From 0c92dd719a46139523f6e353c354871bd78024a4 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 25 May 2017 23:19:36 +0200 Subject: m 2: rename stats and share --- makefu/1systems/gum.nix | 6 +- makefu/1systems/omo.nix | 13 ++-- makefu/2configs/gum-share.nix | 39 ---------- makefu/2configs/logging/central-logging-client.nix | 32 --------- makefu/2configs/logging/central-logging-server.nix | 23 ------ makefu/2configs/logging/central-stats-client.nix | 60 ---------------- makefu/2configs/logging/central-stats-server.nix | 84 ---------------------- makefu/2configs/logging/client.nix | 32 +++++++++ makefu/2configs/logging/external/aralast.nix | 38 ---------- makefu/2configs/logging/server.nix | 23 ++++++ makefu/2configs/omo-share.nix | 69 ------------------ makefu/2configs/share/gum.nix | 39 ++++++++++ makefu/2configs/share/omo.nix | 69 ++++++++++++++++++ makefu/2configs/share/temp-share-samba.nix | 31 ++++++++ makefu/2configs/stats/client.nix | 60 ++++++++++++++++ makefu/2configs/stats/external/aralast.nix | 38 ++++++++++ makefu/2configs/stats/server.nix | 84 ++++++++++++++++++++++ makefu/2configs/temp-share-samba.nix | 31 -------- 18 files changed, 387 insertions(+), 384 deletions(-) delete mode 100644 makefu/2configs/gum-share.nix delete mode 100644 makefu/2configs/logging/central-logging-client.nix delete mode 100644 makefu/2configs/logging/central-logging-server.nix delete mode 100644 makefu/2configs/logging/central-stats-client.nix delete mode 100644 makefu/2configs/logging/central-stats-server.nix create mode 100644 makefu/2configs/logging/client.nix delete mode 100644 makefu/2configs/logging/external/aralast.nix create mode 100644 makefu/2configs/logging/server.nix delete mode 100644 makefu/2configs/omo-share.nix create mode 100644 makefu/2configs/share/gum.nix create mode 100644 makefu/2configs/share/omo.nix create mode 100644 makefu/2configs/share/temp-share-samba.nix create mode 100644 makefu/2configs/stats/client.nix create mode 100644 makefu/2configs/stats/external/aralast.nix create mode 100644 makefu/2configs/stats/server.nix delete mode 100644 makefu/2configs/temp-share-samba.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index ddff9f78..fb4fac3f 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -32,7 +32,7 @@ in { ../2configs/tools/sec.nix # services - ../2configs/gum-share.nix + ../2configs/share/gum.nix ../2configs/sabnzbd.nix ../2configs/torrent.nix ../2configs/iodined.nix @@ -64,8 +64,8 @@ in { ../2configs/syncthing.nix # ../2configs/opentracker.nix - ../2configs/logging/central-stats-client.nix - # ../2configs/logging/central-logging-client.nix + ../2configs/stats/client.nix + # ../2configs/logging/client.nix ]; makefu.dl-dir = "/var/download"; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 91785a07..0f1b8e0d 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -50,11 +50,13 @@ in { # ../2configs/disable_v6.nix #../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix - ../2configs/omo-share.nix + ../2configs/share/omo.nix ../2configs/tinc/retiolum.nix - ../2configs/logging/central-stats-server.nix - # ../2configs/logging/central-logging-server.nix - ../2configs/logging/central-stats-client.nix + + # Logging + ../2configs/stats/server.nix #influx + grafana + ../2configs/stats/client.nix + ../2configs/stats/external/aralast.nix # logs to influx # services ../2configs/syncthing.nix @@ -180,7 +182,8 @@ in { uid = 9002; name = "misa"; }; - hardware.enableAllFirmware = true; + # hardware.enableAllFirmware = true; + hardware.enableRedistributableFirmware = true; hardware.cpu.intel.updateMicrocode = true; zramSwap.enable = true; diff --git a/makefu/2configs/gum-share.nix b/makefu/2configs/gum-share.nix deleted file mode 100644 index e578f43d..00000000 --- a/makefu/2configs/gum-share.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -let - hostname = config.krebs.build.host.name; -in { - # users.users.smbguest = { - # name = "smbguest"; - # uid = config.ids.uids.smbguest; - # description = "smb guest user"; - # home = "/var/empty"; - # }; - - users.users.download = { }; - services.samba = { - enable = true; - shares = { - download = { - path = "/var/download"; - "read only" = "no"; - browseable = "yes"; - "guest ok" = "no"; - "valid users" = "download"; - }; - }; - extraConfig = '' - # guest account = smbguest - # map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport 445 -j ACCEPT - ''; -} diff --git a/makefu/2configs/logging/central-logging-client.nix b/makefu/2configs/logging/central-logging-client.nix deleted file mode 100644 index 04d2de0d..00000000 --- a/makefu/2configs/logging/central-logging-client.nix +++ /dev/null @@ -1,32 +0,0 @@ -{pkgs, buil, config, ...}: -let - log-server = config.makefu.log-server; - log-port = 9200; -in { - services.journalbeat = { - enable = true; - # TODO: filter for certain journal fields, not all - extraConfig = '' - journalbeat: - name: logs-${config.krebs.build.host.name} - seek_position: cursor - cursor_seek_fallback: tail - write_cursor_state: true - cursor_flush_period: 5s - clean_field_names: true - convert_to_numbers: false - move_metadata_to_field: journal - default_type: journal - output.elasticsearch: - enabled: true - hosts: ["${log-server}:${builtins.toString log-port}"] - template.enabled: false - #output.console: - # enabled: true - logging.level: info - logging.to_syslog: true - logging.selectors: ["*"] - - ''; - }; -} diff --git a/makefu/2configs/logging/central-logging-server.nix b/makefu/2configs/logging/central-logging-server.nix deleted file mode 100644 index 90f8e668..00000000 --- a/makefu/2configs/logging/central-logging-server.nix +++ /dev/null @@ -1,23 +0,0 @@ -{pkgs, config, ...}: - -with import ; -let - es-port = 9200; - kibana-port = 5601; -in { - services.elasticsearch = { - enable = true; - listenAddress = "0.0.0.0"; - port = es-port; - }; - services.kibana = { - enable = true; - listenAddress = "0.0.0.0"; - port = kibana-port; - }; - - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport ${toString es-port} -j ACCEPT - iptables -A INPUT -i retiolum -p tcp --dport ${toString kibana-port} -j ACCEPT - ''; -} diff --git a/makefu/2configs/logging/central-stats-client.nix b/makefu/2configs/logging/central-stats-client.nix deleted file mode 100644 index dd6dddda..00000000 --- a/makefu/2configs/logging/central-stats-client.nix +++ /dev/null @@ -1,60 +0,0 @@ -{pkgs, config, ...}: -{ - services.collectd = { - enable = true; - autoLoadPlugin = true; - extraConfig = '' - Hostname ${config.krebs.build.host.name} - LoadPlugin load - LoadPlugin disk - LoadPlugin memory - LoadPlugin df - Interval 30.0 - - LoadPlugin interface - - Interface "*Link" - Interface "lo" - Interface "vboxnet*" - Interface "virbr*" - IgnoreSelected true - - - LoadPlugin df - - MountPoint "/nix/store" - # MountPoint "/run*" - # MountPoint "/sys*" - # MountPoint "/dev" - # MountPoint "/dev/shm" - # MountPoint "/tmp" - FSType "tmpfs" - FSType "binfmt_misc" - FSType "debugfs" - FSType "mqueue" - FSType "hugetlbfs" - FSType "systemd-1" - FSType "cgroup" - FSType "securityfs" - FSType "ramfs" - FSType "proc" - FSType "devpts" - FSType "devtmpfs" - MountPoint "/var/lib/docker/devicemapper" - IgnoreSelected true - - - LoadPlugin cpu - - ReportByCpu true - ReportByState true - ValuesPercentage true - - - LoadPlugin network - - Server "${config.makefu.stats-server}" "25826" - - ''; - }; -} diff --git a/makefu/2configs/logging/central-stats-server.nix b/makefu/2configs/logging/central-stats-server.nix deleted file mode 100644 index 602fcc6d..00000000 --- a/makefu/2configs/logging/central-stats-server.nix +++ /dev/null @@ -1,84 +0,0 @@ -{pkgs, config, ...}: - -with import ; -let - collectd-port = 25826; - influx-port = 8086; - grafana-port = 3000; # TODO nginx forward - db = "collectd_db"; - logging-interface = config.makefu.server.primary-itf; -in { - services.grafana.enable = true; - services.grafana.addr = "0.0.0.0"; - - services.influxdb.enable = true; - # redirect grafana to stats.makefu.r - services.nginx.enable = true; - services.nginx.virtualHosts."stats.makefu.r".locations."/".proxyPass = "http://localhost:3000"; - # forward these via nginx - services.influxdb.extraConfig = { - meta.hostname = config.krebs.build.host.name; - # meta.logging-enabled = true; - http.bind-address = ":${toString influx-port}"; - admin.bind-address = ":8083"; - monitoring = { - enabled = false; - # write-interval = "24h"; - }; - collectd = [{ - enabled = true; - typesdb = "${pkgs.collectd}/share/collectd/types.db"; - database = db; - port = collectd-port; - }]; - }; - krebs.kapacitor = - let - echoToIrc = pkgs.writeDash "echo_irc" '' - set -euf - data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=malarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null - ''; - in { - enable = true; - alarms = { - cpu_deadman.database = db; - cpu_deadman.text = '' - var data = batch - |query(${"'''"} - SELECT mean("value") AS mean - FROM "collectd_db"."default"."cpu_value" - WHERE "type_instance" = 'idle' AND "type" = 'percent' fill(0) - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" < 50) - .stateChangesOnly() - .exec('${echoToIrc}') - data |deadman(1.0,5m) - .stateChangesOnly() - .exec('${echoToIrc}') - ''; - }; - - }; - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT - iptables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT - iptables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT - iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT - iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT - iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT - - ip6tables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT - ip6tables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT - ip6tables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT - ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT - ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT - ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT - ''; -} diff --git a/makefu/2configs/logging/client.nix b/makefu/2configs/logging/client.nix new file mode 100644 index 00000000..04d2de0d --- /dev/null +++ b/makefu/2configs/logging/client.nix @@ -0,0 +1,32 @@ +{pkgs, buil, config, ...}: +let + log-server = config.makefu.log-server; + log-port = 9200; +in { + services.journalbeat = { + enable = true; + # TODO: filter for certain journal fields, not all + extraConfig = '' + journalbeat: + name: logs-${config.krebs.build.host.name} + seek_position: cursor + cursor_seek_fallback: tail + write_cursor_state: true + cursor_flush_period: 5s + clean_field_names: true + convert_to_numbers: false + move_metadata_to_field: journal + default_type: journal + output.elasticsearch: + enabled: true + hosts: ["${log-server}:${builtins.toString log-port}"] + template.enabled: false + #output.console: + # enabled: true + logging.level: info + logging.to_syslog: true + logging.selectors: ["*"] + + ''; + }; +} diff --git a/makefu/2configs/logging/external/aralast.nix b/makefu/2configs/logging/external/aralast.nix deleted file mode 100644 index c335db45..00000000 --- a/makefu/2configs/logging/external/aralast.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - pkg = pkgs.stdenv.mkDerivation { - name = "aralast-master"; - src = pkgs.fetchFromGitHub { - owner = "makefu"; - repo = "aralast"; - rev = "7121598"; - sha256 = "0vw027c698h9b69ksid5p3pji9960hd7n9xi4arrax0vfkwryb4m"; - }; - installPhase = '' - install -m755 -D aralast.sh $out/bin/aralast - ''; - }; -in { - systemd.services.aralast = { - description = "periodically fetch aramark"; - path = [ - pkgs.curl - pkgs.gnugrep - pkgs.gnused - ]; - wantedBy = [ "multi-user.target" ]; - environment = { - INFLUX_HOST = "localhost"; - INFLUX_PORT = "8086"; - }; - # every 10 seconds when the cantina is open - startAt = "Mon,Tue,Wed,Thu,Fri *-*-* 6,7,8,9,10,11,12,13,14,15:*:0/10"; - serviceConfig = { - User = "nobody"; - ExecStart = "${pkg}/bin/aralast"; - PrivateTmp = true; - }; - }; -} diff --git a/makefu/2configs/logging/server.nix b/makefu/2configs/logging/server.nix new file mode 100644 index 00000000..90f8e668 --- /dev/null +++ b/makefu/2configs/logging/server.nix @@ -0,0 +1,23 @@ +{pkgs, config, ...}: + +with import ; +let + es-port = 9200; + kibana-port = 5601; +in { + services.elasticsearch = { + enable = true; + listenAddress = "0.0.0.0"; + port = es-port; + }; + services.kibana = { + enable = true; + listenAddress = "0.0.0.0"; + port = kibana-port; + }; + + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p tcp --dport ${toString es-port} -j ACCEPT + iptables -A INPUT -i retiolum -p tcp --dport ${toString kibana-port} -j ACCEPT + ''; +} diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix deleted file mode 100644 index 7d7a4ec5..00000000 --- a/makefu/2configs/omo-share.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - hostname = config.krebs.build.host.name; - # TODO local-ip from the nets config - local-ip = "192.168.1.11"; - # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr; -in { - - # samba share /media/crypt1/share - users.users.smbguest = { - name = "smbguest"; - uid = config.ids.uids.smbguest; - description = "smb guest user"; - home = "/var/empty"; - }; - services.samba = { - enable = true; - shares = { - winshare = { - path = "/media/crypt1/share"; - "read only" = "no"; - browseable = "yes"; - "guest ok" = "yes"; - }; - emu = { - path = "/media/crypt1/emu"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - usenet = { - path = "/media/crypt0/usenet/dst"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - pyload = { - path = "/media/crypt0/pyload"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - crypt0 = { - path = "/media/crypt0"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - media-rw = { - path = "/media/"; - "read only" = "no"; - browseable = "yes"; - "guest ok" = "no"; - "valid users" = "makefu"; - }; - }; - extraConfig = '' - guest account = smbguest - map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; -} diff --git a/makefu/2configs/share/gum.nix b/makefu/2configs/share/gum.nix new file mode 100644 index 00000000..e578f43d --- /dev/null +++ b/makefu/2configs/share/gum.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + hostname = config.krebs.build.host.name; +in { + # users.users.smbguest = { + # name = "smbguest"; + # uid = config.ids.uids.smbguest; + # description = "smb guest user"; + # home = "/var/empty"; + # }; + + users.users.download = { }; + services.samba = { + enable = true; + shares = { + download = { + path = "/var/download"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "no"; + "valid users" = "download"; + }; + }; + extraConfig = '' + # guest account = smbguest + # map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p tcp --dport 445 -j ACCEPT + ''; +} diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix new file mode 100644 index 00000000..7d7a4ec5 --- /dev/null +++ b/makefu/2configs/share/omo.nix @@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + hostname = config.krebs.build.host.name; + # TODO local-ip from the nets config + local-ip = "192.168.1.11"; + # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr; +in { + + # samba share /media/crypt1/share + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + services.samba = { + enable = true; + shares = { + winshare = { + path = "/media/crypt1/share"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + emu = { + path = "/media/crypt1/emu"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + usenet = { + path = "/media/crypt0/usenet/dst"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + pyload = { + path = "/media/crypt0/pyload"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + crypt0 = { + path = "/media/crypt0"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + media-rw = { + path = "/media/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "no"; + "valid users" = "makefu"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/makefu/2configs/share/temp-share-samba.nix b/makefu/2configs/share/temp-share-samba.nix new file mode 100644 index 00000000..0907c2db --- /dev/null +++ b/makefu/2configs/share/temp-share-samba.nix @@ -0,0 +1,31 @@ +{config, ... }:{ + networking.firewall.allowedUDPPorts = [ 137 138 ]; + networking.firewall.allowedTCPPorts = [ 139 445 ]; + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/home/share"; + createHome = true; + }; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/makefu/2configs/stats/client.nix b/makefu/2configs/stats/client.nix new file mode 100644 index 00000000..dd6dddda --- /dev/null +++ b/makefu/2configs/stats/client.nix @@ -0,0 +1,60 @@ +{pkgs, config, ...}: +{ + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + LoadPlugin df + Interval 30.0 + + LoadPlugin interface + + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + + + LoadPlugin df + + MountPoint "/nix/store" + # MountPoint "/run*" + # MountPoint "/sys*" + # MountPoint "/dev" + # MountPoint "/dev/shm" + # MountPoint "/tmp" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + + + LoadPlugin cpu + + ReportByCpu true + ReportByState true + ValuesPercentage true + + + LoadPlugin network + + Server "${config.makefu.stats-server}" "25826" + + ''; + }; +} diff --git a/makefu/2configs/stats/external/aralast.nix b/makefu/2configs/stats/external/aralast.nix new file mode 100644 index 00000000..c335db45 --- /dev/null +++ b/makefu/2configs/stats/external/aralast.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + pkg = pkgs.stdenv.mkDerivation { + name = "aralast-master"; + src = pkgs.fetchFromGitHub { + owner = "makefu"; + repo = "aralast"; + rev = "7121598"; + sha256 = "0vw027c698h9b69ksid5p3pji9960hd7n9xi4arrax0vfkwryb4m"; + }; + installPhase = '' + install -m755 -D aralast.sh $out/bin/aralast + ''; + }; +in { + systemd.services.aralast = { + description = "periodically fetch aramark"; + path = [ + pkgs.curl + pkgs.gnugrep + pkgs.gnused + ]; + wantedBy = [ "multi-user.target" ]; + environment = { + INFLUX_HOST = "localhost"; + INFLUX_PORT = "8086"; + }; + # every 10 seconds when the cantina is open + startAt = "Mon,Tue,Wed,Thu,Fri *-*-* 6,7,8,9,10,11,12,13,14,15:*:0/10"; + serviceConfig = { + User = "nobody"; + ExecStart = "${pkg}/bin/aralast"; + PrivateTmp = true; + }; + }; +} diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix new file mode 100644 index 00000000..602fcc6d --- /dev/null +++ b/makefu/2configs/stats/server.nix @@ -0,0 +1,84 @@ +{pkgs, config, ...}: + +with import ; +let + collectd-port = 25826; + influx-port = 8086; + grafana-port = 3000; # TODO nginx forward + db = "collectd_db"; + logging-interface = config.makefu.server.primary-itf; +in { + services.grafana.enable = true; + services.grafana.addr = "0.0.0.0"; + + services.influxdb.enable = true; + # redirect grafana to stats.makefu.r + services.nginx.enable = true; + services.nginx.virtualHosts."stats.makefu.r".locations."/".proxyPass = "http://localhost:3000"; + # forward these via nginx + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":${toString influx-port}"; + admin.bind-address = ":8083"; + monitoring = { + enabled = false; + # write-interval = "24h"; + }; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = db; + port = collectd-port; + }]; + }; + krebs.kapacitor = + let + echoToIrc = pkgs.writeDash "echo_irc" '' + set -euf + data="$(${pkgs.jq}/bin/jq -r .message)" + export LOGNAME=malarm + ${pkgs.irc-announce}/bin/irc-announce \ + irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null + ''; + in { + enable = true; + alarms = { + cpu_deadman.database = db; + cpu_deadman.text = '' + var data = batch + |query(${"'''"} + SELECT mean("value") AS mean + FROM "collectd_db"."default"."cpu_value" + WHERE "type_instance" = 'idle' AND "type" = 'percent' fill(0) + ${"'''"}) + .period(10m) + .every(1m) + .groupBy('host') + data |alert() + .crit(lambda: "mean" < 50) + .stateChangesOnly() + .exec('${echoToIrc}') + data |deadman(1.0,5m) + .stateChangesOnly() + .exec('${echoToIrc}') + ''; + }; + + }; + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT + iptables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT + iptables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT + iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + + ip6tables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT + ip6tables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT + ip6tables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT + ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT + ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT + ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + ''; +} diff --git a/makefu/2configs/temp-share-samba.nix b/makefu/2configs/temp-share-samba.nix deleted file mode 100644 index 0907c2db..00000000 --- a/makefu/2configs/temp-share-samba.nix +++ /dev/null @@ -1,31 +0,0 @@ -{config, ... }:{ - networking.firewall.allowedUDPPorts = [ 137 138 ]; - networking.firewall.allowedTCPPorts = [ 139 445 ]; - users.users.smbguest = { - name = "smbguest"; - uid = config.ids.uids.smbguest; - description = "smb guest user"; - home = "/home/share"; - createHome = true; - }; - services.samba = { - enable = true; - shares = { - share-home = { - path = "/home/share/"; - "read only" = "no"; - browseable = "yes"; - "guest ok" = "yes"; - }; - }; - extraConfig = '' - guest account = smbguest - map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; -} -- cgit v1.2.3