From c6b4c7920fd9c0eb11f3bd3c5602980934fafd20 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:39:03 +0200 Subject: ma gum.r: handle new domain --- makefu/1systems/gum/config.nix | 4 ++++ makefu/2configs/nginx/misa-felix-hochzeit.ml.nix | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 makefu/2configs/nginx/misa-felix-hochzeit.ml.nix diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 40fa233d3..578e4add8 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -64,8 +64,10 @@ in { + # + @@ -222,6 +224,8 @@ in { 25 # http 80 443 + # httptunnel + 8080 8443 # tinc 655 # tinc-shack diff --git a/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix b/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix new file mode 100644 index 000000000..d0881a934 --- /dev/null +++ b/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: +{ + services.nginx = { + enable = lib.mkDefault true; + virtualHosts."misa-felix-hochzeit.ml" = { + serverAliases = [ "www.misa-felix-hochzeit.ml" "misa-felix.ml" "www.misa-felix.ml" ]; + forceSSL = true; + enableACME = true; + locations = { + "/" = { + index = "index.html"; + root = "/var/www/misa-felix-hochzeit.ml"; + }; + }; + }; + }; +} -- cgit v1.2.3 From a2c1afe2a253589bc38380a75c7b156216b40667 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:39:44 +0200 Subject: ma x.r: allow automatic mounting by pcmanfm --- makefu/1systems/x/config.nix | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index f72f2a15b..483fc81e5 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix 
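Review bot: The second hunk of makefu/1systems/gum/config.nix opens 8080 and 8443 in what appears to be the firewall port list with only `# httptunnel` as explanation, while the commit title covers the new domain and nothing else in the diff adds a listener on those ports. Either the tunnel belongs in its own commit, or the comment should name the service and the config that binds it, e.g. `# httptunnel (see <path-of-tunnel-config>)`, so the open ports stay traceable to a consumer. The added lines of the first hunk come through empty in this rendering, presumably an angle-bracket import path that was stripped, so I cannot confirm from here that the new misa-felix-hochzeit.ml vhost file is actually imported by this config.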
@@ -141,14 +141,47 @@ with import ; # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio hardware.bluetooth.enable = true; } - { # auto-mounting + { # auto-mounting via polkit services.udisks2.enable = true; - services.devmon.enable = true; + ## automount all disks: + # services.devmon.enable = true; # services.gnome3.gvfs.enable = true; + users.groups.storage = { + gid = genid "storage"; + members = [ "makefu" ]; + }; users.users.makefu.packages = with pkgs;[ gvfs pcmanfm lxmenu-data ]; environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; + + ## allow users in group "storage" to mount disk + # https://github.com/coldfix/udiskie/wiki/Permissions + security.polkit.extraConfig = + '' + polkit.addRule(function(action, subject) { + var YES = polkit.Result.YES; + var permission = { + "org.freedesktop.udisks.filesystem-mount": YES, + "org.freedesktop.udisks.luks-unlock": YES, + "org.freedesktop.udisks.drive-eject": YES, + "org.freedesktop.udisks.drive-detach": YES, + "org.freedesktop.udisks2.filesystem-mount": YES, + "org.freedesktop.udisks2.encrypted-unlock": YES, + "org.freedesktop.udisks2.eject-media": YES, + "org.freedesktop.udisks2.power-off-drive": YES, + "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, + "org.freedesktop.udisks2.filesystem-unmount-others": YES, + "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, + "org.freedesktop.udisks2.eject-media-other-seat": YES, + "org.freedesktop.udisks2.power-off-drive-other-seat": YES + }; + if (subject.isInGroup("storage")) { + return permission[action.id]; + } + }); + ''; + } ]; @@ -170,6 +203,7 @@ with import ; networking.extraHosts = '' 192.168.1.11 omo.local + 80.92.65.53 www.wifionice.de wifionice.de ''; # hard dependency because otherwise the device will not be unlocked boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; -- cgit v1.2.3 
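Review bot: The polkit rule answers YES for every action in the table as soon as `subject.isInGroup("storage")` holds, including the `*-other-seat` entries and `filesystem-unmount-others`, which let a group member act on devices and mounts belonging to other seats and users rather than just auto-mount their own removable media. Unless that is wanted, drop those five entries, and in any case gate the rule on the session, `if (subject.isInGroup("storage") && subject.local && subject.active) {`, so a remote or inactive login in the group gets no grant. Unlisted actions fall through because `permission[action.id]` yields undefined, which polkit treats as no decision; a one-line comment saying so would save the next reader a lookup. The same rule is added verbatim as makefu/2configs/gui/automatic-diskmount.nix in commit 0d4bb21d, which should carry the same change.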
From 0d4bb21df59c08eccf5db522242d3cb80f2b9425 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:44:06 +0200 Subject: ma automatic-diskmount: put into separate config --- makefu/1systems/x/config.nix | 42 --------------------------- makefu/2configs/gui/automatic-diskmount.nix | 44 +++++++++++++++++++++++++++++ makefu/2configs/main-laptop.nix | 1 + 3 files changed, 45 insertions(+), 42 deletions(-) create mode 100644 makefu/2configs/gui/automatic-diskmount.nix diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 483fc81e5..93bb27efe 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix 
@@ -141,48 +141,6 @@ with import ; # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio hardware.bluetooth.enable = true; } - { # auto-mounting via polkit - services.udisks2.enable = true; - ## automount all disks: - # services.devmon.enable = true; - # services.gnome3.gvfs.enable = true; - users.groups.storage = { - gid = genid "storage"; - members = [ "makefu" ]; - }; - users.users.makefu.packages = with pkgs;[ - gvfs pcmanfm lxmenu-data - ]; - environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; - - ## allow users in group "storage" to mount disk - # https://github.com/coldfix/udiskie/wiki/Permissions - security.polkit.extraConfig = - '' - polkit.addRule(function(action, subject) { - var YES = polkit.Result.YES; - var permission = { - "org.freedesktop.udisks.filesystem-mount": YES, - "org.freedesktop.udisks.luks-unlock": YES, - "org.freedesktop.udisks.drive-eject": YES, - "org.freedesktop.udisks.drive-detach": YES, - "org.freedesktop.udisks2.filesystem-mount": YES, - "org.freedesktop.udisks2.encrypted-unlock": YES, - "org.freedesktop.udisks2.eject-media": YES, - "org.freedesktop.udisks2.power-off-drive": YES, - "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, - "org.freedesktop.udisks2.filesystem-unmount-others": YES, - "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, - "org.freedesktop.udisks2.eject-media-other-seat": YES, - "org.freedesktop.udisks2.power-off-drive-other-seat": YES - }; - if (subject.isInGroup("storage")) { - return permission[action.id]; - } - }); - ''; - - } ]; diff --git a/makefu/2configs/gui/automatic-diskmount.nix b/makefu/2configs/gui/automatic-diskmount.nix new file mode 100644 index 000000000..19933111a --- /dev/null +++ b/makefu/2configs/gui/automatic-diskmount.nix 
@@ -0,0 +1,44 @@ +{ pkgs, ... }: +with import ; #genid +{ # auto-mounting via polkit + services.udisks2.enable = true; +## automount all disks: +# services.devmon.enable = true; +# services.gnome3.gvfs.enable = true; + users.groups.storage = { + gid = genid "storage"; + members = [ "makefu" ]; + }; + users.users.makefu.packages = with pkgs;[ + gvfs pcmanfm lxmenu-data + ]; + environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; + +## allow users in group "storage" to mount disk +# https://github.com/coldfix/udiskie/wiki/Permissions + security.polkit.extraConfig = + '' + polkit.addRule(function(action, subject) { + var YES = polkit.Result.YES; + var permission = { + "org.freedesktop.udisks.filesystem-mount": YES, + "org.freedesktop.udisks.luks-unlock": YES, + "org.freedesktop.udisks.drive-eject": YES, + "org.freedesktop.udisks.drive-detach": YES, + "org.freedesktop.udisks2.filesystem-mount": YES, + "org.freedesktop.udisks2.encrypted-unlock": YES, + "org.freedesktop.udisks2.eject-media": YES, + "org.freedesktop.udisks2.power-off-drive": YES, + "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, + "org.freedesktop.udisks2.filesystem-unmount-others": YES, + "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, + "org.freedesktop.udisks2.eject-media-other-seat": YES, + "org.freedesktop.udisks2.power-off-drive-other-seat": YES + }; + if (subject.isInGroup("storage")) { + return permission[action.id]; + } + }); + ''; + +} diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index 827da0c8d..315fc4706 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -16,6 +16,7 @@ in { ./zsh-user.nix ./tools/core.nix ./tools/core-gui.nix + ./gui/automatic-diskmount.nix ]; users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; -- cgit v1.2.3 From bb41144dc0e18ea704ebea00f5f2da0573a443cc Mon Sep 17 00:00:00 2001 
From: makefu Date: Wed, 4 Apr 2018 14:44:28 +0200 Subject: ma wbob.r: put self into pulse group --- makefu/1systems/wbob/config.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index cfbcf0e9c..42f3bddb1 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -33,6 +33,9 @@ in { + { + users.users.makefu.extraGroups = [ "pulse" ]; + } # Sensors @@ -121,6 +124,7 @@ in { networking.firewall.allowedTCPPorts = [ 655 8081 #smokeping + 8086 #influx 49152 ]; networking.firewall.trustedInterfaces = [ "enp0s25" ]; -- cgit v1.2.3 From cab4eb5e430f0fce8698a0eb4a7f9825f133b519 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:45:30 +0200 Subject: ma bluetooth-mpd: provide anonymous unix socket for all programs --- makefu/2configs/bluetooth-mpd.nix | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/makefu/2configs/bluetooth-mpd.nix b/makefu/2configs/bluetooth-mpd.nix index 226f5cf1f..b59d3ce10 100644 --- a/makefu/2configs/bluetooth-mpd.nix +++ b/makefu/2configs/bluetooth-mpd.nix @@ -34,7 +34,7 @@ in { hardware.pulseaudio = { enable = true; package = pkgs.pulseaudioFull; - # systemWide = true; + # systemWide = true; support32Bit = true; zeroconf.discovery.enable = true; zeroconf.publish.enable = true; @@ -42,12 +42,13 @@ in { enable = true; # PULSE_SERVER=192.168.1.11 pavucontrol anonymousClients.allowAll = true; + anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.0.0/16" ]; }; configFile = pkgs.writeText "default.pa" '' load-module module-udev-detect load-module module-bluetooth-policy load-module module-bluetooth-discover - load-module module-native-protocol-unix + load-module module-native-protocol-unix auth-anonymous=1 load-module module-always-sink load-module module-console-kit load-module module-systemd-login 
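Review bot: `8086 #influx` is appended to `networking.firewall.allowedTCPPorts` in makefu/1systems/wbob/config.nix, which opens the InfluxDB HTTP API on every interface that is not already trusted, and nothing in the hunk shows authentication on that endpoint. Since `enp0s25` is already in `trustedInterfaces`, the new entry is presumably for another interface (a sibling commit in this series pushes stats to `wbob.r` from the arafetch job); scope it to that interface instead, via `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 8086 ];` if the pinned release provides that option, otherwise with an interface-matched iptables rule, and name the consumer in the comment.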
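Review bot: `anonymousClients.allowAll = true` stays in place next to the new `anonymousClients.allowedIpRanges` in makefu/2configs/bluetooth-mpd.nix, but allowAll maps to `auth-anonymous=1` on the TCP protocol module, which as far as I can tell authorizes any connection before the IP ACL is consulted, so the new range list changes nothing. If the intent is to restrict remote clients to 127.0.0.1 and 192.168.0.0/16, remove `anonymousClients.allowAll = true;` and keep only `allowedIpRanges`; if the intent is to stay open, the new line is dead configuration. The `auth-anonymous=1` on `module-native-protocol-unix` does what the commit title says, namely any local user can use the daemon without the cookie; a short comment next to it stating that the socket is then usable by every local account would help a later reader.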
@@ -56,13 +57,15 @@ in { load-module module-filter-heuristics load-module module-filter-apply load-module module-switch-on-connect + #load-module module-bluez5-device + #load-module module-bluez5-discover ''; }; - # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio + # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio hardware.bluetooth.enable = true; - #hardware.bluetooth.extraConfig = '' - # [general] - # Enable=Source,Sink,Media,Socket - #''; + # environment.etc."bluetooth/audio.conf".text = '' + # [General] + # Enable = Source,Sink,Media,Socket + # ''; }; } -- cgit v1.2.3 From fc3a10ebec641d49a83389d28ab45da519cb4727 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:45:45 +0200 Subject: ma cgit-retiolum: init arafetch --- makefu/2configs/git/cgit-retiolum.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 30d90f9e3..c209b83f6 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -30,6 +30,7 @@ let euer_blog = { }; ampel = { }; europastats = { }; + arafetch = { }; init-stockholm = { cgit.desc = "Init stuff for stockholm"; }; -- cgit v1.2.3 From d1542ef7739a61e9ee11ff86300ed6a3486569ac Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:46:15 +0200 Subject: ma arafetch: add extra logic for remote stats generation --- makefu/2configs/stats/arafetch.nix | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/makefu/2configs/stats/arafetch.nix b/makefu/2configs/stats/arafetch.nix index e04b12f9c..422676b24 100644 --- a/makefu/2configs/stats/arafetch.nix +++ b/makefu/2configs/stats/arafetch.nix @@ -3,7 +3,7 @@ with import ; let pkg = with pkgs.python3Packages;buildPythonPackage rec { rev = "762d747"; - name = "europastats-${rev}"; + name = "arafetch-${rev}"; propagatedBuildInputs = [ requests docopt 
@@ -25,12 +25,25 @@ in { }; systemd.services.arafetch = { - startAt = "Mon 09:15:00"; + startAt = "Mon,Wed,Fri 09:15:00"; wantedBy = [ "multi-user.target" ]; environment = { OUTDIR = home; }; path = [ pkg pkgs.git pkgs.wget ]; - script = "${pkg}/bin/weekrun"; + serviceConfig = { + User = "arafetch"; + WorkingDirectory = home; + PrivateTmp = true; + ExecStart = pkgs.writeDash "start-weekrun" '' + set -x + weekrun || echo "weekrun failed!" + find $OUTDIR/db -name \*.json | while read path;do + file=''${path##*/} + cantine=''${file%%.json} + ara2influx $path --cantine $cantine --host wbob.r + done + ''; + }; }; } -- cgit v1.2.3 From 402a0c9847df5b1195cb8b49e2f0cf632668ca71 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:46:44 +0200 Subject: ma hydra/stockholm: remove enable for postgres --- makefu/2configs/hydra/stockholm.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/makefu/2configs/hydra/stockholm.nix b/makefu/2configs/hydra/stockholm.nix index 4bdb09213..35999ae57 100644 --- a/makefu/2configs/hydra/stockholm.nix +++ b/makefu/2configs/hydra/stockholm.nix @@ -5,7 +5,6 @@ { # TODO postgres backup - services.postgresql.enable = true; services.hydra = { enable = true; -- cgit v1.2.3 From af5698307560b8cd1ab2ff2713684debab74fd5d Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:47:14 +0200 Subject: ma remote-build: rip --- makefu/2configs/remote-build/master.nix | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 makefu/2configs/remote-build/master.nix diff --git a/makefu/2configs/remote-build/master.nix b/makefu/2configs/remote-build/master.nix deleted file mode 100644 index 2a2c68119..000000000 --- a/makefu/2configs/remote-build/master.nix +++ /dev/null 
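Review bot: `weekrun || echo "weekrun failed!"` in the new ExecStart script turns a failed run into a success for systemd, and with no `set -e` a failing `ara2influx` is ignored as well, so the unit will never show as failed. The pipeline also uses `while read path` without `-r` and leaves `$OUTDIR` and `$path` unquoted. The rewrite below records the weekrun failure, still pushes whatever is in `$OUTDIR/db`, and exits non-zero at the end. Whether the `arafetch` user named in `User` is declared elsewhere in the file is outside the hunk.
```nix
ExecStart = pkgs.writeDash "start-weekrun" ''
  set -eux
  rc=0
  weekrun || { echo "weekrun failed!" >&2; rc=1; }
  find "$OUTDIR/db" -name '*.json' | while read -r path; do
    file=''${path##*/}
    cantine=''${file%%.json}
    ara2influx "$path" --cantine "$cantine" --host wbob.r
  done
  exit $rc
'';
```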
@@ -1,14 +0,0 @@ -{ pkgs, ...}: -let - sshKey = (toString ) + "/id_nixBuild"; -in { - nix.distributedBuilds = true; - # TODO: iterate over krebs.hosts - nix.buildMachines = map ( hostName: - { inherit hostName sshKey; - sshUser = "nixBuild"; - system = "x86_64-linux"; - maxJobs = 8; - }) [ "hotdog.r" ]; - # puyak.r "wbob.r" "omo.r" "gum.r" "latte.r" -} -- cgit v1.2.3 From 8f1907ef4eaa6b8be9838b69cf0243c441d52c3e Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:48:01 +0200 Subject: ma urlwatch: do not track oslo.config anymore --- makefu/2configs/urlwatch/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix index d0fb4fe41..f93d47caa 100644 --- a/makefu/2configs/urlwatch/default.nix +++ b/makefu/2configs/urlwatch/default.nix @@ -25,7 +25,6 @@ in { # pypi https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/devpi-client/ - https://pypi.python.org/simple/oslo.config/ https://pypi.python.org/simple/sqlalchemy_migrate/ https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/pyserial/ -- cgit v1.2.3 From 5dd8342aafd204863e826327af9222f22b2dd040 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:48:18 +0200 Subject: ma pkgs.ampel: bump to 0.2.1 --- makefu/5pkgs/ampel/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/makefu/5pkgs/ampel/default.nix b/makefu/5pkgs/ampel/default.nix index 86518b9b8..9792c2c59 100644 --- a/makefu/5pkgs/ampel/default.nix +++ b/makefu/5pkgs/ampel/default.nix @@ -2,7 +2,7 @@ with pkgs.python3Packages;buildPythonPackage rec { name = "ampel-${version}"; - version = "0.2"; + version = "0.2.1"; propagatedBuildInputs = [ docopt 
@@ -16,8 +16,8 @@ with pkgs.python3Packages;buildPythonPackage rec { src = pkgs.fetchgit { url = "http://cgit.euer.krebsco.de/ampel"; - rev = "d8a0250"; - sha256 = "0n36lc17ca5db6pl6dswdqd5w9f881rfqck9yc4w33a5qpsxj85f"; + rev = "92321d7"; + sha256 = "0mvpbpf1rx8sc589qjb73gl8z6fir2zs3gl3br1pbhg5jgn0ij4n"; }; meta = { homepage = http://cgit.euer.krebsco.de/ampel; -- cgit v1.2.3 From d4fcbba9086cadad2de132e18e64cb66e87a7df6 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:48:59 +0200 Subject: ma pkgs.awesomecfg.full: use maximized instead of horizontal/vertical --- makefu/5pkgs/awesomecfg/full.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index e748981c6..e49a88697 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -412,8 +412,7 @@ clientkeys = awful.util.table.join( end), awful.key({ modkey, }, "m", function (c) - c.maximized_horizontal = not c.maximized_horizontal - c.maximized_vertical = not c.maximized_vertical + c.maximized = not c.maximized end) ) -- cgit v1.2.3 From bd08fef3bd33658782cddc8bfa537de6c1f42c76 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:51:59 +0200 Subject: ma devpi-web: bump to latest version --- makefu/5pkgs/devpi/default.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/makefu/5pkgs/devpi/default.nix b/makefu/5pkgs/devpi/default.nix index 3ddcd9641..6515ea3d1 100644 --- a/makefu/5pkgs/devpi/default.nix +++ b/makefu/5pkgs/devpi/default.nix 
@@ -16,16 +16,17 @@ let }; devpi-web = pkgs.python3Packages.buildPythonPackage rec { name = "devpi-web"; - version = "3.1.1"; + version = "3.2.2"; src = pkgs.fetchurl { url = "mirror://pypi/d/devpi-web/devpi-web-${version}.tar.gz"; - sha256 = "0bvqv52jmasfm4sdyccwsgvk9a663d3grj7zjw8r9x7xm7l3svqv"; + sha256 = "1mwg2fcw88rn47ypnhg5f4s1r066129z922113shyinwrwfddhay"; }; - propagatedBuildInputs = with pkgs.python3Packages; - [ pkgs.devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ]; + propagatedBuildInputs = with pkgs.python3Packages; builtins.trace pkgs.devpi-server.version + [ pkgs.devpi-server pyramid_chameleon pygments docutils devpi-common + whoosh beautifulsoup4 defusedxml readme-renderer ]; meta = { homepage = https://bitbucket.org/hpk42/devpi; @@ -37,6 +38,6 @@ let in { devpi-web = pkgs.python3.buildEnv.override { - extraLibs = [ devpi-web devpi-server ]; - }; + extraLibs = [ devpi-web pkgs.devpi-server ]; + }; } -- cgit v1.2.3 From 1b740bf9ef32972f7242226699a75b39feeb18b2 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 4 Apr 2018 14:56:11 +0200 Subject: ma source: 18.03 --- makefu/source.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/makefu/source.nix b/makefu/source.nix index d25fe5528..bbc059947 100644 --- a/makefu/source.nix +++ b/makefu/source.nix @@ -21,9 +21,8 @@ let ]; }; # TODO: automate updating of this ref + cherry-picks - ref = "6583793"; # nixos-17.09 @ 2018-03-07 - # + do_sqlite3 ruby: 55a952be5b5 - # + signal: 0f19beef3, 50ad913, 9449782, b7046ab2 + ref = "a09afbfb8a4"; # nixos-18.03 @ 2018-04-04 + # + do_sqlite3 ruby: 55a952be5b5 in evalSource (toString _file) [ -- cgit v1.2.3 From 241973f2ec1f4fcf217c37fd102feba82bc0b66e Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 5 Apr 2018 09:32:22 +0200 Subject: ma source: follow musnix master --- makefu/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/source.nix b/makefu/source.nix index bbc059947..bcdb66a66 100644 
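Review bot: `builtins.trace pkgs.devpi-server.version` is left in front of the `propagatedBuildInputs` list, so every evaluation of this package prints the devpi-server version to stderr; this reads like a debugging leftover rather than part of the version bump. Restore the plain form, `propagatedBuildInputs = with pkgs.python3Packages;` followed by the list, or keep the trace behind a comment that explains why it is wanted.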
--- a/makefu/source.nix +++ b/makefu/source.nix @@ -53,7 +53,7 @@ in (mkIf ( musnix ) { musnix.git = { url = https://github.com/musnix/musnix.git; - ref = "d8b989f"; + ref = "master"; # follow the musnix channel, lets see how this works out }; }) -- cgit v1.2.3 From f9fff51f9979982b12a3b8022651912ccaf25347 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 18 Apr 2018 08:20:21 +0200 Subject: pssh: RIP --- krebs/5pkgs/simple/pssh/default.nix | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 krebs/5pkgs/simple/pssh/default.nix diff --git a/krebs/5pkgs/simple/pssh/default.nix b/krebs/5pkgs/simple/pssh/default.nix deleted file mode 100644 index 2676af0cf..000000000 --- a/krebs/5pkgs/simple/pssh/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ writeDashBin }: - -writeDashBin "pssh" '' - set -efu - case ''${1-} in - - # TODO create plog with -o json | jq ... | map date - - # usage: pssh {-j,--journal} host... - # Follow journal at each host. - -j|--journal) - shift - "$0" journalctl -n0 -ocat --follow --all ::: "$@" \ - | while read line; do - printf '%s %s\n' "$(date --rfc-3339=s)" "$line" - done - ;; - - -*) - echo $0: unknown option: $1 >&2 - exit 1 - ;; - - # usage: pssh command [arg...] ::: host... - # Run command at each host. - *) - exec parallel \ - --line-buffer \ - -j0 \ - --no-notice \ - --tagstring {} \ - ssh -T {} "$@" - ;; - - esac -'' -- cgit v1.2.3 From 105879da15cf7e3bf9cbc67029a3a2ecf50d616c Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 18 Apr 2018 08:21:17 +0200 Subject: urlwatch: use upstream --- krebs/5pkgs/simple/urlwatch/default.nix | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 krebs/5pkgs/simple/urlwatch/default.nix diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix deleted file mode 100644 index 64f3ad1ac..000000000 --- a/krebs/5pkgs/simple/urlwatch/default.nix +++ /dev/null 
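Review bot: `ref = "master"` replaces a pinned revision with a moving branch, so the evaluated musnix module changes whenever upstream pushes and a build is no longer reproducible from this file alone; the comment itself frames this as an experiment. Pin it to a commit hash again and note the branch it tracks in the comment, e.g. `ref = "<commit-hash>"; # musnix master @ <date>`, matching how the nixpkgs `ref` one commit earlier in this series records its date.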
@@ -1,29 +0,0 @@ -{ stdenv, fetchFromGitHub, python3Packages }: - -python3Packages.buildPythonApplication rec { - name = "urlwatch-${version}"; - version = "2.8"; - - src = fetchFromGitHub { - owner = "thp"; - repo = "urlwatch"; - rev = version; - sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4"; - }; - - propagatedBuildInputs = with python3Packages; [ - appdirs - keyring - minidb - pycodestyle - pyyaml - requests - ]; - - meta = with stdenv.lib; { - description = "A tool for monitoring webpages for updates"; - homepage = https://thp.io/2008/urlwatch/; - license = licenses.bsd3; - maintainers = with maintainers; [ tv ]; - }; -} -- cgit v1.2.3 From 0fe9b28302c905523f2ecefadfd167e1547785f9 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 18 Apr 2018 08:23:38 +0200 Subject: ucspi-tcp: use upstream --- krebs/5pkgs/simple/ucspi-tcp/chmod.patch | 15 ------ krebs/5pkgs/simple/ucspi-tcp/default.nix | 86 -------------------------------- 2 files changed, 101 deletions(-) delete mode 100644 krebs/5pkgs/simple/ucspi-tcp/chmod.patch delete mode 100644 krebs/5pkgs/simple/ucspi-tcp/default.nix diff --git a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch b/krebs/5pkgs/simple/ucspi-tcp/chmod.patch deleted file mode 100644 index dd6933208..000000000 --- a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/hier.c b/hier.c -index 5663ada..1d73b84 100644 ---- a/hier.c -+++ b/hier.c -@@ -2,8 +2,8 @@ - - void hier() - { -- h(auto_home,-1,-1,02755); -- d(auto_home,"bin",-1,-1,02755); -+ h(auto_home,-1,-1,0755); -+ d(auto_home,"bin",-1,-1,0755); - - c(auto_home,"bin","tcpserver",-1,-1,0755); - c(auto_home,"bin","tcprules",-1,-1,0755); diff --git a/krebs/5pkgs/simple/ucspi-tcp/default.nix b/krebs/5pkgs/simple/ucspi-tcp/default.nix deleted file mode 100644 index 3b043be06..000000000 --- a/krebs/5pkgs/simple/ucspi-tcp/default.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -{ stdenv, fetchurl }: - -stdenv.mkDerivation rec { - name = "ucspi-tcp-0.88"; - - src = fetchurl { - url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz"; - sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja"; - }; - - # Plain upstream tarball doesn't build, get patches from Debian - patches = [ - (fetchurl { - url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz"; - sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6"; - }) - ./chmod.patch - ]; - - # Apply Debian patches - postPatch = '' - for fname in debian/diff/*.diff; do - echo "Applying patch $fname" - patch < "$fname" - done - ''; - - # The build system is weird; 'make install' doesn't install anything, instead - # it builds an executable called ./install (from C code) which installs - # binaries to the directory given on line 1 in ./conf-home. - # - # Also, assume getgroups and setgroups work, instead of doing a build time - # test that breaks on NixOS (I think because nixbld users lack CAP_SETGID - # capability). - preBuild = '' - echo "$out" > conf-home - - echo "main() { return 0; }" > chkshsgr.c - ''; - - installPhase = '' - mkdir -p "$out/bin" - mkdir -p "$out/share/man/man1" - - # run the newly built installer - ./install - - # Install Debian man pages (upstream has none) - cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1" - ''; - - meta = with stdenv.lib; { - description = "Command-line tools for building TCP client-server applications"; - longDescription = '' - tcpserver waits for incoming connections and, for each connection, runs a - program of your choice. Your program receives environment variables - showing the local and remote host names, IP addresses, and port numbers. - - tcpserver offers a concurrency limit to protect you from running out of - processes and memory. When you are handling 40 (by default) simultaneous - connections, tcpserver smoothly defers acceptance of new connections. 
- - tcpserver also provides TCP access control features, similar to - tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules - are compiled into a hashed format with cdb, so it can easily deal with - thousands of different hosts. - - This package includes a recordio tool that monitors all the input and - output of a server. - - tcpclient makes a TCP connection and runs a program of your choice. It - sets up the same environment variables as tcpserver. - - This package includes several sample clients built on top of tcpclient: - who@, date@, finger@, http@, tcpcat, and mconnect. - - tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program - Interface, using the TCP protocol. UCSPI tools are available for several - different networks. - ''; - homepage = http://cr.yp.to/ucspi-tcp.html; - license = licenses.publicDomain; - platforms = platforms.linux; - maintainers = [ maintainers.bjornfor ]; - }; -} -- cgit v1.2.3 From cc0dfeda397e812a9e6db2f65f6ed0a5a4d67571 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:25:36 +0200 Subject: Reaktor/plugins: limit url-title length --- krebs/5pkgs/simple/Reaktor/plugins.nix | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/krebs/5pkgs/simple/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix index bcfcbf76b..f3b771190 100644 --- a/krebs/5pkgs/simple/Reaktor/plugins.nix +++ b/krebs/5pkgs/simple/Reaktor/plugins.nix 
@@ -120,11 +120,24 @@ rec { url-title = (buildSimpleReaktorPlugin "url-title" { pattern = "^.*(?Phttp[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; path = with pkgs; [ curl perl ]; - script = pkgs.writeDash "lambda-pl" '' - if [ "$#" -gt 0 ]; then - curl -SsL --max-time 5 "$1" | - perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' - fi + script = pkgs.writePython3 [ "beautifulsoup4" "lxml" ] "url-title" '' + import sys + import urllib.request + from bs4 import BeautifulSoup + + try: + soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1]), "lxml") + title = soup.find('title').string + + if title: + if len(title) > 512: + print('message to long, skipped') + elif len(title.split('\n')) > 5: + print('to many lines, skipped') + else: + print(title) + except: # noqa: E722 + pass ''; }); -- cgit v1.2.3 From 4fac738ed2092c8922b5126903bac3f258bf22f4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:35:35 +0200 Subject: l: add restic service --- lass/3modules/default.nix | 1 + lass/3modules/restic.nix | 119 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+) create mode 100644 lass/3modules/restic.nix diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 0c10e1ec2..5e7e6dff3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -8,6 +8,7 @@ _: ./mysql-backup.nix ./news.nix ./pyload.nix + ./restic.nix ./screenlock.nix ./umts.nix ./usershadow.nix diff --git a/lass/3modules/restic.nix b/lass/3modules/restic.nix new file mode 100644 index 000000000..c720793b1 --- /dev/null +++ b/lass/3modules/restic.nix 
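Review bot: The Python replacement drops the `--max-time 5` the curl version had, so `urllib.request.urlopen(sys.argv[1])` can hang the plugin indefinitely on a slow host, and the whole response is read into BeautifulSoup with no size cap before the 512-character title check. Use `with urllib.request.urlopen(sys.argv[1], timeout=5) as resp:` and `soup = BeautifulSoup(resp.read(1024 * 1024), "lxml")` so a posted URL can cost at most a few seconds and a bounded amount of memory. The bare `except:` with `pass` hides every failure, including the AttributeError from `soup.find('title')` returning None on pages without a title; catching `Exception` and writing it to stderr keeps the channel quiet while leaving a trace in the service log. The two messages should read `too long` and `too many`.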
@@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with import ; + +{ + options.lass.restic = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.str; + default = config._module.args.name; + }; + passwordFile = mkOption { + type = types.str; + default = toString ; + description = '' + read the repository password from a file. + ''; + example = "/etc/nixos/restic-password"; + + }; + repo = mkOption { + type = types.str; + default = "sftp:backup@prism.r:/backups/${config.name}"; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${config.name}"; + }; + dirs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + which directories to backup. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + description = '' + When to run the backup. See man systemd.timer for details. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra arguments to append to the restic command. + ''; + example = [ + "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp" + ]; + }; + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. 
+ ''; + }; + }; + })); + default = {}; + }; + + config = { + systemd.services = + mapAttrs' (_: plan: + let + extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments; + connectTo = elemAt (splitString ":" plan.repo) 1; + resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}"; + in nameValuePair "backup.${plan.name}" { + environment = { + RESTIC_PASSWORD_FILE = plan.passwordFile; + RESTIC_REPOSITORY = plan.repo; + }; + path = with pkgs; [ + openssh + ]; + restartIfChanged = false; + serviceConfig = { + ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" '' + #! ${pkgs.bash}/bin/bash + ${resticCmd} snapshots || ${resticCmd} init + ''); + ExecStart = pkgs.writeDash "rustic-${plan.name}" ( + "#! ${pkgs.bash}/bin/bash\n" + + concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs + ); + User = plan.user; + }; + } + ) config.lass.restic; + systemd.timers = + mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" { + wantedBy = [ "timers.target" ]; + timerConfig = plan.timerConfig; + }) config.lass.restic; + }; +} -- cgit v1.2.3 From ddb06a55426abe797b4ebad3165c4637c0b6975d Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:27:53 +0200 Subject: l mors.r: add btc price getter --- lass/1systems/mors/config.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cd259d0fe..dab1910b4 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix 
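Review bot: In the new module's ExecStart, `pkgs.writeDash` already supplies a dash shebang, so the `"#! ${pkgs.bash}/bin/bash\n"` prepended to the body becomes a comment on line two, and with no `set -e` the unit's exit status reflects only the last `restic backup` line; directories are also interpolated unquoted. Replace the prefix with `"set -efu\n"` and quote each path, `(dir: "${resticCmd} backup ${escapeShellArg dir}")`, assuming stockholm's lib re-exports nixpkgs' `escapeShellArg`. `connectTo` is computed in the `let` and never used. The `extraArguments` example is missing its closing single quote after `-s sftp`, and the generated scripts are named `rustic-…` while the option is `restic`.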
@@ -141,6 +141,15 @@ with import ; dnsutils generate-secrets + (pkgs.writeDashBin "btc-coinbase" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' + '') + (pkgs.writeDashBin "btc-wex" '' + ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' + '') + (pkgs.writeDashBin "btc-kraken" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' + '') ]; #TODO: fix this shit -- cgit v1.2.3 From b0678507404bba2c12df39c1d21431ddd9102fcb Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:28:39 +0200 Subject: l mors.r: add restic backups --- lass/1systems/mors/config.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index dab1910b4..c59494e4d 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -186,4 +186,34 @@ with import ; programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; virtualisation.docker.enable = true; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/lass/src" + "/home/lass/work" + "/home/lass/.gnupg" + "/home/lass/Maildir" + "/home/lass/stockholm" + "/home/lass/.password-store" + "/home/bitcoin" + "/home/bch" + ]; + passwordFile = (toString ) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/mors"; + #sshPrivateKey = config.krebs.build.host.ssh.privkey.path; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); } -- cgit v1.2.3 From e77030e772899bcc747568752cdb2a997a6972bf Mon Sep 17 00:00:00 2001 
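Review bot: All three `curl -Ss` invocations lack `--fail`, so an HTTP error or rate-limit page from the exchange is piped into jq, which prints `null` or a parse error while the wrapper's exit status is jq's rather than curl's. `curl -Ssf` makes the failure visible with a non-zero exit; `jq -r` would additionally strip the surrounding quotes if these scripts are meant to be consumed by other shell code. The enclosing package list starts outside the hunk.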
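Review bot: The `sftp.command` in `extraArguments` runs ssh from a root systemd unit (the module's `user` default) with no `-o UserKnownHostsFile`/`StrictHostKeyChecking` setting, so the first backup to each of the six `${dest}.r` hosts presumably fails on an unknown host key unless root's known_hosts is already populated by the krebs host definitions — worth confirming and, if not, pinning the retiolum host keys explicitly. Authenticating with the host's own ssh key (`config.krebs.build.host.ssh.privkey.path`) means that key now doubles as the backup identity on every destination; a comment such as `# backup@${dest} is authenticated with this host's own ssh key` would record that this is deliberate. The commented-out `#sshPrivateKey` line is dead and can go. The directory list includes `.gnupg`, `.password-store` and `/home/bitcoin`, so the per-destination `passwordFile` under the secrets path is what stands between a compromised backup host and that data; keep those six files out of anything that is not the secrets store.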
From: lassulus Date: Fri, 20 Apr 2018 23:30:19 +0200 Subject: l prism.r: use iptables for hackerfleet --- lass/1systems/prism/config.nix | 30 +++++++----------------------- 1 file changed, 7 insertions(+), 23 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c0e4620cc..e937db83a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -110,29 +110,13 @@ in { }; # TODO write function for proxy_pass (ssl/nonssl) - services.nginx.virtualHosts."hackerfleet.de" = { - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:80; - ''; - }; - services.nginx.virtualHosts."hackerfleet.de-s" = { - serverName = "hackerfleet.de"; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - } - ]; - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:443; - ''; - }; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; } { users.users.tv = { -- cgit v1.2.3 From c85c0f1b39aed212bb128c674f194f124a9454ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:31:08 +0200 Subject: l prism.r: fix deprecation warnings --- lass/1systems/prism/config.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index e937db83a..983604f8e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
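Review bot: The new `FORWARD` rule accepts everything destined for `192.168.122.92` and the `PREROUTING` rule DNATs every protocol and port for `46.4.114.243` to it, whereas the removed nginx vhosts only relayed ports 80 and 443 for `hackerfleet.de`; unless full exposure of the guest is intended, restrict both predicates, e.g. `predicate = "-d 46.4.114.243 -p tcp -m multiport --dports 80,443"` and `predicate = "-d 192.168.122.92 -p tcp -m multiport --dports 80,443"`. If every port is meant to be reachable, a comment above the rules saying so would stop the next reader from tightening it. The `# TODO write function for proxy_pass` comment left above the rules no longer refers to anything in this block, since no proxy_pass remains. Note also that `46.4.114.243` is only added to `et0` in the following commit, so this commit on its own presumably does not receive traffic for that address.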
@@ -8,11 +8,15 @@ in { imports = [ { - networking.interfaces.et0.ip4 = [ + networking.interfaces.et0.ipv4.addresses = [ { address = ip; prefixLength = 27; } + { + address = "46.4.114.243"; + prefixLength = 27; + } ]; networking.defaultGateway = "46.4.114.225"; networking.nameservers = [ -- cgit v1.2.3 From 1d37fba51e4f4fbb7fe7acccc11e2b2ac5dcc5b7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:33:09 +0200 Subject: l reaktor-coders: /j #panthermoderns --- lass/2configs/reaktor-coders.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 5fa1611ae..922cd79cb 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -4,7 +4,7 @@ with import ; { krebs.Reaktor.coders = { nickname = "Reaktor|lass"; - channels = [ "#coders" "#germany" ]; + channels = [ "#coders" "#germany" "#panthermoderns" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; -- cgit v1.2.3 From 824c19e81a5696018973be2d692fcd9f07f8ef10 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:33:26 +0200 Subject: l reaktor-coders: add google & blockchain command --- lass/2configs/reaktor-coders.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 922cd79cb..5a39f7115 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix 
@@ -87,6 +87,19 @@ with import ; exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 ''; }) + (buildSimpleReaktorPlugin "google" { + pattern = "^!g (?P.*)$$"; + script = pkgs.writeDash "google" '' + exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ + ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' + ''; + }) + (buildSimpleReaktorPlugin "blockchain" { + pattern = ".*[Bb]lockchain.*$$"; + script = pkgs.writeDash "blockchain" '' + exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline' + ''; + }) ]; }; } -- cgit v1.2.3 From 0521f960c8c93da7082722632309b533260781d5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:34:14 +0200 Subject: l syncthing: remove deprecated inotify --- lass/2configs/syncthing.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index cef43d1e6..17debf822 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,7 +3,6 @@ with import ; { services.syncthing = { enable = true; - useInotify = true; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} -- cgit v1.2.3 From 0164e142e3ce793cb98b237ba2384b3d88a3550c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:35:13 +0200 Subject: l websites: enableSSL -> onlySSL --- lass/2configs/websites/util.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 62055d0fd..441b7af90 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - enableSSL = true; + onlySSL = true; extraConfig = '' listen 80; listen [::]:80; @@ -34,7 +34,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; 
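Review bot: The `google` plugin passes the IRC-supplied query to ddgr as positional arguments via `"$@"`, so a message such as `!g --help` or `!g -j foo` is parsed as ddgr options rather than as a search term; terminating option parsing with `exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json -- "$@" | \` avoids that, assuming ddgr's argparse-style parser honours `--`. The `blockchain` plugin answers every line matching `.*[Bb]lockchain.*` with no rate limit visible here, so anyone can make the bot spam the channel by repeating the word; if Reaktor offers a per-plugin cooldown, it is worth enabling for this one. The plugin list these are appended to starts outside the hunk.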
@@ -148,7 +148,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; -- cgit v1.2.3 From 2647f93715f73495d2b5cc1537a4ff47de085e1a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Apr 2018 12:42:30 +0200 Subject: l: generate-secrets -> l-gen-secrets --- lass/5pkgs/generate-secrets/default.nix | 46 --------------------------------- lass/5pkgs/l-gen-secrets/default.nix | 46 +++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 46 deletions(-) delete mode 100644 lass/5pkgs/generate-secrets/default.nix create mode 100644 lass/5pkgs/l-gen-secrets/default.nix diff --git a/lass/5pkgs/generate-secrets/default.nix b/lass/5pkgs/generate-secrets/default.nix deleted file mode 100644 index 5a4afe7c5..000000000 --- a/lass/5pkgs/generate-secrets/default.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ pkgs }: -pkgs.writeDashBin "generate-secrets" '' - HOSTNAME="$1" - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) - HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null - - ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null - ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null - cat < $TMPDIR/hashedPasswords.nix - { - root = "$HASHED_PASSWORD"; - mainUser = "$HASHED_PASSWORD"; - } - EOF - - cd $TMPDIR - for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null - done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null - - cat <; - ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; - }; - EOF - - rm -rf $TMPDIR -'' - 
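Review bot: `onlySSL = true` still coexists with the manual `listen 80;` (and, in the first hunk of this file, `listen [::]:80;`) in `extraConfig`, so these vhosts keep serving the same content over plain HTTP with no redirect, exactly as the old `enableSSL` did — the rename fixes the deprecation warning but does not change that. If plain HTTP is deliberate, a comment such as `# plain HTTP on :80 is intentional; no redirect` next to the listen lines would make it explicit; otherwise `forceSSL = true` with the extra listen lines removed gives the redirect. The same pattern appears in the two earlier hunks of this file. The enclosing function body and the `extraConfig` string continue outside the hunk.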
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix new file mode 100644 index 000000000..4b25fbd4c --- /dev/null +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -0,0 +1,46 @@ +{ pkgs }: +pkgs.writeDashBin "l-gen-secrets" '' + HOSTNAME="$1" + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) + HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null + ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null + ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + cat < $TMPDIR/hashedPasswords.nix + { + root = "$HASHED_PASSWORD"; + mainUser = "$HASHED_PASSWORD"; + } + EOF + + cd $TMPDIR + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null + + cat <; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + }; + EOF + + rm -rf $TMPDIR +'' + -- cgit v1.2.3 From ee30fc920e0512d9d2359404051ba12efc3ee6f2 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 21 Apr 2018 12:53:32 +0200 Subject: onebutton.r: init --- krebs/1systems/onebutton/config.nix | 32 ++++++++++++++++++++++++++++++++ krebs/1systems/onebutton/source.nix | 11 +++++++++++ 2 files changed, 43 insertions(+) create mode 100644 krebs/1systems/onebutton/config.nix create mode 100644 krebs/1systems/onebutton/source.nix diff --git a/krebs/1systems/onebutton/config.nix b/krebs/1systems/onebutton/config.nix new file mode 100644 index 000000000..08a9d6423 --- /dev/null +++ b/krebs/1systems/onebutton/config.nix 
@@ -0,0 +1,32 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + + ]; + # NixOS wants to enable GRUB by default + boot.loader.grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + + # !!! If your board is a Raspberry Pi 1, select this: + boot.kernelPackages = pkgs.linuxPackages_rpi; + + nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ]; + nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ]; + + # !!! Needed for the virtual console to work on the RPi 3, as the default of 16M doesn't seem to be enough. + # boot.kernelParams = ["cma=32M"]; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/NIXOS_BOOT"; + fsType = "vfat"; + }; + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + }; + + swapDevices = [ { device = "/swapfile"; size = 1024; } ]; +} diff --git a/krebs/1systems/onebutton/source.nix b/krebs/1systems/onebutton/source.nix new file mode 100644 index 000000000..3ecaf9006 --- /dev/null +++ b/krebs/1systems/onebutton/source.nix @@ -0,0 +1,11 @@ +let + pkgs = import {}; +in import { + name = "onebutton"; + nixpkgs.file = pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "6c064e6b"; # only binary cache for unstable arm6 + sha256 = "0ssaaaaaaaaaaaawkgjk8c75mvhgn5z7g1dkb78r8vrih9428bb8"; + }; +} -- cgit v1.2.3 From 92f7e3e12bdaee3265f583f72e43972269268b1e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Apr 2018 13:02:48 +0200 Subject: generate-secrets: init --- krebs/5pkgs/simple/generate-secrets/default.nix | 46 +++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 krebs/5pkgs/simple/generate-secrets/default.nix diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix new file mode 100644 index 000000000..a800ff543 --- /dev/null 
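Review bot: The entry in `nix.binaryCachePublicKeys` ends with a stray `%` after the base64 (`...LFRW0=%`), which looks like a copied shell-prompt artifact; as written the key is not valid base64, so signatures from `nixos-arm.dezgeg.me` presumably will not verify and substitution from that cache fails or is rejected. Drop the `%` so the line reads `"nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0="`. The cache itself is referenced over plain `http://`, which is only acceptable because narinfo signatures are checked against that key — a short comment noting that the key, not the transport, is the trust anchor would help the next reader.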
+++ b/krebs/5pkgs/simple/generate-secrets/default.nix @@ -0,0 +1,46 @@ +{ pkgs }: +pkgs.writeDashBin "generate-secrets" '' + HOSTNAME="$1" + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) + HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null + ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null + ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + cat < $TMPDIR/hashedPasswords.nix + { + root = "$HASHED_PASSWORD"; + } + EOF + + cd $TMPDIR + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null + + cat <; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + }; + EOF + + rm -rf $TMPDIR +'' + -- cgit v1.2.3 From b08c606eabe87292e4dc792e7f6faa7d0b679d58 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Apr 2018 13:04:19 +0200 Subject: onebutton.r: init --- krebs/3modules/krebs/default.nix | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 1e626f0a0..a916c1873 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix 
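Review bot: The script writes an unencrypted ssh private key and the tinc RSA private key into `$TMPDIR` and only removes the directory on its last line, with no `set -e` and no trap, so any failing step (for example `brain insert` against a missing store) leaves the key material behind in the temp directory while the script still exits 0. Start the body with `set -eu` and register `trap 'rm -rf "$TMPDIR"' EXIT` right after `mktemp -d`, and quote `$TMPDIR` and `$x` in the `cat`/`brain` lines. `mktemp -d` creates the directory with mode 0700, so the keys are at least not world-readable while they exist. The heredoc delimiters appear garbled in this rendering (`cat <`), so the generated Nix snippet could not be checked here.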
@@ -91,6 +91,37 @@ in { ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp"; }; + onebutton = { + cores = 1; + owner = config.krebs.users.krebs; + nets = { + retiolum = { + ip4.addr = "10.243.0.101"; + ip6.addr = "42:0:0:0:0:0:0:101"; + aliases = [ + "onebutton.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA11w6votRExwE0ZEiQmPa + 9WGNsMfNAZEd14iHaHCZH7UPQEH+cH/T6isGPpaysindroMnqFe9mUf/cdYChb6N + aaFreApwGBQaJPUcdy4cfphrFpzmOClpOFuFbnV7ZvAk/wefBad3kUzsq/lK4HvB + 7nPKeOB9kljphLrkzuLL/h2yOenMpO2ZdvwxyWN8HKmUNgvpBQjIr+Hka6cgy7Gp + pBVFHfSnad/eHeEvq91O/bHxrAxzH5N5DVagPDpkbiWYGl+0XVGP/h0CApr15Ael + +j2pJYc0ZlaXIp4KmNRqbd/fLe52JLrWbnFX4rRuY/DhoMqK8kjECEZ7gLiNSpCC + KlnlJ2LXX9c+d79ubzl5yLAJ3d6T4IJqkbAWJDuCrj821M9ZDk/qZwerayhrrvkF + tMYkQoGSe8MvSOU0rTEoH5iSRwDC7M0XzUe4l8/yZLFyD4Prz/dq6coqANfk/tlE + DnH3vDu9lmFvYrLcd6yDWzFfI3mWDJoUa6AKKoScCOaCkRfIM4Aew0i73+h1nJLO + 59AAbZIkDYyWs53QniIG4EQteI9y/9j/628nPAVj68V5oIN76RDXfFHWDWq4DxmU + PpGVmoIKcKZmnl7RrDomRVpuGMdyQ+kCzIGH3XYe12v8Y5beHZBrd3OajgHZ/Tfp + jP873cT6h0hsGm9glgOYho8CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe "; + }; puyak = { ci = true; owner = config.krebs.users.krebs; -- cgit v1.2.3 From 70052cb8c9fedcda1ba8d5270afdf92bc1dd13ff Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Apr 2018 16:01:31 +0200 Subject: onebutton.r: make it work --- krebs/1systems/onebutton/config.nix | 1 + krebs/1systems/onebutton/source.nix | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/krebs/1systems/onebutton/config.nix b/krebs/1systems/onebutton/config.nix index 08a9d6423..19159c8fb 100644 --- a/krebs/1systems/onebutton/config.nix +++ b/krebs/1systems/onebutton/config.nix 
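Review bot: The `ssh.pubkey` string for `onebutton` carries a trailing space after the base64 (`...gPhIe "`); in an authorized_keys line that is probably harmless, but anything comparing the key textually (known_hosts generation, deduplication) will treat it as different from the key on the host. Trim it: `ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe";`. The surrounding hosts attribute set continues outside the hunk.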
@@ -29,4 +29,5 @@ }; swapDevices = [ { device = "/swapfile"; size = 1024; } ]; + services.openssh.enable = true; } diff --git a/krebs/1systems/onebutton/source.nix b/krebs/1systems/onebutton/source.nix index 3ecaf9006..8f25881c9 100644 --- a/krebs/1systems/onebutton/source.nix +++ b/krebs/1systems/onebutton/source.nix @@ -1,11 +1,16 @@ +with import ; let pkgs = import {}; -in import { - name = "onebutton"; - nixpkgs.file = pkgs.fetchFromGitHub { + nixpkgs = pkgs.fetchFromGitHub { owner = "nixos"; repo = "nixpkgs-channels"; rev = "6c064e6b"; # only binary cache for unstable arm6 - sha256 = "0ssaaaaaaaaaaaawkgjk8c75mvhgn5z7g1dkb78r8vrih9428bb8"; + sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; + }; +in import { + name = "onebutton"; + override.nixpkgs = mkForce { + file = toString nixpkgs; }; + } -- cgit v1.2.3 From 1501d9e3e6a96e80ed238431ec58b40eb7b1b552 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 21 Apr 2018 16:14:01 +0200 Subject: onebutton.r: minimal disk and default config --- krebs/1systems/onebutton/config.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/krebs/1systems/onebutton/config.nix b/krebs/1systems/onebutton/config.nix index 19159c8fb..c634d73ce 100644 --- a/krebs/1systems/onebutton/config.nix +++ b/krebs/1systems/onebutton/config.nix @@ -2,7 +2,18 @@ { imports = [ + + { # minimal disk usage + environment.noXlibs = true; + nix.gc.automatic = true; + nix.gc.dates = "03:10"; + programs.info.enable = false; + programs.man.enable = false; + services.journald.extraConfig = "SystemMaxUse=50M"; + services.nixosManual.enable = false; + } ]; + krebs.build.host = config.krebs.hosts.onebutton; # NixOS wants to enable GRUB by default boot.loader.grub.enable = false; # Enables the generation of /boot/extlinux/extlinux.conf -- cgit v1.2.3 From c99e8256b223761eb50cf5d6841ab64f989851c3 Mon Sep 17 00:00:00 2001 
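Review bot: `services.openssh.enable = true;` is added with no `passwordAuthentication`/`permitRootLogin` settings, so the daemon runs with the NixOS defaults, which at this point presumably still allow password logins; since the host's ssh key pair is registered in the krebs host list, `services.openssh.passwordAuthentication = false;` (and an explicit `permitRootLogin = "prohibit-password";` if root is the only account, as the generated `hashedPasswords.nix` suggests) would limit access to keys. If the password path is needed for the initial bring-up of the board, a comment next to the line saying so would explain the omission.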
From: lassulus Date: Sat, 21 Apr 2018 17:52:45 +0200 Subject: l monitoring: add example prometheus config --- lass/2configs/monitoring/node-exporter.nix | 13 ++ lass/2configs/monitoring/prometheus-server.nix | 179 +++++++++++++++++++++++++ 2 files changed, 192 insertions(+) create mode 100644 lass/2configs/monitoring/node-exporter.nix create mode 100644 lass/2configs/monitoring/prometheus-server.nix diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix new file mode 100644 index 000000000..8c27e90d4 --- /dev/null +++ b/lass/2configs/monitoring/node-exporter.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: +{ + networking.firewall.allowedTCPPorts = [ 9100 ]; + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; +} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix new file mode 100644 index 000000000..d56d7e552 --- /dev/null +++ b/lass/2configs/monitoring/prometheus-server.nix 
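Review bot: `networking.firewall.allowedTCPPorts = [ 9100 ];` opens the node exporter, which has no authentication of its own, on every interface of any host importing this file, so the full host metrics (including the enabled `systemd` collector's unit states) are readable by anyone who can reach the machine. Restrict it to the interface the Prometheus server scrapes over, e.g. `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 9100 ];`, or bind the exporter with `services.prometheus.exporters.node.listenAddress` to that address, or both. A comment naming the scraper that is expected to connect would also help whoever later tightens the firewall.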
@@ -0,0 +1,179 @@ +{ pkgs, lib, config, ... }: +{ + #networking = { + # firewall.allowedTCPPorts = [ + # 3000 # grafana + # 9090 # prometheus + # 9093 # alertmanager + # ]; + # useDHCP = true; + #}; + + services = { + prometheus = { + enable = true; + extraFlags = [ + "-storage.local.retention 8760h" + "-storage.local.series-file-shrink-ratio 0.3" + "-storage.local.memory-chunks 2097152" + "-storage.local.max-chunks-to-persist 1048576" + "-storage.local.index-cache-size.fingerprint-to-metric 2097152" + "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" + "-storage.local.index-cache-size.label-name-to-label-values 2097152" + "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" + ]; + alertmanagerURL = [ "http://localhost:9093" ]; + rules = [ + '' + ALERT node_down + IF up == 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Node is down.", + description = "{{$labels.alias}} has been down for more than 5 minutes." + } + ALERT node_systemd_service_failed + IF node_systemd_unit_state{state="failed"} == 1 + FOR 4m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", + description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." + } + ALERT node_filesystem_full_90percent + IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space soon.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." 
+ } + ALERT node_filesystem_full_in_4h + IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" + } + ALERT node_filedescriptors_full_in_3h + IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." 
+ } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + '' + ]; + scrapeConfigs = [ + { + job_name = "node"; + scrape_interval = "10s"; + static_configs = [ + { + targets = [ + "localhost:9100" + ]; + labels = { + alias = "prometheus.example.com"; + }; + } + ]; + } + ]; + alertmanager = { + enable = true; + listenAddress = "0.0.0.0"; + configuration = { + "global" = { + "smtp_smarthost" = "smtp.example.com:587"; + "smtp_from" = "alertmanager@example.com"; + }; + "route" = { + "group_by" = [ "alertname" "alias" ]; + "group_wait" = "30s"; + "group_interval" = "2m"; + "repeat_interval" = "4h"; + "receiver" = "team-admins"; + }; + "receivers" = [ + { + "name" = "team-admins"; + "email_configs" = [ + { + "to" = "devnull@example.com"; + "send_resolved" = true; + } + ]; + "webhook_configs" = [ + { + "url" = "https://example.com/pr