author | tv <tv@krebsco.de> | 2017-07-14 00:17:58 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2017-07-14 00:21:02 +0200 |
commit | 58380c82848c3db0bd6c3d74904153f3464c2098 (patch) | |
tree | dcefa424c037ef13edba18967143b3290dc739cb /krebs | |
parent | c213968c44befe32f115ec0122accebdabd89582 (diff) |
merge shared into krebs
Diffstat (limited to 'krebs')
41 files changed, 1236 insertions, 9 deletions
diff --git a/krebs/1systems/test-all-krebs-modules/config.nix b/krebs/1systems/test-all-krebs-modules/config.nix
new file mode 100644
index 000000000..c0c14b71f
--- /dev/null
+++ b/krebs/1systems/test-all-krebs-modules/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+let
+ en = { enable = true;};
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ Reaktor.test = {};
+ apt-cacher-ng.enable = true;
+ backup.enable = true;
+ bepasty.enable = true;
+ # FIXME fast-tests / instantiate-test-all-modules fails at wolfbot
+ # http://wolf:8010/builders/fast-tests/builds/442
+ #buildbot.master.enable = true;
+ buildbot.worker = {
+ enable = true;
+ username = "lol";
+ password = "wut";
+ };
+ # XXX exim-retiolum and exim-smarthost are mutually exclusive
+ #exim-retiolum = {
+ # enable = true;
+ # primary_hostname = "test.r";
+ #};
+ exim-smarthost = {
+ enable = true;
+ primary_hostname = "test.r";
+ system-aliases = [ { from = "dick"; to = "butt"; } ];
+ };
+ go.enable = true;
+ iptables = {
+ enable = true;
+ tables = {};
+ };
+ realwallpaper.enable = true;
+ tinc.retiolum.enable = true;
+ retiolum-bootstrap.enable = true;
+ tinc_graphs.enable = true;
+ urlwatch.enable = true;
+ fetchWallpaper = {
+ enable = true;
+ url ="localhost";
+ };
+ };
+ # just get the system running
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
diff --git a/krebs/1systems/test-all-krebs-modules/source.nix b/krebs/1systems/test-all-krebs-modules/source.nix
new file mode 100644
index 000000000..66fdaa773
--- /dev/null
+++ b/krebs/1systems/test-all-krebs-modules/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-all-krebs-modules";
+}
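Review bot: The `buildbot.worker` block hard-codes `username = "lol";` and `password = "wut";` with nothing marking them as throw-away values, although the trailing `# just get the system running` comment suggests this config exists only to evaluate every krebs module. A one-line comment above `buildbot.worker = {`, such as `# dummy worker credentials: eval-only config, never deploy this host`, would keep the pair from being copied into a real host definition. The same caveat applies to `url ="localhost";` and `device = "/dev/lol";`, which are placeholders in the same sense.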
diff --git a/krebs/1systems/test-arch/config.nix b/krebs/1systems/test-arch/config.nix
new file mode 100644
index 000000000..b5a4234e7
--- /dev/null
+++ b/krebs/1systems/test-arch/config.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ {
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ };
+ }
+ {
+ networking.dhcpcd.allowInterfaces = [
+ "enp*"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-arch;
+}
diff --git a/krebs/1systems/test-arch/source.nix b/krebs/1systems/test-arch/source.nix
new file mode 100644
index 000000000..bff9d4325
--- /dev/null
+++ b/krebs/1systems/test-arch/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-arch";
+}
diff --git a/krebs/1systems/test-centos6/config.nix b/krebs/1systems/test-centos6/config.nix
new file mode 100644
index 000000000..968f8b8f0
--- /dev/null
+++ b/krebs/1systems/test-centos6/config.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+ ip = "168.235.148.52";
+ gw = "168.235.148.1";
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix>
+ {
+ networking.interfaces.enp11s0.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = gw;
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-centos6;
+}
diff --git a/krebs/1systems/test-centos6/source.nix b/krebs/1systems/test-centos6/source.nix
new file mode 100644
index 000000000..3693bbb29
--- /dev/null
+++ b/krebs/1systems/test-centos6/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-centos6";
+}
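Review bot: `inherit (lib) head;` in the `let` block of test-centos6/config.nix is never used anywhere in the file, and the same dead binding appears in test-centos7/config.nix on the next line. Dropping it (and then `lib` from the argument set, which is otherwise unused in both files) keeps the host definitions down to what they actually configure; if it was left in as a template stub, a short comment saying so would be better than an unexplained unused import.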
diff --git a/krebs/1systems/test-centos7/config.nix b/krebs/1systems/test-centos7/config.nix
new file mode 100644
index 000000000..732bc4f17
--- /dev/null
+++ b/krebs/1systems/test-centos7/config.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+in {
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
+ <stockholm/krebs/2configs/temp/networking.nix>
+ <stockholm/krebs/2configs/temp/dirs.nix>
+ ];
+
+ sound.enable = false;
+ krebs.build.host = config.krebs.hosts.test-centos7;
+}
diff --git a/krebs/1systems/test-centos7/source.nix b/krebs/1systems/test-centos7/source.nix
new file mode 100644
index 000000000..44230f08d
--- /dev/null
+++ b/krebs/1systems/test-centos7/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-centos7";
+}
diff --git a/krebs/1systems/test-failing/config.nix b/krebs/1systems/test-failing/config.nix
new file mode 100644
index 000000000..0dc8e6bf8
--- /dev/null
+++ b/krebs/1systems/test-failing/config.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ programs.ssh.startAgent = true;
+ programs.ssh.startAgent = false;
+}
diff --git a/krebs/1systems/test-failing/source.nix b/krebs/1systems/test-failing/source.nix
new file mode 100644
index 000000000..60b77a0a0
--- /dev/null
+++ b/krebs/1systems/test-failing/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-failing";
+}
diff --git a/krebs/1systems/test-minimal-deploy/config.nix b/krebs/1systems/test-minimal-deploy/config.nix
new file mode 100644
index 000000000..9974b4f7c
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/config.nix
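Review bot: test-failing/config.nix assigns `programs.ssh.startAgent = true;` and then `programs.ssh.startAgent = false;` with no comment, so the conflicting definitions read like a copy-paste mistake rather than the deliberate evaluation failure the directory name suggests. A comment on the first assignment, `# intentionally conflicting definitions: this host must fail to evaluate (exercises the test harness)`, makes the purpose explicit so nobody "fixes" it later. The option name used for the conflict should ideally be one whose accidental removal elsewhere cannot make this host start evaluating successfully; whether that is a concern depends on how the harness consumes this host, which is not visible here.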
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ };
+ # just get the system to eval in nixos without errors
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
diff --git a/krebs/1systems/test-minimal-deploy/source.nix b/krebs/1systems/test-minimal-deploy/source.nix
new file mode 100644
index 000000000..032ab12bb
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+ name = "test-minimal-deploy";
+}
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
new file mode 100644
index 000000000..b8cc1b4a1
--- /dev/null
+++ b/krebs/1systems/wolf/config.nix
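Review bot: `build.host = config.krebs.hosts.test-all-krebs-modules;` in test-minimal-deploy/config.nix names a different host than the file is for, while the companion source.nix in the same hunk uses `name = "test-minimal-deploy";`; the `krebs = { ... }` block looks copied from test-all-krebs-modules/config.nix. Unless the mismatch is deliberate, change it to `build.host = config.krebs.hosts.test-minimal-deploy;`. If no such host entry exists yet and the borrowed host is intentional, a comment on that line saying so would stop the next reader from treating it as a bug.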
@@ -0,0 +1,108 @@
+{ config, pkgs, ... }:
+let
+ shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
+in
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ <stockholm/krebs/2configs/collectd-base.nix>
+ <stockholm/krebs/2configs/central-stats-client.nix>
+ <stockholm/krebs/2configs/save-diskspace.nix>
+
+ <stockholm/krebs/2configs/cgit-mirror.nix>
+ <stockholm/krebs/2configs/graphite.nix>
+ <stockholm/krebs/2configs/repo-sync.nix>
+ <stockholm/krebs/2configs/shared-buildbot.nix>
+
+ <stockholm/krebs/2configs/shack/worlddomination.nix>
+ <stockholm/krebs/2configs/shack/drivedroid.nix>
+ # <stockholm/krebs/2configs/shack/nix-cacher.nix>
+ <stockholm/krebs/2configs/shack/mqtt_sub.nix>
+ <stockholm/krebs/2configs/shack/muell_caller.nix>
+ <stockholm/krebs/2configs/shack/radioactive.nix>
+ <stockholm/krebs/2configs/shack/share.nix>
+
+ ];
+ # use your own binary cache, fallback use cache.nixos.org (which is used by
+ # apt-cacher-ng in first place)
+
+ services.influxdb.enable = true;
+
+ # local discovery in shackspace
+ nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+ krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
+ services.grafana = {
+ enable = true;
+ addr = "0.0.0.0";
+ users.allowSignUp = true;
+ users.allowOrgCreate = true;
+ users.autoAssignOrg = true;
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>;
+ };
+
+ nix = {
+ # use the up to date prism cache
+ binaryCaches = [
+ "http://cache.prism.r"
+ "https://cache.nixos.org/"
+ ];
+ binaryCachePublicKeys = [
+ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
+ ];
+ };
+
+ networking = {
+ firewall.enable = false;
+ firewall.allowedTCPPorts = [ 8088 8086 8083 ];
+ interfaces.enp0s3.ip4 = [{
+ address = shack-ip;
+ prefixLength = 20;
+ }];
+
+ defaultGateway = "10.42.0.1";
+ nameservers = [ "10.42.0.100"
"10.42.0.200" ]; + }; + + ##################### + # uninteresting stuff + ##################### + krebs.build.host = config.krebs.hosts.wolf; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" + ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; + # fallout of ipv6calypse + networking.extraHosts = '' + hass.shack 10.42.2.191 + heidi.shack 10.42.2.135 + ''; + + users.extraUsers.root.openssh.authorizedKeys.keys = [ + config.krebs.users.ulrich.pubkey + ]; + + time.timeZone = "Europe/Berlin"; + sound.enable = false; +} diff --git a/krebs/1systems/wolf/source.nix b/krebs/1systems/wolf/source.nix new file mode 100644 index 000000000..c292bfa62 --- /dev/null +++ b/krebs/1systems/wolf/source.nix @@ -0,0 +1,3 @@ +import <stockholm/krebs/source.nix> { + name = "wolf"; +} diff --git a/krebs/2configs/central-stats-client.nix b/krebs/2configs/central-stats-client.nix new file mode 100644 index 000000000..0412eba9a --- /dev/null +++ b/krebs/2configs/central-stats-client.nix 
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "stats.makefu.r" "25826"
+ </Plugin>
+
+ LoadPlugin curl
+ <Plugin curl>
+ <Page "smarthome">
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+ </Page>
+ </Plugin>
+ '';
+ };
+}
diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix
new file mode 100644
index 000000000..c2326a5cc
--- /dev/null
+++ b/krebs/2configs/cgit-mirror.nix
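Review bot: The `<Plugin "network">` block ships every metric to `Server "stats.makefu.r" "25826"` as a bare `Server` line, with no `SecurityLevel`, `Username` or `Password` in a `<Server>` block, so the stream is neither signed nor encrypted and any host on the path can read it or inject values that end up in graphite. collectd's network plugin supports `SecurityLevel Sign` or `SecurityLevel Encrypt` with a shared credential on both ends; if the retiolum link is considered sufficient protection, a comment on that line saying so would document the decision. Separately, `URL "http://smarthome.shack/";` in the curl plugin carries a trailing `;` that no other value in this config has; collectd's config syntax has no statement terminator as far as I can tell, so confirm the character is not being parsed as part of the value or rejected, and drop it if it is a typo. The hunk starts on the previous line.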
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ rules = with git; singleton {
+ user = [ wolf-repo-sync ];
+ repo = [ stockholm-mirror ];
+ perm = push ''refs/*'' [ non-fast-forward create delete merge ];
+ };
+
+ stockholm-mirror = {
+ public = true;
+ name = "stockholm-mirror";
+ cgit.desc = "mirror for all stockholm branches";
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ nick = config.networking.hostName;
+ verbose = false;
+ channel = "#retiolum";
+ server = "ni.r";
+ };
+ };
+ };
+
+ wolf-repo-sync = {
+ name = "wolf-repo-sync";
+ mail = "spam@krebsco.de";
+ # TODO put git-sync pubkey somewhere more appropriate
+ pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf'';
+ };
+
+in {
+ krebs.users.wolf-repo-sync = wolf-repo-sync;
+ krebs.git = {
+ enable = true;
+ cgit = {
+ settings = {
+ root-title = "Shared Repos";
+ root-desc = "keep on krebsing";
+ };
+ };
+ inherit rules;
+ repos.stockholm-mirror = stockholm-mirror;
+ };
+}
diff --git a/krebs/2configs/collectd-base.nix b/krebs/2configs/collectd-base.nix
new file mode 100644
index 000000000..440f83fce
--- /dev/null
+++ b/krebs/2configs/collectd-base.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: krebs.collectd.plugins
+with import <stockholm/lib>;
+let
+ connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" ''
+ LoadPlugin python
+ <Plugin python>
+ ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/"
+ Import "collectd_connect_time"
+ <Module collectd_connect_time>
+ target "localhost:22" "google.com" "google.de" "gum.r:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de"
+ interval 10
+ </Module>
+ </Plugin>
+ '';
+ graphite-cfg = pkgs.writeText "collectd-graphite.conf" ''
+ LoadPlugin write_graphite
+ <Plugin "write_graphite">
+ <Carbon>
+ Host "heidi.shack"
+ Port "2003"
+ Prefix "retiolum."
+ EscapeCharacter "_"
+ StoreRates false
+ AlwaysAppendDS false
+ </Carbon>
+ </Plugin>
+ '';
+in {
+ imports = [ ];
+
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ collectd = pkgs.collectd.override { python= pkgs.python; };
+ };
+ services.collectd = {
+ enable = true;
+ include = [ (toString connect-time-cfg) (toString graphite-cfg) ];
+ };
+
+}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
new file mode 100644
index 000000000..53ad56d65
--- /dev/null
+++ b/krebs/2configs/default.nix
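Review bot: `imports = [ ];` and the `with pkgs;` in `nixpkgs.config.packageOverrides = pkgs: with pkgs; { ... }` are both dead in collectd-base.nix — the override body only ever reaches `pkgs.collectd` and `pkgs.python` through the explicit `pkgs.` prefix, and an empty `imports` list configures nothing. Removing them reads as `nixpkgs.config.packageOverrides = pkgs: {` with the same effect. While here, the `# TODO: krebs.collectd.plugins` header would be more useful if it said what the module is meant to become (a krebs-level option that replaces these two hand-written `writeText` snippets, presumably), since the two config fragments are otherwise undocumented. The hunk starts on the previous line.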
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ krebs.enable = true;
+ krebs.tinc.retiolum.enable = true;
+
+ krebs.build.user = mkDefault config.krebs.users.krebs;
+
+ networking.hostName = config.krebs.build.host.name;
+
+ nix.maxJobs = 1;
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+ nix.useSandbox = true;
+
+ environment.systemPackages = with pkgs; [
+ git
+ rxvt_unicode.terminfo
+ ];
+
+ programs.ssh.startAgent = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ services.cron.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+
+ users.mutableUsers = false;
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ # TODO
+ config.krebs.users.lass.pubkey
+ config.krebs.users.makefu.pubkey
+ # TODO HARDER:
+ config.krebs.users.makefu-omo.pubkey
+ config.krebs.users.tv.pubkey
+ ];
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+}
diff --git a/krebs/2configs/graphite.nix b/krebs/2configs/graphite.nix
new file mode 100644
index 000000000..64222e43a
--- /dev/null
+++ b/krebs/2configs/graphite.nix
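Review bot: `nix.trustedBinaryCaches` in default.nix lists `"http://cache.nixos.org"` and `"http://hydra.nixos.org"` next to the https entry, so a user who opts into one of those gets substitutes over plain HTTP — the narinfo signatures still protect integrity, but every store path the host looks up is visible to the network, and the two plain-http entries only matter if some caller actually passes them. Either drop them or add a comment naming the tool that needs them. The `# TODO` and `# TODO HARDER:` lines in the root `authorizedKeys.keys` list also say nothing about what is pending for the four keys below them; a reader cannot tell whether any of those keys are meant to be removed, which matters for the root login of every host that imports this file. The hunk starts on the previous line.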
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+
+# TODO: krebs.graphite.minimal.enable
+# TODO: configure firewall
+with import <stockholm/lib>;
+{
+ imports = [ ];
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "0.0.0.0";
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 50
+ MAX_UPDATES_PER_SECOND_ONSHUTDOWN = 9001
+
+ LOG_CACHE_HITS = False
+ LOG_CACHE_QUEUE_SORTS = False
+ LOG_UPDATES = False
+ LOG_LISTENER_CONNECTIONS = False
+ LOG_CREATES = True
+ '';
+ storageAggregation = ''
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+
+ [radiation_sensor]
+ pattern = ^sensors\.radiation\.
+ retentions = 1m:30d,5m:180d,10m:3y
+
+ [motion_sensors]
+ pattern = ^sensors\.motion\.
+ retentions = 1s:1h,60s:30d,300s:1y
+
+ [motion_sensors]
+ pattern = ^retiolum\.
+ retentions = 10s:1h,30s:30d,300s:1y
+
+ [homeassistant]
+ pattern = ^homeassistant\.
+ retentions = 10s:24h,30s:30d,300s:1y,3600s:5y
+
+ [ara]
+ pattern = ^ara\.
+ retentions = 60s:30d,300s:1y
+
+ [openweathermap]
+ pattern = ^weather\.openweathermap
+ retentions = 30m:30d,1h:5y
+
+ [stadtklima]
+ pattern = ^weather\.stadtklima-stuttgart
+ retentions = 15m:30d,30m:5y
+
+ [sensebox]
+ pattern = ^weather\.sensebox
+ retentions = 1m:90d,30m:5y
+
+ [elchos]
+ pattern = ^elchos\.
+ retentions = 10s:14d,1m:90d,10m:5y
+
+ [icinga_default]
+ pattern = ^icinga
+ retentions = 10s:14d,5m:90d,10m:5y
+
+ [icinga_internals]
+ pattern = ^icinga.*\.(max_check_attempts|reachable|current_attempt|execution_time|latency|state|state_type)
+ retentions = 5m:7d
+
+ [default]
+ pattern = .*
+ retentions = 60s:30d,300s:1y
+ '';
+ };
+ };
+ systemd.services.carbonCache.serviceConfig.Restart="always";
+ systemd.services.graphiteApi.serviceConfig.Restart="always";
+}
diff --git a/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
new file mode 100644
index 000000000..b5ec722a0
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/VolGroup/lv_root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/VolGroup/lv_swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --crea |
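Review bot: The `storageSchemas` text in graphite.nix defines the section `[motion_sensors]` twice — first with `pattern = ^sensors\.motion\.` and, a few lines later (previous line of this page), again with `pattern = ^retiolum\.`; the second is evidently a copy-paste leftover and should be renamed, e.g. `[retiolum]`. How carbon's config reader treats a duplicated section name is not visible from here, but at best one of the two entries is silently discarded, so either the motion-sensor or the retiolum retention never applies. Separately, `listenAddress = "0.0.0.0";` for graphite-web sits next to `# TODO: configure firewall`, and wolf/config.nix earlier in this commit disables the firewall outright, so the API is reachable from the whole network until that TODO is resolved; a `listenAddress` limited to the interface that actually needs it, or a note on why it must be wildcard, would close the gap. The hunk starts on the previous line.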