diff options
-rw-r--r-- | krebs/2configs/binary-cache/prism.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/cache.nsupdate.info.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/cachecache.nix | 20 | ||||
-rw-r--r-- | krebs/3modules/makefu/ssh/ulrich.pub | 2 | ||||
-rw-r--r-- | makefu/0tests/data/secrets/nsupdate-cache.nix | 1 | ||||
-rw-r--r-- | makefu/1systems/gum/config.nix | 12 | ||||
-rw-r--r-- | makefu/1systems/gum/hardware-config.nix | 11 | ||||
-rw-r--r-- | makefu/1systems/gum/rescue.txt | 4 | ||||
-rw-r--r-- | makefu/1systems/gum/source.nix | 2 | ||||
-rw-r--r-- | makefu/2configs/bgt/auphonic.pub | 1 | ||||
-rw-r--r-- | makefu/2configs/bgt/download.binaergewitter.de.nix (renamed from makefu/2configs/nginx/download.binaergewitter.de.nix) | 23 | ||||
-rw-r--r-- | makefu/2configs/bgt/hidden_service.nix (renamed from makefu/2configs/deployment/bgt/hidden_service.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/bureautomation/default.nix (renamed from makefu/2configs/deployment/bureautomation/default.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/bureautomation/hass.nix (renamed from makefu/2configs/deployment/bureautomation/hass.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/bureautomation/mpd.nix (renamed from makefu/2configs/deployment/bureautomation/mpd.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/homeautomation/default.nix (renamed from makefu/2configs/deployment/homeautomation/default.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/homeautomation/google-muell.nix (renamed from makefu/2configs/deployment/google-muell.nix) | 0 | ||||
-rw-r--r-- | makefu/2configs/homeautomation/mqtt.nix (renamed from makefu/2configs/deployment/homeautomation/mqtt.nix) | 0 | ||||
-rw-r--r-- | makefu/krops.nix | 15 | ||||
-rwxr-xr-x | makefu/update-channel.sh | 2 |
20 files changed, 67 insertions, 36 deletions
diff --git a/krebs/2configs/binary-cache/prism.nix b/krebs/2configs/binary-cache/prism.nix index 46b386e14..51b4a1afc 100644 --- a/krebs/2configs/binary-cache/prism.nix +++ b/krebs/2configs/binary-cache/prism.nix @@ -3,7 +3,7 @@ { nix = { binaryCaches = [ - "http://cache.prism.r" + "https://cache.krebsco.de" ]; binaryCachePublicKeys = [ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix index 056667d8c..74f345614 100644 --- a/krebs/2configs/cache.nsupdate.info.nix +++ b/krebs/2configs/cache.nsupdate.info.nix @@ -1,4 +1,4 @@ -{lib, ... }: +{ pkgs, lib, ... }: with lib; let domain = "cache.nsupdate.info"; @@ -17,9 +17,13 @@ in { }; krebs.cachecache = { enable = true; - enableSSL = false; # disable letsencrypt for testing + enableSSL = true; # disable letsencrypt for testing cacheDir = "/var/cache/nix-cache-cache"; maxSize = "10g"; + indexFile = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html"; + sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0"; + }; # assumes that the domain is reachable from the internet virtualHost = domain; diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix index 989320480..2c2d07ff5 100644 --- a/krebs/3modules/cachecache.nix +++ b/krebs/3modules/cachecache.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ pkgs, config, lib, ... }: # fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b @@ -59,15 +59,6 @@ in ''; }; - # webRoot = mkOption { - # type = types.str; - # default = "/"; - # description = '' - # Directory on virtual host that serves the cache. Must end in - # <literal>/</literal>. - # ''; - # }; - resolver = mkOption { type = types.str; description = "Address of DNS resolver."; @@ -82,6 +73,13 @@ in Where nginx should store cached data. ''; }; + indexFile = mkOption { + type = types.path; + default = pkgs.writeText "myindex" "<html>hello world</html>"; + description = '' + Path to index.html file. + ''; + }; maxSize = mkOption { type = types.str; @@ -98,6 +96,7 @@ in systemd.services.nginx.preStart = '' mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache + ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html chown ${nginxCfg.user}:${nginxCfg.group} \ ${cfg.cacheDir} /srv/www/nix-cache-cache ''; @@ -143,6 +142,7 @@ in locations."/" = { root = "/srv/www/nix-cache-cache"; + index = "index.html"; extraConfig = '' expires max; add_header Cache-Control $nix_cache_cache_header always; diff --git a/krebs/3modules/makefu/ssh/ulrich.pub b/krebs/3modules/makefu/ssh/ulrich.pub index 88313ee7c..8ac69004c 100644 --- a/krebs/3modules/makefu/ssh/ulrich.pub +++ b/krebs/3modules/makefu/ssh/ulrich.pub @@ -1 +1 @@ -AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de diff --git a/makefu/0tests/data/secrets/nsupdate-cache.nix b/makefu/0tests/data/secrets/nsupdate-cache.nix new file mode 100644 index 000000000..f5e704702 --- /dev/null +++ b/makefu/0tests/data/secrets/nsupdate-cache.nix @@ -0,0 +1 @@ +"derp" diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 3d2cbac6f..a1691da3a 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -4,13 +4,14 @@ with import <stockholm/lib>; let external-ip = config.krebs.build.host.nets.internet.ip4.addr; ext-if = config.makefu.server.primary-itf; + allDisks = [ "/dev/sda" "/dev/sdb" ]; in { imports = [ <stockholm/makefu> ./hardware-config.nix { users.users.lass = { - uid = 9002; + uid = 19002; isNormalUser = true; createHome = true; useDefaultShell = true; @@ -21,7 +22,7 @@ in { }; } <stockholm/makefu/2configs/headless.nix> - # <stockholm/makefu/2configs/smart-monitor.nix> + <stockholm/makefu/2configs/smart-monitor.nix> # Security <stockholm/makefu/2configs/sshd-totp.nix> @@ -93,13 +94,15 @@ in { <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix> <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix> <stockholm/makefu/2configs/nginx/iso.euer.nix> + <stockholm/krebs/2configs/cache.nsupdate.info.nix> <stockholm/makefu/2configs/shack/events-publisher> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix> - <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> + <stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix> + <stockholm/makefu/2configs/bgt/hidden_service.nix> <stockholm/makefu/2configs/stats/client.nix> # <stockholm/makefu/2configs/logging/client.nix> @@ -132,7 +135,7 @@ in { ListenAddress = ${external-ip} 21031 ''; connectTo = [ - "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" + "prism" "ni" "enklave" "eve" "archprism" ]; }; @@ -189,6 +192,7 @@ in { nameservers = [ "8.8.8.8" ]; }; users.users.makefu.extraGroups = [ "download" "nginx" ]; + services.smartd.devices = builtins.map (x: { device = x; }) allDisks; boot.tmpOnTmpfs = true; state = [ "/home/makefu/.weechat" ]; } diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix index bfe29b46c..e9670a5a4 100644 --- a/makefu/1systems/gum/hardware-config.nix +++ b/makefu/1systems/gum/hardware-config.nix @@ -46,7 +46,7 @@ in { "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" "xhci_pci" "ehci_pci" "ahci" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ]; hardware.enableRedistributableFirmware = true; fileSystems."/" = { device = "/dev/mapper/nixos-root"; @@ -56,10 +56,19 @@ in { device = "/dev/mapper/nixos-lib"; fsType = "ext4"; }; + fileSystems."/var/log" = { + device = "/dev/mapper/nixos-log"; + fsType = "ext4"; + }; fileSystems."/var/download" = { device = "/dev/mapper/nixos-download"; fsType = "ext4"; }; + fileSystems."/var/www/binaergewitter" = { + device = "/dev/mapper/nixos-binaergewitter"; + fsType = "ext4"; + options = [ "nofail" ]; + }; fileSystems."/var/lib/borgbackup" = { device = "/dev/mapper/nixos-backup"; fsType = "ext4"; diff --git a/makefu/1systems/gum/rescue.txt b/makefu/1systems/gum/rescue.txt index 30276b7db..0a3ed96ee 100644 --- a/makefu/1systems/gum/rescue.txt +++ b/makefu/1systems/gum/rescue.txt @@ -1,10 +1,14 @@ +ssh gum.i -o StrictHostKeyChecking=no + mount /dev/mapper/nixos-root /mnt mount /dev/sda2 /mnt/boot chroot-prepare /mnt chroot /mnt /bin/sh + journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub) +# ... activating ... export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin /nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix index 6940498f1..1e36c6e87 100644 --- a/makefu/1systems/gum/source.nix +++ b/makefu/1systems/gum/source.nix @@ -1,5 +1,5 @@ { - name="nextgum"; + name="gum"; torrent = true; clever_kexec = true; } diff --git a/makefu/2configs/bgt/auphonic.pub b/makefu/2configs/bgt/auphonic.pub new file mode 100644 index 000000000..37b8e0599 --- /dev/null +++ b/makefu/2configs/bgt/auphonic.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx diff --git a/makefu/2configs/nginx/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix index 6b5687e72..6d64848f5 100644 --- a/makefu/2configs/nginx/download.binaergewitter.de.nix +++ b/makefu/2configs/bgt/download.binaergewitter.de.nix @@ -1,12 +1,25 @@ { config, lib, pkgs, ... }: +with import <stockholm/lib>; let - ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519"; + ident = (builtins.readFile ./auphonic.pub); in { - systemd.services.mirrorsync = { - startAt = "08:00:00"; - path = with pkgs; [ rsync openssh ]; - script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter''; + services.openssh = { + allowSFTP = true; + sftpFlags = [ "-l VERBOSE" ]; + extraConfig = '' + Match User auphonic + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + PasswordAuthentication no + ''; + }; + users.users.auphonic = { + uid = genid "auphonic"; + group = "nginx"; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ]; }; services.nginx = { enable = lib.mkDefault true; diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/bgt/hidden_service.nix index c1a31b8dc..c1a31b8dc 100644 --- a/makefu/2configs/deployment/bgt/hidden_service.nix +++ b/makefu/2configs/bgt/hidden_service.nix diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix index 3897537ea..3897537ea 100644 --- a/makefu/2configs/deployment/bureautomation/default.nix +++ b/makefu/2configs/bureautomation/default.nix diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/bureautomation/hass.nix index 443484a34..443484a34 100644 --- a/makefu/2configs/deployment/bureautomation/hass.nix +++ b/makefu/2configs/bureautomation/hass.nix diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/bureautomation/mpd.nix index 1f5acb357..1f5acb357 100644 --- a/makefu/2configs/deployment/bureautomation/mpd.nix +++ b/makefu/2configs/bureautomation/mpd.nix diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/homeautomation/default.nix index 94799b11d..94799b11d 100644 --- a/makefu/2configs/deployment/homeautomation/default.nix +++ b/makefu/2configs/homeautomation/default.nix diff --git a/makefu/2configs/deployment/google-muell.nix b/makefu/2configs/homeautomation/google-muell.nix index 235cc1546..235cc1546 100644 --- a/makefu/2configs/deployment/google-muell.nix +++ b/makefu/2configs/homeautomation/google-muell.nix diff --git a/makefu/2configs/deployment/homeautomation/mqtt.nix b/makefu/2configs/homeautomation/mqtt.nix index cd1c328d7..cd1c328d7 100644 --- a/makefu/2configs/deployment/homeautomation/mqtt.nix +++ b/makefu/2configs/homeautomation/mqtt.nix diff --git a/makefu/krops.nix b/makefu/krops.nix index 6c510eba3..2a2f70a05 100644 --- a/makefu/krops.nix +++ b/makefu/krops.nix @@ -7,7 +7,6 @@ host-src = { secure = false; - full = false; torrent = false; hw = false; musnix = false; @@ -23,7 +22,11 @@ { # nixos-18.09 @ 2018-09-18 # + uhub/sqlite: 5dd7610401747 - nixpkgs = if test then { + # + hovercraft: 7134801b17d72 + nixpkgs = if host-src.arm6 then { + # TODO: we want to track the unstable channel + symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; + } else { file = { path = toString (pkgs.fetchFromGitHub { owner = "makefu"; @@ -33,14 +36,6 @@ }); useChecksum = true; }; - } else if host-src.full then { - git.ref = nixpkgs-src.rev; - git.url = nixpkgs-src.url; - } else if host-src.arm6 then { - # TODO: we want to track the unstable channel - symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; - } else { - file = "/home/makefu/store/${nixpkgs-src.rev}"; }; nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix"; diff --git a/makefu/update-channel.sh b/makefu/update-channel.sh index 59d3c434f..0899581ec 100755 --- a/makefu/update-channel.sh +++ b/makefu/update-channel.sh @@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --rev refs/heads/master' \ > $dir/nixpkgs.json newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref" +echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'" |