authortv <tv@krebsco.de>2015-12-20 19:37:46 +0100
committertv <tv@krebsco.de>2015-12-20 19:37:46 +0100
commitc89907175546aa0c39bc6b2c4960f0ea6e6db8c9 (patch)
tree158bf1a5938fc37efc466b00b3f0906ac2a50d9f /shared
parentc09bc6a29f21f1c6bd21575e385b8b3bc5c89b8a (diff)
parent5821d8438578db623a3e248c52fefa424fad0b51 (diff)
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'shared')
-rw-r--r--shared/1systems/test-arch.nix32
-rw-r--r--shared/1systems/test-centos6.nix30
-rw-r--r--shared/1systems/test-centos7.nix15
-rw-r--r--shared/1systems/wolf.nix98
-rw-r--r--shared/2configs/base.nix76
-rw-r--r--shared/2configs/cac-ci.nix11
-rw-r--r--shared/2configs/graphite.nix37
-rw-r--r--shared/2configs/os-templates/CAC-CentOS-6.5-64bit.nix47
-rw-r--r--shared/2configs/os-templates/CAC-CentOS-7-64bit.nix47
-rw-r--r--shared/2configs/shack-drivedroid.nix44
-rw-r--r--shared/2configs/shack-nix-cacher.nix25
11 files changed, 391 insertions, 71 deletions
diff --git a/shared/1systems/test-arch.nix b/shared/1systems/test-arch.nix
new file mode 100644
index 000000000..ece209490
--- /dev/null
+++ b/shared/1systems/test-arch.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../2configs/base.nix
+ {
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ };
+ }
+ {
+ networking.dhcpcd.allowInterfaces = [
+ "enp*"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-arch;
+}
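Review bot: The inline module at lines 38-52 repeats the `boot.loader.grub` and `boot.initrd.availableKernelModules` settings that the two CAC templates added in this same merge also carry, so a fourth copy of the "CAC VM" boot setup now exists. Only the root filesystem differs (`/dev/sda1`, and here without an `fsType`), which suggests a shared os-template with the device as the only host-specific setting. If the missing `fsType` is intentional and relies on auto-detection, a one-line comment saying so would stop the next reader from "fixing" it; otherwise pin it, e.g. `fsType = "<FSTYPE-OF-IMAGE>";` with the real value filled in.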
diff --git a/shared/1systems/test-centos6.nix b/shared/1systems/test-centos6.nix
new file mode 100644
index 000000000..a8b5f9b9c
--- /dev/null
+++ b/shared/1systems/test-centos6.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+ ip = "168.235.148.52";
+ gw = "168.235.148.1";
+in {
+ imports = [
+ ../2configs/base.nix
+ ../2configs/os-templates/CAC-CentOS-6.5-64bit.nix
+ {
+ networking.interfaces.enp11s0.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = gw;
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+ }
+ {
+ sound.enable = false;
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.test-centos6;
+}
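Review bot: `inherit (lib) head;` at line 74 is never used in this file (nor in test-centos7.nix, which has the same line), so it should be dropped along with the `lib` argument if nothing else needs it. The address, gateway and nameserver are hard-coded literals here whereas wolf.nix in this merge derives its addresses from `config.krebs.build.host.nets`; if the centos6 host has a record there, reading it from the host record keeps a single source of truth for the IP. The literal `"8.8.8.8"` resolver also deserves a comment on why the public resolver is used rather than the provider's.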
diff --git a/shared/1systems/test-centos7.nix b/shared/1systems/test-centos7.nix
new file mode 100644
index 000000000..077a5d61b
--- /dev/null
+++ b/shared/1systems/test-centos7.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+in {
+ imports = [
+ ../2configs/base.nix
+ ../2configs/os-templates/CAC-CentOS-7-64bit.nix
+ ../2configs/os-templates/temp-networking.nix
+ ];
+
+ sound.enable = false;
+ krebs.build.host = config.krebs.hosts.test-centos7;
+}
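Review bot: The import of `../2configs/os-templates/temp-networking.nix` at line 116 refers to a file that does not appear in this merge's diffstat, although the diffstat is limited to `shared/` where that path would live. Unless the file already exists on the target branch, evaluating this host will fail with a missing-path error before any of the other settings are checked. Either add the file in the same change or replace the import with the inline networking module the way test-centos6.nix does.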
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 60d1e8ce8..2c51ac8fe 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -1,46 +1,42 @@
{ config, lib, pkgs, ... }:
-with lib;
-
+let
+ shack-ip = lib.head config.krebs.build.host.nets.shack.addrs4;
+ internal-ip = lib.head config.krebs.build.host.nets.retiolum.addrs4;
+in
{
imports = [
+ ../2configs/base.nix
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/collectd-base.nix
+ ../2configs/shack-nix-cacher.nix
+ ../2configs/shack-drivedroid.nix
+ ../2configs/cac-ci.nix
+ ../2configs/graphite.nix
];
+ # use your own binary cache, fallback use cache.nixos.org (which is used by
+ # apt-cacher-ng in first place)
+ nix.binaryCaches = [ "http://localhost:3142/nixos" "https://cache.nixos.org" ];
+
+ networking = {
+ firewall.enable = false;
+ interfaces.eth0.ip4 = [{
+ address = shack-ip;
+ prefixLength = 20;
+ }];
+
+ defaultGateway = "10.42.0.1";
+ nameservers = [ "10.42.0.100" "10.42.0.200" ];
+ };
+ #####################
+ # uninteresting stuff
+ #####################
krebs.build.host = config.krebs.hosts.wolf;
# TODO rename shared user to "krebs"
krebs.build.user = config.krebs.users.shared;
krebs.build.target = "wolf";
- krebs.enable = true;
- krebs.retiolum = {
- enable = true;
- connectTo = [
- # TODO remove connectTo cd, this was only used for bootstrapping
- "cd"
- "gum"
- "pigstarter"
- ];
- };
-
- krebs.build.source = {
- git.nixpkgs = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
- };
- dir.secrets = {
- host = config.krebs.current.host;
- path = "${getEnv "HOME"}/secrets/krebs/wolf";
- };
- dir.stockholm = {
- host = config.krebs.current.host;
- path = "${getEnv "HOME"}/stockholm";
- };
- };
-
- networking.hostName = config.krebs.build.host.name;
-
boot.kernel.sysctl = {
# Enable IPv6 Privacy Extensions
"net.ipv6.conf.all.use_tempaddr" = 2;
@@ -60,48 +56,8 @@ with lib;
fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
swapDevices = [
- { device = "/dev/disk/by-label/swap"; }
- ];
-
- nix.maxJobs = 1;
- nix.trustedBinaryCaches = [
- "https://cache.nixos.org"
- "http://cache.nixos.org"
- "http://hydra.nixos.org"
- ];
- nix.useChroot = true;
-
- nixpkgs.config.packageOverrides = pkgs: {
- nano = pkgs.vim;
- };
-
- environment.systemPackages = with pkgs; [
- git
- rxvt_unicode.terminfo
+ { device = "/dev/disk/by-label/swap"; }
];
time.timeZone = "Europe/Berlin";
-
- programs.ssh.startAgent = false;
-
- services.openssh = {
- enable = true;
- hostKeys = [
- { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- };
- services.cron.enable = false;
- services.nscd.enable = false;
- services.ntp.enable = false;
-
- users.mutableUsers = false;
- users.extraUsers.root.openssh.authorizedKeys.keys = [
- # TODO
- config.krebs.users.lass.pubkey
- config.krebs.users.makefu.pubkey
- config.krebs.users.tv.pubkey
- ];
-
- # The NixOS release to be compatible with for stateful data such as databases.
- system.stateVersion = "15.09";
}
diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix
new file mode 100644
index 000000000..df41eae1a
--- /dev/null
+++ b/shared/2configs/base.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ krebs.enable = true;
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [
+ # TODO remove connectTo cd, this was only used for bootstrapping
+ "cd"
+ "gum"
+ "pigstarter"
+ ];
+ };
+
+ krebs.build.source = {
+ git.nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
+ };
+ dir.secrets = {
+ host = config.krebs.current.host;
+ path = "${getEnv "HOME"}/secrets/krebs/wolf";
+ };
+ dir.stockholm = {
+ host = config.krebs.current.host;
+ path = "${getEnv "HOME"}/stockholm";
+ };
+ };
+
+ networking.hostName = config.krebs.build.host.name;
+
+ nix.maxJobs = 1;
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+ nix.useChroot = true;
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ nano = pkgs.vim;
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ rxvt_unicode.terminfo
+ ];
+
+ programs.ssh.startAgent = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ services.cron.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+
+ users.mutableUsers = false;
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ # TODO
+ config.krebs.users.lass.pubkey
+ config.krebs.users.makefu.pubkey
+ # TODO HARDER:
+ (readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub)
+ config.krebs.users.tv.pubkey
+ ];
+
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "15.09";
+
+}
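Review bot: `dir.secrets.path` at line 272 is still `"${getEnv "HOME"}/secrets/krebs/wolf"`, which was correct while this lived in wolf.nix but is wrong now that base.nix is imported by test-arch, test-centos6 and test-centos7 as well: every shared host will be built from wolf's secrets directory. Deriving it from the host record, `path = "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}";`, keeps each host's secrets separate (the same attribute is already used at line 280). The root `authorizedKeys` list at lines 312-319, including the `readFile` of makefu_omo.ssh.pub marked "TODO HARDER", likewise now grants root login on all four hosts rather than only wolf; a comment stating that this is the intended set for every shared host, or a per-host override, would make that explicit.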
diff --git a/shared/2configs/cac-ci.nix b/shared/2configs/cac-ci.nix
new file mode 100644
index 000000000..06cce2746
--- /dev/null
+++ b/shared/2configs/cac-ci.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ environment.systemPackages = with pkgs;[
+ get
+ cac
+ cacpanel
+ jq
+ ];
+}
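Review bot: `with lib;` at line 334 brings nothing into scope that this file uses, so it can go along with the `config` and `lib` arguments. `with pkgs;[` at line 336 is missing the space that every other package list in this merge has (`with pkgs; [`). `get`, `cac` and `cacpanel` are presumably provided by the krebs package overlay rather than upstream nixpkgs; a one-line comment naming where they come from would help readers who look for them in nixpkgs.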
diff --git a/shared/2configs/graphite.nix b/shared/2configs/graphite.nix
new file mode 100644
index 000000000..707ec6e9a
--- /dev/null
+++ b/shared/2configs/graphite.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+
+# TODO: krebs.graphite.minimal.enable
+# TODO: configure firewall
+with lib;
+{
+ imports = [ ];
+
+ services.graphite = {
+ web = {
+ enable = true;
+ host = "0.0.0.0";
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 50
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [default]
+ pattern = .*
+ retentions = 60s:30d,300s:1y
+ '';
+ };
+ };
+}
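Review bot: `host = "0.0.0.0";` at line 363 exposes graphite-web on every interface of the importing host, and the file's own header (`# TODO: configure firewall`) is the only mention of access control; nothing in this merge closes that TODO. Making the binding overridable, `host = lib.mkDefault "0.0.0.0";`, lets a host restrict it to one address without editing the shared module, and the header TODO should say which networks are meant to reach the web UI and the carbon receiver. Two smaller points: `imports = [ ];` at line 358 is an empty list that can be removed, and the `[carbon]` retention `60:90d` uses a bare number where `[default]` writes `60s`; writing both with the unit (`60s:90d`) keeps the two schemas consistent.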
diff --git a/shared/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/shared/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
new file mode 100644
index 000000000..b5ec722a0
--- /dev/null
+++ b/shared/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/VolGroup/lv_root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/VolGroup/lv_swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
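Review bot: The twenty lines of pasted `systemctl status` output at lines 420-435 bury the one fact that matters for `lock.gid = 10001;`, and the identical paste is repeated in CAC-CentOS-7-64bit.nix. A one-line comment carries the same information, e.g. `# the image's /usr/lib/tmpfiles.d/legacy.conf references a 'lock' group; without it systemd-tmpfiles-setup.service fails on every switch`. The two templates otherwise differ only in the root/boot/swap device paths and filesystem type, so a single template taking those as arguments would avoid maintaining the grub and initrd settings twice.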
diff --git a/shared/2configs/os-templates/CAC-CentOS-7-64bit.nix b/shared/2configs/os-templates/CAC-CentOS-7-64bit.nix
new file mode 100644
index 000000000..168d1d97b
--- /dev/null
+++ b/shared/2configs/os-templates/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix
new file mode 100644
index 000000000..08a6b0697
--- /dev/null
+++ b/shared/2configs/shack-drivedroid.nix
@@ -0,0 +1,44 @@
+{ pkgs, lib, config, ... }:
+let
+ repodir = "/var/srv/drivedroid";
+ srepodir = lib.shell.escape repodir;
+in
+{
+ environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
+
+ systemd.services.drivedroid = {
+ description = "generates drivedroid repo file";
+ restartIfChanged = true;
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ ExecStartPre = pkgs.writeScript "prepare-drivedroid-gen-repo" ''
+ #!/bin/sh
+ mkdir -p ${srepodir}/repos
+ '';
+ ExecStart = pkgs.writeScript "start-drivedroid-gen-repo" ''
+ #!/bin/sh
+ while sleep 60; do
+ ${pkgs.inotify-tools}/bin/inotifywait -r ${srepodir} && ${pkgs.drivedroid-gen-repo}/bin/drivedroid-gen-repo --chdir "${srepodir}" repos/ > "${srepodir}/main.json"
+ done
+ '';
+ };
+ };
+
+ krebs.nginx = {
+ enable = lib.mkDefault true;
+ servers = {
+ drivedroid-repo = {
+ server-names = [ "drivedroid.shack" ];
+ # TODO: prepare this somehow
+ locations = lib.singleton (lib.nameValuePair "/" ''
+ root ${repodir};
+ index main.json;
+ '');
+ };
+ };
+ };
+
+}
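Review bot: The `drivedroid` service at lines 506-525 sets no `User=`, so the `inotifywait`/`drivedroid-gen-repo` loop runs as root although it only needs write access to `/var/srv/drivedroid`; a dedicated unprivileged user (constructed example: `serviceConfig.User = "drivedroid";` with a matching `users.extraUsers` entry that owns `repodir`) would bound what a malformed repo input can affect. `srepodir` is already passed through `lib.shell.escape` and then wrapped in double quotes again at line 521 (`"${srepodir}"`); if that escape function ever emits quoting, the quotes become part of the path, so use one mechanism or the other. The nginx `root ${repodir};` at line 534 uses the unescaped value, which is fine for nginx syntax but worth a comment so the two spellings are not "fixed" into each other.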
diff --git a/shared/2configs/shack-nix-cacher.nix b/shared/2configs/shack-nix-cacher.nix
new file mode 100644
index 000000000..7519bb3ac
--- /dev/null
+++ b/shared/2configs/shack-nix-cacher.nix
@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }:
+
+{
+ krebs.nginx = {
+ enable = lib.mkDefault true;
+ servers = {
+ apt-cacher-ng = {
+ server-names = [ "acng.shack" ];
+ locations = lib.singleton (lib.nameValuePair "/" ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:3142/;
+ '');
+ };
+ };
+ };
+
+ krebs.apt-cacher-ng = {
+ enable = true;
+ port = 3142;
+ bindAddress = "localhost";
+ cacheExpiration = 30;
+ };
+}
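Review bot: The `/` location at lines 556-561 proxies the whole apt-cacher-ng URL space to `acng.shack` with no access restriction, while the daemon itself is deliberately bound to `localhost` at line 569; apt-cacher-ng also serves a maintenance/report page that lets a client trigger cache operations, so the nginx front-end now exposes that to anyone who can reach the host (and wolf.nix in this merge disables its firewall). Restricting the server to the shack network with nginx `allow`/`deny` directives, or at least adding a separate location for the report page that requires authentication, would keep the public part to plain package fetches. A comment above `krebs.nginx` stating which clients are meant to use `acng.shack` would also document the intended exposure.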