Diffstat (limited to 'makefu')
-rw-r--r--makefu/0tests/data/secrets/airdcpp-makefu.pw0
-rw-r--r--makefu/0tests/data/secrets/krebshub.pw0
-rw-r--r--makefu/1systems/nextgum/config.nix5
-rw-r--r--makefu/1systems/nextgum/hardware-config.nix13
-rw-r--r--makefu/2configs/dcpp/airdcpp.nix48
-rw-r--r--makefu/2configs/default.nix107
-rw-r--r--makefu/2configs/minimal.nix88
-rw-r--r--makefu/3modules/airdcpp.nix210
-rw-r--r--makefu/3modules/default.nix4
-rw-r--r--makefu/3modules/state.nix7
-rw-r--r--makefu/5pkgs/airdcpp-webclient/default.nix27
11 files changed, 173 insertions, 336 deletions
diff --git a/makefu/0tests/data/secrets/airdcpp-makefu.pw b/makefu/0tests/data/secrets/airdcpp-makefu.pw
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/makefu/0tests/data/secrets/airdcpp-makefu.pw
diff --git a/makefu/0tests/data/secrets/krebshub.pw b/makefu/0tests/data/secrets/krebshub.pw
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/makefu/0tests/data/secrets/krebshub.pw
diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix
index db22cf9b8..64516fa98 100644
--- a/makefu/1systems/nextgum/config.nix
+++ b/makefu/1systems/nextgum/config.nix
@@ -25,11 +25,12 @@ in {
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/backup.nix>
- <stockholm/makefu/2configs/exim-retiolum.nix>
+ # <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# services
<stockholm/makefu/2configs/sabnzbd.nix>
+ <stockholm/makefu/2configs/mail/mail.euer.nix>
# sharing
<stockholm/makefu/2configs/share/gum.nix>
@@ -73,6 +74,7 @@ in {
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
#<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
+ <stockholm/makefu/2configs/nginx/iso.euer.nix>
<stockholm/makefu/2configs/deployment/events-publisher>
#<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
@@ -94,6 +96,7 @@ in {
<stockholm/makefu/2configs/stats/client.nix>
+ <stockholm/makefu/2configs/dcpp/airdcpp.nix>
# <stockholm/makefu/2configs/logging/client.nix>
## Temporary:
diff --git a/makefu/1systems/nextgum/hardware-config.nix b/makefu/1systems/nextgum/hardware-config.nix
index 944210701..bfe29b46c 100644
--- a/makefu/1systems/nextgum/hardware-config.nix
+++ b/makefu/1systems/nextgum/hardware-config.nix
@@ -41,11 +41,12 @@ in {
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ main-disk ];
+ boot.initrd.kernelModules = [ "dm-raid" ];
boot.initrd.availableKernelModules = [
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
- boot.kernelModules = [ "kvm-intel" "dm-raid" "dm_thin_pool" ];
+ boot.kernelModules = [ "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/mapper/nixos-root";
@@ -59,6 +60,10 @@ in {
device = "/dev/mapper/nixos-download";
fsType = "ext4";
};
+ fileSystems."/var/lib/borgbackup" = {
+ device = "/dev/mapper/nixos-backup";
+ fsType = "ext4";
+ };
fileSystems."/boot" = {
device = "/dev/sda2";
fsType = "vfat";
@@ -79,8 +84,12 @@ in {
#vgcreate nixos /dev/sda3 /dev/sdb1
#lvcreate -L 120G -m 1 -n root nixos
#lvcreate -L 50G -m 1 -n lib nixos
- #lvcreate -L 50G -n download nixos
+ #lvcreate -L 100G -n download nixos
+ #lvcreate -L 100G -n backup nixos
#mkfs.ext4 /dev/mapper/nixos-root
+ #mkfs.ext4 /dev/mapper/nixos-lib
+ #mkfs.ext4 /dev/mapper/nixos-download
+ #mkfs.ext4 /dev/mapper/nixos-borgbackup
#mount /dev/mapper/nixos-root /mnt
#mkdir /mnt/boot
#mount /dev/sda2 /mnt/boot
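Review bot: The added setup note `#mkfs.ext4 /dev/mapper/nixos-borgbackup` names a device that the preceding `#lvcreate -L 100G -n backup nixos` would not create. The logical volume is called `backup`, and the new `fileSystems."/var/lib/borgbackup"` entry in the previous hunk mounts `/dev/mapper/nixos-backup`. Anyone replaying these notes during a rebuild would hit a failing mkfs, so I would change the line to `#mkfs.ext4 /dev/mapper/nixos-backup`. It would also help to say in a comment why `download` and `backup` are created without `-m 1` while `root` and `lib` are mirrored, since the backup target then appears to have no redundancy on this host.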
diff --git a/makefu/2configs/dcpp/airdcpp.nix b/makefu/2configs/dcpp/airdcpp.nix
new file mode 100644
index 000000000..fe05effd9
--- /dev/null
+++ b/makefu/2configs/dcpp/airdcpp.nix
@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+ krebs.airdcpp = {
+ enable = true;
+ extraGroups = [ "download" ];
+ web.port = 5600;
+ web.users.makefu.password = builtins.readFile <secrets/airdcpp-makefu.pw>; # watch out for newline!
+ hubs."krebshub" =
+ { Nick = "makefu-${config.krebs.build.host.name}";
+ Password = builtins.readFile <secrets/krebshub.pw>;
+ Server = "adcs://hub.nsupdate.info:411";
+ AutoConnect = true;
+ };
+ dcpp = {
+ shares = {
+ # Incoming must be writeable!
+ incoming = { path = config.makefu.dl-dir + "/finished/dcpp"; incoming = true; };
+ audiobooks.path = config.makefu.dl-dir + "/finished/audiobooks";
+ };
+ Nick = "makefu";
+ DownloadSpeed = "1000";
+ UploadSpeed = "1000";
+ };
+ };
+ networking.firewall.allowedTCPPorts =
+ [ config.krebs.airdcpp.dcpp.InPort
+ config.krebs.airdcpp.dcpp.TLSPort
+ ];
+ networking.firewall.allowedUDPPorts = [ config.krebs.airdcpp.dcpp.UDPPort ];
+
+ services.nginx.virtualHosts."dcpp.${config.krebs.build.host.name}.r".locations."/" =
+ { proxyPass = "http://localhost:${toString config.krebs.airdcpp.web.port}/";
+
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ gzip_types text/plain application/javascript;
+
+ # Proxy websockets
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ '';
+ };
+
+}
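Review bot: Both passwords are pulled in with `builtins.readFile` at evaluation time, so they become part of the evaluated configuration. The `makefu.airdcpp` module deleted in this same commit rendered `web.users.*.password` into a `pkgs.writeText` file and traced a plain-text warning; if `krebs.airdcpp` (not shown here) does the same, the values end up world-readable in `/nix/store`. The comment `# watch out for newline!` flags the trailing-newline problem without handling it, and the hub `Password` line has the same issue with no comment at all. I would strip it explicitly with `lib.removeSuffix "\n" (builtins.readFile <secrets/airdcpp-makefu.pw>)`, adding `lib` to the function arguments, and note in a comment that these secrets are store-visible unless the module accepts a path read at service start. The nginx location also forwards the web UI login with no `forceSSL` or access restriction on the lines shown, so confidentiality presumably rests on the `.r` network alone; that assumption deserves a comment.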
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 6192a92a5..61cba86d9 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -10,24 +10,11 @@ with import <stockholm/lib>;
}
./editor/vim.nix
./binary-cache/nixos.nix
+ ./minimal.nix
];
- boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
-
- programs.command-not-found.enable = false;
-
- nix.package = pkgs.nixUnstable;
-
- nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
- krebs = {
- enable = true;
-
- dns.providers.lan = "hosts";
- search-domain = "r";
- build.user = config.krebs.users.makefu;
- };
-
- users.extraUsers = {
+ # users are super important
+ users.users = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
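Review bot: This is not a pure move, because several removed settings do not reappear in the new `2configs/minimal.nix`. `nix.package = pkgs.nixUnstable;` is removed in this hunk, and `nix.maxJobs = 2;`, the `PYTHONSTARTUP` line and the `get` package are removed in the following hunk. Hosts importing `default.nix` therefore change behaviour silently; if that is intended the commit message should say so, otherwise `nix.maxJobs = 2;` belongs next to `nix.buildCores` in minimal.nix. The new comment `# users are super important` tells a reader nothing; something like `# accounts are declared here; ssh login uses the makefu pubkey` would describe what the block (which continues past this hunk) actually sets.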
@@ -37,80 +24,39 @@ with import <stockholm/lib>;
home = "/home/makefu";
createHome = true;
useDefaultShell = true;
- extraGroups = [
- "wheel"
- ];
+ extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
- networking.hostName = config.krebs.build.host.name;
- nix.maxJobs = 2;
- nix.buildCores = config.krebs.build.host.cores;
+ boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
- time.timeZone = "Europe/Berlin";
+ nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
+ krebs = {
+ enable = true;
- programs.ssh = {
- startAgent = false;
+ dns.providers.lan = "hosts";
+ search-domain = "r";
+ build.user = config.krebs.users.makefu;
};
- services.openssh.enable = true;
- nix.useSandbox = true;
- users.mutableUsers = false;
- boot.tmpOnTmpfs = true;
- networking.firewall.rejectPackets = true;
- networking.firewall.allowPing = true;
+ boot.tmpOnTmpfs = true;
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -"
];
- nix.nixPath = [ "/var/src" ];
- environment.variables = let
- ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- in {
- NIX_PATH = mkForce "/var/src";
- EDITOR = mkForce "vim";
- CURL_CA_BUNDLE = ca-bundle;
- GIT_SSL_CAINFO = ca-bundle;
- SSL_CERT_FILE = ca-bundle;
- };
environment.systemPackages = with pkgs; [
jq
git
- get
gnumake
rxvt_unicode.terminfo
htop
];
- programs.bash = {
- enableCompletion = true;
- interactiveShellInit = ''
- HISTCONTROL='erasedups:ignorespace'
- HISTSIZE=900001
- HISTFILESIZE=$HISTSIZE
-
- PYTHONSTARTUP="~/.pythonrc";
-
- shopt -s checkhash
- shopt -s histappend histreedit histverify
- shopt -s no_empty_cmd_completion
- '';
-
- promptInit = ''
- case $UID in
- 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
- 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
- *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
- esac
- if test -n "$SSH_CLIENT"; then
- PS1='\[\033[35m\]\h'" $PS1"
- fi
- '';
- };
+ programs.bash.enableCompletion = true;
environment.shellAliases = {
# TODO: see .aliases
@@ -126,12 +72,6 @@ with import <stockholm/lib>;
tinc = pkgs.tinc_pre;
};
- networking.timeServers = [
- "pool.ntp.org"
- "time.windows.com"
- "time.apple.com"
- "time.nist.gov"
- ];
nix.extraOptions = ''
auto-optimise-store = true
@@ -145,26 +85,5 @@ with import <stockholm/lib>;
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
- # Enable IPv6 Privacy Extensions
- boot.kernel.sysctl = {
- "net.ipv6.conf.all.use_tempaddr" = 2;
- "net.ipv6.conf.default.use_tempaddr" = 2;
- };
- i18n = {
- consoleKeyMap = "us";
- defaultLocale = "en_US.UTF-8";
- };
- # suppress chrome autit event messages
- security.audit = {
- rules = [
- "-a task,never"
- ];
- };
- system.activationScripts.state = optionalString (config.state != []) ''
- cat << EOF
- This machine is burdened with state:
- ${concatMapStringsSep "\n" (d: "* ${d}") config.state}
- EOF
- '';
}
diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix
new file mode 100644
index 000000000..d764e5624
--- /dev/null
+++ b/makefu/2configs/minimal.nix
@@ -0,0 +1,88 @@
+{ lib, pkgs, config, ... }:
+# minimal subset of sane configuration for stockholm
+{
+ # nobody needs this
+ programs.command-not-found.enable = false;
+
+ # the only true timezone (even after the the removal of DST)
+ time.timeZone = "Europe/Berlin";
+
+ networking.hostName = config.krebs.build.host.name;
+ nix.buildCores = config.krebs.build.host.cores;
+
+ # we use gpg if necessary (or nothing at all)
+ programs.ssh.startAgent = false;
+
+ # all boxes look the same
+ nix.useSandbox = true;
+ # we configure users via nix
+ users.mutableUsers = false;
+
+ # sane firewalling
+ networking.firewall.rejectPackets = true;
+ networking.firewall.allowPing = true;
+
+ # openssh all the way down
+ services.openssh.enable = true;
+
+ # we use stockholm via populate
+ nix.nixPath = [ "/var/src" ];
+
+ environment.variables = let
+ ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ in {
+ NIX_PATH = lib.mkForce "/var/src";
+ EDITOR = lib.mkForce "vim";
+ CURL_CA_BUNDLE = ca-bundle;
+ GIT_SSL_CAINFO = ca-bundle;
+ SSL_CERT_FILE = ca-bundle;
+ };
+
+ programs.bash = {
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=900001
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ '';
+
+ promptInit = ''
+ case $UID in
+ 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
+ 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
+ *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\033[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+ # trust the cool guys
+ networking.timeServers = [
+ "pool.ntp.org"
+ "time.nist.gov"
+ ];
+
+ # the only locale you will ever need
+ i18n = {
+ consoleKeyMap = "us";
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ # suppress chrome autit event messages
+ security.audit = {
+ rules = [
+ "-a task,never"
+ ];
+ };
+
+ # Enable IPv6 Privacy Extensions
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+}
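Review bot: `security.audit.rules = [ "-a task,never" ]` turns off syscall audit record generation for every task when auditing is enabled, not only for chrome as the comment claims (`autit` is also a typo). Living in minimal.nix, it now reads as the baseline for every host. On server hosts that removes an audit trail that is useful during incident response, so I would reword the comment to `# disables syscall auditing for all processes (added to silence chrome audit spam)` and consider moving the rule to a desktop profile. Separately, `services.openssh.enable = true;` is set with no authentication settings on the visible lines; if no other module sets it, `services.openssh.passwordAuthentication = false;` would match the key-only accounts declared in default.nix.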
diff --git a/makefu/3modules/airdcpp.nix b/makefu/3modules/airdcpp.nix
deleted file mode 100644
index 5250ee67a..000000000
--- a/makefu/3modules/airdcpp.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import <stockholm/lib>; #genid
-let
- cfg = config.makefu.airdcpp;
-
- out = {
- options.makefu.airdcpp = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = with types;{
- enable = mkEnableOption "airdcpp";
-
- package = mkOption {
- type = package;
- default = pkgs.airdcpp-webclient;
- };
-
- user = mkOption {
- description = ''
- user which will run udpt. if kept default a new user will be created
- '';
- type = str;
- default = "airdcpp";
- };
- extraGroups = mkOption {
- description = ''extra groups for the user (only for default user)'';
- type = listOf str;
- default = [];
- example = [ "nginx" ];
- };
-
- stateDir = mkOption {
- description = ''
- directory for storing state (pid,config)
- '';
- type = str;
- default = "/var/lib/airdcpp";
- };
- dcpp = {
- Nick = mkOption {
- description = ''
- Nick Name for connection
- '';
- type = str;
- default = "kevin";
- };
- InPort = mkOption {
- description = "Input Port";
- type = int;
- default = 16849;
- };
- UDPPort = mkOption {
- description = "UDP open Port";
- type = int;
- default = 16849;
- };
- TLSPort = mkOption {
- description = "TLS open Port";
- type = int;
- default = 16869;
- };
- DownloadSpeed = mkOption {
- description = "Total Download Speed in Mbps/s";
- type = str;
- default = "100";
- };
- UploadSpeed = mkOption {
- description = "Total Upload Speed in Mbp/s";
- type = str;
- default = "100";
- };
- shares = mkOption {
- default = {};
- type = attrsOf (submodule ( { config, ... }: {
- options = {
- path = mkOption {
- description = "path to the share";
- type = str;
- };
- incoming = mkOption {
- description = "incoming";
- type = bool;
- default = false;
- };
- };
- }));
- };
- initialConfigFile = mkOption {
- description = ''
- path inital DCPlusPlus.xml configuration if none exists
- '';
- type = nullOr path;
- default = null;
- };
- };
- web = {
- port = mkOption {
- description = ''web-ui port
-
- NOTE: once the initial config had been written to the state directory it will not be replaced
- '';
- type = int;
- default = 5600;
- };
- initialConfigFile = mkOption {
- description = ''
- path inital WebServer.xml configuration if none exists
- '';
- type = nullOr path;
- default = null;
- };
- # TODO: tlsPort
- users = mkOption {
- type = attrsOf (submodule ( { config, ... }: {
- options = {
- password = mkOption {
- description = "password of user";
- type = str;
- };
- permissions = mkOption {
- description = "user permissions";
- type = str;
- default = "admin";
- };
- };
- }));
- };
- };
- };
-
- imp = let
- genUsers = users: concatMapStringsSep "\n" (user:
- ''<WebUser Username="${user.name}" Password="${user.password}" LastLogin="0" Permissions="${user.permissions}"/>'' )
- (mapAttrsToList (name: val: val // { inherit name; }) users);
- genShares = shares: concatMapStringsSep "\n" (share:
- ''<Directory Virtual="stockholm" Incoming="${
- if share.incoming then "1" else "0"
- }" LastRefreshTime="0">${share.path}</Directory>'' )
- (mapAttrsToList (name: val: val // { inherit name; }) shares);
- webConfigFile = if (cfg.web.initialConfigFile == null) then builtins.trace "warning: airdcpp passwords are stored in plain text" pkgs.writeText "initial-config" ''
- <?xml version="1.0" encoding="utf-8" standalone="yes"?>
- <WebServer>
- <Config>
- <Server Port="${toString cfg.web.port}"/>
- <TLSServer Port="0" Certificate="" CertificateKey=""/>
- </Config>
- <WebUsers>${genUsers cfg.web.users}
- </WebUsers>
- </WebServer>
- '' else cfg.web.initialConfigFile;
- dcppConfigFile = if (cfg.dcpp.initialConfigFile == null) then pkgs.writeText "initial-config" ''
- <?xml version="1.0" encoding="utf-8" standalone="yes"?>
- <DCPlusPlus>
- <Settings>
- <Nick type="string">${cfg.dcpp.Nick}</Nick>
- <ConfigVersion type="string">${cfg.package.version}</ConfigVersion>
- <InPort type="int">${toString cfg.dcpp.InPort}</InPort>
- <UDPPort type="int">${toString cfg.dcpp.UDPPort}</UDPPort>
- <TLSPort type="int">${toString cfg.dcpp.TLSPort}</TLSPort>
- <ConfigBuildNumber type="int">0</ConfigBuildNumber>
- <AutoDetectIncomingConnection type="int">0</AutoDetectIncomingConnection>
- <NoIpOverride type="int">1</NoIpOverride>
- <WizardRunNew type="int">0</WizardRunNew>
- <IPUpdate type="int">0</IPUpdate>
- <AlwaysCCPM type="int">1</AlwaysCCPM>
- <DownloadSpeed type="string">${cfg.dcpp.DownloadSpeed}</DownloadSpeed>
- <UploadSpeed type="string">${cfg.dcpp.UploadSpeed}</UploadSpeed>
- </Settings>
- <Share Token="0" Name="Default">
- ${genShares cfg.dcpp.shares}
- <NoShare/>
- </Share>
- <ChatFilterItems/>
- </DCPlusPlus>
- '' else cfg.dcpp.initialConfigFile;
- in {
- systemd.services.airdcpp = {
- description = "airdcpp webui";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- restartIfChanged = true;
- serviceConfig = {
- Type = "simple";
- ExecStartPre = pkgs.writeDash "prepare-env" ''
- d=${cfg.stateDir}/WebServer.xml
- test -e $d || install -m700 -o${cfg.user} ${webConfigFile} $d
- d=${cfg.stateDir}/DCPlusPlus.xml
- test -e $d || install -m700 -o${cfg.user} ${dcppConfigFile} $d
- '';
- PermissionsStartOnly = true;
- ExecStart = "${cfg.package}/bin/airdcppd -c=${cfg.stateDir} -p=${cfg.stateDir}/airdcpp.pid";
- PrivateTmp = true;
- WorkingDirectory = cfg.stateDir;
- User = "${cfg.user}";
- };
- };
- users = lib.mkIf (cfg.user == "airdcpp") {
- users.airdcpp = {
- uid = genid "airdcpp";
- home = cfg.stateDir;
- createHome = true;
- inherit (cfg) extraGroups;
- };
- groups.airdcpp.gid = genid "airdcpp";
- };
- };
-in
-out
-
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index f06ce3d53..7146174fb 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -2,17 +2,17 @@ _:
{
imports = [
- ./state.nix
- ./populate.nix
./awesome-extra.nix
./deluge.nix
./forward-journal.nix
./opentracker.nix
./ps3netsrv.nix
./logging-config.nix
+ ./populate.nix
./sane-extra.nix
./server-config.nix
./snapraid.nix
+ ./state.nix
./torrent.nix
./udpt.nix
];
diff --git a/makefu/3modules/state.nix b/makefu/3modules/state.nix
index 461b90152..a87f438fe 100644
--- a/makefu/3modules/state.nix
+++ b/makefu/3modules/state.nix
@@ -6,4 +6,11 @@
description = "state which is currently scattered on the machine";
default = [];
};
+
+ config.system.activationScripts.state = lib.optionalString (config.state != []) ''
+ cat << EOF
+ This machine is burdened with state:
+ ${lib.concatMapStringsSep "\n" (d: "* ${d}") config.state}
+ EOF
+ '';
}
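Review bot: The `config.state` entries are interpolated into an unquoted heredoc, so the shell running the activation script will expand any `$var`, `$(...)` or backtick inside a state string, and an entry consisting of `EOF` would end the message early. The values come from the configuration rather than from users, so this is hygiene rather than an exposed hole, but activation scripts run as root and quoting the delimiter costs nothing: `cat << 'EOF'`. The new lines also reference `lib.optionalString` and `lib.concatMapStringsSep`, so the module's argument list, which lies outside this hunk, has to bind `lib`.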
diff --git a/makefu/5pkgs/airdcpp-webclient/default.nix b/makefu/5pkgs/airdcpp-webclient/default.nix
deleted file mode 100644
index 361a7da65..000000000
--- a/makefu/5pkgs/airdcpp-webclient/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ stdenv, fetchurl
-}:
-stdenv.mkDerivation rec {
- name = "airdcpp-webclient-${version}";
- version = "2.3.0";
-
- src = fetchurl {
- url = http://web-builds.airdcpp.net/stable/airdcpp_2.3.0_webui-2.3.0_64-bit_portable.tar.gz;
- sha256 = "0yvcl0nc70fghc7vfsgvbpryi5q97arld8adql4way4qa0mdnyv1";
- };
-
- phases = [ "unpackPhase" "installPhase" ];
- installPhase = ''
- mkdir -p $out/{share,bin}
- cp -r * $out/share
- ln -s $out/share/airdcppd $out/bin/
- '';
-
- meta = with stdenv.lib; {
- # to start it: airdcpp -p=<pid-file> -c=<config-store-path (must be writeable)> --configure
- description = "dcpp client (statically precompiled)";
- homepage = http://fixme;
- license = licenses.gpl3;
- maintainers = with maintainers; [ makefu ];
- platforms = with platforms; linux;
- };
-}