From 6986e1aaf396736c994c2684eef23b379a3022e1 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Dec 2016 06:33:10 +0100 Subject: tv netcup: bump rev/sha256 --- tv/5pkgs/netcup/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tv/5pkgs/netcup/default.nix b/tv/5pkgs/netcup/default.nix index 6d2ec6896..d1f46299d 100644 --- a/tv/5pkgs/netcup/default.nix +++ b/tv/5pkgs/netcup/default.nix @@ -17,8 +17,8 @@ stdenv.mkDerivation { name = "netcup-1.0.0"; src = fetchgit { url = "http://cgit.ni.krebsco.de/netcup"; - rev = "tags/v1.0.0"; - sha256 = "0m6mk16pblvnapxykxdccvphslbv1gjfziyr86bnqin1xb1g99bq"; + rev = "refs/tags/v1.0.0"; + sha256 = "1rn7bncfhjw0bqjbvj38m7lks4nyf5qcvkj9dg0zr99ba6dylzx5"; }; phases = [ "unpackPhase" "patchPhase" "installPhase" ]; patchPhase = '' -- cgit v1.2.3 From 11b9f250ad43db043f539d86699c981c81d74c0a Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Dec 2016 06:33:39 +0100 Subject: tv nixpkgs: 81428dd -> 1dd0fb6 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index ea97b1957..fcaec4925 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "81428dd022c26764e9066d381ece90b1e88bd0d2"; + ref = "1dd0fb6b5a7c44d1b632466f936ca74268d13298"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; -- cgit v1.2.3 From 72f465f719d362fb54c061979d2ad87a5c203b5b Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Dec 2016 20:53:04 +0100 Subject: krebs.backup: shellcheck disable=SC2174 --- krebs/3modules/backup.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 96b283002..bfb0ab591 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix 
@@ -137,6 +137,9 @@ let echo >&2 "update snapshot current; $rsync_dst <- $rsync_src" ''; }} + # In `dst-rsync`'s `mkdir m 0700 -p` above, we care only about permission + # of the deepest directory: + # shellcheck disable=SC2174 ${local.rsync} >&2 \ -aAXF --delete \ --rsh=${shell.escape ssh} \ -- cgit v1.2.3 From 60a753e9d54ceef30f58b0fa689d666ebc06452d Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Dec 2016 21:53:09 +0100 Subject: tv public_html: add server names --- tv/2configs/nginx/public_html.nix | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index e0bbb8d57..4c74d2250 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -5,11 +5,19 @@ with import ; { krebs.nginx = { enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + servers.default = { + server-names = [ + "localhost" + "${config.krebs.build.host.name}" + "${config.krebs.build.host.name}.r" + "${config.krebs.build.host.name}.retiolum" + ]; + locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; }; tv.iptables.input-internet-accept-tcp = singleton "http"; } -- cgit v1.2.3 From f063555edaf420dd31e4496c4de0dad5eb3c8b9e Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 08:18:09 +0100 Subject: tv nixpkgs: 1dd0fb6 -> 5d03aab --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index fcaec4925..dc26a6c6f 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix 
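Review bot: The first added comment line reads `mkdir m 0700 -p`, which presumably means `mkdir -m 0700 -p` (the form SC2174 warns about); as written it does not match the command it points to, and the `dst-rsync` definition it refers to sits outside the hunk. I would change that line so the command reads `mkdir -m 0700 -p` and say "the permissions of the deepest directory" on the second line. The `# shellcheck disable=SC2174` directive is attached to the rsync invocation rather than to the mkdir itself; if the mkdir is embedded in the rsync command string, that placement is what shellcheck needs, but a short aside such as `# (placed here because the mkdir is part of the rsync command string)` would save the next reader the detour.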
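Review bot: `"${config.krebs.build.host.name}"` in the new server-names list wraps a single string-valued expression in an interpolation; `config.krebs.build.host.name` on its own is the idiomatic form and distinguishes it from the `.r`/`.retiolum` entries that genuinely need interpolation. The same pattern is carried into the later public_html.nix rewrite to services.nginx.virtualHosts in this series. The enclosing `krebs.nginx` attrset and the file header are outside the hunk.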
@@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "1dd0fb6b5a7c44d1b632466f936ca74268d13298"; + ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; -- cgit v1.2.3 From 4955ba48c140008f4ccbec73eb52e28a0e64d807 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 09:07:23 +0100 Subject: cgit service: use services.nginx.virtualHosts --- krebs/3modules/git.nix | 41 ++++++++++++++++++----------------------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 20907a3ed..164831846 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix 
@@ -400,29 +400,24 @@ let chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} ''; - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.r" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; + services.nginx.virtualHosts.cgit = { + serverAliases = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.r" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations."/".extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + locations."/static/".extraConfig = '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + ''; }; }; -- cgit v1.2.3 From 03689799d66e8a58caf340e721e229524091eb2d Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 09:47:06 +0100 Subject: tv: RIP xu-qemu0 --- tv/1systems/xu-qemu0.nix | 28 ------ tv/1systems/xu.nix | 1 - tv/2configs/xu-qemu0.nix | 250 ----------------------------------------------- 3 files changed, 279 deletions(-) delete mode 100644 tv/1systems/xu-qemu0.nix delete mode 100644 tv/2configs/xu-qemu0.nix diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix deleted file mode 100644 index 8945c1907..000000000 --- a/tv/1systems/xu-qemu0.nix +++ /dev/null 
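Review bot: `fastcgi_param HTTP_HOST $server_name;` in the new `locations."/".extraConfig` changes meaning under this migration: the NixOS module defaults `serverName` to the attribute name, so the generated `server_name` line now starts with the bare `cgit` and `$server_name` evaluates to `cgit` instead of `cgit.<hostname>` as it did with the old `server-names` list. If cgit derives its self-referential or clone URLs from HTTP_HOST, they will point at a name that does not resolve outside the host. Either set `serverName = "cgit.${config.networking.hostName}";` and drop that entry from `serverAliases`, or forward the requested name with `fastcgi_param HTTP_HOST $host;`. The same attribute-name-becomes-server_name effect applies to `virtualHosts.nix-serve` in binary-cache/default.nix and `virtualHosts.default` in public_html.nix later in this series. The removed block also carried `enable = true`, and nothing in this hunk enables `services.nginx`, so confirm it is set elsewhere.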
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - krebs.hosts.xu-qemu0 = { - cores = 1; - ssh.privkey.path = ; - # cannot define ssh.pubkey without at least one addr or alias - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04"; - }; - krebs.build.host = config.krebs.hosts.xu-qemu0; - - imports = [ - ../. - - ]; - - boot.loader.grub.device = "/dev/sda"; - - fileSystems = { - "/boot" = { - device = "/dev/sda1"; - }; - "/" = { - device = "/dev/sda2"; - fsType = "btrfs"; - }; - }; -} diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index b6fe6dc5c..974d820d5 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -17,7 +17,6 @@ with import ; ../2configs/retiolum.nix ../2configs/binary-cache ../2configs/xserver - ../2configs/xu-qemu0.nix { environment.systemPackages = with pkgs; [ diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix deleted file mode 100644 index 355a36650..000000000 --- a/tv/2configs/xu-qemu0.nix +++ /dev/null 
@@ -1,250 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - # XXX cannot use config.build.host.name here because infinite recursion when - # defining krebs.hosts.${host-name}.nets.retiolum.aliases below. - host-name = "xu"; -in - -# usage: -# echo set_password vnc correcthorze | xu-qemu0-monitor -# -# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return -# -# http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze -# -# make [install] system=xu-qemu0 target_host=10.56.0.101 - -with import ; - -{ - networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; - - tv.iptables.extra = { - nat.POSTROUTING = ["-j MASQUERADE"]; - filter.FORWARD = [ - "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" - "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" - ]; - filter.INPUT = [ - "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" - "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" - ]; - }; - - systemd.network.enable = true; - systemd.services.systemd-networkd-wait-online.enable = false; - - services.resolved.enable = mkForce false; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - - systemd.network.networks.qemubr0 = { - matchConfig.Name = "qemubr0"; - address = ["10.56.0.1/24"]; - routes = [{ - routeConfig = { - Gateway = "*"; - Destination = "10.56.0.0"; - }; - }]; - }; - systemd.network.netdevs.qemubr0 = { - netdevConfig = { - Name = "qemubr0"; - Kind = "bridge"; - }; - }; - - users.groups.qemu-users.gid = genid "qemu-users"; - - environment.etc."qemu/bridge.conf".text = '' - allow qemubr0 - ''; - - krebs.per-user.tv.packages = [ - ]; - - users.users.xu-qemu0 = { - createHome = true; - group = "qemu-users"; - home = "/home/xu-qemu0"; - uid = genid "xu-qemu0"; - }; - - systemd.services.xu-qemu0 = let - in { - after = [ "network.target" "systemd-resolved.service" ]; - serviceConfig = { - User = "xu-qemu0"; - SyslogIdentifier = "xu-qemu0"; - ExecStart = pkgs.writeDash "xu-qemu0" '' - set -efu - ${pkgs.coreutils}/bin/mkdir -p "$HOME/tmp" 
- img=$HOME/tmp/xu-qemu0.raw - if ! test -e "$img"; then - ${pkgs.kvm}/bin/qemu-img create "$img" 10G - fi - exec ${pkgs.kvm}/bin/qemu-kvm \ - -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \ - -boot order=cd \ - -cdrom ${pkgs.fetchurl { - url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; - sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9"; - }} \ - -m 1024 \ - -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \ - -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \ - -drive file="$img",format=raw \ - -display vnc=:1,websocket=5701,password,lossy \ - -name xu-qemu0 \ - ''; - }; - }; - - krebs.setuid.xu-qemu0-monitor = { - filename = pkgs.writeDash "xu-qemu0-monitor" '' - exec ${pkgs.socat}/bin/socat \ - stdio \ - UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \ - ''; - owner = "xu-qemu0"; - group = "tv"; - }; - - krebs.setuid.qemu-bridge-helper = { - filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; - group = "qemu-users"; - }; - - users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq"; - - # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName - services.dbus.packages = [ pkgs.dnsmasq ]; - - systemd.services.qemu-dnsmasq = let - # bind-interfaces - conf = pkgs.writeText "qemu-dnsmasq.conf" '' - listen-address=10.56.0.1 - interface=qemubr0 - dhcp-range=10.56.0.200,10.56.0.250 - dhcp-no-override - dhcp-leasefile=/tmp/qemu-dnsmasq.leases - domain=${host-name}.local - dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m - ''; - in { - after = [ "network.target" "systemd-resolved.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "dbus"; - BusName = "uk.org.thekelleys.dnsmasq"; - # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq] - SyslogIdentifier = "qemu-dnsmasq"; - ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}"; - ExecReload = 
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - PrivateTmp = "true"; - }; - restartTriggers = [ config.environment.etc.hosts.source ]; - }; - - - krebs.nginx.servers.init = { - server-names = [ - "init.${host-name}" - "init.${host-name}.r" - "init.${host-name}.retiolum" - ]; - extraConfig = '' - index init.txt; - root ${pkgs.writeTextFile { - name = "init-pages"; - text = '' - #! /bin/sh - set -efu - - dev=/dev/sda - pttype=dos # gpt - - case $pttype in - dos) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then - parted -s "$dev" mklabel msdos - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then - parted -s "$dev" mkpart primary ext4 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - gpt) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then - parted -s "$dev" mklabel gpt - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then - parted -s "$dev" mkpart ESP fat32 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - *) - echo "Error: bad pttype: $pttype" >&2 - exit -1 - esac - - if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then - parted -s "$dev" mkpart primary btrfs 513MiB 100% - fi - if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then - mkfs.vfat "$dev"1 - fi - if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then - mkfs.btrfs "$dev"2 - fi - - parted "$dev" print - - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then - mount "$dev"2 /mnt - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then - mkdir -m 0000 -p /mnt/boot - mount "$dev"1 /mnt/boot - fi - - lsblk "$dev" - - key=${shell.escape config.krebs.users.tv-xu.pubkey} - - if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then - mkdir -p /root/.ssh - echo "$key" > /root/.ssh/authorized_keys - fi - systemctl start sshd - ip route - echo READY. 
- ''; - destination = "/init.txt"; - }}; - ''; - }; - - - krebs.hosts.${host-name}.nets.retiolum.aliases = [ - "init.${host-name}.r" - "init.${host-name}.retiolum" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - - krebs.nginx.servers.noVNC = { - server-names = [ - "vnc.${host-name}" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701; - locations = singleton (nameValuePair "/" '' - index vnc.html; - root ${pkgs.noVNC}; - ''); - }; -} -- cgit v1.2.3 From eafa36c2b10ddf16163007aa58ed5e2444c251b6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 09:46:32 +0100 Subject: tv: replace krebs.nginx by services.nginx.virtualHosts --- tv/2configs/binary-cache/default.nix | 10 +++++----- tv/2configs/nginx/default.nix | 12 ++++++------ tv/2configs/nginx/public_html.nix | 14 ++++++-------- 3 files changed, 17 insertions(+), 19 deletions(-) diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 5902f1895..39c944b1a 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -19,15 +19,15 @@ source-path = toString + "/nix-serve.key"; }; - krebs.nginx = { + services.nginx = { enable = true; - servers.nix-serve = { - server-names = [ + virtualHosts.nix-serve = { + serverAliases = [ "cache.${config.krebs.build.host.name}.gg23" ]; - locations = singleton (nameValuePair "/" '' + locations."/".extraConfig = '' proxy_pass http://localhost:${toString config.services.nix-serve.port}; - ''); + ''; }; }; } diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 39995c052..277f459f0 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix 
@@ -3,15 +3,15 @@ with import ; { - krebs.nginx = { - servers.default.locations = [ - (nameValuePair "= /etc/os-release" '' + services.nginx = { + virtualHosts.default = { + locations."= /etc/os-release".extraConfig = '' default_type text/plain; alias /etc/os-release; - '') - ]; + ''; + }; }; - tv.iptables = optionalAttrs config.krebs.nginx.enable { + tv.iptables = { input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 4c74d2250..9744da1e8 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -3,20 +3,18 @@ with import ; { - krebs.nginx = { + services.nginx = { enable = true; - servers.default = { - server-names = [ + virtualHosts.default = { + serverAliases = [ "localhost" "${config.krebs.build.host.name}" "${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.retiolum" ]; - locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' + alias /home/$1/public_html$2; + ''; }; }; tv.iptables.input-internet-accept-tcp = singleton "http"; -- cgit v1.2.3 From 7efec736b299d1c0235d2c12064b3afc1e5e13ff Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 23 Dec 2016 10:46:26 +0100 Subject: tv nginx: return 404 by default --- tv/2configs/nginx/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 277f459f0..0e6c2df0e 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,6 +4,13 @@ with import ; { services.nginx = { + virtualHosts._http = { + default = true; + extraConfig = '' + return 404; + ''; + }; + virtualHosts.default = { locations."= /etc/os-release".extraConfig = '' default_type text/plain; -- cgit v1.2.3 From bece7d9da29adde2c79e49c40d975dc46eed4c1e Mon Sep 17 00:00:00 2001 
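Review bot: The rewritten `tv.iptables = {` drops the `optionalAttrs config.krebs.nginx.enable` guard, so `input-retiolum-accept-tcp = singleton "http"` now opens tcp/http on retiolum for every host importing this file, including ones that never enable nginx. Keeping the firewall rule tied to the service would be `tv.iptables = optionalAttrs config.services.nginx.enable {`. The `services.nginx` block above also names its only virtual host `default` without `default = true`, so which server answers an unmatched Host header depends on definition order; the next commit in this series adds an explicit `_http` catch-all for that.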
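Review bot: `return 404;` in `virtualHosts._http.extraConfig` is emitted at server level, where nginx evaluates it in the server rewrite phase before any location matching, so any `locations` another module later merges into `_http` would be unreachable without an error. That is fine for a pure catch-all, but worth stating, e.g. `# catch-all for Host headers matching no other vhost; a server-level return precedes location matching`. Setting `default = true` here is the right way to stop `virtualHosts.default` from being picked by definition order, since the module renders it as `default_server` on the listen directive.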
From: tv Date: Fri, 23 Dec 2016 11:09:36 +0100 Subject: tv nginx: enable recommendations --- tv/2configs/nginx/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 0e6c2df0e..b0acb9435 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,6 +4,10 @@ with import ; { services.nginx = { + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + virtualHosts._http = { default = true; extraConfig = '' -- cgit v1.2.3
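Review bot: `recommendedTlsSettings = true;` is enabled while no virtual host in this file or elsewhere in the series configures TLS (`_http` and `default` are plain HTTP), so it is currently a no-op; a one-line comment such as `# TLS settings are set ahead of any TLS vhost; no certificates are configured here yet` would stop a reader from hunting for missing certificate config. In the same spirit, the series' binary-cache host proxies to nix-serve with `proxy_pass`, yet `recommendedProxySettings` is not enabled here — if the pinned nixpkgs has that option, consider it for consistency. Once TLS hosts are added, `recommendedGzipSettings` should be revisited per host, since compressing responses that echo request data over TLS is the usual compression side-channel caveat.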