authormakefu <github@syntax-fehler.de>2017-07-15 18:57:16 +0200
committermakefu <github@syntax-fehler.de>2017-07-15 18:57:16 +0200
commitfa38155eec9563dc9dc620a77900d87b97443cfe (patch)
tree6000436cba63e03a21556fb6c2d6ebb67eb5b3b0 /makefu/1systems/shoney
parent3698f2a40c2db7df0888974c9b2e347947088a98 (diff)
ma: move systems to subdir, init source
Diffstat (limited to 'makefu/1systems/shoney')
-rw-r--r--makefu/1systems/shoney/config.nix63
1 files changed, 63 insertions, 0 deletions
diff --git a/makefu/1systems/shoney/config.nix b/makefu/1systems/shoney/config.nix
new file mode 100644
index 000000000..9f04e97eb
--- /dev/null
+++ b/makefu/1systems/shoney/config.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+let
+ tinc-siem-ip = "10.8.10.1";
+
+ ip = "64.137.234.215";
+ alt-ip = "64.137.234.210"; # honeydrive honeyd
+ extra-ip1 = "64.137.234.114"; # floating tinc.siem
+ extra-ip2 = "64.137.234.232"; # honeydrive
+ gw = "64.137.234.1";
+in {
+ imports = [
+ ../.
+ ../2configs/save-diskspace.nix
+ ../2configs/hw/CAC.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
+ ../2configs/tinc/retiolum.nix
+ ../2configs/torrent.nix
+ ];
+
+
+ krebs = {
+ enable = true;
+ build.host = config.krebs.hosts.shoney;
+ tinc_graphs = {
+ enable = true;
+ network = "siem";
+ hostsPath = "/etc/tinc/siem/hosts";
+ nginx = {
+ enable = true;
+ # TODO: remove hard-coded hostname
+ anonymous-domain = "localhost.localdomain";
+ anonymous.extraConfig = "return 403;";
+ complete = {
+ serverAliases = [ "graph.siem" ];
+ extraConfig = ''
+ if ( $server_addr = "${ip}" ) {
+ return 403;
+ }
+ '';
+ };
+ };
+ };
+ };
+ makefu.forward-journal = {
+ enable = true;
+ src = "10.8.10.1";
+ dst = "10.8.10.6";
+ };
+ networking = {
+ interfaces.enp2s1.ip4 = [
+ { address = ip; prefixLength = 24; }
+ # { address = alt-ip; prefixLength = 24; }
+ ];
+
+ defaultGateway = gw;
+ nameservers = [ "8.8.8.8" ];
+ firewall = {
+ trustedInterfaces = [ "tinc.siem" ];
+ allowedUDPPorts = [ 655 1655 ];
+ allowedTCPPorts = [ 655 1655 ];
+ };
+ };
+}
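Review bot: The `complete` vhost's guard `if ( $server_addr = "${ip}" ) { return 403; }` is a deny on a single address, so the full tinc graph is served on any other address the host answers on; `extra-ip1` and `extra-ip2` are public 64.137.234.x addresses and, judging by the commented-out `alt-ip` entry on enp2s1, more of them may be bound later. A positive allowlist does not depend on which addresses happen to be configured: replace the `if` block with `allow 10.8.10.0/24; deny all;` (the subnet is inferred from `tinc-siem-ip` and the forward-journal addresses — confirm the actual tinc.siem range before relying on it). Separately, `tinc-siem-ip` is bound but never used while `makefu.forward-journal.src` repeats the same literal; `src = tinc-siem-ip;` keeps the two from drifting apart. Note also that `trustedInterfaces = [ "tinc.siem" ]` bypasses the firewall entirely for that interface, so every peer on the siem mesh reaches every local listener (including the nginx vhosts), which deserves a comment if it is intentional.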