summaryrefslogtreecommitdiffstats
path: root/makefu
diff options
context:
space:
mode:
Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/fileleech.nix111
-rw-r--r--makefu/1systems/gum.nix10
-rw-r--r--makefu/1systems/omo.nix11
-rw-r--r--makefu/1systems/shoney.nix11
-rw-r--r--makefu/1systems/wry.nix29
-rw-r--r--makefu/2configs/bepasty-dual.nix39
-rw-r--r--makefu/2configs/default.nix2
-rw-r--r--makefu/2configs/deployment/mycube.connector.one.nix15
-rw-r--r--makefu/2configs/disable_v6.nix1
-rw-r--r--makefu/2configs/elchos/irc-token.nix62
-rw-r--r--makefu/2configs/elchos/log.nix56
-rw-r--r--makefu/2configs/elchos/search.nix143
-rw-r--r--makefu/2configs/elchos/stats.nix86
-rw-r--r--makefu/2configs/elchos/test/ftpservers.nix7
-rw-r--r--makefu/2configs/main-laptop.nix12
-rw-r--r--makefu/2configs/nginx/euer.blog.nix29
-rw-r--r--makefu/2configs/nginx/euer.test.nix14
-rw-r--r--makefu/2configs/nginx/euer.wiki.nix84
-rw-r--r--makefu/2configs/nginx/icecult.nix20
-rw-r--r--makefu/2configs/nginx/public_html.nix17
-rw-r--r--makefu/2configs/nginx/update.connector.one.nix30
-rw-r--r--makefu/2configs/omo-share.nix38
-rw-r--r--makefu/2configs/torrent.nix7
-rw-r--r--makefu/3modules/default.nix1
-rw-r--r--makefu/3modules/server-config.nix10
-rw-r--r--makefu/6tests/data/secrets/auth.nix3
-rw-r--r--makefu/6tests/data/secrets/authfile1
27 files changed, 449 insertions, 400 deletions
diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
new file mode 100644
index 000000000..1eac141dc
--- /dev/null
+++ b/makefu/1systems/fileleech.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, lib, ... }:
+let
+ toMapper = id: "/media/crypt${builtins.toString id}";
+ byid = dev: "/dev/disk/by-id/" + dev;
+ keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0";
+ rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
+ rootPartition = rootDisk + "-part3";
+
+ dataDisks = let
+ idpart = dev: byid dev + "-part1";
+ in [
+ { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
+ { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
+ { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
+ { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
+ { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
+ { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
+ { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
+ { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
+ ];
+
+ disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks;
+in {
+ imports = [
+ ../.
+ ../2configs/tinc/retiolum.nix
+ ../2configs/disable_v6.nix
+ ../2configs/torrent.nix
+ ../2configs/fs/sda-crypto-root.nix
+
+ ../2configs/elchos/irc-token.nix
+ ../2configs/elchos/log.nix
+ ../2configs/elchos/search.nix
+ ../2configs/elchos/stats.nix
+
+ ];
+ makefu.server.primary-itf = "enp8s0f0";
+ krebs = {
+ enable = true;
+ build.host = config.krebs.hosts.fileleech;
+ };
+ # git clone https://github.com/makefu/docker-pyload
+ # docker build .
+ # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload
+
+ virtualisation.docker.enable = true; # for pyload
+ networking.firewall.allowedTCPPorts = [
+ 51412 # torrent
+ 8112 # rutorrent-web
+ 8113 # pyload
+ 8080 # sabnzbd
+ 9090 # sabnzbd-ssl
+ 655 # tinc
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 655 # tinc
+ 51412 # torrent
+ ];
+
+ services.sabnzbd.enable = true;
+ systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+ boot.initrd.luks = {
+ devices = let
+ usbkey = name: device: {
+ inherit name device keyFile;
+ keyFileSize = 4096;
+ allowDiscards = true;
+ };
+ in builtins.map (x: usbkey x.name x.device) disks;
+ };
+ environment.systemPackages = with pkgs;[ mergerfs ];
+
+ fileSystems = let
+ cryptMount = name:
+ { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+ in cryptMount "crypt0"
+ // cryptMount "crypt1"
+ // cryptMount "crypt2"
+ // cryptMount "crypt3"
+ // cryptMount "crypt4"
+ // cryptMount "crypt5"
+ // cryptMount "crypt6"
+ // cryptMount "crypt7"
+
+ # this entry sometimes creates issues
+ // { "/media/cryptX" = {
+ device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]);
+ fsType = "mergerfs";
+ noCheck = true;
+ options = [ "defaults" "nofail" "allow_other" "nonempty" ]; };
+ }
+
+ ;
+ makefu.snapraid = {
+ enable = true;
+ disks = map toMapper [ 0 1 2 3 4 5 6 ];
+ parity = toMapper 7;
+ };
+
+ boot.loader.grub.device = rootDisk;
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html
+ boot.extraModprobeConfig = ''
+ options ixgbe allow_unsupported_sfp=1
+ '';
+}
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index e8a368fa2..e7761a642 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -15,6 +15,7 @@ in {
../2configs/git/cgit-retiolum.nix
# ../2configs/mattermost-docker.nix
../2configs/nginx/euer.test.nix
+ ../2configs/nginx/public_html.nix
../2configs/nginx/update.connector.one.nix
../2configs/deployment/mycube.connector.one.nix
@@ -31,7 +32,9 @@ in {
];
services.smartd.devices = [ { device = "/dev/sda";} ];
+
###### stable
+ services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum;
krebs.tinc.retiolum = {
extraConfig = ''
@@ -48,10 +51,6 @@ in {
makefu.taskserver.enable = true;
- krebs.nginx.servers.cgit = {
- server-names = [ "cgit.euer.krebsco.de" ];
- listen = [ "${external-ip}:80" "${internal-ip}:80" ];
- };
# access
users.users = {
@@ -76,9 +75,8 @@ in {
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0"
'';
- boot.kernelParams = [ "ipv6.disable=1" ];
+ boot.kernelParams = [ ];
networking = {
- enableIPv6 = false;
firewall = {
allowPing = true;
logRefusedConnections = false;
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 4fbbd653d..609d52134 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -48,12 +48,16 @@ in {
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
- ../2configs/disable_v6.nix
+ # ../2configs/disable_v6.nix
#../2configs/graphite-standalone.nix
#../2configs/share-user-sftp.nix
../2configs/omo-share.nix
../2configs/tinc/retiolum.nix
- ../2configs/torrent.nix
+ # ../2configs/torrent.nix
+
+ # ../2configs/elchos/search.nix
+ # ../2configs/elchos/log.nix
+ # ../2configs/elchos/irc-token.nix
## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
@@ -121,7 +125,8 @@ in {
// { "/media/cryptX" = {
device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
fsType = "mergerfs";
- options = [ "defaults" "allow_other" ];
+ noCheck = true;
+ options = [ "defaults" "allow_other" "nofail" "nonempty" ];
};
};
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 1c5d2352e..96aeb2856 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -21,7 +21,6 @@ in {
krebs = {
enable = true;
build.host = config.krebs.hosts.shoney;
- nginx.enable = true;
tinc_graphs = {
enable = true;
network = "siem";
@@ -29,9 +28,15 @@ in {
nginx = {
enable = true;
# TODO: remove hard-coded hostname
+ anonymous-domain = "localhost.localdomain";
+ anonymous.extraConfig = "return 403;";
complete = {
- listen = [ "${tinc-siem-ip}:80" ];
- server-names = [ "graphs.siem" ];
+ serverAliases = [ "graphs.siem" ];
+ extraConfig = ''
+ if ( $server_addr = "${ip}" ) {
+ return 403;
+ }
+ '';
};
};
};
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 17e81f793..6290ff6e9 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -21,9 +21,7 @@ in {
# other nginx
../2configs/nginx/euer.wiki.nix
../2configs/nginx/euer.blog.nix
- ../2configs/nginx/euer.test.nix
-
- #../2configs/elchos/stats.nix
+ # ../2configs/nginx/euer.test.nix
# collectd
# ../2configs/collectd/collectd-base.nix
@@ -47,26 +45,31 @@ in {
random-emoji ];
};
- # bepasty to listen only on the correct interfaces
- krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ];
- krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
-
# prepare graphs
- krebs.nginx.enable = true;
+ services.nginx.enable = true;
krebs.retiolum-bootstrap.enable = true;
-
+ krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+ if ( $server_addr = "${external-ip}" ) {
+ return 403;
+ }
+ '';
krebs.tinc_graphs = {
enable = true;
nginx = {
enable = true;
# TODO: remove hard-coded hostname
complete = {
- listen = [ "${internal-ip}:80" ];
- server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
+ extraConfig = ''
+ if ( $server_addr = "${external-ip}" ) {
+ return 403;
+ }
+ '';
+ serverAliases = [ "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];
};
anonymous = {
- listen = [ "${external-ip}:80" ] ;
- server-names = [ "graphs.krebsco.de" ];
+ enableSSL = true;
+ forceSSL = true;
+ enableACME = true;
};
};
};
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index a6be04876..936aaf004 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -20,54 +20,29 @@ let
ext-dom = "paste.krebsco.de" ;
in {
- krebs.nginx.enable = mkDefault true;
+ services.nginx.enable = mkDefault true;
krebs.bepasty = {
enable = true;
serveNginx= true;
servers = {
- internal = {
+ "paste.r" = {
nginx = {
- server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
+ serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey;
};
- external = {
+ "${ext-dom}" = {
nginx = {
- server-names = [ ext-dom ];
- ssl = {
- enable = true;
- certificate = "${acmepath}/${ext-dom}/fullchain.pem";
- certificate_key = "${acmepath}/${ext-dom}/key.pem";
- # these certs will be needed if acme has not yet created certificates:
- #certificate = "${sec}/wildcard.krebsco.de.crt";
- #certificate_key = "${sec}/wildcard.krebsco.de.key";
- ciphers = "RC4:HIGH:!aNULL:!MD5" ;
- force_encryption = true;
- };
- locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
- root ${acmechall}/${ext-dom}/;
- '');
- extraConfig = ''
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_verify_client off;
- proxy_ssl_session_reuse off;
- '';
+ enableSSL = true;
+ forceSSL = true;
+ enableACME = true;
};
defaultPermissions = "read";
secretKey = secKey;
};
};
};
- security.acme.certs."${ext-dom}" = {
- email = "acme@syntax-fehler.de";
- webroot = "${acmechall}/${ext-dom}/";
- group = "nginx";
- allowKeysForGroup = true;
- postRun = "systemctl reload nginx.service";
- extraDomains."${ext-dom}" = null ;
- };
}
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 9a2adbc3e..9e3f3eb61 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -22,7 +22,7 @@ with import <stockholm/lib>;
user = config.krebs.users.makefu;
source = let
inherit (config.krebs.build) host user;
- ref = "f52eaf4"; # stable @ 2016-12-12
+ ref = "ee13b9af"; # stable @ 2016-12-12
in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
{
diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix
index 091b7f21b..379176f78 100644
--- a/makefu/2configs/deployment/mycube.connector.one.nix
+++ b/makefu/2configs/deployment/mycube.connector.one.nix
@@ -27,23 +27,18 @@ in {
};
};
- krebs.nginx = {
+ services.nginx = {
enable = mkDefault true;
- servers = {
- mybox-connector-one = {
- listen = [ "${external-ip}:80" ];
- server-names = [
- "mycube.connector.one"
- "mybox.connector.one"
- ];
- locations = singleton (nameValuePair "/" ''
+ virtualHosts."mybox.connector.one" = {
+ locations = {
+ "/".extraConfig = ''
uwsgi_pass unix://${wsgi-sock};
uwsgi_param UWSGI_CHDIR ${pkgs.mycube-flask}/${pkgs.python.sitePackages};
uwsgi_param UWSGI_MODULE mycube.websrv;
uwsgi_param UWSGI_CALLABLE app;
include ${pkgs.nginx}/conf/uwsgi_params;
- '');
+ '';
};
};
};
diff --git a/makefu/2configs/disable_v6.nix b/makefu/2configs/disable_v6.nix
index 37db172ef..0a8c8d53d 100644
--- a/makefu/2configs/disable_v6.nix
+++ b/makefu/2configs/disable_v6.nix
@@ -1,4 +1,3 @@
{
networking.enableIPv6 = false;
- boot.kernelParams = [ "ipv6.disable=1" ];
}
diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix
new file mode 100644
index 000000000..3f3c4ffc3
--- /dev/null
+++ b/makefu/2configs/elchos/irc-token.nix
@@ -0,0 +1,62 @@
+{pkgs, ...}:
+with import <stockholm/lib>;
+let
+ secret = (import <secrets/elchos-token.nix>);
+in {
+ systemd.services.elchos-irctoken = {
+ startAt = "*:0/30";
+ serviceConfig = {
+ RuntimeMaxSec = "20";
+ };
+ script = ''
+ set -euf
+ now=$(date -u +%Y-%m-%dT%H:%M)
+ sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1)
+ message="The secret valid for 30 minutes is $sec"
+ echo "token for $now (UTC) is $sec"
+ LOGNAME=sec-announcer
+ HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static)
+ IRC_SERVER=irc.freenode.net
+ IRC_PORT=6667
+ IRC_NICK=$HOSTNAME-$$
+ IRC_CHANNEL='#eloop'
+
+ export IRC_CHANNEL # for privmsg_cat
+
+ echo2() { echo "$*"; echo "$*" >&2; }
+
+ privmsg_cat() { ${pkgs.gawk}/bin/awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
+
+ tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+ cd "$tmpdir"
+ mkfifo ircin
+ trap "
+ rm ircin
+ cd '$OLDPWD'
+ rmdir '$tmpdir'
+ trap - EXIT INT QUIT
+ " EXIT INT QUIT
+
+ {
+ echo2 "USER $LOGNAME 0 * :$LOGNAME@$HOSTNAME"
+ echo2 "NICK $IRC_NICK"
+
+ # wait for MODE message
+ ${pkgs.gnused}/bin/sed -un '/^:[^ ]* MODE /q'
+
+ echo2 "JOIN $IRC_CHANNEL"
+
+ printf '%s' "$message" \
+ | privmsg_cat
+
+ echo2 "PART $IRC_CHANNEL"
+
+ # wait for PART confirmation
+ sed -un '/:'"$IRC_NICK"'![^ ]* PART /q'
+
+ echo2 'QUIT :Gone to have lunch'
+ } < ircin \
+ | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
+ '';
+ };
+}
diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix
new file mode 100644
index 000000000..3facd1ceb
--- /dev/null
+++ b/makefu/2configs/elchos/log.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+in {
+ networking.firewall.allowedTCPPorts = [ 80 443 514 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 514 ];
+ services.logstash = {
+ enable = true;
+ enableWeb = true;
+ inputConfig = ''
+ syslog {
+ timezone => "Etc/UTC"
+ }
+ '';
+ filterConfig = ''
+ if ( [program] == "proftpd") {
+ kv {
+ field_split => " "
+ }
+ }
+ '';
+ outputConfig = ''
+ stdout {
+ codec => rubydebug
+ }
+ elasticsearch { }
+ '';
+ };
+ services.elasticsearch = {
+ enable = true;
+ };
+ services.kibana = {
+ enable = true;
+ port = 9332;
+ };
+ services.nginx = {
+ virtualHosts = {
+ "log.nsupdate.info" = {
+ enableACME = true;
+ forceSSL = true;
+ basicAuth = import <secrets/kibana-auth.nix>;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:9332";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix
index 5adaa0c6f..5777be373 100644
--- a/makefu/2configs/elchos/search.nix
+++ b/makefu/2configs/elchos/search.nix
@@ -1,11 +1,12 @@
{ config, lib, pkgs, ... }:
-# graphite-web on port 8080
-# carbon cache on port 2003 (tcp/udp)
+# search also generates ddclient entries for all other logs
+
with import <stockholm/lib>;
let
#primary-itf = "eth0";
- primary-itf = "wlp2s0";
+ #primary-itf = "wlp2s0";
+ primary-itf = config.makefu.server.primary-itf;
elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock";
ddclientUser = "ddclient";
sec = toString <secrets>;
@@ -14,15 +15,7 @@ let
cfg = "${stateDir}/cfg";
ddclientPIDFile = "${stateDir}/ddclient.pid";
- acmepath = "/var/lib/acme/";
- acmechall = acmepath + "/challenges/";
# TODO: correct cert generation requires a `real` internet ip address
- stats-dom = "stats.nsupdate.info";
- search-dom = "search.nsupdate.info";
- search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem";
- search_ssl_key = "${acmepath}/${search-dom}/key.pem";
- stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem";
- stats_ssl_key = "${acmepath}/${stats-dom}/key.pem";
gen-cfg = dict: ''
ssl=yes
@@ -64,75 +57,22 @@ in {
};
};
- security.acme.certs = {
- "${stats-dom}" = {
- email = "acme@syntax-fehler.de";
- webroot = "${acmechall}/${stats-dom}/";
- group = "nginx";
- allowKeysForGroup = true;
- postRun = "systemctl reload nginx.service";
- extraDomains = {
- "${stats-dom}" = null ;
- };
- };
- "${search-dom}" = {
- email = "acme@syntax-fehler.de";
- webroot = "${acmechall}/${search-dom}/";
- group = "nginx";
- allowKeysForGroup = true;
- postRun = "systemctl reload nginx.service";
- extraDomains = {
- "${stats-dom}" = null ;
- };
- };
- };
-
- krebs.nginx = {
+ services.nginx = {
enable = mkDefault true;
- servers = {
- elch-stats = {
- server-names = [ stats-dom ];
- # listen = [ "80" "443 ssl" ];
- ssl = {
- enable = true;
- certificate = stats_ssl_cert;
- certificate_key = stats_ssl_key;
- force_encryption = true;
+ virtualHosts = {
+ "search.nsupdate.info" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".extraConfig = ''
+ uwsgi_pass unix://${elch-sock};
+ uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages};
+ uwsgi_param UWSGI_MODULE elchhub.wsgi;
+ uwsgi_param UWSGI_CALLABLE app;
+
+ include ${pkgs.nginx}/conf/uwsgi_params;
+ '';
};
-
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://localhost:3000/;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root ${acmechall}/${search-dom}/;
- '')
- ];
- };
- elchhub = {
- server-names = [ "search.nsupdate.info" ];
- # listen = [ "80" "443 ssl" ];
- ssl = {
- enable = true;
- certificate = search_ssl_cert;
- certificate_key = search_ssl_key;
- force_encryption = true;
- };
- locations = [ (nameValuePair "/" ''
- uwsgi_pass unix://${elch-sock};
- uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages};
- uwsgi_param UWSGI_MODULE elchhub.wsgi;
- uwsgi_param UWSGI_CALLABLE app;
-
- include ${pkgs.nginx}/conf/uwsgi_params;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root ${acmechall}/${search-dom}/;
- '')
- ];
};
};
};
@@ -147,7 +87,7 @@ in {
ExecStart = "${pkgs.elchhub}/bin/elch-manager";
};
};
- register-elchos-nsupdate = {
+ ddclient-nsupdate-elchos = {
wantedBy = [ "multi-user.target" ];
after = [ "ip-up.target" ];
serviceConfig = {
@@ -163,49 +103,8 @@ in {
};
};
- services.grafana = {
- enable = true;
- addr = "127.0.0.1";
- users.allowSignUp = false;
- users.allowOrgCreate = false;
- users.autoAssignOrg = false;
- auth.anonymous.enable = true;
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
- };
-
- services.graphite = {
- api = {
- enable = true;
- listenAddress = "127.0.0.1";
- port = 8080;
- };
- carbon = {
- enableCache = true;
- # save disk usage by restricting to 1 bulk update per second
- config = ''
- [cache]
- MAX_CACHE_SIZE = inf
- MAX_UPDATES_PER_SECOND = 1
- MAX_CREATES_PER_MINUTE = 500
- '';
- storageSchemas = ''
- [carbon]
- pattern = ^carbon\.
- retentions = 60:90d
-
- [elchos]
- patterhn = ^elchos\.
- retentions = 10s:30d,60s:3y
-
- [default]
- pattern = .*
- retentions = 30s:30d,300s:1y
- '';
- };
- };
-
networking.firewall = {
- allowedTCPPorts = [ 2003 80 443 ];
- allowedUDPPorts = [ 2003 ];
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ ];
};
}
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
index 9f27b6647..b6133205f 100644
--- a/makefu/2configs/elchos/stats.nix
+++ b/makefu/2configs/elchos/stats.nix
@@ -1,73 +1,48 @@
{ config, lib, pkgs, ... }:
+# requires nsupdate to get correct hostname (from ./search.nix)
# graphite-web on port 8080
# carbon cache on port 2003 (tcp/udp)
+
with import <stockholm/lib>;
-let
- sec = toString <secrets>;
- acmepath = "/var/lib/acme/";
- acmechall = acmepath + "/challenges/";
- ext-dom = "stats.nsupdate.info";
- #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
- #ssl_key = "${sec}/wildcard.krebsco.de.key";
- ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
- ssl_key = "${acmepath}/${ext-dom}/key.pem";
-in {
- networking.firewall = {
- allowedTCPPorts = [ 2003 80 443 ];
- allowedUDPPorts = [ 2003 ];
+{
+
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts = {
+ "stats.nsupdate.info" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:3000/";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
};
services.grafana = {
enable = true;
addr = "127.0.0.1";
- extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
users.allowSignUp = false;
users.allowOrgCreate = false;
users.autoAssignOrg = false;
+ auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
- krebs.nginx = {
- enable = true;
- servers.elch-stats = {
- server-names = [ ext-dom ];
- listen = [ "80" "443 ssl" ];
- ssl = {
- enable = true;
- # these certs will be needed if acme has not yet created certificates:
- certificate = ssl_cert;
- certificate_key = ssl_key;
- force_encryption = true;
- };
-
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://localhost:3000/;