-repo-sync ];
+ repo = [ stockholm-mirror ];
+ perm = push ''refs/*'' [ non-fast-forward create delete merge ];
+ };
+
+ stockholm-mirror = {
+ public = true;
+ name = "stockholm-mirror";
+ cgit.desc = "mirror for all stockholm branches";
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ nick = config.networking.hostName;
+ verbose = false;
+ channel = "#retiolum";
+ server = "ni.r";
+ };
+ };
+ };
+
+ wolf-repo-sync = {
+ name = "wolf-repo-sync";
+ mail = "spam@krebsco.de";
+ # TODO put git-sync pubkey somewhere more appropriate
+ pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf'';
+ };
+
+in {
+ krebs.users.wolf-repo-sync = wolf-repo-sync;
+ krebs.git = {
+ enable = true;
+ cgit = {
+ settings = {
+ root-title = "Shared Repos";
+ root-desc = "keep on krebsing";
+ };
+ };
+ inherit rules;
+ repos.stockholm-mirror = stockholm-mirror;
+ };
+}
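Review bot: The rule for `wolf-repo-sync` grants `push ''refs/*''` with `non-fast-forward` and `delete`, so whoever holds the single private key behind the inline `pubkey` can rewrite or remove any ref in `stockholm-mirror`. A mirror job may well need that, but it deserves a comment above `rules` saying so, e.g. `# sync job force-updates every branch; this key must not be reused elsewhere`. The `# TODO put git-sync pubkey somewhere more appropriate` is worth resolving in the same pass so the key is managed alongside the other user keys rather than in this file.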
diff --git a/krebs/2configs/collectd-base.nix b/krebs/2configs/collectd-base.nix
new file mode 100644
index 00000000..440f83fc
--- /dev/null
+++ b/krebs/2configs/collectd-base.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: krebs.collectd.plugins
+with import <stockholm/lib>;
+let
+ connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" ''
+ LoadPlugin python
+ <Plugin python>
+ ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
+ Import "collectd_connect_time"
+ <Module collectd_connect_time>
+ target "localhost:22" "google.com" "google.de" "gum.r:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de"
+ interval 10
+ </Module>
+ </Plugin>
+ '';
+ graphite-cfg = pkgs.writeText "collectd-graphite.conf" ''
+ LoadPlugin write_graphite
+ <Plugin "write_graphite">
+ <Carbon>
+ Host "heidi.shack"
+ Port "2003"
+ Prefix "retiolum."
+ EscapeCharacter "_"
+ StoreRates false
+ AlwaysAppendDS false
+ </Carbon>
+ </Plugin>
+ '';
+in {
+ imports = [ ];
+
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ collectd = pkgs.collectd.override { python= pkgs.python; };
+ };
+ services.collectd = {
+ enable = true;
+ include = [ (toString connect-time-cfg) (toString graphite-cfg) ];
+ };
+
+}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
new file mode 100644
index 00000000..53ad56d6
--- /dev/null
+++ b/krebs/2configs/default.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ krebs.enable = true;
+ krebs.tinc.retiolum.enable = true;
+
+ krebs.build.user = mkDefault config.krebs.users.krebs;
+
+ networking.hostName = config.krebs.build.host.name;
+
+ nix.maxJobs = 1;
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+ nix.useSandbox = true;
+
+ environment.systemPackages = with pkgs; [
+ git
+ rxvt_unicode.terminfo
+ ];
+
+ programs.ssh.startAgent = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ services.cron.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+
+ users.mutableUsers = false;
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ # TODO
+ config.krebs.users.lass.pubkey
+ config.krebs.users.makefu.pubkey
+ # TODO HARDER:
+ config.krebs.users.makefu-omo.pubkey
+ config.krebs.users.tv.pubkey
+ ];
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+}
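Review bot: `nix.trustedBinaryCaches` lists `http://cache.nixos.org` and `http://hydra.nixos.org`, which lets users select substituters reached over cleartext HTTP. Integrity then rests entirely on client-side signature verification, and the requests can be observed or altered in transit. Keeping only `"https://cache.nixos.org"` removes that dependency. Separately, `users.extraUsers.root.openssh.authorizedKeys.keys` gives four personal keys root on every host importing this file, and the `# TODO` / `# TODO HARDER:` markers do not say what the intended end state is; a one-line comment stating it would help.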
diff --git a/krebs/2configs/graphite.nix b/krebs/2configs/graphite.nix
new file mode 100644
index 00000000..64222e43
--- /dev/null
+++ b/krebs/2configs/graphite.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+
+# TODO: krebs.graphite.minimal.enable
+# TODO: configure firewall
+with import <stockholm/lib>;
+{
+ imports = [ ];
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "0.0.0.0";
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 50
+ MAX_UPDATES_PER_SECOND_ONSHUTDOWN = 9001
+
+ LOG_CACHE_HITS = False
+ LOG_CACHE_QUEUE_SORTS = False
+ LOG_UPDATES = False
+ LOG_LISTENER_CONNECTIONS = False
+ LOG_CREATES = True
+ '';
+ storageAggregation = ''
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+
+ [radiation_sensor]
+ pattern = ^sensors\.radiation\.
+ retentions = 1m:30d,5m:180d,10m:3y
+
+ [motion_sensors]
+ pattern = ^sensors\.motion\.
+ retentions = 1s:1h,60s:30d,300s:1y
+
+ [motion_sensors]
+ pattern = ^retiolum\.
+ retentions = 10s:1h,30s:30d,300s:1y
+
+ [homeassistant]
+ pattern = ^homeassistant\.
+ retentions = 10s:24h,30s:30d,300s:1y,3600s:5y
+
+ [ara]
+ pattern = ^ara\.
+ retentions = 60s:30d,300s:1y
+
+ [openweathermap]
+ pattern = ^weather\.openweathermap
+ retentions = 30m:30d,1h:5y
+
+ [stadtklima]
+ pattern = ^weather\.stadtklima-stuttgart
+ retentions = 15m:30d,30m:5y
+
+ [sensebox]
+ pattern = ^weather\.sensebox
+ retentions = 1m:90d,30m:5y
+
+ [elchos]
+ pattern = ^elchos\.
+ retentions = 10s:14d,1m:90d,10m:5y
+
+ [icinga_default]
+ pattern = ^icinga
+ retentions = 10s:14d,5m:90d,10m:5y
+
+ [icinga_internals]
+ pattern = ^icinga.*\.(max_check_attempts|reachable|current_attempt|execution_time|latency|state|state_type)
+ retentions = 5m:7d
+
+ [default]
+ pattern = .*
+ retentions = 60s:30d,300s:1y
+ '';
+ };
+ };
+ systemd.services.carbonCache.serviceConfig.Restart="always";
+ systemd.services.graphiteApi.serviceConfig.Restart="always";
+}
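Review bot: In `storageSchemas` the `[icinga_internals]` section comes after `[icinga_default]`, whose pattern `^icinga` already matches the same metric names. Carbon applies the first matching section, so the `5m:7d` retention is never used unless the two sections are swapped. The section name `[motion_sensors]` is also used twice, the second time for `^retiolum\.`; it was probably meant to be `[retiolum]`, and depending on how the parser treats duplicates it may replace the first definition. On exposure, `api.listenAddress = "0.0.0.0"` combined with `# TODO: configure firewall` leaves graphite-web reachable from every network the host is attached to until that TODO is done, as far as this hunk shows.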
diff --git a/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
new file mode 100644
index 00000000..b5ec722a
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/VolGroup/lv_root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/VolGroup/lv_swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
new file mode 100644
index 00000000..168d1d97
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
new file mode 100644
index 00000000..637a26e3
--- /dev/null
+++ b/krebs/2configs/repo-sync.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ krebs.repo-sync = let
+ # TODO addMirrorURL function
+ mirror = "git@wolf:stockholm-mirror";
+ in {
+ enable = true;
+ repos.stockholm = {
+ branches = {
+ makefu = {
+ origin.url = http://cgit.gum/stockholm ;
+ mirror.url = mirror;
+ };
+ tv = {
+ origin.url = http://cgit.ni.r/stockholm;
+ mirror.url = mirror;
+ };
+ lassulus = {
+ origin.url = http://cgit.prism/stockholm ;
+ mirror.url = mirror;
+ };
+ };
+ latest = {
+ url = mirror;
+ ref = "heads/master";
+ };
+ };
+ };
+}
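Review bot: All three `origin.url` values are plain `http://` cgit URLs, so the branches copied into the mirror are fetched without transport integrity or server authentication. The hunk shows no verification step before they are pushed to `git@wolf:stockholm-mirror`. If those hosts are only reachable inside the VPN this may be acceptable, but it should be stated next to `mirror = …`, for example `# origins are VPN-internal; no commit verification happens here`. The URLs are also written as bare URL literals; quoting them (`origin.url = "http://cgit.ni.r/stockholm";`) matches the quoted `mirror` value and avoids the space-before-`;` form.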
diff --git a/krebs/2configs/save-diskspace.nix b/krebs/2configs/save-diskspace.nix
new file mode 100644
index 00000000..ab074c75
--- /dev/null
+++ b/krebs/2configs/save-diskspace.nix
@@ -0,0 +1,11 @@
+{lib, ... }:
+# TODO: do not check out nixpkgs master but fetch revision from github
+{
+ environment.noXlibs = true;
+ nix.gc.automatic = true;
+ nix.gc.dates = lib.mkDefault "03:10";
+ programs.info.enable = false;
+ programs.man.enable = false;
+ services.journald.extraConfig = "SystemMaxUse=50M";
+ services.nixosManual.enable = false;
+}
diff --git a/krebs/2configs/shack/bincache.nix b/krebs/2configs/shack/bincache.nix
new file mode 100644
index 00000000..9cd7fae2
--- /dev/null
+++ b/krebs/2configs/shack/bincache.nix
@@ -0,0 +1,6 @@
+{...}:
+{
+ nix.binaryCaches = [
+ "http://wolf.shack:3142/nixos"
+ ];
+}
diff --git a/krebs/2configs/shack/drivedroid.nix b/krebs/2configs/shack/drivedroid.nix
new file mode 100644
index 00000000..12e4a39c
--- /dev/null
+++ b/krebs/2configs/shack/drivedroid.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ root = "/var/srv/drivedroid";
+in
+{
+ environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
+
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts.shack-drivedroid = {
+ serverAliases = [
+ "drivedroid.shack"
+ ];
+ # TODO: prepare this somehow
+ locations."/".extraConfig = ''
+ root ${root};
+ index main.json;
+ '';
+ };
+ };
+
+ systemd.services.drivedroid-gen-repo = {
+ description = "generates drivedroid repo file";
+ path = [
+ pkgs.coreutils
+ pkgs.drivedroid-gen-repo
+ pkgs.inotify-tools
+ ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ ExecStartPre = pkgs.writeDash "prepare-drivedroid-gen-repo" ''
+ mkdir -p ${root}/repos
+ '';
+ ExecStart = pkgs.writeDash "start-drivedroid-gen-repo" ''
+ set -efu
+ cd ${root}
+ while sleep 60; do
+ if inotifywait -r .; then
+ drivedroid-gen-repo repos > main.json
+ fi
+ done
+ '';
+ };
+ };
+}
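Review bot: The `ExecStart` loop redirects straight into `main.json`, the file nginx serves as `index`, so a client can fetch an empty or half-written file while `drivedroid-gen-repo` is running. Writing to a temporary name and renaming closes that window: `drivedroid-gen-repo repos > main.json.tmp && mv main.json.tmp main.json`. Changes made during the `sleep 60` are not seen by the following `inotifywait`, so the index can lag until the next unrelated event. The unit also sets no `User`, so the generator runs as root over whatever is placed under `${root}/repos`.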
diff --git a/krebs/2configs/shack/mqtt_sub.nix b/krebs/2configs/shack/mqtt_sub.nix
new file mode 100644
index 00000000..a8427dde
--- /dev/null
+++ b/krebs/2configs/shack/mqtt_sub.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "mqtt2graphite-2017-05-29";
+ src = pkgs.fetchgit {
+ url = "https://github.com/shackspace/mqtt2graphite/";
+ rev = "117179d";
+ sha256 = "1334jbbzlqizyp7zcn4hdswhhrnkj1p4p435n5nph82lzffrsi44";
+ };
+ buildInputs = [
+ (pkgs.python35.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ paho-mqtt
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D sub.py $out/bin/sub
+ install -m755 -D sub2.py $out/bin/sub-new
+ '';
+ };
+in {
+ systemd.services.mqtt_sub = {
+ description = "subscribe to mqtt, send to graphite";
+ # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody";
+ ExecStart = "${pkg}/bin/sub-new";
+ PrivateTmp = true;
+ };
+ };
+}
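Review bot: `User = "nobody"` is shared by this unit and by `call_muell`, `radioactive` and `worlddomination` later in the commit, so these unrelated daemons can signal and inspect each other. `call_muell` also keeps a copy of a secrets file under that same uid. The other three carry `# TODO separate user`; this one does not, and the fix is the same everywhere: a dedicated system user per service. Minor: the commented-out `after` line spells the option `services.mosqitto`, which will fail to evaluate if it is re-enabled, and `rev = "117179d"` is an abbreviated hash where the full 40-character id is the safer pin.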
diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix
new file mode 100644
index 00000000..2d8d78e3
--- /dev/null
+++ b/krebs/2configs/shack/muell_caller.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "muell_caller-2017-06-01";
+ src = pkgs.fetchgit {
+ url = "https://github.com/shackspace/muell_caller/";
+ rev = "bbd4009";
+ sha256 = "1bfnfl2vdh0p5wzyz5p48qh04vvsg2445avg86fzhzragx25fqv0";
+ };
+ buildInputs = [
+ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ requests2
+ paramiko
+ python
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D call.py $out/bin/call-muell
+ '';
+ };
+ cfg = "${toString <secrets>}/tell.json";
+in {
+ systemd.services.call_muell = {
+ description = "call muell";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody"; # TODO separate user
+ ExecStartPre = pkgs.writeDash "call-muell-pre" ''
+ cp ${cfg} /tmp/tell.json
+ chown nobody /tmp/tell.json
+ '';
+ ExecStart = "${pkg}/bin/call-muell --cfg /tmp/tell.json --mode mpd loop 60";
+ Restart = "always";
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ };
+ };
+}
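Review bot: The `ExecStartPre` script copies `${cfg}` out of the secrets directory with `cp` and then runs `chown`, so the copy gets whatever mode the umask yields (commonly world-readable) rather than an explicit one. `PrivateTmp = true` limits who can see `/tmp/tell.json`, but creating it with its final owner and mode in one step is tighter: `install -o nobody -m 0400 ${cfg} /tmp/tell.json`.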
diff --git a/krebs/2configs/shack/nix-cacher.nix b/krebs/2configs/shack/nix-cacher.nix
new file mode 100644
index 00000000..8feeca9a
--- /dev/null
+++ b/krebs/2configs/shack/nix-cacher.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ cfg = config.krebs.apt-cacher-ng;
+in
+{
+ imports = [
+ ./bincache.nix
+ ];
+ krebs.apt-cacher-ng = {
+ enable = true;
+ port = 3142;
+ bindAddress = "localhost";
+ cacheExpiration = 30;
+ };
+
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts.shack-nix-cacher = {
+ serverAliases = [
+ "acng.shack"
+ ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:${toString cfg.port}/;
+ '';
+ };
+ };
+}
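Review bot: `krebs.apt-cacher-ng` binds to `localhost` on port 3142, yet the imported `./bincache.nix` points `nix.binaryCaches` at `http://wolf.shack:3142/nixos`. Other hosts cannot reach that URL if the daemon really listens only on loopback, and the nginx vhost `acng.shack` looks like the intended entry point. Either the cache URL or `bindAddress` probably needs adjusting, assuming this module is deployed on wolf (not visible here), and a comment should say which path clients are meant to use. The cache is also plain HTTP, so fetched paths are only as trustworthy as signature verification on the client.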
diff --git a/krebs/2configs/shack/radioactive.nix b/krebs/2configs/shack/radioactive.nix
new file mode 100644
index 00000000..378b5405
--- /dev/null
+++ b/krebs/2configs/shack/radioactive.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "radioactive-2017-06-01";
+ src = pkgs.fetchgit {
+ url = "https://github.com/makefu/nagios-radioactiveathome-plugins/";
+ rev = "955f614";
+ sha256 = "0ql6npl3n6shvij0ly6a52yjmf7dc31c5x29y927k9lvp8ygin20";
+ };
+ buildInputs = [
+ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ requests2
+ python
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D add_many_points.py $out/bin/radioactive-add-many
+ '';
+ };
+in {
+ systemd.services.radioactive = {
+ description = "radioactive";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody"; # TODO separate user
+ ExecStart = "${pkg}/bin/radioactive-add-many loop 60";
+ Restart = "always";
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ };
+ };
+}
diff --git a/krebs/2configs/shack/share.nix b/krebs/2configs/shack/share.nix
new file mode 100644
index 00000000..247b9ee7
--- /dev/null
+++ b/krebs/2configs/shack/share.nix
@@ -0,0 +1,38 @@
+{config, ... }:{
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ group = "share";
+ description = "smb guest user";
+ home = "/home/share";
+ createHome = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 139 445 # samba
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 137 138
+ ];
+ services.samba = {
+ enable = true;
+ shares = {
+ share-home = {
+ path = "/home/share/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
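Review bot: `share-home` is writable by guests (`"guest ok" = "yes"`, `"read only" = "no"`, `map to guest = bad user`) and the firewall opens 137, 138, 139 and 445 on all interfaces, with nothing in `extraConfig` restricting which clients may connect. If the share is meant for the local network only, add a restriction such as `hosts allow = <LAN-SUBNET-PLACEHOLDER>` and a comment stating that anonymous write access is intentional. The `smbguest` user is placed in group `share`, which this hunk does not define; confirm it is declared elsewhere.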
diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix
new file mode 100644
index 00000000..d0f9f5fa
--- /dev/null
+++ b/krebs/2configs/shack/worlddomination.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ pythonPackages = pkgs.python3Packages;
+ # https://github.com/chrysn/aiocoap
+ aiocoap = pythonPackages.buildPythonPackage {
+ name = "aiocoap-0.3";
+ src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; };
+ propagatedBuildInputs = [ ];
+ doCheck = false; # 2 errors, dunnolol
+ meta = with pkgs.stdenv.lib; {
+ homepage = "";
+ license = licenses.mit;
+ description = "Python CoAP library";
+ };
+ };
+ LinkHeader = pythonPackages.buildPythonPackage {
+ name = "LinkHeader-0.4.3";
+ src = pkgs.fetchurl { url = "https://pypi.python.org/packages/27/d4/eb1da743b2dc825e936ef1d9e04356b5701e3a9ea022c7aaffdf4f6b0594/LinkHeader-0.4.3.tar.gz"; sha256 = "7fbbc35c0ba3fbbc530571db7e1c886e7db3d718b29b345848ac9686f21b50c3"; };
+ propagatedBuildInputs = [ ];
+ meta = with pkgs.stdenv.lib; {
+ homepage = "";
+ license = licenses.bsdOriginal;
+ description = "Parse and format link headers according to RFC 5988 \"Web Linking\"";
+ };
+ };
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "worlddomination-2017-06-10";
+ src = pkgs.fetchgit {
+ url = "https://github.com/shackspace/worlddomination/";
+ rev = "72fc9b5";
+ sha256 = "05h500rswzypcxy4i22qc1vkc8izbzfqa9m86xg289hjxh133xyf";
+ };
+ buildInputs = [
+ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ LinkHeader
+ aiocoap
+ requests2
+ paramiko
+ python
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D backend/push_led.py $out/bin/push-led
+ install -m755 -D backend/loop_single.py $out/bin/loop-single
+ # copy the provided file to the package
+ install -m755 -D backend/wd.lst $out/${wdpath}
+ '';
+ };
+ wdpath = "/usr/worlddomination/wd.lst";
+ esphost = "10.42.24.7"; # esp8266
+ timeout = 10; # minutes
+in {
+ systemd.services.worlddomination = {
+ description = "run worlddomination";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody"; # TODO separate user
+ ExecStart = "${pkg}/bin/push-led ${esphost} ${pkg}/${wdpath} loop ${toString timeout}";
+ Restart = "always";
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ };
+ };
+}
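Review bot: `install -m755 -D backend/wd.lst $out/${wdpath}` marks a data file executable; `-m644` is the appropriate mode. Because `wdpath` begins with `/`, both `$out/${wdpath}` and `${pkg}/${wdpath}` expand with a double slash, which is harmless but easy to tidy by dropping the leading `/` from `wdpath`. `doCheck = false; # 2 errors, dunnolol` would serve the next maintainer better if the comment named the failing tests. `timeout = 10; # minutes` is passed as the `loop` argument while the sibling services pass `loop 60`, so the unit is worth confirming against the script.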
diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix
new file mode 100644
index 00000000..efb41cc3
--- /dev/null
+++ b/krebs/2configs/shared-buildbot.nix
@@ -0,0 +1,178 @@
+{ lib, config, pkgs, ... }:
+# The buildbot config is self-contained and currently provides a way
+# to test "krebs" configuration (infrastructure to be used by every krebsminister).
+
+# You can add your own test, test steps as required. Deploy the config on a
+# krebs host like wolf and everything should be fine.
+
+# TODO for all users schedule a build for fast tests
+{
+ # due to the fact that we actually build stuff on the box via the daemon,
+ # /nix/store should be cleaned up automatically as well
+ services.nginx.virtualHosts.build = {
+ serverAliases = [ "build.wolf.r" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+ '';
+ };
+
+ nix.gc.automatic = true;
+ nix.gc.dates = "05:23";
+ networking.firewall.allowedTCPPorts = [ 8010 9989 ];
+ krebs.buildbot.master = let
+ stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ;
+ in {
+ secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
+ workers = {
+ testworker = "krebspass";
+ };
+ change_source.stockholm = ''
+ stockholm_repo = '${stockholm-mirror-url}'
+ cs.append(changes.GitPoller(
+ stockholm_repo,
+ workdir='stockholm-poller', branches=True,
+ project='stockholm',
+ pollinterval=60))
+ '';
+ scheduler = {
+ force-scheduler = ''
+ sched.append(schedulers.ForceScheduler(
+ name="force",
+ builderNames=[
+ # "full-tests",
+ "fast-tests",
+ "build-local"
+ ]))
+ '';
+ fast-tests-scheduler = ''
+ # test everything real quick
+ sched.append(schedulers.AnyBranchScheduler(
+ treeStableTimer=10,
+ name="fast-all-branches",
+ builderNames=["fast-tests"]))
+ '';
+ test-cac-infest-master = ''
+ # files everyone depends on or are part of the share branch
+ def shared_files(change):
+ r =re.compile("^(krebs/.*|Makefile|default.nix|shell.nix)")
+ for file in change.files:
+ if r.match(file):
+ return True
+ return False
+
+ sched.append(schedulers.SingleBranchScheduler(
+ change_filter=util.ChangeFilter(branch="master"),
+ fileIsImportant=shared_files,
+ treeStableTimer=60*60, # master was stable for the last hour
+ name="full-master",
+ builderNames=[
+ # "full-tests",
+ "build-local"
+ ]))
+ '';
+ };
+ builder_pre = ''
+ # prepare grab_repo step for stockholm
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
+
+ env = {
+ "LOGNAME": "krebs",
+ "NIX_REMOTE": "daemon",
+ "dummy_secrets": "true",
+ }
+
+ # prepare nix-shell
+ # the dependencies which are used by the test script
+ deps = [ "gnumake", "jq", "nix",
+ "(import <stockholm>).pkgs.populate",
+ "(import <stockholm>).pkgs.test.infest-cac-centos7" ]
+ # TODO: --pure , prepare ENV in nix-shell command:
+ # SSL_CERT_FILE,LOGNAME,NIX_REMOTE
+ nixshell = ["nix-shell",
+ "-I", "stockholm=.",
+