From 1d37fba51e4f4fbb7fe7acccc11e2b2ac5dcc5b7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:33:09 +0200 Subject: l reaktor-coders: /j #panthermoderns --- lass/2configs/reaktor-coders.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 5fa1611ae..922cd79cb 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -4,7 +4,7 @@ with import ; { krebs.Reaktor.coders = { nickname = "Reaktor|lass"; - channels = [ "#coders" "#germany" ]; + channels = [ "#coders" "#germany" "#panthermoderns" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; -- cgit v1.2.3 From 824c19e81a5696018973be2d692fcd9f07f8ef10 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:33:26 +0200 Subject: l reaktor-coders: add google & blockchain command --- lass/2configs/reaktor-coders.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 922cd79cb..5a39f7115 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -87,6 +87,19 @@ with import ; exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 ''; }) + (buildSimpleReaktorPlugin "google" { + pattern = "^!g (?P.*)$$"; + script = pkgs.writeDash "google" '' + exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ + ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' + ''; + }) + (buildSimpleReaktorPlugin "blockchain" { + pattern = ".*[Bb]lockchain.*$$"; + script = pkgs.writeDash "blockchain" '' + exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline' + ''; + }) ]; }; } -- cgit v1.2.3 From 0521f960c8c93da7082722632309b533260781d5 Mon Sep 17 00:00:00 2001 
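Review bot: In the new `google` plugin the captured IRC text is handed to ddgr via `"$@"` with no option terminator, so a query that begins with `-` is parsed by ddgr as a command-line option instead of a search term; `exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json -- "$@" | \` closes that off. The quoting itself is fine (no shell re-parsing), so this is about ddgr's own flags, not command injection. The pattern `^!g (?P.*)$$` appears to have lost its group name in this rendering (presumably `(?P<args>.*)`), worth confirming against the repository. The `blockchain` plugin matches any message mentioning the word and only echoes a fixed string, so nothing to raise there.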
From: lassulus Date: Fri, 20 Apr 2018 23:34:14 +0200 Subject: l syncthing: remove deprecated inotify --- lass/2configs/syncthing.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index cef43d1e6..17debf822 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,7 +3,6 @@ with import ; { services.syncthing = { enable = true; - useInotify = true; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} -- cgit v1.2.3 From 0164e142e3ce793cb98b237ba2384b3d88a3550c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:35:13 +0200 Subject: l websites: enableSSL -> onlySSL --- lass/2configs/websites/util.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 62055d0fd..441b7af90 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - enableSSL = true; + onlySSL = true; extraConfig = '' listen 80; listen [::]:80; @@ -34,7 +34,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; @@ -148,7 +148,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; -- cgit v1.2.3 From c99e8256b223761eb50cf5d6841ab64f989851c3 Mon Sep 17 00:00:00 2001 
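Review bot: The three util.nix hunks (`@@ -16`, `@@ -34`, `@@ -148`) switch each vhost to `onlySSL = true;`, yet every one of them still carries `listen 80;` / `listen [::]:80;` in its extraConfig; if those directives land in the same server block as the module's TLS listener, the vhost keeps serving the full site over plaintext and `onlySSL` does not reject anything. If the port-80 listeners are only kept for the ACME challenge, a comment saying so would help; if HTTPS-only is the intent, drop them or use `forceSSL = true;` so plain requests are redirected rather than answered. The enclosing serve* functions start outside each hunk.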
From: lassulus Date: Sat, 21 Apr 2018 17:52:45 +0200 Subject: l monitoring: add example prometheus config --- lass/2configs/monitoring/node-exporter.nix | 13 ++ lass/2configs/monitoring/prometheus-server.nix | 179 +++++++++++++++++++++++++ 2 files changed, 192 insertions(+) create mode 100644 lass/2configs/monitoring/node-exporter.nix create mode 100644 lass/2configs/monitoring/prometheus-server.nix (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix new file mode 100644 index 000000000..8c27e90d4 --- /dev/null +++ b/lass/2configs/monitoring/node-exporter.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: +{ + networking.firewall.allowedTCPPorts = [ 9100 ]; + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; +} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix new file mode 100644 index 000000000..d56d7e552 --- /dev/null +++ b/lass/2configs/monitoring/prometheus-server.nix 
@@ -0,0 +1,179 @@ +{ pkgs, lib, config, ... }: +{ + #networking = { + # firewall.allowedTCPPorts = [ + # 3000 # grafana + # 9090 # prometheus + # 9093 # alertmanager + # ]; + # useDHCP = true; + #}; + + services = { + prometheus = { + enable = true; + extraFlags = [ + "-storage.local.retention 8760h" + "-storage.local.series-file-shrink-ratio 0.3" + "-storage.local.memory-chunks 2097152" + "-storage.local.max-chunks-to-persist 1048576" + "-storage.local.index-cache-size.fingerprint-to-metric 2097152" + "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" + "-storage.local.index-cache-size.label-name-to-label-values 2097152" + "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" + ]; + alertmanagerURL = [ "http://localhost:9093" ]; + rules = [ + '' + ALERT node_down + IF up == 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Node is down.", + description = "{{$labels.alias}} has been down for more than 5 minutes." + } + ALERT node_systemd_service_failed + IF node_systemd_unit_state{state="failed"} == 1 + FOR 4m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", + description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." + } + ALERT node_filesystem_full_90percent + IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space soon.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." 
+ } + ALERT node_filesystem_full_in_4h + IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" + } + ALERT node_filedescriptors_full_in_3h + IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." 
+ } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + '' + ]; + scrapeConfigs = [ + { + job_name = "node"; + scrape_interval = "10s"; + static_configs = [ + { + targets = [ + "localhost:9100" + ]; + labels = { + alias = "prometheus.example.com"; + }; + } + ]; + } + ]; + alertmanager = { + enable = true; + listenAddress = "0.0.0.0"; + configuration = { + "global" = { + "smtp_smarthost" = "smtp.example.com:587"; + "smtp_from" = "alertmanager@example.com"; + }; + "route" = { + "group_by" = [ "alertname" "alias" ]; + "group_wait" = "30s"; + "group_interval" = "2m"; + "repeat_interval" = "4h"; + "receiver" = "team-admins"; + }; + "receivers" = [ + { + "name" = "team-admins"; + "email_configs" = [ + { + "to" = "devnull@example.com"; + "send_resolved" = true; + } + ]; + "webhook_configs" = [ + { + "url" = "https://example.com/prometheus-alerts"; + "send_resolved" = true; + } + ]; + } + ]; + }; + }; + }; + grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.example.com"; + rootUrl = "https://grafana.example.com/"; + security = import ; # { AdminUser = ""; adminPassword = ""} + }; + }; +} -- cgit v1.2.3 From eca81992947815db2700a831aa1ec38a0e70216b Mon Sep 17 00:00:00 2001 
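Review bot: `listenAddress = "0.0.0.0";` for alertmanager and `addr = "0.0.0.0";` for grafana bind on every interface while the `networking.firewall` block at the top of this new file is commented out, so reachability of the unauthenticated Alertmanager API (9093) and the Grafana login page (3000) rests entirely on whatever firewall the host applies elsewhere. Unless the ports are meant to be public, `listenAddress = "127.0.0.1";` and `addr = "127.0.0.1";` behind the existing nginx setup, or keeping the firewall entries active, would make the exposure explicit in this file. Separately, `security = import ;` has lost its import path in this rendering, and the `node_ram_using_90percent` block ends its ANNOTATIONS with a trailing comma after `description=…` that none of the other rules have — worth checking that the rule file still loads.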
From: lassulus Date: Fri, 27 Apr 2018 16:52:48 +0200 Subject: l: kill legacy backups --- lass/2configs/backups.nix | 173 ---------------------------------------------- lass/2configs/default.nix | 1 - 2 files changed, 174 deletions(-) delete mode 100644 lass/2configs/backups.nix (limited to 'lass/2configs') diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix deleted file mode 100644 index c4fb85420..000000000 --- a/lass/2configs/backups.nix +++ /dev/null 
@@ -1,173 +0,0 @@ -{ config, lib, ... }: -with import ; -{ - - # TODO add timerConfig to krebs.backup and randomize startup - # TODO define plans more abstract - krebs.backup.plans = { - } // mapAttrs (_: recursiveUpdate { - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; - }) { - dishfire-http-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; - startAt = "03:00"; - }; - dishfire-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; - startAt = "03:05"; - }; - dishfire-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-sql-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; - startAt = "03:15"; - }; - dishfire-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - dishfire-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; - startAt = "03:20"; - }; - dishfire-sql-shodan = { - method = "pull"; - src = { host 
= config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - prism-bitlbee-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-chat-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-chat-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; - startAt = "03:30"; - }; - prism-chat-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; - startAt = "03:40"; - }; - prism-sql-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host 
= config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - prism-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; - startAt = "03:50"; - }; - prism-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - icarus-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - icarus-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - mors-home-icarus = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - mors-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - shodan-home-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - shodan-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - }; -} 
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 5a5f1b347..d56f89c2f 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -9,7 +9,6 @@ with import ;
 ./monitoring/client.nix ./zsh.nix ./htop.nix
- ./backups.nix
 ./security-workarounds.nix { users.extraUsers =
-- cgit v1.2.3
From 72abe80227ec5de5c2f7a55f6e2fe3da46c14538 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 27 Apr 2018 16:55:43 +0200
Subject: l: config for backup target
---
 lass/2configs/backup.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 lass/2configs/backup.nix
(limited to 'lass/2configs')
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
index 000000000..27adf6d2a
--- /dev/null
+++ b/lass/2configs/backup.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+with import ;
+
+{
+ fileSystems = {
+ "/backups" = {
+ device = "/dev/pool/backup";
+ fsType = "ext4";
+ };
+ };
+ users.users.backup = {
+ useDefaultShell = true;
+ home = "/backups";
+ createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.hosts; [
+ mors.ssh.pubkey
+ prism.ssh.pubkey
+ ];
+ };
+}
-- cgit v1.2.3
From 2701bdd97f0f2ea8681b1d66670eb68ea0f11017 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 27 Apr 2018 19:34:36 +0200
Subject: l: use prometheus as monitoring
---
 lass/2configs/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lass/2configs')
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index d56f89c2f..12a814605 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -6,7 +6,7 @@ with import ;
 ./gc.nix ./mc.nix ./vim.nix
- ./monitoring/client.nix
+ ./monitoring/node-exporter.nix
 ./zsh.nix ./htop.nix ./security-workarounds.nix
-- cgit v1.2.3
From ba1a8d0b5a0296e6f8673bd87983bfd482085e2c Mon Sep 17 00:00:00 2001
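Review bot: The new `backup` account in backup.nix accepts the host keys of `mors` and `prism` with `useDefaultShell = true;` and no key options, so whoever holds either host's SSH key gets an interactive shell on the backup target and can read or delete the other host's data under `/backups`. Restricting each key with `restrict,command="…"` (a forced backup-receiver command) or giving the user a non-interactive shell limits a compromised source host to the backup operation itself, and per-host subdirectories or users would keep the two sources apart. Also `with import ;` has lost its import path in this rendering.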
From: lassulus Date: Fri, 27 Apr 2018 19:43:38 +0200 Subject: l: kill dns-stuff --- lass/2configs/baseX.nix | 1 - lass/2configs/dns-stuff.nix | 16 ---------------- 2 files changed, 17 deletions(-) delete mode 100644 lass/2configs/dns-stuff.nix (limited to 'lass/2configs') diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index ed179ded6..e2e44b6fc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,6 @@ in { ./power-action.nix ./copyq.nix ./livestream.nix - ./dns-stuff.nix ./urxvt.nix ./network-manager.nix { diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix deleted file mode 100644 index cbcce8df9..000000000 --- a/lass/2configs/dns-stuff.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: -with import ; -{ - services.dnscrypt-proxy = { - enable = true; - localAddress = "127.1.0.1"; - customResolver = { - address = config.krebs.hosts.gum.nets.internet.ip4.addr; - port = 15251; - name = "2.dnscrypt-cert.euer.krebsco.de"; - key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C"; - }; - }; - services.resolved.enable = true; - services.resolved.fallbackDns = [ "127.1.0.1" ]; -} -- cgit v1.2.3 From 102324c0d88a535f7518c97cb908da8d377a0bd8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 08:44:04 +0200 Subject: l bitcoin: remove ethereum --- lass/2configs/bitcoin.nix | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix index a405addfc..9f6fd3bf0 100644 --- a/lass/2configs/bitcoin.nix +++ b/lass/2configs/bitcoin.nix @@ -10,9 +10,6 @@ in { krebs.per-user.bitcoin.packages = [ pkgs.electrum ]; - krebs.per-user.ethereum.packages = [ - pkgs.go-ethereum - ]; users.extraUsers = { bch = { name = "bch"; 
@@ -28,13 +25,6 @@ in { useDefaultShell = true; createHome = true; }; - ethereum = { - name = "ethereum"; - description = "user for ethereum stuff"; - home = "/home/ethereum"; - useDefaultShell = true; - createHome = true; - }; }; security.sudo.extraConfig = '' ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL -- cgit v1.2.3 From 004b6a895ad7ee9f7bb8864f99f98c356d93a6f2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 09:10:40 +0200 Subject: l: add dev to docker group --- lass/2configs/dcso-dev.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix index ae1c7bc8d..b985b67b3 100644 --- a/lass/2configs/dcso-dev.nix +++ b/lass/2configs/dcso-dev.nix @@ -9,6 +9,7 @@ in { dev = { name = "dev"; uid = genid "dev"; + extraGroups = [ "docker" ]; description = "user for collaborative development"; home = "/home/dev"; useDefaultShell = true; -- cgit v1.2.3 From dabd9f0f02b44b048b6355184fa64612201db72d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 09:41:43 +0200 Subject: l monitoring: open ports --- lass/2configs/monitoring/node-exporter.nix | 6 ++++-- lass/2configs/monitoring/prometheus-server.nix | 6 ++++++ 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix index 8c27e90d4..561e3a25c 100644 --- a/lass/2configs/monitoring/node-exporter.nix +++ b/lass/2configs/monitoring/node-exporter.nix 
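Review bot: `extraGroups = [ "docker" ];` on the shared `dev` account ("user for collaborative development") is a root-equivalent grant — Docker's own documentation treats docker-group membership as equivalent to root on the host — so everyone who can log in as `dev` effectively has root. If that is intended, say so next to the line (`# docker group membership is root-equivalent on this host`); otherwise rootless Docker or per-person accounts with the group would keep the blast radius per user. The enclosing `users.extraUsers` attrset starts outside the hunk.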
@@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: { - networking.firewall.allowedTCPPorts = [ 9100 ]; - + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; } + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; } + ]; services.prometheus.exporters = { node = { enable = true; diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index d56d7e552..c5c97412d 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -9,6 +9,12 @@ # useDHCP = true; #}; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } + ]; + services = { prometheus = { enable = true; -- cgit v1.2.3 From a0862fa505ba8fb1d94c8bdac69a2077ba89bcdc Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 09:43:17 +0200 Subject: l monitoring: monitor more hosts --- lass/2configs/monitoring/prometheus-server.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index c5c97412d..92bb0519f 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix 
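Review bot: In the prometheus-server.nix hunk the new rules open 3000, 9090 and 9093 to every peer on `retiolum`, and neither Prometheus nor Alertmanager of this era carried built-in authentication, so any host on that network can read all collected metrics and create or expire silences; only Grafana on 3000 has a login in front of it. If just the operator's own hosts need access, mirror the `-s ${…ip4.addr}` / `-s ${…ip6.addr}` source restriction that the node-exporter hunk of this same commit already uses, or keep 9090/9093 on loopback and reach them through the nginx proxy. The `-i retiolum` match in both hunks only covers that interface, so reachability of these ports from other interfaces depends on the chain's default policy, which is not visible here.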
@@ -130,11 +130,10 @@ static_configs = [ { targets = [ - "localhost:9100" - ]; - labels = { - alias = "prometheus.example.com"; - }; + ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts)); + #labels = { + # alias = "prometheus.example.com"; + #}; } ]; } -- cgit v1.2.3 From da44ae1115af80bb71f38de20b7421d08e435ea7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 09:43:51 +0200 Subject: l monitoring: print alarms to irc --- lass/2configs/monitoring/prometheus-server.nix | 33 ++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index 92bb0519f..1f9419e1a 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -181,4 +181,37 @@ security = import ; # { AdminUser = ""; adminPassword = ""} }; }; + services.logstash = { + enable = true; + inputConfig = '' + http { + port => 14813 + host => "127.0.0.1" + } + ''; + filterConfig = '' + if ([alerts]) { + ruby { + code => ' + lines = [] + event["alerts"].each {|p| + lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}" + } + event["output"] = lines.join("\n") + ' + } + } + ''; + outputConfig = '' + file { path => "/tmp/logs.json" codec => "json_lines" } + irc { + channels => [ "#noise" ] + host => "irc.r" + nick => "alarm" + codec => "json_lines" + format => "%{output}" + } + ''; + #plugins = [ ]; + }; } -- cgit v1.2.3 From 1d1861fe7c3c2906a0deff9ae9598fa7ffe08c0d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 11:29:46 +0200 Subject: l notmuch: disable tests --- lass/2configs/mail.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 81db59617..2bb51b50a 100644 
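Review bot: In the logstash hunk, `file { path => "/tmp/logs.json" codec => "json_lines" }` writes every alert payload (instance names, summaries, states) into the world-writable `/tmp`, where any local user can read it and a pre-existing symlink at that path would redirect the write; a service-owned location such as `/var/lib/logstash/alerts.json` is safer, or drop the file output if it is only for debugging. Also nothing visible feeds the `http` input on `127.0.0.1:14813`: the alertmanager `webhook_configs` url earlier in this file still points at `https://example.com/prometheus-alerts`, so unless it is overridden elsewhere the IRC output never fires. The enclosing `services` attrset and the top-level module start outside the hunk.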
--- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -206,8 +206,11 @@ in { msmtp mutt pkgs.much - pkgs.notmuch tag-new-mails tag-old-mails ]; + + nixpkgs.config.packageOverrides = opkgs: { + notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); + }; } -- cgit v1.2.3 From 4190562d1233e40b3364c1bd812f2702a0748e49 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 16:12:10 +0200 Subject: l monitoring: delete legacy config --- lass/2configs/monitoring/client.nix | 26 --------- lass/2configs/monitoring/monit-alarms.nix | 44 ---------------- lass/2configs/monitoring/server.nix | 87 ------------------------------- 3 files changed, 157 deletions(-) delete mode 100644 lass/2configs/monitoring/client.nix delete mode 100644 lass/2configs/monitoring/monit-alarms.nix delete mode 100644 lass/2configs/monitoring/server.nix (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix deleted file mode 100644 index b8c245215..000000000 --- a/lass/2configs/monitoring/client.nix +++ /dev/null @@ -1,26 +0,0 @@ -{pkgs, config, ...}: -with import ; -{ - services.telegraf = { - enable = true; - - extraConfig = { - agent.interval = "1s"; - outputs = { - influxdb = { - urls = ["http://prism:8086"]; - database = "telegraf_db"; - user_agent = "telegraf"; - }; - }; - inputs = { - cpu = { - percpu = false; - totalcpu = true; - }; - mem = {}; - net = {}; - }; - }; - }; -} diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix deleted file mode 100644 index 2cfc292e5..000000000 --- a/lass/2configs/monitoring/monit-alarms.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{pkgs, config, ...}: -with import ; -let - echoToIrc = msg: - pkgs.writeDash "echo_irc" '' - set -euf - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null - ''; - -in { - krebs.monit = { - enable = true; - http.enable = true; - alarms = { - nirwanabluete = { - test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'"; - alarm = echoToIrc "test nirwanabluete failed"; - }; - ubik = { - test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'"; - alarm = echoToIrc "test ubik failed"; - }; - cac-panel = { - test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'"; - alarm = echoToIrc "test cac-panel failed"; - }; - radio = { - test = pkgs.writeBash "check_stream" '' - ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \ - | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \ - | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}" - ''; - alarm = echoToIrc "test radio failed"; - }; - }; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; } - ]; -} - diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix deleted file mode 100644 index adaecde2c..000000000 --- a/lass/2configs/monitoring/server.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{pkgs, config, ...}: -with import ; -{ - services.influxdb.enable = true; - - services.influxdb.extraConfig = { - meta.hostname = config.krebs.build.host.name; - # meta.logging-enabled = true; - http.bind-address = ":8086"; - admin.bind-address = ":8083"; - http.log-enabled = false; - monitoring = { - enabled = false; - # write-interval = "24h"; - }; - collectd = [{ - enabled = true; - typesdb = "${pkgs.collectd}/share/collectd/types.db"; - database = "collectd_db"; - port = 25826; - }]; - }; - - krebs.kapacitor = - let - db = "telegraf_db"; - echoToIrc = pkgs.writeDash "echo_irc" '' - set -euf - data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 prism-alarm \#noise "$data" >/dev/null - ''; - in { - enable = true; - alarms = { - cpu = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("usage_user") AS mean - FROM "${db}"."default"."cpu" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - data |deadman(1.0,5m) - .stateChangesOnly() - .exec('${echoToIrc}') - ''; - }; - ram = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("used_percent") AS mean - FROM "${db}"."default"."mem" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - ''; - }; - }; - }; - - services.grafana = { - enable = true; - addr = "0.0.0.0"; - auth.anonymous.enable = true; - security = import ; # { AdminUser = ""; adminPassword = ""} - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; } - { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; } - { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; } - ]; -} -- cgit v1.2.3 From 92c123397188ae6cf115197862e8d79015995356 Mon Sep 17 00:00:00 2001 
From: lassulus
Date: Sat, 28 Apr 2018 17:26:43 +0200
Subject: l prism.r: run go-shortener
---
 lass/2configs/go.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 lass/2configs/go.nix
(limited to 'lass/2configs')
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
new file mode 100644
index 000000000..ecf89b298
--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.go = {
+ enable = true;
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go.lassul.us;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
+ "go.lassul.us"
+ ];
+ };
+ };
+}
+
-- cgit v1.2.3
From b96f9d898a77bb5a735ad35d1bc1eeeea1833cae Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 28 Apr 2018 23:14:34 +0200
Subject: l websites: move servephpBB to util
---
 lass/2configs/websites/lassulus.nix | 55 -------------------------------------
 lass/2configs/websites/util.nix | 53 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 55 deletions(-)
(limited to 'lass/2configs')
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 25ca1f455..b9811221c 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
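Review bot: The `go` vhost in go.nix is plain HTTP only — unlike the other vhosts in this series it sets neither `enableACME` nor `forceSSL`/`onlySSL` — so short-link lookups and the redirect targets they resolve to travel in cleartext and can be altered in transit. If the redirector is meant to be public, `enableACME = true; forceSSL = true;` on the vhost brings it in line with util.nix; if it is deliberately internal-only, a comment saying so would prevent the question from recurring. Whether `krebs.go` itself listens only on `localhost:1337` is not visible here and determines whether the proxy is the sole entry point.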
@@ -6,61 +6,6 @@ let genid ; - servephpBB = domains: - let - domain = head domains; - - in { - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - serverAliases = domains; - extraConfig = '' - index index.php; - root /srv/http/${domain}/; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - client_max_body_size 100m; - ''; - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - ''; - #Directives to send expires headers and turn off 404 error logging. - locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' - access_log off; - log_not_found off; - expires max; - ''; - }; - services.phpfpm.poolConfigs."${domain}" = '' - listen = /srv/http/${domain}/phpfpm.pool - user = nginx - group = nginx - pm = dynamic - pm.max_children = 25 - pm.start_servers = 5 - pm.min_spare_servers = 3 - pm.max_spare_servers = 20 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - in { imports = [ ./default.nix diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 441b7af90..61b5543ce 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix 
@@ -28,6 +28,59 @@ rec { }; }; + servephpBB = domains: + let + domain = head domains; + + in { + services.nginx.virtualHosts."${domain}" = { + serverAliases = domains; + extraConfig = '' + index index.php; + root /srv/http/${domain}/; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; + ''; + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php?$args; + ''; + locations."~ \.php(?:$|/)".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + ''; + #Directives to send expires headers and turn off 404 error logging. + locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' + access_log off; + log_not_found off; + expires max; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 25 + pm.start_servers = 5 + pm.min_spare_servers = 3 + pm.max_spare_servers = 20 + listen.owner = nginx + listen.group = nginx + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + serveOwncloud = domains: let domain = head domains; -- cgit v1.2.3 From 1820b1753011eb42bb9be30011e6fbd11993b201 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 23:18:05 +0200 Subject: l: add red.r --- lass/2configs/websites/lassulus.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') 
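Review bot: The moved `servephpBB` dropped the `enableACME = true;` and `forceSSL = true;` lines that the copy removed from lassulus.nix in the previous hunk carried, so the vhost built here has no TLS configuration at all while its PHP location still asserts `fastcgi_param HTTPS on;`. Unless callers are meant to add the SSL settings themselves, restore the two lines directly after `services.nginx.virtualHosts."${domain}" = {`, matching how the other helpers in this file are configured. If the omission is intentional, a comment on the function saying so would stop the next reader from treating it as an oversight.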
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index b9811221c..53f1eea5c 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -10,7 +10,6 @@ in { imports = [ ./default.nix ../git.nix - (servephpBB [ "rote-allez-fraktion.de" ]) ]; security.acme = { -- cgit v1.2.3 From 74b52f1c3e1db674adab2a397def13dda495a66f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 23:20:53 +0200 Subject: l: add immoscout@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 4455d2761..e05ed2427 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -79,6 +79,7 @@ with import ; { from = "ovh@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } + { from = "immoscout@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } -- cgit v1.2.3 From 7240963fb9a0a98696cae7d9a0d9ba248eb51676 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 23:27:25 +0200 Subject: l git: add collaborators to public repos --- lass/2configs/git.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 1fe87c666..2e3c6290f 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -70,8 +70,8 @@ let import { inherit config lib pkgs; } ); - make-public-repo = name: { cgit ? {}, ... }: { - inherit cgit name; + make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: { + inherit cgit collaborators name; public = true; hooks = { post-receive = pkgs.git-hooks.irc-announce { -- cgit v1.2.3 From 867db7d464f101f0be77199b7178b5f110d79bf7 Mon Sep 17 00:00:00 2001 
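Review bot: `make-public-repo` now accepts `collaborators ? []` and passes it straight through via `inherit cgit collaborators name`, but nothing in the hunk says what a collaborator entry looks like or what rights it confers; the let-binding continues outside the hunk, where that is presumably decided. A short comment above the binding, such as `# collaborators: list of { name; pubkey; } granted access to this repo (see the perm rules below)`, would document the new parameter where it is introduced. I have inferred the `{ name; pubkey; }` shape from the nixos-aws entry added in the following commit, so confirm it against the permission rules before wording the comment.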
From: lassulus Date: Sat, 28 Apr 2018 23:27:51 +0200 Subject: l git: add nixos-aws --- lass/2configs/git.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 2e3c6290f..d18524cf5 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,6 +57,12 @@ let cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.section = "software"; }; + nixos-aws = { + collaborators = [ { + name = "fabio"; + pubkey = "ssh-rsa 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 ada"; + } ]; + }; } // mapAttrs make-public-repo-silent { }; -- cgit v1.2.3 From a7595f3ab19b8e94696fdca18c0b78cc605281b3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 May 2018 15:49:56 +0200 Subject: l gc: don't gc on containers --- lass/2configs/gc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index ad015180a..c5073e384 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import ; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; + automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer); }; } -- cgit v1.2.3 From 0f98216757cfeb3cfe318181fee0fc5c7b7f1c04 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 May 2018 16:04:21 +0200 Subject: l zsh: use recent LS_COLORS --- lass/2configs/zsh.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index aa3e6731d..76cac9f56 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix 
@@ -54,8 +54,8 @@ eval $(dircolors -b ${pkgs.fetchFromGitHub { owner = "trapd00r"; repo = "LS_COLORS"; - rev = "master"; - sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; + rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0"; + sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4"; }}/LS_COLORS) alias ls='ls --color' zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} -- cgit v1.2.3 From 37fa7bff9339799984554b8ccbacf1f07281d6ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 May 2018 16:04:48 +0200 Subject: l git: add krops repo --- lass/2configs/git.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index d18524cf5..43085ba5e 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -63,6 +63,10 @@ let pubkey = "ssh-rsa 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 ada"; } ]; }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; } // mapAttrs make-public-repo-silent { }; -- cgit v1.2.3 From ecc09522d9073386c91fc61838ca418489ab648f Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 May 2018 12:13:14 +0200 Subject: l cabal.r: use as AP --- lass/2configs/AP.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 lass/2configs/AP.nix (limited to 'lass/2configs') diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix new file mode 100644 index 000000000..5ce7cfff8 --- /dev/null +++ b/lass/2configs/AP.nix 
@@ -0,0 +1,77 @@ +{ config, pkgs, ... }: +with import ; +let + wifi = "wlp0s29u1u2"; +in { + boot.extraModulePackages = [ + pkgs.linuxPackages.rtl8814au + ]; + networking.networkmanager.unmanaged = [ wifi ]; + + systemd.services.hostapd = { + description = "hostapd wireless AP"; + path = [ pkgs.hostapd ]; + wantedBy = [ "network.target" ]; + + after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" '' + interface=${wifi} + hw_mode=a + channel=36 + ieee80211d=1 + country_code=DE + ieee80211n=1 + ieee80211ac=1 + wmm_enabled=1 + + # 5ghz + ssid=krebsing + auth_algs=1 + wpa=2 + wpa_key_mgmt=WPA-PSK + rsn_pairwise=CCMP + wpa_passphrase=aidsballz + ''}"; + Restart = "always"; + }; + }; + + networking.interfaces.${wifi}.ipv4.addresses = [ + { address = "10.99.0.1"; prefixLength = 24; } + ]; + services.dhcpd4 = { + enable = true; + interfaces = [ wifi ]; + extraConfig = '' + option subnet-mask 255.255.255.0; + option routers 10.99.0.1; + option domain-name-servers 1.1.1.1, 8.8.8.8; + subnet 10.99.0.0 netmask 255.255.255.0 { + range 10.99.0.100 10.99.0.200; + } + ''; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; } + { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; } + { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; + 
krebs.iptables.tables.nat.POSTROUTING.rules = [ + #TODO find out what this is about? + { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; } + + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } + ]; +} -- cgit v1.2.3 From 28d6704a0d617ca7d379b836ab9fdd4d6a0be868 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 May 2018 18:04:38 +0200 Subject: l monitoring: use correct logstash url --- lass/2configs/monitoring/prometheus-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index 1f9419e1a..e16d421a0 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -164,7 +164,7 @@ ]; "webhook_configs" = [ { - "url" = "https://example.com/prometheus-alerts"; + "url" = "http://127.0.0.1:14813/prometheus-alerts"; "send_resolved" = true; } ]; -- cgit v1.2.3 From 66b55d0a27327b5f0f6adf675a779f8d09e9c703 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 May 2018 18:33:11 +0200 Subject: l repo-sync: RIP web-routes-wai-custom --- lass/2configs/repo-sync.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index ad44c67e1..1cf22552c 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix 
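Review bot: The WPA2 pre-shared key is written literally on the `wpa_passphrase=` line inside `pkgs.writeText "hostapd.conf"`, so it lands in the world-readable Nix store and is readable by every local account on the host; the store path is also embedded in the unit's `ExecStart`. hostapd can take the key from a separate file via `wpa_psk_file=<path outside the store>` (placeholder), which lets the passphrase be removed from the derivation and the file kept root-only. Separately, the `#TODO find out what this is about?` above the two `RETURN` rules can be answered from the rules themselves: they exempt the local multicast range `224.0.0.0/24` and the limited broadcast address `255.255.255.255` from the `MASQUERADE` rules that follow, so `# don't masquerade multicast/broadcast traffic from the AP subnet` would replace the TODO.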
@@ -135,7 +135,6 @@ in { (sync-retiolum "populate") (sync-retiolum "stockholm") (sync-retiolum "wai-middleware-time") - (sync-retiolum "web-routes-wai-custom") (sync-retiolum "xmonad-stockholm") ]; } -- cgit v1.2.3 From c0f7f7bab5447ebf95f4873f7ff9679938ff6d27 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:56:26 +0200 Subject: l baseX: add dconf --- lass/2configs/baseX.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e2e44b6fc..809297655 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -74,6 +74,7 @@ in { gi git-preview gitAndTools.qgit + gnome3.dconf lm_sensors mpv-poll much -- cgit v1.2.3 From e8c4f7c0e40a1612731ad9f68ef7f5bb1ec7ce1c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:57:44 +0200 Subject: l websites utils: forceSSL --- lass/2configs/websites/util.nix | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 61b5543ce..a11e8e692 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,11 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - onlySSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; + forceSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -87,12 +83,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + forceSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; 
@@ -201,12 +194,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + forceSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - root /srv/http/${domain}/; index index.php; access_log /tmp/nginx_acc.log; -- cgit v1.2.3 From 8b1d1b8d913004951e0c2fd46c6b7d2a3c27148a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 19:35:28 +0200 Subject: l git: don't announce nixos-aws --- lass/2configs/git.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 43085ba5e..f9e326333 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,17 +57,17 @@ let cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.section = "software"; }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; + } // mapAttrs make-public-repo-silent { nixos-aws = { collaborators = [ { name = "fabio"; pubkey = "ssh-rsa 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 ada"; } ]; }; - krops = { - cgit.desc = "krebs deployment"; - cgit.section = "software"; - }; - } // mapAttrs make-public-repo-silent { }; restricted-repos = mapAttrs make-restricted-repo ( -- cgit v1.2.3 From 619131d246ead21ba001644be82686ce31138773 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 22:27:15 +0200 Subject: l git: add icarus to admin users --- lass/2configs/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index f9e326333..712a15342 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -121,7 +121,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-shodan ]; + user = [ lass lass-shodan lass-icarus ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ -- cgit v1.2.3 
From 91b1eec4162bf16ce3c4ae698cebd7236b968f9f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:04:59 +0200 Subject: l: set 32bit dri in games.nix --- lass/2configs/games.nix | 1 + lass/2configs/steam.nix | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 3ee3a98a5..81f53bf69 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -80,6 +80,7 @@ in { }; }; + hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.support32Bit = true; security.sudo.extraConfig = '' diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index 225ddd308..e1b523e3a 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -10,8 +10,6 @@ # source: https://nixos.org/wiki/Talk:Steam # ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - nixpkgs.config.steam.java = true; environment.systemPackages = with pkgs; [ steam -- cgit v1.2.3 From 9e95c2b2d12cf18fcda266cc3b69d685d288b77f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:05:49 +0200 Subject: l baseX: add thesauron --- lass/2configs/baseX.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 809297655..a387f2c5d 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -69,11 +69,12 @@ in { environment.systemPackages = with pkgs; [ acpi bank + cabal2nix dic dmenu gi - git-preview gitAndTools.qgit + git-preview gnome3.dconf lm_sensors mpv-poll @@ -87,19 +88,18 @@ in { rxvt_unicode_with-plugins slock sxiv - timewarrior taskwarrior termite + thesauron + timewarrior xclip + xephyrify xorg.xbacklight xorg.xhost xsel youtube-tools yt-next zathura - - cabal2nix - xephyrify ]; fonts.fonts = with pkgs; [ -- cgit v1.2.3 From aecf06a8bfa5e5d444bff6d5c4430250a2684d34 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 14 May 2018 22:06:50 +0200 Subject: l websites domsen: remove old, add new --- lass/2configs/websites/domsen.nix | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 7a72499c9..c75cc81fc 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -26,12 +26,7 @@ in { ./default.nix ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (servePage [ - "habsys.de" - "habsys.eu" - "www.habsys.de" - "www.habsys.eu" - ]) + (servePage [ "freemonkey.art" ]) (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ "ubikmedia.de" -- cgit v1.2.3 From cb41b35641eba3c0e88c87604072405ecc8fc5f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:09:50 +0200 Subject: l websites domsen: add akayguen --- lass/2configs/websites/domsen.nix | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index c75cc81fc..4e8361a17 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -115,6 +115,7 @@ in { { from = "jms@ubikmedia.eu"; to = "jms"; } { from = "ms@ubikmedia.eu"; to = "ms"; } { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } + { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -172,5 +173,12 @@ in { createHome = true; }; + users.users.akayguen = { + uid = genid_signed "akayguen"; + home = "/home/akayguen"; + useDefaultShell = true; + createHome = true; + }; + } -- cgit v1.2.3 From 3fc6ff613ff9a1c5e439d6061a2580271dcfc368 Mon Sep 17 00:00:00 2001 
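Review bot: The new alias line `{ from = "akayguen@freemonkey.art"; to ="akayguen"; }` is missing the space after `to =` that every neighbouring entry has; `to = "akayguen";` keeps the list uniform. In the second hunk, `users.users.akayguen` is created with `useDefaultShell = true`, i.e. an interactive login shell; if the account only exists to receive mail for that alias (I am inferring this from the alias), a non-login shell would narrow what the account can do, and a one-line comment on the user block stating its purpose would make the choice explicit either way.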
From: lassulus Date: Mon, 14 May 2018 22:15:54 +0200 Subject: l mails: add elitedangerous@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index e05ed2427..fe79ce82b 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -80,6 +80,7 @@ with import ; { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } { from = "immoscout@lassul.us"; to = lass.mail; } + { from = "elitedangerous@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } -- cgit v1.2.3 From efb7452a0c5f0d4109ae188dc6abda46a20e394c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:20:08 +0200 Subject: l websites util: make ssl optional again --- lass/2configs/websites/util.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index a11e8e692..816449c14 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -83,7 +83,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' # Add headers to serve security related headers @@ -194,7 +194,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' root /srv/http/${domain}/; -- cgit v1.2.3 From 2e7bcebfd07080db071f07c3ad8e42e136857c31 Mon Sep 17 00:00:00 2001 
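Review bot: Switching `serveOwncloud` (the `@@ -83` hunk) to `addSSL = true;` keeps port 80 serving content without a redirect, yet the same vhost's `extraConfig` still emits the `Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"` header visible in the earlier forceSSL commit for this block; HSTS is only honoured when received over HTTPS and the preload list requires an HTTP-to-HTTPS redirect, so the header and `addSSL` now contradict each other. Either keep `forceSSL = true;` for this helper or remove `preload` from the header, since its requirements are no longer met. The commit title says SSL is "optional again", but all three hunks hard-code `addSSL = true;` rather than exposing a parameter, so a comment stating that optional here means plain HTTP is still served would avoid confusion.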
From: lassulus Date: Wed, 16 May 2018 17:32:00 +0200 Subject: l container-networking: set ipv4.ip_forward --- lass/2configs/container-networking.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index 3dae3420d..98b56bd41 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: { #krebs.iptables.tables.filter.INPUT.rules = [ @@ -24,4 +24,5 @@ { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; } -- cgit v1.2.3 From 2ed1a763c8db130262394649a0cc0ca3eb6cf8f2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 20:19:57 +02