From fc64fd18cb8677f08d038a086de879fd69f89b8c Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 00:20:16 +0200 Subject: krebs.*: make StrictHostKeyChecking configurable --- krebs/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/default.nix b/krebs/default.nix index 0b055cd2..08de7229 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -3,6 +3,7 @@ , current-user-name , lib , stockholm +, StrictHostKeyChecking ? "yes" }: let out = { @@ -260,7 +261,10 @@ let out = { in out; rootssh = target: script: - "ssh root@${target} -T ${doc '' + let + flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; + in + "ssh ${flags} root@${target} -T ${doc '' set -efu ${script} ''}"; -- cgit v1.2.3 From 4b8ffc1bfd494de1fafde2527a337ad5eb31a27c Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 00:23:02 +0200 Subject: krebs.nixos-install: fail if pkg cannot be found Collaterally, search in /nix instead of /mnt/nix --- krebs/default.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'krebs') diff --git a/krebs/default.nix b/krebs/default.nix index 08de7229..40d245f9 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -132,16 +132,20 @@ let out = { s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q ') echo "nix-env is $nix_env" >&2 - getchrootpath() {( + findpkg() {( name=$1 - path=$(find /mnt/nix/store \ + path=$(find /nix/store \ -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ | head -n 1 | sed s:^/mnt::) - echo "$name is $path" >&2 - echo "$path" + if echo "$path" | grep .; then + echo "$name is $path" >&2 + else + echo "Error: package not found: $name" >&2 + exit 1 + fi )} - cacert=$(getchrootpath cacert) - coreutils=$(getchrootpath coreutils) + cacert=$(findpkg cacert) + coreutils=$(findpkg coreutils) env="$coreutils/bin/env \ SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt" sed -i ' -- cgit v1.2.3 
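Review bot: The new `StrictHostKeyChecking` argument is spliced into the ssh command line unquoted (`flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"`), so a value outside the ones ssh understands silently yields a different command rather than an evaluation error. A guard in rootssh such as `assert lib.elem StrictHostKeyChecking [ "yes" "no" "ask" ];` in front of the `let` would pin the option to its documented values. The default `"yes"` is also stricter than what the previous command got from ssh's own default (no `-o` flag, i.e. `ask`): hosts not yet present in known_hosts are now refused instead of prompting, which is the safer behaviour but changes the outcome for existing callers and deserves a comment next to the default, e.g. `# "yes": refuse hosts missing from known_hosts; previously ssh prompted (ask)`.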
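Review bot: The `exit 1` in findpkg only leaves the `( … )` subshell, so `cacert=$(findpkg cacert)` still succeeds with an empty `$cacert` unless the enclosing script runs with `set -e`, which is not visible in this hunk; the callers should check explicitly, e.g. `cacert=$(findpkg cacert) || exit 1`. The function also relies on the stdout of `grep .` to emit the path, which is easy to misread as a mere test, and the `sed s:^/mnt::` is now a no-op since the search moved to `/nix/store`. `head -n 1` still picks an arbitrary match when several store paths fit `*-<name>-*`, which is worth a comment at minimum. A rewrite of the shell body inside the `''` string that makes the failure path and the output explicit:

```sh
findpkg() {(
  name=$1
  # first match only; several versions of $name may exist in the host store
  path=$(find /nix/store \
    -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
    | head -n 1)
  if test -z "$path"; then
    echo "Error: package not found: $name" >&2
    exit 1
  fi
  echo "$name is $path" >&2
  echo "$path"
)}
# … unchanged: cacert=$(findpkg cacert) / coreutils=$(findpkg coreutils) …
```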
From df6f0392cbdf7923537eb5d328bd345cde11eb53 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 00:49:51 +0200 Subject: krebs.nixos-install: cacert -> /root/SSL_CERT_FILE --- krebs/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/default.nix b/krebs/default.nix index 40d245f9..31a7f7d0 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -146,8 +146,8 @@ let out = { )} cacert=$(findpkg cacert) coreutils=$(findpkg coreutils) - env="$coreutils/bin/env \ - SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt" + cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE + env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE" sed -i ' s:^NIX_PATH=:chroot $mountPoint '"$env"' &: s:^nix-env:'"$nix_env"': -- cgit v1.2.3 From 9be59a04001698e8e34ae4e2a49e2dea920765b1 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 22 Oct 2015 15:26:54 +0200 Subject: krebs 3 modules: bepasty-server is a krebs module --- krebs/3modules/bepasty-server.nix | 164 ++++++++++++++++++++++++++++++++++++++ krebs/3modules/default.nix | 1 + 2 files changed, 165 insertions(+) create mode 100644 krebs/3modules/bepasty-server.nix (limited to 'krebs') diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix new file mode 100644 index 00000000..ff32eea6 --- /dev/null +++ b/krebs/3modules/bepasty-server.nix 
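Review bot: Why the bundle has to be copied at all is not visible from the hunk: after the previous commit `$cacert` is resolved in the host's `/nix/store`, which the chrooted nix-env presumably cannot see, so a comment above the `cp` such as `# $cacert is a host store path invisible inside the chroot; copy the bundle into the target` would save the next reader the archaeology. The destination `/mnt/root/SSL_CERT_FILE` is hardcoded while the consumer is the generic `chroot $mountPoint` text patched into nixos-install; if the two ever differ, nix-env inside the chroot ends up with a dangling SSL_CERT_FILE and TLS verification fails. The copy is also left behind in the installed system's root home with whatever mode `cp` gives it; consider removing `/mnt/root/SSL_CERT_FILE` once the install step has finished so the target does not keep a stale, install-time snapshot of the CA bundle.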
@@ -0,0 +1,164 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + gunicorn = pkgs.pythonPackages.gunicorn; + bepasty = pkgs.pythonPackages.bepasty-server; + gevent = pkgs.pythonPackages.gevent; + python = pkgs.pythonPackages.python; + cfg = config.krebs.bepasty; + + out = { + options.krebs.bepasty = api; + config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + }; + + api = { + enable = mkEnableOption "Bepasty Servers"; + serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx"; + + servers = mkOption { + type = with types; attrsOf optionSet; + options = singleton { + nginx = mkOption { + # TODO use the correct type + type = with types; attrsOf unspecified; + description = '' + additional nginx configuration. see krebs.nginx for all options + '' ; + }; + + secretKey = mkOption { + type = types.str; + description = '' + server secret for safe session cookies, must be set. + ''; + default = ""; + }; + + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi + workDir = mkOption { + type = types.str; + description = '' + Path to the working directory (used for sockets and pidfile). + Defaults to the users home directory. Must be accessible to nginx, + permissions will be set to 755 + ''; + default = config.users.extraUsers.bepasty.home; + }; + + dataDir = mkOption { + type = types.str; + description = '' + Defaults to the new users home dir which defaults to + /var/lib/bepasty-server/data + ''; + default = "${config.users.extraUsers.bepasty.home}/data"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + # TODO configure permissions in separate + example = '' + PERMISSIONS = { + 'myadminsecret': 'admin,list,create,read,delete', + } + MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 + ''; + }; + + defaultPermissions = mkOption { + # TODO: listOf str + type = types.str; + description = '' + default permissions for all unauthenticated users. 
+ ''; + example = "read,create,delete"; + default = "read"; + }; + + }; + default = {}; + }; + + }; + + imp = { + # Configures systemd services for each configured server + # environment.systemPackages = [ bepasty gunicorn gevent ]; + systemd.services = mapAttrs' (name: server: + nameValuePair ("bepasty-server-${name}") + ({ + description = "Bepasty Server ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + environment = { + BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; + PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + }; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + + ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' + #!/bin/sh + mkdir -p "${server.dataDir}" "${server.workDir}" + chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" + cat > "${server.workDir}/bepasty-${name}.conf" < Date: Thu, 22 Oct 2015 15:33:05 +0200 Subject: krebs 3 tinc_graphs: mv from makefu 3 tinc_graphs --- krebs/3modules/default.nix | 1 + krebs/3modules/tinc_graphs.nix | 145 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) create mode 100644 krebs/3modules/tinc_graphs.nix (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 1f34c8e6..5c5bec00 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -18,6 +18,7 @@ let ./retiolum-bootstrap.nix ./realwallpaper.nix ./retiolum.nix + ./tinc_graphs.nix ./urlwatch.nix ]; options.krebs = api; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix new file mode 100644 index 00000000..a6c62835 --- /dev/null +++ b/krebs/3modules/tinc_graphs.nix 
@@ -0,0 +1,145 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.krebs.tinc_graphs; + internal_dir = "${cfg.workingDir}/internal"; + external_dir = "${cfg.workingDir}/external"; + + out = { + options.krebs.tinc_graphs = api; + config = mkIf cfg.enable imp ; + }; + + api = { + enable = mkEnableOption "tinc graphs"; + + geodbPath = mkOption { + type = types.str; + description = "Path to geocitydb, defaults to geolite-legacy"; + default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; + }; + + nginx = { + enable = mkEnableOption "enable tinc_graphs to be served with nginx"; + + anonymous = { + server-names = mkOption { + type = with types; listOf str; + description = "hostnames which serve anonymous graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + # use the type of the nginx listen option + type = with types; listOf str; + description = "listen address for anonymous graphs"; + default = [ "80" ]; + }; + + }; + + complete = { + server-names = mkOption { + type = with types; listOf str; + description = "hostname which serves complete graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for complete graphs"; + default = [ "127.0.0.1:80" ]; + }; + + }; + }; + + workingDir = mkOption { + type = types.str; + description = '' + Path to working dir, will create interal and external/. 
+ Defaults to the new users home dir which defaults to + /var/cache/tinc_graphs''; + default = config.users.extraUsers.tinc_graphs.home; + }; + + timerConfig = mkOption { + type = with types; attrsOf str; + default = { + OnCalendar = "*:0/15"; + }; + }; + }; + + imp = { + environment.systemPackages = [ pkgs.tinc_graphs]; + systemd.timers.tinc_graphs = { + description = "Build Tinc Graphs via via timer"; + wantedBy = [ "timers.target"]; + timerConfig = cfg.timerConfig; + }; + systemd.services.tinc_graphs = { + description = "Build Tinc Graphs"; + environment = { + EXTERNAL_FOLDER = external_dir; + INTERNAL_FOLDER = internal_dir; + GEODB = cfg.geodbPath; + TINC_HOSTPATH=config.krebs.retiolum.hosts; + }; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + + ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' + #!/bin/sh + if ! test -e "${cfg.workingDir}/internal/index.html"; then + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" + fi + ''; + + ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs"; + + ExecStartPost = pkgs.writeScript "tinc_graphs-post" '' + #!/bin/sh + # TODO: this may break if workingDir is set to something stupid + # this is needed because homedir is created with 700 + chmod 755 "${cfg.workingDir}" + ''; + PrivateTmp = "yes"; + + User = "root"; # tinc cannot be queried as user, + # seems to be a tinc-pre issue + }; + }; + + users.extraUsers.tinc_graphs = { + uid = 3925439960; #genid tinc_graphs + home = "/var/spool/tinc_graphs"; + createHome = true; + }; + + krebs.nginx.servers = mkIf cfg.nginx.enable { + tinc_graphs_complete = mkMerge [ cfg.nginx.complete { + locations = [ + (nameValuePair "/" '' + autoindex on; + root ${internal_dir}; + '') + ]; + }] ; + tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { + locations = [ + (nameValuePair "/" '' + autoindex on; + root ${external_dir}; + '') + ]; + }]; + }; + }; + +in +out -- cgit v1.2.3 
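Review bot: The `workingDir` description claims the default home is `/var/cache/tinc_graphs`, but `users.extraUsers.tinc_graphs.home` further down is `/var/spool/tinc_graphs`, so the documented default is wrong; change the description to `Defaults to the tinc_graphs user's home, /var/spool/tinc_graphs.` (also "interal" → "internal"). The service runs with `User = "root"` and `ExecStartPost` runs `chmod 755 "${cfg.workingDir}"`, and since `workingDir` is a free `types.str` a misconfigured value has root loosen permissions on an arbitrary directory — the TODO already hints at this; an `assert` that the path lies under the user's home, or at least `types.path`, would narrow it. The two nginx vhosts default to identical `server-names`, so the only thing separating the complete graphs from the anonymous ones is the `127.0.0.1:80` listen address of `complete`; a comment on that default saying so, e.g. `# complete graphs are local-only by listen address, not by name`, would keep someone from "fixing" it later.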
From be39c6d8494724c6d7c87b826830f626aada15d8 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 22 Oct 2015 16:14:37 +0200 Subject: krebs 3 bepasty-server: styling --- krebs/3modules/bepasty-server.nix | 102 +++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index ff32eea6..c99c3d11 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -10,7 +10,10 @@ let out = { options.krebs.bepasty = api; - config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + config = mkIf cfg.enable (mkMerge [ + (mkIf cfg.serveNginx nginx-imp) + imp + ]); }; api = { @@ -25,7 +28,7 @@ let type = with types; attrsOf unspecified; description = '' additional nginx configuration. see krebs.nginx for all options - '' ; + ''; }; secretKey = mkOption { @@ -52,7 +55,7 @@ let description = '' Defaults to the new users home dir which defaults to /var/lib/bepasty-server/data - ''; + ''; default = "${config.users.extraUsers.bepasty.home}/data"; }; @@ -65,14 +68,14 @@ let 'myadminsecret': 'admin,list,create,read,delete', } MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 - ''; + ''; }; defaultPermissions = mkOption { # TODO: listOf str type = types.str; description = '' - default permissions for all unauthenticated users. + default permissions for all unauthenticated users. ''; example = "read,create,delete"; default = "read"; 
@@ -88,42 +91,42 @@ let # Configures systemd services for each configured server # environment.systemPackages = [ bepasty gunicorn gevent ]; systemd.services = mapAttrs' (name: server: - nameValuePair ("bepasty-server-${name}") - ({ - description = "Bepasty Server ${name}"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - restartIfChanged = true; - environment = { - BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; - PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; - }; - serviceConfig = { - Type = "simple"; - PrivateTmp = true; - - ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' - #!/bin/sh - mkdir -p "${server.dataDir}" "${server.workDir}" - chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" - cat > "${server.workDir}/bepasty-${name}.conf" < "${server.workDir}/bepasty-${name}.conf" < Date: Thu, 22 Oct 2015 17:17:04 +0200 Subject: krebs 3 zones: remove empty lines --- krebs/3modules/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5c5bec00..075db182 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
@@ -105,10 +105,14 @@ let # Implements environment.etc."zones/" environment.etc = let + stripEmptyLines = s: concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s))); all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" - ([cfg.zone-head-config] ++ combined-hosts) ; + ([cfg.zone-head-config] ++ combined-hosts); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); - in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; + in lib.mapAttrs' (name: value: nameValuePair + ("zones/" + name) + { text=(stripEmptyLines value); }) all-zones; krebs.exim-smarthost.internet-aliases = let format = from: to: -- cgit v1.2.3
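Review bot: In `stripEmptyLines` the inner `remove "\n"` is dead: `splitString "\n" s` can never yield an element equal to `"\n"`, so only `remove ""` does any work, and lines that consist solely of whitespace still pass through into the zone file. The helper reads more directly as one filter, `stripEmptyLines = s: concatStringsSep "\n" (filter (l: l != "") (splitString "\n" s));`. The empty line being stripped comes from `foldAttrs` prepending `"\n"` to every element including the first, which a short comment above `all-zones` could record so the two definitions are understood together. The enclosing `environment.etc = let … in` block continues outside the hunk.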