summaryrefslogtreecommitdiffstats
path: root/makefu/2configs
diff options
context:
space:
mode:
authorjeschli <jeschli@gmail.com>2018-07-09 14:31:18 +0200
committerjeschli <jeschli@gmail.com>2018-07-09 14:31:18 +0200
commitd1c6baf00e98a0229fc7fd96874623efc8417b05 (patch)
treeeaba9481ed208af1086690a9c07ca948b047389a /makefu/2configs
parentb439342e7533e3f695db8a46576c54d180f56a58 (diff)
parentd6df7ae483b984b90bdc8d4540301ef394885a98 (diff)
Merge remote-tracking branch 'origin/staging/jeschli'
Diffstat (limited to 'makefu/2configs')
-rw-r--r--makefu/2configs/git/cgit-retiolum.nix1
-rw-r--r--makefu/2configs/hub.nix102
2 files changed, 103 insertions, 0 deletions
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index c209b83f6..61182f6c3 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -38,6 +38,7 @@ let
priv-repos = mapAttrs make-priv-repo {
autosync = { };
+ fenkins = { };
pass = { };
};
diff --git a/makefu/2configs/hub.nix b/makefu/2configs/hub.nix
new file mode 100644
index 000000000..a121157d4
--- /dev/null
+++ b/makefu/2configs/hub.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+# search also generates ddclient entries for all other logs
+
+with import <stockholm/lib>;
+let
+ ddclientUser = "ddclient";
+ sec = toString <secrets>;
+ nsupdate = import "${sec}/nsupdate-hub.nix";
+ stateDir = "/var/spool/ddclient";
+ cfg = "${stateDir}/cfg";
+ ext-if = config.makefu.server.primary-itf;
+ ddclientPIDFile = "${stateDir}/ddclient.pid";
+
+ # TODO: correct cert generation requires a `real` internet ip address
+
+ gen-cfg = dict: ''
+ ssl=yes
+ cache=${stateDir}/ddclient.cache
+ pid=${ddclientPIDFile}
+ ${concatStringsSep "\n" (mapAttrsToList (user: pass: ''
+
+ protocol=dyndns2
+ use=web, web=http://ipv4.nsupdate.info/myip
+ ssl=yes
+ server=ipv4.nsupdate.info
+ login=${user}
+ password='${pass}'
+ ${user}
+
+ '') dict)}
+ '';
+
+in {
+ users.extraUsers = singleton {
+ name = ddclientUser;
+ uid = genid "ddclient";
+ description = "ddclient daemon user";
+ home = stateDir;
+ createHome = true;
+ };
+
+ systemd.services = {
+ redis.serviceConfig.LimitNOFILE=10032;
+ ddclient-nsupdate-uhub = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ip-up.target" ];
+ serviceConfig = {
+ Type = "forking";
+ User = ddclientUser;
+ PIDFile = ddclientPIDFile;
+ ExecStartPre = pkgs.writeDash "init-nsupdate" ''
+ cp -vf ${pkgs.writeText "ddclient-config" (gen-cfg nsupdate)} ${cfg}
+ chmod 700 ${cfg}
+ '';
+ ExecStart = "${pkgs.ddclient}/bin/ddclient -verbose -daemon 1 -noquiet -file ${cfg}";
+ };
+ };
+ };
+
+ networking.firewall.extraCommands = ''
+ iptables -A PREROUTING -t nat -i ${ext-if} -p tcp --dport 411 -j REDIRECT --to-port 1511
+ '';
+ systemd.services.uhub.serviceConfig = {
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ ExecStartPre = pkgs.writeDash "uhub-pre" ''
+ cp ${toString <secrets/wildcard.krebsco.de.crt>} /tmp/uhub.crt
+ cp ${toString <secrets/wildcard.krebsco.de.key>} /tmp/uhub.key
+ cp ${toString <secrets/uhub.sql>} /tmp/uhub.sql
+ chown uhub /tmp/*
+ '';
+
+ };
+ services.uhub = {
+ enable = true;
+ port = 1511;
+ enableTLS = true;
+ hubConfig = ''
+ hub_name = "krebshub"
+ tls_certificate = /tmp/uhub.crt
+ tls_private_key = /tmp/uhub.key
+ registered_users_only = true
+ '';
+ plugins = {
+ welcome = {
+ enable = true;
+ motd = "shareit";
+ rules = "1. Don't be an asshole";
+ };
+ history = {
+ enable = true;
+ };
+ authSqlite = {
+ enable = true;
+ file = "/tmp/uhub.sql";
+ };
+
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 411 1511 ];
+}