authortv <tv@krebsco.de>2018-11-27 11:47:54 +0100
committertv <tv@krebsco.de>2018-11-27 11:47:54 +0100
commitc4fabb0bc40e270f7d34a06115b121ef879fc2d1 (patch)
treed745b162ca3fed36057a1d6aa7d4b4b591d76107 /krebs
parent09144f173677ed33850e484cf46876d13bb37c9e (diff)
parenteef1d7877defd7c310dc20f62bf96c7b8f408044 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix33
-rw-r--r--krebs/3modules/buildbot/master.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/cachecache.nix171
-rw-r--r--krebs/3modules/ci.nix9
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/fetchWallpaper.nix9
-rw-r--r--krebs/3modules/makefu/default.nix13
-rw-r--r--krebs/nixpkgs.json6
9 files changed, 227 insertions, 19 deletions
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
new file mode 100644
index 000000000..056667d8c
--- /dev/null
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+ domain = "cache.nsupdate.info";
+in {
+ # This only works for a single domain for nsupdate.info as multiple usernames
+ # and passwords are required for multiple domains
+ services.ddclient = {
+ enable = true;
+ server = "ipv4.nsupdate.info";
+ username = domain;
+ password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+ domains = [ domain ];
+ use= "if, if=et0";
+ # use = "web, web=http://ipv4.nsupdate.info/myip";
+
+ };
+ krebs.cachecache = {
+ enable = true;
+ enableSSL = false; # disable letsencrypt for testing
+ cacheDir = "/var/cache/nix-cache-cache";
+ maxSize = "10g";
+
+ # assumes that the domain is reachable from the internet
+ virtualHost = domain;
+ };
+
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+ boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
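Review bot: `password = import ((toString <secrets>) + "/nsupdate-cache.nix")` pulls the nsupdate.info credential into the Nix evaluation, so it presumably ends up in the rendered ddclient configuration and, depending on how the module writes that file, in the world-readable Nix store. If the ddclient module in the pinned nixpkgs can read the password from a file at runtime, that would keep the secret out of the store; otherwise a comment such as `# NOTE: password is evaluated into the generated config; check its permissions` would at least record the exposure. Separately, `use= "if, if=et0"` names an interface `et0`, which looks like a typo and would leave the DNS record un-updated. The `networking.firewall.allowedTCPPorts = [ 80 443 ]` line also repeats what the `krebs.cachecache` module in this commit already sets when enabled.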
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 209dbe980..8995753ac 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
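Review bot: With the non-recursive `chmod 700 ${workdir}`, everything below the work directory keeps whatever mode its creating process left, so confidentiality of the buildbot state now rests on the top-level directory alone. A short comment saying so, e.g. `# only the top dir is locked down; contents keep their own modes`, would keep a later editor from reading this as an oversight. `${workdir}` is also interpolated into the shell unquoted here, while ci.nix in this commit uses `shell.escape` for a similar path, so quoting it the same way would be more consistent. Both points apply equally to the matching hunk in krebs/3modules/buildbot/slave.nix. The script body begins outside this hunk.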
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..c15169fba 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
new file mode 100644
index 000000000..989320480
--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+ cfg = config.krebs.cachecache;
+
+ nginxCfg = config.services.nginx;
+
+ cacheFallbackConfig = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+ proxy_http_version 1.1;
+
+ # Remove the Connection header if the client sends it, it could
+ # be "close" to close a keepalive connection
+ proxy_set_header Connection "";
+
+ # Needed for CloudFront.
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $proxy_host;
+ proxy_cache nix_cache_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 1m;
+
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+ '';
+ };
+
+in
+
+{
+ options = {
+ krebs.cachecache = {
+ enable = mkEnableOption "Nix binary cache cache";
+
+ virtualHost = mkOption {
+ type = types.str;
+ default = "nix-cache";
+ description = ''
+ Name of the nginx virtualhost to use and setup. If null, do
+ not setup any virtualhost.
+ '';
+ };
+ enableSSL = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ enable SSL via letsencrypt. Requires working dns resolution and open
+ internet tls port.
+ '';
+ };
+
+ # webRoot = mkOption {
+ # type = types.str;
+ # default = "/";
+ # description = ''
+ # Directory on virtual host that serves the cache. Must end in
+ # <literal>/</literal>.
+ # '';
+ # };
+
+ resolver = mkOption {
+ type = types.str;
+ description = "Address of DNS resolver.";
+ default = "8.8.8.8 ipv6=off";
+ example = "127.0.0.1 ipv6=off";
+ };
+
+ cacheDir = mkOption {
+ type = types.str;
+ default = "/var/cache/nix-cache-cache";
+ description = ''
+ Where nginx should store cached data.
+ '';
+ };
+
+ maxSize = mkOption {
+ type = types.str;
+ default = "50g";
+ description = "Maximum cache size.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+ systemd.services.nginx.preStart = ''
+ mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chown ${nginxCfg.user}:${nginxCfg.group} \
+ ${cfg.cacheDir} /srv/www/nix-cache-cache
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ appendHttpConfig = ''
+ proxy_cache_path ${cfg.cacheDir}
+ levels=1:2
+ keys_zone=nix_cache_cache:100m
+ max_size=${cfg.maxSize}
+ inactive=365d
+ use_temp_path=off;
+
+ # Cache only success status codes; in particular we don't want
+ # to cache 404s. See https://serverfault.com/a/690258/128321.
+ map $status $nix_cache_cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ '';
+
+ virtualHosts.${cfg.virtualHost} = {
+ addSSL = cfg.enableSSL;
+ enableACME = cfg.enableSSL;
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ #
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ #
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver ${cfg.resolver} valid=10s;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+
+ locations."/" =
+ {
+ root = "/srv/www/nix-cache-cache";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+
+ # Ask the upstream server if a file isn't available
+ # locally.
+ error_page 404 = @fallback;
+
+ # Don't bother logging the above 404.
+ log_not_found off;
+ '';
+ };
+
+ locations."@fallback" = cacheFallbackConfig;
+
+ # We always want to copy cache.nixos.org's nix-cache-info
+ # file, and ignore our own, because `nix-push` by default
+ # generates one without `Priority` field, and thus that file
+ # by default has priority 50 (compared to cache.nixos.org's
+ # `Priority: 40`), which will make download clients prefer
+ # `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = cacheFallbackConfig;
+ };
+ };
+ };
+}
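Review bot: The `@fallback` proxy talks to `https://cache.nixos.org` with `proxy_ssl_server_name on` but never enables `proxy_ssl_verify`, and nginx does not validate upstream certificates unless told to, so the upstream connection is encrypted but unauthenticated. The upstream name is re-resolved through the configured resolver (default `8.8.8.8`, an off-host plaintext lookup) with `valid=10s`, and cached entries are kept with `inactive=365d`, so a bad response could persist in the cache for a long time. Clients that enforce narinfo signatures are the only remaining check. Adding `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <ca-bundle-path>;` to `cacheFallbackConfig.extraConfig` would authenticate the upstream. Two smaller inconsistencies: the `virtualHost` description promises a `null` setting that `types.str` cannot express, and the comment "we don't want to cache 404s" sits beside `proxy_cache_valid 404 1m`.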
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 4cfe598d6..d8d0e7f3d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -26,8 +26,15 @@ let
hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" ''
+ set -efu
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
- nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
+ js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
+ echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
+ | while read -r host builder; do
+ gcroot=${shell.escape profileRoot}/$host-builder
+ ${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
+ done
+ echo "$js"
'';
profileRoot = "/nix/var/nix/profiles/ci";
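Review bot: In `getJobs`, `$host` comes straight from the keys of the evaluated `./ci.nix` and is pasted into `gcroot=.../$host-builder` without a check, so a key containing `/` or `..` would make `nix-env -p` create its profile link outside `profileRoot`. If the CI evaluates repositories whose contents are not fully trusted, that is worth guarding. A one-line filter before the assignment would do, such as `case $host in ''|.*|*[!A-Za-z0-9._-]*) echo "bad job name: $host" >&2; exit 1;; esac`. The pipeline also hides a `jq` failure because dash has no `pipefail`. In addition, `echo "$js"` may rewrite backslash sequences in the JSON under dash, so `printf '%s\n' "$js"` is the safer form for both uses.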
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index ca67ce65c..24cbd9cc9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,7 @@ let
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
+ ./cachecache.nix
./charybdis.nix
./ci.nix
./current.nix
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index f67188122..5a5065565 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,11 +38,6 @@ let
'';
default = {};
};
- maxTime = mkOption {
- type = types.int;
- default = 0;
- description = "Time to wait before download is aborted";
- };
};
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir}
- (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
+ feh --no-fehbg --bg-scale wallpaper
'';
imp = {
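Review bot: `feh --no-fehbg --bg-scale wallpaper` now resolves `wallpaper` relative to the working directory, so it is only correct if the preceding `cd ${cfg.stateDir}` succeeded. The start of the script is outside this hunk, so whether `set -e` covers that is not visible. Making the dependency explicit with `cd ${shell.escape cfg.stateDir} || exit 1` would also restore the escaping that the removed line applied to `cfg.stateDir`. With `--max-time` gone the `curl` call has no upper bound on transfer time, so a stalled server can hold the unit indefinitely; a fixed `--max-time` value would bound it without reintroducing the option.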
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index bea0f1c0e..188fbc461 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -624,15 +624,16 @@ in {
"blog.makefu.r"
"blog.gum.r"
"dcpp.gum.r"
+ "torrent.gum.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
- aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
- npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
- 6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
- 3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
- VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
+ MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+ BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+ i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+ 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+ u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+ OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
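Review bot: The new `tinc.pubkey` is not accompanied by any record of why the host's key changed, and whoever holds the matching private key is what peers will accept as this host from now on. A comment above the key, e.g. `# key replaced <date>: <reason>`, and an out-of-band fingerprint check with the host owner before deploying would make the rotation auditable. The host definition starts outside the hunk, so which host is affected is inferred only from the `gum.r` aliases.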
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index e013645ea..61fd085be 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
- "date": "2018-11-04T19:36:25+01:00",
- "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
+ "rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
+ "date": "2018-11-24T00:40:22-05:00",
+ "sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
"fetchSubmodules": false
}