authormakefu <github@syntax-fehler.de>2016-06-23 16:57:19 +0200
committermakefu <github@syntax-fehler.de>2016-06-23 16:57:19 +0200
commitb399ff906dc96c654d989b007c24fe7301ebd848 (patch)
tree8b4a9a5ff46c16e3d93b209e43028720f63d4a27 /makefu
parent9287a667b666a65bbabdce9394eac22843cc1d27 (diff)
ma 1 shoney: enable tinc_graphs for siem tinc
Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/shoney.nix46
1 files changed, 31 insertions, 15 deletions
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 48679fe58..1fe8871d2 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -1,5 +1,7 @@
{ config, pkgs, ... }:
let
+ tinc-siem-ip = "10.8.10.1";
+
ip = "64.137.234.215";
alt-ip = "64.137.234.210";
extra-ip = "64.137.234.114"; #currently unused
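Review bot: `tinc-siem-ip = "10.8.10.1"` duplicates an address that is presumably already declared for shoney's membership in the siem tinc network (the file reads `config.krebs.hosts.shoney` further down, and the second hunk carries a `# TODO: remove hard-coded hostname` right next to where this value is used); if that host record exposes the siem address, binding to it instead keeps the nginx listen address from drifting silently when the tinc assignment changes. At minimum a comment such as `# shoney's address inside the siem tinc network; must match the siem host file` would tell the next reader what this constant has to stay in sync with. The `let` block this line belongs to continues past the end of the hunk.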
@@ -7,32 +9,46 @@ let
in {
imports = [
../.
+ ../2configs/save-diskspace.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
-
];
- services.tinc.networks.siem.name = "sjump";
- # minimal resources
- services.nixosManual.enable = false;
- programs.man.enable = false;
- nix.gc.automatic = true;
- nix.gc.dates = "03:10";
+ services.tinc.networks.siem.name = "sjump";
krebs = {
enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
+ nginx.enable = true;
+ tinc_graphs = {
+ enable = true;
+ network = "siem";
+ hostsPath = "/etc/tinc/siem/hosts";
+ nginx = {
+ enable = true;
+ # TODO: remove hard-coded hostname
+ complete = {
+ listen = [ "${tinc-siem-ip}:80" ];
+ server-names = [ "graphs.siem" ];
+ };
+ };
+ };
};
- networking.interfaces.enp2s1.ip4 = [
- { address = ip; prefixLength = 24; }
- { address = alt-ip; prefixLength = 24; }
- ];
+ networking = {
+ interfaces.enp2s1.ip4 = [
+ { address = ip; prefixLength = 24; }
+ { address = alt-ip; prefixLength = 24; }
+ ];
- networking.defaultGateway = gw;
- networking.nameservers = [ "8.8.8.8" ];
- networking.firewall.allowedUDPPorts = [ 655 1655 ];
- networking.firewall.allowedTCPPorts = [ 655 1655 ];
+ defaultGateway = gw;
+ nameservers = [ "8.8.8.8" ];
+ firewall = {
+ trustedInterfaces = [ "tinc.siem" ];
+ allowedUDPPorts = [ 655 1655 ];
+ allowedTCPPorts = [ 655 1655 ];
+ };
+ };
}
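Review bot: `trustedInterfaces = [ "tinc.siem" ]` near the end of the hunk switches the firewall off for everything arriving over the siem mesh, not just the graphs vhost this commit binds to `${tinc-siem-ip}:80`, so every other service listening on shoney (including anything bound to 0.0.0.0) becomes reachable from any peer that can join that tinc network. Since the only new consumer is nginx on port 80, opening that single port on the interface is the least-privilege form, e.g. `firewall.extraCommands = "iptables -A nixos-fw -i tinc.siem -p tcp --dport 80 -j nixos-fw-accept";` (or the per-interface `allowedTCPPorts` option if the NixOS revision in use already has it), after which the `trustedInterfaces` line can go. Separately, the `complete` graph built from `/etc/tinc/siem/hosts` is served without any authentication to the whole mesh; that is presumably acceptable for a topology view shown to the network's own members, but it deserves a comment beside `complete` such as `# unauthenticated: every siem peer can read the full host list and link graph`.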