summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/bepasty-server.nix50
-rw-r--r--krebs/3modules/lass/default.nix32
-rw-r--r--krebs/3modules/lass/ssh/icarus.rsa1
-rw-r--r--krebs/3modules/makefu/default.nix25
-rw-r--r--krebs/3modules/rtorrent.nix54
-rw-r--r--krebs/3modules/tinc_graphs.nix75
6 files changed, 143 insertions, 94 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 50e04cf80..4e035e725 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -22,6 +22,16 @@ let
servers = mkOption {
type = with types; attrsOf optionSet;
+ example = ''
+ {
+ "paste.r" = {
+ defaultPermissions = "read,delete,create";
+ };
+ "paste.krebsco.de" = {
+ defaultPermissions = "read";
+ };
+ }
+ '';
options = singleton {
nginx = mkOption {
# TODO use the correct type
@@ -30,7 +40,6 @@ let
additional nginx configuration. see krebs.nginx for all options
'';
};
-
secretKey = mkOption {
type = types.str;
description = ''
@@ -39,6 +48,7 @@ let
default = "";
};
+
# we create a wsgi socket in $workDir/gunicorn-${name}.wsgi
workDir = mkOption {
type = types.str;
@@ -143,25 +153,25 @@ let
};
nginx-imp = {
- assertions = [{ assertion = config.krebs.nginx.enable;
- message = "krebs.nginx.enable must be true"; }];
-
- krebs.nginx.servers = mapAttrs' (name: server:
- nameValuePair("bepasty-server-${name}")
- (mkMerge [ server.nginx {
- extraConfig = ''
- client_max_body_size 32M;
- '';
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host $http_host;
- proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
- '')
- (nameValuePair "/static/" ''
- alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
- '')
- ];
- }])) cfg.servers ;
+ assertions = [{ assertion = config.services.nginx.enable;
+ message = "services.nginx.enable must be true"; }];
+
+ services.nginx.virtualHosts = mapAttrs ( name: server:
+ (mkMerge [
+ server.nginx
+ {
+ extraConfig = ''
+ client_max_body_size 32M;
+ '';
+ locations = {
+ "/".extraConfig = "proxy_set_header Host $http_host;";
+ "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock";
+ "/static/".extraConfig = ''
+ alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
+ '';
+ };
+ }])
+ ) cfg.servers ;
};
in
out
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 5af1e37cd..2d1819dee 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -202,6 +202,7 @@ with import <stockholm/lib>;
"mors.retiolum"
"mors.r"
"cgit.mors.retiolum"
+ "cgit.mors.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -273,6 +274,33 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
};
+ icarus = {
+ cores = 2;
+ nets = rec {
+ retiolum = {
+ ip4.addr = "10.243.133.114";
+ ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1214";
+ aliases = [
+ "icarus.retiolum"
+ "icarus.r"
+ "cgit.icarus.retiolum"
+ "cgit.icarus.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
+ Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK
+ 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t
+ k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7
+ zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt
+ gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
+ };
};
users = {
@@ -294,6 +322,10 @@ with import <stockholm/lib>;
pubkey = builtins.readFile ./ssh/shodan.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/shodan.pgp;
};
+ lass-icarus = {
+ mail = "lass@icarus.retiolum";
+ pubkey = builtins.readFile ./ssh/icarus.rsa;
+ };
fritz = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
};
diff --git a/krebs/3modules/lass/ssh/icarus.rsa b/krebs/3modules/lass/ssh/icarus.rsa
new file mode 100644
index 000000000..da99fcfdf
--- /dev/null
+++ b/krebs/3modules/lass/ssh/icarus.rsa
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDz97C5WVGXgKZ3I7FMvL4TyUv+0rsrSOGI7jj5uQaaHx0SSR0V4tnZtv2hXYrfnkaPHwu2PYUeeUdMBHfbZS6l2dmaXRI9f2WG7182G3IUskMktpi84DMyh0kwK2pWmHoS+Kwo//q+lu4WXIRy4X5wVMVpPT1Oc7boDtqJt4rK8uZkuVmVzGi+5SFaBxspCsdZsX/uDWOeC4/U2l+2Pd4YYl8UdmgN3bJceKTwqKIcbK7AL91My0jrnRSU6XLuED0hcVKzjkjc6bcj1R+Mlch9cflsMQV8TfT6p7VGGvUOtVwhG1+CjraHfilzFn76wINClsQXF/ncKrGabTEWO3zTi12ukAzL2/B0IB0q61tror9uYqeI74WgLjwhnuF98hUL7hnqgV3KB1ytpt6yzXqf1Uz784z9dh0n9r0fLTkeTDbJ4uOz1XzpmAMRwuo0o7/Op7rRBLHohu2Tp6AV8sISKJN5hDGe0wD6861pH9ZrRBiUux6uylzfWp2qrZmERnk0brBl+oDQNhKs3Z0CZmLG4DZWMc5pxpQ5751/8bb6nEorg2ulDZ/h+G3myC+9Zbc/owb/HHOGOBMEpyYYYMvYAfchu50e4xtHd+wMqzFxzjfcM7u6dTdyDEXi6+TFXKBEZyvaAhW2J27HKj4iK6Td2GyK59myPG6OtCnIbw9BPw== lass@icarus
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index ff187b878..c85bf1ccd 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -26,6 +26,31 @@ with import <stockholm/lib>;
};
};
};
+ fileleech = rec {
+ cores = 4;
+ ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech";
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.113.98";
+ ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
+ aliases = [
+ "fileleech.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA2W20+jYvuFUjPQ+E+7Xlabf8fW/XSnTTelfo2uRcJ3FMLYQ9H3rF
+ 8L8StPmxn8Q20FFH/MvRmgW8pU9z4RQ3nAi+utVYqAJQtOYA9FPMxssC08w82r0K
+ YC6sgc9MeRjnCjQxQrQs4fqA6KpqSLxRf2c6kfNwYRgCxFMns2ncxOiPOoGLZait
+ nJR3m0cSRm8yCTMbznlGH99+5+3HgvuBE/UYXmmGBs7w8DevaX76butzprZ8fm4z
+ e5C7R9ofdVW70GGksfSI81y5xODWMbfjTRHKm4OBX7NOCiOTwx1wu8bYDN3EzN6V
+ UM5PJfU42sViPEZmVuC8cDcP1xemHTkh9QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+
pnp = {
cores = 1;
nets = {
diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix
index bcc52fb6e..0c478aded 100644
--- a/krebs/3modules/rtorrent.nix
+++ b/krebs/3modules/rtorrent.nix
@@ -73,22 +73,23 @@ let
# authentication also applies to rtorrent.rutorrent
enable = mkEnableOption "rtorrent nginx web RPC";
- listenAddress = mkOption {
- type = types.str;
+ port = mkOption {
+ type = types.nullOr types.int;
description =''
- nginx listen address for rtorrent web
+ nginx listen port for rtorrent
'';
- default = "localhost:8006";
+ default = 8006;
};
- enableAuth = mkEnableOption "rutorrent authentication";
- authfile = mkOption {
- type = types.path;
+ basicAuth = mkOption {
+ type = types.attrsOf types.str ;
description = ''
- basic authentication file to be used.
- Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file.
- Only in use if authentication is enabled.
+ basic authentication to be used. If unset, no authentication will be
+ enabled.
+
+ Refer to `services.nginx.virtualHosts.<name>.basicAuth`
'';
+ default = {};
};
};
@@ -104,7 +105,6 @@ let
default = pkgs.rutorrent;
};
-
webdir = mkOption {
type = types.path;
description = ''
@@ -286,36 +286,28 @@ let
};
rpcweb-imp = {
- krebs.nginx.enable = mkDefault true;
- krebs.nginx.servers.rtorrent = {
- listen = [ webcfg.listenAddress ];
- server-names = [ "default" ];
- extraConfig = ''
- ${optionalString webcfg.enableAuth ''
- auth_basic "rtorrent";
- auth_basic_user_file ${webcfg.authfile};
- ''}
- ${optionalString rucfg.enable ''
- root ${webdir};
- ''}
- '';
- locations = [
- (nameValuePair "/RPC2" ''
+ services.nginx.enable = mkDefault true;
+ services.nginx.virtualHosts.rtorrent = {
+ default = mkDefault true;
+ inherit (webcfg) basicAuth port;
+ root = optionalString rucfg.enable webdir;
+
+ locations = {
+ "/RPC2".extraConfig = ''
include ${pkgs.nginx}/conf/scgi_params;
scgi_param SCRIPT_NAME /RPC2;
scgi_pass unix:${cfg.xmlrpc-socket};
- '')
- ] ++ (optional rucfg.enable
- (nameValuePair "~ \.php$" ''
+ '';
+ } // (optionalAttrs rucfg.enable {
+ "~ \.php$".extraConfig = ''
client_max_body_size 200M;
- root ${webdir};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${fpm-socket};
try_files $uri =404;
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
+ ''; }
);
};
};
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 26a51de00..197835e73 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -35,35 +35,28 @@ let
nginx = {
enable = mkEnableOption "enable tinc_graphs to be served with nginx";
- anonymous = {
- server-names = mkOption {
- type = with types; listOf str;
- description = "hostnames which serve anonymous graphs";
- default = [ "graphs.${config.krebs.build.host.name}" ];
- };
-
- listen = mkOption {
- # use the type of the nginx listen option
- type = with types; listOf str;
- description = "listen address for anonymous graphs";
- default = [ "80" ];
- };
-
+ anonymous = mkOption {
+ type = types.attrsOf types.unspecified;
+ description = ''
+ nginx virtualHost options to be merged into the anonymous graphs
+ vhost entry.
+ '';
+ };
+ anonymous-domain = mkOption {
+ type = types.str;
+ description = ''
+ external domainname to be used for anonymous graphs
+ it will be used if you want to enable ACME
+ '';
+ default = "graphs.krebsco.de";
};
- complete = {
- server-names = mkOption {
- type = with types; listOf str;
- description = "hostname which serves complete graphs";
- default = [ "graphs.${config.krebs.build.host.name}" ];
- };
-
- listen = mkOption {
- type = with types; listOf str;
- description = "listen address for complete graphs";
- default = [ "127.0.0.1:80" ];
- };
-
+ complete = mkOption {
+ type = types.attrsOf types.unspecified;
+ description = ''
+ nginx virtualHost options to be merged into the complete graphs
+ vhost entry.
+ '';
};
};
@@ -134,24 +127,20 @@ let
uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs";
};
- krebs.nginx = mkIf cfg.nginx.enable {
+ services.nginx = mkIf cfg.nginx.enable {
enable = mkDefault true;
- servers = {
+ virtualHosts = {
tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${internal_dir};
- '')
- ];
- }] ;
- tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${external_dir};
- '')
- ];
+ locations = {
+ "/".extraConfig = "autoindex on;";
+ "/".root = internal_dir;
+ };
+ }];
+ "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous {
+ locations = {
+ "/".extraConfig = "autoindex on;";
+ "/".root = external_dir;
+ };
}];
};
};
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-02 08:23:26 +0000