summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/bepasty-server.nix50
-rw-r--r--krebs/3modules/git.nix41
-rw-r--r--krebs/3modules/makefu/default.nix25
-rw-r--r--krebs/3modules/rtorrent.nix54
-rw-r--r--krebs/3modules/tinc_graphs.nix75
5 files changed, 128 insertions, 117 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 50e04cf80..4e035e725 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -22,6 +22,16 @@ let
servers = mkOption {
type = with types; attrsOf optionSet;
+ example = ''
+ {
+ "paste.r" = {
+ defaultPermissions = "read,delete,create";
+ };
+ "paste.krebsco.de" = {
+ defaultPermissions = "read";
+ };
+ }
+ '';
options = singleton {
nginx = mkOption {
# TODO use the correct type
@@ -30,7 +40,6 @@ let
additional nginx configuration. see krebs.nginx for all options
'';
};
-
secretKey = mkOption {
type = types.str;
description = ''
@@ -39,6 +48,7 @@ let
default = "";
};
+
# we create a wsgi socket in $workDir/gunicorn-${name}.wsgi
workDir = mkOption {
type = types.str;
@@ -143,25 +153,25 @@ let
};
nginx-imp = {
- assertions = [{ assertion = config.krebs.nginx.enable;
- message = "krebs.nginx.enable must be true"; }];
-
- krebs.nginx.servers = mapAttrs' (name: server:
- nameValuePair("bepasty-server-${name}")
- (mkMerge [ server.nginx {
- extraConfig = ''
- client_max_body_size 32M;
- '';
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host $http_host;
- proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
- '')
- (nameValuePair "/static/" ''
- alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
- '')
- ];
- }])) cfg.servers ;
+ assertions = [{ assertion = config.services.nginx.enable;
+ message = "services.nginx.enable must be true"; }];
+
+ services.nginx.virtualHosts = mapAttrs ( name: server:
+ (mkMerge [
+ server.nginx
+ {
+ extraConfig = ''
+ client_max_body_size 32M;
+ '';
+ locations = {
+ "/".extraConfig = "proxy_set_header Host $http_host;";
+ "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock";
+ "/static/".extraConfig = ''
+ alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
+ '';
+ };
+ }])
+ ) cfg.servers ;
};
in
out
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 20907a3ed..164831846 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -400,29 +400,24 @@ let
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root}
'';
- krebs.nginx = {
- enable = true;
- servers.cgit = {
- server-names = [
- "cgit.${config.networking.hostName}"
- "cgit.${config.networking.hostName}.r"
- "cgit.${config.networking.hostName}.retiolum"
- ];
- locations = [
- (nameValuePair "/" ''
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
- '')
- (nameValuePair "/static/" ''
- root ${pkgs.cgit}/cgit;
- rewrite ^/static(/.*)$ $1 break;
- '')
- ];
- };
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
+ "cgit.${config.networking.hostName}"
+ "cgit.${config.networking.hostName}.r"
+ "cgit.${config.networking.hostName}.retiolum"
+ ];
+ locations."/".extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ '';
+ locations."/static/".extraConfig = ''
+ root ${pkgs.cgit}/cgit;
+ rewrite ^/static(/.*)$ $1 break;
+ '';
};
};
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index ff187b878..c85bf1ccd 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -26,6 +26,31 @@ with import <stockholm/lib>;
};
};
};
+ fileleech = rec {
+ cores = 4;
+ ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech";
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.113.98";
+ ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
+ aliases = [
+ "fileleech.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA2W20+jYvuFUjPQ+E+7Xlabf8fW/XSnTTelfo2uRcJ3FMLYQ9H3rF
+ 8L8StPmxn8Q20FFH/MvRmgW8pU9z4RQ3nAi+utVYqAJQtOYA9FPMxssC08w82r0K
+ YC6sgc9MeRjnCjQxQrQs4fqA6KpqSLxRf2c6kfNwYRgCxFMns2ncxOiPOoGLZait
+ nJR3m0cSRm8yCTMbznlGH99+5+3HgvuBE/UYXmmGBs7w8DevaX76butzprZ8fm4z
+ e5C7R9ofdVW70GGksfSI81y5xODWMbfjTRHKm4OBX7NOCiOTwx1wu8bYDN3EzN6V
+ UM5PJfU42sViPEZmVuC8cDcP1xemHTkh9QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+
pnp = {
cores = 1;
nets = {
diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix
index bcc52fb6e..0c478aded 100644
--- a/krebs/3modules/rtorrent.nix
+++ b/krebs/3modules/rtorrent.nix
@@ -73,22 +73,23 @@ let
# authentication also applies to rtorrent.rutorrent
enable = mkEnableOption "rtorrent nginx web RPC";
- listenAddress = mkOption {
- type = types.str;
+ port = mkOption {
+ type = types.nullOr types.int;
description =''
- nginx listen address for rtorrent web
+ nginx listen port for rtorrent
'';
- default = "localhost:8006";
+ default = 8006;
};
- enableAuth = mkEnableOption "rutorrent authentication";
- authfile = mkOption {
- type = types.path;
+ basicAuth = mkOption {
+ type = types.attrsOf types.str ;
description = ''
- basic authentication file to be used.
- Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file.
- Only in use if authentication is enabled.
+ basic authentication to be used. If unset, no authentication will be
+ enabled.
+
+ Refer to `services.nginx.virtualHosts.<name>.basicAuth`
'';
+ default = {};
};
};
@@ -104,7 +105,6 @@ let
default = pkgs.rutorrent;
};
-
webdir = mkOption {
type = types.path;
description = ''
@@ -286,36 +286,28 @@ let
};
rpcweb-imp = {
- krebs.nginx.enable = mkDefault true;
- krebs.nginx.servers.rtorrent = {
- listen = [ webcfg.listenAddress ];
- server-names = [ "default" ];
- extraConfig = ''
- ${optionalString webcfg.enableAuth ''
- auth_basic "rtorrent";
- auth_basic_user_file ${webcfg.authfile};
- ''}
- ${optionalString rucfg.enable ''
- root ${webdir};
- ''}
- '';
- locations = [
- (nameValuePair "/RPC2" ''
+ services.nginx.enable = mkDefault true;
+ services.nginx.virtualHosts.rtorrent = {
+ default = mkDefault true;
+ inherit (webcfg) basicAuth port;
+ root = optionalString rucfg.enable webdir;
+
+ locations = {
+ "/RPC2".extraConfig = ''
include ${pkgs.nginx}/conf/scgi_params;
scgi_param SCRIPT_NAME /RPC2;
scgi_pass unix:${cfg.xmlrpc-socket};
- '')
- ] ++ (optional rucfg.enable
- (nameValuePair "~ \.php$" ''
+ '';
+ } // (optionalAttrs rucfg.enable {
+ "~ \.php$".extraConfig = ''
client_max_body_size 200M;
- root ${webdir};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${fpm-socket};
try_files $uri =404;
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
+ ''; }
);
};
};
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 26a51de00..197835e73 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -35,35 +35,28 @@ let
nginx = {
enable = mkEnableOption "enable tinc_graphs to be served with nginx";
- anonymous = {
- server-names = mkOption {
- type = with types; listOf str;
- description = "hostnames which serve anonymous graphs";
- default = [ "graphs.${config.krebs.build.host.name}" ];
- };
-
- listen = mkOption {
- # use the type of the nginx listen option
- type = with types; listOf str;
- description = "listen address for anonymous graphs";
- default = [ "80" ];
- };
-
+ anonymous = mkOption {
+ type = types.attrsOf types.unspecified;
+ description = ''
+ nginx virtualHost options to be merged into the anonymous graphs
+ vhost entry.
+ '';
+ };
+ anonymous-domain = mkOption {
+ type = types.str;
+ description = ''
+ external domainname to be used for anonymous graphs
+ it will be used if you want to enable ACME
+ '';
+ default = "graphs.krebsco.de";
};
- complete = {
- server-names = mkOption {
- type = with types; listOf str;
- description = "hostname which serves complete graphs";
- default = [ "graphs.${config.krebs.build.host.name}" ];
- };
-
- listen = mkOption {
- type = with types; listOf str;
- description = "listen address for complete graphs";
- default = [ "127.0.0.1:80" ];
- };
-
+ complete = mkOption {
+ type = types.attrsOf types.unspecified;
+ description = ''
+ nginx virtualHost options to be merged into the complete graphs
+ vhost entry.
+ '';
};
};
@@ -134,24 +127,20 @@ let
uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs";
};
- krebs.nginx = mkIf cfg.nginx.enable {
+ services.nginx = mkIf cfg.nginx.enable {
enable = mkDefault true;
- servers = {
+ virtualHosts = {
tinc_graphs_complete = mkMerge [ cfg.nginx.complete {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${internal_dir};
- '')
- ];
- }] ;
- tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous {
- locations = [
- (nameValuePair "/" ''
- autoindex on;
- root ${external_dir};
- '')
- ];
+ locations = {
+ "/".extraConfig = "autoindex on;";
+ "/".root = internal_dir;
+ };
+ }];
+ "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous {
+ locations = {
+ "/".extraConfig = "autoindex on;";
+ "/".root = external_dir;
+ };
}];
};
};