35 files changed, 546 insertions, 106 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 772d96009..ecf549df9 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -574,6 +574,47 @@ with import <stockholm/lib>; }; }; }; + xerxes = { + cores = 2; + nets = rec { + retiolum = { + ip4.addr = "10.243.1.3"; + ip6.addr = "42::1:3"; + aliases = [ + "xerxes.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U + MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk + gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W + /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb + mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO + X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj + +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim + hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 + 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 + H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 + JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 + hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe + SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo + 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe + vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 + Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO + scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv + jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ + Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u + /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 + bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ + sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; + }; }; users = { lass = { 
@@ -602,6 +643,10 @@ with import <stockholm/lib>; mail = "lass@icarus.r"; pubkey = builtins.readFile ./ssh/icarus.rsa; }; + lass-xerxes = { + mail = "lass@xerxes.r"; + pubkey = builtins.readFile ./ssh/xerxes.rsa; + }; fritz = { pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540"; }; @@ -622,5 +667,8 @@ with import <stockholm/lib>; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"; mail = "joerg@higgsboson.tk"; }; + jeschli = { + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01"; + }; }; } diff --git a/krebs/3modules/lass/ssh/xerxes.rsa b/krebs/3modules/lass/ssh/xerxes.rsa new file mode 100644 index 000000000..2b5da7b25 --- /dev/null +++ b/krebs/3modules/lass/ssh/xerxes.rsa 
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 080b8fced..9f1842b88 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
@@ -107,7 +107,7 @@ with import <stockholm/lib>; ci = true; cores = 1; ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte"; + # ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte"; nets = { internet = { ip4.addr = "185.215.224.160"; @@ -500,7 +500,7 @@ with import <stockholm/lib>; }; retiolum = { ip4.addr = "10.243.214.15"; - ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; + # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; aliases = [ "wbob.r" ]; diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index fee43f8cd..ad133802f 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -179,7 +179,7 @@ with import <stockholm/lib>; echo 'secrets are crypted' >&2 exit 23 else - exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"' + exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"' fi ''; predeploy = pkgs.writeDash "predeploy" '' diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b18abf509..87270b8b8 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -287,6 +287,15 @@ in { } <stockholm/krebs/2configs/reaktor-krebs.nix> <stockholm/lass/2configs/dcso-dev.nix> + { + krebs.git.rules = [ + { + user = [ config.krebs.users.jeschli ]; + repo = [ config.krebs.git.repos.stockholm ]; + perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ]; + } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix new file mode 100644 index 000000000..0669748f5 --- /dev/null +++ b/lass/1systems/xerxes/config.nix 
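Review bot: Commenting out `ssh.pubkey` in the first hunk (host `latte`) leaves the host with an `ssh.privkey.path` but no published host key, so if, as elsewhere in the krebs modules, `ssh.pubkey` feeds the generated known_hosts, every other host loses its pinned entry for it and falls back to trust-on-first-use when connecting. If the key was rotated, the new public key should replace the old line rather than the line being removed; if the host is retired, the whole host entry is the thing to drop. The enclosing host attribute set starts outside the hunk.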
@@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/hw/gpd-pocket.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/exim-retiolum.nix> + <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/browsers.nix> + <stockholm/lass/2configs/programs.nix> + <stockholm/lass/2configs/fetchWallpaper.nix> + ]; + + krebs.build.host = config.krebs.hosts.xerxes; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" + ''; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/16C8-D053"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; + networking.wireless.enable = true; +} diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix new file mode 100644 index 000000000..11f5bf796 --- /dev/null +++ b/lass/1systems/xerxes/source.nix @@ -0,0 +1,11 @@ +with import <stockholm/lib>; +import <stockholm/lass/source.nix> { + name = "xerxes"; + secure = true; + override = { + nixpkgs.git = mkForce { + url = https://github.com/lassulus/nixpkgs; + ref = "3eccd0b"; + }; + }; +} diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index f8b750093..0e00dc2fd 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -22,6 +22,7 @@ with import <stockholm/lib>; config.krebs.users.lass.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey + config.krebs.users.lass-xerxes.pubkey ]; }; mainUser = { 
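Review bot: `ref = "3eccd0b"` in the new `lass/1systems/xerxes/source.nix` pins nixpkgs to a seven-character abbreviated commit id, which is not a stable identifier: as the fork grows an abbreviation can become ambiguous, and without a content hash the fetch has no integrity check beyond the id itself. The full 40-character commit hash (plus a `sha256` where the fetcher supports one) pins the input unambiguously. The same pattern appears in the `lass/source.nix` bump on the next line (`ref = "b4a0c01"`) and in the `fetchgit` `rev = "531741b"` of `led-fader.nix`, though that one is at least covered by its `sha256`.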
diff --git a/lass/2configs/hw/gpd-pocket.nix b/lass/2configs/hw/gpd-pocket.nix new file mode 100644 index 000000000..193c12c13 --- /dev/null +++ b/lass/2configs/hw/gpd-pocket.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: + +let + dummy_firmware = pkgs.writeTextFile { + name = "brcmfmac4356-pcie.txt"; + text = builtins.readFile ./brcmfmac4356-pcie.txt; + destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt"; + }; +in { + #imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + hardware.firmware = [ dummy_firmware ]; + hardware.enableRedistributableFirmware = true; + + boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ]; + boot.kernelPackages = pkgs.linuxPackages_4_14; + boot.kernelParams = [ + "fbcon=rotate:1" + ]; + services.tlp.enable = true; + services.xserver.displayManager.sessionCommands = '' + (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right) + (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1) + ''; + services.xserver.dpi = 200; + fonts.fontconfig.dpi = 200; + lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola"; + lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola"; + lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol"; +} diff --git a/lass/source.nix b/lass/source.nix index 292b92a9e..b60a6cb6c 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "f9390d6"; + ref = "b4a0c01"; }; secrets.file = getAttr builder { buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>; diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 98d5d2988..b66ef1ab8 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix 
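Review bot: In `gpd-pocket.nix` the italic font line ends in `xft:Symbol` while the regular and bold lines end in `xft:Symbola`; the trailing `a` looks dropped, so italic text would fall back to a different symbol font than the other two styles. Suggested line: `lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbola";`. The firmware text read via `builtins.readFile ./brcmfmac4356-pcie.txt` is not among the hunks shown, so I cannot confirm it is added alongside this module.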
@@ -46,7 +46,7 @@ in { # services <stockholm/makefu/2configs/share/gum.nix> - <stockholm/makefu/2configs/sabnzbd.nix> + # <stockholm/makefu/2configs/sabnzbd.nix> <stockholm/makefu/2configs/torrent.nix> <stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/vpn/openvpn-server.nix> @@ -65,6 +65,8 @@ in { <stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix> + <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> + { services.taskserver.enable = true; services.taskserver.fqdn = config.krebs.build.host.name; @@ -84,13 +86,40 @@ in { # Temporary: # <stockholm/makefu/2configs/temp/rst-issue.nix> + <stockholm/makefu/2configs/virtualisation/docker.nix> + + #{ + # services.dockerRegistry.enable = true; + # networking.firewall.allowedTCPPorts = [ 8443 ]; + + # services.nginx.virtualHosts."euer.krebsco.de" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # client_max_body_size 1000M; + # ''; + # locations."/".proxyPass = "http://localhost:5000"; + # }; + #} + { # wireguard server + networking.firewall.allowedUDPPorts = [ 51820 ]; + #networking.wireguard.interfaces.wg0 = { + # ips = [ "10.244.0.1/24" ]; + # privateKeyFile = (toString <secrets>) + "/wireguard.key"; + # allowedIPsAsRoutes = true; + # peers = [{ + # allowedIPs = [ "0.0.0.0/0" "::/0" ]; + # publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; + # }]; + #}; + } ]; makefu.dl-dir = "/var/download"; services.openssh.hostKeys = [ - { bits = 4096; path = <secrets/ssh_host_rsa_key>; type = "rsa"; } - { path = <secrets/ssh_host_ed25519_key>; type = "ed25519"; } ]; + { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; } + { path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ]; ###### stable services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; 
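Review bot: In the third hunk, `networking.firewall.allowedUDPPorts = [ 51820 ];` opens the WireGuard port on this host while the `networking.wireguard.interfaces.wg0` block that would listen there is commented out, so the firewall hole is in place with nothing intended behind it. Keeping the firewall rule and the interface definition in the same uncommented block avoids an open port that outlives the experiment; either drop the `allowedUDPPorts` line for now or enable both together. The commented peer with `allowedIPs = [ "0.0.0.0/0" "::/0" ]` together with `allowedIPsAsRoutes = true` would, if enabled as written, install default routes through that peer on the server, which deserves a second look before it is uncommented.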
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 1d157460b..4af87dc10 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -61,6 +61,7 @@ in { # logs to influx <stockholm/makefu/2configs/stats/external/aralast.nix> <stockholm/makefu/2configs/stats/telegraf> + <stockholm/makefu/2configs/stats/telegraf/europastats.nix> # services <stockholm/makefu/2configs/syncthing.nix> diff --git a/makefu/1systems/tsp/config.nix b/makefu/1systems/tsp/config.nix index 7b751e514..680fa2cbc 100644 --- a/makefu/1systems/tsp/config.nix +++ b/makefu/1systems/tsp/config.nix @@ -32,6 +32,8 @@ # acer aspire networking.wireless.enable = lib.mkDefault true; + services.xserver.synaptics.enable = true; + hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index ac51fd9ca..c30ee4c58 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -3,6 +3,7 @@ let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F"; user = config.makefu.gui.user; + primaryIP = "192.168.8.11"; in { imports = 
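Review bot: In the wbob hunk, `primaryIP = "192.168.8.11";` is bound in the `let` but not referenced by any hunk of this diff, including the grafana/influxdb block added further down in the same file, which binds to `0.0.0.0` and `":port"` instead. If the intent was to use it as the listen address, the binding should be wired in there; otherwise it is dead code. The rest of the file is outside the hunks shown, so it may be used in a part I cannot see.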
@@ -10,16 +11,18 @@ in { <stockholm/makefu> <stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/tools/core.nix> - <stockholm/makefu/2configs/tools/core-gui.nix> - <stockholm/makefu/2configs/tools/extra-gui.nix> - <stockholm/makefu/2configs/tools/media.nix> + <stockholm/makefu/2configs/disable_v6.nix> + # <stockholm/makefu/2configs/tools/core-gui.nix> + # <stockholm/makefu/2configs/tools/extra-gui.nix> + # <stockholm/makefu/2configs/tools/media.nix> <stockholm/makefu/2configs/virtualisation/libvirt.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/mqtt.nix> - <stockholm/makefu/2configs/deployment/led-fader.nix> # <stockholm/makefu/2configs/gui/wbob-kiosk.nix> + <stockholm/makefu/2configs/stats/client.nix> + # <stockholm/makefu/2configs/gui/studio-virtual.nix> # <stockholm/makefu/2configs/audio/jack-on-pulse.nix> # <stockholm/makefu/2configs/audio/realtime-audio.nix> 
@@ -27,6 +30,41 @@ in { # Services <stockholm/makefu/2configs/remote-build/slave.nix> + <stockholm/makefu/2configs/share/wbob.nix> + + <stockholm/makefu/2configs/stats/telegraf> + <stockholm/makefu/2configs/deployment/led-fader.nix> + <stockholm/makefu/2configs/stats/external/aralast.nix> + <stockholm/makefu/2configs/stats/telegraf/airsensor.nix> + <stockholm/makefu/2configs/deployment/bureautomation> + (let + collectd-port = 25826; + influx-port = 8086; + grafana-port = 3000; # TODO nginx forward + db = "collectd_db"; + logging-interface = "enp0s25"; + in { + services.grafana.enable = true; + services.grafana.addr = "0.0.0.0"; + + services.influxdb.enable = true; + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":${toString influx-port}"; + admin.bind-address = ":8083"; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = db; + bind-address = ":${toString collectd-port}"; + }]; + }; + + networking.firewall.extraCommands = '' + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + ''; + }) # temporary # <stockholm/makefu/2configs/temp/rst-issue.nix> diff --git a/makefu/1systems/wbob/source.nix b/makefu/1systems/wbob/source.nix index 6f079d712..b768aa87d 100644 --- a/makefu/1systems/wbob/source.nix +++ b/makefu/1systems/wbob/source.nix @@ -1,4 +1,4 @@ import <stockholm/makefu/source.nix> { name="wbob"; - musnix = true; + # musnix = true; } diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/deployment/bgt/hidden_service.nix new file mode 100644 index 000000000..c1a31b8dc --- /dev/null +++ b/makefu/2configs/deployment/bgt/hidden_service.nix 
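Review bot: `services.grafana.addr = "0.0.0.0"` and the influxdb `http.bind-address = ":8086"`, `admin.bind-address = ":8083"` and collectd `":25826"` listen on every interface, while the added `iptables` rule only admits the grafana port on `enp0s25`; the influxdb HTTP and admin endpoints are therefore reachable on any interface the default firewall policy does not block, and no authentication for them is visible in this hunk. If grafana queries influxdb locally, binding the influxdb endpoints to `127.0.0.1` and letting the `TODO nginx forward` front grafana keeps the exposure to the one port the rule intends. The rule is IPv4-only (`iptables`), which matches the `disable_v6.nix` import earlier in this file but should be revisited if that import is ever removed.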
@@ -0,0 +1,48 @@ +{ pkgs, lib, ... }: + +with lib; +let + name = "bgt_cyberwar_hidden_service"; + sec = (toString <secrets>) + "/"; + secdir = sec + name; + srvdir = "/var/lib/tor/onion/"; + basedir = srvdir + name; + hn = builtins.readFile (secdir + "/hostname"); +in +{ + systemd.services.prepare-hidden-service = { + wantedBy = [ "local-fs.target" ]; + before = [ "tor.service" ]; + serviceConfig = { + ExecStart = pkgs.writeScript "prepare-euer-blog-service" '' + #!/bin/sh + set -euf + if ! test -d "${basedir}" ;then + mkdir -p "${srvdir}" + cp -r "${secdir}" "${srvdir}" + chown -R tor:tor "${srvdir}" + chmod -R 700 "${basedir}" + else + echo "not overwriting ${basedir}" + fi + ''; + Type = "oneshot"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + }; + }; + services.nginx.virtualHosts."${hn}".locations."/" = { + proxyPass = "https://blog.binaergewitter.de"; + extraConfig = '' + proxy_set_header Host blog.binaergewitter.de; + proxy_ssl_server_name on; + ''; + }; + services.tor = { + enable = true; + hiddenServices."${name}".map = [ + { port = "80"; } + # { port = "443"; toHost = "blog.binaergewitter.de"; } + ]; + }; +} diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/deployment/bureautomation/default.nix new file mode 100644 index 000000000..3897537ea --- /dev/null +++ b/makefu/2configs/deployment/bureautomation/default.nix 
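Review bot: `hn = builtins.readFile (secdir + "/hostname")` keeps whatever trailing newline the file carries — tor writes `hostname` with one — so the nginx virtualHost name would end in a newline; `hn = fileContents (secdir + "/hostname");` (available through the `with lib;`) or `removeSuffix "\n"` strips it. The ExecStart script is named `prepare-euer-blog-service` although `name` is `bgt_cyberwar_hidden_service`, which looks like a leftover from the module this was copied from and will confuse anyone reading the journal. Since `hn` is read at evaluation time the onion address becomes part of the store path, which is acceptable for a public hostname; the key material in `secdir` is only touched by the `cp -r` at activation time, which is the right side of that line.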
@@ -0,0 +1,41 @@ +{ pkgs, lib, ... }: + +with lib; +let + port = 3001; + runit = pkgs.writeDash "runit" '' + set -xeuf + PATH=${pkgs.curl}/bin:${pkgs.coreutils}/bin + name=''${1?must provide name as first arg} + state=''${2?must provide state as second arg} + # val=''${3?must provide val as third arg} + + # we ignore non-alerting events + test $state = alerting || exit 0 + + echo $name - $state + curl 'http://bauarbeiterlampe/ay?o=1' + sleep 5 + curl 'http://bauarbeiterlampe/ay?o=1' + ''; +in { + services.logstash = { + package = pkgs.logstash5; + enable = true; + inputConfig = '' + http { + port => ${toString port} + host => "127.0.0.1" + } + ''; + filterConfig = '' + ''; + outputConfig = '' + stdout { codec => json } + exec { command => "${runit} '%{ruleName}' '%{state}'" } + ''; + extraSettings = '' + path.plugins: [ "${pkgs.logstash-output-exec}" ] + ''; + }; +} diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix index 4c17a1d50..292b6679d 100644 --- a/makefu/2configs/deployment/led-fader.nix +++ b/makefu/2configs/deployment/led-fader.nix 
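Review bot: The `exec` output builds a shell command by interpolating event fields, `exec { command => "${runit} '%{ruleName}' '%{state}'" }`, so a `ruleName` or `state` value containing a single quote leaves the quoted argument and the remainder runs as shell on the host; the HTTP input is bound to `127.0.0.1`, which limits who can post events, but anything local or proxied to port 3001 controls those fields. The `filterConfig` is empty — a filter that drops events whose `ruleName` and `state` do not match a strict allow-list pattern, or one that restricts `state` to the single expected value, belongs before the shell command is formed; the script's own `test $state = alerting` runs too late for that. Inside `runit`, `echo $name - $state` and `test $state = alerting` are unquoted, so a value with spaces trips `test` with a "too many arguments" error under `set -e`; `test "$state" = alerting` is the cheap fix.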
@@ -1,27 +1,25 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, buildPythonPackage, ... }: -with import <stockholm/lib>; let mq = "192.168.8.11"; - pkg = pkgs.stdenv.mkDerivation { + pkg = pkgs.python3Packages.buildPythonPackage { name = "ampel-master"; + src = pkgs.fetchgit { url = "http://cgit.euer.krebsco.de/ampel"; - rev = "07a6791de368e16cc0864d2676fd255eba522cee"; - sha256 = "1jxjapvkfglvgapy7gjbr1nra3ay418nvz70bvypcmv7wc8d4h8q"; + rev = "531741b"; + sha256 = "110yij53jz074zbswylbzcd8jy7z49r9fg6i3j1gk2y3vl91g81c"; }; - buildInputs = [ - (pkgs.python35.withPackages (pythonPackages: with pythonPackages; [ + propagatedBuildInputs = with pkgs.python3Packages; [ docopt paho-mqtt - ])) + requests + pytz + influxdb + httplib2 + google_api_python_client ]; - installPhase = '' - install -m755 -D fade.py $out/bin/fade.py - install -m755 -D ampel.py $out/bin/ampel - install -m755 -D times.json $out/share/times.json - ''; }; in { systemd.services.led-fader = { @@ -34,7 +32,9 @@ in { serviceConfig = { # User = "nobody"; # need a user with permissions to run nix-shell ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2"; - ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; + ExecStart = "${pkg}/bin/ampel 4"; + Restart = "always"; + RestartSec = 10; PrivateTmp = true; }; }; diff --git a/makefu/2configs/deployment/scrape/default.nix b/makefu/2configs/deployment/scrape/default.nix new file mode 100644 index 000000000..c7a5b5c14 --- /dev/null +++ b/makefu/2configs/deployment/scrape/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./elkstack.nix + ./selenium.nix + ]; +} diff --git a/makefu/2configs/deployment/scrape/selenium.nix b/makefu/2configs/deployment/scrape/selenium.nix new file mode 100644 index 000000000..d700259ba --- /dev/null +++ b/makefu/2configs/deployment/scrape/selenium.nix 
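Review bot: `{ config, lib, pkgs, buildPythonPackage, ... }:` adds `buildPythonPackage` as a module argument, but the body never uses it (it calls `pkgs.python3Packages.buildPythonPackage`), and NixOS supplies only the standard module arguments unless something defines `_module.args.buildPythonPackage`, so this module is likely to fail evaluation with a missing-argument error. Suggested line: `{ config, lib, pkgs, ... }:`. Dropping `with import <stockholm/lib>;` is fine only if nothing below the hunk relied on it; the second hunk (`ExecStart`, `Restart`, `RestartSec`) shows no such use, but the rest of the file is outside the hunks.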
@@ -0,0 +1,65 @@ +{config, pkgs, lib, ...}: +with <stockholm/lib>; +let + selenium-pw = <secrets/selenium-vncpasswd>; +in { + services.jenkinsSlave.enable = true; + users.users.selenium = { + uid = genid "selenium"; + extraGroups = [ "plugdev" ]; + }; + + fonts.enableFontDir = true; + + # networking.firewall.allowedTCPPorts = [ 5910 ]; + + systemd.services.selenium-X11 = + { + description = "X11 vnc for selenium"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.xorg.xorgserver pkgs.tightvnc pkgs.dwm ]; + environment = + { + DISPLAY = ":10"; + }; + script = '' + set -ex + [ -e /tmp/.X10-lock ] && ( set +e ; chmod u+w /tmp/.X10-lock ; rm /tmp/.X10-lock ) + [ -e /tmp/.X11-unix/X10 ] && ( set +e ; chmod u+w /tmp/.X11-unix/X10 ; rm /tmp/.X11-unix/X10 ) + mkdir -p ~/.vnc + cp -f ${selenium-pw} ~/.vnc/passwd + chmod go-rwx ~/.vnc/passwd + echo > ~/.vnc/xstartup + chmod u+x ~/.vnc/xstartup + vncserver $DISPLAY -geometry 1280x1024 -depth 24 -name jenkins -ac + dwm + ''; + preStop = '' + vncserver -kill $DISPLAY + ''; + serviceConfig = { + User = "selenium"; + }; + }; + + systemd.services.selenium-server = + { + description = "selenium-server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "selenium-X11.s |