summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lass@lassul.us>2016-12-23 18:38:28 +0100
committerlassulus <lass@lassul.us>2016-12-23 18:38:28 +0100
commitb8975f6ed4cde4af3e72f0f83624221ee6351885 (patch)
tree53f0207a1b3009999b42b19c6c919b7c95b0a02b
parent1d2c9377bc7b21ff7d27c6c04873a46df083d655 (diff)
parentc208b3fa19fc161f44c52433a4e266daade4ce53 (diff)
Merge remote-tracking branch 'ni/master'
-rw-r--r--krebs/3modules/git.nix41
-rw-r--r--tv/1systems/xu-qemu0.nix28
-rw-r--r--tv/2configs/binary-cache/default.nix10
-rw-r--r--tv/2configs/default.nix2
-rw-r--r--tv/2configs/nginx/default.nix23
-rw-r--r--tv/2configs/nginx/public_html.nix14
-rw-r--r--tv/2configs/xu-qemu0.nix250
7 files changed, 47 insertions, 321 deletions
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 20907a3ed..164831846 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -400,29 +400,24 @@ let
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root}
'';
- krebs.nginx = {
- enable = true;
- servers.cgit = {
- server-names = [
- "cgit.${config.networking.hostName}"
- "cgit.${config.networking.hostName}.r"
- "cgit.${config.networking.hostName}.retiolum"
- ];
- locations = [
- (nameValuePair "/" ''
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
- '')
- (nameValuePair "/static/" ''
- root ${pkgs.cgit}/cgit;
- rewrite ^/static(/.*)$ $1 break;
- '')
- ];
- };
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
+ "cgit.${config.networking.hostName}"
+ "cgit.${config.networking.hostName}.r"
+ "cgit.${config.networking.hostName}.retiolum"
+ ];
+ locations."/".extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ '';
+ locations."/static/".extraConfig = ''
+ root ${pkgs.cgit}/cgit;
+ rewrite ^/static(/.*)$ $1 break;
+ '';
};
};
diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix
deleted file mode 100644
index 8945c1907..000000000
--- a/tv/1systems/xu-qemu0.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- krebs.hosts.xu-qemu0 = {
- cores = 1;
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- # cannot define ssh.pubkey without at least one addr or alias
- #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04";
- };
- krebs.build.host = config.krebs.hosts.xu-qemu0;
-
- imports = [
- ../.
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- ];
-
- boot.loader.grub.device = "/dev/sda";
-
- fileSystems = {
- "/boot" = {
- device = "/dev/sda1";
- };
- "/" = {
- device = "/dev/sda2";
- fsType = "btrfs";
- };
- };
-}
diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 5902f1895..39c944b1a 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -19,15 +19,15 @@
source-path = toString <secrets> + "/nix-serve.key";
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.nix-serve = {
- server-names = [
+ virtualHosts.nix-serve = {
+ serverAliases = [
"cache.${config.krebs.build.host.name}.gg23"
];
- locations = singleton (nameValuePair "/" ''
+ locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '');
+ '';
};
};
}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index fcaec4925..dc26a6c6f 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
stockholm.file = "/home/tv/stockholm";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "1dd0fb6b5a7c44d1b632466f936ca74268d13298";
+ ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4";
};
} // optionalAttrs host.secure {
secrets-master.file = "/home/tv/secrets/master";
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 39995c052..b0acb9435 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -3,15 +3,26 @@
with import <stockholm/lib>;
{
- krebs.nginx = {
- servers.default.locations = [
- (nameValuePair "= /etc/os-release" ''
+ services.nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts._http = {
+ default = true;
+ extraConfig = ''
+ return 404;
+ '';
+ };
+
+ virtualHosts.default = {
+ locations."= /etc/os-release".extraConfig = ''
default_type text/plain;
alias /etc/os-release;
- '')
- ];
+ '';
+ };
};
- tv.iptables = optionalAttrs config.krebs.nginx.enable {
+ tv.iptables = {
input-retiolum-accept-tcp = singleton "http";
};
}
diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix
index 4c74d2250..9744da1e8 100644
--- a/tv/2configs/nginx/public_html.nix
+++ b/tv/2configs/nginx/public_html.nix
@@ -3,20 +3,18 @@
with import <stockholm/lib>;
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.default = {
- server-names = [
+ virtualHosts.default = {
+ serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum"
];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
tv.iptables.input-internet-accept-tcp = singleton "http";
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
deleted file mode 100644
index 355a36650..000000000
--- a/tv/2configs/xu-qemu0.nix
+++ /dev/null
@@ -1,250 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- # XXX cannot use config.build.host.name here because infinite recursion when
- # defining krebs.hosts.${host-name}.nets.retiolum.aliases below.
- host-name = "xu";
-in
-
-# usage:
-# echo set_password vnc correcthorze | xu-qemu0-monitor
-#
-# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return
-#
-# http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze
-#
-# make [install] system=xu-qemu0 target_host=10.56.0.101
-
-with import <stockholm/lib>;
-
-{
- networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
-
- tv.iptables.extra = {
- nat.POSTROUTING = ["-j MASQUERADE"];
- filter.FORWARD = [
- "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
- "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
- ];
- filter.INPUT = [
- "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
- "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
- ];
- };
-
- systemd.network.enable = true;
- systemd.services.systemd-networkd-wait-online.enable = false;
-
- services.resolved.enable = mkForce false;
-
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
- systemd.network.networks.qemubr0 = {
- matchConfig.Name = "qemubr0";
- address = ["10.56.0.1/24"];
- routes = [{
- routeConfig = {
- Gateway = "*";
- Destination = "10.56.0.0";
- };
- }];
- };
- systemd.network.netdevs.qemubr0 = {
- netdevConfig = {
- Name = "qemubr0";
- Kind = "bridge";
- };
- };
-
- users.groups.qemu-users.gid = genid "qemu-users";
-
- environment.etc."qemu/bridge.conf".text = ''
- allow qemubr0
- '';
-
- krebs.per-user.tv.packages = [
- ];
-
- users.users.xu-qemu0 = {
- createHome = true;
- group = "qemu-users";
- home = "/home/xu-qemu0";
- uid = genid "xu-qemu0";
- };
-
- systemd.services.xu-qemu0 = let
- in {
- after = [ "network.target" "systemd-resolved.service" ];
- serviceConfig = {
- User = "xu-qemu0";
- SyslogIdentifier = "xu-qemu0";
- ExecStart = pkgs.writeDash "xu-qemu0" ''
- set -efu
- ${pkgs.coreutils}/bin/mkdir -p "$HOME/tmp"
- img=$HOME/tmp/xu-qemu0.raw
- if ! test -e "$img"; then
- ${pkgs.kvm}/bin/qemu-img create "$img" 10G
- fi
- exec ${pkgs.kvm}/bin/qemu-kvm \
- -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
- -boot order=cd \
- -cdrom ${pkgs.fetchurl {
- url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
- sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9";
- }} \
- -m 1024 \
- -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \
- -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \
- -drive file="$img",format=raw \
- -display vnc=:1,websocket=5701,password,lossy \
- -name xu-qemu0 \
- '';
- };
- };
-
- krebs.setuid.xu-qemu0-monitor = {
- filename = pkgs.writeDash "xu-qemu0-monitor" ''
- exec ${pkgs.socat}/bin/socat \
- stdio \
- UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
- '';
- owner = "xu-qemu0";
- group = "tv";
- };
-
- krebs.setuid.qemu-bridge-helper = {
- filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
- group = "qemu-users";
- };
-
- users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";
-
- # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName
- services.dbus.packages = [ pkgs.dnsmasq ];
-
- systemd.services.qemu-dnsmasq = let
- # bind-interfaces
- conf = pkgs.writeText "qemu-dnsmasq.conf" ''
- listen-address=10.56.0.1
- interface=qemubr0
- dhcp-range=10.56.0.200,10.56.0.250
- dhcp-no-override
- dhcp-leasefile=/tmp/qemu-dnsmasq.leases
- domain=${host-name}.local
- dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m
- '';
- in {
- after = [ "network.target" "systemd-resolved.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "dbus";
- BusName = "uk.org.thekelleys.dnsmasq";
- # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq]
- SyslogIdentifier = "qemu-dnsmasq";
- ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- PrivateTmp = "true";
- };
- restartTriggers = [ config.environment.etc.hosts.source ];
- };
-
-
- krebs.nginx.servers.init = {
- server-names = [
- "init.${host-name}"
- "init.${host-name}.r"
- "init.${host-name}.retiolum"
- ];
- extraConfig = ''
- index init.txt;
- root ${pkgs.writeTextFile {
- name = "init-pages";
- text = ''
- #! /bin/sh
- set -efu
-
- dev=/dev/sda
- pttype=dos # gpt
-
- case $pttype in
- dos)
- if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then
- parted -s "$dev" mklabel msdos
- fi
- if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then
- parted -s "$dev" mkpart primary ext4 1MiB 513MiB
- parted -s "$dev" set 1 boot on
- fi
- ;;
- gpt)
- if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then
- parted -s "$dev" mklabel gpt
- fi
- if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then
- parted -s "$dev" mkpart ESP fat32 1MiB 513MiB
- parted -s "$dev" set 1 boot on
- fi
- ;;
- *)
- echo "Error: bad pttype: $pttype" >&2
- exit -1
- esac
-
- if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then
- parted -s "$dev" mkpart primary btrfs 513MiB 100%
- fi
- if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then
- mkfs.vfat "$dev"1
- fi
- if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then
- mkfs.btrfs "$dev"2
- fi
-
- parted "$dev" print
-
- if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then
- mount "$dev"2 /mnt
- fi
- if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then
- mkdir -m 0000 -p /mnt/boot
- mount "$dev"1 /mnt/boot
- fi
-
- lsblk "$dev"
-
- key=${shell.escape config.krebs.users.tv-xu.pubkey}
-
- if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then
- mkdir -p /root/.ssh
- echo "$key" > /root/.ssh/authorized_keys
- fi
- systemctl start sshd
- ip route
- echo READY.
- '';
- destination = "/init.txt";
- }};
- '';
- };
-
-
- krebs.hosts.${host-name}.nets.retiolum.aliases = [
- "init.${host-name}.r"
- "init.${host-name}.retiolum"
- "vnc.${host-name}.r"
- "vnc.${host-name}.retiolum"
- ];
-
- krebs.nginx.servers.noVNC = {
- server-names = [
- "vnc.${host-name}"
- "vnc.${host-name}.r"
- "vnc.${host-name}.retiolum"
- ];
- #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701;
- locations = singleton (nameValuePair "/" ''
- index vnc.html;
- root ${pkgs.noVNC};
- '');
- };
-}