diff options
Diffstat (limited to 'makefu/2configs')
| -rw-r--r-- | makefu/2configs/backup.nix | 3 | ||||
| -rw-r--r-- | makefu/2configs/deployment/owncloud.nix | 145 | ||||
| -rw-r--r-- | makefu/2configs/elchos/log.nix | 6 | ||||
| -rw-r--r-- | makefu/2configs/elchos/stats.nix | 67 | ||||
| -rw-r--r-- | makefu/2configs/logging/central-stats-client.nix | 60 | ||||
| -rw-r--r-- | makefu/2configs/logging/central-stats-server.nix | 36 | ||||
| -rw-r--r-- | makefu/2configs/nginx/share-download.nix | 18 | ||||
| -rw-r--r-- | makefu/2configs/omo-share.nix | 6 | ||||
| -rw-r--r-- | makefu/2configs/openvpn/vpngate.nix | 280 | ||||
| -rw-r--r-- | makefu/2configs/torrent.nix | 4 |
10 files changed, 564 insertions, 61 deletions
diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix index 38fd93e2b..280dc1df4 100644 --- a/makefu/2configs/backup.nix +++ b/makefu/2configs/backup.nix @@ -29,6 +29,7 @@ let }; in { krebs.backup.plans = { - wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/"; + wry-to-omo_root = defaultPull config.krebs.hosts.wry "/"; + gum-to-omo_root = defaultPull config.krebs.hosts.gum "/"; }; } diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix new file mode 100644 index 000000000..d692ef72d --- /dev/null +++ b/makefu/2configs/deployment/owncloud.nix @@ -0,0 +1,145 @@ +{ lib, pkgs, config, ... }: +with lib; + +let + # TODO: copy-paste from lass/2/websites/util.nix + serveCloud = domains: + let + domain = head domains; + root = "/var/www/${domain}/"; + socket = "/var/run/${domain}-phpfpm.sock"; + in { + system.activationScripts."prepare-nextcloud-${domain}" = '' + if test ! -e ${root} ;then + echo "copying latest ${pkgs.owncloud.name} release to ${root}" + mkdir -p $(dirname "${root}") + cp -r ${pkgs.owncloud} "${root}" + chown -R nginx:nginx "${root}" + chmod 770 "${root}" + fi + ''; + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + enableSSL = true; + serverAliases = domains; + extraConfig = '' + + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + + # Path to the root of your installation + root ${root}; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + fastcgi_read_timeout 120; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; + locations."/robots.txt".extraConfig = '' + allow all; + log_not_found off; + access_log off; + ''; + locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = '' + deny all; + ''; + + locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = '' + deny all; + ''; + + locations."/".extraConfig = '' + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ =404; + ''; + + locations."~ \.php(?:$|/)".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:${socket}; + fastcgi_intercept_errors on; + ''; + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) block + locations."~* \.(?:css|js)$".extraConfig = '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + ''; + # Optional: Don't log access to other assets + locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = '' + access_log off; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = ${socket} + user = nginx + group = nginx + pm = dynamic + pm.max_children = 32 + pm.max_requests = 500 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 5 + listen.owner = nginx + listen.group = nginx + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + env[PATH] = ${lib.makeBinPath [ pkgs.php ]} + catch_workers_output = yes + ''; + }; +in { + imports = [ + ( serveCloud [ "o.euer.krebsco.de" ] ) + ]; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + rootPassword = config.krebs.secret.files.mysql_rootPassword.path; + }; + + krebs.secret.files.mysql_rootPassword = { + path = "${config.services.mysql.dataDir}/mysql_rootPassword"; + owner.name = "root"; + source-path = toString <secrets> + "/mysql_rootPassword"; + }; +} diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix index 3facd1ceb..34bd2494d 100644 --- a/makefu/2configs/elchos/log.nix +++ b/makefu/2configs/elchos/log.nix @@ -21,9 +21,9 @@ in { } ''; outputConfig = '' - stdout { - codec => rubydebug - } + #stdout { + # codec => rubydebug + #} elasticsearch { } ''; }; diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix index feb8c5bae..2036b391f 100644 --- a/makefu/2configs/elchos/stats.nix +++ b/makefu/2configs/elchos/stats.nix @@ -7,6 +7,11 @@ with import <stockholm/lib>; { + networking.firewall = { + allowedTCPPorts = [ 2003 80 443 18080 ]; + allowedUDPPorts = [ 2003 ]; + }; + services.nginx = { enable = mkDefault true; virtualHosts = { @@ -39,58 +44,11 @@ with import <stockholm/lib>; }; services.graphite = { - beacon = { - enable = true; - config = { - graphite_url = "http://localhost:18080"; - - no_data = "critical"; - loading_error = "normal"; - - prefix = "[elchos]"; - - cli = { - command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 alert0r \#elchos ' [elchos] ''${level} ''${name} ''${value}' ''; - }; - #smtp = { - # from = "beacon@mors.r"; - # to = [ - # "lass@mors.r" - # ]; - #}; - normal_handlers = [ - # "smtp" - "cli" - ]; - warning_handlers = [ - # "smtp" - "cli" - ]; - critical_handlers = [ - # "smtp" - "cli" - ]; - alerts = let - high-load = hostid: let - host = "elch-${toString hostid}"; in { - name = "high-cpu-load-${host}"; - query = "aliasByNode(perSecond(elchos.${host}.cpu.0.cpu.idle),1)"; - method = "average"; - interval = "1minute"; - logging = "info"; - repeat_interval = "5minute"; - rules = [ - # "warning: < 30.0" - "critical: < 1.0" - ]; - }; - in map high-load [ 1 2 3 4 5 6 7 8 ]; - }; - }; api = { enable = true; - package = pkgs.graphiteApi; - listenAddress = "127.0.0.1"; + # package = pkgs.graphiteApi; + #listenAddress = "127.0.0.1"; + listenAddress = "0.0.0.0"; port = 18080; }; carbon = { @@ -99,8 +57,11 @@ with import <stockholm/lib>; config = '' [cache] MAX_CACHE_SIZE = inf - MAX_UPDATES_PER_SECOND = 10 + MAX_UPDATES_PER_SECOND = 3 MAX_CREATES_PER_MINUTE = 5000 + LOG_UPDATES = False + LOG_CACHE_HITS = False + LOG_CACHE_QUEUE_SORTS = False ''; storageSchemas = '' [carbon] @@ -122,8 +83,4 @@ with import <stockholm/lib>; }; }; - networking.firewall = { - allowedTCPPorts = [ 2003 80 443 ]; - allowedUDPPorts = [ 2003 ]; - }; } diff --git a/makefu/2configs/logging/central-stats-client.nix b/makefu/2configs/logging/central-stats-client.nix new file mode 100644 index 000000000..dd6ddddaf --- /dev/null +++ b/makefu/2configs/logging/central-stats-client.nix @@ -0,0 +1,60 @@ +{pkgs, config, ...}: +{ + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + LoadPlugin df + Interval 30.0 + + LoadPlugin interface + <Plugin "interface"> + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + </Plugin> + + LoadPlugin df + <Plugin "df"> + MountPoint "/nix/store" + # MountPoint "/run*" + # MountPoint "/sys*" + # MountPoint "/dev" + # MountPoint "/dev/shm" + # MountPoint "/tmp" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + </Plugin> + + LoadPlugin cpu + <Plugin cpu> + ReportByCpu true + ReportByState true + ValuesPercentage true + </Plugin> + + LoadPlugin network + <Plugin "network"> + Server "${config.makefu.stats-server}" "25826" + </Plugin> + ''; + }; +} diff --git a/makefu/2configs/logging/central-stats-server.nix b/makefu/2configs/logging/central-stats-server.nix new file mode 100644 index 000000000..69e37e493 --- /dev/null +++ b/makefu/2configs/logging/central-stats-server.nix @@ -0,0 +1,36 @@ +{pkgs, config, ...}: + +with import <stockholm/lib>; +let + collectd-port = 25826; + influx-port = 8086; + grafana-port = 3000; # TODO nginx forward +in { + services.grafana.enable = true; + services.grafana.addr = "0.0.0.0"; + + services.influxdb.enable = true; + + # forward these via nginx + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":${toString influx-port}"; + admin.bind-address = ":8083"; + monitoring = { + enabled = false; + # write-interval = "24h"; + }; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = "collectd_db"; + port = collectd-port; + }]; + }; + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT + iptables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT + iptables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT + ''; +} diff --git a/makefu/2configs/nginx/share-download.nix b/makefu/2configs/nginx/share-download.nix new file mode 100644 index 000000000..65c44b294 --- /dev/null +++ b/makefu/2configs/nginx/share-download.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +{ + services.nginx = { + enable = mkDefault true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + virtualHosts."dl.euer.krebsco.de" = { + root = config.makefu.dl-dir; + extraConfig = "autoindex on;"; + forceSSL = true; + enableSSL = true; + enableACME = true; + basicAuth = import <secrets/dl.euer.krebsco.de-auth.nix>; + }; + }; +} diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix index d1a9fabd7..8a3eab98a 100644 --- a/makefu/2configs/omo-share.nix +++ b/makefu/2configs/omo-share.nix @@ -42,6 +42,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + crypt0 = { + path = "/media/crypt0"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; crypt0-rw = { path = "/media/crypt0/"; "read only" = "no"; diff --git a/makefu/2configs/openvpn/vpngate.nix b/makefu/2configs/openvpn/vpngate.nix new file mode 100644 index 000000000..bf3101b19 --- /dev/null +++ b/makefu/2configs/openvpn/vpngate.nix @@ -0,0 +1,280 @@ +{ pkgs, ... }: +{ + services.openvpn.servers.vpngate-japan = { + config = '' + dev tun + proto udp + remote vpn311786078.opengw.net 1573 + cipher AES-128-CBC + auth SHA1 + resolv-retry infinite + nobind + persist-key + persist-tun + client + verb 3 + #auth-user-pass + + <ca> + -----BEGIN CERTIFICATE----- + MIIDHDCCAgSgAwIBAgIFAIRyJXcwDQYJKoZIhvcNAQELBQAwRTEYMBYGA1UEAwwP + a3JqejV3YXE1YXliLmpwMRwwGgYDVQQKDBNlcnp6eTBxZnhwaiAxNHQzZGJnMQsw + CQYDVQQGEwJVUzAeFw0xNzAxMDMwMjE3MDNaFw0yNDA1MDEwMjE3MDNaMEUxGDAW + BgNVBAMMD2tyano1d2FxNWF5Yi5qcDEcMBoGA1UECgwTZXJ6enkwcWZ4cGogMTR0 + M2RiZzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB + AQDBRSiY0DMxjUZWRtpq892vPdk+TQ4Pgxnscfzsw3MMJBGaNhIzLvNSzUdFWJq1 + p6SpCD8pJsxQifDzM5t7KGqWUmY2vgucAaGCZtbrqijm74rJOEfyF3D8stYBkTmb + AOBkRXtxoi62M+d3xgNox1VaDXndgOqQhnj4INChWf4b8lc33I/2NmwVa2d9jh+e + Qx1OsnbYGi9EM/RfTKfGcPxtusN8IEzwo2q0s7PLxgiIbCZs3aAMZIvOdi9CkFkQ + +T9wQlC1BJwbWFXqUPR2r4ugE0iYepjhEd19KuaGqW0PYivHGM9lRU2JjfJujBeF + vaOjMExvi+Mwl78Qmm7wbH1BAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ + KoZIhvcNAQELBQADggEBABoJhTO8WHB6MEWbsTXUVYG/Ino1TQTkha/0BtJ02Mdi + AV0QLOjZM0Q5F2Tg2puRK92nDp7VLA8VUqlrvLqBh6ljMEEhEwaVkV/ZigqUmGlV + nOE8NABj1mmsJSeh8DQjNclPkkOrKC6sudk9NsU4I51kDPr3M6jCd+/vBoZ6/lVR + oOLVnHOhWVsOdw/I792j4DEpVB8U8g2LhYdAJZNoKvfc6F32TEZphFxU3yDA4Kb5 + BqC8IU3O5eL7vrkVpvHdzaO+Q6wJ148/PbWXpsxm8mI39I6sQ820mGw/PGrmBAgh + WgJ52Kr48Vq0TVmdew0mz+xzU7SnpndmhVyFk9nN3c8= + -----END CERTIFICATE----- + </ca> + + <cert> + -----BEGIN CERTIFICATE----- + MIICxjCCAa4CAQAwDQYJKoZIhvcNAQEFBQAwKTEaMBgGA1UEAxMRVlBOR2F0ZUNs + aWVudENlcnQxCzAJBgNVBAYTAkpQMB4XDTEzMDIxMTAzNDk0OVoXDTM3MDExOTAz + MTQwN1owKTEaMBgGA1UEAxMRVlBOR2F0ZUNsaWVudENlcnQxCzAJBgNVBAYTAkpQ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5h2lgQQYUjwoKYJbzVZA + 5VcIGd5otPc/qZRMt0KItCFA0s9RwReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD + 4W8GmJe8zapJnLsD39OSMRCzZJnczW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQ + CjntLIWk5OLLVkFt9/tScc1GDtci55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67 + XCKJnGB5nlQ+HsMYPV/O49Ld91ZN/2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6h + p/0yXnTB//mWutBGpdUlIbwiITbAmrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGD + ywIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQChO5hgcw/4oWfoEFLu9kBa1B//kxH8 + hQkChVNn8BRC7Y0URQitPl3DKEed9URBDdg2KOAz77bb6ENPiliD+a38UJHIRMqe + UBHhllOHIzvDhHFbaovALBQceeBzdkQxsKQESKmQmR832950UCovoyRB61UyAV7h + +mZhYPGRKXKSJI6s0Egg/Cri+Cwk4bjJfrb5hVse11yh4D9MHhwSfCOH+0z4hPUT + Fku7dGavURO5SVxMn/sL6En5D+oSeXkadHpDs+Airym2YHh15h0+jPSOoR6yiVp/ + 6zZeZkrN43kuS73KpKDFjfFPh8t4r1gOIjttkNcQqBccusnplQ7HJpsk + -----END CERTIFICATE----- + </cert> + + <key> + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA5h2lgQQYUjwoKYJbzVZA5VcIGd5otPc/qZRMt0KItCFA0s9R + wReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD4W8GmJe8zapJnLsD39OSMRCzZJnc + zW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQCjntLIWk5OLLVkFt9/tScc1GDtci + 55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67XCKJnGB5nlQ+HsMYPV/O49Ld91ZN + /2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6hp/0yXnTB//mWutBGpdUlIbwiITbA + mrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGDywIDAQABAoIBAERV7X5AvxA8uRiK + k8SIpsD0dX1pJOMIwakUVyvc4EfN0DhKRNb4rYoSiEGTLyzLpyBc/A28Dlkm5eOY + fjzXfYkGtYi/Ftxkg3O9vcrMQ4+6i+uGHaIL2rL+s4MrfO8v1xv6+Wky33EEGCou + QiwVGRFQXnRoQ62NBCFbUNLhmXwdj1akZzLU4p5R4zA3QhdxwEIatVLt0+7owLQ3 + lP8sfXhppPOXjTqMD4QkYwzPAa8/zF7acn4kryrUP7Q6PAfd0zEVqNy9ZCZ9ffho + zXedFj486IFoc5gnTp2N6jsnVj4LCGIhlVHlYGozKKFqJcQVGsHCqq1oz2zjW6LS + oRYIHgECgYEA8zZrkCwNYSXJuODJ3m/hOLVxcxgJuwXoiErWd0E42vPanjjVMhnt + KY5l8qGMJ6FhK9LYx2qCrf/E0XtUAZ2wVq3ORTyGnsMWre9tLYs55X+ZN10Tc75z + 4hacbU0hqKN1HiDmsMRY3/2NaZHoy7MKnwJJBaG48l9CCTlVwMHocIECgYEA8jby + dGjxTH+6XHWNizb5SRbZxAnyEeJeRwTMh0gGzwGPpH/sZYGzyu0SySXWCnZh3Rgq + 5uLlNxtrXrljZlyi2nQdQgsq2YrWUs0+zgU+22uQsZpSAftmhVrtvet6MjVjbByY + DADciEVUdJYIXk+qnFUJyeroLIkTj7WYKZ6RjksCgYBoCFIwRDeg42oK89RFmnOr + LymNAq4+2oMhsWlVb4ejWIWeAk9nc+GXUfrXszRhS01mUnU5r5ygUvRcarV/T3U7 + TnMZ+I7Y4DgWRIDd51znhxIBtYV5j/C/t85HjqOkH+8b6RTkbchaX3mau7fpUfds + Fq0nhIq42fhEO8srfYYwgQKBgQCyhi1N/8taRwpk+3/IDEzQwjbfdzUkWWSDk9Xs + H/pkuRHWfTMP3flWqEYgW/LW40peW2HDq5imdV8+AgZxe/XMbaji9Lgwf1RY005n + KxaZQz7yqHupWlLGF68DPHxkZVVSagDnV/sztWX6SFsCqFVnxIXifXGC4cW5Nm9g + va8q4QKBgQCEhLVeUfdwKvkZ94g/GFz731Z2hrdVhgMZaU/u6t0V95+YezPNCQZB + wmE9Mmlbq1emDeROivjCfoGhR3kZXW1pTKlLh6ZMUQUOpptdXva8XxfoqQwa3enA + M7muBbF0XN7VO80iJPv+PmIZdEIAkpwKfi201YB+BafCIuGxIF50Vg== + -----END RSA PRIVATE KEY----- + </key> + + ''; + autoStart = false; + updateResolvConf = false; + }; + services.openvpn.servers.vpngate-usa1 = { + config = '' + dev tun + proto udp + remote vpn854005480.opengw.net 1434 + cipher AES-128-CBC + auth SHA1 + resolv-retry infinite + nobind + persist-key + persist-tun + client + verb 3 + + <ca> + -----BEGIN CERTIFICATE----- + MIIDEDCCAfigAwIBAgIFFzQRkTQwDQYJKoZIhvcNAQELBQAwPzEUMBIGA1UEAwwL + MWh6NWFzMWYuanAxGjAYBgNVBAoMEXYyMjZvdmdjIHJ0YTc3NXR6MQswCQYDVQQG + EwJVUzAeFw0xNjEwMjIxODE4MjRaFw0yNDAxMTkxODE4MjRaMD8xFDASBgNVBAMM + CzFoejVhczFmLmpwMRowGAYDVQQKDBF2MjI2b3ZnYyBydGE3NzV0ejELMAkGA1UE + BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDX6yJXCpA95oPU + /vO1wD6UiJnZfDB1fjJOa8gwgK6qbLHo5Cx2gEmUzYOGTlT2Fbser2kHA3xTRxDu + L+1dufGp8zEi116I5SkLDKRQqO/8h1bWQO7MB4k6K0YlYrWJGTLCanZB3zIS3F7P + 2qCALdZ40Y1QUQlMEqzg1exeaMDdgOPXDKe1f2L06RpZKQ3ozzHlFgMKamWlLk+/ + N+Flo0s5Z2cfgUBqoBmuXVGBX4ZFxozSojcpREp+sLstdJ56vsW3KztTYTjj6y9Q + MXNadwsTI6sB/kmex3R0phFlw/ucloXQTecbqWDvJrumQHjiI1HqP95c3Z/y4PoD + lZvUb15HAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD + ggEBAJKHl41QHHuCBC8c3/0PNed3Y0+qRCnB7JB6SraYT5VRSA1dcpvmCESZE3WC + Sn7OaIBpIm6dBKFkCJgS7lEoMYzmazlfv/RpeRj8fmzcaOcoZdWHk/e1Mkzt5UAz + 2rsBxDgWmVJfmUR2gnEltvSWQKLdM/F+GB7LNckg58n4yBViCF3pp1HTq1Q59laV + QQNG8dSqy9EY8WI7oj/I60G6Gcd2dOt9+RXCCA3RZ/9zSGEi4AmDV7oRNfGEdmcy + YN2K13NlMO+Sdh4S90KVxGOXo2Q0G9HDWJ60f/I+3bxQFb+n85WAM38ZqX/9D72S + YD3YtJG14xlsO1BDPUgm1t6H8gc= + -----END CERTIFICATE----- + </ca> + + <cert> + -----BEGIN CERTIFICATE----- + MIICxjCCAa4CAQAwDQYJKoZIhvcNAQEFBQAwKTEaMBgGA1UEAxMRVlBOR2F0ZUNs + aWVudENlcnQxCzAJBgNVBAYTAkpQMB4XDTEzMDIxMTAzNDk0OVoXDTM3MDExOTAz + MTQwN1owKTEaMBgGA1UEAxMRVlBOR2F0ZUNsaWVudENlcnQxCzAJBgNVBAYTAkpQ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5h2lgQQYUjwoKYJbzVZA + 5VcIGd5otPc/qZRMt0KItCFA0s9RwReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD + 4W8GmJe8zapJnLsD39OSMRCzZJnczW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQ + CjntLIWk5OLLVkFt9/tScc1GDtci55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67 + XCKJnGB5nlQ+HsMYPV/O49Ld91ZN/2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6h + p/0yXnTB//mWutBGpdUlIbwiITbAmrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGD + ywIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQChO5hgcw/4oWfoEFLu9kBa1B//kxH8 + hQkChVNn8BRC7Y0URQitPl3DKEed9URBDdg2KOAz77bb6ENPiliD+a38UJHIRMqe + UBHhllOHIzvDhHFbaovALBQceeBzdkQxsKQESKmQmR832950UCovoyRB61UyAV7h + +mZhYPGRKXKSJI6s0Egg/Cri+Cwk4bjJfrb5hVse11yh4D9MHhwSfCOH+0z4hPUT + Fku7dGavURO5SVxMn/sL6En5D+oSeXkadHpDs+Airym2YHh15h0+jPSOoR6yiVp/ + 6zZeZkrN43kuS73KpKDFjfFPh8t4r1gOIjttkNcQqBccusnplQ7HJpsk + -----END CERTIFICATE----- + </cert> + + <key> + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA5h2lgQQYUjwoKYJbzVZA5VcIGd5otPc/qZRMt0KItCFA0s9R + wReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD4W8GmJe8zapJnLsD39OSMRCzZJnc + zW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQCjntLIWk5OLLVkFt9/tScc1GDtci + 55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67XCKJnGB5nlQ+HsMYPV/O49Ld91ZN + /2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6hp/0yXnTB//mWutBGpdUlIbwiITbA + mrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGDywIDAQABAoIBAERV7X5AvxA8uRiK + k8SIpsD0dX1pJOMIwakUVyvc4EfN0DhKRNb4rYoSiEGTLyzLpyBc/A28Dlkm5eOY + fjzXfYkGtYi/Ftxkg3O9vcrMQ4+6i+uGHaIL2rL+s4MrfO8v1xv6+Wky33EEGCou + QiwVGRFQXnRoQ62NBCFbUNLhmXwdj1akZzLU4p5R4zA3QhdxwEIatVLt0+7owLQ3 + lP8sfXhppPOXjTqMD4QkYwzPAa8/zF7acn4kryrUP7Q6PAfd0zEVqNy9ZCZ9ffho + zXedFj486IFoc5gnTp2N6jsnVj4LCGIhlVHlYGozKKFqJcQVGsHCqq1oz2zjW6LS + oRYIHgECgYEA8zZrkCwNYSXJuODJ3m/hOLVxcxgJuwXoiErWd0E42vPanjjVMhnt + KY5l8qGMJ6FhK9LYx2qCrf/E0XtUAZ2wVq3ORTyGnsMWre9tLYs55X+ZN10Tc75z + 4hacbU0hqKN1HiDmsMRY3/2NaZHoy7MKnwJJBaG48l9CCTlVwMHocIECgYEA8jby + dGjxTH+6XHWNizb5SRbZxAnyEeJeRwTMh0gGzwGPpH/sZYGzyu0SySXWCnZh3Rgq + 5uLlNxtrXrljZlyi2nQdQgsq2YrWUs0+zgU+22uQsZpSAftmhVrtvet6MjVjbByY + DADciEVUdJYIXk+qnFUJyeroLIkTj7WYKZ6RjksCgYBoCFIwRDeg42oK89RFmnOr + LymNAq4+2oMhsWlVb4ejWIWeAk9nc+GXUfrXszRhS01mUnU5r5ygUvRcarV/T3U7 + TnMZ+I7Y4DgWRIDd51znhxIBtYV5j/C/t85HjqOkH+8b6RTkbchaX3mau7fpUfds + Fq0nhIq42fhEO8srfYYwgQKBgQCyhi1N/8taRwpk+3/IDEzQwjbfdzUkWWSDk9Xs + H/pkuRHWfTMP3flWqEYgW/LW40peW2HDq5imdV8+AgZxe/XMbaji9Lgwf1RY005n + KxaZQz7yqHupWlLGF68DPHxkZVVSagDnV/sztWX6SFsCqFVnxIXifXGC4cW5Nm9g + va8q4QKBgQCEhLVeUfdwKvkZ94g/GFz731Z2hrdVhgMZaU/u6t0V95+YezPNCQZB + wmE9Mmlbq1emDeROivjCfoGhR3kZXW1pTKlLh6ZMUQUOpptdXva8XxfoqQwa3enA + M7muBbF0XN7VO80iJPv+PmIZdEIAkpwKfi201YB+BafCIuGxIF50Vg== + -----END RSA PRIVATE KEY----- + </key> + ''; + autoStart = false; + updateResolvConf = false; + }; + services.openvpn.servers.vpngate-usa2 = { + config = '' + dev tun + + proto udp + + remote vpn444417710.opengw.net 1195 + + cipher AES-128-CBC + auth SHA1 + + resolv-retry infinite + nobind + persist-key + persist-tun + client + verb 3 + #auth-user-pass + + <ca> + -----BEGIN CERTIFICATE----- + MIIDIzCCAgugAwIBAgIEMERikDANBgkqhkiG9w0BAQsFADBJMR8wHQYDVQQDDBZz + cmlnbGh6dWwxamtraDdtY2UubmV0MRkwFwYDVQQKDBBkY2c3MTQ4bnQgb3Rmdjd0 + MQswCQYDVQQGEwJVUzAeFw0xNjEyMDUyMzMzNTdaFw0yMTA4MjkyMzMzNTdaMEkx + HzAdBgNVBAMMFnNyaWdsaHp1bDFqa2toN21jZS5uZXQxGTAXBgNVBAoMEGRjZzcx + NDhudCBvdGZ2N3QxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A + MIIBCgKCAQEA8ASCMZyeVeTkRELTVJKzWFufi9LFq6N1euhOK9KNLeCn5OJXxeJ6 + FoRD2QtDHwHscEPrJ2uIVqqxvm/uuZ7aWKXVuRzCbYeQih6tUK4M/Q55iKeynPMt + vCBH28IasH33fGbw95S82nXEwWK6tR3+WdIcHFJ7RZz1QkmsWOzI/vn2pNeyZCIG + QjuFJEfiSTNorqhR29vJhWR3pRLWgorAQav7ukgAdQqKIldX0LQr4BoN5HLDe7AC + 9jO3Xs6dQieyxnF183XVigZZ+cfaD9kK1m/+4JKWNphIGi9bsGRumjJwQgrv35CA + 6+FCMXRUM7PQljjlgDhdW4VeYtX0tg46uwIDAQABoxMwETAPBgNVHRMBAf8EBTAD + AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDUjycraBUWrVvtQ4touYR1T9+msLhFc3RO + clHnyw+2PEyNdTy8ra13dUXkWqIgWnyxj8CSFJmfLCdxuQrNEQ8jF7rJNGqujVI1 + +xjao5fIt33EAwg2CFDs5DETEcwb7/lJIs1uwwiDPIZrmXyoL9My9ZZ8DKkRy4LS + 1+GZx4Y9v/G1AFKfQ4n//v8s+SYQS3JZxspEONj8M9VkKjuYonFR6eegKWo37QaY + hy9+4qTRGbviET1si+fZ0LVweyfG3t0Fg8BJn+1YP9kpLJdjOtzKCFbdIrjY3XSS + 3ehfN8C5mGWk0pQMWJs+xYIfB0OvDRgehICw0PIvps8Sv8gu4Bve + -----END CERTIFICATE----- + + </ca> + + <cert> + -----BEGIN CERTIFICATE----- + MIICxjCCAa4CAQAwDQYJKoZIhvcNAQEFBQAwKTEaMBgGA1UEAxMRVlBOR2F0ZUNs + aWVudENlcnQxCzAJBgNVBAYTAkpQMB4XDTEzMDIxMTAzNDk0OVoXDTM3MDExOTAz + MTQwN1owKTEaMBgGA1UEAxMRVlBOR2F0ZUNsaWVudENlcnQxCzAJBgNVBAYTAkpQ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5h2lgQQYUjwoKYJbzVZA + 5VcIGd5otPc/qZRMt0KItCFA0s9RwReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD + 4W8GmJe8zapJnLsD39OSMRCzZJnczW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQ + CjntLIWk5OLLVkFt9/tScc1GDtci55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67 + XCKJnGB5nlQ+HsMYPV/O49Ld91ZN/2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6h + p/0yXnTB//mWutBGpdUlIbwiITbAmrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGD + ywIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQChO5hgcw/4oWfoEFLu9kBa1B//kxH8 + hQkChVNn8BRC7Y0URQitPl3DKEed9URBDdg2KOAz77bb6ENPiliD+a38UJHIRMqe + UBHhllOHIzvDhHFbaovALBQceeBzdkQxsKQESKmQmR832950UCovoyRB61UyAV7h + +mZhYPGRKXKSJI6s0Egg/Cri+Cwk4bjJfrb5hVse11yh4D9MHhwSfCOH+0z4hPUT + Fku7dGavURO5SVxMn/sL6En5D+oSeXkadHpDs+Airym2YHh15h0+jPSOoR6yiVp/ + 6zZeZkrN43kuS73KpKDFjfFPh8t4r1gOIjttkNcQqBccusnplQ7HJpsk + -----END CERTIFICATE----- + + </cert> + + <key> + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA5h2lgQQYUjwoKYJbzVZA5VcIGd5otPc/qZRMt0KItCFA0s9R + wReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD4W8GmJe8zapJnLsD39OSMRCzZJnc + zW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQCjntLIWk5OLLVkFt9/tScc1GDtci + 55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67XCKJnGB5nlQ+HsMYPV/O49Ld91ZN + /2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6hp/0yXnTB//mWutBGpdUlIbwiITbA + mrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGDywIDAQABAoIBAERV7X5AvxA8uRiK + k8SIpsD0dX1pJOMIwakUVyvc4EfN0DhKRNb4rYoSiEGTLyzLpyBc/A28Dlkm5eOY + fjzXfYkGtYi/Ftxkg3O9vcrMQ4+6i+uGHaIL2rL+s4MrfO8v1xv6+Wky33EEGCou + QiwVGRFQXnRoQ62NBCFbUNLhmXwdj1akZzLU4p5R4zA3QhdxwEIatVLt0+7owLQ3 + lP8sfXhppPOXjTqMD4QkYwzPAa8/zF7acn4kryrUP7Q6PAfd0zEVqNy9ZCZ9ffho + zXedFj486IFoc5gnTp2N6jsnVj4LCGIhlVHlYGozKKFqJcQVGsHCqq1oz2zjW6LS + oRYIHgECgYEA8zZrkCwNYSXJuODJ3m/hOLVxcxgJuwXoiErWd0E42vPanjjVMhnt + KY5l8qGMJ6FhK9LYx2qCrf/E0XtUAZ2wVq3ORTyGnsMWre9tLYs55X+ZN10Tc75z + 4hacbU0hqKN1HiDmsMRY3/2NaZHoy7MKnwJJBaG48l9CCTlVwMHocIECgYEA8jby + dGjxTH+6XHWNizb5SRbZxAnyEeJeRwTMh0gGzwGPpH/sZYGzyu0SySXWCnZh3Rgq + 5uLlNxtrXrljZlyi2nQdQgsq2YrWUs0+zgU+22uQsZpSAftmhVrtvet6MjVjbByY + DADciEVUdJYIXk+qnFUJyeroLIkTj7WYKZ6RjksCgYBoCFIwRDeg42oK89RFmnOr + LymNAq4+2oMhsWlVb4ejWIWeAk9nc+GXUfrXszRhS01mUnU5r5ygUvRcarV/T3U7 + TnMZ+I7Y4DgWRIDd51znhxIBtYV5j/C/t85HjqOkH+8b6RTkbchaX3mau7fpUfds + Fq0nhIq42fhEO8srfYYwgQKBgQCyhi1N/8taRwpk+3/IDEzQwjbfdzUkWWSDk9Xs + H/pkuRHWfTMP3flWqEYgW/LW40peW2HDq5imdV8+AgZxe/XMbaji9Lgwf1RY005n + KxaZQz7yqHupWlLGF68DPHxkZVVSagDnV/sztWX6SFsCqFVnxIXifXGC4cW5Nm9g + va8q4QKBgQCEhLVeUfdwKvkZ94g/GFz731Z2hrdVhgMZaU/u6t0V95+YezPNCQZB + wmE9Mmlbq1emDeROivjCfoGhR3kZXW1pTKlLh6ZMUQUOpptdXva8XxfoqQwa3enA + M7muBbF0XN7VO80iJPv+PmIZdEIAkpwKfi201YB+BafCIuGxIF50Vg== + -----END RSA PRIVATE KEY----- + + </key> + ''; + autoStart = false; + updateResolvConf = false; + }; +} diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix index f3bc9091b..69d40094f 100644 --- a/makefu/2configs/torrent.nix +++ b/makefu/2configs/torrent.nix @@ -8,13 +8,13 @@ let peer-port = 51412; web-port = 8112; daemon-port = 58846; - dl-dir = "/var/download"; + dl-dir = config.makefu.dl-dir; in { # prepare secrets krebs.build.source.torrent-secrets.file = if getEnv "dummy_secrets" == "true" then toString <stockholm/makefu/6tests/data/secrets> - else "/home/makefu/secrets/torrent"; + else config.makefu.torrent-secrets ; users.users = { download = { |