diff options
Diffstat (limited to 'modules/tv')
31 files changed, 0 insertions, 3167 deletions
diff --git a/modules/tv/base-cac-CentOS-7-64bit.nix b/modules/tv/base-cac-CentOS-7-64bit.nix deleted file mode 100644 index 42ab481b3..000000000 --- a/modules/tv/base-cac-CentOS-7-64bit.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, pkgs, ... }: - -{ - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - ]; - - fileSystems."/" = { - device = "/dev/centos/root"; - fsType = "xfs"; - }; - - fileSystems."/boot" = { - device = "/dev/sda1"; - fsType = "xfs"; - }; - - swapDevices = [ - { device = "/dev/centos/swap"; } - ]; -} - diff --git a/modules/tv/base.nix b/modules/tv/base.nix deleted file mode 100644 index 94f3609cc..000000000 --- a/modules/tv/base.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: - -{ - time.timeZone = "Europe/Berlin"; - - # TODO check if both are required: - nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; - - nix.trustedBinaryCaches = [ - "https://cache.nixos.org" - "http://cache.nixos.org" - "http://hydra.nixos.org" - ]; - - nix.useChroot = true; -} diff --git a/modules/tv/config/consul-client.nix b/modules/tv/config/consul-client.nix deleted file mode 100644 index 0a8bf4d75..000000000 --- a/modules/tv/config/consul-client.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ ./consul-server.nix ]; - - tv.consul = { - server = pkgs.lib.mkForce false; - }; -} diff --git a/modules/tv/config/consul-server.nix b/modules/tv/config/consul-server.nix deleted file mode 100644 index 4cedbd349..000000000 --- a/modules/tv/config/consul-server.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, ... }: - -{ - imports = [ ../../tv/consul ]; - tv.consul = rec { - enable = true; - - inherit (config.tv.identity) self; - inherit (self) dc; - - server = true; - - hosts = with config.tv.identity.hosts; [ - # TODO get this list automatically from each host where tv.consul.enable is true - cd - mkdir - nomic - rmdir - #wu - ]; - }; -} diff --git a/modules/tv/consul/default.nix b/modules/tv/consul/default.nix deleted file mode 100644 index 2ee6fb8c2..000000000 --- a/modules/tv/consul/default.nix +++ /dev/null @@ -1,121 +0,0 @@ -{ config, lib, pkgs, ... }: - -# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect -# but -bootstrap -# TODO consul-bootstrap HOST that actually does is -# TODO tools to inspect state of a cluster in outage state - -with builtins; -with lib; -let - cfg = config.tv.consul; - - out = { - imports = [ ../../tv/iptables ]; - options.tv.consul = api; - config = mkIf cfg.enable (mkMerge [ - imp - { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; } - # TODO udp for 8301 - ]); - }; - - api = { - # TODO inherit (lib) api.options.enable; oder so - enable = mkOption { - type = types.bool; - default = false; - description = "enable tv.consul"; - }; - dc = mkOption { - type = types.unspecified; - }; - hosts = mkOption { - type = with types; listOf unspecified; - }; - encrypt-file = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/etc/consul/encrypt.json"; - }; - data-dir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/consul"; - }; - self = mkOption { - type = types.unspecified; - }; - server = mkOption { - type = types.bool; - default = false; - }; - GOMAXPROCS = mkOption { - type = types.int; - default = cfg.self.cores; - }; - }; - - consul-config = { - datacenter = cfg.dc; - data_dir = cfg.data-dir; - log_level = "INFO"; - #node_name = - server = cfg.server; - bind_addr = cfg.self.addr; # TODO cfg.addr - enable_syslog = true; - retry_join = map (getAttr "addr") (filter (host: host.fqdn != cfg.self.fqdn) cfg.hosts); - leave_on_terminate = true; - } // optionalAttrs cfg.server { - bootstrap_expect = length cfg.hosts; - leave_on_terminate = false; - }; - - imp = { - environment.systemPackages = with pkgs; [ - consul - ]; - - systemd.services.consul = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - consul - ]; - environment = { - GOMAXPROCS = toString cfg.GOMAXPROCS; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "consul"; - User = user.name; - PrivateTmp = "true"; - Restart = "always"; - ExecStartPre = pkgs.writeScript "consul-init" '' - #! /bin/sh - mkdir -p ${cfg.data-dir} - chown consul: ${cfg.data-dir} - ''; - ExecStart = pkgs.writeScript "consul-service" '' - #! /bin/sh - set -euf - exec >/dev/null - exec consul agent \ - -config-file=${toFile "consul.json" (toJSON consul-config)} \ - -config-file=${cfg.encrypt-file} \ - ''; - #-node=${cfg.self.fqdn} \ - #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "consul"; - uid = 2983239726; # genid consul - }; - -in -out diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix deleted file mode 100644 index 54a9aad0f..000000000 --- a/modules/tv/ejabberd.nix +++ /dev/null @@ -1,867 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) ejabberd writeScript writeScriptBin utillinux; - inherit (lib) makeSearchPath; - - cfg = config.services.ejabberd-cd; - - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; - -in - -{ - - ####### interface - - options = { - - services.ejabberd-cd = { - - enable = mkOption { - default = false; - description = "Whether to enable ejabberd server"; - }; - - certFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.string; - default = "/etc/ejabberd/ejabberd.pem"; - description = '' - TODO - ''; - }; - - config = mkOption { - type = types.string; - default = ""; - description = '' - TODO - ''; - }; - - user = mkOption { - type = types.string; - default = "ejabberd"; - description = '' - TODO - ''; - }; - - group = mkOption { - type = types.string; - default = "ejabberd"; - description = '' - TODO - ''; - }; - - - # spoolDir = mkOption { - # default = "/var/lib/ejabberd"; - # description = "Location of the spooldir of ejabberd"; - # }; - - # logsDir = mkOption { - # default = "/var/log/ejabberd"; - # description = "Location of the logfile directory of ejabberd"; - # }; - - # confDir = mkOption { - # default = "/var/ejabberd"; - # description = "Location of the config directory of ejabberd"; - # }; - - # virtualHosts = mkOption { - # default = "\"localhost\""; - # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas"; - # }; - - # loadDumps = mkOption { - # default = []; - # description = "Configuration dump that should be loaded on the first startup"; - # example = literalExample "[ ./myejabberd.dump ]"; - # }; - - # config - }; - - }; - - - ####### implementation - - config = - let - my-ejabberdctl = writeScriptBin "ejabberdctl" '' - #! /bin/sh - set -euf - exec env \ - SPOOLDIR=/var/ejabberd \ - EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \ - ${ejabberd}/bin/ejabberdctl \ - --logs /var/ejabberd \ - "$@" - ''; - in - mkIf cfg.enable { - #environment.systemPackages = [ pkgs.ejabberd ]; - - environment = { - etc."ejabberd.cfg".text = '' - %%% - %%% ejabberd configuration file - %%% - %%%' - - %%% The parameters used in this configuration file are explained in more detail - %%% in the ejabberd Installation and Operation Guide. - %%% Please consult the Guide in case of doubts, it is included with - %%% your copy of ejabberd, and is also available online at - %%% http://www.process-one.net/en/ejabberd/docs/ - - %%% This configuration file contains Erlang terms. - %%% In case you want to understand the syntax, here are the concepts: - %%% - %%% - The character to comment a line is % - %%% - %%% - Each term ends in a dot, for example: - %%% override_global. - %%% - %%% - A tuple has a fixed definition, its elements are - %%% enclosed in {}, and separated with commas: - %%% {loglevel, 4}. - %%% - %%% - A list can have as many elements as you want, - %%% and is enclosed in [], for example: - %%% [http_poll, web_admin, tls] - %%% - %%% - A keyword of ejabberd is a word in lowercase. - %%% Strings are enclosed in "" and can contain spaces, dots, ... - %%% {language, "en"}. - %%% {ldap_rootdn, "dc=example,dc=com"}. - %%% - %%% - This term includes a tuple, a keyword, a list, and two strings: - %%% {hosts, ["jabber.example.net", "im.example.com"]}. - %%% - - - %%%. ======================= - %%%' OVERRIDE STORED OPTIONS - - %% - %% Override the old values stored in the database. - %% - - %% - %% Override global options (shared by all ejabberd nodes in a cluster). - %% - %%override_global. - - %% - %% Override local options (specific for this particular ejabberd node). - %% - %%override_local. - - %% - %% Remove the Access Control Lists before new ones are added. - %% - %%override_acls. - - - %%%. ========= - %%%' DEBUGGING - - %% - %% loglevel: Verbosity of log files generated by ejabberd. - %% 0: No ejabberd log at all (not recommended) - %% 1: Critical - %% 2: Error - %% 3: Warning - %% 4: Info - %% 5: Debug - %% - {loglevel, 3}. - - %% - %% watchdog_admins: Only useful for developers: if an ejabberd process - %% consumes a lot of memory, send live notifications to these XMPP - %% accounts. - %% - %%{watchdog_admins, ["bob@example.com"]}. - - - %%%. ================ - %%%' SERVED HOSTNAMES - - %% - %% hosts: Domains served by ejabberd. - %% You can define one or several, for example: - %% {hosts, ["example.net", "example.com", "example.org"]}. - %% - {hosts, ["jabber.viljetic.de"]}. - - %% - %% route_subdomains: Delegate subdomains to other XMPP servers. - %% For example, if this ejabberd serves example.org and you want - %% to allow communication with an XMPP server called im.example.org. - %% - %%{route_subdomains, s2s}. - - - %%%. =============== - %%%' LISTENING PORTS - - %% - %% listen: The ports ejabberd will listen on, which service each is handled - %% by and what options to start it with. - %% - {listen, - [ - - {5222, ejabberd_c2s, [ - - %% - %% If TLS is compiled in and you installed a SSL - %% certificate, specify the full path to the - %% file and uncomment this line: - %% - starttls, - {certfile, ${toErlang cfg.certFile}}, - - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - - %% - %% ejabberd_service: Interact with external components (transports, ...) - %% - %%{8888, ejabberd_service, [ - %% {access, all}, - %% {shaper_rule, fast}, - %% {ip, {127, 0, 0, 1}}, - %% {hosts, ["icq.example.org", "sms.example.org"], - %% [{password, "secret"}] - %% } - %% ]}, - - %% - %% ejabberd_stun: Handles STUN Binding requests - %% - %%{{3478, udp}, ejabberd_stun, []}, - - {5280, ejabberd_http, [ - %%{request_handlers, - %% [ - %% {["pub", "archive"], mod_http_fileserver} - %% ]}, - captcha, - http_bind, - http_poll, - %%register, - web_admin - ]} - - ]}. - - %% - %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. - %% Allowed values are: false optional required required_trusted - %% You must specify a certificate file. - %% - {s2s_use_starttls, required}. - - %% - %% s2s_certfile: Specify a certificate file. - %% - {s2s_certfile, ${toErlang cfg.certFile}}. - - %% - %% domain_certfile: Specify a different certificate for each served hostname. - %% - %%{domain_certfile, "example.org", "/path/to/example_org.pem"}. - %%{domain_certfile, "example.com", "/path/to/example_com.pem"}. - - %% - %% S2S whitelist or blacklist - %% - %% Default s2s policy for undefined hosts. - %% - %%{s2s_default_policy, allow}. - - %% - %% Allow or deny communication with specific servers. - %% - %%{{s2s_host, "goodhost.org"}, allow}. - %%{{s2s_host, "badhost.org"}, deny}. - - %% - %% Outgoing S2S options - %% - %% Preferred address families (which to try first) and connect timeout - %% in milliseconds. - %% - %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. - - - %%%. ============== - %%%' AUTHENTICATION - - %% - %% auth_method: Method used to authenticate the users. - %% The default method is the internal. - %% If you want to use a different method, - %% comment this line and enable the correct ones. - %% - {auth_method, internal}. - %% - %% Store the plain passwords or hashed for SCRAM: - %%{auth_password_format, plain}. - %%{auth_password_format, scram}. - %% - %% Define the FQDN if ejabberd doesn't detect it: - %%{fqdn, "server3.example.com"}. - - %% - %% Authentication using external script - %% Make sure the script is executable by ejabberd. - %% - %%{auth_method, external}. - %{extauth_program, "$ {ejabberd-auth}"}. - - %% - %% Authentication using ODBC - %% Remember to setup a database in the next section. - %% - %%{auth_method, odbc}. - - %% - %% Authentication using PAM - %% - %%{auth_method, pam}. - %%{pam_service, "pamservicename"}. - - %% - %% Authentication using LDAP - %% - %%{auth_method, ldap}. - %% - %% List of LDAP servers: - %%{ldap_servers, ["localhost"]}. - %% - %% Encryption of connection to LDAP servers: - %%{ldap_encrypt, none}. - %%{ldap_encrypt, tls}. - %% - %% Port to connect to on LDAP servers: - %%{ldap_port, 389}. - %%{ldap_port, 636}. - %% - %% LDAP manager: - %%{ldap_rootdn, "dc=example,dc=com"}. - %% - %% Password of LDAP manager: - %%{ldap_password, "******"}. - %% - %% Search base of LDAP directory: - %%{ldap_base, "dc=example,dc=com"}. - %% - %% LDAP attribute that holds user ID: - %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}. - %% - %% LDAP filter: - %%{ldap_filter, "(objectClass=shadowAccount)"}. - - %% - %% Anonymous login support: - %% auth_method: anonymous - %% anonymous_protocol: sasl_anon | login_anon | both - %% allow_multiple_connections: true | false - %% - %%{host_config, "public.example.org", [{auth_method, anonymous}, - %% {allow_multiple_connections, false}, - %% {anonymous_protocol, sasl_anon}]}. - %% - %% To use both anonymous and internal authentication: - %% - %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}. - - - %%%. ============== - %%%' DATABASE SETUP - - %% ejabberd by default uses the internal Mnesia database, - %% so you do not necessarily need this section. - %% This section provides configuration examples in case - %% you want to use other database backends. - %% Please consult the ejabberd Guide for details on database creation. - - %% - %% MySQL server: - %% - %%{odbc_server, {mysql, "server", "database", "username", "password"}}. - %% - %% If you want to specify the port: - %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}. - - %% - %% PostgreSQL server: - %% - %%{odbc_server, {pgsql, "server", "database", "username", "password"}}. - %% - %% If you want to specify the port: - %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}. - %% - %% If you use PostgreSQL, have a large database, and need a - %% faster but inexact replacement for "select count(*) from users" - %% - %%{pgsql_users_number_estimate, true}. - - %% - %% ODBC compatible or MSSQL server: - %% - %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}. - - %% - %% Number of connections to open to the database for each virtual host - %% - %%{odbc_pool_size, 10}. - - %% - %% Interval to make a dummy SQL request to keep the connections to the - %% database alive. Specify in seconds: for example 28800 means 8 hours - %% - %%{odbc_keepalive_interval, undefined}. - - - %%%. =============== - %%%' TRAFFIC SHAPERS - - %% - %% The "normal" shaper limits traffic speed to 1000 B/s - %% - {shaper, normal, {maxrate, 1000}}. - - %% - %% The "fast" shaper limits traffic speed to 50000 B/s - %% - {shaper, fast, {maxrate, 50000}}. - - %% - %% This option specifies the maximum number of elements in the queue - %% of the FSM. Refer to the documentation for details. - %% - {max_fsm_queue, 1000}. - - - %%%. ==================== - %%%' ACCESS CONTROL LISTS - - %% - %% The 'admin' ACL grants administrative privileges to XMPP accounts. - %% You can put here as many accounts as you want. - %% - %%{acl, admin, {user, "aleksey", "localhost"}}. - %%{acl, admin, {user, "ermine", "example.org"}}. - - %% - %% Blocked users - %% - %%{acl, blocked, {user, "baduser", "example.org"}}. - %%{acl, blocked, {user, "test"}}. - - %% - %% Local users: don't modify this line. - %% - {acl, local, {user_regexp, ""}}. - - %% - %% More examples of ACLs - %% - %%{acl, jabberorg, {server, "jabber.org"}}. - %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}. - %%{acl, test, {user_regexp, "^test"}}. - %%{acl, test, {user_glob, "test*"}}. - - %% - %% Define specific ACLs in a virtual host. - %% - %%{host_config, "localhost", - %% [ - %% {acl, admin, {user, "bob-local", "localhost"}} - %% ] - %%}. - - - %%%. ============ - %%%' ACCESS RULES - - %% Maximum number of simultaneous sessions allowed for a single user: - {access, max_user_sessions, [{10, all}]}. - - %% Maximum number of offline messages that users can have: - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - - %% This rule allows access only for local users: - {access, local, [{allow, local}]}. - - %% Only non-blocked users can use c2s connections: - {access, c2s, [{deny, blocked}, - {allow, all}]}. - - %% For C2S connections, all users except admins use the "normal" shaper - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - - %% All S2S connections use the "fast" shaper - {access, s2s_shaper, [{fast, all}]}. - - %% Only admins can send announcement messages: - {access, announce, [{allow, admin}]}. - - %% Only admins can use the configuration interface: - {access, configure, [{allow, admin}]}. - - %% Admins of this server are also admins of the MUC service: - {access, muc_admin, [{allow, admin}]}. - - %% Only accounts of the local ejabberd server can create rooms: - {access, muc_create, [{allow, local}]}. - - %% All users are allowed to use the MUC service: - {access, muc, [{allow, all}]}. - - %% Only accounts on the local ejabberd server can create Pubsub nodes: - {access, pubsub_createnode, [{allow, local}]}. - - %% In-band registration allows registration of any possible username. - %% To disable in-band registration, replace 'allow' with 'deny'. - {access, register, [{allow, all}]}. - - %% By default the frequency of account registrations from the same IP - %% is limited to 1 account every 10 minutes. To disable, specify: infinity - %%{registration_timeout, 600}. - - %% - %% Define specific Access Rules in a virtual host. - %% - %%{host_config, "localhost", - %% [ - %% {access, c2s, [{allow, admin}, {deny, all}]}, - %% {access, register, [{deny, all}]} - %% ] - %%}. - - - %%%. ================ - %%%' DEFAULT LANGUAGE - - %% - %% language: Default language used for server messages. - %% - {language, "en"}. - - %% - %% Set a different default language in a virtual host. - %% - %%{host_config, "localhost", - %% [{language, "ru"}] - %%}. - - - %%%. ======= - %%%' CAPTCHA - - %% - %% Full path to a script that generates the image. - |