authortv <tv@krebsco.de>2015-12-20 19:37:46 +0100
committertv <tv@krebsco.de>2015-12-20 19:37:46 +0100
commitc89907175546aa0c39bc6b2c4960f0ea6e6db8c9 (patch)
tree158bf1a5938fc37efc466b00b3f0906ac2a50d9f /makefu
parentc09bc6a29f21f1c6bd21575e385b8b3bc5c89b8a (diff)
parent5821d8438578db623a3e248c52fefa424fad0b51 (diff)
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/filepimp.nix2
-rw-r--r--makefu/1systems/gum.nix68
-rw-r--r--makefu/1systems/omo.nix37
-rw-r--r--makefu/1systems/pornocauster.nix21
-rw-r--r--makefu/1systems/vbob.nix88
-rw-r--r--makefu/1systems/wry.nix17
-rw-r--r--makefu/2configs/Reaktor/full.nix18
-rw-r--r--makefu/2configs/Reaktor/sed-plugin.nix18
-rw-r--r--makefu/2configs/Reaktor/sed-plugin.py53
-rw-r--r--makefu/2configs/base-gui.nix40
-rw-r--r--makefu/2configs/default.nix23
-rw-r--r--makefu/2configs/fetchWallpaper.nix24
-rw-r--r--makefu/2configs/fs/simple-swap.nix11
-rw-r--r--makefu/2configs/git/brain-retiolum.nix15
-rw-r--r--makefu/2configs/git/cgit-retiolum.nix62
-rw-r--r--makefu/2configs/main-laptop.nix8
-rw-r--r--makefu/2configs/mattermost-docker.nix47
-rw-r--r--makefu/2configs/nginx/euer.test.nix26
-rw-r--r--makefu/2configs/printer.nix10
-rw-r--r--makefu/2configs/tinc-basic-retiolum.nix1
-rw-r--r--makefu/2configs/virtualization-virtualbox.nix6
-rw-r--r--makefu/2configs/wwan.nix4
-rw-r--r--makefu/2configs/zsh-user.nix42
-rw-r--r--makefu/3modules/buildbot/master.nix263
-rw-r--r--makefu/3modules/buildbot/slave.nix185
-rw-r--r--makefu/3modules/default.nix2
-rw-r--r--makefu/5pkgs/awesomecfg/full.cfg30
27 files changed, 1037 insertions, 84 deletions
diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix
index fb1a57552..66ea2ce90 100644
--- a/makefu/1systems/filepimp.nix
+++ b/makefu/1systems/filepimp.nix
@@ -7,8 +7,6 @@
{
imports =
[ # Include the results of the hardware scan.
- ../2configs/default.nix
- ../2configs/fs/vm-single-partition.nix
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
];
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index 85cf4c533..417a020fa 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -9,24 +9,71 @@ in {
# TODO: copy this config or move to krebs
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
+ ../2configs/fs/simple-swap.nix
+ ../2configs/fs/single-partition-ext4.nix
# ../2configs/iodined.nix
-
- # Reaktor
- ../2configs/Reaktor/simpleExtend.nix
+ ../2configs/git/cgit-retiolum.nix
+ ../2configs/mattermost-docker.nix
+ ../2configs/nginx/euer.test.nix
];
+
+ nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+
+ ###### stable
+ krebs.build.target = "root@gum.krebsco.de";
krebs.build.host = config.krebs.hosts.gum;
+ krebs.retiolum.extraConfig = ''
+ ListenAddress = ${external-ip} 53
+ ListenAddress = ${external-ip} 655
+ ListenAddress = ${external-ip} 21031
+ '';
- krebs.Reaktor.enable = true;
+ # Chat
+ environment.systemPackages = with pkgs;[
+ weechat
+ bepasty-client-cli
+ get
+ ];
+ services.bitlbee.enable = true;
- # prepare graphs
- krebs.nginx.enable = true;
+ # Hardware
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "pata_via" "uhci_hcd" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ # Network
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0"
+ '';
+ boot.kernelParams = [ "ipv6.disable=1" ];
networking = {
- firewall.allowPing = true;
- firewall.allowedTCPPorts = [ 80 443 655 ];
- firewall.allowedUDPPorts = [ 655 ];
- interfaces.enp2s1.ip4 = [{
+ enableIPv6 = false;
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedTCPPorts = [
+ # smtp
+ 25
+ # http
+ 80 443
+ # tinc
+ 655
+ # tinc-shack
+ 21032
+ # tinc-retiolum
+ 21031
+ ];
+ allowedUDPPorts = [
+ # tinc
+ 655 53
+ # tinc-retiolum
+ 21031
+ # tinc-shack
+ 21032
+ ];
+ };
+ interfaces.et0.ip4 = [{
address = external-ip;
prefixLength = 24;
}];
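Review bot: The tinc `ListenAddress` lines bind ports 53, 655 and 21031, but `allowedTCPPorts` has no entry for 53 while `allowedUDPPorts` does, so only the UDP half of the port-53 listener is reachable. tinc uses TCP for its meta connections, so either add `53` to the TCP list or drop that listener. Port 21032 is opened for TCP and UDP although nothing in this hunk listens on it, and TCP 25 is opened without a mail service among the visible imports (the import list starts outside the hunk, so both may be configured elsewhere). `logRefusedConnections = false` on an internet-facing host also removes the firewall's drop log; a comment such as `# refused-connection logging disabled to cut log volume; scan visibility comes from <other source>` would record the trade-off, and the same setting is added in wry.nix.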
@@ -34,5 +81,4 @@ in {
nameservers = [ "8.8.8.8" ];
};
- # based on ../../tv/2configs/CAC-Developer-2.nix
}
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
new file mode 100644
index 000000000..6ae79398a
--- /dev/null
+++ b/makefu/1systems/omo.nix
@@ -0,0 +1,37 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ../2configs/fs/single-partition-ext4.nix
+ ../2configs/tinc-basic-retiolum.nix
+ ../2configs/exim-retiolum.nix
+ ];
+ krebs.build.host = config.krebs.hosts.omo;
+
+ # AMD E350
+ boot = {
+ loader.grub.device = "/dev/sda";
+
+ initrd.availableKernelModules = [
+ "usb_storage"
+ "ahci"
+ "xhci_hcd"
+ "ata_piix"
+ "uhci_hcd"
+ "ehci_pci"
+ ];
+
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ hardware.enableAllFirmware = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+ networking.firewall.allowPing = true;
+}
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 8624cb2d1..28b77d330 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -6,21 +6,21 @@
{
imports =
[ # Include the results of the hardware scan.
- ../2configs/main-laptop.nix #< base-gui
+ ../2configs/main-laptop.nix #< base-gui + zsh
# Krebs
../2configs/tinc-basic-retiolum.nix
#../2configs/disable_v6.nix
- # environment
- ../2configs/zsh-user.nix
# applications
+
../2configs/exim-retiolum.nix
../2configs/mail-client.nix
+ ../2configs/printer.nix
#../2configs/virtualization.nix
../2configs/virtualization.nix
- #../2configs/virtualization-virtualbox.nix
+ ../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix
# services
@@ -34,15 +34,23 @@
# ../2configs/mediawiki.nix
#../2configs/wordpress.nix
];
+ nixpkgs.config.packageOverrides = pkgs: {
+ tinc = pkgs.tinc_pre;
+ buildbot = let
+ pkgs1509 = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
+ in pkgs1509.buildbot;
+ };
+ makefu.buildbot.master.enable = true;
+
#krebs.Reaktor.enable = true;
#krebs.Reaktor.nickname = "makefu|r";
-
- krebs.build.host = config.krebs.hosts.pornocauster;
+ # nix.binaryCaches = [ "http://acng.shack/nixos" "https://cache.nixos.org" ];
environment.systemPackages = with pkgs;[
get
virtmanager
gnome3.dconf
+ krebspaste
];
services.logind.extraConfig = "HandleLidSwitch=ignore";
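Review bot: The `buildbot` override imports nixpkgs from `fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz`, a moving branch archive with no revision or hash, so each evaluation can pull different code and the build master runs whatever that URL serves at the time. Pin the archive to a commit, e.g. `fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/<REVISION>.tar.gz`, and add a `sha256` where the Nix version in use supports it. The binding is named `pkgs1509` although it points at nixos-unstable, which misleads the reader about what is being installed. The same unpinned import appears as `pkgs-unst` in vbob.nix, where it also supplies `buildbot-slave`.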
@@ -54,4 +62,5 @@
25
];
+ krebs.build.host = config.krebs.hosts.pornocauster;
}
diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix
new file mode 100644
index 000000000..a24cefd0d
--- /dev/null
+++ b/makefu/1systems/vbob.nix
@@ -0,0 +1,88 @@
+#
+#
+#
+{ lib, config, pkgs, ... }:
+let
+ pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
+in {
+ krebs.build.host = config.krebs.hosts.vbob;
+ krebs.build.target = "root@10.10.10.220";
+ imports =
+ [ # Include the results of the hardware scan.
+ <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>
+ ../2configs/main-laptop.nix #< base-gui
+
+ # environment
+
+ ];
+ nixpkgs.config.packageOverrides = pkgs: {
+ tinc = pkgs.tinc_pre;
+ buildbot = pkgs-unst.buildbot;
+ buildbot-slave = pkgs-unst.buildbot-slave;
+ };
+
+ makefu.buildbot.master = {
+ enable = true;
+ irc = {
+ enable = true;
+ server = "cd.retiolum";
+ channel = "retiolum";
+ allowForce = true;
+ };
+ };
+ makefu.buildbot.slave = {
+ enable = true;
+ masterhost = "localhost";
+ username = "testslave";
+ password = "krebspass";
+ packages = with pkgs;[ git nix ];
+ extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
+ };
+
+ krebs.build.source.git.nixpkgs = {
+ #url = https://github.com/nixos/nixpkgs;
+ # HTTP Everywhere
+ rev = "a3974e";
+ };
+ fileSystems."/nix" = {
+ device ="/dev/disk/by-label/nixstore";
+ fsType = "ext4";
+ };
+ #makefu.buildbot.master.enable = true;
+ # allow vbob to deploy self
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
+ };
+ };
+ environment.systemPackages = with pkgs;[
+ buildbot
+ buildbot-slave
+ get
+ genid
+ ];
+
+ networking.firewall.allowedTCPPorts = [
+ 25
+ 80
+ 8010
+ ];
+
+ krebs.retiolum = {
+ enable = true;
+ extraConfig = "Proxy = http global.proxy.alcatel-lucent.com 8000";
+ hosts = ../../krebs/Zhosts;
+ connectTo = [
+ "gum"
+ ];
+ };
+
+ networking.proxy.default = "http://global.proxy.alcatel-lucent.com:8000";
+ fileSystems."/media/share" = {
+ fsType = "vboxsf";
+ device = "share";
+ options = "rw,uid=9001,gid=9001";
+ };
+
+}
+
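Review bot: `password = "krebspass";` in `makefu.buildbot.slave` puts the slave credential in the repository and, once evaluated, most likely in the world-readable Nix store. The module in 3modules/buildbot/slave.nix is not shown here, so whether it can take a file path instead is unverified. Prefer loading the credential from the secrets directory at runtime, the way mattermost-docker.nix references its TLS key through `toString <secrets>`. The firewall also opens 8010, presumably the buildbot web interface, while the IRC bot sets `allowForce = true`, so anyone who can reach that port or the channel may be able to trigger builds. A comment stating that this VM is only reachable from the host network would make the intended exposure explicit.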
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index ba94972fb..cd2b3f657 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -24,11 +24,11 @@ in {
# other nginx
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
+ ../2configs/nginx/euer.test.nix
# collectd
../2configs/collectd/collectd-base.nix
];
-
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.enable = true;
@@ -59,9 +59,12 @@ in {
};
networking = {
- firewall.allowPing = true;
- firewall.allowedTCPPorts = [ 53 80 443 ];
- firewall.allowedUDPPorts = [ 655 ];
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedTCPPorts = [ 53 80 443 ];
+ allowedUDPPorts = [ 655 ];
+ };
interfaces.enp2s1.ip4 = [{
address = external-ip;
prefixLength = 24;
@@ -70,5 +73,9 @@ in {
nameservers = [ "8.8.8.8" ];
};
- environment.systemPackages = [ pkgs.translate-shell ];
+ # small machine - do not forget to gc every day
+ nix.gc.automatic = true;
+ nix.gc.dates = "03:10";
+
+ environment.systemPackages = [ ];
}
diff --git a/makefu/2configs/Reaktor/full.nix b/makefu/2configs/Reaktor/full.nix
new file mode 100644
index 000000000..50620890f
--- /dev/null
+++ b/makefu/2configs/Reaktor/full.nix
@@ -0,0 +1,18 @@
+_:
+{
+ # implementation of the complete Reaktor bot
+ imports = [
+ #./stockholmLentil.nix
+ ./simpleExtend.nix
+ ./random-emoji.nix
+ ./titlebot.nix
+ ./shack-correct.nix
+ ./sed-plugin.nix
+ ];
+ krebs.Reaktor.nickname = "Reaktor|bot";
+ krebs.Reaktor.enable = true;
+
+ krebs.Reaktor.extraEnviron = {
+ REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
+ };
+}
diff --git a/makefu/2configs/Reaktor/sed-plugin.nix b/makefu/2configs/Reaktor/sed-plugin.nix
new file mode 100644
index 000000000..a451e0d3e
--- /dev/null
+++ b/makefu/2configs/Reaktor/sed-plugin.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+with pkgs;
+let
+ script = ./sed-plugin.py;
+in {
+ #TODO: this will eat up the last regex, fix Reaktor
+ krebs.Reaktor.extraConfig = ''
+ public_commands.append({
+ 'capname' : "sed-plugin",
+ # only support s///gi
+ 'pattern' : '^(?P<args>.*)$$',
+ 'argv' : ["${pkgs.python3}/bin/python3","${script}"],
+ 'env' : { 'state_dir' : workdir,
+ 'PATH':'${lib.makeSearchPath "bin" [pkgs.gnused]}' }})
+ '';
+}
+
diff --git a/makefu/2configs/Reaktor/sed-plugin.py b/makefu/2configs/Reaktor/sed-plugin.py
new file mode 100644
index 000000000..8103c9585
--- /dev/null
+++ b/makefu/2configs/Reaktor/sed-plugin.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+# Usage:
+# _from=krebs state_dir=. python sed-plugin.py 'dick butt'
+# _from=krebs state_dir=. python sed-plugin.py 's/t/l/g'
+## dick bull
+import shelve
+from os import environ
+from os.path import join
+from sys import argv
+d = shelve.open(join(environ['state_dir'],'sed-plugin.shelve'),writeback=True)
+usr = environ['_from']
+import re
+
+def is_regex(line):
+ myre = re.compile(r'^s/((?:\\/|[^/])+)/((?:\\/|[^/])*)/([ig]*)$')
+ return myre.match(line)
+
+line = argv[1]
+m = is_regex(line)
+
+if m:
+ f,t,flagstr = m.groups()
+ fn = f.replace('\/','/')
+ tn = t.replace('\/','/')
+ flags = 0
+ count = 1
+ if flagstr:
+ if 'i' in flagstr:
+ flags = re.IGNORECASE
+ if 'g' in flagstr:
+ count = 0
+ else:
+ flagstr = ''
+ last = d.get(usr,None)
+ if last:
+ #print(re.sub(fn,tn,last,count=count,flags=flags))
+ from subprocess import Popen,PIPE
+ p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
+ so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
+ if p.returncode:
+ print("something went wrong when trying to process your regex: {}".format(se.decode()))
+ ret = so.decode()
+ print("\x1b[1m{}\x1b[0m meinte: {}".format(usr,ret.strip()))
+ if ret:
+ d[usr] = ret
+
+ else:
+ print("no last message")
+else:
+ d[usr] = line
+
+d.close()
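Review bot: The `sed` script is built from the raw `f`, `t` and `flagstr` taken from a chat message, and the `[ig]*` allowlist only holds if sed splits the expression at the same slashes as the Python regex. The two do not treat backslashes identically, so text accepted here as the replacement can be read by sed as flags or further commands, and GNU sed has `s` flags that write files and execute the pattern space. The already computed `fn`, `tn`, `count` and `flags` are unused; doing the substitution in-process with `ret = re.sub(fn, tn, last, count=count, flags=flags)` removes the second parser, and if sed is kept it should at least run with `--sandbox`. A user-supplied pattern can also be slow to match, so whichever engine runs it needs a time limit. Separately, `Popen` is created without `stderr=PIPE`, so `se` is `None` and `se.decode()` raises on the error path, and a failed run still falls through to `d[usr] = ret`.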
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index 7b7f85f13..1d6750284 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -10,6 +10,17 @@
#
# if this is not enough, check out main-laptop.nix
+## TODO: .Xdefaults:
+# URxvt*termName: rxvt
+# URxvt.scrollBar : false
+# URxvt*scrollBar_right: false
+# URxvt*borderLess: false
+# URxvt.foreground: white
+# URxvt.background: black
+# URxvt.urgentOnBell: true
+# URxvt.visualBell: false
+# URxvt.font : xft:Terminus
+
with lib;
let
mainUser = config.krebs.build.user.name;
@@ -62,4 +73,33 @@ in
enable = true;
# systemWide = true;
};
+ services.xserver.displayManager.sessionCommands = let
+ xdefaultsfile = pkgs.writeText "Xdefaults" ''
+ cat |derp <<EOF
+ XTerm*background: black
+ XTerm*foreground: white
+ XTerm*FaceName : Terminus:pixelsize=14
+
+ URxvt*termName: rxvt
+ URxvt.scrollBar : False
+ URxvt*scrollBar_right: false
+ URxvt*borderLess: false
+ URxvt.foreground: white
+ URxvt.background: black
+ URxvt.urgentOnBell: true
+ URxvt.visualBell: false
+ URxvt.font : xft:Terminus
+
+ ! blue
+ URxvt*color4: #268bd2
+
+
+ URxvt.perl-ext: default,url-select
+ URxvt.keysym.M-u: perl:url-select:select_next
+ #URxvt.url-select.launcher: firefox -new-tab
+ URxvt.url-select.launcher: chromium
+ URxvt.url-select.underline: true
+ URxvt.searchable-scrollback: CM-s
+ '';
+ in "cat ${xdefaultsfile} | xrdb -merge";
}
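Review bot: The text passed to `pkgs.writeText "Xdefaults"` begins with `cat |derp <<EOF`, which looks like a leftover from a shell heredoc; it is written into the file as its first line and handed to `xrdb`, and there is no matching `EOF`. Drop that line so the file starts at `XTerm*background: black`. `sessionCommands` can then be `"xrdb -merge ${xdefaultsfile}"` instead of piping through `cat`. The `## TODO: .Xdefaults:` comment block added in the first hunk repeats the same settings and can be removed once this works.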
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 3d9174788..c0d7685e3 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -65,6 +65,7 @@ with lib;
time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1;
+ programs.ssh.startAgent = false;
services.openssh.enable = true;
nix.useChroot = true;
@@ -79,7 +80,14 @@ with lib;
"d /tmp 1777 root root - -"
];
- environment.variables.EDITOR = mkForce "vim";
+ environment.variables = {
+ NIX_PATH = with config.krebs.build.source; with dir; with git;
+ mkForce (concatStringsSep ":" [
+ "nixpkgs=${nixpkgs.target-path}"
+ "${nixpkgs.target-path}"
+ ]);
+ EDITOR = mkForce "vim";
+ };
environment.systemPackages = with pkgs; [
jq
@@ -96,6 +104,8 @@ with lib;
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
+ PYTHONSTARTUP="~/.pythonrc";
+
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
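Review bot: `PYTHONSTARTUP="~/.pythonrc";` will not take effect as written, because the tilde is not expanded inside double quotes, Python does not expand it either, and the variable is not exported to child processes. Use `export PYTHONSTARTUP="$HOME/.pythonrc"`. The surrounding shell snippet starts and ends outside this hunk, so an export elsewhere cannot be ruled out. Since this file is executed at the start of every interactive Python session, a one-line comment saying who is expected to own it would be useful.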
@@ -115,6 +125,9 @@ with lib;
environment.shellAliases = {
lsl = "ls -lAtr";
+ psg = "ps -ef | grep";
+ nmap = "nmap -oN $HOME/loot/scan-`date +\%s`.nmap -oX $HOME/loot/scan-`date +%s`.xml";
+ grep = "grep --color=auto";
};
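Review bot: The `nmap` alias calls `date` twice, so the `.nmap` and `.xml` files of one scan can end up with different timestamps, and the first call is written `+\%s` while the second is `+%s`. nmap's `-oA` option writes all output formats under one basename, e.g. `-oA $HOME/loot/scan-$(date +%s)`, which keeps the files of a run together (it additionally produces the grepable format). The alias also assumes `$HOME/loot` exists; nmap cannot open its output files otherwise, so the directory should be created or the requirement noted in a comment.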
nixpkgs.config.packageOverrides = pkgs: {
@@ -123,6 +136,14 @@ with lib;
services.cron.enable = false;
services.nscd.enable = false;
+ services.ntp.enable = false;
+ services.timesyncd.enable = true;
+ services.ntp.servers = [
+ "pool.ntp.org"
+ "time.windows.com"
+ "time.apple.com"
+ "time.nist.gov"
+ ];
security.setuidPrograms = [ "sendmail" ];
services.journald.extraConfig = ''
diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix
new file mode 100644
index 000000000..b071a128d
--- /dev/null
+++ b/makefu/2configs/fetchWallpaper.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+let
+ # check if laptop runs on umts
+ weaksauce-internet = with pkgs;writeScript "weaksauce-internet" ''
+ #! /bin/sh
+ if ${iproute}/bin/ip addr show dev ppp0 2>/dev/null \
+ | ${gnugrep}/bin/grep -q inet;then
+ exit 1
+ fi
+ '';
+
+in {
+ krebs.fetchWallpaper = {
+ enable = true;
+ display = ":0";
+ predicate = weaksauce-internet;
+ timerConfig = {
+ OnCalendar = "*:0/30";
+ };
+ url = "http://echelon/wallpaper.png";
+ };
+}
+
diff --git a/makefu/2configs/fs/simple-swap.nix b/makefu/2configs/fs/simple-swap.nix
new file mode 100644
index 000000000..8c161b287
--- /dev/null
+++ b/makefu/2configs/fs/simple-swap.nix
@@ -0,0 +1,11 @@
+_:
+{
+ # do not swap that often
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 25;
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-label/swap"; }
+ ];
+}
diff --git a/makefu/2configs/git/brain-retiolum.nix b/makefu/2configs/git/brain-retiolum.nix
index 793373859..25ef584bf 100644
--- a/makefu/2configs/git/brain-retiolum.nix
+++ b/makefu/2configs/git/brain-retiolum.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
# TODO: remove tv lib :)
-with import ../../../tv/4lib { inherit lib pkgs; };
+with lib;
let
repos = priv-repos // krebs-repos ;
@@ -26,7 +26,7 @@ let
inherit name desc;
public = false;
hooks = {
- post-receive = git.irc-announce {
+ post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
channel = "#retiolum";
# TODO remove the hardcoded hostname
@@ -59,16 +59,7 @@ let
set-owners repo all-makefu ++ set-ro-access repo krebsminister;
in {
- imports = [{
- krebs.users.makefu-omo = {
- name = "makefu-omo" ;
- pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub;
- };
- krebs.users.makefu-tsp = {
- name = "makefu-tsp" ;
- pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub;
- };
- }];
+ imports = [ ];
krebs.git = {
enable = true;
cgit = false;
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 189dd66c8..35bb169cf 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -1,10 +1,12 @@
{ config, lib, pkgs, ... }:
# TODO: remove tv lib :)
-with import ../../../tv/4lib { inherit lib pkgs; };
+with lib;
let
- repos = priv-repos // krebs-repos ;
- rules = concatMap krebs-rules (attrValues krebs-repos) ++ concatMap priv-rules (attrValues priv-repos);
+ repos = priv-repos // krebs-repos // connector-repos ;
+ rules = concatMap krebs-rules (attrValues krebs-repos)
+ ++ concatMap priv-rules (attrValues priv-repos)
+ ++ concatMap connector-rules (attrValues connector-repos);
krebs-repos = mapAttrs make-krebs-repo {
stockholm = {
@@ -13,12 +15,21 @@ let
tinc_graphs = {
desc = "Tinc Advanced Graph Generation";
};
+ cac = { };
};
priv-repos = mapAttrs make-priv-repo {
autosync = { };
};
+ connector-repos = mapAttrs make-priv-repo {
+ connector = { };
+ minikrebs = { };
+ mattermost = {
+ desc = "Mattermost Docker files";
+ };
+ };
+
# TODO move users to separate module
make-priv-repo = name: { desc ? null, ... }: {
@@ -30,9 +41,9 @@ let
inherit name desc;
public = true;
hooks = {
- post-receive = git.irc-announce {
+ post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
- verbose = config.krebs.build.host.name == "pnp";
+ verbose = config.krebs.build.host.name == "gum";
channel = "#retiolum";
# TODO remove the hardcoded hostname
server = "cd.retiolum";
@@ -40,40 +51,35 @@ let
};
};
- set-owners = with git;repo: user:
- singleton {
- inherit user;
- repo = [ repo ];
- perm = push "refs/*" [ non-fast-forward create delete merge ];
- };
- set-ro-access = with git; repo: user:
- optional repo.public {
- inherit user;
- repo = [ repo ];
- perm = fetch;
- };
# TODO: get the list of all krebsministers
krebsminister = with config.krebs.users; [ lass tv uriel ];
- all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ];
+ all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob ];
+ all-exco = with config.krebs.users; [ exco ];
priv-rules = repo: set-owners repo all-makefu;
+ connector-rules = repo: set-owners repo all-makefu ++ set-owners repo all-exco;
+
krebs-rules = repo:
set-owners repo all-makefu ++ set-ro-access repo krebsminister;
+ set-ro-access = with git; repo: user:
+ optional repo.public {
+ inherit user;
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+ set-owners = with git;repo: user:
+ singleton {
+ inherit user;
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ };
+
in {
- imports = [{
- krebs.users.makefu-omo = {
- name = "makefu-omo" ;
- pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub;
- };
- krebs.users.makefu-tsp = {
- name = "makefu-tsp" ;
- pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub;
- };
- }];
krebs.git = {
enable = true;
root-title = "public repositories";
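Review bot: `connector-rules` gives `all-exco` the result of `set-owners`, i.e. `push "refs/*" [ non-fast-forward create delete merge ]`, on connector, minikrebs and mattermost, so a second party can rewrite and delete any ref in those repositories. If exco only needs to contribute, a narrower rule (for example `merge` only, or a restricted ref pattern) would follow least privilege; if full ownership is intended, say so in a comment next to `connector-rules`. The inline `krebs.users.makefu-omo` and `makefu-tsp` definitions are removed while `makefu-vbob` and `exco` are newly referenced, so all four must now be defined outside this file, which these hunks do not show. The `# TODO: remove tv lib :)` comment in the first hunk is stale after the switch to `with lib;`.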
diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix
index 294ee7510..b725f661d 100644
--- a/makefu/2configs/main-laptop.nix
+++ b/makefu/2configs/main-laptop.nix
@@ -6,13 +6,17 @@
with lib;
{
- imports = [ ./base-gui.nix ];
+ imports = [
+ ./base-gui.nix
+ ./fetchWallpaper.nix
+ ./zsh-user.nix
+ ];
environment.systemPackages = with pkgs;[
vlc
firefox
chromium
keepassx
-
+ ntfs3g
virtmanager
at_spi2_core # dep for virtmanager?
];
diff --git a/makefu/2configs/mattermost-docker.nix b/makefu/2configs/mattermost-docker.nix
new file mode 100644
index 000000000..20a93dff1
--- /dev/null
+++ b/makefu/2configs/mattermost-docker.nix
@@ -0,0 +1,47 @@
+{config, lib, ...}:
+
+with lib;
+let
+ sec = toString <secrets>;
+ ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+ ssl_key = "${sec}/wildcard.krebsco.de.key";
+in {
+ # mattermost docker config and deployment guide: git.euer.krebsco.de
+ virtualisation.docker.enable = true;
+ users.extraUsers.${config.krebs.build.user.name}.extraGroups = [ "docker" ];
+ krebs.nginx = {
+ enable = true;
+ servers.mattermost = {
+ listen = [ "80" "443 ssl" ];
+ server-names = [ "mattermost.euer.krebsco.de" ];
+ extraConfig = ''
+ gzip on;
+ gzip_buffers 4 32k;
+ gzip_types text/plain application/x-javascript text/css;
+ ssl_certificate ${ssl_cert};
+ ssl_certificate_key ${ssl_key};
+ default_type text/plain;
+
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+
+ client_max_body_size 4G;
+ keepalive_timeout 10;
+
+ '';
+ locations = [
+ (nameValuePair "/" ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect off;
+ proxy_pass http://localhost:8065/;
+ '')
+ ];
+ };
+ };
+}
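Review bot: Adding `config.krebs.build.user.name` to the `docker` group gives that account root-equivalent control of the host through the Docker socket, which should be stated in a comment next to `extraGroups` or replaced by a narrower arrangement for deploying the container. `client_max_body_size 4G` lets any client send 4 GiB request bodies through the proxy to port 8065; set it to the largest upload Mattermost is meant to accept. The container's port 8065 should be published on 127.0.0.1 only, since ports published by Docker are typically not filtered by the NixOS firewall; the Docker side is not part of this commit, so this needs checking in the referenced deployment guide. The vhost also uses the wildcard key for `krebsco.de`, so a compromise of this proxy would affect every name under that domain.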
diff --git a/makefu/2configs/nginx/euer.test.nix b/makefu/2configs/nginx/euer.test.nix
new file mode 100644
index 000000000..ffdc0bc60
--- /dev/null
+++ b/makefu/2configs/nginx/euer.test.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ hostname = config.krebs.build.host.name;
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+ external-ip = head config.krebs.build.host.nets.internet.addrs4;
+ internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
+in {
+ krebs.nginx = {
+ enable = mkDefault true;
+ servers = {
+ euer-share = {
+ listen = [ ];
+ server-names = [ "share.euer.krebsco.de" ];
+ locations = singleton (nameValuePair "/" ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8000/;
+ '');
+ }