diff options
author | tv <tv@krebsco.de> | 2022-03-06 10:43:33 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2022-03-06 10:43:33 +0100 |
commit | 5182daaaf4cadaba84331a34b5455bf9dff131b6 (patch) | |
tree | deaa480a8ad3a9aaad6176bc14804f2bb6569c30 /krebs/3modules | |
parent | 6bcbb9adae290249988c86da35b2b5236df6ce96 (diff) | |
parent | 87a44dd1573cbdc8f0fc3553b0896b470bcfa44d (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/external/kmein.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 43 | ||||
-rw-r--r-- | krebs/3modules/makefu/retiolum/latte.pub | 8 | ||||
-rw-r--r-- | krebs/3modules/makefu/retiolum/latte_ed25519.pub | 1 | ||||
-rw-r--r-- | krebs/3modules/rtorrent.nix | 348 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 12 |
7 files changed, 62 insertions, 352 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index fc57d8188..2d73da884 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -46,7 +46,6 @@ let ./realwallpaper.nix ./repo-sync.nix ./retiolum-bootstrap.nix - ./rtorrent.nix ./secret.nix ./setuid.nix ./shadow.nix diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix index 1e4a68057..4605fbdf0 100644 --- a/krebs/3modules/external/kmein.nix +++ b/krebs/3modules/external/kmein.nix @@ -63,6 +63,7 @@ in "names.kmein.r" "graph.r" "rrm.r" + "redaktion.r" ]; ip4.addr = "10.243.2.84"; tinc.pubkey = '' diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index f87802b45..68484a102 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -148,6 +148,46 @@ in { }; }; }; + latte = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + latte.euer IN A ${nets.internet.ip4.addr} + rss.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 4; + nets = rec { + internet = { + ip4.addr = "178.254.30.202"; + ip6.addr = "2a00:6800:3:18c::2"; + aliases = [ + "latte.i" + ]; + }; + #wiregrill = { + # via = internet; + # ip4.addr = "10.244.245.1"; + # ip6.addr = w6 "1"; + # wireguard.port = 51821; + # wireguard.subnets = [ + # (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + # "10.244.245.0/24" # required for routing directly to gum via rockit + # ]; + #}; + retiolum = { + via = internet; + ip4.addr = "10.243.0.214"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "latte.r" + "torrent.latte.r" + ]; + }; + }; + }; gum = rec { ci = true; extraZones = { @@ -173,7 +213,6 @@ in { feed.euer IN A ${nets.internet.ip4.addr} board.euer IN A ${nets.internet.ip4.addr} etherpad.euer IN A ${nets.internet.ip4.addr} - rss.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. mon.euer IN A ${nets.internet.ip4.addr} netdata.euer IN A ${nets.internet.ip4.addr} @@ -220,7 +259,7 @@ in { via = internet; ip4.addr = "10.243.0.213"; # never connect via gum (he eats your packets!) - tinc.weight = 9001; + #tinc.weight = 9001; aliases = [ "gum.r" diff --git a/krebs/3modules/makefu/retiolum/latte.pub b/krebs/3modules/makefu/retiolum/latte.pub new file mode 100644 index 000000000..17fca2b40 --- /dev/null +++ b/krebs/3modules/makefu/retiolum/latte.pub @@ -0,0 +1,8 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU +5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo +r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf +43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4 +GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6 +vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/krebs/3modules/makefu/retiolum/latte_ed25519.pub b/krebs/3modules/makefu/retiolum/latte_ed25519.pub new file mode 100644 index 000000000..7974bb6e5 --- /dev/null +++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub @@ -0,0 +1 @@ +ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix deleted file mode 100644 index 4a96f6203..000000000 --- a/krebs/3modules/rtorrent.nix +++ /dev/null @@ -1,348 +0,0 @@ -{ config, lib, pkgs, options, ... }: - -with import <stockholm/lib>; -let - cfg = config.krebs.rtorrent; - webcfg = config.krebs.rtorrent.web; - rucfg = config.krebs.rtorrent.rutorrent; - - nginx-user = config.services.nginx.user; - nginx-group = config.services.nginx.group; - fpm-socket = config.services.phpfpm.pools.rutorrent.socket; - - webdir = rucfg.webdir; - systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; - - # rutorrent requires a couple of binaries to be available to either the - # rtorrent process or to phpfpm - - rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ - (if (config.nixpkgs.config.allowUnfree or false) then - trace "enabling unfree packages for rutorrent" [ unrar unzip ] else - trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []); - - configFile = pkgs.writeText "rtorrent-config" '' - # THIS FILE IS AUTOGENERATED - ${optionalString (cfg.listenPort != null) '' - port_range = ${toString cfg.listenPort}-${toString cfg.listenPort} - port_random = no - ''} - - ${optionalString (cfg.watchDir != null) '' - directory.watch.added = "${cfg.watchDir}", load.start_verbose - ''} - - directory = ${cfg.downloadDir} - session = ${cfg.sessionDir} - - ${optionalString (cfg.enableXMLRPC ) '' - # prepare socket and set permissions. rtorrent user is part of group nginx - # TODO: configure a shared torrent group - execute.nothrow = rm,${cfg.xmlrpc-socket} - scgi_local = ${cfg.xmlrpc-socket} - schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}" - ''} - - system.file.allocate.set = ${if cfg.preAllocate then "yes" else "no"} - - # Prepare systemd logging - log.open_file = "rtorrent-systemd", ${systemd-logfile} - log.add_output = "warn", "rtorrent-systemd" - log.add_output = "notice", "rtorrent-systemd" - log.add_output = "info", "rtorrent-systemd" - # log.add_output = "debug", "rtorrent-systemd" - ${cfg.extraConfig} - ''; - - out = { - options.krebs.rtorrent = api; - # This only works because none of the attrsets returns the same key - config = with lib; mkIf cfg.enable (lib.mkMerge [ - (lib.mkIf webcfg.enable rpcweb-imp) - # only build rutorrent-imp if webcfg is enabled as well - (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp) - imp - ]); - }; - - api = { - enable = mkEnableOption "rtorrent"; - - web = { - # configure NGINX to provide /RPC2 for listen address - # authentication also applies to rtorrent.rutorrent - enable = mkEnableOption "rtorrent nginx web RPC"; - - addr = mkOption { - type = types.addr4; - default = "0.0.0.0"; - description = '' - the address to listen on - default is 0.0.0.0 - ''; - }; - - port = mkOption { - type = types.nullOr types.int; - description ='' - nginx listen port for rtorrent - ''; - default = 8006; - }; - - basicAuth = mkOption { - type = types.attrsOf types.str ; - description = '' - basic authentication to be used. If unset, no authentication will be - enabled. - - Refer to `services.nginx.virtualHosts.‹name›.basicAuth` - ''; - default = {}; - }; - }; - - rutorrent = { - enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable - - package = mkOption { - type = types.package; - description = '' - path to rutorrent package. When using your own ruTorrent package, - scgi_port and scgi_host will be patched on startup. - ''; - default = pkgs.rutorrent; - }; - - webdir = mkOption { - type = types.path; - description = '' - rutorrent php files will be written to this folder. - when using nginx, be aware that the the folder should be readable by nginx. - because rutorrent does not hold mutable data in a separate folder - these files must be writable. - ''; - default = "/var/lib/rutorrent"; - }; - - }; - - package = mkOption { - type = types.package; - default = pkgs.rtorrent; - }; - - # TODO: enable xmlrpc with web.enable - enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket"; - xmlrpc-socket = mkOption { - type = types.str; - description = '' - enable xmlrpc at given socket. Required for web-interface. - - for documentation see: - https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC - ''; - default = cfg.workDir + "/rtorrent.sock"; - }; - - preAllocate = mkOption { - type = types.bool; - description = '' - Pre-Allocate torrent files - ''; - default = true; - }; - - downloadDir = mkOption { - type = types.path; - description = '' - directory where torrents are stored - ''; - default = cfg.workDir + "/downloads"; - }; - - sessionDir = mkOption { - type = types.path; - description = '' - directory where torrent progress is stored - ''; - default = cfg.workDir + "/rtorrent-session"; - }; - - watchDir = mkOption { - type = with types; nullOr str; - description = '' - directory to watch for torrent files. - If unset, no watch directory will be configured - ''; - default = null; - }; - - listenPort = mkOption { - type = with types; nullOr int; - description ='' - listening port. if you want multiple ports, use extraConfig port_range - ''; - }; - - extraConfig = mkOption { - type = types.lines; - description = '' - config to be placed into ${cfg.workDir}/.rtorrent.rc - - see ${cfg.package}/share/doc/rtorrent/rtorrent.rc - ''; - example = literalExample '' - log.execute = ${cfg.workDir}/execute.log - log.xmlrpc = ${cfg.workDir}/xmlrpc.log - ''; - default = ""; - }; - - user = mkOption { - description = '' - user which will run rtorrent. if kept default a new user will be created - ''; - type = types.str; - default = "rtorrent"; - }; - - workDir = mkOption { - description = '' - working directory. rtorrent will search in HOME for `.rtorrent.rc` - ''; - type = types.str; - default = "/var/lib/rtorrent"; - }; - - }; - - imp = { - systemd.services = { - rtorrent-daemon = { - description = "rtorrent headless"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; - serviceConfig = { - Type = "forking"; - ExecStartPre = pkgs.writeDash "prepare-folder" '' - mkdir -p ${cfg.workDir} ${cfg.sessionDir} - chmod 770 ${cfg.workDir} ${cfg.sessionDir} - touch ${systemd-logfile} - cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc - ''; - ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; - Restart = "always"; - RestartSec = "10"; - - ## you can simply sudo -u rtorrent tmux a if privateTmp is set to false - ## otherwise the tmux session is stored in some private folder in /tmp - PrivateTmp = false; - - WorkingDirectory = cfg.workDir; - User = "${cfg.user}"; - }; - }; - rtorrent-log = { - after = [ "rtorrent-daemon.service" ]; - bindsTo = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; - User = "${cfg.user}"; - }; - }; - } // (optionalAttrs webcfg.enable { - rutorrent-prepare = { - after = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - Type = "oneshot"; - # we create the folder and set the permissions to allow nginx - # TODO: update files if the version of rutorrent changed - ExecStart = pkgs.writeDash "create-webconfig-dir" '' - if [ ! -e ${webdir} ];then - echo "creating webconfiguration directory for rutorrent: ${webdir}" - cp -vr ${rucfg.package} ${webdir} - echo "setting permissions for webdir to ${cfg.user}:${nginx-group}" - chown -R ${cfg.user}:${nginx-group} ${webdir} - chmod -R 770 ${webdir} - else - echo "not overwriting ${webdir}" - - fi - echo "updating xmlrpc-socket with unix://${cfg.xmlrpc-socket}" - sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \ - -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \ - "${webdir}/conf/config.php" - ''; - }; - }; - }) - // (optionalAttrs rucfg.enable { }); - - users = lib.mkIf (cfg.user == "rtorrent") { - users.rtorrent = { - uid = genid "rtorrent"; - home = cfg.workDir; - group = nginx-group; # required for rutorrent to work - shell = "/bin/sh"; #required for tmux - isSystemUser = true; - createHome = true; - }; - groups.rtorrent.gid = genid "rtorrent"; - }; - }; - - rpcweb-imp = { - services.nginx.enable = mkDefault true; - services.nginx.virtualHosts.rtorrent = { - default = mkDefault true; - inherit (webcfg) basicAuth; - root = optionalString rucfg.enable webdir; - listen = [ { inherit (webcfg) addr port; } ]; - - locations = { - "/RPC2".extraConfig = '' - include ${pkgs.nginx}/conf/scgi_params; - scgi_param SCRIPT_NAME /RPC2; - scgi_pass unix:${cfg.xmlrpc-socket}; - ''; - } // (optionalAttrs rucfg.enable { - "~ \.php$".extraConfig = '' - client_max_body_size 200M; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${fpm-socket}; - try_files $uri =404; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - ''; } - ); - }; - }; - - rutorrent-imp = { - services.phpfpm = { - pools.rutorrent = { - user = nginx-user; - group = nginx-group; - phpEnv.PATH = makeBinPath rutorrent-deps; - - settings = { - "listen.owner" = nginx-user; - "pm" = "dynamic"; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "chdir" = "/"; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = "on"; - "catch_workers_output" = "yes"; - }; - }; - }; - }; -in out diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index bc85aa0a6..1b28628d6 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -19,13 +19,15 @@ with import <stockholm/lib>; "hosts" = tinc.config.hostsPackage; "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" '' Name = ${tinc.config.host.name} + LogLevel = ${toString tinc.config.logLevel} Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + "tinc-up" = pkgs.writeScript "${netname}-tinc-up" '' + #!/bin/sh ip link set ${netname} up ${tinc.config.tincUp} ''; @@ -192,6 +194,14 @@ with import <stockholm/lib>; ''; }; + logLevel = mkOption { + type = types.int; + description = '' + LogLevel in tinc.conf + ''; + default = 3; + }; + user = mkOption { type = types.user; default = { |