diff options
38 files changed, 431 insertions, 129 deletions
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index 5dde50ea4..bd17c3765 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -3,8 +3,15 @@ with config.krebs.lib; let - buildbot = pkgs.buildbot; - buildbot-master-config = pkgs.writePython2 "buildbot-master.cfg" '' + # https://github.com/NixOS/nixpkgs/issues/14026 + nixpkgs-fix = import (pkgs.fetchgit { + url = https://github.com/nixos/nixpkgs; + rev = "e026b5c243ea39810826e68362718f5d703fb5d0"; + sha256 = "87e0724910a6df0371f883f99a8cf42e366fb4119f676f6f74ffb404beca2632"; + }) {}; + + buildbot = nixpkgs-fix.buildbot; + buildbot-master-config = pkgs.writeText "buildbot-master.cfg" '' # -*- python -*- from buildbot.plugins import * import re diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index f5190b6ba..e79e54aa6 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -374,8 +374,8 @@ with config.krebs.lib; ''; }; }; - #ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBGboU/P00yYiwYje53G0oqDFWmcSJ+hIpMsl4f/HH"; }; wbob = rec { cores = 1; @@ -512,6 +512,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; }; + sdev = rec { + cores = 1; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtm6ETzNgLcXNkrKs2VUEiGsTKBmOFpW2fazbzdUfOg sdev"; + nets = { + retiolum = { + ip4.addr = "10.243.83.237"; + ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101"; + aliases = [ + "sdev.retiolum" + "sdev.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA8BwHwQ4pLZpskVnQONJsmzRPll4ZKMjAC56sY5p+GfT9ZBMkVDn+ + LeH9wuTRiX/ehgtBiyu8w37cz62hz/71H+3mnWJlTm9bbBTc5N0y8l9b+YYeExW4 + XPm4bUbJWKNRG9tHQAns/OREYDsHLsY6UoyNFmB0wTDpgs7egDCoe7E2eT+pG428 + ysCDYlaZaigOyW+bj/HFLj8FSfpF5C/ug7NE/D7QocadsRUiLtVYrJsfmT+KHWf+ + f5rLWLvuFiz1SWf7wZ9sICF3RCaC9Qhz7zplgHbvwbOHtF+Z/6DxduRMkggZUsUD + nm+40Ex1XJTe+s4V4GKLgh/fDKBTS6JwewIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + # non-stockholm diff --git a/krebs/5pkgs/go/default.nix b/krebs/5pkgs/go/default.nix index fb8b65ea1..2871e5a99 100644 --- a/krebs/5pkgs/go/default.nix +++ b/krebs/5pkgs/go/default.nix @@ -1,9 +1,9 @@ -{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }: +{ stdenv, makeWrapper, callPackage, lib, buildEnv, fetchgit, nodePackages, nodejs }: with lib; let - np = nodePackages.override { + np = (callPackage <nixpkgs/pkgs/top-level/node-packages.nix>) { generated = ./packages.nix; self = np; }; @@ -18,7 +18,7 @@ let ignoreCollisions = true; }; -in nodePackages.buildNodePackage { +in np.buildNodePackage { name = "go"; src = fetchgit { diff --git a/krebs/5pkgs/haskell-overrides/megaparsec.nix b/krebs/5pkgs/haskell-overrides/megaparsec.nix deleted file mode 100644 index 5ade6006e..000000000 --- a/krebs/5pkgs/haskell-overrides/megaparsec.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ mkDerivation, base, bytestring, fetchzip, HUnit, mtl, QuickCheck -, stdenv, test-framework, test-framework-hunit -, test-framework-quickcheck2, text, transformers -}: -mkDerivation { - pname = "megaparsec"; - version = "4.1.0"; - src = fetchzip { - url = "https://hackage.haskell.org/package/megaparsec-4.1.0/megaparsec-4.1.0.tar.gz"; - sha256 = "1a1ka53a3r91lwnlvzaa8nyk1dxvfd1ij1i5x5vp83q2r9z9dcmi"; - }; - libraryHaskellDepends = [ base bytestring mtl text transformers ]; - testHaskellDepends = [ - base HUnit mtl QuickCheck test-framework test-framework-hunit - test-framework-quickcheck2 transformers - ]; - homepage = "https://github.com/mrkkrp/megaparsec"; - description = "Monadic parser combinators"; - license = stdenv.lib.licenses.bsd3; -} diff --git a/krebs/5pkgs/newsbot-js/default.nix b/krebs/5pkgs/newsbot-js/default.nix index 9e4a51306..b52454ca4 100644 --- a/krebs/5pkgs/newsbot-js/default.nix +++ b/krebs/5pkgs/newsbot-js/default.nix @@ -1,9 +1,9 @@ -{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }: +{ stdenv, makeWrapper, callPackage, lib, buildEnv, fetchgit, nodePackages, nodejs }: with lib; let - np = nodePackages.override { + np = (callPackage <nixpkgs/pkgs/top-level/node-packages.nix>) { generated = ./packages.nix; self = np; }; @@ -21,7 +21,7 @@ let ignoreCollisions = true; }; -in nodePackages.buildNodePackage { +in np.buildNodePackage { name = "newsbot-js"; src = fetchgit { diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 51d106b5e..8b4f1d7a2 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -25,26 +25,6 @@ in { ../2configs/binary-cache/server.nix ../2configs/iodined.nix { - imports = [ - ../2configs/git.nix - ]; - krebs.nginx.servers.cgit = { - server-names = [ - "cgit.lassul.us" - ]; - locations = [ - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/cgit.lassul.us/; - '') - ]; - ssl = { - enable = true; - certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem"; - }; - }; - } - { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) @@ -164,7 +144,6 @@ in { users.users.chat.openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHF9tijlMoEevRZCG1AggukxWggfxPHUwg6Ye113ODG6PZ2m98oSmnsjixDy4GfIJjy+8HBbkwS6iH+fsNk86QtAgFNMjBl+9YvEzNRBzcyCqdOkZFvvZvV2oYA7I15il4ln62PDPKjEIS3YPhZPSwc6GhrlsFTnIG56NF/93IhF7R/FA== JuiceSSH" config.krebs.users.lass-uriel.pubkey - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQ8DJhHAqmdrB2+qkV/OuKjR4QDXUww2TWItyDrs+/6F58WacMozgaZr2goA5JQJ5d19nC3LzYb4yLGguADsp987I6cAu5iXPT5PHKc0eRWDN+AGlpTgUtN1BvVrnJZaUJrR9WlHhFYlkOkzAsB15fKYciVWsyxBCVZ+3oiTEjs2L/sfbrgailWqHIUWDftUnJx8EFmSUVZ2GZWklMcgBo0FJD1i0x5u2dQGguNY+28DzQmKgUMS+xD/uUZvrFIWr9I6CBqhsuHJo8n85BT3B3QdG8ARLt5FKPr5L3My6UjlxOkKrDNLjJFjERFCsuIxnrO3tQhvKXQYlOyskHokocYSdcIq8svghJLA3kmRYIjHjZ4y1BNENsk79WyYNMAi5y+A0Evmu+g3ks/DiW3vI/Sw/D3Uc7ilbImpaoL5qUC4+WZM3J2b3Z1AU5D1QiojpKkB9Qt1bokCm8hrRCG9ZDKqAD6IqmI1ARRjfgA4zKwKUhmMqG4p55YGGVf9OeK0rXgX0Z2InyFXeBaU2aBcDfdKD/65w5MnC9CsJnjELdd4r9u2ugTPExzOo3WUlNuOTB1WoZ8CiY2OVGle/E/MzKUDfGuIFhUsFeX0YcLHPbo+mesISNUPaeadSuMuHE8W4FOeEq51toBo/gkxgjtqqWMOd9SxnDQTMBKq3L/w7nEQ== lass@mors" ]; } { @@ -174,6 +153,7 @@ in { imports = [ ../2configs/websites/wohnprojekt-rhh.de.nix ../2configs/websites/domsen.nix + ../2configs/websites/lassulus.nix ]; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport http"; target = "ACCEPT"; } @@ -186,34 +166,6 @@ in { }; } { - security.acme = { - certs."lassul.us" = { - email = "lass@lassul.us"; - webroot = "/var/lib/acme/challenges/lassul.us"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - "full.pem" - ]; - allowKeysForGroup = true; - group = "lasscert"; - }; - }; - users.groups.lasscert.members = [ - "dovecot2" - "ejabberd" - "exim" - "nginx" - ]; - krebs.nginx.servers."lassul.us" = { - server-names = [ "lassul.us" ]; - locations = [ - (lib.nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/lassul.us/; - '') - ]; - }; lass.ejabberd = { enable = true; hosts = [ "lassul.us" ]; diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index aa5286ae0..e1417c83d 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -9,6 +9,7 @@ with config.krebs.lib; ../2configs/exim-retiolum.nix { # locke config + i18n.defaultLocale ="de_DE.UTF-8"; time.timeZone = "Europe/Berlin"; services.xserver.enable = true; users.users.locke = { @@ -28,6 +29,7 @@ with config.krebs.lib; systemWide = true; }; environment.systemPackages = with pkgs; [ + pavucontrol firefox hexchat networkmanagerapplet @@ -51,8 +53,8 @@ with config.krebs.lib; #loader.grub.version = 2; #loader.grub.device = "/dev/sda"; - loader.gummiboot.enable = true; - loader.gummiboot.timeout = 5; + loader.systemd-boot.enable = true; + loader.timeout = 5; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 2649ecab9..4b05e3296 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -49,6 +49,8 @@ in { mpv-poll yt-next + + youtube-tools #window manager stuff #haskellPackages.xmobar #haskellPackages.yeganesh diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 2fc3d3732..628fdf61f 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -172,7 +172,6 @@ in { "hashPassword", "haskellPackages.blessings", "haskellPackages.email-header", - "haskellPackages.megaparsec", "haskellPackages.scanner", "haskellPackages.xmonad-stockholm", "krebspaste", diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 00a3612fd..3ed8be77f 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -29,6 +29,8 @@ with config.krebs.lib; { from = "finanzamt@lassul.us"; to = lass.mail; } { from = "netzclub@lassul.us"; to = lass.mail; } { from = "nebenan@lassul.us"; to = lass.mail; } + { from = "feed@lassul.us"; to = lass.mail; } + { from = "art@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 6e9138b61..73c96e876 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "354fd3728952c229fee4f2924737c601d7ab4725"; + ref = "b8ede35d2efa96490857c22c751e75d600bea44f"; }; } diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index 027f31fe0..eae583a84 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -92,6 +92,7 @@ in { (sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger") (sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") + (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-retiolum "go") (sync-retiolum "much") diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e05f40d97..3a3e60d39 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -191,7 +191,7 @@ in { server_set_id = $auth1 ''; internet-aliases = [ - { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } + { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } { from = "testuser@lassul.us"; to = "testuser"; } ]; diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix new file mode 100644 index 000000000..04c19fad0 --- /dev/null +++ b/lass/2configs/websites/lassulus.nix @@ -0,0 +1,91 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) + genid + ; + +in { + imports = [ + ../git.nix + ]; + + security.acme = { + certs."lassul.us" = { + email = "lass@lassul.us"; + webroot = "/var/lib/acme/challenges/lassul.us"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + "full.pem" + ]; + allowKeysForGroup = true; + group = "lasscert"; + }; + certs."cgit.lassul.us" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/cgit.lassul.us"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + }; + }; + + users.groups.lasscert.members = [ + "dovecot2" + "ejabberd" + "exim" + "nginx" + ]; + + krebs.nginx.servers."lassul.us" = { + server-names = [ "lassul.us" ]; + locations = [ + (nameValuePair "/" '' + root /srv/http/lassul.us; + '') + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/lassul.us/; + '') + ]; + ssl = { + enable = true; + certificate = "/var/lib/acme/lassul.us/fullchain.pem"; + certificate_key = "/var/lib/acme/lassul.us/key.pem"; + }; + }; + + krebs.nginx.servers.cgit = { + server-names = [ + "cgit.lassul.us" + ]; + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/cgit.lassul.us/; + '') + ]; + ssl = { + enable = true; + certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; + certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem"; + }; + }; + + users.users.blog = { + uid = genid "blog"; + description = "lassul.us blog deployment"; + home = "/srv/http/lassul.us"; + useDefaultShell = true; + createHome = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; +} + diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index 4037f693d..0fabf6d93 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -24,7 +24,9 @@ in { ../2configs/fs/single-partition-ext4.nix ../2configs/smart-monitor.nix ../2configs/tinc/retiolum.nix + ../2configs/filepimp-share.nix ]; + krebs.build.host = config.krebs.hosts.filepimp; # AMD N54L boot = { @@ -76,6 +78,9 @@ in { (xfsmount "j2" (part1 jDisk2)) // (xfsmount "par0" (part1 jDisk3)) ; + + networking.firewall.trustedInterfaces = [ primary-interface ]; + services.wakeonlan.interfaces = [ { interface = primary-interface; diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 401ec6093..20731c847 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -22,6 +22,7 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ../2configs/torrent.nix + ../2configs/graphite-standalone.nix ../2configs/sabnzbd.nix ../2configs/opentracker.nix diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 71fb85ff6..2e09e345e 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -44,6 +44,7 @@ in { ../2configs/fs/sda-crypto-root.nix ../2configs/zsh-user.nix ../2configs/urlwatch.nix + ../2configs/backup.nix ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index ff176edd9..184f74147 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -55,6 +55,10 @@ in { # rt2870 with nonfree creates wlp2s0 from wlp0s20u2 # not explicitly setting the interface results in wpa_supplicant to crash networking.wireless.interfaces = [ "wlp2s0" ]; + networking.interfaces.virbr1.ip4 = [{ + address = "10.8.8.11"; + prefixLength = 24; + }]; # nuc hardware diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 81cd362e6..238b740a6 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -16,13 +16,15 @@ in { ../2configs/bepasty-dual.nix ../2configs/iodined.nix - + ../2configs/backup.nix # other nginx ../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.blog.nix ../2configs/nginx/euer.test.nix + #../2configs/elchos/stats.nix + # collectd # ../2configs/collectd/collectd-base.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index 0243856ab..00eca87c4 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -63,11 +63,10 @@ # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 ]; + networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ]; networking.firewall.allowedUDPPorts = [ 665 26061 ]; krebs.build.host = config.krebs.hosts.x; - krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix index 6f79ed4f4..57fd7a64d 100644 --- a/makefu/2configs/backup.nix +++ b/makefu/2configs/backup.nix @@ -1,6 +1,10 @@ { config, lib, ... }: with config.krebs.lib; let + # preparation: + # mkdir -p defaultBackupDir/host.name/src + # as root on omo: + # ssh-copy-id root@src startAt = "0,6,12,18:00"; defaultBackupServer = config.krebs.hosts.omo; defaultBackupDir = "/home/backup"; @@ -12,7 +16,7 @@ let }; dst = { host = defaultBackupServer; - path = defaultBackupDir + src; + path = "${defaultBackupDir}/${host.name}${src}"; }; startAt = "0,6,12,18:00"; snapshots = { @@ -25,6 +29,6 @@ let }; in { krebs.backup.plans = { - wry-to-omo_var-www = defaultPull wry "/var/www"; + wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/"; }; } diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index b039c12ca..cbc3efbac 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -82,7 +82,6 @@ in URxvt.perl-ext: default,url-select URxvt.keysym.M-u: perl:url-select:select_next - #URxvt.url-select.launcher: firefox -new-tab URxvt.url-select.launcher: chromium URxvt.url-select.underline: true URxvt.searchable-scrollback: CM-s diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index a7c2a983e..56a87d7af 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -21,10 +21,13 @@ with config.krebs.lib; search-domain = "retiolum"; build = { user = config.krebs.users.makefu; - source = let inherit (config.krebs.build) host user; in { + source = let + inherit (config.krebs.build) host user; + ref = "b8ede35"; # stable @ 2016-10-19 + in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then - { # stable @ 2016-07-20 - git = { url = https://github.com/nixos/nixpkgs; ref = "125ffff"; }; + { + git = { url = https://github.com/nixos/nixpkgs; inherit ref; }; } else # TODO use http, once it is implemented @@ -32,7 +35,7 @@ with config.krebs.lib; ## prepare so we do not have to wait for rsync: ## cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/125ffff -L | tar zx && mv NixOS-nixpkgs-125ffff nixpkgs - { file = "/home/makefu/store/125ffff";}; + { file = "/home/makefu/store/${ref}";}; secrets.file = if getEnv "dummy_secrets" == "true" then toString <stockholm/makefu/6tests/data/secrets> diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix new file mode 100644 index 000000000..0282b04cf --- /dev/null +++ b/makefu/2configs/elchos/stats.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with config.krebs.lib; +let + sec = toString <secrets>; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "stats.nsupdate.info"; + #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + #ssl_key = "${sec}/wildcard.krebsco.de.key"; + ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; + ssl_key = "${acmepath}/${ext-dom}/key.pem"; +in { + networking.firewall = { + allowedTCPPorts = [ 2003 80 443 ]; + allowedUDPPorts = [ 2003 ]; + }; + + services.grafana = { + enable = true; + addr = "127.0.0.1"; + extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; }; + users.allowSignUp = false; + users.allowOrgCreate = false; + users.autoAssignOrg = false; + security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} + }; + krebs.nginx = { + enable = true; + servers.elch-stats = { + server-names = [ ext-dom ]; + listen = [ "80" "443 ssl" ]; + ssl = { + enable = true; + # these certs will be needed if acme has not yet created certificates: + certificate = ssl_cert; + certificate_key = ssl_key; + force_encryption = true; + }; + + locations = [ + (nameValuePair "/" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:3000/; + '') + (nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + '') + ]; + }; + }; + + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; + + services.graphite = { + web = { + enable = true; + host = "127.0.0.1"; + port = 8080; + }; + carbon = { + enableCache = true; + # save disk usage by restricting to 1 bulk update per second + config = '' + [cache] + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1 + MAX_CREATES_PER_MINUTE = 500 + ''; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [elchos] + patterhn = ^elchos\. + retention = 10s:30d,60s:1y + + [default] + pattern = .* |