summaryrefslogtreecommitdiffstats
path: root/makefu/2configs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-10-20 20:22:29 +0200
committertv <tv@krebsco.de>2016-10-20 20:22:29 +0200
commit9329c1e47ddda0653d7e9824a01632ce3766e8f0 (patch)
tree2bfb70737a757d0bd61ca0aa895c77d740b21e73 /makefu/2configs
parent844d347ce7cf0b7646e9ecba3fbdc0b90e608501 (diff)
parent0f2a9778315c3126794c0f1ad63710d38e7a67f7 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs')
-rw-r--r--makefu/2configs/backup.nix8
-rw-r--r--makefu/2configs/base-gui.nix1
-rw-r--r--makefu/2configs/default.nix11
-rw-r--r--makefu/2configs/elchos/stats.nix96
-rw-r--r--makefu/2configs/filepimp-share.nix33
-rw-r--r--makefu/2configs/hw/tp-x220.nix2
-rw-r--r--makefu/2configs/hw/tp-x2x0.nix4
-rw-r--r--makefu/2configs/iodined.nix3
-rw-r--r--makefu/2configs/nginx/icecult.nix28
-rw-r--r--makefu/2configs/rad1o.nix2
-rw-r--r--makefu/2configs/solr.nix24
-rw-r--r--makefu/2configs/urlwatch.nix2
12 files changed, 204 insertions, 10 deletions
diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix
index 6f79ed4f4..57fd7a64d 100644
--- a/makefu/2configs/backup.nix
+++ b/makefu/2configs/backup.nix
@@ -1,6 +1,10 @@
{ config, lib, ... }:
with config.krebs.lib;
let
+ # preparation:
+ # mkdir -p defaultBackupDir/host.name/src
+ # as root on omo:
+ # ssh-copy-id root@src
startAt = "0,6,12,18:00";
defaultBackupServer = config.krebs.hosts.omo;
defaultBackupDir = "/home/backup";
@@ -12,7 +16,7 @@ let
};
dst = {
host = defaultBackupServer;
- path = defaultBackupDir + src;
+ path = "${defaultBackupDir}/${host.name}${src}";
};
startAt = "0,6,12,18:00";
snapshots = {
@@ -25,6 +29,6 @@ let
};
in {
krebs.backup.plans = {
- wry-to-omo_var-www = defaultPull wry "/var/www";
+ wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/";
};
}
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index b039c12ca..cbc3efbac 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -82,7 +82,6 @@ in
URxvt.perl-ext: default,url-select
URxvt.keysym.M-u: perl:url-select:select_next
- #URxvt.url-select.launcher: firefox -new-tab
URxvt.url-select.launcher: chromium
URxvt.url-select.underline: true
URxvt.searchable-scrollback: CM-s
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index a7c2a983e..56a87d7af 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -21,10 +21,13 @@ with config.krebs.lib;
search-domain = "retiolum";
build = {
user = config.krebs.users.makefu;
- source = let inherit (config.krebs.build) host user; in {
+ source = let
+ inherit (config.krebs.build) host user;
+ ref = "b8ede35"; # stable @ 2016-10-19
+ in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
- { # stable @ 2016-07-20
- git = { url = https://github.com/nixos/nixpkgs; ref = "125ffff"; };
+ {
+ git = { url = https://github.com/nixos/nixpkgs; inherit ref; };
}
else
# TODO use http, once it is implemented
@@ -32,7 +35,7 @@ with config.krebs.lib;
## prepare so we do not have to wait for rsync:
## cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/125ffff -L | tar zx && mv NixOS-nixpkgs-125ffff nixpkgs
- { file = "/home/makefu/store/125ffff";};
+ { file = "/home/makefu/store/${ref}";};
secrets.file =
if getEnv "dummy_secrets" == "true"
then toString <stockholm/makefu/6tests/data/secrets>
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
new file mode 100644
index 000000000..0282b04cf
--- /dev/null
+++ b/makefu/2configs/elchos/stats.nix
@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+ sec = toString <secrets>;
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ ext-dom = "stats.nsupdate.info";
+ #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+ #ssl_key = "${sec}/wildcard.krebsco.de.key";
+ ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
+ ssl_key = "${acmepath}/${ext-dom}/key.pem";
+in {
+ networking.firewall = {
+ allowedTCPPorts = [ 2003 80 443 ];
+ allowedUDPPorts = [ 2003 ];
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "127.0.0.1";
+ extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
+ users.allowSignUp = false;
+ users.allowOrgCreate = false;
+ users.autoAssignOrg = false;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+ krebs.nginx = {
+ enable = true;
+ servers.elch-stats = {
+ server-names = [ ext-dom ];
+ listen = [ "80" "443 ssl" ];
+ ssl = {
+ enable = true;
+ # these certs will be needed if acme has not yet created certificates:
+ certificate = ssl_cert;
+ certificate_key = ssl_key;
+ force_encryption = true;
+ };
+
+ locations = [
+ (nameValuePair "/" ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:3000/;
+ '')
+ (nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${ext-dom}/;
+ '')
+ ];
+ };
+ };
+
+ security.acme.certs."${ext-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${ext-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains."${ext-dom}" = null ;
+ };
+
+ services.graphite = {
+ web = {
+ enable = true;
+ host = "127.0.0.1";
+ port = 8080;
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 500
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [elchos]
+ patterhn = ^elchos\.
+ retention = 10s:30d,60s:1y
+
+ [default]
+ pattern = .*
+ retentions = 30s:30d,300s:1y
+ '';
+ };
+ };
+}
diff --git a/makefu/2configs/filepimp-share.nix b/makefu/2configs/filepimp-share.nix
new file mode 100644
index 000000000..23fa8da08
--- /dev/null
+++ b/makefu/2configs/filepimp-share.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+ hostname = config.krebs.build.host.name;
+in {
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/var/empty";
+ };
+ services.samba = {
+ enable = true;
+ shares = {
+ media = {
+ path = "/media/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index 58390e48d..2ec531e56 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -5,7 +5,7 @@ with config.krebs.lib;
imports = [ ./tp-x2x0.nix ];
boot = {
- kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
+ kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix
index 9047cfb66..368465a8b 100644
--- a/makefu/2configs/hw/tp-x2x0.nix
+++ b/makefu/2configs/hw/tp-x2x0.nix
@@ -38,4 +38,8 @@ with config.krebs.lib;
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
+
+ powerManagement.resumeCommands = ''
+ {pkgs.rfkill}/bin/rfkill unblock all
+ '';
}
diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix
index ca489d073..b1446eab4 100644
--- a/makefu/2configs/iodined.nix
+++ b/makefu/2configs/iodined.nix
@@ -5,8 +5,9 @@ let
domain = "io.krebsco.de";
pw = import <secrets/iodinepw.nix>;
in {
+ networking.firewall.allowedUDPPorts = [ 53 ];
- services.iodined = {
+ services.iodine = {
server = {
enable = true;
domain = domain;
diff --git a/makefu/2configs/nginx/icecult.nix b/makefu/2configs/nginx/icecult.nix
new file mode 100644
index 000000000..a11f92af7
--- /dev/null
+++ b/makefu/2configs/nginx/icecult.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+
+with config.krebs.lib;
+
+let
+ icecult = pkgs.fetchFromGitHub {
+ owner = "kraiz";
+ repo = "icecult";
+ rev = "1942d43381a97f30111a48725f7532c343a6f4d7";
+ sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
+ };
+in{
+ krebs.nginx = {
+ enable = true;
+ servers.default = {
+ extraConfig = ''
+ root ${icecult}/app;
+ '';
+ locations = [
+ (nameValuePair "/rpc" ''
+ rewrite /rpc/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_pass http://10.42.22.163:3121;
+ '')
+ ];
+ };
+ };
+}
diff --git a/makefu/2configs/rad1o.nix b/makefu/2configs/rad1o.nix
index 03bb9bc7e..6eca69e0c 100644
--- a/makefu/2configs/rad1o.nix
+++ b/makefu/2configs/rad1o.nix
@@ -3,7 +3,7 @@
{
environment.systemPackages = with pkgs; [
- gnuradio-full
+ gnuradio-with-packages
gnuradio-osmosdr
gqrx
];
diff --git a/makefu/2configs/solr.nix b/makefu/2configs/solr.nix
new file mode 100644
index 000000000..cad9eabc1
--- /dev/null
+++ b/makefu/2configs/solr.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+ solrHome = "/var/db/solr";
+in {
+ imports = [ ];
+ users.users.solr = {
+ home = solrHome;
+ uid = genid "solr";
+ createHome = true;
+ group = "solr";
+ };
+ users.groups.solr.gid = genid "solr";
+
+ services.solr = {
+ enable = true;
+ inherit solrHome;
+ user = "solr";
+ group = "solr";
+ };
+}
diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix
index e0fbefa36..0d8f888fa 100644
--- a/makefu/2configs/urlwatch.nix
+++ b/makefu/2configs/urlwatch.nix
@@ -14,6 +14,8 @@
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+ https://github.com/amadvance/snapraid/releases.atom
+ https://erdgeist.org/gitweb/opentracker/commit/
];
};
}