summaryrefslogtreecommitdiffstats
path: root/lass/1systems/prism
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2018-05-09 11:07:27 +0200
committertv <tv@krebsco.de>2018-05-09 11:07:27 +0200
commit3f3c12dcd06ba211a484aabf011880a83e5832fd (patch)
treee713b5f6e9084c3ff5cf185a1aafc12437822ea8 /lass/1systems/prism
parentedafe24e94252e2be936a760ce47485c8e4fa0af (diff)
parentaf75b96fbe412527c4bf9129de850bcab3e7c7cb (diff)
Merge remote-tracking branch 'prism/master' (despite bad style)
Diffstat (limited to 'lass/1systems/prism')
-rw-r--r--lass/1systems/prism/config.nix96
1 files changed, 74 insertions, 22 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 983604f8e..d4be2faaf 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -104,6 +104,7 @@ in {
];
}
{ # TODO make new hfos.nix out of this vv
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
isNormalUser = true;
@@ -190,26 +191,6 @@ in {
};
}
{
- #kaepsele
- systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
- containers.kaepsele = {
- config = { ... }: {
- imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- tv.pubkey
- ];
- };
- autoStart = true;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.3";
- localAddress = "10.233.2.4";
- };
- }
- {
#onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false;
containers.onondaga = {
@@ -237,13 +218,12 @@ in {
<stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix>
- <stockholm/lass/2configs/monitoring/server.nix>
- <stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
@@ -324,6 +304,78 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
+ <stockholm/lass/2configs/go.nix>
+ {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ systemd.services."container@red".reloadIfChanged = mkForce false;
+ containers.red = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.3";
+ localAddress = "10.233.2.4";
+ };
+ services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ extraConfig = ''
+ proxy_set_header Host rote-allez-fraktion.de;
+ proxy_pass http://10.233.2.4;
+ '';
+ };
+ };
+ }
+ {
+ imports = [ <stockholm/lass/2configs/backup.nix> ];
+ lass.restic = genAttrs [
+ "daedalus"
+ "icarus"
+ "littleT"
+ "mors"
+ "shodan"
+ "skynet"
+ ] (dest: {
+ dirs = [
+ "/home/chat/.weechat"
+ "/bku/sql_dumps"
+ ];
+ passwordFile = (toString <secrets>) + "/restic/${dest}";
+ repo = "sftp:backup@${dest}.r:/backups/prism";
+ extraArguments = [
+ "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+ ];
+ timerConfig = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ };
+ });
+ }
+ {
+ users.users.download.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
+ ];
+ }
+ {
+ lass.nichtparasoup.enable = true;
+ services.nginx = {
+ enable = true;
+ virtualHosts."lol.lassul.us" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:5001;
+ '';
+ };
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;