diff options
author | lassulus <lass@aidsballs.de> | 2016-08-24 08:49:16 +0200 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2016-08-24 08:49:16 +0200 |
commit | 662222f8c422ac8fa3daba8bc26ab5d5cd37fda1 (patch) | |
tree | 93d5629203803e06b6f9a60219ac7b0ce315399c | |
parent | a545159c08c6a748299111184ba5a34b40d7af67 (diff) | |
parent | 56e8681fd2d5a77fe539e5506b4b8f23bc0f4261 (diff) |
Merge remote-tracking branch 'gum/master'
-rw-r--r-- | krebs/3modules/makefu/default.nix | 29 | ||||
-rw-r--r-- | makefu/1systems/gum.nix | 1 | ||||
-rw-r--r-- | makefu/1systems/omo.nix | 13 | ||||
-rw-r--r-- | makefu/1systems/wbob.nix | 65 | ||||
-rw-r--r-- | makefu/2configs/opentracker.nix | 16 | ||||
-rw-r--r-- | makefu/2configs/rtorrent.nix | 19 | ||||
-rw-r--r-- | makefu/2configs/torrent.nix | 13 | ||||
-rw-r--r-- | makefu/3modules/default.nix | 2 | ||||
-rw-r--r-- | makefu/3modules/opentracker.nix | 55 | ||||
-rw-r--r-- | makefu/3modules/rtorrent.nix | 367 |
10 files changed, 550 insertions, 30 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index e45d907d3..de5be964f 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -360,7 +360,6 @@ with config.krebs.lib; ip6.addr = "42:f9f0::10"; aliases = [ "omo.retiolum" - "tracker.makefu.r" "omo.r" ]; tinc.pubkey = '' @@ -446,6 +445,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB "gum.r" "gum.retiolum" "cgit.gum.retiolum" + "tracker.makefu.r" + "tracker.makefu.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -761,6 +762,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; }; }; + tcac-0-1 = rec { + cores = 1; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcX7rlGmGp1zCStrERXZ3XuT/j69FDBXV4ceLn9RXsG tcac-0-1 + "; + nets = { + retiolum = { + ip4.addr = "10.243.144.142"; + ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278"; + aliases = [ + "tcac-0-1.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+3zuZa8FhFBcUNdNGyTQph6Jes0WDQB4CDcEcnK9okP60Z0ONq8j + 7sKmxzQ43WFm04fd992Aa/KLbYBbXmGtYuu68DQwQGwk3HVNksp6ha7uVK1ibgNs + zJIKizpFqK4NAYit0OfAy7ugVSvtyIxg9CDhnASDZ5NRq8/OLhvo5M4c3r3lGOlO + Hv1nf4Tl2IYRln3c+AJEiw2369K46mRlt28yHeKUw1ur6hrbahnkYW+bjeliROIs + QLp8J8Jl6evtPOyZpgyGHLQ/WPsQRK5svVA9ou17R//m4KNL1kBjTfxs7GaJWHLl + HpSZTqRKsuK6K9R6kzu7NU81Wz0HXxw/qwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + } // { # hosts only maintained in stockholm, not owned by me muhbaasu = rec { diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 0d8ac0053..ab369d192 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -22,6 +22,7 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ../2configs/torrent.nix + ../2configs/opentracker.nix ]; services.smartd.devices = [ { device = "/dev/sda";} ]; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 3aa5e943e..96f7be9fc 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -50,11 +50,24 @@ in { #../2configs/share-user-sftp.nix ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix + ../2configs/torrent.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; + makefu.full-populate = true; + makefu.deluge.cfg = { + max_active_seeding = 1; + stop_seed_ratio = 1; + natpmp = true; + upnp = true; + max_upload_speed = 200; + }; + users.groups.share = { + gid = config.krebs.lib.genid "share"; + members = [ "makefu" "misa" ]; + }; networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index ff593ab35..ff176edd9 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -1,32 +1,53 @@ -{ config, pkgs, ... }: -let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; +{ config, pkgs, lib, ... }: +let + rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; + datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F"; in { - makefu.awesome = { - modkey = "Mod1"; - #TODO: integrate kiosk config into full config by templating the autostart - baseConfig = pkgs.awesomecfg.kiosk; - }; imports = [ # Include the results of the hardware scan. ../. - ../2configs/main-laptop.nix + ../2configs/zsh-user.nix + ../2configs/base-gui.nix + ../2configs/laptop-utils.nix ../2configs/virtualization.nix ../2configs/tinc/retiolum.nix ]; + krebs = { enable = true; build.host = config.krebs.hosts.wbob; }; - networking.firewall.allowedUDPPorts = [ 1655 ]; - networking.firewall.allowedTCPPorts = [ 1655 49152 ]; - services.tinc.networks.siem = { - name = "display"; - extraConfig = '' - ConnectTo = sjump + + swapDevices = [ { device = "/var/swap"; } ]; + + services.xserver = { + layout = lib.mkForce "de"; + + windowManager = lib.mkForce { + awesome.enable = false; + default = "none"; + }; + desktopManager.xfce.enable = true; + + # xrandrHeads = [ "HDMI1" "HDMI2" ]; + # prevent screen from turning off, disable dpms + displayManager.sessionCommands = '' + xset s off -dpms + xrandr --output HDMI2 --right-of HDMI1 ''; }; + networking.firewall.allowedUDPPorts = [ 655 ]; + networking.firewall.allowedTCPPorts = [ 655 49152 ]; + #services.tinc.networks.siem = { + # name = "display"; + # extraConfig = '' + # ConnectTo = sjump + # Port = 1655 + # ''; + #}; + # rt2870.bin wifi card, part of linux-unfree hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -41,20 +62,18 @@ in { hardware.cpu.intel.updateMicrocode = true; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; - fileSystems."/" = { + fileSystems = { + "/" = { device = rootdisk + "-part1"; fsType = "ext4"; + }; + "/data" = { + device = datadisk + "-part1"; + fsType = "ext4"; + }; }; # DualHead on NUC - services.xserver = { - # xrandrHeads = [ "HDMI1" "HDMI2" ]; - # prevent screen from turning off, disable dpms - displayManager.sessionCommands = '' - xset s off -dpms - xrandr --output HDMI2 --right-of HDMI1 - ''; - }; # TODO: update synergy package with these extras (username) # TODO: add crypto layer systemd.services."synergy-client" = { diff --git a/makefu/2configs/opentracker.nix b/makefu/2configs/opentracker.nix new file mode 100644 index 000000000..f98105625 --- /dev/null +++ b/makefu/2configs/opentracker.nix @@ -0,0 +1,16 @@ +{pkgs, ...}: + +let + daemon-port = 16969; + cfgfile = pkgs.writeText "opentracker-cfg" '' + ''; +in { + # Opentracker does not support local IPs (10.0.0.0/8 ) + makefu.opentracker = { + enable = true; + args = "-p ${toString daemon-port} -P ${toString daemon-port}"; + }; + networking.firewall.allowedTCPPorts = [ daemon-port ]; + networking.firewall.allowedUDPPorts = [ daemon-port ]; + +} diff --git a/makefu/2configs/rtorrent.nix b/makefu/2configs/rtorrent.nix new file mode 100644 index 000000000..9e2990cab --- /dev/null +++ b/makefu/2configs/rtorrent.nix @@ -0,0 +1,19 @@ +_: +let + listenPort = 60123; + xml-port = 5000; + authfile = <torrent-secrets/authfile>; +in { + makefu.rtorrent = { + enable = true; + web = { + enable = true; + enableAuth = true; + inherit authfile; + }; + rutorrent.enable = true; + enableXMLRPC = true; + logLevel = "debug"; + inherit listenPort; + }; +} diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix index c18db9fa3..09f3ca059 100644 --- a/makefu/2configs/torrent.nix +++ b/makefu/2configs/torrent.nix @@ -55,20 +55,21 @@ in { autoadd_enable = true; download_location = dl-dir + "/finished"; torrentfiles_location = dl-dir + "/torrents"; copy_torrent_file = true; - lsd = true; - dht = true; - upnp = true; - natpmp = true; + lsd = false; + dht = false; + upnp = false; + natpmp = false; add_paused = false; allow_remote = true; remove_seed_at_ratio = false; move_completed = false; daemon_port = daemon-port; + random_port = false; + random_outgoing_ports = true; listen_ports = [ peer-port peer-port ]; - outgoing_ports = [ peer-port peer-port ]; # performance tuning cache_expiry = 3600; - stop_seed_at_ratio = true; + stop_seed_at_ratio = false; }; }; diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 031ef1bc2..bddd96aa4 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -6,7 +6,9 @@ _: ./awesome-extra.nix ./deluge.nix ./forward-journal.nix + ./opentracker.nix ./ps3netsrv.nix + ./rtorrent.nix ./snapraid.nix ./taskserver.nix ./udpt.nix diff --git a/makefu/3modules/opentracker.nix b/makefu/3modules/opentracker.nix new file mode 100644 index 000000000..8847fc09a --- /dev/null +++ b/makefu/3modules/opentracker.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.opentracker; + + out = { + options.makefu.opentracker = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "opentracker"; + + package = mkOption { + type = types.package; + default = pkgs.opentracker; + }; + + args = mkOption { + type = types.string; + description = '' + see https://erdgeist.org/arts/software/opentracker/ for all params + ''; + default = ""; + }; + + user = mkOption { + description = '' + user which will run opentracker. by default opentracker drops all + privileges and runs in chroot after starting up as root. + ''; + type = types.str; + default = "root"; + }; + }; + + imp = { + systemd.services.opentracker = { + description = "opentracker server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + Type = "simple"; + ExecStart = "${cfg.package}/bin/opentracker ${cfg.args}"; + PrivateTmp = true; + WorkingDirectory = "/tmp"; + User = "${cfg.user}"; + }; + }; + }; +in +out + diff --git a/makefu/3modules/rtorrent.nix b/makefu/3modules/rtorrent.nix new file mode 100644 index 000000000..441707727 --- /dev/null +++ b/makefu/3modules/rtorrent.nix @@ -0,0 +1,367 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.rtorrent; + webcfg = config.makefu.rtorrent.web; + rucfg = config.makefu.rtorrent.rutorrent; + + nginx-user = config.services.nginx.user; + nginx-group = config.services.nginx.group; + fpm-socket = "/var/run/php5-fpm-rutorrent.sock"; + + webdir = rucfg.webdir; + rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ + (if (config.nixpkgs.config.allowUnfree or false) then + trace "enabling unfree packages for rutorrent" [ unrar unzip ] else + trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []) +; + rutorrent = pkgs.stdenv.mkDerivation { + name = "rutorrent-src-3.7"; + src = pkgs.fetchFromGitHub { + owner = "Novik"; + repo = "rutorrent"; + rev = "b727523a153454d4976f04b0c47336ae57cc50d5"; + sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a"; + }; + phases = [ "patchPhase" "installPhase" ]; + patchPhase = '' + cp -r $src src/ + chmod u+w -R src/ + sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \ + -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \ + "src/conf/config.php" + ''; + installPhase = '' + cp -r src/ $out + echo "replacing scgi port and host variable in conf/config.php" + ''; + }; + systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; + configFile = pkgs.writeText "rtorrent-config" '' + # THIS FILE IS AUTOGENERATED + ${optionalString (cfg.listenPort != null) '' + port_range = ${toString cfg.listenPort}-${toString cfg.listenPort} + port_random = no + ''} + + ${optionalString (cfg.watchDir != null) '' + schedule = watch_directory,5,5load_start=${cfg.watchDir}/*.torrent + ''} + + directory = ${cfg.downloadDir} + session = ${cfg.sessionDir} + + ${optionalString (cfg.enableXMLRPC ) '' + # prepare socket and set permissions. rtorrent user is part of group nginx + # TODO: configure a shared torrent group + execute_nothrow = rm,${cfg.xmlrpc-socket} + scgi_local = ${cfg.xmlrpc-socket} + schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}" + ''} + + system.file_allocate.set = ${if cfg.preAllocate then "yes" else "no"} + + # Prepare systemd logging + log.open_file = "rtorrent-systemd", ${systemd-logfile} + log.add_output = "warn", "rtorrent-systemd" + log.add_output = "notice", "rtorrent-systemd" + log.add_output = "info", "rtorrent-systemd" + # log.add_output = "debug", "rtorrent-systemd" + log.execute = ${systemd-logfile}.execute + log.xmlrpc = ${systemd-logfile}.xmlrpc + ${cfg.extraConfig} + ''; + + out = { + options.makefu.rtorrent = api; + # This only works because none of the attrsets returns the same key + config = with lib; mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf webcfg.enable rpcweb-imp) + # only build rutorrent-imp if webcfg is enabled as well + (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp) + imp + ]); + }; + + api = { + enable = mkEnableOption "rtorrent"; + + web = { + # configure NGINX to provide /RPC2 for listen address + # authentication also applies to rtorrent.rutorrent + enable = mkEnableOption "rtorrent nginx web RPC"; + + listenAddress = mkOption { + type = types.str; + description ='' + nginx listen address for rtorrent web + ''; + default = "localhost:8006"; + }; + + enableAuth = mkEnableOption "rutorrent authentication"; + authfile = mkOption { + type = types.path; + description = '' + basic authentication file to be used. + Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file. + Only in use if authentication is enabled. + ''; + }; + }; + + rutorrent = { + enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable + + package = mkOption { + type = types.package; + description = '' + path to rutorrent package. When using your own ruTorrent package, + make sure you patch the scgi_port and scgi_host. + ''; + default = rutorrent; + }; + + + webdir = mkOption { + type = types.path; + description = '' + rutorrent php files will be written to this folder. + when using nginx, be aware that the the folder should be readable by nginx. + because rutorrent does not hold mutable data in a separate folder + these files must be writable. + ''; + default = "/var/lib/rutorrent"; + }; + + }; + + package = mkOption { + type = types.package; + default = pkgs.rtorrent; + }; + + # TODO: enable xmlrpc with web.enable + enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket"; + xmlrpc-socket = mkOption { + type = types.str; + description = '' + enable xmlrpc at given socket. Required for web-interface. + + for documentation see: + https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC + ''; + default = cfg.workDir + "/rtorrent.sock"; + }; + + preAllocate = mkOption { + type = types.bool; + description = '' + Pre-Allocate torrent files + ''; + default = true; + }; + + logLevel = mkOption { + type = types.str; + description = '' + Log level to be used for systemd log + ''; + default = "warn"; + }; + + downloadDir = mkOption { + type = types.path; + description = '' + directory where torrents are stored + ''; + default = cfg.workDir + "/downloads"; + }; + + sessionDir = mkOption { + type = types.path; + description = '' + directory where torrent progress is stored + ''; + default = cfg.workDir + "/rtorrent-session"; + }; + + watchDir = mkOption { + type = with types; nullOr str; + description = '' + directory to watch for torrent files. + If unset, no watch directory will be configured + ''; + default = null; + }; + + listenPort = mkOption { + type = with types; nullOr int; + description ='' + listening port. if you want multiple ports, use extraConfig port_range + ''; + }; + + extraConfig = mkOption { + type = types.string; + description = '' + config to be placed into ${cfg.workDir}/.rtorrent.rc + + see ${cfg.package}/share/doc/rtorrent/rtorrent.rc + ''; + default = ""; + }; + + user = mkOption { + description = '' + user which will run rtorrent. if kept default a new user will be created + ''; + type = types.str; + default = "rtorrent"; + }; + + workDir = mkOption { + description = '' + working directory. rtorrent will search in HOME for `.rtorrent.rc` + ''; + type = types.str; + default = "/var/lib/rtorrent"; + }; + + }; + + imp = { + systemd.services = { + rtorrent-daemon = { + description = "rtorrent headless"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + serviceConfig = { + Type = "forking"; + ExecStartPre = pkgs.writeDash "prepare-folder" '' + mkdir -p ${cfg.workDir} ${cfg.sessionDir} + chmod 770 ${cfg.workDir} ${cfg.sessionDir} + touch ${systemd-logfile} + cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc + ''; + ExecStart = "${pkgs.tmux.bin}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; + + # PrivateTmp = true; + ## now you can simply sudo -u rtorrent tmux a + ## otherwise the tmux session is stored in some private folder in /tmp + WorkingDirectory = cfg.workDir; + Restart = "on-failure"; + User = "${cfg.user}"; + }; + }; + rtorrent-log = { + after = [ "rtorrent-daemon.service" ]; + bindsTo = [ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; + serviceConfig = { + ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; + User = "${cfg.user}"; + }; + }; + } // (optionalAttrs webcfg.enable { + rutorrent-prepare = { + after = [ "rtorrent-daemon.service" ]; + bindsTo = [ "rtorrent-daemon.service" ]; + wantedBy = [ "rtorrent-daemon.service" ]; + serviceConfig = { + Type = "oneshot"; + # we create the folder and set the permissions to allow nginx + # TODO: update files if the version of rutorrent changed + ExecStart = pkgs.writeDash "create-webconfig-dir" '' + if [ ! -e ${webdir} ];then + echo "creating webconfiguration directory for rutorrent: ${webdir}" + cp -r ${rucfg.package} ${webdir} + chown -R ${cfg.user}:${nginx-group} ${webdir} + chmod -R 770 ${webdir} + else + echo "not overwriting ${webdir}" + fi + ''; + }; + }; + }) + // (optionalAttrs rucfg.enable { }); + + users = lib.mkIf (cfg.user == "rtorrent") { + users.rtorrent = { + uid = genid "rtorrent"; + home = cfg.workDir; + group = nginx-group; + shell = "/bin/sh"; #required for tmux + isSystemUser = true; + createHome = true; + }; + groups.rtorrent.gid = genid "rtorrent"; + }; + }; + + rpcweb-imp = { + krebs.nginx.enable = mkDefault true; + krebs.nginx.servers.rtorrent = { + listen = [ webcfg.listenAddress ]; + server-names = [ "default" ]; + extraConfig = '' + ${optionalString webcfg.enableAuth '' + auth_basic "rtorrent"; + auth_basic_user_file ${webcfg.authfile}; + ''} + ${optionalString rucfg.enable '' + root ${webdir}; + ''} + ''; + locations = [ + (nameValuePair "/RPC2" '' + include ${pkgs.nginx}/conf/scgi_params; + scgi_param SCRIPT_NAME /RPC2; + scgi_pass unix:${cfg.xmlrpc-socket}; + '') + ] ++ (optional rucfg.enable + (nameValuePair "~ \.php$" '' + client_max_body_size 200M; + root ${webdir}; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm-socket}; + try_files $uri =404; + fastcgi_index index.php; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + ); + }; + }; + + rutorrent-imp = { + services.phpfpm = { + # phpfpm does not have an enable option + poolConfigs = { + rutorrent = '' + user = ${nginx-user} + group = ${nginx-group} + listen = ${fpm-socket} + listen.owner = ${nginx-user} + listen.group = ${nginx-group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + chdir = / + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + env[PATH] = ${makeBinPath rutorrent-deps} + ''; + }; + }; + }; +in +out + |