diff options
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/bepasty-server.nix | 50 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 41 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 25 | ||||
-rw-r--r-- | krebs/3modules/rtorrent.nix | 54 | ||||
-rw-r--r-- | krebs/3modules/tinc_graphs.nix | 75 |
5 files changed, 128 insertions, 117 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 50e04cf80..4e035e725 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -22,6 +22,16 @@ let servers = mkOption { type = with types; attrsOf optionSet; + example = '' + { + "paste.r" = { + defaultPermissions = "read,delete,create"; + }; + "paste.krebsco.de" = { + defaultPermissions = "read"; + }; + } + ''; options = singleton { nginx = mkOption { # TODO use the correct type @@ -30,7 +40,6 @@ let additional nginx configuration. see krebs.nginx for all options ''; }; - secretKey = mkOption { type = types.str; description = '' @@ -39,6 +48,7 @@ let default = ""; }; + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi workDir = mkOption { type = types.str; @@ -143,25 +153,25 @@ let }; nginx-imp = { - assertions = [{ assertion = config.krebs.nginx.enable; - message = "krebs.nginx.enable must be true"; }]; - - krebs.nginx.servers = mapAttrs' (name: server: - nameValuePair("bepasty-server-${name}") - (mkMerge [ server.nginx { - extraConfig = '' - client_max_body_size 32M; - ''; - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $http_host; - proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock; - '') - (nameValuePair "/static/" '' - alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; - '') - ]; - }])) cfg.servers ; + assertions = [{ assertion = config.services.nginx.enable; + message = "services.nginx.enable must be true"; }]; + + services.nginx.virtualHosts = mapAttrs ( name: server: + (mkMerge [ + server.nginx + { + extraConfig = '' + client_max_body_size 32M; + ''; + locations = { + "/".extraConfig = "proxy_set_header Host $http_host;"; + "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; + "/static/".extraConfig = '' + alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; + ''; + }; + }]) + ) cfg.servers ; }; in out diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 20907a3ed..164831846 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -400,29 +400,24 @@ let chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} ''; - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.r" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; + services.nginx.virtualHosts.cgit = { + serverAliases = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.r" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations."/".extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + locations."/static/".extraConfig = '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + ''; }; }; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ff187b878..c85bf1ccd 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -26,6 +26,31 @@ with import <stockholm/lib>; }; }; }; + fileleech = rec { + cores = 4; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech"; + nets = { + retiolum = { + ip4.addr = "10.243.113.98"; + ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; + aliases = [ + "fileleech.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA2W20+jYvuFUjPQ+E+7Xlabf8fW/XSnTTelfo2uRcJ3FMLYQ9H3rF + 8L8StPmxn8Q20FFH/MvRmgW8pU9z4RQ3nAi+utVYqAJQtOYA9FPMxssC08w82r0K + YC6sgc9MeRjnCjQxQrQs4fqA6KpqSLxRf2c6kfNwYRgCxFMns2ncxOiPOoGLZait + nJR3m0cSRm8yCTMbznlGH99+5+3HgvuBE/UYXmmGBs7w8DevaX76butzprZ8fm4z + e5C7R9ofdVW70GGksfSI81y5xODWMbfjTRHKm4OBX7NOCiOTwx1wu8bYDN3EzN6V + UM5PJfU42sViPEZmVuC8cDcP1xemHTkh9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + pnp = { cores = 1; nets = { diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index bcc52fb6e..0c478aded 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -73,22 +73,23 @@ let # authentication also applies to rtorrent.rutorrent enable = mkEnableOption "rtorrent nginx web RPC"; - listenAddress = mkOption { - type = types.str; + port = mkOption { + type = types.nullOr types.int; description ='' - nginx listen address for rtorrent web + nginx listen port for rtorrent ''; - default = "localhost:8006"; + default = 8006; }; - enableAuth = mkEnableOption "rutorrent authentication"; - authfile = mkOption { - type = types.path; + basicAuth = mkOption { + type = types.attrsOf types.str ; description = '' - basic authentication file to be used. - Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file. - Only in use if authentication is enabled. + basic authentication to be used. If unset, no authentication will be + enabled. + + Refer to `services.nginx.virtualHosts.<name>.basicAuth` ''; + default = {}; }; }; @@ -104,7 +105,6 @@ let default = pkgs.rutorrent; }; - webdir = mkOption { type = types.path; description = '' @@ -286,36 +286,28 @@ let }; rpcweb-imp = { - krebs.nginx.enable = mkDefault true; - krebs.nginx.servers.rtorrent = { - listen = [ webcfg.listenAddress ]; - server-names = [ "default" ]; - extraConfig = '' - ${optionalString webcfg.enableAuth '' - auth_basic "rtorrent"; - auth_basic_user_file ${webcfg.authfile}; - ''} - ${optionalString rucfg.enable '' - root ${webdir}; - ''} - ''; - locations = [ - (nameValuePair "/RPC2" '' + services.nginx.enable = mkDefault true; + services.nginx.virtualHosts.rtorrent = { + default = mkDefault true; + inherit (webcfg) basicAuth port; + root = optionalString rucfg.enable webdir; + + locations = { + "/RPC2".extraConfig = '' include ${pkgs.nginx}/conf/scgi_params; scgi_param SCRIPT_NAME /RPC2; scgi_pass unix:${cfg.xmlrpc-socket}; - '') - ] ++ (optional rucfg.enable - (nameValuePair "~ \.php$" '' + ''; + } // (optionalAttrs rucfg.enable { + "~ \.php$".extraConfig = '' client_max_body_size 200M; - root ${webdir}; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm-socket}; try_files $uri =404; fastcgi_index index.php; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; - '') + ''; } ); }; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 26a51de00..197835e73 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -35,35 +35,28 @@ let nginx = { enable = mkEnableOption "enable tinc_graphs to be served with nginx"; - anonymous = { - server-names = mkOption { - type = with types; listOf str; - description = "hostnames which serve anonymous graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - # use the type of the nginx listen option - type = with types; listOf str; - description = "listen address for anonymous graphs"; - default = [ "80" ]; - }; - + anonymous = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the anonymous graphs + vhost entry. + ''; + }; + anonymous-domain = mkOption { + type = types.str; + description = '' + external domainname to be used for anonymous graphs + it will be used if you want to enable ACME + ''; + default = "graphs.krebsco.de"; }; - complete = { - server-names = mkOption { - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - type = with types; listOf str; - description = "listen address for complete graphs"; - default = [ "127.0.0.1:80" ]; - }; - + complete = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the complete graphs + vhost entry. + ''; }; }; @@ -134,24 +127,20 @@ let uid = genid "tinc_graphs"; home = "/var/spool/tinc_graphs"; }; - krebs.nginx = mkIf cfg.nginx.enable { + services.nginx = mkIf cfg.nginx.enable { enable = mkDefault true; - servers = { + virtualHosts = { tinc_graphs_complete = mkMerge [ cfg.nginx.complete { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${internal_dir}; - '') - ]; - }] ; - tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${external_dir}; - '') - ]; + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = internal_dir; + }; + }]; + "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous { + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = external_dir; + }; }]; }; }; |