Diffstat (limited to 'krebs/3modules')
71 files changed, 2402 insertions, 1490 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index 308c6d41..2a035d7b 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -17,7 +17,7 @@ let
 nickname = mkOption {
 default = config.krebs.build.host.name + "|r";
- type = types.string;
+ type = types.str;
 description = ''
 The nick name of the irc bot. Defaults to {hostname}|r
@@ -47,7 +47,7 @@ let
 extraConfig = mkOption {
 default = "";
- type = types.string;
+ type = types.str;
 description = ''
 configuration appended to the default or overridden configuration
 '';
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index c0b218c1..910324f3 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -226,10 +226,14 @@ let
 # XXX Is one ping enough to determine fastest address?
 fastest-address = host: ''
- { ${pkgs.fping}/bin/fping </dev/null -a \
+ { ${pkgs.fping}/bin/fping </dev/null -a -e \
 ${concatMapStringsSep " " shell.escape (mapAttrsToList (_: net: head net.aliases) host.nets)} \
- | ${pkgs.coreutils}/bin/head -1; }
+ | ${pkgs.gnused}/bin/sed -r 's/^(\S+) \(([0-9.]+) ms\)$/\2\t\1/' \
+ | ${pkgs.coreutils}/bin/sort -n \
+ | ${pkgs.coreutils}/bin/cut -f2 \
+ | ${pkgs.coreutils}/bin/head -n 1
+ }
 '';
 in
 out
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 94a50952..ffa9a29e 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -2,10 +2,10 @@ with import <stockholm/lib>;
 let
- gunicorn = pkgs.python27Packages.gunicorn;
- bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; };
- gevent = pkgs.python27Packages.gevent;
- python = pkgs.python27Packages.python;
+ gunicorn = pkgs.python3Packages.gunicorn;
+ bepasty = pkgs.bepasty;
+ gevent = pkgs.python3Packages.gevent;
+ python = pkgs.python3Packages.python;
 cfg = config.krebs.bepasty;
 out = { 
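Review bot: In the new `fastest-address` pipeline, should fping ever emit a line that does not match the sed pattern, sed passes it through unchanged, `sort -n` ranks it ahead of the real `rtt<TAB>host` rows because it evaluates to 0, and `cut -f2` prints the whole raw line (no tab present), so the caller receives something like `host (1.23 ms)` instead of an address. Restricting sed to matching lines closes that gap: `| ${pkgs.gnused}/bin/sed -rn 's/^(\S+) \(([0-9.]+) ms\)$/\2\t\1/p' \`. A comment above the pipeline recording the expected `host (1.23 ms)` output shape of `fping -a -e` would also help, since the regex silently depends on it.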
@@ -164,7 +164,7 @@ let
 client_max_body_size 32M;
 '';
 locations = {
- "/".extraConfig = "proxy_set_header Host $http_host;";
+ "/".extraConfig = "proxy_set_header Host $host;";
 "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock";
 "/static/".extraConfig = ''
 alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix
new file mode 100644
index 00000000..7e3730e8
--- /dev/null
+++ b/krebs/3modules/bindfs.nix 
@@ -0,0 +1,61 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+let
+ cfg = config.krebs.bindfs;
+in {
+ options.krebs.bindfs = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ target = mkOption {
+ description = ''
+ destination where bindfs mounts to.
+ second positional argument to bindfs.
+ '';
+ default = config._module.args.name;
+ type = types.absolute-pathname;
+ };
+ source = mkOption {
+ description = ''
+ source folder where the mounted directory is originally.
+ first positional argument to bindfs.
+ '';
+ type = types.absolute-pathname;
+ };
+ options = mkOption {
+ description = ''
+ additional arguments to bindfs
+ '';
+ type = types.listOf types.str;
+ default = [];
+ };
+ clearTarget = mkOption {
+ description = ''
+ whether to clear the target folder before mounting
+ '';
+ type = types.bool;
+ default = false;
+ };
+ };
+ }));
+ default = {};
+ };
+
+ config = mkIf (cfg != {}) {
+ systemd.services = mapAttrs' (n: mount: let
+ name = replaceStrings [ "/" ] [ "_" ] n;
+ in nameValuePair "bindfs-${name}" {
+ wantedBy = [ "local-fs.target" ];
+ path = [ pkgs.coreutils ];
+ serviceConfig = {
+ ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+ ${optionalString mount.clearTarget ''
+ rm -rf '${mount.target}'
+ ''}
+ mkdir -p '${mount.source}'
+ mkdir -p '${mount.target}'
+ '';
+ ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
+ };
+ }) cfg;
+ };
+}
diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
new file mode 100644
index 00000000..9b2ed4a7
--- /dev/null
+++ b/krebs/3modules/brockman.nix 
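Review bot: With `clearTarget` set, `ExecStartPre` runs `rm -rf '${mount.target}'` unconditionally, and if a bindfs instance from an earlier start is still mounted there (the unit has no ExecStop or unmount step and `-f` keeps bindfs in the foreground), the recursion walks through the mount and can delete the contents of `mount.source` itself. Guard the removal with a mountpoint check, e.g. `if ! mountpoint -q '${mount.target}'; then rm -rf '${mount.target}'; fi` with util-linux added to `path`, or unmount in `ExecStopPost`. The `ExecStart` line also interpolates `mount.source`, `mount.target` and the joined `mount.options` unquoted, so a path or option containing whitespace is word-split by systemd; the option descriptions should at least state that restriction.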
@@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+with import <stockholm/lib>;
+let
+ cfg = config.krebs.brockman;
+in {
+ options.krebs.brockman = {
+ enable = mkEnableOption "brockman";
+ config = mkOption { type = types.attrs; }; # TODO make real config here
+ };
+
+ config = mkIf cfg.enable {
+ users.extraUsers.brockman = {
+ home = "/var/lib/brockman";
+ createHome = true;
+ isNormalUser = false;
+ uid = genid_uint31 "brockman";
+ };
+
+ systemd.services.brockman = {
+ description = "RSS to IRC broadcaster";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = ''
+ ${pkgs.brockman}/bin/brockman ${pkgs.writeText "brockman.json" (builtins.toJSON cfg.config)}
+ '';
+ User = config.users.extraUsers.brockman.name;
+ PrivateTmp = true;
+ RuntimeDirectory = "brockman";
+ WorkingDirectory = "%t/brockman";
+ RestartSec = 5;
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/charybdis.nix b/krebs/3modules/charybdis.nix
index f4a7c131..038d79dd 100644
--- a/krebs/3modules/charybdis.nix
+++ b/krebs/3modules/charybdis.nix
@@ -21,14 +21,14 @@ in
 enable = mkEnableOption "Charybdis IRC daemon";
 config = mkOption {
- type = types.string;
+ type = types.str;
 description = ''
 Charybdis IRC daemon configuration file.
 '';
 };
 statedir = mkOption {
- type = types.string;
+ type = types.str;
 default = "/var/lib/charybdis";
 description = ''
 Location of the state directory of charybdis.
@@ -36,7 +36,7 @@ in
 };
 user = mkOption {
- type = types.string;
+ type = types.str;
 default = "ircd";
 description = ''
 Charybdis IRC daemon user.
@@ -44,7 +44,7 @@ in
 };
 group = mkOption {
- type = types.string;
+ type = types.str;
 default = "ircd";
 description = ''
 Charybdis IRC daemon group. 
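Review bot: `cfg.config` is serialized with `builtins.toJSON` into the Nix store through `pkgs.writeText "brockman.json"`, so whatever is placed in this unvalidated `types.attrs` option becomes world-readable on every machine that holds the store path; if the IRC configuration can carry a nick password or similar credential, that should live in a file referenced by path instead, and the option should say so, e.g. `description = "brockman configuration; rendered into the world-readable nix store, keep credentials out";`. Separately, `after = [ "network-online.target" ]` without a matching `wants = [ "network-online.target" ];` only orders the unit and does not pull the target in, so the ordering has no effect unless something else activates it.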
@@ -71,14 +71,13 @@ in
 config = mkIf cfg.enable (lib.mkMerge [
 {
- users.users = singleton {
- name = cfg.user;
+ users.users.${cfg.user} = {
 description = "Charybdis IRC daemon user";
 uid = config.ids.uids.ircd;
 group = cfg.group;
 };
- users.groups = singleton {
+ users.groups.${cfg.group} = {
 name = cfg.group;
 gid = config.ids.gids.ircd;
 };
@@ -102,7 +101,7 @@ in
 };
 }
- + (mkIf (cfg.motd != null) {
 environment.etc."charybdis/ircd.motd".text = cfg.motd;
 })
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 244de1a0..50db0b97 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -27,7 +27,7 @@ let
 hostname = config.networking.hostName;
 getJobs = pkgs.writeDash "get_jobs" ''
 set -efu
- ${pkgs.nix}/bin/nix-build --no-out-link --quiet -Q ./ci.nix >&2
+ ${pkgs.nix}/bin/nix-build --no-out-link --quiet --show-trace -Q ./ci.nix >&2
 json="$(${pkgs.nix}/bin/nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
 echo "$json" | ${pkgs.jq}/bin/jq -r 'to_entries[] | [.key, .value] | @tsv' \
 | while read -r host builder; do
@@ -52,7 +52,7 @@ let
 "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}',
- pollinterval=10
+ pollinterval=100
 ) ) '') repo.urls)
@@ -135,6 +135,7 @@ let
 f_${name} = util.BuildFactory()
 f_${name}.addStep(steps.Git(
 repourl=util.Property('repository', '${head repo.urls}'),
+ method='clobber',
 mode='full',
 submodules=True,
 ))
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 10a33d5d..85d27459 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,8 @@ let
 ./apt-cacher-ng.nix
 ./backup.nix
 ./bepasty-server.nix
+ ./bindfs.nix
+ ./brockman.nix
 ./buildbot/master.nix
 ./buildbot/slave.nix
 ./build.nix
@@ -27,6 +29,7 @@ let
 ./github-known-hosts.nix
 ./git.nix
 ./go.nix
+ ./gollum.nix
 ./hidden-ssh.nix
 ./hosts.nix
 ./htgen.nix 
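Review bot: The rewritten `users.users.${cfg.user}` block drops the now-redundant `name = cfg.user;`, but the parallel `users.groups.${cfg.group}` block still carries `name = cfg.group;`; the attribute name already supplies it, so that line can go too for consistency. Depending on the nixpkgs revision this is evaluated against, a user declared this way may also need `isSystemUser = true;` to satisfy the users-groups module's assertions — worth confirming, since the user has a fixed uid and no login purpose.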
@@ -35,7 +38,6 @@ let
 ./kapacitor.nix
 ./konsens.nix
 ./monit.nix
- ./newsbot-js.nix
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
@@ -50,9 +52,10 @@ let
 ./secret.nix
 ./setuid.nix
 ./shadow.nix
- ./syncthing.nix
+ ./sync-containers.nix
 ./tinc.nix
 ./tinc_graphs.nix
+ ./upstream
 ./urlwatch.nix
 ./repo-sync.nix
 ./xresources.nix
@@ -90,8 +93,10 @@ let
 @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
 IN NS ns19.ovh.net.
 IN NS dns19.ovh.net.
- IN A 192.30.252.154
- IN A 192.30.252.153
+ IN A 185.199.108.153
+ IN A 185.199.109.153
+ IN A 185.199.110.153
+ IN A 185.199.111.153
 '';
 };
 };
@@ -103,13 +108,12 @@ let
 { krebs = import ./krebs { inherit config; }; }
 { krebs = import ./lass { inherit config; }; }
 { krebs = import ./makefu { inherit config; }; }
- { krebs = import ./mb { inherit config; }; }
 { krebs = import ./external/palo.nix { inherit config; }; }
+ { krebs = import ./external/mic92.nix { inherit config; }; }
 { krebs = import ./tv { inherit config; }; }
 { krebs.dns.providers = {
 "krebsco.de" = "zones";
- gg23 = "hosts";
 shack = "hosts";
 i = "hosts";
 r = "hosts";
@@ -153,9 +157,11 @@ let
 let
 longs = net.aliases;
 shorts =
- map (removeSuffix ".${cfg.dns.search-domain}")
- (filter (hasSuffix ".${cfg.dns.search-domain}")
- longs);
+ optionals
+ (cfg.dns.search-domain != null)
+ (map (removeSuffix ".${cfg.dns.search-domain}")
+ (filter (hasSuffix ".${cfg.dns.search-domain}")
+ longs));
 add-port = a:
 if net.ssh.port != 22
 then "[${a}]:${toString net.ssh.port}"
@@ -178,7 +184,8 @@ let
 (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host
- (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) {
+ (optionalAttrs (cfg.dns.search-domain != null &&
+ hasAttr cfg.dns.search-domain host.nets) {
 nets."" = host.nets.${cfg.dns.search-domain} // {
 aliases = [host.name];
 addrs = [];
diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix
index b7e2a2cb..8acc4ccd 100644
--- a/krebs/3modules/dns.nix 
+++ b/krebs/3modules/dns.nix
@@ -6,7 +6,7 @@ with import <stockholm/lib>;
 };
 krebs.dns.search-domain = mkOption {
- type = types.hostname;
+ type = types.nullOr types.hostname;
 };
 };
 }
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 118a8b2d..a16661c9 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -10,6 +10,11 @@ with import <stockholm/lib>;
 (s: substring 1 (stringLength s - 2) s) (toJSON value);
+ to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n");
+ lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({
+ inherit (cfg) system-aliases;
+ });
+
 in {
 options.krebs.exim-retiolum = {
 enable = mkEnableOption "krebs.exim-retiolum";
@@ -59,6 +64,19 @@ in {
 };
 };
 };
+ system-aliases = mkOption {
+ type = types.listOf (types.submodule ({
+ options = {
+ from = mkOption {
+ type = types.str; # TODO e-mail address
+ };
+ to = mkOption {
+ type = types.str; # TODO e-mail address / TODO listOf
+ };
+ };
+ }));
+ default = [];
+ };
 };
 imports = [
 {
@@ -145,6 +163,11 @@ in {
 begin routers
+ system_aliases:
+ debug_print = "R: system_aliases for $local_part@$domain"
+ driver = redirect
+ data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
+
 local:
 driver = accept
 domains = +local_domains
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index e988fb56..c5969caa 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -26,6 +26,7 @@ let
 private_key = mkOption {
 type = types.secret-file;
 default = {
+ name = "exim.dkim_private_key/${config.domain}";
 path = "/run/krebs.secret/${config.domain}.dkim_private_key";
 owner.name = "exim";
 source-path = toString <secrets> + "/${config.domain}.dkim.priv"; 
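Review bot: `krebs.dns.search-domain` is widened to `types.nullOr types.hostname` but receives no `default`, so reading `config.krebs.dns.search-domain` on a host that never sets it still fails with the module system's "option used but not defined" error rather than yielding null; the `!= null` guards added to default.nix in this same commit only fire when someone sets it to null explicitly. Add `default = null;` next to the type so the null case is actually reachable, plus a short `description` stating that null disables the short-alias and `nets.""` handling in default.nix.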
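Review bot: The new `system_aliases` router carries no `domains` precondition, while the `local` router directly after it is restricted with `domains = +local_domains`; since Exim tries routers in order, any message whose `$local_part` matches an alias key is redirected regardless of its domain, which presumably also catches mail addressed to other hosts that routers later in this file (outside the hunk) are meant to handle. Add `domains = +local_domains` to the router so aliases only rewrite local addresses. The `from`/`to` values are also written verbatim into the lsearch file by `to-lsearch` in the first hunk, so until the TODO'd address types land, a comment on the option should note that `from` must not contain `:` or newlines, because lsearch reads the key up to the first colon.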
@@ -115,8 +116,12 @@ let
 }));
 systemd.services = mkIf (cfg.dkim != []) {
 exim = {
- after = [ "secret.service" ];
- requires = [ "secret.service" ];
+ after = flip map cfg.dkim (dkim:
+ config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
+ );
+ partOf = flip map cfg.dkim (dkim:
+ config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
+ );
 };
 };
 krebs.exim = {
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index f12dda09..efe3ace0 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -18,12 +18,15 @@ with import <stockholm/lib>;
 in {
 hosts = mapAttrs hostDefaults {
- catullus = {
+ toum = {
 owner = config.krebs.users.kmein;
 nets = {
 retiolum = {
 ip4.addr = "10.243.2.3";
- aliases = [ "catullus.r" ];
+ aliases = [
+ "toum.r"
+ "toum.kmein.r"
+ ];
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2tRtskPP6391+ZX9xzsx
@@ -48,7 +51,10 @@ in {
 nets = {
 retiolum = {
 ip4.addr = "10.243.2.4";
- aliases = [ "wilde.r" ];
+ aliases = [
+ "wilde.r"
+ "wilde.kmein.r"
+ ];
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY----- |
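Review bot: Replacing `requires = [ "secret.service" ]` with `partOf` changes the dependency semantics: `partOf` only propagates stop and restart from the per-domain secret units to exim, it does not pull them in, so unless each `krebs.secret.files.*.service` is activated by something else, exim can start with `after` trivially satisfied and no DKIM key present under `/run/krebs.secret`. Keep a pull-in edge alongside it, e.g. `requires = flip map cfg.dkim (dkim: config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service);`, and factor the repeated list into a `let` binding so `after`, `partOf` and `requires` cannot drift apart. How krebs.secret wires those units into a target is outside this hunk, so the first point is worth confirming there.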