author | tv <tv@krebsco.de> | 2016-06-30 16:31:05 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-06-30 16:31:05 +0200 |
commit | d81b068113325fb7604089c3647c365a41804978 (patch) | |
tree | 4c43ad2142825ac7c0a7045e5c48a039b25f6786 /lass | |
parent | 1542f9bbee823025f703e6abf3836905cee416fd (diff) | |
parent | f12578c66f8b7b829c0dec5255f358778c0d3366 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
57 files changed, 1448 insertions, 442 deletions
diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index a3cc9d7b3..5aa35f5a7 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -13,7 +13,6 @@ in { ../2configs/retiolum.nix ../2configs/git.nix ../2configs/realwallpaper.nix - ../2configs/realwallpaper-server.nix ../2configs/privoxy-retiolum.nix { networking.interfaces.enp2s1.ip4 = [ diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index b5e551952..ec9f53694 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -5,7 +5,7 @@ ../. <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ../2configs/default.nix - ../2configs/exim-retiolum.nix + #../2configs/exim-retiolum.nix ../2configs/git.nix { boot.loader.grub = { @@ -63,6 +63,35 @@ { predicate = "-p tcp --dport https"; target = "ACCEPT"; } ]; } + { + #TODO: abstract & move to own file + krebs.exim-smarthost = { + enable = true; + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ + config.krebs.hosts.mors + config.krebs.hosts.uriel + config.krebs.hosts.helios + ]; + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "lass"; } + ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.dishfire; diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 97734a7bd..8d944ed40 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix 
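Review bot: The new `krebs.iptables` rule in the dishfire hunk (`@@ -63,6 +63,35 @@`) accepts SMTP from any source on any interface, while `relay_from_hosts` lists only the retiolum addresses of mors, uriel and helios. If dishfire is meant to be a smarthost for those VPN hosts rather than an internet-facing MX, the listener can be scoped to the tunnel with `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }`; if it must receive internet mail, a one-line comment saying so would stop the next reader from tightening it. Relay trust here is by source address, which is acceptable inside retiolum but should be stated, e.g. `# relaying is allowed by retiolum source IP only; anything else is treated as inbound mail`. The `#TODO: abstract & move to own file` marker suggests this block is copied from another host, so the same interface question presumably applies there as well.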
@@ -11,7 +11,7 @@ in { ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/retiolum.nix - ../2configs/realwallpaper-server.nix + ../2configs/realwallpaper.nix ../2configs/privoxy-retiolum.nix ../2configs/git.nix #../2configs/redis.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index a7a1fd253..f26f0ed5f 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -3,6 +3,7 @@ { imports = [ ../. + ../2configs/hw/tp-x220.nix ../2configs/baseX.nix ../2configs/exim-retiolum.nix ../2configs/programs.nix @@ -14,22 +15,18 @@ ../2configs/elster.nix ../2configs/steam.nix ../2configs/wine.nix - #../2configs/texlive.nix - ../2configs/binary-caches.nix - #../2configs/ircd.nix ../2configs/chromium-patched.nix ../2configs/git.nix - #../2configs/wordpress.nix ../2configs/bitlbee.nix - #../2configs/firefoxPatched.nix ../2configs/skype.nix ../2configs/teamviewer.nix ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix - ../2configs/cbase.nix + ../2configs/c-base.nix ../2configs/mail.nix ../2configs/krebs-pass.nix - #../2configs/buildbot-standalone.nix + ../2configs/umts.nix + ../2configs/repo-sync.nix { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ @@ -57,17 +54,10 @@ # package = pkgs.postgresql; # }; #} - { - } ]; krebs.build.host = config.krebs.hosts.mors; - networking.wireless.enable = true; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - boot = { loader.grub.enable = true; loader.grub.version = 2; @@ -77,7 +67,6 @@ initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; }; fileSystems = { "/" = { 
@@ -131,8 +120,8 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:85:c9", NAME="et0" ''; #TODO activationScripts seem broken, fix them! @@ -146,7 +135,7 @@ #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] #echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' #Autosuspend for USB device Biometric Coprocessor - echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' + #echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' #Runtime PMs echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' @@ -168,22 +157,6 @@ echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' ''; - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 0; - emulateWheel = true; - }; - - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - environment.systemPackages = with pkgs; [ acronym cac-api @@ -214,15 +187,11 @@ }; }; - services.mongodb = { - enable = true; + krebs.repo-sync.timerConfig = { + OnCalendar = "00:37"; }; - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } - ]; - }; + services.mongodb = { + enable = true; }; } diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 6ed80ac39..5477a8b86 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -19,6 +19,8 @@ in { ../2configs/privoxy-retiolum.nix ../2configs/radio.nix ../2configs/buildbot-standalone.nix + ../2configs/repo-sync.nix + ../2configs/binary-cache/server.nix { imports = [ ../2configs/git.nix 
@@ -66,8 +68,6 @@ in { } { - #boot.loader.gummiboot.enable = true; - #boot.loader.efi.canTouchEfiVariables = true; boot.loader.grub = { devices = [ "/dev/sda" @@ -110,10 +110,6 @@ in { { sound.enable = false; } - #{ - # #workaround for server dying after 6-7h - # boot.kernelPackages = pkgs.linuxPackages_4_2; - #} { nixpkgs.config.allowUnfree = true; } @@ -202,7 +198,7 @@ in { } { imports = [ - ../2configs/realwallpaper-server.nix + ../2configs/realwallpaper.nix ]; krebs.nginx.servers."lassul.us".locations = [ (lib.nameValuePair "/wallpaper.png" '' diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index 6829428ff..96d64bda3 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -4,7 +4,9 @@ with builtins; { imports = [ ../. + ../2configs/hw/tp-x220.nix ../2configs/baseX.nix + ../2configs/git.nix ../2configs/exim-retiolum.nix ../2configs/browsers.nix ../2configs/programs.nix @@ -19,34 +21,10 @@ with builtins; # }; # }; #} - { - #x220 config from mors - #TODO: make x220 config file (or look in other user dir) - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 0; - emulateWheel = true; - }; - - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - } ]; krebs.build.host = config.krebs.hosts.shodan; - networking.wireless.enable = true; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - boot = { loader.grub.enable = true; loader.grub.version = 2; @@ -56,7 +34,6 @@ with builtins; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; }; fileSystems = { "/" = { 
@@ -67,10 +44,15 @@ with builtins; "/boot" = { device = "/dev/sda1"; }; + + "/home/lass" = { + device = "/dev/pool/home-lass"; + fsType = "ext4"; + }; }; - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - #''; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; } diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 16f7502ac..6d26ff89a 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -8,7 +8,13 @@ in { #./urxvt.nix ./xserver ./mpv.nix + #./pulse.nix + ./power-action.nix ]; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; users.extraUsers.mainUser.extraGroups = [ "audio" ]; @@ -16,11 +22,6 @@ in { virtualisation.libvirtd.enable = true; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - programs.ssh.startAgent = false; security.setuidPrograms = [ "slock" ]; @@ -32,6 +33,7 @@ in { environment.systemPackages = with pkgs; [ + acpi dmenu gitAndTools.qgit lm_sensors @@ -44,6 +46,7 @@ in { sxiv xclip xorg.xbacklight + xorg.xhost xsel zathura diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix new file mode 100644 index 000000000..108ff7a1e --- /dev/null +++ b/lass/2configs/binary-cache/client.nix @@ -0,0 +1,9 @@ +{ config, ... }: + +{ + nix = { + binaryCaches = ["http://cache.prism.r"]; + binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="]; + }; +} + diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix new file mode 100644 index 000000000..22ec04307 --- /dev/null +++ b/lass/2configs/binary-cache/server.nix 
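Review bot: The `/home/lass` mount added in the shodan hunk (`@@ -67,10 +44,15 @@`) points at `/dev/pool/home-lass` without anything in the hunk tying that volume to the LUKS device configured via `initrd.luks` earlier in the file; if `pool` is not the volume group on the encrypted disk, the user's home ends up unencrypted. A short comment such as `# LVM volume inside the LUKS container (see initrd.luks above)`, or the opposite if that is intentional, would make it explicit. The udev rules uncommented here carry exactly the MAC addresses removed from mors.nix in this same merge (`a0:88:b4:29:26:bc`, `f0:de:f1:0c:a7:63`), which looks like a hardware swap between the two laptops; worth confirming, since a mismatch silently leaves the interfaces unrenamed and any rule keyed on `wl0`/`et0` would then not match.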
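Review bot: `binaryCaches` in the new `binary-cache/client.nix` uses plain `http://cache.prism.r`, so the only integrity protection is NAR signature checking against the pinned `binaryCachePublicKeys` entry; that holds only while `nix.requireSignedBinaryCaches` stays at its NixOS default of `true`, and nothing in this diff asserts it. Consider setting it explicitly next to the key, `nix.requireSignedBinaryCaches = true;`, with a comment `# fetched over plain HTTP inside retiolum; the signature check against the key above is the integrity guarantee`. The `.r` name presumably resolves only inside retiolum, which limits who can answer for the cache but does not replace the signature check. Rotating the server key in `binary-cache/server.nix` will require updating this pin on every client, which is worth a note here too.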
@@ -0,0 +1,30 @@ +{ config, lib, pkgs, ...}: + +{ + # generate private key with: + # nix-store --generate-binary-cache-key my-secret-key my-public-key + services.nix-serve = { + enable = true; + secretKeyFile = config.krebs.secret.files.nix-serve-key.path; + }; + + systemd.services.nix-serve = { + requires = ["secret.service"]; + after = ["secret.service"]; + }; + krebs.secret.files.nix-serve-key = { + path = "/run/secret/nix-serve.key"; + owner.name = "nix-serve"; + source-path = toString <secrets> + "/nix-serve.key"; + }; + krebs.nginx = { + enable = true; + servers.nix-serve = { + server-names = [ "cache.prism.r" ]; + locations = lib.singleton (lib.nameValuePair "/" '' + proxy_pass http://localhost:${toString config.services.nix-serve.port}; + ''); + }; + }; +} + diff --git a/lass/2configs/binary-caches.nix b/lass/2configs/binary-caches.nix deleted file mode 100644 index c2727520d..000000000 --- a/lass/2configs/binary-caches.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - nix.sshServe.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" - ]; - nix.binaryCaches = [ - #"scp://nix-ssh@mors" - #"scp://nix-ssh@uriel" - ]; -} diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 604d0728d..04bdcf9d8 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -1,6 +1,14 @@ { lib, config, pkgs, ... }: -{ - krebs.buildbot.master = let + +with config.krebs.lib; + +let + sshWrapper = pkgs.writeDash "ssh-wrapper" '' + ${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" + ''; + +in { + config.krebs.buildbot.master = let stockholm-mirror-url = http://cgit.prism/stockholm ; in { slaves = { 
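Review bot: `services.nix-serve` in the new `binary-cache/server.nix` is fronted by nginx on `cache.prism.r`, but nix-serve's own listener is not bound to loopback here; the NixOS module defaults `bindAddress` to `0.0.0.0`, so the store is also reachable directly on nix-serve's port (default 5000) unless the host firewall drops it, which this hunk does not show. Setting `bindAddress = "127.0.0.1";` next to `secretKeyFile` makes nginx the only entry point and matches the `proxy_pass http://localhost:...` line. The `krebs.secret.files.nix-serve-key` entry gives the key an owner but no visible mode; a comment stating the expected permissions (`# must be readable only by nix-serve; it signs every NAR served`) would help whoever rotates it. Serving the whole store without access control is by design for a binary cache, but saying so in the header comment would save the next reviewer the same question.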
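Review bot: The `sshWrapper` added at the top of `buildbot-standalone.nix` runs `ssh` from a non-interactive build step but does not pass `-o BatchMode=yes`, so a missing `known_hosts` entry for `localhost` or a key ssh rejects will sit on a prompt until the step times out instead of failing immediately. Suggest `${pkgs.openssh}/bin/ssh -o BatchMode=yes -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"`. The wrapper lives in the world-readable store, which is fine because it embeds only the path of the private key; the key file itself must be readable by the user the buildbot slave runs as, and that relationship is not visible in this hunk.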
@@ -25,20 +33,38 @@ sched.append(schedulers.SingleBranchScheduler( ## all branches change_filter=util.ChangeFilter(branch_re=".*"), - # treeStableTimer=10, + treeStableTimer=10, name="fast-all-branches", builderNames=["fast-tests"])) ''; + build-scheduler = '' + # build all hosts + sched.append(schedulers.SingleBranchScheduler( + change_filter=util.ChangeFilter(branch_re=".*"), + treeStableTimer=10, + name="prism-all-branches", + builderNames=["build-all"])) + ''; }; builder_pre = '' # prepare grab_repo step for stockholm grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental') - env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"} + # TODO: get nixpkgs/stockholm paths from krebs + env_lass = { + "LOGNAME": "lass", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + } + env_makefu = { + "LOGNAME": "makefu", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + } # prepare nix-shell # the dependencies which are used by the test script - deps = [ "gnumake", "jq","nix","rsync" ] + deps = [ "gnumake", "jq", "nix", "rsync", "proot" ] # TODO: --pure , prepare ENV in nix-shell command: # SSL_CERT_FILE,LOGNAME,NIX_REMOTE nixshell = ["nix-shell", 
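Review bot: `env_lass` and `env_makefu` in the `builder_pre` hunk differ only in `LOGNAME`, so a small factory keeps the two from drifting apart: `def mk_env(logname): return {"LOGNAME": logname, "NIX_REMOTE": "daemon", "dummy_secrets": "true"}` followed by `env_lass = mk_env("lass")` and `env_makefu = mk_env("makefu")`. `dummy_secrets` is presumably the setting that keeps the real `<secrets>` tree out of the CI evaluation, and it deserves a comment where it is set, e.g. `# dummy_secrets: evaluate with placeholder secrets; the slave never sees the real ones`. The new `build-scheduler` builds every branch (`branch_re=".*"`), so that comment is also the place to say that untrusted branches are expected to hit this path.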
@@ -51,16 +77,45 @@ factory.addStep(steps.ShellCommand(**kwargs)) ''; builder = { + build-all = '' + f = util.BuildFactory() + f.addStep(grab_repo) + for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]: + addShell(f,name="build-{}".format(i),env=env_lass, + command=nixshell + \ + ["make \ + test \ + ssh=${sshWrapper} \ + target=build@localhost:${config.users.users.build.home}/testbuild \ + method=build \ + system={}".format(i)]) + + for i in [ "pornocauster", "wry" ]: + addShell(f,name="build-{}".format(i),env=env_makefu, + command=nixshell + \ + ["make \ + test \ + ssh=${sshWrapper} \ + target=build@localhost:${config.users.users.build.home}/testbuild \ + method=build \ + system={}".format(i)]) + + bu.append(util.BuilderConfig(name="build-all", + slavenames=slavenames, + factory=f)) + + ''; + fast-tests = '' f = util.BuildFactory() f.addStep(grab_repo) for i in [ "prism", "mors", "echelon" ]: - addShell(f,name="populate-{}".format(i),env=env, + addShell(f,name="populate-{}".format(i),env=env_lass, command=nixshell + \ ["{}( make system={} eval.config.krebs.build.populate \ | jq -er .)".format("!" if "failing" in i else "",i)]) - addShell(f,name="build-test-minimal",env=env, + addShell(f,name="build-test-minimal",env=env_lass, command=nixshell + \ ["nix-instantiate \ --show-trace --eval --strict --json \ @@ -86,17 +141,17 @@ }; }; - krebs.buildbot.slave = { + config.krebs.buildbot.slave = { enable = true; masterhost = "localhost"; username = "testslave"; password = "lasspass"; packages = with pkgs;[ git nix gnumake jq rsync ]; extraEnviron = { - NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; + NIX_PATH="nixpkgs=/var/src/nixpkgs"; }; }; - krebs.iptables = { + config.krebs.iptables = { tables = { filter.INPUT.rules = [ { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; } @@ -104,4 +159,29 @@ |
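Review bot: The two loops in the new `build-all` builder repeat the same eight-line `addShell` call, differing only in the host list and the env dict, so any change to the `make test` invocation (the `ssh=`, `target=` or `method=` arguments) has to be made twice. A helper inside the same Python string removes the duplication, sketched below; the Nix `${...}` interpolations stay as they are because this code sits inside the Nix multi-line string. The host lists are hardcoded here while the hosts themselves are declared under `config.krebs.hosts`, so deriving them from there would keep the builder in step with new hosts, though that is a larger change. `build-all` runs on every branch via the `prism-all-branches` scheduler, meaning any branch pushed to the mirror is evaluated and built as `build@localhost` with the build key; that is acceptable only if pushes to the mirror are trusted, which this file cannot show.
```python
def add_build_step(f, system, env):
    # one build step per host; lass and makefu hosts differ only in env
    addShell(f, name="build-{}".format(system), env=env,
        command=nixshell + \
        ["make \
        test \
        ssh=${sshWrapper} \
        target=build@localhost:${config.users.users.build.home}/testbuild \
        method=build \
        system={}".format(system)])

for system in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]:
    add_build_step(f, system, env_lass)
for system in [ "pornocauster", "wry" ]:
    add_build_step(f, system, env_makefu)
# … unchanged: bu.append(util.BuilderConfig(name="build-all", ...)) …
```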