Merge remote-tracking branch 'prism/master'

author: tv <tv@krebsco.de> 2016-10-20 20:22:29 +0200
committer: tv <tv@krebsco.de> 2016-10-20 20:22:29 +0200
commit: 9329c1e47ddda0653d7e9824a01632ce3766e8f0 (patch)
tree: 2bfb70737a757d0bd61ca0aa895c77d740b21e73 /makefu/2configs
parent: 844d347ce7cf0b7646e9ecba3fbdc0b90e608501 (diff)
parent: 0f2a9778315c3126794c0f1ad63710d38e7a67f7 (diff)
12 files changed, 204 insertions, 10 deletions
diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix
index 6f79ed4f..57fd7a64 100644
--- a/makefu/2configs/backup.nix
+++ b/makefu/2configs/backup.nix
@@ -1,6 +1,10 @@
 { config, lib, ... }:
 with config.krebs.lib;
 let
+  # preparation:
+  # mkdir -p defaultBackupDir/host.name/src
+  # as root on omo:
+  #   ssh-copy-id root@src
   startAt = "0,6,12,18:00";
   defaultBackupServer = config.krebs.hosts.omo;
   defaultBackupDir = "/home/backup";
@@ -12,7 +16,7 @@ let
     };
     dst = {
       host = defaultBackupServer;
-      path = defaultBackupDir + src;
+      path = "${defaultBackupDir}/${host.name}${src}";
     };
     startAt = "0,6,12,18:00";
     snapshots = {
@@ -25,6 +29,6 @@ let
   };
 in {
   krebs.backup.plans = {
-    wry-to-omo_var-www = defaultPull wry "/var/www";
+    wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/";
   };
 }
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index b039c12c..cbc3efba 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -82,7 +82,6 @@ in
 
       URxvt.perl-ext:      default,url-select
       URxvt.keysym.M-u:    perl:url-select:select_next
-      #URxvt.url-select.launcher:   firefox -new-tab
       URxvt.url-select.launcher:   chromium
       URxvt.url-select.underline: true
       URxvt.searchable-scrollback: CM-s
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index a7c2a983..56a87d7a 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -21,10 +21,13 @@ with config.krebs.lib;
     search-domain = "retiolum";
     build = {
       user = config.krebs.users.makefu;
-      source = let inherit (config.krebs.build) host user; in {
+      source = let
+          inherit (config.krebs.build) host user;
+          ref = "b8ede35"; # stable @ 2016-10-19
+      in {
         nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
-          { # stable @ 2016-07-20
-            git = { url = https://github.com/nixos/nixpkgs; ref = "125ffff"; };
+          {
+            git = { url = https://github.com/nixos/nixpkgs; inherit ref; };
           }
             else
             # TODO use http, once it is implemented
@@ -32,7 +35,7 @@ with config.krebs.lib;
 
             ## prepare so we do not have to wait for rsync:
             ## cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/125ffff  -L | tar zx  && mv NixOS-nixpkgs-125ffff nixpkgs
-            { file = "/home/makefu/store/125ffff";};
+            { file = "/home/makefu/store/${ref}";};
         secrets.file =
           if getEnv "dummy_secrets" == "true"
             then toString <stockholm/makefu/6tests/data/secrets>
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
new file mode 100644
index 00000000..0282b04c
--- /dev/null
+++ b/makefu/2configs/elchos/stats.nix
@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+  sec = toString <secrets>;
+  acmepath = "/var/lib/acme/";
+  acmechall = acmepath + "/challenges/";
+  ext-dom = "stats.nsupdate.info";
+  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
+  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
+  ssl_key = "${acmepath}/${ext-dom}/key.pem";
+in {
+  networking.firewall = {
+    allowedTCPPorts = [ 2003 80 443 ];
+    allowedUDPPorts = [ 2003 ];
+  };
+
+  services.grafana = {
+    enable = true;
+    addr = "127.0.0.1";
+    extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
+    users.allowSignUp = false;
+    users.allowOrgCreate = false;
+    users.autoAssignOrg = false;
+    security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+  };
+  krebs.nginx = {
+    enable = true;
+    servers.elch-stats = {
+      server-names = [ ext-dom ];
+      listen = [ "80" "443 ssl" ];
+      ssl = {
+          enable = true;
+          # these certs will be needed if acme has not yet created certificates:
+          certificate =   ssl_cert;
+          certificate_key = ssl_key;
+          force_encryption = true;
+      };
+
+      locations = [
+          (nameValuePair "/" ''
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP          $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass http://localhost:3000/;
+          '')
+          (nameValuePair  "/.well-known/acme-challenge" ''
+            root ${acmechall}/${ext-dom}/;
+          '')
+      ];
+    };
+  };
+
+  security.acme.certs."${ext-dom}" = {
+    email = "acme@syntax-fehler.de";
+    webroot = "${acmechall}/${ext-dom}/";
+    group = "nginx";
+    allowKeysForGroup = true;
+    postRun = "systemctl reload nginx.service";
+    extraDomains."${ext-dom}" = null ;
+  };
+
+  services.graphite = {
+    web = {
+      enable = true;
+      host = "127.0.0.1";
+      port = 8080;
+    };
+    carbon = {
+      enableCache = true;
+      # save disk usage by restricting to 1 bulk update per second
+      config = ''
+        [cache]
+        MAX_CACHE_SIZE = inf
+        MAX_UPDATES_PER_SECOND = 1
+        MAX_CREATES_PER_MINUTE = 500
+        '';
+      storageSchemas = ''
+        [carbon]
+        pattern = ^carbon\.
+        retentions = 60:90d
+
+        [elchos]
+        patterhn = ^elchos\.
+        retention = 10s:30d,60s:1y
+
+        [default]
+        pattern = .*
+        retentions = 30s:30d,300s:1y
+        '';
+    };
+  };
+}
diff --git a/makefu/2configs/filepimp-share.nix b/makefu/2configs/filepimp-share.nix
new file mode 100644
index 00000000..23fa8da0
--- /dev/null
+++ b/makefu/2configs/filepimp-share.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+  hostname = config.krebs.build.host.name;
+in {
+  users.users.smbguest = {
+    name = "smbguest";
+    uid = config.ids.uids.smbguest;
+    description = "smb guest user";
+    home = "/var/empty";
+  };
+  services.samba = {
+    enable = true;
+    shares = {
+      media = {
+        path = "/media/";
+        "read only" = "no";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+    };
+    extraConfig = ''
+      guest account = smbguest
+      map to guest = bad user
+      # disable printing
+      load printers = no
+      printing = bsd
+      printcap name = /dev/null
+      disable spoolss = yes
+    '';
+  };
+}
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index 58390e48..2ec531e5 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -5,7 +5,7 @@ with config.krebs.lib;
 
   imports = [ ./tp-x2x0.nix ];
   boot = {
-    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
   };
   hardware.opengl.extraPackages =  [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix
index 9047cfb6..368465a8 100644
--- a/makefu/2configs/hw/tp-x2x0.nix
+++ b/makefu/2configs/hw/tp-x2x0.nix
@@ -38,4 +38,8 @@ with config.krebs.lib;
     CPU_MIN_PERF_ON_BAT=0
     CPU_MAX_PERF_ON_BAT=30
   '';
+
+  powerManagement.resumeCommands = ''
+    {pkgs.rfkill}/bin/rfkill unblock all
+  '';
 }
diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix
index ca489d07..b1446eab 100644
--- a/makefu/2configs/iodined.nix
+++ b/makefu/2configs/iodined.nix
@@ -5,8 +5,9 @@ let
   domain = "io.krebsco.de";
   pw = import <secrets/iodinepw.nix>;
 in {
+  networking.firewall.allowedUDPPorts = [ 53 ];
 
-  services.iodined = {
+  services.iodine = {
     server = {
       enable = true;
       domain = domain;
diff --git a/makefu/2configs/nginx/icecult.nix b/makefu/2configs/nginx/icecult.nix
new file mode 100644
index 00000000..a11f92af
--- /dev/null
+++ b/makefu/2configs/nginx/icecult.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+
+with config.krebs.lib;
+
+let
+  icecult = pkgs.fetchFromGitHub {
+    owner = "kraiz";
+    repo = "icecult";
+    rev = "1942d43381a97f30111a48725f7532c343a6f4d7";
+    sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
+  };
+in{
+  krebs.nginx = {
+    enable = true;
+    servers.default = {
+        extraConfig = ''
+          root ${icecult}/app;
+        '';
+        locations = [
+          (nameValuePair "/rpc" ''
+        rewrite /rpc/(.*) /$1 break;
+        proxy_http_version 1.1;
+        proxy_pass http://10.42.22.163:3121;
+          '')
+      ];
+    };
+  };
+}
diff --git a/makefu/2configs/rad1o.nix b/makefu/2configs/rad1o.nix
index 03bb9bc7..6eca69e0 100644
--- a/makefu/2configs/rad1o.nix
+++ b/makefu/2configs/rad1o.nix
@@ -3,7 +3,7 @@
 {
 
   environment.systemPackages = with pkgs; [
-    gnuradio-full
+    gnuradio-with-packages
     gnuradio-osmosdr
     gqrx
     ];
diff --git a/makefu/2configs/solr.nix b/makefu/2configs/solr.nix
new file mode 100644
index 00000000..cad9eabc
--- /dev/null
+++ b/makefu/2configs/solr.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+  solrHome = "/var/db/solr";
+in {
+  imports = [ ];
+  users.users.solr = {
+    home = solrHome;
+    uid = genid "solr";
+    createHome = true;
+    group = "solr";
+  };
+  users.groups.solr.gid = genid "solr";
+
+  services.solr = {
+    enable = true;
+    inherit solrHome;
+    user = "solr";
+    group = "solr";
+  };
+}
diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix
index e0fbefa3..0d8f888f 100644
--- a/makefu/2configs/urlwatch.nix
+++ b/makefu/2configs/urlwatch.nix
@@ -14,6 +14,8 @@
       https://pypi.python.org/simple/xstatic/
       http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
       http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+      https://github.com/amadvance/snapraid/releases.atom
+      https://erdgeist.org/gitweb/opentracker/commit/
     ];
   };
 }
author	tv <tv@krebsco.de>	2016-10-20 20:22:29 +0200
committer	tv <tv@krebsco.de>	2016-10-20 20:22:29 +0200
commit	9329c1e47ddda0653d7e9824a01632ce3766e8f0 (patch)
tree	2bfb70737a757d0bd61ca0aa895c77d740b21e73 /makefu/2configs
parent	844d347ce7cf0b7646e9ecba3fbdc0b90e608501 (diff)
parent	0f2a9778315c3126794c0f1ad63710d38e7a67f7 (diff)