Diffstat (limited to 'krebs/1systems')
-rw-r--r-- | krebs/1systems/filebitch/config.nix | 48 | ||||
-rw-r--r-- | krebs/1systems/filebitch/hardware-configuration.nix | 94 | ||||
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 6 | ||||
-rw-r--r-- | krebs/1systems/news/config.nix | 36 | ||||
-rw-r--r-- | krebs/1systems/puyak/config.nix | 118 | ||||
-rw-r--r-- | krebs/1systems/puyak/net.nix | 23 | ||||
-rw-r--r-- | krebs/1systems/wolf/config.nix | 71 |
7 files changed, 308 insertions, 88 deletions
diff --git a/krebs/1systems/filebitch/config.nix b/krebs/1systems/filebitch/config.nix
new file mode 100644
index 00000000..9c6a9da0
--- /dev/null
+++ b/krebs/1systems/filebitch/config.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+let
+ shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
+in
+{
+ imports = [
+ ./hardware-configuration.nix
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ # <stockholm/krebs/2configs/secret-passwords.nix>
+
+ # <stockholm/krebs/2configs/binary-cache/nixos.nix>
+ # <stockholm/krebs/2configs/binary-cache/prism.nix>
+ <stockholm/krebs/2configs/shack/ssh-keys.nix>
+ <stockholm/krebs/2configs/shack/prometheus/node.nix>
+ # provides access to /home/share for smbuser via smb
+ <stockholm/krebs/2configs/shack/share.nix>
+ {
+ fileSystems."/home/share" =
+ { device = "/serve";
+ options = [ "bind" "nofail" ];
+ };
+ }
+
+ ## Collect local statistics via collectd and send to collectd
+ <stockholm/krebs/2configs/stats/shack-client.nix>
+ <stockholm/krebs/2configs/stats/shack-debugging.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.filebitch;
+ sound.enable = false;
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="60:a4:4c:3d:52:cf", NAME="et0"
+ '';
+ networking = {
+ firewall.enable = true;
+ interfaces.et0.ipv4.addresses = [
+ {
+ address = shack-ip;
+ prefixLength = 20;
+ }
+ ];
+
+ defaultGateway = "10.42.0.1";
+ nameservers = [ "10.42.0.100" "10.42.0.200" ];
+ };
+}
diff --git a/krebs/1systems/filebitch/hardware-configuration.nix b/krebs/1systems/filebitch/hardware-configuration.nix
new file mode 100644
index 00000000..1e7fa787
--- /dev/null
+++ b/krebs/1systems/filebitch/hardware-configuration.nix
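Review bot: `fileSystems."/home/share"` bind-mounts `/serve` with `nofail`, and `/serve` itself is a `nofail` mount of `/dev/cryptvg/serve` in the companion hardware-configuration hunk; whether the SMB share still comes up backed by the empty `/serve` directory on the root filesystem when the encrypted volume is absent depends on systemd ordering the bind mount after its source, which is worth verifying on the host before relying on it. A comment on the `nofail` line recording the intended behaviour would help, e.g. `# /serve is the LUKS-backed data volume and may be absent at boot; confirm the bind mount fails rather than exposing the empty root-fs directory`. `firewall.enable = true` with no ports opened in this file means the share is only reachable if share.nix opens them, which this diff does not show.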
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+let
+ byid = dev: "/dev/disk/by-id/" + dev;
+ keyFile = byid "usb-SMI_USB_DISK_AA08061700009650-0:0";
+in
+{
+ imports =
+ [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+ ];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
+ boot.zfs.forceImportRoot = false;
+ boot.zfs.forceImportAll = false;
+ boot.kernelParams = [
+ "boot.shell_on_fail"
+ "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+ ];
+ boot.tmpOnTmpfs = true;
+
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod"
+ "raid456"
+ "usbhid"
+ "usb_storage"
+ ];
+ boot.initrd.kernelModules = [
+ "sata_sil"
+ "megaraid_sas"
+ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "tank/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "tank/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "tank/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/5266-931D";
+ fsType = "vfat";
+ };
+ fileSystems."/serve" =
+ { device = "/dev/cryptvg/serve";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+ fileSystems."/serve/incoming" =
+ { device = "/dev/cryptvg/incoming";
+ fsType = "ext4";
+ options = [ "nofail" ];
+
+ };
+ fileSystems."/serve/movies" =
+ { device = "/dev/cryptvg/servemovies";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/3353c76f-50e4-471d-84bc-ff922d22b271"; }
+ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+ boot.loader.grub.device = byid "ata-INTEL_SSDSA2M080G2GC_CVPO013300WD080BGN";
+
+ networking.hostId = "54d97450"; # required for zfs use
+ boot.initrd.luks.devices = let
+ usbkey = device: {
+ inherit device keyFile;
+ keyFileSize = 2048;
+ preLVM = true;
+ };
+ in {
+ swap = ((usbkey (byid "ata-INTEL_SSDSA2M080G2GC_CVPO013300WD080BGN-part2"))
+ // { allowDiscards = true; } );
+ root = ((usbkey (byid "ata-INTEL_SSDSA2M080G2GC_CVPO013300WD080BGN-part3"))
+ // { allowDiscards = true; } );
+ md125 = usbkey "/dev/md125";
+ md126 = usbkey "/dev/md126";
+ md127 = usbkey "/dev/md127";
+ };
+}
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 60ec625f..a100e414 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, lib, pkgs, ... }:
 
 {
@@ -12,8 +8,8 @@
 <stockholm/krebs/2configs/buildbot-stockholm.nix>
 <stockholm/krebs/2configs/binary-cache/nixos.nix>
 <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/nscd-fix.nix>
 <stockholm/krebs/2configs/reaktor2.nix>
+ <stockholm/krebs/2configs/wiki.nix>
 ];
 
 krebs.build.host = config.krebs.hosts.hotdog;
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
new file mode 100644
index 00000000..5c4b37ae
--- /dev/null
+++ b/krebs/1systems/news/config.nix
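Review bot: The LUKS key for every volume under `boot.initrd.luks.devices` is a plain file read from the removable USB stick named in `keyFile` (`keyFileSize = 2048`, no passphrase fallback in the hunk), and `boot.kernelParams` enables `boot.shell_on_fail`, which drops to an unauthenticated root shell in the initrd when unlocking fails; together this means the at-rest protection of tank and cryptvg is exactly physical custody of that stick, which deserves a comment next to `keyFile`, e.g. `# key is read in clear from a removable USB stick: disk encryption is only as strong as custody of that stick`. If an interactive fallback is wanted, `fallbackToPassword = true;` inside `usbkey` is the NixOS option to look at — confirm it exists in the channel this repo pins. Separately, `"usbhid"` and `"usb_storage"` are listed twice in `boot.initrd.availableKernelModules`; drop the second occurrences. `allowDiscards = true` on swap and root trades TRIM for revealing which blocks are unused, a usually accepted trade-off that is worth a one-line comment.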
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+
+ <stockholm/krebs/2configs/ircd.nix>
+ <stockholm/krebs/2configs/go.nix>
+
+ #### NEWS ####
+ <stockholm/krebs/2configs/ircd.nix>
+ <stockholm/krebs/2configs/news.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.news;
+
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ krebs.bindfs = {
+ "/var/lib/htgen-go" = {
+ source = "/var/state/htgen-go";
+ options = [
+ "-m ${toString config.users.users.htgen-go.uid}"
+ ];
+ clearTarget = true;
+ };
+ "/var/lib/brockman" = {
+ source = "/var/state/brockman";
+ options = [
+ "-m ${toString config.users.users.brockman.uid}:${toString config.users.users.nginx.uid}"
+ ];
+ clearTarget = true;
+ };
+ };
+}
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 6321b6cc..1e0687ba 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
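Review bot: `<stockholm/krebs/2configs/ircd.nix>` appears twice in `imports`, once beside go.nix and again under `#### NEWS ####`; the module system deduplicates imports by path so this is harmless, but keeping only the NEWS entry makes the list read as intended. The `-m` bindfs option strings interpolate `config.users.users.<name>.uid`, which evaluates to null unless those users have a fixed uid assigned elsewhere; a short comment naming where htgen-go, brockman and nginx get their uids would save the next reader a search.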
@@ -1,21 +1,111 @@ { config, pkgs, ... }: - { imports = [ + ./net.nix <stockholm/krebs> <stockholm/krebs/2configs> <stockholm/krebs/2configs/secret-passwords.nix> <stockholm/krebs/2configs/hw/x220.nix> + # see documentation in included getty-for-esp.nix: + # brain hosts/puyak/root + <stockholm/krebs/2configs/hw/getty-for-esp.nix> + + + ## initrd unlocking + # (brain hosts/puyak/luks-ssd;echo) | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase' + <stockholm/krebs/2configs/tor/initrd.nix> + <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/prism.nix> - <stockholm/krebs/2configs/go.nix> - <stockholm/krebs/2configs/ircd.nix> - <stockholm/krebs/2configs/news.nix> - <stockholm/krebs/2configs/news-spam.nix> - <stockholm/krebs/2configs/shack/prometheus/node.nix> + + ### shackspace ### + # handle the worlddomination map via coap + <stockholm/krebs/2configs/shack/worlddomination.nix> + <stockholm/krebs/2configs/shack/ssh-keys.nix> + + # drivedroid.shack for shackphone + <stockholm/krebs/2configs/shack/drivedroid.nix> + # <stockholm/krebs/2configs/shack/nix-cacher.nix> + + # Say if muell will be collected + <stockholm/krebs/2configs/shack/muell_caller.nix> + # provide muellshack api: muell.shack + <stockholm/krebs/2configs/shack/muellshack.nix> + # send mail if muell was not handled + <stockholm/krebs/2configs/shack/muell_mail.nix> + + # provide light control api + <stockholm/krebs/2configs/shack/node-light.nix> # light.shack lounge.light.shack power.light.shack openhab.shack lightapi.shack + # light.shack web-ui + <stockholm/krebs/2configs/shack/light.shack.nix> #light.shack + + # powerraw usb serial to mqtt and raw socket + <stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack + # send power stats to s3 + <stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available + + + { # do not log to /var/spool/log + services.nginx.appendHttpConfig = '' + map 
$request_method $loggable { + default 1; + GET 0; + } + log_format vhost '$host $remote_addr - $remote_user ' + '[$time_local] "$request" $status ' + '$body_bytes_sent "$http_referer" ' + '"$http_user_agent"'; + error_log stderr; + access_log syslog:server=unix:/dev/log vhost; + ''; + services.journald.rateLimitBurst = 10000; + } + + # create samba share for anonymous usage with the laser and 3d printer pc + <stockholm/krebs/2configs/shack/share.nix> + + # mobile.lounge.mpd.shack + <stockholm/krebs/2configs/shack/mobile.mpd.nix> + + # hass.shack + <stockholm/krebs/2configs/shack/glados> + + # connect to git.shackspace.de as group runner for rz <stockholm/krebs/2configs/shack/gitlab-runner.nix> + # Statistics collection and visualization + # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully) + ## Collect data from mqtt.shack and store in graphite database + <stockholm/krebs/2configs/shack/mqtt_sub.nix> + ## Collect radioactive data and put into graphite + <stockholm/krebs/2configs/shack/radioactive.nix> + ## mqtt.shack + <stockholm/krebs/2configs/shack/mqtt.nix> + ## influx.shack + <stockholm/krebs/2configs/shack/influx.nix> + + ## Collect local statistics via collectd and send to collectd + <stockholm/krebs/2configs/stats/shack-client.nix> + <stockholm/krebs/2configs/stats/shack-debugging.nix> + + ## netbox.shack: Netbox is disabled as nobody seems to be using it anyway + # <stockholm/krebs/2configs/shack/netbox.nix> + + # grafana.shack + <stockholm/krebs/2configs/shack/grafana.nix> + + # shackdns.shack + # replacement for leases.shack and shackles.shack + <stockholm/krebs/2configs/shack/shackDNS.nix> + + # monitoring: prometheus.shack + <stockholm/krebs/2configs/shack/prometheus/node.nix> + <stockholm/krebs/2configs/shack/prometheus/server.nix> + <stockholm/krebs/2configs/shack/prometheus/blackbox.nix> + <stockholm/krebs/2configs/shack/prometheus/unifi.nix> + 
<stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix> + ## Collect local statistics via collectd and send to collectd <stockholm/krebs/2configs/stats/shack-client.nix> <stockholm/krebs/2configs/stats/shack-debugging.nix> @@ -23,12 +113,11 @@ krebs.build.host = config.krebs.hosts.puyak; sound.enable = false; - boot = { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; + initrd.luks.devices.luksroot.device = "/dev/sda3"; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; @@ -68,10 +157,6 @@ services.logind.lidSwitchExternalPower = "ignore"; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0" - ''; environment.systemPackages = [ pkgs.zsh ]; @@ -79,16 +164,9 @@ echo level disengaged > /proc/acpi/ibm/fan ''; - # to access vorstand vm - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.ulrich.pubkey - config.krebs.users.raute.pubkey - ]; - users.users.joerg = { - openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ]; + openssh.authorizedKeys.keys = [ config.krebs.users.mic92.pubkey ]; isNormalUser = true; shell = "/run/current-system/sw/bin/zsh"; }; - networking.firewall.allowedTCPPorts = [ 5901 ]; } diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix new file mode 100644 index 00000000..4cb8d247 --- /dev/null +++ b/krebs/1systems/puyak/net.nix 
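Review bot: The `map $request_method $loggable` block in the new nginx snippet is never referenced — `access_log syslog:server=unix:/dev/log vhost;` carries no `if=` clause, so GET requests are still logged and the map is dead configuration; either use it, `access_log syslog:server=unix:/dev/log vhost if=$loggable;`, or delete the map. `<stockholm/krebs/2configs/stats/shack-client.nix>` and `shack-debugging.nix` are now imported twice, in the added block and again in the context lines at the end of the first hunk, so the added copy can go. The `imports` list of that first hunk continues past the end of the hunk, and the later hunks are fragments whose enclosing attribute sets lie outside the diff.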
@@ -0,0 +1,23 @@
+let
+ ext-if = "enp0s25";
+ shack-ip = "10.42.22.184";
+ shack-gw = "10.42.20.1";
+in {
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+ SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+ '';
+ networking = {
+ firewall.enable = false;
+ firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];
+ interfaces."${ext-if}".ipv4.addresses = [
+ {
+ address = shack-ip;
+ prefixLength = 20;
+ }
+ ];
+
+ defaultGateway = shack-gw;
+ nameservers = [ "10.42.0.100" "10.42.0.200" ];
+ };
+}
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 6e53637e..25e7c5f0 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
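Review bot: `firewall.enable = false;` makes the `firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];` line directly below it a no-op, so every listener this host now carries (the grafana, influx, mqtt, prometheus, samba share and hass modules imported in config.nix, plus 5901) is reachable from any address on the shack network rather than the four listed ports. Either enable the firewall and extend the port list to what is actually needed, or delete the dead `allowedTCPPorts` line and record the decision, e.g. `# firewall intentionally off: shack services are meant to be reachable from the whole 10.42.16.0/20 LAN`. Separately, the udev rule renames MAC `3c:97:0e:07:b9:14` to `et0` while the static address is assigned to `ext-if = "enp0s25"`; if that MAC is the onboard NIC the address lands on a name that no longer exists after the rename, so confirm which interface the rule matches.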
@@ -14,59 +14,15 @@ in <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/prism.nix> - # handle the worlddomination map via coap - <stockholm/krebs/2configs/shack/worlddomination.nix> - - # drivedroid.shack for shackphone - <stockholm/krebs/2configs/shack/drivedroid.nix> - # <stockholm/krebs/2configs/shack/nix-cacher.nix> - # Say if muell will be collected - <stockholm/krebs/2configs/shack/muell_caller.nix> - # provide muellshack api - <stockholm/krebs/2configs/shack/muellshack.nix> - # provide light control api - <stockholm/krebs/2configs/shack/node-light.nix> - # send mail if muell was not handled - <stockholm/krebs/2configs/shack/muell_mail.nix> - # send mail if muell was not handled - <stockholm/krebs/2configs/shack/s3-power.nix> - # powerraw usb serial to mqtt and raw socket - <stockholm/krebs/2configs/shack/powerraw.nix> - - # create samba share for anonymous usage with the laser and 3d printer pc - <stockholm/krebs/2configs/shack/share.nix> - - # mobile.lounge.mpd.shack - <stockholm/krebs/2configs/shack/mobile.mpd.nix> - - # hass.shack - <stockholm/krebs/2configs/shack/glados> - - # connect to git.shackspace.de as group runner for rz - <stockholm/krebs/2configs/shack/gitlab-runner.nix> + #### shackspace services + <stockholm/krebs/2configs/shack/share.nix> # wolf.shack - # Statistics collection and visualization - <stockholm/krebs/2configs/shack/graphite.nix> - ## Collect data from mqtt.shack and store in graphite database - <stockholm/krebs/2configs/shack/mqtt_sub.nix> - ## Collect radioactive data and put into graphite - <stockholm/krebs/2configs/shack/radioactive.nix> - ## mqtt.shack - <stockholm/krebs/2configs/shack/mqtt.nix> - ## influx.shack - <stockholm/krebs/2configs/shack/influx.nix> - - ## Collect local statistics via collectd and send to collectd - <stockholm/krebs/2configs/stats/shack-client.nix> - <stockholm/krebs/2configs/stats/shack-debugging.nix> - - <stockholm/krebs/2configs/shack/netbox.nix> - # 
prometheus.shack - <stockholm/krebs/2configs/shack/prometheus/server.nix> + # gitlab runner + <stockholm/krebs/2configs/shack/gitlab-runner.nix> + # misc + <stockholm/krebs/2configs/shack/ssh-keys.nix> + <stockholm/krebs/2configs/save-diskspace.nix> <stockholm/krebs/2configs/shack/prometheus/node.nix> - <stockholm/krebs/2configs/shack/prometheus/unifi.nix> - # grafana.shack - <stockholm/krebs/2configs/shack/grafana.nix> ]; # use your own binary cache, fallback use cache.nixos.org (which is used by @@ -117,18 +73,6 @@ in fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; - swapDevices = [ - { device = "/dev/disk/by-label/swap"; } - ]; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - config.krebs.users."0x4A6F".pubkey - config.krebs.users.ulrich.pubkey - config.krebs.users.raute.pubkey - "ssh-rsa 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 root@plattenschwein" # for backup - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Lx5MKtVjB/Ef6LpEiIAgVwY5xKQFdHuLQR+odQO4cAgxj1QaIXGN0moixY52DebVQhAtiCNiFZ83uJyOj8kmu30yuXwtSOQeqziA859qMJKZ4ZcYdKvbXwnf2Chm5Ck/0FvtpjTWHIZAogwP1wQto/lcqHOjrTAnZeJfQuHTswYUSnmUU5zdsEZ9HidDPUc2Gv0wkBNd+KMQyOZl0HkaxHWvn0h4KK4hYZisOpeTfXJxD87bo+Eg4LL2vvnHW6dF6Ygrbd/0XRMsRRI8OAReVBUoJn7IE1wwAl/FpblNmhaF9hlL7g7hR1ADvaWMMw0e8SSzW6Y+oIa8qFQL6wR1 gitlab-builder" # for being deployed by gitlab ci - ]; - services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}" ''; @@ -141,6 +85,7 @@ in enable = true; wideArea = false; }; + environment.systemPackages = [ pkgs.avahi ]; } |