diff options
author | lassulus <lassulus@lassul.us> | 2017-10-01 17:54:06 +0200 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2017-10-01 17:54:06 +0200 |
commit | d7f65ea679866f24e4ca52b51bd6f068a6b38195 (patch) | |
tree | 6a09e7cc2a4c9af0507bdc189652c78832a2f952 /makefu | |
parent | d973c779eb71749af464edb1ed0216b0d5317eb2 (diff) | |
parent | e62f376e6177f3efb0e0bcd3aad97a991c3b6d60 (diff) |
Merge branch 'master' into staging/17.09
Diffstat (limited to 'makefu')
42 files changed, 1140 insertions, 167 deletions
diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix new file mode 100644 index 000000000..0630d19ad --- /dev/null +++ b/makefu/1systems/cake/config.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: +{ + imports = [ + <stockholm/makefu> + # configure your hw: + # <stockholm/makefu/2configs/hw/CAC.nix> + # <stockholm/makefu/2configs/fs/CAC-CentOS-7-64bit.nix> + # <stockholm/makefu/2configs/save-diskspace.nix + ]; + krebs = { + enable = true; + tinc.retiolum.enable = true; + build.host = config.krebs.hosts.cake; + }; + # You want to change these :) + boot.loader.grub.device = "/dev/sda"; + fileSystems."/" = { + device = "/dev/sda1"; + }; +}
\ No newline at end of file diff --git a/makefu/1systems/cake/source.nix b/makefu/1systems/cake/source.nix new file mode 100644 index 000000000..797417a1d --- /dev/null +++ b/makefu/1systems/cake/source.nix @@ -0,0 +1,3 @@ +import <stockholm/makefu/source.nix> { + name="cake"; +}
\ No newline at end of file diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 934bfa685..e1357ff01 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -44,6 +44,7 @@ in { <stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/vpn/openvpn-server.nix> <stockholm/makefu/2configs/dnscrypt/server.nix> + <stockholm/makefu/2configs/remote-build/slave.nix> ## Web <stockholm/makefu/2configs/nginx/share-download.nix> @@ -74,6 +75,9 @@ in { <stockholm/makefu/2configs/stats/client.nix> # <stockholm/makefu/2configs/logging/client.nix> + # Temporary: + <stockholm/makefu/2configs/temp/rst-issue.nix> + ]; makefu.dl-dir = "/var/download"; @@ -143,6 +147,8 @@ in { 53589 # temp vnc 18001 + # temp reverseshell + 31337 ]; allowedUDPPorts = [ # tinc diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix new file mode 100644 index 000000000..d532f216f --- /dev/null +++ b/makefu/1systems/latte/config.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: +let + + # external-ip = config.krebs.build.host.nets.internet.ip4.addr; + # internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; + # default-gw = "185.215.224.1"; + # prefixLength = 24; + # external-mac = "46:5b:fc:f4:44:c9"; + # ext-if = "et0"; +in { + + imports = [ + <stockholm/makefu> + # configure your hw: + <stockholm/makefu/2configs/hw/CAC.nix> + <stockholm/makefu/2configs/tinc/retiolum.nix> + <stockholm/makefu/2configs/save-diskspace.nix> + + # Security + <stockholm/makefu/2configs/sshd-totp.nix> + <stockholm/makefu/2configs/stats/client.nix> + + # Tools + <stockholm/makefu/2configs/tools/core.nix> + <stockholm/makefu/2configs/vim.nix> + <stockholm/makefu/2configs/zsh-user.nix> + # Services + <stockholm/makefu/2configs/remote-build/slave.nix> + + ]; + krebs = { + enable = true; + build.host = config.krebs.hosts.latte; + }; + boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ]; + + boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.copyKernels = true; + fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + networking = { + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ 655 ]; + }; + # network interface receives dhcp address + nameservers = [ "8.8.8.8" ]; + }; +} diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix new file mode 100644 index 000000000..d997fb3f0 --- /dev/null +++ b/makefu/1systems/latte/source.nix @@ -0,0 +1,3 @@ +import <stockholm/makefu/source.nix> { + name="latte"; +} diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 4c93a7a3e..a22ff10bd 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -60,10 +60,13 @@ in { <stockholm/makefu/2configs/stats/nodisk-client.nix> # logs to influx <stockholm/makefu/2configs/stats/external/aralast.nix> + <stockholm/makefu/2configs/stats/telegraf> # services <stockholm/makefu/2configs/syncthing.nix> <stockholm/makefu/2configs/mqtt.nix> + <stockholm/makefu/2configs/remote-build/slave.nix> + # security <stockholm/makefu/2configs/sshd-totp.nix> @@ -77,6 +80,9 @@ in { ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload + + # Temporary: + <stockholm/makefu/2configs/temp/rst-issue.nix> ]; makefu.full-populate = true; makefu.server.primary-itf = primaryInterface; diff --git a/makefu/1systems/pnp/config.nix b/makefu/1systems/pnp/config.nix index 5fbaaabc7..6c9fc0606 100644 --- a/makefu/1systems/pnp/config.nix +++ b/makefu/1systems/pnp/config.nix @@ -34,10 +34,11 @@ krebs.Reaktor.debug = { debug = true; extraEnviron = { - REAKTOR_HOST = "ni.r"; + # TODO: remove hard-coded server + REAKTOR_HOST = "irc.r"; }; plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ]; - channels = [ "#retiolum" ]; + channels = [ "#xxx" ]; }; krebs.build.host = config.krebs.hosts.pnp; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index b776b49d6..3a53b70cb 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -25,7 +25,9 @@ in { # <stockholm/makefu/2configs/audio/realtime-audio.nix> # <stockholm/makefu/2configs/vncserver.nix> <stockholm/makefu/2configs/temp/rst-issue.nix> - ]; + # Services + <stockholm/makefu/2configs/remote-build/slave.nix> + ]; krebs = { enable = true; @@ -33,10 +35,48 @@ in { }; swapDevices = [ { device = "/var/swap"; } ]; + services.collectd.extraConfig = lib.mkAfter '' + #LoadPlugin ping + # does not work because it requires privileges + #<Plugin "ping"> + # Host "google.de" + # Host "heise.de" + #</Plugin> + + LoadPlugin curl + <Plugin curl> + TotalTime true + NamelookupTime true + ConnectTime true + + <Page "google"> + MeasureResponseTime true + MeasureResponseCode true + URL "https://google.de" + </Page> + + <Page "webde"> + MeasureResponseTime true + MeasureResponseCode true + URL "http://web.de" + </Page> + + </Plugin> + #LoadPlugin netlink + #<Plugin "netlink"> + # Interface "enp0s25" + # Interface "wlp2s0" + # IgnoreSelected false + #</Plugin> + ''; networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 655 49152 ]; + networking.firewall.allowedTCPPorts = [ + 655 + 8081 #smokeping + 49152 + ]; networking.firewall.trustedInterfaces = [ "enp0s25" ]; #services.tinc.networks.siem = { # name = "display"; @@ -90,4 +130,66 @@ in { serverAddress = "x.r"; }; }; + security.wrappers.fping = { + source = "${pkgs.fping}/bin/fping"; + setuid = true; + }; + services.smokeping = { + enable = true; + targetConfig = '' + probe = FPing + menu = Top + title = Network Latency Grapher + remark = Welcome to this SmokePing website. + + + network + menu = Net latency + title = Network latency (ICMP pings) + + ++ google + probe = FPing + host = google.de + ++ webde + probe = FPing + host = web.de + + + services + menu = Service latency + title = Service latency (DNS, HTTP) + + ++ HTTP + menu = HTTP latency + title = Service latency (HTTP) + + +++ webdeping + probe = EchoPingHttp + host = web.de + + +++ googwebping + probe = EchoPingHttp + host = google.de + + #+++ webwww + #probe = Curl + #host = web.de + + #+++ googwebwww + #probe = Curl + #host = google.de + ''; + probeConfig = '' + + FPing + binary = /run/wrappers/bin/fping + + EchoPingHttp + pings = 5 + url = / + + #+ Curl + ## probe-specific variables + #binary = ${pkgs.curl}/bin/curl + #step = 60 + ## a default for this target-specific variable + #urlformat = http://%host%/ + ''; + }; } diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index faa29f3db..443f912d8 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -56,8 +56,8 @@ with import <stockholm/lib>; <stockholm/makefu/2configs/git/brain-retiolum.nix> <stockholm/makefu/2configs/tor.nix> <stockholm/makefu/2configs/vpn/vpngate.nix> - <stockholm/makefu/2configs/steam.nix> # <stockholm/makefu/2configs/buildbot-standalone.nix> + <stockholm/makefu/2configs/remote-build/master.nix> # Hardware <stockholm/makefu/2configs/hw/tp-x230.nix> diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix index 678370c69..4c17a1d50 100644 --- a/makefu/2configs/deployment/led-fader.nix +++ b/makefu/2configs/deployment/led-fader.nix @@ -29,11 +29,11 @@ in { environment = { NIX_PATH = "/var/src"; }; - # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ]; + after = [ "network-online.target" ] ++ (lib.optional config.services.mosquitto.enable "mosquitto.service"); wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; serviceConfig = { # User = "nobody"; # need a user with permissions to run nix-shell + ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2"; ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; PrivateTmp = true; }; diff --git a/makefu/2configs/git/brain-retiolum.nix b/makefu/2configs/git/brain-retiolum.nix index 05754dc7f..3be3fccef 100644 --- a/makefu/2configs/git/brain-retiolum.nix +++ b/makefu/2configs/git/brain-retiolum.nix @@ -19,9 +19,9 @@ let post-receive = pkgs.git-hooks.irc-announce { nick = config.networking.hostName; verbose = true; - channel = "#retiolum"; + channel = "#xxx"; # TODO remove the hardcoded hostname - server = "ni.r"; + server = "irc.r"; }; }; }; diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 30c0b0b87..ed890fe40 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -24,6 +24,7 @@ let cac-api = { }; euer_blog = { }; ampel = { }; + europastats = { }; init-stockholm = { cgit.desc = "Init stuff for stockholm"; }; @@ -56,9 +57,9 @@ let post-receive = pkgs.git-hooks.irc-announce { nick = config.networking.hostName; verbose = config.krebs.build.host.name == "gum"; - channel = "#retiolum"; + channel = "#xxx"; # TODO remove the hardcoded hostname - server = "ni.r"; + server = "irc.r"; }; }; }; diff --git a/makefu/2configs/gui/base.nix b/makefu/2configs/gui/base.nix index 0247010b1..daa0282b8 100644 --- a/makefu/2configs/gui/base.nix +++ b/makefu/2configs/gui/base.nix @@ -58,7 +58,7 @@ in hardware.pulseaudio = { enable = true; - systemWide = true; + # systemWide = true; }; services.xserver.displayManager.sessionCommands = let xdefaultsfile = pkgs.writeText "Xdefaults" '' diff --git a/makefu/2configs/printer.nix b/makefu/2configs/printer.nix index 0865a0841..51e69d8b7 100644 --- a/makefu/2configs/printer.nix +++ b/makefu/2configs/printer.nix @@ -14,17 +14,20 @@ in { # scanners are printers just in reverse anyway services.saned.enable = true; - users.users."${mainUser}".extraGroups = [ "scanner" ]; + users.users."${mainUser}".extraGroups = [ "scanner" "lp" ]; hardware.sane = { enable = true; - extraBackends = [ pkgs.samsungUnifiedLinuxDriver ]; + extraBackends = [ ]; # $ scanimage -p --format=jpg --mode=Gray --source="Automatic Document Feeder" -v --batch="lol%d.jpg" --resolution=150 # requires 'sane-extra', scan via: - extraConfig."magicolor" = '' - net 10.42.20.30 0x2098 - ''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf + #extraConfig."magicolor" = '' + # net 10.42.20.30 0x2098 + #''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf + extraConfig."xerox_mfp" = '' + tcp 192.168.1.5 + ''; #home printer SCX-3205W }; } diff --git a/makefu/2configs/remote-build/master.nix b/makefu/2configs/remote-build/master.nix new file mode 100644 index 000000000..4ad2c5ed8 --- /dev/null +++ b/makefu/2configs/remote-build/master.nix @@ -0,0 +1,14 @@ +{ pkgs, ...}: +let + sshKey = (toString <secrets>) + "/id_nixBuild"; +in { + nix.distributedBuilds = true; + # TODO: iterate over krebs.hosts + nix.buildMachines = map ( hostName: + { inherit hostName sshKey; + sshUser = "nixBuild"; + system = "x86_64-linux"; + maxJobs = 1; + }) [ "omo.r" "gum.r" "latte.r" ]; + # puyak.r "wbob.r" +} diff --git a/makefu/2configs/remote-build/slave.nix b/makefu/2configs/remote-build/slave.nix new file mode 100644 index 000000000..b6e000a34 --- /dev/null +++ b/makefu/2configs/remote-build/slave.nix @@ -0,0 +1,11 @@ +{ + nix.trustedUsers = [ "nixBuild" ]; + users.users.nixBuild = { + name = "nixBuild"; + useDefaultShell = true; + # TODO: put this somewhere else + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild" + ]; + }; +} diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix index 8f9935658..7548c733e 100644 --- a/makefu/2configs/stats/server.nix +++ b/makefu/2configs/stats/server.nix @@ -2,6 +2,8 @@ with import <stockholm/lib>; let + irc-server = "rc.r"; + irc-nick = "m-alarm"; collectd-port = 25826; influx-port = 8086; grafana-port = 3000; # TODO nginx forward @@ -37,9 +39,9 @@ in { echoToIrc = pkgs.writeDash "echo_irc" '' set -euf data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=malarm + export LOGNAME=${irc-nick} ${pkgs.irc-announce}/bin/irc-announce \ - irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null + ${irc-server} 6667 ${irc-nick} \#noise "$data" >/dev/null ''; in { enable = true; diff --git a/makefu/2configs/stats/telegraf/default.nix b/makefu/2configs/stats/telegraf/default.nix new file mode 100644 index 000000000..4da6561d6 --- /dev/null +++ b/makefu/2configs/stats/telegraf/default.nix @@ -0,0 +1,20 @@ +{...}: +let + url = "http://localhost:8086"; +in { + imports = [ + ./europastats.nix + ]; + services.telegraf = { + enable = true; + extraConfig = { + agent.debug = true; + outputs = { + influxdb = [{ + urls = [ url ]; + database = "telegraf"; + }]; + }; + }; + }; +} diff --git a/makefu/2configs/stats/telegraf/europastats.nix b/makefu/2configs/stats/telegraf/europastats.nix new file mode 100644 index 000000000..9249280c5 --- /dev/null +++ b/makefu/2configs/stats/telegraf/europastats.nix @@ -0,0 +1,43 @@ +{ pkgs, ...}: +let + pkg = with pkgs.python3Packages;buildPythonPackage rec { + rev = "be31da7"; + name = "europastats-${rev}"; + propagatedBuildInputs = [ + requests2 + docopt + ]; + src = pkgs.fetchgit { + url = "http://cgit.euer.krebsco.de/europastats"; + inherit rev; + sha256 = "0qj18vgj9nm6aisyqhk3iz3rf8xp7mn5jc6sfylcaw588a9sjfvc"; + }; + }; +in { + services.telegraf.extraConfig.inputs.exec = [ + { + commands = [ "${pkg}/bin/europa-attractions"]; + timeout = "1m"; + data_format = "json"; + name_override = "europawaiting"; + interval = "1m"; + tag_keys = [ + "status" + "type" + "name" + ]; + } + { + commands = [ "${pkg}/bin/europa-weather"]; + timeout = "20s"; + data_format = "json"; + name_override = "europaweather"; + interval = "10m"; + tag_keys = [ + "type" + "name" + "offset" + ]; + } + ]; +} diff --git a/makefu/2configs/tools/all.nix b/makefu/2configs/tools/all.nix index c7a116918..7755e2872 100644 --- a/makefu/2configs/tools/all.nix +++ b/makefu/2configs/tools/all.nix @@ -7,6 +7,7 @@ ./extra-gui.nix ./games.nix ./media.nix + ./scanner-tools.nix ./sec.nix ./sec-gui.nix ./studio.nix diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix index 0538647ae..2f80b08c9 100644 --- a/makefu/2configs/tools/core-gui.nix +++ b/makefu/2configs/tools/core-gui.nix @@ -13,7 +13,6 @@ keepassx pcmanfm evince - skype mirage tightvnc gnome3.dconf diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix index b2d616764..bcc068d82 100644 --- a/makefu/2configs/tools/extra-gui.nix +++ b/makefu/2configs/tools/extra-gui.nix @@ -6,7 +6,7 @@ gimp inkscape libreoffice - skype + # skype synergy tdesktop virtmanager diff --git a/makefu/2configs/tools/games.nix b/makefu/2configs/tools/games.nix index 47f06287b..8e815da5e 100644 --- a/makefu/2configs/tools/games.nix +++ b/makefu/2configs/tools/games.nix @@ -1,8 +1,10 @@ { pkgs, ... }: { - krebs.per-user.makefu.packages = with pkgs; [ - steam + imports = [ + ./steam.nix + ]; + users.users.makefu.packages = with pkgs; [ games-user-env ]; } diff --git a/makefu/2configs/tools/scanner-tools.nix b/makefu/2configs/tools/scanner-tools.nix new file mode 100644 index 000000000..ef2e913e4 --- /dev/null +++ b/makefu/2configs/tools/scanner-tools.nix @@ -0,0 +1,7 @@ +{ + # ln -s /run/current-system/sw/bin/xsane ~/.gimp-2.8/plug-ins/xsane + nixpkgs.config.packageOverrides = pkgs: { + xsaneGimp = pkgs.xsane.override { gimpSupport = true; }; + }; +} + diff --git a/makefu/2configs/steam.nix b/makefu/2configs/tools/steam.nix index d4ec84abf..200ea4719 100644 --- a/makefu/2configs/steam.nix +++ b/makefu/2configs/tools/steam.nix @@ -1,6 +1,10 @@ {pkgs, ...}: { - environment.systemPackages = [ pkgs.steam ]; + users.users.makefu.packages = [ + (pkgs.steam.over |