diff options
Diffstat (limited to 'lass')
| -rw-r--r-- | lass/1systems/shodan.nix | 8 | ||||
| -rw-r--r-- | lass/2configs/hfos.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/websites/domsen.nix | 40 | ||||
| -rw-r--r-- | lass/3modules/default.nix | 2 | ||||
| -rw-r--r-- | lass/3modules/kapacitor.nix | 101 | ||||
| -rw-r--r-- | lass/3modules/telegraf.nix | 67 |
6 files changed, 182 insertions, 38 deletions
diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index 095898380..232e91d90 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -59,17 +59,13 @@ with import <stockholm/lib>; fileSystems = { "/" = { device = "/dev/pool/nix"; - fsType = "ext4"; + fsType = "btrfs"; }; "/boot" = { device = "/dev/sda1"; }; - "/home/lass" = { - device = "/dev/pool/home-lass"; - fsType = "ext4"; - }; "/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -77,7 +73,7 @@ with import <stockholm/lib>; }; "/bku" = { device = "/dev/pool/bku"; - fsType = "ext4"; + fsType = "btrfs"; }; }; diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index f6f09e226..fc211dc92 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -21,12 +21,14 @@ with import <stockholm/lib>; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } + { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; krebs.iptables.tables.filter.FORWARD.rules = [ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } ]; diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 2bbfe7333..01699001e 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -7,7 +7,6 @@ let genid_signed ; inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) - ssl servePage serveOwncloud serveWordpress; @@ -25,47 +24,16 @@ let in { imports = [ ./sqlBackup.nix - (ssl [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (ssl [ "karlaskop.de" "www.karlaskop.de" ]) (servePage [ "karlaskop.de" "www.karlaskop.de" ]) - (ssl [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ]) (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ]) - (ssl [ "pixelpocket.de" ]) (servePage [ "pixelpocket.de" ]) - (ssl [ "o.ubikmedia.de" ]) (serveOwncloud [ "o.ubikmedia.de" ]) - (ssl [ - "ubikmedia.de" - "aldona.ubikmedia.de" - "apanowicz.de" - "nirwanabluete.de" - "aldonasiech.com" - "360gradvideo.tv" - "ubikmedia.eu" - "facts.cloud" - "youthtube.xyz" - "illucloud.eu" - "illucloud.de" - "illucloud.com" - "www.ubikmedia.de" - "www.aldona.ubikmedia.de" - "www.apanowicz.de" - "www.nirwanabluete.de" - "www.aldonasiech.com" - "www.360gradvideo.tv" - "www.ubikmedia.eu" - "www.facts.cloud" - "www.youthtube.xyz" - "www.illucloud.eu" - "www.illucloud.de" - "www.illucloud.com" - ]) (serveWordpress [ "ubikmedia.de" "apanowicz.de" @@ -88,6 +56,14 @@ in { "www.illucloud.eu" "www.illucloud.de" "www.illucloud.com" + "apanowicz.ubikmedia.de" + "karlaskop.ubikmedia.de" + "nb.ubikmedia.de" + "cinevita.ubikmedia.de" + "factscloud.ubikmedia.de" + "youthtube.ubikmedia.de" + "aldona2.ubikmedia.de" + "illucloud.ubikmedia.de" ]) ]; diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index b169fea40..2bf2df8b3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -9,5 +9,7 @@ _: ./urxvtd.nix ./usershadow.nix ./xresources.nix + ./kapacitor.nix + ./telegraf.nix ]; } diff --git a/lass/3modules/kapacitor.nix b/lass/3modules/kapacitor.nix new file mode 100644 index 000000000..023801987 --- /dev/null +++ b/lass/3modules/kapacitor.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; + +let + cfg = config.lass.kapacitor; + + out = { + options.lass.kapacitor = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "kapacitor"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/kapacitor"; + }; + user = mkOption { + type = types.str; + default = "kapacitor"; + }; + config = mkOption { + type = types.str; + #TODO: find a good default + default = '' + hostname = "localhost" + data_dir = "/home/lass/.kapacitor" + + [http] + bind-address = ":9092" + auth-enabled = false + log-enabled = true + write-tracing = false + pprof-enabled = false + https-enabled = false + https-certificate = "/etc/ssl/kapacitor.pem" + shutdown-timeout = "10s" + shared-secret = "" + + [replay] + dir = "${cfg.dataDir}/replay" + + [storage] + boltdb = "${cfg.dataDir}/kapacitor.db" + + [task] + dir = "${cfg.dataDir}/tasks" + snapshot-interval = "1m0s" + + [[influxdb]] + enabled = true + name = "default" + default = false + urls = ["http://localhost:8086"] + username = "" + password = "" + ssl-ca = "" + ssl-cert = "" + ssl-key = "" + insecure-skip-verify = false + timeout = "0s" + disable-subscriptions = false + subscription-protocol = "http" + udp-bind = "" + udp-buffer = 1000 + udp-read-buffer = 0 + startup-timeout = "5m0s" + subscriptions-sync-interval = "1m0s" + [influxdb.subscriptions] + [influxdb.excluded-subscriptions] + _kapacitor = ["autogen"] + + [logging] + file = "STDERR" + level = "INFO" + ''; + description = "configuration kapacitor is started with"; + }; + }; + + configFile = pkgs.writeText "kapacitor.conf" cfg.config; + + imp = { + + systemd.services.kapacitor = { + description = "kapacitor"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = true; + + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}"; + }; + }; + }; + +in out diff --git a/lass/3modules/telegraf.nix b/lass/3modules/telegraf.nix new file mode 100644 index 000000000..64b323460 --- /dev/null +++ b/lass/3modules/telegraf.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; + +let + cfg = config.lass.telegraf; + + out = { + options.lass.telegraf = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "telegraf"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/telegraf"; + }; + user = mkOption { + type = types.str; + default = "telegraf"; + }; + config = mkOption { + type = types.str; + #TODO: find a good default + default = '' + [agent] + interval = "1s" + + [outputs] + + # Configuration to send data to InfluxDB. + [outputs.influxdb] + urls = ["http://localhost:8086"] + database = "kapacitor_example" + user_agent = "telegraf" + + # Collect metrics about cpu usage + [cpu] + percpu = false + totalcpu = true + drop = ["cpu_time"] + ''; + description = "configuration telegraf is started with"; + }; + }; + + configFile = pkgs.writeText "telegraf.conf" cfg.config; + + imp = { + + systemd.services.telegraf = { + description = "telegraf"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = true; + + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.telegraf}/bin/telegraf -config ${configFile}"; + }; + }; + }; + +in out |