diff options
35 files changed, 546 insertions, 106 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 772d96009..ecf549df9 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -574,6 +574,47 @@ with import <stockholm/lib>; }; }; }; + xerxes = { + cores = 2; + nets = rec { + retiolum = { + ip4.addr = "10.243.1.3"; + ip6.addr = "42::1:3"; + aliases = [ + "xerxes.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U + MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk + gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W + /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb + mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO + X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj + +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim + hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 + 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 + H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 + JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 + hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe + SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo + 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe + vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 + Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO + scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv + jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ + Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u + /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 + bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ + sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; + }; }; users = { lass = { @@ -602,6 +643,10 @@ with import <stockholm/lib>; mail = "lass@icarus.r"; pubkey = builtins.readFile ./ssh/icarus.rsa; }; + lass-xerxes = { + mail = "lass@xerxes.r"; + pubkey = builtins.readFile ./ssh/xerxes.rsa; + }; fritz = { pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540"; }; @@ -622,5 +667,8 @@ with import <stockholm/lib>; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"; mail = "joerg@higgsboson.tk"; }; + jeschli = { + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01"; + }; }; } diff --git a/krebs/3modules/lass/ssh/xerxes.rsa b/krebs/3modules/lass/ssh/xerxes.rsa new file mode 100644 index 000000000..2b5da7b25 --- /dev/null +++ b/krebs/3modules/lass/ssh/xerxes.rsa @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 080b8fced..9f1842b88 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -107,7 +107,7 @@ with import <stockholm/lib>; ci = true; cores = 1; ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte"; + # ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte"; nets = { internet = { ip4.addr = "185.215.224.160"; @@ -500,7 +500,7 @@ with import <stockholm/lib>; }; retiolum = { ip4.addr = "10.243.214.15"; - ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; + # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; aliases = [ "wbob.r" ]; diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index fee43f8cd..ad133802f 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -179,7 +179,7 @@ with import <stockholm/lib>; echo 'secrets are crypted' >&2 exit 23 else - exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"' + exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"' fi ''; predeploy = pkgs.writeDash "predeploy" '' diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b18abf509..87270b8b8 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -287,6 +287,15 @@ in { } <stockholm/krebs/2configs/reaktor-krebs.nix> <stockholm/lass/2configs/dcso-dev.nix> + { + krebs.git.rules = [ + { + user = [ config.krebs.users.jeschli ]; + repo = [ config.krebs.git.repos.stockholm ]; + perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ]; + } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix new file mode 100644 index 000000000..0669748f5 --- /dev/null +++ b/lass/1systems/xerxes/config.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/hw/gpd-pocket.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/exim-retiolum.nix> + <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/browsers.nix> + <stockholm/lass/2configs/programs.nix> + <stockholm/lass/2configs/fetchWallpaper.nix> + ]; + + krebs.build.host = config.krebs.hosts.xerxes; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" + ''; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/16C8-D053"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; + networking.wireless.enable = true; +} diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix new file mode 100644 index 000000000..11f5bf796 --- /dev/null +++ b/lass/1systems/xerxes/source.nix @@ -0,0 +1,11 @@ +with import <stockholm/lib>; +import <stockholm/lass/source.nix> { + name = "xerxes"; + secure = true; + override = { + nixpkgs.git = mkForce { + url = https://github.com/lassulus/nixpkgs; + ref = "3eccd0b"; + }; + }; +} diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index f8b750093..0e00dc2fd 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -22,6 +22,7 @@ with import <stockholm/lib>; config.krebs.users.lass.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey + config.krebs.users.lass-xerxes.pubkey ]; }; mainUser = { diff --git a/lass/2configs/hw/gpd-pocket.nix b/lass/2configs/hw/gpd-pocket.nix new file mode 100644 index 000000000..193c12c13 --- /dev/null +++ b/lass/2configs/hw/gpd-pocket.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: + +let + dummy_firmware = pkgs.writeTextFile { + name = "brcmfmac4356-pcie.txt"; + text = builtins.readFile ./brcmfmac4356-pcie.txt; + destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt"; + }; +in { + #imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + hardware.firmware = [ dummy_firmware ]; + hardware.enableRedistributableFirmware = true; + + boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ]; + boot.kernelPackages = pkgs.linuxPackages_4_14; + boot.kernelParams = [ + "fbcon=rotate:1" + ]; + services.tlp.enable = true; + services.xserver.displayManager.sessionCommands = '' + (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right) + (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1) + ''; + services.xserver.dpi = 200; + fonts.fontconfig.dpi = 200; + lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola"; + lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola"; + lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol"; +} diff --git a/lass/source.nix b/lass/source.nix index 292b92a9e..b60a6cb6c 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "f9390d6"; + ref = "b4a0c01"; }; secrets.file = getAttr builder { buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>; diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 98d5d2988..b66ef1ab8 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -46,7 +46,7 @@ in { # services <stockholm/makefu/2configs/share/gum.nix> - <stockholm/makefu/2configs/sabnzbd.nix> + # <stockholm/makefu/2configs/sabnzbd.nix> <stockholm/makefu/2configs/torrent.nix> <stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/vpn/openvpn-server.nix> @@ -65,6 +65,8 @@ in { <stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix> + <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> + { services.taskserver.enable = true; services.taskserver.fqdn = config.krebs.build.host.name; @@ -84,13 +86,40 @@ in { # Temporary: # <stockholm/makefu/2configs/temp/rst-issue.nix> + <stockholm/makefu/2configs/virtualisation/docker.nix> + + #{ + # services.dockerRegistry.enable = true; + # networking.firewall.allowedTCPPorts = [ 8443 ]; + + # services.nginx.virtualHosts."euer.krebsco.de" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = '' + # client_max_body_size 1000M; + # ''; + # locations."/".proxyPass = "http://localhost:5000"; + # }; + #} + { # wireguard server + networking.firewall.allowedUDPPorts = [ 51820 ]; + #networking.wireguard.interfaces.wg0 = { + # ips = [ "10.244.0.1/24" ]; + # privateKeyFile = (toString <secrets>) + "/wireguard.key"; + # allowedIPsAsRoutes = true; + # peers = [{ + # allowedIPs = [ "0.0.0.0/0" "::/0" ]; + # publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; + # }]; + #}; + } ]; makefu.dl-dir = "/var/download"; services.openssh.hostKeys = [ - { bits = 4096; path = <secrets/ssh_host_rsa_key>; type = "rsa"; } - { path = <secrets/ssh_host_ed25519_key>; type = "ed25519"; } ]; + { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; } + { path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ]; ###### stable services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 1d157460b..4af87dc10 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -61,6 +61,7 @@ in { # logs to influx <stockholm/makefu/2configs/stats/external/aralast.nix> <stockholm/makefu/2configs/stats/telegraf> + <stockholm/makefu/2configs/stats/telegraf/europastats.nix> # services <stockholm/makefu/2configs/syncthing.nix> diff --git a/makefu/1systems/tsp/config.nix b/makefu/1systems/tsp/config.nix index 7b751e514..680fa2cbc 100644 --- a/makefu/1systems/tsp/config.nix +++ b/makefu/1systems/tsp/config.nix @@ -32,6 +32,8 @@ # acer aspire networking.wireless.enable = lib.mkDefault true; + services.xserver.synaptics.enable = true; + hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index ac51fd9ca..c30ee4c58 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -3,6 +3,7 @@ let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F"; user = config.makefu.gui.user; + primaryIP = "192.168.8.11"; in { imports = @@ -10,16 +11,18 @@ in { <stockholm/makefu> <stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/tools/core.nix> - <stockholm/makefu/2configs/tools/core-gui.nix> - <stockholm/makefu/2configs/tools/extra-gui.nix> - <stockholm/makefu/2configs/tools/media.nix> + <stockholm/makefu/2configs/disable_v6.nix> + # <stockholm/makefu/2configs/tools/core-gui.nix> + # <stockholm/makefu/2configs/tools/extra-gui.nix> + # <stockholm/makefu/2configs/tools/media.nix> <stockholm/makefu/2configs/virtualisation/libvirt.nix> <stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/mqtt.nix> - <stockholm/makefu/2configs/deployment/led-fader.nix> # <stockholm/makefu/2configs/gui/wbob-kiosk.nix> + <stockholm/makefu/2configs/stats/client.nix> + # <stockholm/makefu/2configs/gui/studio-virtual.nix> # <stockholm/makefu/2configs/audio/jack-on-pulse.nix> # <stockholm/makefu/2configs/audio/realtime-audio.nix> @@ -27,6 +30,41 @@ in { # Services <stockholm/makefu/2configs/remote-build/slave.nix> + <stockholm/makefu/2configs/share/wbob.nix> + + <stockholm/makefu/2configs/stats/telegraf> + <stockholm/makefu/2configs/deployment/led-fader.nix> + <stockholm/makefu/2configs/stats/external/aralast.nix> + <stockholm/makefu/2configs/stats/telegraf/airsensor.nix> + <stockholm/makefu/2configs/deployment/bureautomation> + (let + collectd-port = 25826; + influx-port = 8086; + grafana-port = 3000; # TODO nginx forward + db = "collectd_db"; + logging-interface = "enp0s25"; + in { + services.grafana.enable = true; + services.grafana.addr = "0.0.0.0"; + + services.influxdb.enable = true; + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":${toString influx-port}"; + admin.bind-address = ":8083"; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = db; + bind-address = ":${toString collectd-port}"; + }]; + }; + + networking.firewall.extraCommands = '' + iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT + ''; + }) # temporary # <stockholm/makefu/2configs/temp/rst-issue.nix> diff --git a/makefu/1systems/wbob/source.nix b/makefu/1systems/wbob/source.nix index 6f079d712..b768aa87d 100644 --- a/makefu/1systems/wbob/source.nix +++ b/makefu/1systems/wbob/source.nix @@ -1,4 +1,4 @@ import <stockholm/makefu/source.nix> { name="wbob"; - musnix = true; + # musnix = true; } diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/deployment/bgt/hidden_service.nix new file mode 100644 index 000000000..c1a31b8dc --- /dev/null +++ b/makefu/2configs/deployment/bgt/hidden_service.nix @@ -0,0 +1,48 @@ +{ pkgs, lib, ... }: + +with lib; +let + name = "bgt_cyberwar_hidden_service"; + sec = (toString <secrets>) + "/"; + secdir = sec + name; + srvdir = "/var/lib/tor/onion/"; + basedir = srvdir + name; + hn = builtins.readFile (secdir + "/hostname"); +in +{ + systemd.services.prepare-hidden-service = { + wantedBy = [ "local-fs.target" ]; + before = [ "tor.service" ]; + serviceConfig = { + ExecStart = pkgs.writeScript "prepare-euer-blog-service" '' + #!/bin/sh + set -euf + if ! test -d "${basedir}" ;then + mkdir -p "${srvdir}" + cp -r "${secdir}" "${srvdir}" + chown -R tor:tor "${srvdir}" + chmod -R 700 "${basedir}" + else + echo "not overwriting ${basedir}" + fi + ''; + Type = "oneshot"; + RemainAfterExit = "yes"; + TimeoutSec = "0"; + }; + }; + services.nginx.virtualHosts."${hn}".locations."/" = { + proxyPass = "https://blog.binaergewitter.de"; + extraConfig = '' + proxy_set_header Host blog.binaergewitter.de; + proxy_ssl_server_name on; + ''; + }; + services.tor = { + enable = true; + hiddenServices."${name}".map = [ + { port = "80"; } + # { port = "443"; toHost = "blog.binaergewitter.de"; } + ]; + }; +} diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/deployment/bureautomation/default.nix new file mode 100644 index 000000000..3897537ea --- /dev/null +++ b/makefu/2configs/deployment/bureautomation/default.nix @@ -0,0 +1,41 @@ +{ pkgs, lib, ... }: + +with lib; +let + port = 3001; + runit = pkgs.writeDash "runit" '' + set -xeuf + PATH=${pkgs.curl}/bin:${pkgs.coreutils}/bin + name=''${1?must provide name as first arg} + state=''${2?must provide state as second arg} + # val=''${3?must provide val as third arg} + + # we ignore non-alerting events + test $state = alerting || exit 0 + + echo $name - $state + curl 'http://bauarbeiterlampe/ay?o=1' + sleep 5 + curl 'http://bauarbeiterlampe/ay?o=1' + ''; +in { + services.logstash = { + package = pkgs.logstash5; + enable = true; + inputConfig = '' + http { + port => ${toString port} + host => "127.0.0.1" + } + ''; + filterConfig = '' + ''; + outputConfig = '' + stdout { codec => json } + exec { command => "${runit} '%{ruleName}' '%{state}'" } + ''; + extraSettings = '' + path.plugins: [ "${pkgs.logstash-output-exec}" ] + ''; + }; +} diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix index 4c17a1d50..292b6679d 100644 --- a/makefu/2configs/deployment/led-fader.nix +++ b/makefu/2configs/deployment/led-fader.nix @@ -1,27 +1,25 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, buildPythonPackage, ... }: -with import <stockholm/lib>; let mq = "192.168.8.11"; - pkg = pkgs.stdenv.mkDerivation { + pkg = pkgs.python3Packages.buildPythonPackage { name = "ampel-master"; + src = pkgs.fetchgit { url = "http://cgit.euer.krebsco.de/ampel"; - rev = "07a6791de368e16cc0864d2676fd255eba522cee"; - sha256 = "1jxjapvkfglvgapy7gjbr1nra3ay418nvz70bvypcmv7wc8d4h8q"; + rev = "531741b"; + sha256 = "110yij53jz074zbswylbzcd8jy7z49r9fg6i3j1gk2y3vl91g81c"; }; - buildInputs = [ - (pkgs.python35.withPackages (pythonPackages: with pythonPackages; [ + propagatedBuildInputs = with pkgs.python3Packages; [ docopt paho-mqtt - ])) + requests + pytz + influxdb + httplib2 + google_api_python_client ]; - installPhase = '' - install -m755 -D fade.py $out/bin/fade.py - install -m755 -D ampel.py $out/bin/ampel - install -m755 -D times.json $out/share/times.json - ''; }; in { systemd.services.led-fader = { @@ -34,7 +32,9 @@ in { serviceConfig = { # User = "nobody"; # need a user with permissions to run nix-shell ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2"; - ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; + ExecStart = "${pkg}/bin/ampel 4"; + Restart = "always"; + RestartSec = 10; PrivateTmp = true; }; }; diff --git a/makefu/2configs/deployment/scrape/default.nix b/makefu/2configs/deployment/scrape/default.nix new file mode 100644 index 000000000..c7a5b5c14 --- /dev/null +++ b/makefu/2configs/deployment/scrape/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./elkstack.nix + ./selenium.nix + ]; +} diff --git a/makefu/2configs/deployment/scrape/selenium.nix b/makefu/2configs/deployment/scrape/selenium.nix new file mode 100644 index 000000000..d700259ba --- /dev/null +++ b/makefu/2configs/deployment/scrape/selenium.nix @@ -0,0 +1,65 @@ +{config, pkgs, lib, ...}: +with <stockholm/lib>; +let + selenium-pw = <secrets/selenium-vncpasswd>; +in { + services.jenkinsSlave.enable = true; + users.users.selenium = { + uid = genid "selenium"; + extraGroups = [ "plugdev" ]; + }; + + fonts.enableFontDir = true; + + # networking.firewall.allowedTCPPorts = [ 5910 ]; + + systemd.services.selenium-X11 = + { + description = "X11 vnc for selenium"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.xorg.xorgserver pkgs.tightvnc pkgs.dwm ]; + environment = + { + DISPLAY = ":10"; + }; + script = '' + set -ex + [ -e /tmp/.X10-lock ] && ( set +e ; chmod u+w /tmp/.X10-lock ; rm /tmp/.X10-lock ) + [ -e /tmp/.X11-unix/X10 ] && ( set +e ; chmod u+w /tmp/.X11-unix/X10 ; rm /tmp/.X11-unix/X10 ) + mkdir -p ~/.vnc + cp -f ${selenium-pw} ~/.vnc/passwd + chmod go-rwx ~/.vnc/passwd + echo > ~/.vnc/xstartup + chmod u+x ~/.vnc/xstartup + vncserver $DISPLAY -geometry 1280x1024 -depth 24 -name jenkins -ac + dwm + ''; + preStop = '' + vncserver -kill $DISPLAY + ''; + serviceConfig = { + User = "selenium"; + }; + }; + + systemd.services.selenium-server = + { + description = "selenium-server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "selenium-X11.s |