Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/darth.nix12
-rw-r--r--makefu/1systems/pornocauster.nix8
-rw-r--r--makefu/1systems/shoney.nix46
-rw-r--r--makefu/1systems/wry.nix9
-rw-r--r--makefu/2configs/default.nix2
-rw-r--r--makefu/2configs/save-diskspace.nix9
6 files changed, 55 insertions, 31 deletions
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 08ac7e66..5f1d6e12 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -33,16 +33,10 @@ in {
firewall = {
allowPing = true;
logRefusedConnections = false;
- allowedUDPPorts = [ 80 655 67 ];
- allowedTCPPorts = [ 80 655 ];
- };
- nat = {
- enable = true;
- internalIPs = [ "10.8.10.0/24" ];
- #internalInterfaces = [ "tinc.siem" ];
- externalIP = "10.8.8.2";
- externalInterface = "virbr3";
+ allowedUDPPorts = [ 80 655 1655 67 ];
+ allowedTCPPorts = [ 80 655 1655 ];
};
+ # fallback connection to the internal virtual network
interfaces.virbr3.ip4 = [{
address = "10.8.8.2";
prefixLength = 24;
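Review bot: Port 1655 is added to both allowedUDPPorts and allowedTCPPorts for all interfaces without a comment saying what listens there; the shoney hunk in this commit suggests it is the second tinc network ("siem"), but that is inferred, not stated in darth.nix. A one-line comment above the two lists keeps the firewall reviewable, e.g. `# 655/1655: tinc listen ports (retiolum / siem) — confirm against services.tinc.networks`. The removed nat block also leaves interfaces.virbr3.ip4 holding the former externalIP, and the new comment calls it a fallback; a note on why the address is kept once forwarding is gone would help the next reader. The enclosing networking attribute set starts before the hunk.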
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 2fb93798..7b6c1834 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -44,6 +44,14 @@
# ../2configs/temp/sabnzbd.nix
];
+ services.tinc.networks.siem = {
+ name = "makefu";
+ extraConfig = ''
+ ConnectTo = sdarth
+ ConnectTo = sjump
+ '';
+ };
+
krebs.nginx = {
default404 = false;
servers.default.listen = [ "80 default_server" ];
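Review bot: The new services.tinc.networks.siem block names two ConnectTo peers, sdarth and sjump, but nothing in the hunk says where their host key files come from; tinc needs a host config file for each ConnectTo name, so presumably the krebs module or the hosts provider added in makefu/2configs/default.nix supplies them. A comment pinning that down would save the next reader a search, e.g. `# siem: second tinc network; host files for sdarth/sjump are provided by <source> — confirm`. The enclosing module attribute set starts before the hunk.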
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 48679fe5..1fe8871d 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -1,5 +1,7 @@
{ config, pkgs, ... }:
let
+ tinc-siem-ip = "10.8.10.1";
+
ip = "64.137.234.215";
alt-ip = "64.137.234.210";
extra-ip = "64.137.234.114"; #currently unused
@@ -7,32 +9,46 @@ let
in {
imports = [
../.
+ ../2configs/save-diskspace.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
-
];
- services.tinc.networks.siem.name = "sjump";
- # minimal resources
- services.nixosManual.enable = false;
- programs.man.enable = false;
- nix.gc.automatic = true;
- nix.gc.dates = "03:10";
+ services.tinc.networks.siem.name = "sjump";
krebs = {
enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
+ nginx.enable = true;
+ tinc_graphs = {
+ enable = true;
+ network = "siem";
+ hostsPath = "/etc/tinc/siem/hosts";
+ nginx = {
+ enable = true;
+ # TODO: remove hard-coded hostname
+ complete = {
+ listen = [ "${tinc-siem-ip}:80" ];
+ server-names = [ "graphs.siem" ];
+ };
+ };
+ };
};
- networking.interfaces.enp2s1.ip4 = [
- { address = ip; prefixLength = 24; }
- { address = alt-ip; prefixLength = 24; }
- ];
+ networking = {
+ interfaces.enp2s1.ip4 = [
+ { address = ip; prefixLength = 24; }
+ { address = alt-ip; prefixLength = 24; }
+ ];
- networking.defaultGateway = gw;
- networking.nameservers = [ "8.8.8.8" ];
- networking.firewall.allowedUDPPorts = [ 655 1655 ];
- networking.firewall.allowedTCPPorts = [ 655 1655 ];
+ defaultGateway = gw;
+ nameservers = [ "8.8.8.8" ];
+ firewall = {
+ trustedInterfaces = [ "tinc.siem" ];
+ allowedUDPPorts = [ 655 1655 ];
+ allowedTCPPorts = [ 655 1655 ];
+ };
+ };
}
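Review bot: `trustedInterfaces = [ "tinc.siem" ];` switches the firewall off for every peer on the siem network, while the only service this hunk exposes there is the tinc_graphs nginx listener on `${tinc-siem-ip}:80`; allowing just that port on the interface is the narrower rule (`networking.firewall.interfaces."tinc.siem".allowedTCPPorts = [ 80 ];`, if the nixpkgs revision in use has per-interface firewall options). If the blanket trust is intentional, a comment next to it stating which siem peers are trusted and why is needed. Separately, tinc-siem-ip = "10.8.10.1" is used as the nginx listen address but nothing in this diff assigns that address to the tinc.siem interface, so the listener depends on the interface being configured elsewhere (presumably by the krebs tinc module) — confirm and note it at the let binding.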
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index ed48c6ab..5788cb65 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -11,7 +11,7 @@ in {
# TODO: copy this config or move to krebs
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/headless.nix
+ ../2configs/save-diskspace.nix
../2configs/bepasty-dual.nix
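Review bot: headless.nix is dropped from wry's imports in favour of save-diskspace.nix, but the commit only shows the man/manual/gc settings moving into the new file; if headless.nix set anything else, those settings are silently lost on wry. Either keep both imports or confirm that save-diskspace.nix covers everything headless.nix did, and say so in the commit message. The imports list continues outside the hunk.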
@@ -27,8 +27,7 @@ in {
../2configs/collectd/collectd-base.nix
];
krebs.retiolum.enable = true;
- services.nixosManual.enable = false;
- programs.man.enable = false;
+
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor = {
@@ -83,9 +82,5 @@ in {
nameservers = [ "8.8.8.8" ];
};
- # small machine - do not forget to gc every day
- nix.gc.automatic = true;
- nix.gc.dates = "03:10";
-
environment.systemPackages = [ ];
}
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index e7366e18..a753e677 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -16,6 +16,8 @@ with config.krebs.lib;
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
+
+ dns.providers.siem = "hosts";
search-domain = "retiolum";
build = {
user = config.krebs.users.makefu;
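Review bot: `dns.providers.siem = "hosts";` is added without a comment, and the option name alone does not say what it affects; the other hunks in this commit introduce a tinc network called siem, so this presumably makes names under .siem resolvable via /etc/hosts for that network's hosts. Proposed comment above the line: `# resolve names of the siem tinc network via /etc/hosts — confirm which module consumes this`. The enclosing krebs attribute set continues outside the hunk.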
diff --git a/makefu/2configs/save-diskspace.nix b/makefu/2configs/save-diskspace.nix
new file mode 100644
index 00000000..cc2b29ca
--- /dev/null
+++ b/makefu/2configs/save-diskspace.nix
@@ -0,0 +1,9 @@
+_:
+# TODO: do not check out nixpkgs master but fetch revision from github
+{
+ services.nixosManual.enable = false;
+ programs.man.enable = false;
+ services.journald.extraConfig = "SystemMaxUse=50M";
+ nix.gc.automatic = true;
+ nix.gc.dates = "03:10";
+}
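Review bot: The TODO on line 2 of the new file ("do not check out nixpkgs master but fetch revision from github") describes nothing this module does — it only disables the manual and man pages, caps the journal and enables daily gc — so it will mislead whoever next opens save-diskspace.nix; move it to the place that checks out nixpkgs or drop it. `SystemMaxUse=50M` also bounds how much journal history survives on these hosts, a trade-off worth stating: `# 50M journal cap: short log retention; ship logs elsewhere if history matters`. Finally, nix.gc.automatic only collects unreferenced store paths and old system generations keep their closures alive, so adding `nix.gc.options = "--delete-older-than 30d";` (or a window that fits the rollback needs) is what actually reclaims space on a small disk.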