-rw-r--r-- | makefu/2configs/git/cgit-retiolum.nix | 1 | ||||
-rw-r--r-- | makefu/2configs/hub.nix | 102 | ||||
-rw-r--r-- | makefu/source.nix | 2 |
3 files changed, 104 insertions, 1 deletions
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index c209b83f6..61182f6c3 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -38,6 +38,7 @@ let
priv-repos = mapAttrs make-priv-repo {
autosync = { };
+ fenkins = { };
pass = { };
};
diff --git a/makefu/2configs/hub.nix b/makefu/2configs/hub.nix
new file mode 100644
index 000000000..a121157d4
--- /dev/null
+++ b/makefu/2configs/hub.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+# search also generates ddclient entries for all other logs
+
+with import <stockholm/lib>;
+let
+ ddclientUser = "ddclient";
+ sec = toString <secrets>;
+ nsupdate = import "${sec}/nsupdate-hub.nix";
+ stateDir = "/var/spool/ddclient";
+ cfg = "${stateDir}/cfg";
+ ext-if = config.makefu.server.primary-itf;
+ ddclientPIDFile = "${stateDir}/ddclient.pid";
+
+ # TODO: correct cert generation requires a `real` internet ip address
+
+ gen-cfg = dict: ''
+ ssl=yes
+ cache=${stateDir}/ddclient.cache
+ pid=${ddclientPIDFile}
+ ${concatStringsSep "\n" (mapAttrsToList (user: pass: ''
+
+ protocol=dyndns2
+ use=web, web=http://ipv4.nsupdate.info/myip
+ ssl=yes
+ server=ipv4.nsupdate.info
+ login=${user}
+ password='${pass}'
+ ${user}
+
+ '') dict)}
+ '';
+
+in {
+ users.extraUsers = singleton {
+ name = ddclientUser;
+ uid = genid "ddclient";
+ description = "ddclient daemon user";
+ home = stateDir;
+ createHome = true;
+ };
+
+ systemd.services = {
+ redis.serviceConfig.LimitNOFILE=10032;
+ ddclient-nsupdate-uhub = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ip-up.target" ];
+ serviceConfig = {
+ Type = "forking";
+ User = ddclientUser;
+ PIDFile = ddclientPIDFile;
+ ExecStartPre = pkgs.writeDash "init-nsupdate" ''
+ cp -vf ${pkgs.writeText "ddclient-config" (gen-cfg nsupdate)} ${cfg}
+ chmod 700 ${cfg}
+ '';
+ ExecStart = "${pkgs.ddclient}/bin/ddclient -verbose -daemon 1 -noquiet -file ${cfg}";
+ };
+ };
+ };
+
+ networking.firewall.extraCommands = ''
+ iptables -A PREROUTING -t nat -i ${ext-if} -p tcp --dport 411 -j REDIRECT --to-port 1511
+ '';
+ systemd.services.uhub.serviceConfig = {
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ ExecStartPre = pkgs.writeDash "uhub-pre" ''
+ cp ${toString <secrets/wildcard.krebsco.de.crt>} /tmp/uhub.crt
+ cp ${toString <secrets/wildcard.krebsco.de.key>} /tmp/uhub.key
+ cp ${toString <secrets/uhub.sql>} /tmp/uhub.sql
+ chown uhub /tmp/*
+ '';
+
+ };
+ services.uhub = {
+ enable = true;
+ port = 1511;
+ enableTLS = true;
+ hubConfig = ''
+ hub_name = "krebshub"
+ tls_certificate = /tmp/uhub.crt
+ tls_private_key = /tmp/uhub.key
+ registered_users_only = true
+ '';
+ plugins = {
+ welcome = {
+ enable = true;
+ motd = "shareit";
+ rules = "1. Don't be an asshole";
+ };
+ history = {
+ enable = true;
+ };
+ authSqlite = {
+ enable = true;
+ file = "/tmp/uhub.sql";
+ };
+
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 411 1511 ];
+}
diff --git a/makefu/source.nix b/makefu/source.nix
index c1e291b8a..fac1c0282 100644
--- a/makefu/source.nix
+++ b/makefu/source.nix
@@ -24,7 +24,7 @@ let
];
};
# TODO: automate updating of this ref + cherry-picks
- ref = "ef4c5fbf5c2"; # nixos-18.03 @ 2018-05-31
+ ref = "14946ec63a1"; # nixos-18.03 @ 2018-05-31
# + do_sqlite3 ruby: 55a952be5b5
# + exfat-nofuse bump: ee6a5296a35
# + uhub/sqlite: 5dd7610401747 |
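Review bot: In the ddclient-nsupdate-uhub ExecStartPre of hub.nix the rendered config, which carries a `password='${pass}'` line for every nsupdate account, is built with `pkgs.writeText`, so the file is a world-readable Nix store path and the `chmod 700 ${cfg}` on the copy protects only the copy, not the store path. Keeping the credentials out of the store means rendering the config at start time from a file under `<secrets>` rather than from a derivation evaluated from `import "${sec}/nsupdate-hub.nix"`. The copy's mode should also be `chmod 600 ${cfg}`, since a configuration file has no use for the execute bit. In the uhub ExecStartPre the key is copied and chowned but never chmodded, so `/tmp/uhub.key` keeps whatever mode the source file has; adding `chmod 600 /tmp/uhub.key` after the `cp` pins it (PrivateTmp confines the copy to the unit's own namespace, but the mode should not depend on the source).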