summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2017-07-14 00:17:58 +0200
committertv <tv@krebsco.de>2017-07-14 00:21:02 +0200
commit58380c82848c3db0bd6c3d74904153f3464c2098 (patch)
treedcefa424c037ef13edba18967143b3290dc739cb /krebs
parentc213968c44befe32f115ec0122accebdabd89582 (diff)
merge shared into krebs
Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/test-all-krebs-modules/config.nix55
-rw-r--r--krebs/1systems/test-all-krebs-modules/source.nix3
-rw-r--r--krebs/1systems/test-arch/config.nix33
-rw-r--r--krebs/1systems/test-arch/source.nix3
-rw-r--r--krebs/1systems/test-centos6/config.nix31
-rw-r--r--krebs/1systems/test-centos6/source.nix3
-rw-r--r--krebs/1systems/test-centos7/config.nix17
-rw-r--r--krebs/1systems/test-centos7/source.nix3
-rw-r--r--krebs/1systems/test-failing/config.nix10
-rw-r--r--krebs/1systems/test-failing/source.nix3
-rw-r--r--krebs/1systems/test-minimal-deploy/config.nix17
-rw-r--r--krebs/1systems/test-minimal-deploy/source.nix3
-rw-r--r--krebs/1systems/wolf/config.nix108
-rw-r--r--krebs/1systems/wolf/source.nix3
-rw-r--r--krebs/2configs/central-stats-client.nix68
-rw-r--r--krebs/2configs/cgit-mirror.nix45
-rw-r--r--krebs/2configs/collectd-base.nix41
-rw-r--r--krebs/2configs/default.nix51
-rw-r--r--krebs/2configs/graphite.nix93
-rw-r--r--krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix47
-rw-r--r--krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix47
-rw-r--r--krebs/2configs/repo-sync.nix31
-rw-r--r--krebs/2configs/save-diskspace.nix11
-rw-r--r--krebs/2configs/shack/bincache.nix6
-rw-r--r--krebs/2configs/shack/drivedroid.nix49
-rw-r--r--krebs/2configs/shack/mqtt_sub.nix34
-rw-r--r--krebs/2configs/shack/muell_caller.nix41
-rw-r--r--krebs/2configs/shack/nix-cacher.nix31
-rw-r--r--krebs/2configs/shack/radioactive.nix35
-rw-r--r--krebs/2configs/shack/share.nix38
-rw-r--r--krebs/2configs/shack/worlddomination.nix67
-rw-r--r--krebs/2configs/shared-buildbot.nix178
-rw-r--r--krebs/2configs/temp/dirs.nix1
-rw-r--r--krebs/2configs/temp/networking.nix1
-rw-r--r--krebs/3modules/default.nix2
-rw-r--r--krebs/3modules/krebs/default.nix (renamed from krebs/3modules/shared/default.nix)8
-rwxr-xr-xkrebs/5pkgs/test/infest-cac-centos7/notes8
-rw-r--r--krebs/6tests/data/secrets/grafana_security.nix1
-rw-r--r--krebs/6tests/data/secrets/retiolum.rsa_key.priv0
-rw-r--r--krebs/6tests/data/secrets/ssh.id_ed255190
-rw-r--r--krebs/source.nix19
41 files changed, 1236 insertions, 9 deletions
diff --git a/krebs/1systems/test-all-krebs-modules/config.nix b/krebs/1systems/test-all-krebs-modules/config.nix
new file mode 100644
index 000000000..c0c14b71f
--- /dev/null
+++ b/krebs/1systems/test-all-krebs-modules/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+let
+ en = { enable = true;};
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ Reaktor.test = {};
+ apt-cacher-ng.enable = true;
+ backup.enable = true;
+ bepasty.enable = true;
+ # FIXME fast-tests / instantiate-test-all-modules fails at wolfbot
+ # http://wolf:8010/builders/fast-tests/builds/442
+ #buildbot.master.enable = true;
+ buildbot.worker = {
+ enable = true;
+ username = "lol";
+ password = "wut";
+ };
+ # XXX exim-retiolum and exim-smarthost are mutually exclusive
+ #exim-retiolum = {
+ # enable = true;
+ # primary_hostname = "test.r";
+ #};
+ exim-smarthost = {
+ enable = true;
+ primary_hostname = "test.r";
+ system-aliases = [ { from = "dick"; to = "butt"; } ];
+ };
+ go.enable = true;
+ iptables = {
+ enable = true;
+ tables = {};
+ };
+ realwallpaper.enable = true;
+ tinc.retiolum.enable = true;
+ retiolum-bootstrap.enable = true;
+ tinc_graphs.enable = true;
+ urlwatch.enable = true;
+ fetchWallpaper = {
+ enable = true;
+ url ="localhost";
+ };
+ };
+ # just get the system running
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
diff --git a/krebs/1systems/test-all-krebs-modules/source.nix b/krebs/1systems/test-all-krebs-modules/source.nix
new file mode 100644
index 000000000..66fdaa773
--- /dev/null
+++ b/krebs/1systems/test-all-krebs-modules/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-all-krebs-modules";
+}
diff --git a/krebs/1systems/test-arch/config.nix b/krebs/1systems/test-arch/config.nix
new file mode 100644
index 000000000..b5a4234e7
--- /dev/null
+++ b/krebs/1systems/test-arch/config.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ {
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ };
+ }
+ {
+ networking.dhcpcd.allowInterfaces = [
+ "enp*"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-arch;
+}
diff --git a/krebs/1systems/test-arch/source.nix b/krebs/1systems/test-arch/source.nix
new file mode 100644
index 000000000..bff9d4325
--- /dev/null
+++ b/krebs/1systems/test-arch/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-arch";
+}
diff --git a/krebs/1systems/test-centos6/config.nix b/krebs/1systems/test-centos6/config.nix
new file mode 100644
index 000000000..968f8b8f0
--- /dev/null
+++ b/krebs/1systems/test-centos6/config.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+ ip = "168.235.148.52";
+ gw = "168.235.148.1";
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix>
+ {
+ networking.interfaces.enp11s0.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = gw;
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-centos6;
+}
diff --git a/krebs/1systems/test-centos6/source.nix b/krebs/1systems/test-centos6/source.nix
new file mode 100644
index 000000000..3693bbb29
--- /dev/null
+++ b/krebs/1systems/test-centos6/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-centos6";
+}
diff --git a/krebs/1systems/test-centos7/config.nix b/krebs/1systems/test-centos7/config.nix
new file mode 100644
index 000000000..732bc4f17
--- /dev/null
+++ b/krebs/1systems/test-centos7/config.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
+ <stockholm/krebs/2configs/temp/networking.nix>
+ <stockholm/krebs/2configs/temp/dirs.nix>
+ ];
+
+ sound.enable = false;
+ krebs.build.host = config.krebs.hosts.test-centos7;
+}
diff --git a/krebs/1systems/test-centos7/source.nix b/krebs/1systems/test-centos7/source.nix
new file mode 100644
index 000000000..44230f08d
--- /dev/null
+++ b/krebs/1systems/test-centos7/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-centos7";
+}
diff --git a/krebs/1systems/test-failing/config.nix b/krebs/1systems/test-failing/config.nix
new file mode 100644
index 000000000..0dc8e6bf8
--- /dev/null
+++ b/krebs/1systems/test-failing/config.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ programs.ssh.startAgent = true;
+ programs.ssh.startAgent = false;
+}
diff --git a/krebs/1systems/test-failing/source.nix b/krebs/1systems/test-failing/source.nix
new file mode 100644
index 000000000..60b77a0a0
--- /dev/null
+++ b/krebs/1systems/test-failing/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-failing";
+}
diff --git a/krebs/1systems/test-minimal-deploy/config.nix b/krebs/1systems/test-minimal-deploy/config.nix
new file mode 100644
index 000000000..9974b4f7c
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/config.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ };
+ # just get the system to eval in nixos without errors
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
diff --git a/krebs/1systems/test-minimal-deploy/source.nix b/krebs/1systems/test-minimal-deploy/source.nix
new file mode 100644
index 000000000..032ab12bb
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-minimal-deploy";
+}
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
new file mode 100644
index 000000000..b8cc1b4a1
--- /dev/null
+++ b/krebs/1systems/wolf/config.nix
@@ -0,0 +1,108 @@
+{ config, pkgs, ... }:
+let
+ shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
+in
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ <stockholm/krebs/2configs/collectd-base.nix>
+ <stockholm/krebs/2configs/central-stats-client.nix>
+ <stockholm/krebs/2configs/save-diskspace.nix>
+
+ <stockholm/krebs/2configs/cgit-mirror.nix>
+ <stockholm/krebs/2configs/graphite.nix>
+ <stockholm/krebs/2configs/repo-sync.nix>
+ <stockholm/krebs/2configs/shared-buildbot.nix>
+
+ <stockholm/krebs/2configs/shack/worlddomination.nix>
+ <stockholm/krebs/2configs/shack/drivedroid.nix>
+ # <stockholm/krebs/2configs/shack/nix-cacher.nix>
+ <stockholm/krebs/2configs/shack/mqtt_sub.nix>
+ <stockholm/krebs/2configs/shack/muell_caller.nix>
+ <stockholm/krebs/2configs/shack/radioactive.nix>
+ <stockholm/krebs/2configs/shack/share.nix>
+
+ ];
+ # use your own binary cache, fallback use cache.nixos.org (which is used by
+ # apt-cacher-ng in first place)
+
+ services.influxdb.enable = true;
+
+ # local discovery in shackspace
+ nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+ krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
+ services.grafana = {
+ enable = true;
+ addr = "0.0.0.0";
+ users.allowSignUp = true;
+ users.allowOrgCreate = true;
+ users.autoAssignOrg = true;
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>;
+ };
+
+ nix = {
+ # use the up to date prism cache
+ binaryCaches = [
+ "http://cache.prism.r"
+ "https://cache.nixos.org/"
+ ];
+ binaryCachePublicKeys = [
+ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
+ ];
+ };
+
+ networking = {
+ firewall.enable = false;
+ firewall.allowedTCPPorts = [ 8088 8086 8083 ];
+ interfaces.enp0s3.ip4 = [{
+ address = shack-ip;
+ prefixLength = 20;
+ }];
+
+ defaultGateway = "10.42.0.1";
+ nameservers = [ "10.42.0.100" "10.42.0.200" ];
+ };
+
+ #####################
+ # uninteresting stuff
+ #####################
+ krebs.build.host = config.krebs.hosts.wolf;
+
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"
+ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+
+ fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
+
+ swapDevices = [
+ { device = "/dev/disk/by-label/swap"; }
+ ];
+ # fallout of ipv6calypse
+ networking.extraHosts = ''
+ hass.shack 10.42.2.191
+ heidi.shack 10.42.2.135
+ '';
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.ulrich.pubkey
+ ];
+
+ time.timeZone = "Europe/Berlin";
+ sound.enable = false;
+}
diff --git a/krebs/1systems/wolf/source.nix b/krebs/1systems/wolf/source.nix
new file mode 100644
index 000000000..c292bfa62
--- /dev/null
+++ b/krebs/1systems/wolf/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "wolf";
+}
diff --git a/krebs/2configs/central-stats-client.nix b/krebs/2configs/central-stats-client.nix
new file mode 100644
index 000000000..0412eba9a
--- /dev/null
+++ b/krebs/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "stats.makefu.r" "25826"
+ </Plugin>
+
+ LoadPlugin curl
+ <Plugin curl>
+ <Page "smarthome">
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+ </Page>
+ </Plugin>
+ '';
+ };
+}
diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix
new file mode 100644
index 000000000..c2326a5cc
--- /dev/null
+++ b/krebs/2configs/cgit-mirror.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ rules = with git; singleton {
+ user = [ wolf-repo-sync ];
+ repo = [ stockholm-mirror ];
+ perm = push ''refs/*'' [ non-fast-forward create delete merge ];
+ };
+
+ stockholm-mirror = {
+ public = true;
+ name = "stockholm-mirror";
+ cgit.desc = "mirror for all stockholm branches";
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ nick = config.networking.hostName;
+ verbose = false;
+ channel = "#retiolum";
+ server = "ni.r";
+ };
+ };
+ };
+
+ wolf-repo-sync = {
+ name = "wolf-repo-sync";
+ mail = "spam@krebsco.de";
+ # TODO put git-sync pubkey somewhere more appropriate
+ pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf'';
+ };
+
+in {
+ krebs.users.wolf-repo-sync = wolf-repo-sync;
+ krebs.git = {
+ enable = true;
+ cgit = {
+ settings = {
+ root-title = "Shared Repos";
+ root-desc = "keep on krebsing";
+ };
+ };
+ inherit rules;
+ repos.stockholm-mirror = stockholm-mirror;
+ };
+}
diff --git a/krebs/2configs/collectd-base.nix b/krebs/2configs/collectd-base.nix
new file mode 100644
index 000000000..440f83fce
--- /dev/null
+++ b/krebs/2configs/collectd-base.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: krebs.collectd.plugins
+with import <stockholm/lib>;
+let
+ connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" ''
+ LoadPlugin python
+ <Plugin python>
+ ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
+ Import "collectd_connect_time"
+ <Module collectd_connect_time>
+ target "localhost:22" "google.com" "google.de" "gum.r:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de"
+ interval 10
+ </Module>
+ </Plugin>
+ '';
+ graphite-cfg = pkgs.writeText "collectd-graphite.conf" ''
+ LoadPlugin write_graphite
+ <Plugin "write_graphite">
+ <Carbon>
+ Host "heidi.shack"
+ Port "2003"
+ Prefix "retiolum."
+ EscapeCharacter "_"
+ StoreRates false
+ AlwaysAppendDS false
+ </Carbon>
+ </Plugin>
+ '';
+in {
+ imports = [ ];
+
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ collectd = pkgs.collectd.override { python= pkgs.python; };
+ };
+ services.collectd = {
+ enable = true;
+ include = [ (toString connect-time-cfg) (toString graphite-cfg) ];
+ };
+
+}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
new file mode 100644
index 000000000..53ad56d65
--- /dev/null
+++ b/krebs/2configs/default.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ krebs.enable = true;
+ krebs.tinc.retiolum.enable = true;
+
+ krebs.build.user = mkDefault config.krebs.users.krebs;
+
+ networking.hostName = config.krebs.build.host.name;
+
+ nix.maxJobs = 1;
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+ nix.useSandbox = true;
+
+ environment.systemPackages = with pkgs; [
+ git
+ rxvt_unicode.terminfo
+ ];
+
+ programs.ssh.startAgent = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ services.cron.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+
+ users.mutableUsers = false;
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ # TODO
+ config.krebs.users.lass.pubkey
+ config.krebs.users.makefu.pubkey
+ # TODO HARDER:
+ config.krebs.users.makefu-omo.pubkey
+ config.krebs.users.tv.pubkey
+ ];
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+}
diff --git a/krebs/2configs/graphite.nix b/krebs/2configs/graphite.nix
new file mode 100644
index 000000000..64222e43a
--- /dev/null
+++ b/krebs/2configs/graphite.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+
+# TODO: krebs.graphite.minimal.enable
+# TODO: configure firewall
+with import <stockholm/lib>;
+{
+ imports = [ ];
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "0.0.0.0";
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 50
+ MAX_UPDATES_PER_SECOND_ONSHUTDOWN = 9001
+
+ LOG_CACHE_HITS = False
+ LOG_CACHE_QUEUE_SORTS = False
+ LOG_UPDATES = False
+ LOG_LISTENER_CONNECTIONS = False
+ LOG_CREATES = True
+ '';
+ storageAggregation = ''
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+
+ [radiation_sensor]
+ pattern = ^sensors\.radiation\.
+ retentions = 1m:30d,5m:180d,10m:3y
+
+ [motion_sensors]
+ pattern = ^sensors\.motion\.
+ retentions = 1s:1h,60s:30d,300s:1y
+
+ [motion_sensors]
+ pattern = ^retiolum\.
+ retentions = 10s:1h,30s:30d,300s:1y
+
+ [homeassistant]
+ pattern = ^homeassistant\.
+ retentions = 10s:24h,30s:30d,300s:1y,3600s:5y
+
+ [ara]
+ pattern = ^ara\.
+ retentions = 60s:30d,300s:1y
+
+ [openweathermap]
+ pattern = ^weather\.openweathermap
+ retentions = 30m:30d,1h:5y
+
+ [stadtklima]
+ pattern = ^weather\.stadtklima-stuttgart
+ retentions = 15m:30d,30m:5y
+
+ [sensebox]
+ pattern = ^weather\.sensebox
+ retentions = 1m:90d,30m:5y
+
+ [elchos]
+ pattern = ^elchos\.
+ retentions = 10s:14d,1m:90d,10m:5y
+
+ [icinga_default]
+ pattern = ^icinga
+ retentions = 10s:14d,5m:90d,10m:5y
+
+ [icinga_internals]
+ pattern = ^icinga.*\.(max_check_attempts|reachable|current_attempt|execution_time|latency|state|state_type)
+ retentions = 5m:7d
+
+ [default]
+ pattern = .*
+ retentions = 60s:30d,300s:1y
+ '';
+ };
+ };
+ systemd.services.carbonCache.serviceConfig.Restart="always";
+ systemd.services.graphiteApi.serviceConfig.Restart="always";
+}
diff --git a/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
new file mode 100644
index 000000000..b5ec722a0
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/VolGroup/lv_root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/VolGroup/lv_swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
new file mode 100644
index 000000000..168d1d97b
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.ava