author | lassulus <lass@lassul.us> | 2016-12-23 18:38:28 +0100 |
---|---|---|
committer | lassulus <lass@lassul.us> | 2016-12-23 18:38:28 +0100 |
commit | b8975f6ed4cde4af3e72f0f83624221ee6351885 (patch) | |
tree | 53f0207a1b3009999b42b19c6c919b7c95b0a02b | |
parent | 1d2c9377bc7b21ff7d27c6c04873a46df083d655 (diff) | |
parent | c208b3fa19fc161f44c52433a4e266daade4ce53 (diff) |
Merge remote-tracking branch 'ni/master'
-rw-r--r-- | krebs/3modules/git.nix | 41 | ||||
-rw-r--r-- | tv/1systems/xu-qemu0.nix | 28 | ||||
-rw-r--r-- | tv/2configs/binary-cache/default.nix | 10 | ||||
-rw-r--r-- | tv/2configs/default.nix | 2 | ||||
-rw-r--r-- | tv/2configs/nginx/default.nix | 23 | ||||
-rw-r--r-- | tv/2configs/nginx/public_html.nix | 14 | ||||
-rw-r--r-- | tv/2configs/xu-qemu0.nix | 250 |
7 files changed, 47 insertions, 321 deletions
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 20907a3ed..164831846 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -400,29 +400,24 @@ let chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} ''; - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.r" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; + services.nginx.virtualHosts.cgit = { + serverAliases = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.r" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations."/".extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + locations."/static/".extraConfig = '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + ''; }; }; diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix deleted file mode 100644 index 8945c1907..000000000 --- a/tv/1systems/xu-qemu0.nix +++ /dev/null 
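Review bot: The replacement block for the cgit vhost no longer enables nginx: the removed `krebs.nginx` attrset carried `enable = true;`, but the new `services.nginx.virtualHosts.cgit` is added without a corresponding `services.nginx.enable = true;`, so on a host where nothing else turns nginx on the cgit frontend silently disappears (the other hunks in this merge set `enable` in per-user configs, not in this shared module). If that is intended, a comment saying the module relies on the consumer enabling nginx would help; otherwise add `services.nginx.enable = true;` next to the vhost. A second, hedged point: with the NixOS module the attribute name `cgit` becomes the first `server_name` entry unless `serverName` is set, so `fastcgi_param HTTP_HOST $server_name;` now hands cgit the literal host `cgit` rather than `cgit.<hostname>`; consider `serverName = "cgit.${config.networking.hostName}";` and dropping that name from `serverAliases`. The enclosing module attrset of `krebs/3modules/git.nix` starts before and ends after this hunk.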
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - krebs.hosts.xu-qemu0 = { - cores = 1; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - # cannot define ssh.pubkey without at least one addr or alias - #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04"; - }; - krebs.build.host = config.krebs.hosts.xu-qemu0; - - imports = [ - ../. - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> - ]; - - boot.loader.grub.device = "/dev/sda"; - - fileSystems = { - "/boot" = { - device = "/dev/sda1"; - }; - "/" = { - device = "/dev/sda2"; - fsType = "btrfs"; - }; - }; -} diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 5902f1895..39c944b1a 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -19,15 +19,15 @@ source-path = toString <secrets> + "/nix-serve.key"; }; - krebs.nginx = { + services.nginx = { enable = true; - servers.nix-serve = { - server-names = [ + virtualHosts.nix-serve = { + serverAliases = [ "cache.${config.krebs.build.host.name}.gg23" ]; - locations = singleton (nameValuePair "/" '' + locations."/".extraConfig = '' proxy_pass http://localhost:${toString config.services.nix-serve.port}; - ''); + ''; }; }; } diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index fcaec4925..dc26a6c6f 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import <stockholm/lib>; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "1dd0fb6b5a7c44d1b632466f936ca74268d13298"; + ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 39995c052..b0acb9435 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix 
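Review bot: In the `tv/2configs/binary-cache/default.nix` hunk, `proxy_pass http://localhost:${toString config.services.nix-serve.port};` resolves `localhost` through the system resolver at nginx startup, which on NixOS yields both `127.0.0.1` and `::1`; if nix-serve binds only an IPv4 address (its `bindAddress` is not visible in this hunk), nginx will intermittently try `::1`, log connection-refused errors and fail some cache requests until it marks that peer down. Pinning the upstream avoids the ambiguity: `proxy_pass http://127.0.0.1:${toString config.services.nix-serve.port};`. The surrounding `services.nix-serve` block this depends on starts before the hunk.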
@@ -3,15 +3,26 @@ with import <stockholm/lib>; { - krebs.nginx = { - servers.default.locations = [ - (nameValuePair "= /etc/os-release" '' + services.nginx = { + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts._http = { + default = true; + extraConfig = '' + return 404; + ''; + }; + + virtualHosts.default = { + locations."= /etc/os-release".extraConfig = '' default_type text/plain; alias /etc/os-release; - '') - ]; + ''; + }; }; - tv.iptables = optionalAttrs config.krebs.nginx.enable { + tv.iptables = { input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 4c74d2250..9744da1e8 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -3,20 +3,18 @@ with import <stockholm/lib>; { - krebs.nginx = { + services.nginx = { enable = true; - servers.default = { - server-names = [ + virtualHosts.default = { + serverAliases = [ "localhost" "${config.krebs.build.host.name}" "${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.retiolum" ]; - locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' + alias /home/$1/public_html$2; + ''; }; }; tv.iptables.input-internet-accept-tcp = singleton "http"; diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix deleted file mode 100644 index 355a36650..000000000 --- a/tv/2configs/xu-qemu0.nix +++ /dev/null 
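Review bot: The firewall rule at the end of the `tv/2configs/nginx/default.nix` hunk lost its guard: the removed line was `tv.iptables = optionalAttrs config.krebs.nginx.enable { ... }`, while the new `tv.iptables = { input-retiolum-accept-tcp = singleton "http"; };` is unconditional, so every host importing this module now opens TCP/80 on retiolum whether or not nginx is actually enabled. Restore the condition against the new option: `tv.iptables = optionalAttrs config.services.nginx.enable {` followed by the unchanged body. The added `virtualHosts._http` catch-all returning 404 is a good default-server choice and worth a one-line comment such as `# default_server: reject requests whose Host matches no vhost` so it is not mistaken for dead config later.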
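Review bot: In the `tv/2configs/nginx/public_html.nix` hunk the user capture in `locations."~ ^/~(.+?)(/.*)?\$"` accepts any characters, so `/~..` maps `alias /home/$1/public_html$2;` to `/home/../public_html`; nginx normalises `$uri` before location matching, which should stop deeper traversal, but the first path component is still not constrained to a user name and this vhost is reachable from the internet per the context line below. Restricting the capture to a login-name charset makes the intent explicit and removes the odd case: `locations."~ ^/~([a-z_][a-z0-9_-]*)(/.*)?\$".extraConfig = ''` with the body unchanged. A short comment noting that `alias` with regex captures is intentional here (rather than `root`) would also help the next reader.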
@@ -1,250 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - # XXX cannot use config.build.host.name here because infinite recursion when - # defining krebs.hosts.${host-name}.nets.retiolum.aliases below. - host-name = "xu"; -in - -# usage: -# echo set_password vnc correcthorze | xu-qemu0-monitor -# -# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return -# -# http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze -# -# make [install] system=xu-qemu0 target_host=10.56.0.101 - -with import <stockholm/lib>; - -{ - networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; - - tv.iptables.extra = { - nat.POSTROUTING = ["-j MASQUERADE"]; - filter.FORWARD = [ - "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" - "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" - ]; - filter.INPUT = [ - "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" - "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" - ]; - }; - - systemd.network.enable = true; - systemd.services.systemd-networkd-wait-online.enable = false; - - services.resolved.enable = mkForce false; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - - systemd.network.networks.qemubr0 = { - matchConfig.Name = "qemubr0"; - address = ["10.56.0.1/24"]; - routes = [{ - routeConfig = { - Gateway = "*"; - Destination = "10.56.0.0"; - }; - }]; - }; - systemd.network.netdevs.qemubr0 = { - netdevConfig = { - Name = "qemubr0"; - Kind = "bridge"; - }; - }; - - users.groups.qemu-users.gid = genid "qemu-users"; - - environment.etc."qemu/bridge.conf".text = '' - allow qemubr0 - ''; - - krebs.per-user.tv.packages = [ - ]; - - users.users.xu-qemu0 = { - createHome = true; - group = "qemu-users"; - home = "/home/xu-qemu0"; - uid = genid "xu-qemu0"; - }; - - systemd.services.xu-qemu0 = let - in { - after = [ "network.target" "systemd-resolved.service" ]; - serviceConfig = { - User = "xu-qemu0"; - SyslogIdentifier = "xu-qemu0"; - ExecStart = pkgs.writeDash "xu-qemu0" '' - set -efu - ${pkgs.coreutils}/bin/mkdir 
-p "$HOME/tmp" - img=$HOME/tmp/xu-qemu0.raw - if ! test -e "$img"; then - ${pkgs.kvm}/bin/qemu-img create "$img" 10G - fi - exec ${pkgs.kvm}/bin/qemu-kvm \ - -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \ - -boot order=cd \ - -cdrom ${pkgs.fetchurl { - url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; - sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9"; - }} \ - -m 1024 \ - -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \ - -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \ - -drive file="$img",format=raw \ - -display vnc=:1,websocket=5701,password,lossy \ - -name xu-qemu0 \ - ''; - }; - }; - - krebs.setuid.xu-qemu0-monitor = { - filename = pkgs.writeDash "xu-qemu0-monitor" '' - exec ${pkgs.socat}/bin/socat \ - stdio \ - UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \ - ''; - owner = "xu-qemu0"; - group = "tv"; - }; - - krebs.setuid.qemu-bridge-helper = { - filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; - group = "qemu-users"; - }; - - users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq"; - - # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName - services.dbus.packages = [ pkgs.dnsmasq ]; - - systemd.services.qemu-dnsmasq = let - # bind-interfaces - conf = pkgs.writeText "qemu-dnsmasq.conf" '' - listen-address=10.56.0.1 - interface=qemubr0 - dhcp-range=10.56.0.200,10.56.0.250 - dhcp-no-override - dhcp-leasefile=/tmp/qemu-dnsmasq.leases - domain=${host-name}.local - dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m - ''; - in { - after = [ "network.target" "systemd-resolved.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "dbus"; - BusName = "uk.org.thekelleys.dnsmasq"; - # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq] - SyslogIdentifier = "qemu-dnsmasq"; - ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}"; - ExecReload 
= "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - PrivateTmp = "true"; - }; - restartTriggers = [ config.environment.etc.hosts.source ]; - }; - - - krebs.nginx.servers.init = { - server-names = [ - "init.${host-name}" - "init.${host-name}.r" - "init.${host-name}.retiolum" - ]; - extraConfig = '' - index init.txt; - root ${pkgs.writeTextFile { - name = "init-pages"; - text = '' - #! /bin/sh - set -efu - - dev=/dev/sda - pttype=dos # gpt - - case $pttype in - dos) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then - parted -s "$dev" mklabel msdos - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then - parted -s "$dev" mkpart primary ext4 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - gpt) - if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then - parted -s "$dev" mklabel gpt - fi - if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then - parted -s "$dev" mkpart ESP fat32 1MiB 513MiB - parted -s "$dev" set 1 boot on - fi - ;; - *) - echo "Error: bad pttype: $pttype" >&2 - exit -1 - esac - - if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then - parted -s "$dev" mkpart primary btrfs 513MiB 100% - fi - if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then - mkfs.vfat "$dev"1 - fi - if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then - mkfs.btrfs "$dev"2 - fi - - parted "$dev" print - - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then - mount "$dev"2 /mnt - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then - mkdir -m 0000 -p /mnt/boot - mount "$dev"1 /mnt/boot - fi - - lsblk "$dev" - - key=${shell.escape config.krebs.users.tv-xu.pubkey} - - if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then - mkdir -p /root/.ssh - echo "$key" > /root/.ssh/authorized_keys - fi - systemctl start sshd - ip route - echo READY. 
- ''; - destination = "/init.txt"; - }}; - ''; - }; - - - krebs.hosts.${host-name}.nets.retiolum.aliases = [ - "init.${host-name}.r" - "init.${host-name}.retiolum" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - - krebs.nginx.servers.noVNC = { - server-names = [ - "vnc.${host-name}" - "vnc.${host-name}.r" - "vnc.${host-name}.retiolum" - ]; - #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701; - locations = singleton (nameValuePair "/" '' - index vnc.html; - root ${pkgs.noVNC}; - ''); - }; -} |