summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
authornin <nin@c-base.org>2018-05-02 15:13:40 +0200
committernin <nin@c-base.org>2018-05-02 15:13:40 +0200
commit689fb1a77ad53722086da922de2de533460205b3 (patch)
tree408667e6aa15e1e0fa031e99c003c3968ba1578d /lass/2configs
parent702136442c5f8c4f7f1bb911bd21d238a164218a (diff)
parent37fa7bff9339799984554b8ccbacf1f07281d6ce (diff)
Merge branch 'master' of prism:stockholm
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/backup.nix20
-rw-r--r--lass/2configs/backups.nix173
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/bitcoin.nix10
-rw-r--r--lass/2configs/browsers.nix77
-rw-r--r--lass/2configs/dcso-dev.nix1
-rw-r--r--lass/2configs/default.nix3
-rw-r--r--lass/2configs/dns-stuff.nix16
-rw-r--r--lass/2configs/exim-smarthost.nix2
-rw-r--r--lass/2configs/games.nix4
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/git.nix14
-rw-r--r--lass/2configs/go.nix19
-rw-r--r--lass/2configs/mail.nix23
-rw-r--r--lass/2configs/monitoring/client.nix26
-rw-r--r--lass/2configs/monitoring/monit-alarms.nix44
-rw-r--r--lass/2configs/monitoring/node-exporter.nix15
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix217
-rw-r--r--lass/2configs/monitoring/server.nix87
-rw-r--r--lass/2configs/network-manager.nix8
-rw-r--r--lass/2configs/privoxy.nix5
-rw-r--r--lass/2configs/reaktor-coders.nix17
-rw-r--r--lass/2configs/repo-sync.nix15
-rw-r--r--lass/2configs/security-workarounds.nix2
-rw-r--r--lass/2configs/syncthing.nix1
-rw-r--r--lass/2configs/virtualbox.nix2
-rw-r--r--lass/2configs/websites/domsen.nix2
-rw-r--r--lass/2configs/websites/fritz.nix3
-rw-r--r--lass/2configs/websites/lassulus.nix56
-rw-r--r--lass/2configs/websites/util.nix59
-rw-r--r--lass/2configs/zsh.nix4
31 files changed, 437 insertions, 491 deletions
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
new file mode 100644
index 000000000..27adf6d2a
--- /dev/null
+++ b/lass/2configs/backup.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+with import <stockholm/lib>;
+
+{
+ fileSystems = {
+ "/backups" = {
+ device = "/dev/pool/backup";
+ fsType = "ext4";
+ };
+ };
+ users.users.backup = {
+ useDefaultShell = true;
+ home = "/backups";
+ createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.hosts; [
+ mors.ssh.pubkey
+ prism.ssh.pubkey
+ ];
+ };
+}
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
deleted file mode 100644
index c4fb85420..000000000
--- a/lass/2configs/backups.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, lib, ... }:
-with import <stockholm/lib>;
-{
-
- # TODO add timerConfig to krebs.backup and randomize startup
- # TODO define plans more abstract
- krebs.backup.plans = {
- } // mapAttrs (_: recursiveUpdate {
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
- }) {
- dishfire-http-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
- startAt = "03:00";
- };
- dishfire-http-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-http-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
- startAt = "03:05";
- };
- dishfire-http-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-sql-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
- startAt = "03:15";
- };
- dishfire-sql-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- dishfire-sql-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
- startAt = "03:20";
- };
- dishfire-sql-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- prism-bitlbee-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-bitlbee-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-bitlbee-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-chat-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
- startAt = "03:35";
- };
- prism-chat-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
- startAt = "03:30";
- };
- prism-chat-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
- startAt = "03:35";
- };
- prism-sql-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
- startAt = "03:45";
- };
- prism-sql-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
- startAt = "03:40";
- };
- prism-sql-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
- startAt = "03:45";
- };
- prism-http-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
- startAt = "03:55";
- };
- prism-http-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
- startAt = "03:50";
- };
- prism-http-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
- startAt = "03:55";
- };
- icarus-home-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.icarus; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
- startAt = "05:00";
- };
- icarus-home-shodan = {
- method = "push";
- src = { host = config.krebs.hosts.icarus; path = "/home"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
- startAt = "05:00";
- };
- mors-home-icarus = {
- method = "push";
- src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
- startAt = "05:00";
- };
- mors-home-shodan = {
- method = "push";
- src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
- startAt = "05:00";
- };
- shodan-home-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.shodan; path = "/home"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
- startAt = "04:00";
- };
- shodan-home-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.shodan; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
- startAt = "04:00";
- };
- };
-}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index ed179ded6..e2e44b6fc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./livestream.nix
- ./dns-stuff.nix
./urxvt.nix
./network-manager.nix
{
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
index a405addfc..9f6fd3bf0 100644
--- a/lass/2configs/bitcoin.nix
+++ b/lass/2configs/bitcoin.nix
@@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [
pkgs.electrum
];
- krebs.per-user.ethereum.packages = [
- pkgs.go-ethereum
- ];
users.extraUsers = {
bch = {
name = "bch";
@@ -28,13 +25,6 @@ in {
useDefaultShell = true;
createHome = true;
};
- ethereum = {
- name = "ethereum";
- description = "user for ethereum stuff";
- home = "/home/ethereum";
- useDefaultShell = true;
- createHome = true;
- };
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index cbbd54b6b..3030d8faf 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -21,59 +21,37 @@ let
$BIN "$@"
'';
- createChromiumUser = name: extraGroups: precedence:
- let
- bin = pkgs.writeScriptBin name ''
- /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
- '';
- in {
- users.extraUsers.${name} = {
- inherit name;
- inherit extraGroups;
- home = "/home/${name}";
- uid = genid name;
- useDefaultShell = true;
- createHome = true;
- };
- lass.browser.paths.${name} = {
- path = bin;
- inherit precedence;
+ createUser = script: name: groups: precedence: dpi:
+ {
+ lass.xjail.${name} = {
+ inherit script groups dpi;
};
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
- '';
environment.systemPackages = [
- bin
+ config.lass.xjail-bins.${name}
+ (pkgs.writeDashBin "cx-${name}" ''
+ DISPLAY=:${toString (genid_signed name)} ${pkgs.xclip}/bin/xclip -o | DISPLAY=:0 ${pkgs.xclip}/bin/xclip
+ '')
];
- };
-
- createFirefoxUser = name: extraGroups: precedence:
- let
- bin = pkgs.writeScriptBin name ''
- /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
- '';
- in {
- users.extraUsers.${name} = {
- inherit name;
- inherit extraGroups;
- home = "/home/${name}";
- uid = genid name;
- useDefaultShell = true;
- createHome = true;
- };
lass.browser.paths.${name} = {
- path = bin;
+ path = config.lass.xjail-bins.${name};
inherit precedence;
};
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
- '';
- environment.systemPackages = [
- bin
- ];
};
- #TODO: abstract this
+ createChromiumUser = name: groups: precedence:
+ createUser (pkgs.writeDash name ''
+ ${pkgs.chromium}/bin/chromium "$@"
+ '') name groups precedence 80;
+
+ createFirefoxUser = name: groups: precedence:
+ createUser (pkgs.writeDash name ''
+ ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@"
+ '') name groups precedence 80;
+
+ createQuteUser = name: groups: precedence:
+ createUser (pkgs.writeDash name ''
+ ${pkgs.qutebrowser}/bin/qutebrowser "$@"
+ '') name groups precedence 60;
in {
@@ -110,12 +88,13 @@ in {
}));
};
}
+ ( createQuteUser "qb" [ "audio" ] 20 )
( createFirefoxUser "ff" [ "audio" ] 10 )
- ( createChromiumUser "cr" [ "video" "audio" ] 9 )
+ ( createChromiumUser "cr" [ "audio" ] 9 )
( createChromiumUser "gm" [ "video" "audio" ] 8 )
- ( createChromiumUser "wk" [ "video" "audio" ] 0 )
- ( createChromiumUser "fb" [ "video" "audio" ] 0 )
- ( createChromiumUser "com" [ "video" "audio" ] 0 )
+ ( createChromiumUser "wk" [ "audio" ] 0 )
+ ( createChromiumUser "fb" [ "audio" ] 0 )
+ ( createChromiumUser "com" [ "audio" ] 0 )
( createChromiumUser "fin" [] (-1) )
];
}
diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix
index ae1c7bc8d..b985b67b3 100644
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@@ -9,6 +9,7 @@ in {
dev = {
name = "dev";
uid = genid "dev";
+ extraGroups = [ "docker" ];
description = "user for collaborative development";
home = "/home/dev";
useDefaultShell = true;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 5a5f1b347..12a814605 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -6,10 +6,9 @@ with import <stockholm/lib>;
./gc.nix
./mc.nix
./vim.nix
- ./monitoring/client.nix
+ ./monitoring/node-exporter.nix
./zsh.nix
./htop.nix
- ./backups.nix
./security-workarounds.nix
{
users.extraUsers =
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
deleted file mode 100644
index cbcce8df9..000000000
--- a/lass/2configs/dns-stuff.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- services.dnscrypt-proxy = {
- enable = true;
- localAddress = "127.1.0.1";
- customResolver = {
- address = config.krebs.hosts.gum.nets.internet.ip4.addr;
- port = 15251;
- name = "2.dnscrypt-cert.euer.krebsco.de";
- key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
- };
- };
- services.resolved.enable = true;
- services.resolved.fallbackDns = [ "127.1.0.1" ];
-}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index ae652722a..e05ed2427 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -78,6 +78,8 @@ with import <stockholm/lib>;
{ from = "github@lassul.us"; to = lass.mail; }
{ from = "ovh@lassul.us"; to = lass.mail; }
{ from = "hetzner@lassul.us"; to = lass.mail; }
+ { from = "allygator@lassul.us"; to = lass.mail; }
+ { from = "immoscout@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 50362cda4..3ee3a98a5 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -3,7 +3,7 @@
let
mainUser = config.users.extraUsers.mainUser;
vdoom = pkgs.writeDash "vdoom" ''
- ${pkgs.zandronum-bin}/bin/zandronum \
+ ${pkgs.zandronum}/bin/zandronum \
-fov 120 \
"$@"
'';
@@ -50,7 +50,7 @@ let
vdoomserver = pkgs.writeDashBin "vdoomserver" ''
DOOM_DIR=''${DOOM_DIR:-~/doom/}
- ${pkgs.zandronum-bin}/bin/zandronum-server \
+ ${pkgs.zandronum}/bin/zandronum-server \
+exec ${doomservercfg} \
"$@"
'';
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index ad015180a..c5073e384 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
- automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
+ automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer);
};
}
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 1fe87c666..43085ba5e 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -57,6 +57,16 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software";
};
+ nixos-aws = {
+ collaborators = [ {
+ name = "fabio";
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
+ } ];
+ };
+ krops = {
+ cgit.desc = "krebs deployment";
+ cgit.section = "software";
+ };
} // mapAttrs make-public-repo-silent {
};
@@ -70,8 +80,8 @@ let
import <secrets/repos.nix> { inherit config lib pkgs; }
);
- make-public-repo = name: { cgit ? {}, ... }: {
- inherit cgit name;
+ make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: {
+ inherit cgit collaborators name;
public = true;
hooks = {
post-receive = pkgs.git-hooks.irc-announce {
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
new file mode 100644
index 000000000..ecf89b298
--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.go = {
+ enable = true;
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go.lassul.us;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
+ "go.lassul.us"
+ ];
+ };
+ };
+}
+
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 03d39ef75..2bb51b50a 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -8,6 +8,16 @@ let
logfile ~/.msmtp.log
account prism
host prism.r
+ account c-base
+ from lassulus@c-base.org
+ host c-mail.c-base.org
+ port 465
+ tls on
+ tls_starttls off
+ tls_fingerprint 8C:10:A6:AB:1F:82:C4:8F:B1:B4:22:D5:8B:8B:49:9B:59:0B:22:A4
+ auth on
+ user lassulus
+ passwordeval pass show c-base/pass
account default: prism
'';
@@ -36,9 +46,11 @@ let
];
dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ];
+ eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
+ lugs = [ "to:lugs@lug-s.org" ];
nix-devel = [ "to:nix-devel@googlegroups.com" ];
patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ];
@@ -63,9 +75,9 @@ let
muttrc = pkgs.writeText "muttrc" ''
# gpg
- source ${pkgs.neomutt}/share/doc/mutt/samples/gpg.rc
+ source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc
set pgp_use_gpg_agent = yes
- set pgp_sign_as = 0x976A7E4D
+ set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D
set crypt_autosign = yes
set crypt_replyencrypt = yes
set crypt_verify_sig = yes
@@ -183,7 +195,7 @@ let
name = "mutt";
paths = [
(pkgs.writeDashBin "mutt" ''
- exec ${pkgs.neomutt}/bin/mutt -F ${muttrc} $@
+ exec ${pkgs.neomutt}/bin/neomutt -F ${muttrc} $@
'')
pkgs.neomutt
];
@@ -194,8 +206,11 @@ in {
msmtp
mutt
pkgs.much
- pkgs.notmuch
tag-new-mails
tag-old-mails
];
+
+ nixpkgs.config.packageOverrides = opkgs: {
+ notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
+ };
}
diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix
deleted file mode 100644
index b8c245215..000000000
--- a/lass/2configs/monitoring/client.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{pkgs, config, ...}:
-with import <stockholm/lib>;
-{
- services.telegraf = {
- enable = true;
-
- extraConfig = {
- agent.interval = "1s";
- outputs = {
- influxdb = {
- urls = ["http://prism:8086"];
- database = "telegraf_db";
- user_agent = "telegraf";
- };
- };
- inputs = {
- cpu = {
- percpu = false;
- totalcpu = true;
- };
- mem = {};
- net = {};
- };
- };
- };
-}
diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix
deleted file mode 100644
index 2cfc292e5..000000000
--- a/lass/2configs/monitoring/monit-alarms.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{pkgs, config, ...}:
-with import <stockholm/lib>;
-let
- echoToIrc = msg:
- pkgs.writeDash "echo_irc" ''
- set -euf
- export LOGNAME=prism-alarm
- ${pkgs.irc-announce}/bin/irc-announce \
- irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
- '';
-
-in {
- krebs.monit = {
- enable = true;
- http.enable = true;
- alarms = {
- nirwanabluete = {
- test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
- alarm = echoToIrc "test nirwanabluete failed";
- };
- ubik = {
- test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
- alarm = echoToIrc "test ubik failed";
- };
- cac-panel = {
- test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
- alarm = echoToIrc "test cac-panel failed";
- };
- radio = {
- test = pkgs.writeBash "check_stream" ''
- ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
- | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
- | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
- '';
- alarm = echoToIrc "test radio failed";
- };
- };
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
- ];
-}
-
diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix
new file mode 100644
index 000000000..561e3a25c
--- /dev/null
+++ b/lass/2configs/monitoring/node-exporter.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
+ { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
+ ];
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [
+ "systemd"
+ ];
+ };
+ };
+}
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
new file mode 100644
index 000000000..1f9419e1a
--- /dev/null
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -0,0 +1,217 @@
+{ pkgs, lib, config, ... }:
+{
+ #networking = {
+ # firewall.allowedTCPPorts = [
+ # 3000 # grafana
+ # 9090 # prometheus
+ # 9093 # alertmanager
+ # ];
+ # useDHCP = true;
+ #};
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
+ ];
+
+ services = {
+ prometheus = {
+ enable = true;
+ extraFlags = [
+ "-storage.local.retention 8760h"
+ "-storage.local.series-file-shrink-ratio 0.3"
+ "-storage.local.memory-chunks 2097152"
+ "-storage.local.max-chunks-to-persist 1048576"
+ "-storage.local.index-cache-size.fingerprint-to-metric 2097152"
+ "-storage.local.index-cache-size.fingerprint-to-timerange 1048576"
+ "-storage.local.index-cache-size.label-name-to-label-values 2097152"
+ "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040"
+ ];
+ alertmanagerURL = [ "http://localhost:9093" ];
+ rules = [
+ ''
+ ALERT node_down
+ IF up == 0
+ FOR 5m
+ LABELS {
+ severity="page"
+ }
+ ANNOTATIONS {
+ summary = "{{$labels.alias}}: Node is down.",
+ description = "{{$labels.alias}} has been down for more than 5 minutes."
+ }
+ ALERT node_systemd_service_failed
+ IF node_systemd_unit_state{state="failed"} == 1
+ FOR 4m
+ LABELS {
+ severity="page"
+ }
+ ANNOTATIONS {
+ summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
+ description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
+ }
+ ALERT node_filesystem_full_90percent
+ IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
+ FOR 5m
+ LABELS {
+ severity="page"
+ }
+ ANNOTATIONS {
+ summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
+ description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
+ }
+ ALERT node_filesystem_full_in_4h
+ IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
+ FOR 5m
+ LABELS {
+ severity="page"
+ }
+ ANNOTATIONS {
+ summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
+ description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
+ }
+ ALERT node_filedescriptors_full_in_3h
+ IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
+ FOR 20m
+ LABELS {
+ severity="page"
+ }