From 19d5be268368f073401d07f6657cf61827c9d59c Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 10 Jun 2016 10:27:07 +0200 Subject: m 3 umts: use 1509 for wvdial package --- makefu/3modules/umts.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/3modules/umts.nix b/makefu/3modules/umts.nix index e527a5cb..300467e1 100644 --- a/makefu/3modules/umts.nix +++ b/makefu/3modules/umts.nix @@ -3,6 +3,14 @@ with config.krebs.lib; let + nixpkgs-1509 = import (pkgs.fetchFromGitHub { + owner = "NixOS"; repo = "nixpkgs-channels"; + rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda"; + sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73"; + }) {}; + + wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113 + # TODO: currently it is only netzclub umts-bin = pkgs.writeScriptBin "umts" '' #!/bin/sh @@ -62,7 +70,7 @@ let Type = "simple"; Restart = "always"; RestartSec = "10s"; - ExecStart = "${pkgs.wvdial}/bin/wvdial -n"; + ExecStart = "${wvdial}/bin/wvdial -n"; }; }; }; -- cgit v1.2.3 From 3eee2d3c860629404bf25dc55098f31b9d8bf318 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:43:50 +0200 Subject: ma 1 omo: finish hw merge for omo --- makefu/1systems/omo.nix | 47 +++++++++++++++++++--------------- makefu/2configs/fs/sda-crypto-root.nix | 6 ++--- 2 files changed, 29 insertions(+), 24 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index fbd06a9c..e71055f5 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix 
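Review bot: The `nixpkgs-1509` import pins wvdial and its entire dependency closure to an old channel snapshot, and because `ExecStart` runs that binary under systemd (the hunk shows no `User=`, so presumably as root), it will keep running whatever that snapshot contains with no path to security updates. The issue link explains why the pin exists but not when it should go away; a removal condition next to the binding stops the pin outliving the bug: `wvdial = nixpkgs-1509.wvdial; # TODO: drop once nixpkgs#16113 is fixed and pkgs.wvdial works again`. The enclosing `let` and the service definition extend beyond the hunk.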
@@ -5,9 +5,10 @@ { config, pkgs, lib, ... }: let byid = dev: "/dev/disk/by-id/" + dev; - keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; - rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; - homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3"; + keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; + rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; + rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; + primaryInterface = "enp1s0"; # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 # cryptsetup luksAddKey $dev tmpkey # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 @@ -15,14 +16,14 @@ let # omo Chassis: # __FRONT_ - # |* d2 | + # |* d0 | # | | # |* d3 | # | | - # |* d0 | + # |* d3 | # | | - # |* d1 | # |* | + # |* d2 | # | * r0 | # |_______| cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; 
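Review bot: The chassis map in the second hunk now labels two bays `d3` and none `d1` — the added line `# |* d3 |` sits below an existing `# |* d3 |` context line while `d1` disappears entirely — so the diagram no longer matches the four `d*` disk identifiers the `cryptDisk*` bindings below it represent (only `cryptDisk0` is visible here). If the bay that used to be `d1` really holds d1, the added line should read `# |* d1 |`; otherwise the upper `d3` needs relabelling. This comment is the only map an on-site operator has when pulling a failed disk from the array, so it should be right before it is trusted.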
@@ -38,27 +39,31 @@ in { [ ../. # TODO: unlock home partition via ssh - ../2configs/fs/single-partition-ext4.nix + ../2configs/fs/sda-crypto-root.nix ../2configs/zsh-user.nix ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix - ../2configs/share-user-sftp.nix - ../2configs/graphite-standalone.nix + #../2configs/graphite-standalone.nix + #../2configs/share-user-sftp.nix ../2configs/omo-share.nix + + ## as long as pyload is not in nixpkgs: + # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; krebs.retiolum.enable = true; - networking.firewall.trustedInterfaces = [ "enp3s0" ]; + networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files # tcp:655 udp:655 - tinc # tcp:8111 - graphite + # tcp:8112 - pyload # tcp:9090 - sabnzbd # tcp:9200 - elasticsearch # tcp:5601 - kibana networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ]; + networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ]; # services.openssh.allowSFTP = false; @@ -66,6 +71,9 @@ in { services.sabnzbd.enable = true; systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + virtualisation.docker.enable = true; + + # HDD Array stuff services.smartd.devices = builtins.map (x: { device = x; }) allDisks; @@ -76,15 +84,11 @@ in { disks = map toMapper [ 0 1 ]; parity = toMapper 2; }; + fileSystems = let cryptMount = name: { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; - in { - "/home" = { - device = "/dev/mapper/home"; - fsType = "ext4"; - }; - } // cryptMount "crypt0" + in cryptMount "crypt0" // cryptMount "crypt1" // cryptMount "crypt2"; 
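Review bot: The pyload container suggested in the imports comment is published with `-p 8112:8000`, and Docker (enabled further down via `virtualisation.docker.enable = true`) programs its own iptables chains for published ports, so the new `8112` entry in `allowedTCPPorts` does not actually gate that service; on top of that, `enp1s0` is now a trusted interface, which makes the whole allow list irrelevant for LAN traffic anyway. If pyload is for the LAN only, bind the publish to the LAN address (`-p <lan-ip>:8112:8000`) or to `127.0.0.1` behind the existing nginx rather than `0.0.0.0`. The `writl/pyload` image is also unpinned and restarted unconditionally (`--restart=always`), so a moved tag upstream silently changes what runs with root inside the container on this box; pin by digest (`writl/pyload@sha256:…`) in the comment. The `imports` list and the rest of the module continue outside the hunk.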
@@ -101,15 +105,16 @@ in { usbkey = name: device: { inherit name device keyFile; keyFileSize = 4096; + allowDiscards = true; }; in [ - (usbkey "home" homePartition) + (usbkey "luksroot" rootPartition) (usbkey "crypt0" cryptDisk0) (usbkey "crypt1" cryptDisk1) (usbkey "crypt2" cryptDisk2) ]; }; - loader.grub.device = rootDisk; + loader.grub.device = lib.mkForce rootDisk; initrd.availableKernelModules = [ "ahci" @@ -121,12 +126,12 @@ in { "usbhid" ]; - kernelModules = [ "kvm-amd" ]; + kernelModules = [ "kvm-intel" ]; extraModulePackages = [ ]; }; hardware.enableAllFirmware = true; - hardware.cpu.amd.updateMicrocode = true; + hardware.cpu.intel.updateMicrocode = true; zramSwap.enable = true; diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix index b82c0e44..5c7cdf71 100644 --- a/makefu/2configs/fs/sda-crypto-root.nix +++ b/makefu/2configs/fs/sda-crypto-root.nix @@ -1,16 +1,16 @@ { config, lib, pkgs, ... }: # sda: bootloader grub2 -# sda1: boot ext4 (label nixboot) +# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required: + # boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; # sda2: cryptoluks -> ext4 with config.krebs.lib; { boot = { loader.grub.enable = true; loader.grub.version = 2; - loader.grub.device = "/dev/sda"; + loader.grub.device = lib.mkDefault "/dev/sda"; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; -- cgit v1.2.3 From 365b6f3859c5f1a67cfe476a3478f62aeceff5aa Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:44:23 +0200 Subject: ma 2 fingerprint-reader: init --- makefu/2configs/hw/fingerprint-reader.nix | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 makefu/2configs/hw/fingerprint-reader.nix (limited to 'makefu') 
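Review bot: `allowDiscards = true` is added to the `usbkey` helper and therefore applied to all four LUKS devices, but TRIM pass-through only matters for the SanDisk SSD behind `luksroot`; the three `crypt*` devices are `ata-ST2000DM001-*` drives, which appear to be spinning disks, and discards on an encrypted volume leak which blocks are in use regardless of the medium. Keep the helper discard-free and opt in only where it pays off: `(usbkey "luksroot" rootPartition // { allowDiscards = true; })`. The surrounding `boot` attribute set starts before the hunk.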
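Review bot: Removing `initrd.luks.devices` from the shared `sda-crypto-root` module without anything enforcing that importers re-add it means a host that forgets will stall in the initrd with an unlockable root, and the header comment (`must be unlocked on boot if required`) is the only hint. The module still ships `cryptoModules` and `usb_storage` for exactly that purpose, so an assertion would make the contract explicit: `assertions = [ { assertion = config.boot.initrd.luks.devices != []; message = "sda-crypto-root: declare boot.initrd.luks.devices (luksroot) in the host config"; } ];`. Whether every importer's root really lives on `/dev/mapper/luksroot` is not visible here, so adjust the message if some do not.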
diff --git a/makefu/2configs/hw/fingerprint-reader.nix b/makefu/2configs/hw/fingerprint-reader.nix new file mode 100644 index 00000000..1f2f00b0 --- /dev/null +++ b/makefu/2configs/hw/fingerprint-reader.nix @@ -0,0 +1,6 @@ +_: { + # add fingerprint with fprintd-enroll + services.fprintd.enable = true; + security.pam.services.login.fprintAuth = true; + security.pam.services.xscreensaver.fprintAuth = true; +} -- cgit v1.2.3 From 501897654670ef89a99a45749af63b9e98064dd5 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:44:54 +0200 Subject: ma 1 pornocauster: add boot unlock --- makefu/1systems/pornocauster.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index fa39b121..2fb93798 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -31,6 +31,7 @@ # hardware specifics are in here ../2configs/hw/tp-x220.nix + ../2configs/hw/rtl8812au.nix # mount points ../2configs/fs/sda-crypto-root-home.nix # ../2configs/mediawiki.nix @@ -59,7 +60,6 @@ networking.firewall.allowedUDPPorts = [ 665 ]; krebs.build.host = config.krebs.hosts.pornocauster; - krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.retiolum = { enable = true; @@ -68,4 +68,6 @@ networking.extraHosts = '' 192.168.1.11 omo.local ''; + # hard dependency because otherwise the device will not be unlocked + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; } -- cgit v1.2.3 From 0bfa1dbaf0eae32fe972a42d8f9c9d16caae8b11 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:45:21 +0200 Subject: ma 2 tp-x220: minor tweaks --- makefu/2configs/hw/tp-x220.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix index be3d1eb7..1c9a3496 100644 --- a/makefu/2configs/hw/tp-x220.nix 
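Review bot: `fprintAuth = true` for `login` and `xscreensaver` makes a fingerprint an alternative to the password for console login and screen unlock, and unlike a password a fingerprint is neither secret nor rotatable; the new file documents how to enroll but not this trade-off. Whether the generated PAM stack treats the fingerprint as sufficient on its own or only as a second factor is not visible here — confirm in the resulting `/etc/pam.d/login` on the pinned channel. A one-line caveat beside the enable, e.g. `# NOTE: if PAM marks pam_fprintd sufficient, a fingerprint alone unlocks login/xscreensaver; do not enable on shared or high-value hosts`, would make the choice deliberate.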
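Review bot: The new `boot.initrd.luks.devices` entry in pornocauster names the root container by kernel device name `/dev/sda2`, while the sibling `sda-crypto-root` module's initrd loads `usb_storage` (visible in the previous commit), so a USB stick present at boot can enumerate as `sda` and the initrd would try to unlock the wrong device. omo in the same series uses `/dev/disk/by-id/…` for this; a stable name here (`device = "/dev/disk/by-uuid/<luks-uuid>";` or the by-id path) removes that dependence on enumeration order. This host imports `sda-crypto-root-home.nix`, which is not visible in this chunk — check it mirrors the `usb_storage` setup and does not declare the device a second time.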
+++ b/makefu/2configs/hw/tp-x220.nix @@ -5,7 +5,7 @@ with config.krebs.lib; imports = [ ./tp-x2x0.nix ]; boot = { - kernelModules = [ "kvm-intel" "acpi_call" ]; + kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; }; @@ -28,7 +28,7 @@ with config.krebs.lib; # enable HDMI output switching with pulseaudio hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' - ${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"} + ${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"} load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI" ''; -- cgit v1.2.3 From 50f4b1d79dce0560137f5118eb18b7af4b0e37d8 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:46:16 +0200 Subject: ma 2 tp-x2x0: add remark why to not start charge at 80 --- makefu/2configs/hw/tp-x2x0.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 7f9dc67a..c10ec131 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -22,7 +22,8 @@ with config.krebs.lib; services.tlp.enable = true; services.tlp.extraConfig = '' - START_CHARGE_THRESH_BAT0=80 + # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery + #START_CHARGE_THRESH_BAT0=80 STOP_CHARGE_THRESH_BAT0=95 CPU_SCALING_GOVERNOR_ON_AC=performance -- cgit v1.2.3 From 7dd825bed421a773db185983fdc50d2b5f704c59 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:47:21 +0200 Subject: m 2 defaut: fix .nix-defexpr in activation script" --- makefu/2configs/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'makefu') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 62daed8b..e7366e18 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix 
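Review bot: Adding `tpm-rng` to `kernelModules` only registers the TPM as a hardware RNG source; whether its output actually reaches the kernel entropy pool depends on the driver's advertised quality and, on kernels of this era, usually on an rngd-style feeder, which this hunk does not enable. If the intent is better early entropy for LUKS/ssh key material, pair it with the service that feeds `/dev/hwrng` into the pool (NixOS exposes one; confirm the option name for the pinned channel) and check `/sys/class/misc/hw_random/rng_current` reports `tpm-rng`. A comment such as `# tpm-rng: expose TPM as hwrng source; needs a feeder (rngd) to actually contribute entropy` would record the expectation.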
@@ -154,6 +154,15 @@ with config.krebs.lib; "net.ipv6.conf.default.use_tempaddr" = 2; }; + system.activationScripts.nix-defexpr = '' + (set -euf + for i in /home/makefu /root/;do + f="$i/.nix-defexpr" + rm -fr "$f" + ln -s /var/src/nixpkgs "$f" + done) + ''; + i18n = { consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; -- cgit v1.2.3 From b9c0c46b4d0f9907f1b3fc96494be96abc60c8db Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 12 Jun 2016 19:48:15 +0200 Subject: m shoney: init --- makefu/1systems/shoney.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 makefu/1systems/shoney.nix (limited to 'makefu') diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix new file mode 100644 index 00000000..ebe5222c --- /dev/null +++ b/makefu/1systems/shoney.nix @@ -0,0 +1,30 @@ +{ config, pkgs, ... }: +let + ip = "64.137.235.70"; + gw = "64.137.235.1"; +in { + imports = [ + ../. + ../../tv/2configs/hw/CAC.nix + ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix + + ]; + + # minimal resources + services.nixosManual.enable = false; + programs.man.enable = false; + nix.gc.automatic = true; + nix.gc.dates = "03:10"; + + krebs = { + enable = true; + retiolum.enable = true; + build.host = config.krebs.hosts.shoney; + }; + networking.interfaces.enp2s1.ip4 = [ { + address = ip; + prefixLength = 24; + } ]; + networking.defaultGateway = gw; + networking.nameservers = [ "8.8.8.8" ]; +} -- cgit v1.2.3 From f256bbcb11565138e92266e97856438061b623a0 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 13 Jun 2016 16:22:51 +0200 Subject: cp tv/2/*CAC -> makefu/2/ --- makefu/1systems/shoney.nix | 22 ++++++++++++++-------- makefu/1systems/wry.nix | 4 ++-- makefu/2configs/fs/CAC-CentOS-7-64bit.nix | 20 ++++++++++++++++++++ makefu/2configs/hw/CAC.nix | 13 +++++++++++++ 4 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 makefu/2configs/fs/CAC-CentOS-7-64bit.nix create mode 100644 makefu/2configs/hw/CAC.nix (limited to 'makefu') 
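Review bot: The activation script runs as root and does `rm -fr` on a path inside the unprivileged user's home (`/home/makefu/.nix-defexpr`), recursively deleting whatever the user has placed there on every switch; a root-driven recursive delete under a user-writable directory is a classic footgun even before considering races. Replacing the link in place avoids it and stays idempotent: `ln -sfnT /var/src/nixpkgs "$f"` — this refuses to clobber a real directory instead of erasing it, which is the safer failure. Note also that `set -e` inside the subshell turns a missing `/home/makefu` on a host without that user into a failed activation; a `[ -d "$i" ] || continue` guard covers that. The enclosing module continues outside the hunk.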
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index ebe5222c..16e89199 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -1,15 +1,19 @@ { config, pkgs, ... }: let - ip = "64.137.235.70"; - gw = "64.137.235.1"; + ip = "64.137.234.215"; + alt-ip = "64.137.234.210"; + extra-ip = "64.137.234.114"; #currently unused + gw = "64.137.234.1"; in { imports = [ ../. - ../../tv/2configs/hw/CAC.nix - ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/hw/CAC.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix ]; + + # minimal resources services.nixosManual.enable = false; programs.man.enable = false; @@ -21,10 +25,12 @@ in { retiolum.enable = true; build.host = config.krebs.hosts.shoney; }; - networking.interfaces.enp2s1.ip4 = [ { - address = ip; - prefixLength = 24; - } ]; + networking.interfaces.enp2s1.ip4 = [ + { address = ip; prefixLength = 24; } + { address = alt-ip; prefixLength = 24; } + ]; networking.defaultGateway = gw; networking.nameservers = [ "8.8.8.8" ]; + networking.firewall.allowedUDPPorts = [ 655 1655 ]; + networking.firewall.allowedTCPPorts = [ 655 1655 ]; } diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index d9f8ded8..ed48c6ab 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -9,8 +9,8 @@ in { imports = [ ../. # TODO: copy this config or move to krebs - ../../tv/2configs/hw/CAC.nix - ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/hw/CAC.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/headless.nix ../2configs/bepasty-dual.nix diff --git a/makefu/2configs/fs/CAC-CentOS-7-64bit.nix b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix new file mode 100644 index 00000000..c9eb97f4 --- /dev/null +++ b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix 
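Review bot: `extra-ip` is a dead `let` binding (its own comment says `#currently unused`) and `alt-ip` is added as a second address with nothing saying what will listen on it; the same hunk opens TCP/UDP 1655 on the public interface although nothing in this file binds that port yet. Unused bindings and pre-opened ports tend to outlive their reason, so either drop `extra-ip` until it is used or annotate both: `extra-ip = "64.137.234.114"; # reserved, not configured` and `# 1655: tinc siem (see services.tinc.networks.siem)`.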
@@ -0,0 +1,20 @@ +_: + +{ + boot.loader.grub = { + device = "/dev/sda"; + }; + fileSystems = { + "/" = { + device = "/dev/centos/root"; + fsType = "xfs"; + }; + "/boot" = { + device = "/dev/sda1"; + fsType = "xfs"; + }; + }; + swapDevices = [ + { device = "/dev/centos/swap"; } + ]; +} diff --git a/makefu/2configs/hw/CAC.nix b/makefu/2configs/hw/CAC.nix new file mode 100644 index 00000000..9ed18344 --- /dev/null +++ b/makefu/2configs/hw/CAC.nix @@ -0,0 +1,13 @@ +_: +{ + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + boot.loader.grub.splashImage = null; + nix = { + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + sound.enable = false; +} -- cgit v1.2.3 From c9a8bdf50f3cb2cd3b70b4669d454910bcd69654 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 14 Jun 2016 01:33:20 +0200 Subject: ma 1 dartH: fix nat from tinc --- makefu/1systems/darth.nix | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix index 2f2358dd..08ac7e66 100644 --- a/makefu/1systems/darth.nix +++ b/makefu/1systems/darth.nix 
@@ -17,19 +17,37 @@ in { ../2configs/exim-retiolum.nix ../2configs/virtualization.nix ]; - - networking.firewall.allowedUDPPorts = [ 80 655 67 ]; - networking.firewall.allowedTCPPorts = [ 80 655 ]; - networking.firewall.checkReversePath = false; + services.tinc.networks.siem = { + name = "sdarth"; + extraConfig = "ConnectTo = sjump"; + }; #networking.firewall.enable = false; - # virtualisation.nova.enableSingleNode = true; krebs.retiolum.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; - networking.wireless.enable = true; + networking = { + wireless.enable = true; + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedUDPPorts = [ 80 655 67 ]; + allowedTCPPorts = [ 80 655 ]; + }; + nat = { + enable = true; + internalIPs = [ "10.8.10.0/24" ]; + #internalInterfaces = [ "tinc.siem" ]; + externalIP = "10.8.8.2"; + externalInterface = "virbr3"; + }; + interfaces.virbr3.ip4 = [{ + address = "10.8.8.2"; + prefixLength = 24; + }]; + }; # TODO smartd omo darth gum all-in-one services.smartd.devices = builtins.map (x: { device = x; }) allDisks; -- cgit v1.2.3 From 6ac8034a47f840206d999be8ec39fedbc6b7b350 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 14 Jun 2016 01:33:41 +0200 Subject: ma 1 shoney: init siem tinc --- makefu/1systems/shoney.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'makefu') diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 16e89199..48679fe5 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -13,6 +13,7 @@ in { ]; + services.tinc.networks.siem.name = "sjump"; # minimal resources services.nixosManual.enable = false; @@ -29,6 +30,7 @@ in { { address = ip; prefixLength = 24; } { address = alt-ip; prefixLength = 24; } ]; + networking.defaultGateway = gw; networking.nameservers = [ "8.8.8.8" ]; networking.firewall.allowedUDPPorts = [ 655 1655 ]; -- cgit v1.2.3 
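Review bot: `logRefusedConnections = false` is added alongside a NAT setup and a wireless uplink, which removes the firewall's built-in record of rejected connection attempts; on a host that also opens UDP 67 (a DHCP server port) and 80/655 to every non-trusted interface, that log is the cheapest signal that something is probing it. Unless the noise has been measured to be a problem, keep the default, or at least record why it is off: `logRefusedConnections = false; # noisy on virbr3/wlan; refused SYNs are not logged`. The NAT block masquerades `10.8.10.0/24` out of `virbr3` with `externalIP = "10.8.8.2"`, a private address, so this is NAT between two RFC1918 segments rather than to the internet — worth a comment if that is intended. The `networking` set continues past the hunk.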
From 5894ecc94233b72003ac859fab8b12c8ade7766a Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 16:45:44 +0200 Subject: add siem internal network --- makefu/2configs/default.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'makefu') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index e7366e18..a753e677 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -16,6 +16,8 @@ with config.krebs.lib; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); krebs = { enable = true; + + dns.providers.siem = "hosts"; search-domain = "retiolum"; build = { user = config.krebs.users.makefu; -- cgit v1.2.3 From 55905dabdf6b6e0bbed99b6ab1349d4e24d7578a Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 16:56:13 +0200 Subject: ma 1 darth: remove nat --- makefu/1systems/darth.nix | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix index 08ac7e66..5f1d6e12 100644 --- a/makefu/1systems/darth.nix +++ b/makefu/1systems/darth.nix @@ -33,16 +33,10 @@ in { firewall = { allowPing = true; logRefusedConnections = false; - allowedUDPPorts = [ 80 655 67 ]; - allowedTCPPorts = [ 80 655 ]; - }; - nat = { - enable = true; - internalIPs = [ "10.8.10.0/24" ]; - #internalInterfaces = [ "tinc.siem" ]; - externalIP = "10.8.8.2"; - externalInterface = "virbr3"; + allowedUDPPorts = [ 80 655 1655 67 ]; + allowedTCPPorts = [ 80 655 1655 ]; }; + # fallback connection to the internal virtual network interfaces.virbr3.ip4 = [{ address = "10.8.8.2"; prefixLength = 24; -- cgit v1.2.3 From 9287a667b666a65bbabdce9394eac22843cc1d27 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 16:56:45 +0200 Subject: ma 1 pornocauster: add siem network --- makefu/1systems/pornocauster.nix | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'makefu') 
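Review bot: The rewritten allow list in darth keeps UDP 80 (`allowedUDPPorts = [ 80 655 1655 67 ]`) although no visible service on this host speaks UDP on 80 — the port 80 listener elsewhere in the series is nginx, which is TCP-only — so it is a stray allow that becomes an unnoticed hole the moment something binds it. Drop it: `allowedUDPPorts = [ 655 1655 67 ];`, and annotate 67 (`# 67: DHCP server for the virtual network`) since it is exposed on every non-trusted interface, including the wireless one. The `firewall` set is inside a `networking` block that starts before the hunk.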
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 2fb93798..7b6c1834 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -44,6 +44,14 @@ # ../2configs/temp/sabnzbd.nix ]; + services.tinc.networks.siem = { + name = "makefu"; + extraConfig = '' + ConnectTo = sdarth + ConnectTo = sjump + ''; + }; + krebs.nginx = { default404 = false; servers.default.listen = [ "80 default_server" ]; -- cgit v1.2.3 From b399ff906dc96c654d989b007c24fe7301ebd848 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 16:57:19 +0200 Subject: ma 1 shoney: enable tinc_graphs for siem tinc --- makefu/1systems/shoney.nix | 46 +++++++++++++++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 15 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 48679fe5..1fe8871d 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -1,5 +1,7 @@ { config, pkgs, ... }: let + tinc-siem-ip = "10.8.10.1"; + ip = "64.137.234.215"; alt-ip = "64.137.234.210"; extra-ip = "64.137.234.114"; #currently unused 
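Review bot: The `siem` tinc network is declared with a name and two `ConnectTo`s but no `Port`, and this host already runs retiolum (`krebs.retiolum.enable` is set in the earlier pornocauster hunk) on tinc's default 655; unless the `makefu` host file in the siem hosts directory pins a different port, the second tincd will fail to bind or collide with the first. The other siem nodes in this series open 1655, so presumably that is the intended port; make it explicit here rather than relying on the hosts file, e.g. add `Port = 1655` to `extraConfig`, and open it in `allowedUDPPorts`/`allowedTCPPorts` if this laptop should accept incoming siem connections. The enclosing attribute set continues outside the hunk.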
@@ -7,32 +9,46 @@ let in { imports = [ ../. + ../2configs/save-diskspace.nix ../2configs/hw/CAC.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ]; - services.tinc.networks.siem.name = "sjump"; - # minimal resources - services.nixosManual.enable = false; - programs.man.enable = false; - nix.gc.automatic = true; - nix.gc.dates = "03:10"; + services.tinc.networks.siem.name = "sjump"; krebs = { enable = true; retiolum.enable = true; build.host = config.krebs.hosts.shoney; + nginx.enable = true; + tinc_graphs = { + enable = true; + network = "siem"; + hostsPath = "/etc/tinc/siem/hosts"; + nginx = { + enable = true; + # TODO: remove hard-coded hostname + complete = { + listen = [ "${tinc-siem-ip}:80" ]; + server-names = [ "graphs.siem" ]; + }; + }; + }; }; - networking.interfaces.enp2s1.ip4 = [ - { address = ip; prefixLength = 24; } - { address = alt-ip; prefixLength = 24; } - ]; + networking = { + interfaces.enp2s1.ip4 = [ + { address = ip; prefixLength = 24; } + { address = alt-ip; prefixLength = 24; } + ]; - networking.defaultGateway = gw; - networking.nameservers = [ "8.8.8.8" ]; - networking.firewall.allowedUDPPorts = [ 655 1655 ]; - networking.firewall.allowedTCPPorts = [ 655 1655 ]; + defaultGateway = gw; + nameservers = [ "8.8.8.8" ]; + firewall = { + trustedInterfaces = [ "tinc.siem" ]; + allowedUDPPorts = [ 655 1655 ]; + allowedTCPPorts = [ 655 1655 ]; + }; + }; } -- cgit v1.2.3 From d5e0dcccd074d7e63cfa7fff35782cb92c101270 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 16:57:36 +0200 Subject: ma 2 save-diskspace: init --- makefu/1systems/wry.nix | 9 ++------- makefu/2configs/save-diskspace.nix | 9 +++++++++ 2 files changed, 11 insertions(+), 7 deletions(-) create mode 100644 makefu/2configs/save-diskspace.nix (limited to 'makefu') diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index ed48c6ab..5788cb65 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix 
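Review bot: `trustedInterfaces = [ "tinc.siem" ]` gives every peer of the siem VPN unrestricted access to all listeners on shoney, while the only service this hunk intends to expose there is the tinc_graphs nginx vhost bound to `${tinc-siem-ip}:80`; trusting the whole interface also means a compromised siem node reaches anything else bound to 0.0.0.0 (the retiolum tincd, sshd, …). If the pinned NixOS supports per-interface rules, prefer `networking.firewall.interfaces."tinc.siem".allowedTCPPorts = [ 80 ];`, otherwise add 80 to `allowedTCPPorts` with a comment instead of trusting the interface. `hostsPath = "/etc/tinc/siem/hosts"` and `server-names = [ "graphs.siem" ]` also hard-code what `services.tinc.networks.siem` and the `siem` dns provider should supply — the TODO already flags the hostname.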
@@ -11,7 +11,7 @@ in { # TODO: copy this config or move to krebs ../2configs/hw/CAC.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/headless.nix + ../2configs/save-diskspace.nix ../2configs/bepasty-dual.nix @@ -27,8 +27,7 @@ in { ../2configs/collectd/collectd-base.nix ]; krebs.retiolum.enable = true; - services.nixosManual.enable = false; - programs.man.enable = false; + krebs.build.host = config.krebs.hosts.wry; krebs.Reaktor = { @@ -83,9 +82,5 @@ in { nameservers = [ "8.8.8.8" ]; }; - # small machine - do not forget to gc every day - nix.gc.automatic = true; - nix.gc.dates = "03:10"; - environment.systemPackages = [ ]; } diff --git a/makefu/2configs/save-diskspace.nix b/makefu/2configs/save-diskspace.nix new file mode 100644 index 00000000..cc2b29ca --- /dev/null +++ b/makefu/2configs/save-diskspace.nix @@ -0,0 +1,9 @@ +_: +# TODO: do not check out nixpkgs master but fetch revision from github +{ + services.nixosManual.enable = false; + programs.man.enable = false; + services.journald.extraConfig = "SystemMaxUse=50M"; + nix.gc.automatic = true; + nix.gc.dates = "03:10"; +} -- cgit v1.2.3 From 0b633d01e50e4d1d022cce56ad771153f6888534 Mon Sep 17 00:00:00 2001 
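Review bot: Replacing `../2configs/headless.nix` with `../2configs/save-diskspace.nix` in wry's imports drops whatever headless.nix configured beyond the manual/man/gc settings now moved into the new module; headless.nix is not visible in this chunk, so if it also disabled X, sound or similar on this internet-facing host, those defaults come back silently with this hunk. Either import both or confirm in the commit message that headless.nix contained nothing else. The `imports` list continues outside the hunk.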
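Review bot: `SystemMaxUse=50M` caps the persistent journal for every host importing `save-diskspace.nix`, including wry, which serves bepasty and Reaktor to the internet; with a public service's traffic plus sshd logs the journal will wrap quickly, leaving no local trail for an incident. If the cap is forced by disk size, pair it with forwarding (`services.journald.forwardToSyslog` or a remote sink) or at least say so next to the value: `SystemMaxUse=50M # small CAC disk; no local log retention beyond this — forward logs if an audit trail is needed`. The `# TODO` about not checking out nixpkgs master describes the build source, not this module, and belongs where that source is defined.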
From: makefu Date: Thu, 23 Jun 2016 17:50:48 +0200 Subject: add dummy secrets --- makefu/6tests/data/secrets/bepasty-secret.nix | 1 + makefu/6tests/data/secrets/hashedPasswords.nix | 1 + makefu/6tests/data/secrets/iodinepw.nix | 1 + makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv | 0 makefu/6tests/data/secrets/retiolum.rsa_key.priv | 0 makefu/6tests/data/secrets/retiolum.rsa_key.pub | 0 makefu/6tests/data/secrets/sambacred | 0 makefu/6tests/data/secrets/ssh.makefu.id_rsa | 0 makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub | 0 makefu/6tests/data/secrets/ssh_host_ed25519_key | 0 makefu/6tests/data/secrets/tinc.krebsco.de.crt | 0 makefu/6tests/data/secrets/tinc.krebsco.de.key | 0 makefu/6tests/data/secrets/tw-pass.ini | 0 makefu/6tests/data/secrets/wildcard.krebsco.de.crt | 0 makefu/6tests/data/secrets/wildcard.krebsco.de.key | 0 15 files changed, 3 insertions(+) create mode 100644 makefu/6tests/data/secrets/bepasty-secret.nix create mode 100644 makefu/6tests/data/secrets/hashedPasswords.nix create mode 100644 makefu/6tests/data/secrets/iodinepw.nix create mode 100644 makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv create mode 100644 makefu/6tests/data/secrets/retiolum.rsa_key.priv create mode 100644 makefu/6tests/data/secrets/retiolum.rsa_key.pub create mode 100644 makefu/6tests/data/secrets/sambacred create mode 100644 makefu/6tests/data/secrets/ssh.makefu.id_rsa create mode 100644 makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub create mode 100644 makefu/6tests/data/secrets/ssh_host_ed25519_key create mode 100644 makefu/6tests/data/secrets/tinc.krebsco.de.crt create mode 100644 makefu/6tests/data/secrets/tinc.krebsco.de.key create mode 100644 makefu/6tests/data/secrets/tw-pass.ini create mode 100644 makefu/6tests/data/secrets/wildcard.krebsco.de.crt create mode 100644 makefu/6tests/data/secrets/wildcard.krebsco.de.key (limited to 'makefu') 
diff --git a/makefu/6tests/data/secrets/bepasty-secret.nix b/makefu/6tests/data/secrets/bepasty-secret.nix new file mode 100644 index 00000000..f5e70470 --- /dev/null +++ b/makefu/6tests/data/secrets/bepasty-secret.nix @@ -0,0 +1 @@ +"derp" diff --git a/makefu/6tests/data/secrets/hashedPasswords.nix b/makefu/6tests/data/secrets/hashedPasswords.nix new file mode 100644 index 00000000..0967ef42 --- /dev/null +++ b/makefu/6tests/data/secrets/hashedPasswords.nix @@ -0,0 +1 @@ +{} diff --git a/makefu/6tests/data/secrets/iodinepw.nix b/makefu/6tests/data/secrets/iodinepw.nix new file mode 100644 index 00000000..f5e70470 --- /dev/null +++ b/makefu/6tests/data/secrets/iodinepw.nix @@ -0,0 +1 @@ +"derp" diff --git a/makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv b/makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/retiolum.rsa_key.priv b/makefu/6tests/data/secrets/retiolum.rsa_key.priv new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/retiolum.rsa_key.pub b/makefu/6tests/data/secrets/retiolum.rsa_key.pub new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/sambacred b/makefu/6tests/data/secrets/sambacred new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/ssh.makefu.id_rsa b/makefu/6tests/data/secrets/ssh.makefu.id_rsa new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub b/makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/ssh_host_ed25519_key b/makefu/6tests/data/secrets/ssh_host_ed25519_key new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/tinc.krebsco.de.crt b/makefu/6tests/data/secrets/tinc.krebsco.de.crt new file mode 100644 index 00000000..e69de29b 
diff --git a/makefu/6tests/data/secrets/tinc.krebsco.de.key b/makefu/6tests/data/secrets/tinc.krebsco.de.key new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/tw-pass.ini b/makefu/6tests/data/secrets/tw-pass.ini new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/wildcard.krebsco.de.crt b/makefu/6tests/data/secrets/wildcard.krebsco.de.crt new file mode 100644 index 00000000..e69de29b diff --git a/makefu/6tests/data/secrets/wildcard.krebsco.de.key b/makefu/6tests/data/secrets/wildcard.krebsco.de.key new file mode 100644 index 00000000..e69de29b -- cgit v1.2.3 From b709634ce9e61323b19aaf1b31c433f79f556fad Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 17:54:12 +0200 Subject: ma 2 add support for dummy secrets --- makefu/2configs/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index a753e677..422927b2 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -26,7 +26,9 @@ with config.krebs.lib; url = https://github.com/nixos/nixpkgs; rev = "63b9785"; # stable @ 2016-06-01 }; - secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/"; + secrets = if getEnv "dummy_secrets" == "true" + then toString + else "/home/makefu/secrets/${config.krebs.build.host.name}"; stockholm = "/home/makefu/stockholm"; # Defaults for all stockholm users? -- cgit v1.2.3 From 3716ece83b97500e39d08b45acf34dbb78af4b29 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jun 2016 23:13:50 +0200 Subject: m 5 bintray-upload:init --- makefu/5pkgs/bintray-upload/default.nix | 19 +++++++++++++++++++ makefu/5pkgs/default.nix | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 makefu/5pkgs/bintray-upload/default.nix (limited to 'makefu') 
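Review bot: `secrets` is now chosen by `getEnv "dummy_secrets"`, which makes evaluation impure and means a stray `dummy_secrets=true` in the deploying shell would build a real host with the `6tests/data/secrets` fixtures — empty `tinc.krebsco.de.key`/`ssh_host_ed25519_key` files, `{}` for `hashedPasswords` and `"derp"` as the bepasty secret — without any error. As rendered the `then` branch reads just `toString`, a bare function; presumably a `<secrets>` NIX_PATH lookup was lost in the HTML, so verify the committed line. Guard the dummy path against production hosts, e.g. `assert getEnv "dummy_secrets" != "true" || config.krebs.build.host.name == "<ci-host>";`, or move the switch into the test entry point instead of the shared default.nix. The enclosing attribute set (the `krebs.build` source definitions, by the look of the context lines) begins before the hunk.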
diff --git a/makefu/5pkgs/bintray-upload/default.nix b/makefu/5pkgs/bintray-upload/default.nix new file mode 100644 index 00000000..1e9582cc --- /dev/null +++ b/makefu/5pkgs/bintray-upload/default.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: + +pkgs.python3Packages.buildPythonPackage rec { + name = "bintray-upload-${version}"; + version = "0.1.2"; + src = pkgs.fetchFromGitHub { + owner = "makefu"; + repo = "bintray-upload"; + rev = "4e76724"; + sha256 = "1401saisk98n5wgw73nwh8hb484vayw5c6dlypxc1fp4ybym4zi9"; + }; + + propagatedBuildInputs = with pkgs.python3Packages; [ requests2 ]; + + meta = { + description = "Simple BinTray utility for uploading packages"; + license = pkgs.stdenv.lib.licenses.asl20; + }; +} diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 6d227fa6..bb6290af 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -13,7 +13,8 @@ in nodemcu-uploader = callPackage ./nodemcu-uploader {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; inherit (callPackage ./devpi {}) devpi-web devpi-server; - skytraq-logger = callPackage ./skytraq-logger/ {}; + skytraq-logger = callPackage ./skytraq-logger {}; taskserver = callPackage ./taskserver {}; + bintray-upload = callPackage ./bintray-upload {}; }; } -- cgit v1.2.3
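Review bot: `rev = "4e76724"` is a 7-character abbreviated commit id; the `sha256` pins the content so the build stays reproducible, but an abbreviated rev becomes ambiguous as the upstream repository grows and is not enough to re-locate the exact source if the fetch ever has to be redone from a mirror. Use the full 40-character hash (`rev = "4e76724<full-hash>";`) as nixpkgs convention expects, and add `meta.homepage` so a reviewer can find what was pinned without decoding the owner/repo pair.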