summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/AP.nix77
-rw-r--r--lass/2configs/backup.nix20
-rw-r--r--lass/2configs/backups.nix173
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/bitcoin.nix10
-rw-r--r--lass/2configs/dcso-dev.nix1
-rw-r--r--lass/2configs/default.nix3
-rw-r--r--lass/2configs/dns-stuff.nix16
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/git.nix14
-rw-r--r--lass/2configs/go.nix19
-rw-r--r--lass/2configs/mail.nix5
-rw-r--r--lass/2configs/monitoring/client.nix26
-rw-r--r--lass/2configs/monitoring/monit-alarms.nix44
-rw-r--r--lass/2configs/monitoring/node-exporter.nix6
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix50
-rw-r--r--lass/2configs/monitoring/server.nix87
-rw-r--r--lass/2configs/websites/lassulus.nix56
-rw-r--r--lass/2configs/websites/util.nix53
-rw-r--r--lass/2configs/zsh.nix4
21 files changed, 239 insertions, 429 deletions
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
new file mode 100644
index 000000000..5ce7cfff8
--- /dev/null
+++ b/lass/2configs/AP.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ wifi = "wlp0s29u1u2";
+in {
+ boot.extraModulePackages = [
+ pkgs.linuxPackages.rtl8814au
+ ];
+ networking.networkmanager.unmanaged = [ wifi ];
+
+ systemd.services.hostapd = {
+ description = "hostapd wireless AP";
+ path = [ pkgs.hostapd ];
+ wantedBy = [ "network.target" ];
+
+ after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
+ interface=${wifi}
+ hw_mode=a
+ channel=36
+ ieee80211d=1
+ country_code=DE
+ ieee80211n=1
+ ieee80211ac=1
+ wmm_enabled=1
+
+ # 5ghz
+ ssid=krebsing
+ auth_algs=1
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ rsn_pairwise=CCMP
+ wpa_passphrase=aidsballz
+ ''}";
+ Restart = "always";
+ };
+ };
+
+ networking.interfaces.${wifi}.ipv4.addresses = [
+ { address = "10.99.0.1"; prefixLength = 24; }
+ ];
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ wifi ];
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers 10.99.0.1;
+ option domain-name-servers 1.1.1.1, 8.8.8.8;
+ subnet 10.99.0.0 netmask 255.255.255.0 {
+ range 10.99.0.100 10.99.0.200;
+ }
+ '';
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ #TODO find out what this is about?
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
+
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
+}
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
new file mode 100644
index 000000000..27adf6d2a
--- /dev/null
+++ b/lass/2configs/backup.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+with import <stockholm/lib>;
+
+{
+ fileSystems = {
+ "/backups" = {
+ device = "/dev/pool/backup";
+ fsType = "ext4";
+ };
+ };
+ users.users.backup = {
+ useDefaultShell = true;
+ home = "/backups";
+ createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.hosts; [
+ mors.ssh.pubkey
+ prism.ssh.pubkey
+ ];
+ };
+}
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
deleted file mode 100644
index c4fb85420..000000000
--- a/lass/2configs/backups.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, lib, ... }:
-with import <stockholm/lib>;
-{
-
- # TODO add timerConfig to krebs.backup and randomize startup
- # TODO define plans more abstract
- krebs.backup.plans = {
- } // mapAttrs (_: recursiveUpdate {
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
- }) {
- dishfire-http-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
- startAt = "03:00";
- };
- dishfire-http-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-http-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
- startAt = "03:05";
- };
- dishfire-http-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
- startAt = "03:10";
- };
- dishfire-sql-prism = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
- startAt = "03:15";
- };
- dishfire-sql-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- dishfire-sql-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
- startAt = "03:20";
- };
- dishfire-sql-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
- startAt = "03:25";
- };
- prism-bitlbee-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-bitlbee-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-bitlbee-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
- startAt = "03:25";
- };
- prism-chat-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
- startAt = "03:35";
- };
- prism-chat-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
- startAt = "03:30";
- };
- prism-chat-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
- startAt = "03:35";
- };
- prism-sql-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
- startAt = "03:45";
- };
- prism-sql-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
- startAt = "03:40";
- };
- prism-sql-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
- startAt = "03:45";
- };
- prism-http-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
- startAt = "03:55";
- };
- prism-http-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
- startAt = "03:50";
- };
- prism-http-shodan = {
- method = "pull";
- src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
- startAt = "03:55";
- };
- icarus-home-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.icarus; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
- startAt = "05:00";
- };
- icarus-home-shodan = {
- method = "push";
- src = { host = config.krebs.hosts.icarus; path = "/home"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
- startAt = "05:00";
- };
- mors-home-icarus = {
- method = "push";
- src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
- startAt = "05:00";
- };
- mors-home-shodan = {
- method = "push";
- src = { host = config.krebs.hosts.mors; path = "/home"; };
- dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
- startAt = "05:00";
- };
- shodan-home-icarus = {
- method = "pull";
- src = { host = config.krebs.hosts.shodan; path = "/home"; };
- dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
- startAt = "04:00";
- };
- shodan-home-mors = {
- method = "pull";
- src = { host = config.krebs.hosts.shodan; path = "/home"; };
- dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
- startAt = "04:00";
- };
- };
-}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index ed179ded6..e2e44b6fc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./livestream.nix
- ./dns-stuff.nix
./urxvt.nix
./network-manager.nix
{
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
index a405addfc..9f6fd3bf0 100644
--- a/lass/2configs/bitcoin.nix
+++ b/lass/2configs/bitcoin.nix
@@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [
pkgs.electrum
];
- krebs.per-user.ethereum.packages = [
- pkgs.go-ethereum
- ];
users.extraUsers = {
bch = {
name = "bch";
@@ -28,13 +25,6 @@ in {
useDefaultShell = true;
createHome = true;
};
- ethereum = {
- name = "ethereum";
- description = "user for ethereum stuff";
- home = "/home/ethereum";
- useDefaultShell = true;
- createHome = true;
- };
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL
diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix
index ae1c7bc8d..b985b67b3 100644
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@@ -9,6 +9,7 @@ in {
dev = {
name = "dev";
uid = genid "dev";
+ extraGroups = [ "docker" ];
description = "user for collaborative development";
home = "/home/dev";
useDefaultShell = true;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 5a5f1b347..12a814605 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -6,10 +6,9 @@ with import <stockholm/lib>;
./gc.nix
./mc.nix
./vim.nix
- ./monitoring/client.nix
+ ./monitoring/node-exporter.nix
./zsh.nix
./htop.nix
- ./backups.nix
./security-workarounds.nix
{
users.extraUsers =
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
deleted file mode 100644
index cbcce8df9..000000000
--- a/lass/2configs/dns-stuff.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- services.dnscrypt-proxy = {
- enable = true;
- localAddress = "127.1.0.1";
- customResolver = {
- address = config.krebs.hosts.gum.nets.internet.ip4.addr;
- port = 15251;
- name = "2.dnscrypt-cert.euer.krebsco.de";
- key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
- };
- };
- services.resolved.enable = true;
- services.resolved.fallbackDns = [ "127.1.0.1" ];
-}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 4455d2761..e05ed2427 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -79,6 +79,7 @@ with import <stockholm/lib>;
{ from = "ovh@lassul.us"; to = lass.mail; }
{ from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; }
+ { from = "immoscout@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index ad015180a..c5073e384 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
- automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
+ automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer);
};
}
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 1fe87c666..43085ba5e 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -57,6 +57,16 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software";
};
+ nixos-aws = {
+ collaborators = [ {
+ name = "fabio";
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
+ } ];
+ };
+ krops = {
+ cgit.desc = "krebs deployment";
+ cgit.section = "software";
+ };
} // mapAttrs make-public-repo-silent {
};
@@ -70,8 +80,8 @@ let
import <secrets/repos.nix> { inherit config lib pkgs; }
);
- make-public-repo = name: { cgit ? {}, ... }: {
- inherit cgit name;
+ make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: {
+ inherit cgit collaborators name;
public = true;
hooks = {
post-receive = pkgs.git-hooks.irc-announce {
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
new file mode 100644
index 000000000..ecf89b298
--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.go = {
+ enable = true;
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go.lassul.us;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
+ "go.lassul.us"
+ ];
+ };
+ };
+}
+
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 81db59617..2bb51b50a 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -206,8 +206,11 @@ in {
msmtp
mutt
pkgs.much
- pkgs.notmuch
tag-new-mails
tag-old-mails
];
+
+ nixpkgs.config.packageOverrides = opkgs: {
+ notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
+ };
}
diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix
deleted file mode 100644
index b8c245215..000000000
--- a/lass/2configs/monitoring/client.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{pkgs, config, ...}:
-with import <stockholm/lib>;
-{
- services.telegraf = {
- enable = true;
-
- extraConfig = {
- agent.interval = "1s";
- outputs = {
- influxdb = {
- urls = ["http://prism:8086"];
- database = "telegraf_db";
- user_agent = "telegraf";
- };
- };
- inputs = {
- cpu = {
- percpu = false;
- totalcpu = true;
- };
- mem = {};
- net = {};
- };
- };
- };
-}
diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix
deleted file mode 100644
index 2cfc292e5..000000000
--- a/lass/2configs/monitoring/monit-alarms.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{pkgs, config, ...}:
-with import <stockholm/lib>;
-let
- echoToIrc = msg:
- pkgs.writeDash "echo_irc" ''
- set -euf
- export LOGNAME=prism-alarm
- ${pkgs.irc-announce}/bin/irc-announce \
- irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
- '';
-
-in {
- krebs.monit = {
- enable = true;
- http.enable = true;
- alarms = {
- nirwanabluete = {
- test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
- alarm = echoToIrc "test nirwanabluete failed";
- };
- ubik = {
- test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
- alarm = echoToIrc "test ubik failed";
- };
- cac-panel = {
- test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
- alarm = echoToIrc "test cac-panel failed";
- };
- radio = {
- test = pkgs.writeBash "check_stream" ''
- ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
- | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
- | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
- '';
- alarm = echoToIrc "test radio failed";
- };
- };
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
- ];
-}
-
diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix
index 8c27e90d4..561e3a25c 100644
--- a/lass/2configs/monitoring/node-exporter.nix
+++ b/lass/2configs/monitoring/node-exporter.nix
@@ -1,7 +1,9 @@
{ config, lib, pkgs, ... }:
{
- networking.firewall.allowedTCPPorts = [ 9100 ];
-
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
+ { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
+ ];
services.prometheus.exporters = {
node = {
enable = true;
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index d56d7e552..e16d421a0 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -9,6 +9,12 @@
# useDHCP = true;
#};
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
+ ];
+
services = {
prometheus = {
enable = true;
@@ -124,11 +130,10 @@
static_configs = [
{
targets = [
- "localhost:9100"
- ];
- labels = {
- alias = "prometheus.example.com";
- };
+ ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts));
+ #labels = {
+ # alias = "prometheus.example.com";
+ #};
}
];
}
@@ -159,7 +164,7 @@
];
"webhook_configs" = [
{
- "url" = "https://example.com/prometheus-alerts";
+ "url" = "http://127.0.0.1:14813/prometheus-alerts";
"send_resolved" = true;
}
];
@@ -176,4 +181,37 @@
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
};
+ services.logstash = {
+ enable = true;
+ inputConfig = ''
+ http {
+ port => 14813
+ host => "127.0.0.1"
+ }
+ '';
+ filterConfig = ''
+ if ([alerts]) {
+ ruby {
+ code => '
+ lines = []
+ event["alerts"].each {|p|
+ lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}"
+ }
+ event["output"] = lines.join("\n")
+ '
+ }
+ }
+ '';
+ outputConfig = ''
+ file { path => "/tmp/logs.json" codec => "json_lines" }
+ irc {
+ channels => [ "#noise" ]
+ host => "irc.r"
+ nick => "alarm"
+ codec => "json_lines"
+ format => "%{output}"
+ }
+ '';
+ #plugins = [ ];
+ };
}
diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix
deleted file mode 100644
index adaecde2c..000000000
--- a/lass/2configs/monitoring/server.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{pkgs, config, ...}:
-with import <stockholm/lib>;
-{
- services.influxdb.enable = true;
-
- services.influxdb.extraConfig = {
- meta.hostname = config.krebs.build.host.name;
- # meta.logging-enabled = true;
- http.bind-address = ":8086";
- admin.bind-address = ":8083";
- http.log-enabled = false;
- monitoring = {
- enabled = false;
- # write-interval = "24h";
- };
- collectd = [{
- enabled = true;
- typesdb = "${pkgs.collectd}/share/collectd/types.db";
- database = "collectd_db";
- port = 25826;
- }];
- };
-
- krebs.kapacitor =
- let
- db = "telegraf_db";
- echoToIrc = pkgs.writeDash "echo_irc" ''
- set -euf
- data="$(${pkgs.jq}/bin/jq -r .message)"
- export LOGNAME=prism-alarm
- ${pkgs.irc-announce}/bin/irc-announce \
- irc.r 6667 prism-alarm \#noise "$data" >/dev/null
- '';
- in {
- enable = true;
- alarms = {
- cpu = {
- database = db;
- text = ''
- var data = batch
- |query(${"'''"}
- SELECT mean("usage_user") AS mean
- FROM "${db}"."default"."cpu"
- ${"'''"})
- .period(10m)
- .every(1m)
- .groupBy('host')
- data |alert()
- .crit(lambda: "mean" > 90)
- .exec('${echoToIrc}')
- data |deadman(1.0,5m)
- .stateChangesOnly()
- .exec('${echoToIrc}')
- '';
- };
- ram = {
- database = db;
- text = ''
- var data = batch
- |query(${"'''"}
- SELECT mean("used_percent") AS mean
- FROM "${db}"."default"."mem"
- ${"'''"})
- .period(10m)
- .every(1m)
- .groupBy('host')
- data |alert()
- .crit(lambda: "mean" > 90)
- .exec('${echoToIrc}')
- '';
- };
- };
- };
-
- services.grafana = {
- enable = true;
- addr = "0.0.0.0";
- auth.anonymous.enable = true;
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
- { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
- { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 25ca1f455..53f1eea5c 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -6,66 +6,10 @@ let
genid
;
- servephpBB = domains:
- let
- domain = head domains;
-
- in {
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- forceSSL = true;
- serverAliases = domains;
- extraConfig = ''
- index index.php;
- root /srv/http/${domain}/;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- client_max_body_size 100m;
- '';
- locations."/".extraConfig = ''
- try_files $uri $uri/ /index.php?$args;
- '';
- locations."~ \.php(?:$|/)".extraConfig = ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '';
- #Directives to send expires headers and turn off 404 error logging.
- locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
- access_log off;
- log_not_found off;
- expires max;
- '';
- };
- services.phpfpm.poolConfigs."${domain}" = ''
- listen = /srv/http/${domain}/phpfpm.pool
- user = nginx
- group = nginx
- pm = dynamic
- pm.max_children = 25
- pm.start_servers = 5
- pm.min_spare_servers = 3
- pm.max_spare_servers = 20
- listen.owner = nginx
- listen.group = nginx
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '';
- };
-
in {
imports = [
./default.nix
../git.nix
- (servephpBB [ "rote-allez-fraktion.de" ])
];
security.acme = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 441b7af90..61b5543ce 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -28,6 +28,59 @@ rec {
};
};
+ servephpBB = domains:
+ let
+ domain = head domains;
+
+ in {
+ services.nginx.virtualHosts."${domain}" = {
+ serverAliases = domains;
+ extraConfig = ''
+ index index.php;
+ root /srv/http/${domain}/;
+ access_log /tmp/nginx_acc.log;
+ error_log /tmp/nginx_err.log;
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ client_max_body_size 100m;
+ '';
+ locations."/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+ #Directives to send expires headers and turn off 404 error logging.
+ locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+ access_log off;
+ log_not_found off;
+