From fc627d0b999edb8bb7c58f2efa7dcbe1ccb83e7d Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2017 23:44:31 +0100 Subject: l 1 prism: remove obsolete nin stuff --- lass/1systems/prism.nix | 13 +------------ lass/2configs/buildbot-standalone.nix | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 12 deletions(-) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index d8980a10c..86c2c7416 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -227,6 +227,7 @@ in { }; } { + # Nin stuff users.users.nin = { uid = genid "nin"; inherit (config.krebs.users.nin) home; @@ -240,18 +241,6 @@ in { "libvirtd" ]; }; - krebs.git.rules = [ - { - user = [ config.krebs.users.nin ]; - repo = [ config.krebs.git.repos.stockholm ]; - perm = with git; push "refs/heads/nin" [ fast-forward non-fast-forward create delete merge ]; - } - ]; - krebs.repo-sync.repos.stockholm.nin = { - origin.url = "http://cgit.prism/stockholm"; - origin.ref = "heads/nin"; - mirror.url = "git@${config.networking.hostName}:stockholm"; - }; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; } ]; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 7057d0c3d..c9e2928b3 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -58,6 +58,11 @@ in { "NIX_REMOTE": "daemon", "dummy_secrets": "true", } + env_nin = { + "LOGNAME": "nin", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + } env_shared = { "LOGNAME": "shared", "NIX_REMOTE": "daemon", 
@@ -126,6 +131,18 @@ in { ] ) + for i in [ "hiawatha", "onondaga" ]: + addShell(f,name="build-{}".format(i),env=env_nin, + command=nixshell + \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ + test \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ + method=build \ + system={}".format(i) + ] + ) + bu.append( util.BuilderConfig( name="build-hosts", -- cgit v1.2.3 From b4537403f85417937f08fba04d01fc5fb23bc3a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2017 23:44:57 +0100 Subject: l 2 git: remove nin from announced branches --- lass/2configs/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index d7ec39f2d..bdd65ce09 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,7 +57,7 @@ let server = "ni.r"; verbose = config.krebs.build.host.name == "prism"; # TODO define branches in some kind of option per repo - branches = [ "master" "newest" "nin" ]; + branches = [ "master" "newest" ]; }; }; }; -- cgit v1.2.3 From 53015a63cb6fd3f20350c37a67e593e5c87cbc9c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2017 23:45:43 +0100 Subject: l 2 repo-sync: merge from onondaga --- lass/2configs/repo-sync.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass') diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index 765769936..b1a26b171 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -44,6 +44,10 @@ let origin.url = "http://cgit.ni.r/${name}"; mirror.url = "${mirror}${name}"; }; + nin = { + origin.url = "http://cgit.onondaga.r/${name}"; + mirror.url = "${mirror}${name}"; + }; lassulus = { origin.url = "http://cgit.prism/${name}"; mirror.url = "${mirror}${name}"; -- cgit v1.2.3 From c363534571075914bc4bdbab2988c809f3499300 Mon Sep 17 00:00:00 2001 
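Review bot: The added `build-{}` steps for hiawatha and onondaga populate a fixed path, `/tmp/testbuild/$LOGNAME`, inside a world-writable directory, so any other local account can create that directory before `mkdir -p` runs. A per-run directory avoids relying on who got there first, for example `d=$(mktemp -d) && touch "$d/.populate"` with `target=` pointing at `$d`. The enclosing builder definition starts and ends outside the hunk, so if the other users' loops use the same path the remark applies to them too. A one-line comment above the loop would also explain why a commit titled "remove obsolete nin stuff" adds a nin builder.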
From: lassulus Date: Thu, 26 Jan 2017 23:53:46 +0100 Subject: l 1 prism: I'm not proud of this commit --- lass/1systems/prism.nix | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 86c2c7416..386bcf812 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -316,16 +316,16 @@ in { script = pkgs.writePython2 "rup" '' #!${pkgs.python2}/bin/python t1 = """ - _. - ;=',_ () - 8===D~~ S" .--`|| - sS \__ || - __.' ( \-->|| - _=/ _./-\/ || - 8===D~~ ((\( /-' -'l || - ) |/ \\ (_)) - \\ \\ - '~ '~ + _. + ;=',_ () + 8===D~~ S" .--`|| + sS \__ || + __.' ( \-->|| + _=/ _./-\/ || + 8===D~~ ((\( /-' -'l || + ) |/ \\ (_)) + \\ \\ + '~ '~ """ print(t1) ''; -- cgit v1.2.3 From 97edec1f2dd9785d515fe99e031b38f8f379258a Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2017 23:59:54 +0100 Subject: l 2 fetchWallpaper: add maxTime of 10 secs --- lass/2configs/fetchWallpaper.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix index cf084ea8f..29f321994 100644 --- a/lass/2configs/fetchWallpaper.nix +++ b/lass/2configs/fetchWallpaper.nix @@ -7,6 +7,7 @@ in { enable = true; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; url = "prism/wallpaper.png"; + maxTime = 10; }; systemd.services.fetchWallpaper = { after = [ "xmonad.service" ]; -- cgit v1.2.3 From 0112e59b1f40097fb1fe4dcc239ed082cc1ac0e7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Jan 2017 18:36:53 +0100 Subject: l 3 kapacitor: add alert definition --- lass/3modules/kapacitor.nix | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'lass') diff --git a/lass/3modules/kapacitor.nix b/lass/3modules/kapacitor.nix index 8524c8198..a2ee71732 100644 --- a/lass/3modules/kapacitor.nix +++ b/lass/3modules/kapacitor.nix 
@@ -21,6 +21,14 @@ let type = types.str; default = "kapacitor"; }; + alarms = mkOption { + type = with types; attrsOf str; + default = {}; + }; + check_db = mkOption { + type = types.str; + default = "kapacitor_example"; + }; config = mkOption { type = types.str; #TODO: find a good default @@ -216,6 +224,29 @@ let ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${configFile}"; }; }; + + systemd.services.kapacitor-alarms = { + description = "kapacitor-alarms"; + after = [ "kapacitor.service" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.writeDash "add_alarms" '' + ${pkgs.kapacitor}/bin/kapacitor delete tasks \* + ${concatStrings (mapAttrsToList (name: alarm: '' + ${pkgs.kapacitor}/bin/kapacitor define ${name} \ + -type batch \ + -tick ${pkgs.writeText "${name}.tick" alarm} \ + -dbrp ${cfg.check_db}.default + ${pkgs.kapacitor}/bin/kapacitor enable ${name} + '') cfg.alarms)} + ''; + }; + }; + }; in out -- cgit v1.2.3 From 5d76418bcd977d815c0305c88ef611d16cddb7d4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:52:25 +0100 Subject: l 1 mors: cleanup --- lass/1systems/mors.nix | 192 +++++++++++++------------------------------------ 1 file changed, 50 insertions(+), 142 deletions(-) (limited to 'lass') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index dde867eb3..afe37e958 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -31,13 +31,6 @@ with import ; ]; } #{ - # services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = "/mysql_rootPassword"; - # }; - #} - #{ # services.elasticsearch = { # enable = true; # plugins = [ 
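Review bot: The `add_alarms` script in the new `kapacitor-alarms` unit has no error handling, so a failed `define` or `enable` still ends with a successful oneshot and the alert is silently missing. The unit is only ordered `after` kapacitor.service, which presumably does not guarantee the daemon is accepting requests when `delete tasks \*` runs. Starting the script with `set -euf`, as the `echo_irc` helper in monitoring/server.nix does, would make such a failure visible in the unit state. The attribute name is also spliced into the shell unquoted; `define ${escapeShellArg name} \` (if nixpkgs' lib is in scope here) keeps an odd alarm name from being word-split. Finally, `delete tasks \*` removes every task on the instance, including any defined by hand, which deserves a comment on the `alarms` option.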
@@ -83,140 +76,56 @@ with import ; { services.redis.enable = true; } - { - virtualisation.libvirtd.enable = true; - } - { - services.nginx = { - enable = mkDefault true; - virtualHosts = { - "stats.mors" = { - locations = { - "/" = { - proxyPass = "http://localhost:3000/"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - }; - }; - }; - }; - - services.grafana = { - enable = true; - addr = "127.0.0.1"; - users.allowSignUp = false; - users.allowOrgCreate = false; - users.autoAssignOrg = false; - auth.anonymous.enable = true; - security = import ; # { AdminUser = ""; adminPassword = ""} - }; - - services.graphite = { - api = { - enable = true; - listenAddress = "127.0.0.1"; - port = 18080; - }; - carbon = { - enableCache = true; - # save disk usage by restricting to 1 bulk update per second - config = '' - [cache] - MAX_CACHE_SIZE = inf - MAX_UPDATES_PER_SECOND = 1 - MAX_CREATES_PER_MINUTE = 500 - ''; - storageSchemas = '' - [carbon] - pattern = ^carbon\. - retentions = 60:90d - - [elchos] - patterhn = ^elchos\. 
- retentions = 10s:30d,60s:3y - - [default] - pattern = .* - retentions = 30s:30d,300s:1y - ''; - }; - }; - - services.collectd = { - enable = true; - include = [ (toString (pkgs.writeText "collectd-graphite-cfg" '' - LoadPlugin write_graphite - - - Host "localhost" - Port "2003" - EscapeCharacter "_" - StoreRates false - AlwaysAppendDS false - - - '')) - ]; - extraConfig = '' - LoadPlugin interface - LoadPlugin battery - LoadPlugin load - LoadPlugin cpu - LoadPlugin entropy - LoadPlugin write_graphite - - Interface "et0" - Interface "wl0" - Interface "retiolum" - - ''; - }; - services.graphite.beacon = { - enable = true; - config = { - graphite_url = "http://localhost:18080"; - cli = { - command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' ''; - }; - smtp = { - from = "beacon@mors.r"; - to = [ - "lass@mors.r" - ]; - }; - normal_handlers = [ - "smtp" - "cli" - ]; - warning_handlers = [ - "smtp" - "cli" - ]; - critical_handlers = [ - "smtp" - "cli" - ]; - alerts = [ - { - name = "testbattery"; - query = "*.battery-0.capacity"; - method = "last_value"; - interval = "1minute"; - logging = "info"; - repeat_interval = "5minute"; - rules = [ - "warning: < 30.0" - "critical: < 10.0" - ]; - } - ]; - }; - }; - } + #{ + # #gitit magic + # imports = [ ]; + # services.gitit = { + # enable = true; + # haskellPackages = pkgs.haskell.packages.ghc7103; + # }; + #} + #{ + # lass.icinga2 = { + # enable = true; + # configFiles = [ + # '' + # template Service "generic-service" { + # max_check_attempts = 3 + # check_interval = 5m + # retry_interval = 1m + # enable_perfdata = true + # } + # apply Service "ping4" { + # } + # '' + # ]; + # }; + # services.mysql = { + # enable = true; + # package = pkgs.mariadb; + # rootPassword = "/mysql_rootPassword"; + # }; + # lass.icingaweb2 = { + # enable = true; + # initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0"; + # resources = { + # icinga2db = { + # 
type = "mysql"; + # host = "localhost"; + # user = "icingaweb2"; + # db = "icinga"; + # passfile = ; + # }; + # icingaweb2db = { + # type = "mysql"; + # host = "localhost"; + # user = "icingaweb2"; + # db = "icingaweb2"; + # passfile = ; + # }; + # }; + # }; + #} ]; krebs.build.host = config.krebs.hosts.mors; @@ -229,7 +138,6 @@ with import ; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; }; fileSystems = { "/" = { -- cgit v1.2.3 From 6edbfeb6f5f048e5646b72b7bca241df3bdd9002 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:53:28 +0100 Subject: l 3 kapacitor: better defaults --- lass/3modules/kapacitor.nix | 117 +------------------------------------------- 1 file changed, 2 insertions(+), 115 deletions(-) (limited to 'lass') diff --git a/lass/3modules/kapacitor.nix b/lass/3modules/kapacitor.nix index a2ee71732..a1e82b830 100644 --- a/lass/3modules/kapacitor.nix +++ b/lass/3modules/kapacitor.nix @@ -27,7 +27,7 @@ let }; check_db = mkOption { type = types.str; - default = "kapacitor_example"; + default = "all_data"; }; config = mkOption { type = types.str; 
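Review bot: The commented-out icingaweb2 block added in this hunk carries a literal `initialRootPasswordHash` in `$1$` (MD5-crypt) format, which becomes part of the public history even though the code is disabled. If that hash ever corresponded to a password in use, the password should be treated as exposed and changed. I would replace the literal with a reference to the secrets tree, as the `passfile` entries just below it do, and add a comment such as `# hash lives in secrets, never inline`.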
@@ -82,115 +82,7 @@ let [logging] file = "STDERR" - level = "INFO" - - [collectd] - enabled = false - bind-address = ":25826" - database = "collectd" - retention-policy = "" - batch-size = 5000 - batch-pending = 10 - batch-timeout = "10s" - read-buffer = 0 - typesdb = "/usr/share/collectd/types.db" - - [opentsdb] - enabled = false - bind-address = ":4242" - database = "opentsdb" - retention-policy = "" - consistency-level = "one" - tls-enabled = false - certificate = "/etc/ssl/influxdb.pem" - batch-size = 1000 - batch-pending = 5 - batch-timeout = "1s" - log-point-errors = true - - [smtp] - enabled = false - host = "localhost" - port = 25 - username = "" - password = "" - no-verify = false - global = false - state-changes-only = false - from = "" - idle-timeout = "30s" - - [opsgenie] - enabled = false - api-key = "" - url = "https://api.opsgenie.com/v1/json/alert" - recovery_url = "https://api.opsgenie.com/v1/json/alert/note" - global = false - - [victorops] - enabled = false - api-key = "" - routing-key = "" - url = "https://alert.victorops.com/integrations/generic/20131114/alert" - global = false - - [pagerduty] - enabled = false - url = "https://events.pagerduty.com/generic/2010-04-15/create_event.json" - service-key = "" - global = false - - [sensu] - enabled = false - addr = "" - source = "Kapacitor" - - [slack] - enabled = false - url = "" - channel = "" - global = false - state-changes-only = false - - [telegram] - enabled = false - url = "https://api.telegram.org/bot" - token = "" - chat-id = "" - parse-mode = "" - disable-web-page-preview = false - disable-notification = false - global = false - state-changes-only = false - - [hipchat] - enabled = false - url = "" - token = "" - room = "" - global = false - state-changes-only = false - - [alerta] - enabled = false - url = "" - token = "" - environment = "" - origin = "" - - [reporting] - enabled = true - url = "https://usage.influxdata.com" - - [stats] - enabled = true - stats-interval = "10s" - database = 
"_kapacitor" - retention-policy = "autogen" - timing-sample-rate = 0.1 - timing-movavg-size = 1000 - - [udf] + level = "DEBUG" [deadman] interval = "10s" @@ -198,11 +90,6 @@ let id = "{{ .Group }}:NODE_NAME for task '{{ .TaskName }}'" message = "{{ .ID }} is {{ if eq .Level \"OK\" }}alive{{ else }}dead{{ end }}: {{ index .Fields \"emitted\" | printf \"%0.3f\" }} points/INTERVAL." global = false - - [talk] - enabled = false - url = "" - author_name = "" ''; description = "configuration kapacitor is started with"; }; -- cgit v1.2.3 From ece8aa5ab92e8e59eb9fcfbbb2d2d0380bd1a5a6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:54:44 +0100 Subject: l 2 hw tp-x220: remove broken sna acceleration --- lass/2configs/hw/tp-x220.nix | 7 ------- 1 file changed, 7 deletions(-) (limited to 'lass') diff --git a/lass/2configs/hw/tp-x220.nix b/lass/2configs/hw/tp-x220.nix index ec36fa96a..d551cd44e 100644 --- a/lass/2configs/hw/tp-x220.nix +++ b/lass/2configs/hw/tp-x220.nix @@ -47,12 +47,5 @@ with import ; pkgs.vaapiVdpau ]; - services.xserver = { - videoDriver = "intel"; - deviceSection = '' - Option "AccelMethod" "sna" - ''; - }; - security.rngd.enable = true; } -- cgit v1.2.3 From d9c5f0d8de9e49ac0b406412e781ed1390c6ece6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:55:30 +0100 Subject: l 1 prism: remove obsolete public_html --- lass/1systems/prism.nix | 14 -------------- 1 file changed, 14 deletions(-) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 386bcf812..b89fcf013 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
@@ -202,20 +202,6 @@ in { ]; }; } - { - services.nginx = { - enable = true; - virtualHosts.public = { - port = 8088; - locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' - alias /home/$1/public_html$2; - ''; - }; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; } - ]; - } { krebs.repo-sync.timerConfig = { OnCalendar = "*:0/5"; -- cgit v1.2.3 From 26b3298f774f95806af7b253edeb3624c32cc9a1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:55:46 +0100 Subject: l 2: remove deprecated MANPAGER declaration --- lass/2configs/default.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 911b7738a..38f70c2b5 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -98,7 +98,6 @@ with import ; # multiple-definition-problem when defining environment.variables.EDITOR environment.extraInit = '' EDITOR=vim - MANPAGER=most ''; nixpkgs.config.allowUnfree = true; -- cgit v1.2.3 From f0a345d79b0ab80d2e38baddba7f19e40241c79a Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:56:12 +0100 Subject: l 3 telegraf: split config into inputs/outputs --- lass/3modules/telegraf.nix | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to 'lass') diff --git a/lass/3modules/telegraf.nix b/lass/3modules/telegraf.nix index 64b323460..a54e71a9d 100644 --- a/lass/3modules/telegraf.nix +++ b/lass/3modules/telegraf.nix @@ -21,6 +21,26 @@ let type = types.str; default = "telegraf"; }; + outputs = mkOption { + type = types.str; + default = '' + [outputs.influxdb] + urls = ["http://localhost:8086"] + database = "all_data" + user_agent = "telegraf" + ''; + }; + inputs = mkOption { + type = with types; listOf str; + default = [ + '' + [cpu] + percpu = false + totalcpu = true + drop = ["cpu_time"] + '' + ]; + }; config = mkOption { type = types.str; #TODO: find a good default 
@@ -30,17 +50,10 @@ let [outputs] - # Configuration to send data to InfluxDB. - [outputs.influxdb] - urls = ["http://localhost:8086"] - database = "kapacitor_example" - user_agent = "telegraf" + ${cfg.outputs} + + ${concatStringsSep "\n" cfg.inputs} - # Collect metrics about cpu usage - [cpu] - percpu = false - totalcpu = true - drop = ["cpu_time"] ''; description = "configuration telegraf is started with"; }; -- cgit v1.2.3 From 1d2c058d78f9cb5d4a51dd2ffb1bfd4b09623055 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:56:43 +0100 Subject: l 2 monitoring: introduce {client,server}.nix --- lass/2configs/monitoring/client.nix | 32 ++++++++++++++++++++ lass/2configs/monitoring/server.nix | 59 +++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 lass/2configs/monitoring/client.nix create mode 100644 lass/2configs/monitoring/server.nix (limited to 'lass') diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix new file mode 100644 index 000000000..eebf2f2e9 --- /dev/null +++ b/lass/2configs/monitoring/client.nix @@ -0,0 +1,32 @@ +{pkgs, config, ...}: +with import ; +{ + lass.telegraf = { + enable = true; + outputs = '' + [outputs.influxdb] + urls = ["http://prism:8086"] + database = "all_data" + user_agent = "telegraf" + ''; + inputs = [ + '' + [cpu] + percpu = false + totalcpu = true + drop = ["cpu_time"] + '' + '' + [[inputs.mem]] + '' + '' + [[inputs.ping]] + urls = ["8.8.8.8"] + '' + ]; + }; + systemd.services.telegraf.path = with pkgs; [ + iputils + lm_sensors + ]; +} diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix new file mode 100644 index 000000000..335820bc7 --- /dev/null +++ b/lass/2configs/monitoring/server.nix 
@@ -0,0 +1,59 @@ +{pkgs, config, ...}: +with import ; +{ + services.influxdb = { + enable = true; + }; + + services.influxdb.extraConfig = { + meta.hostname = config.krebs.build.host.name; + # meta.logging-enabled = true; + http.bind-address = ":8086"; + admin.bind-address = ":8083"; + monitoring = { + enabled = false; + # write-interval = "24h"; + }; + }; + + lass.kapacitor = + let + echoToIrc = pkgs.writeDash "echo_irc" '' + set -euf + data="$(${pkgs.jq}/bin/jq -r .message)" + export LOGNAME=prism-alarm + ${pkgs.irc-announce}/bin/irc-announce \ + irc.freenode.org 6667 prism-alarm \#krebs-bots "$data" >/dev/null + ''; + in { + enable = true; + alarms = { + test2 = '' + batch + |query(${"'''"} + SELECT mean("usage_user") AS mean + FROM "${config.lass.kapacitor.check_db}"."default"."cpu" + ${"'''"}) + .every(3m) + .period(1m) + .groupBy('host') + |alert() + .crit(lambda: "mean" > 90) + // Whenever we get an alert write it to a file. + .log('/tmp/alerts.log') + .exec('${echoToIrc}') + ''; + }; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; } + { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; } + ]; + services.grafana = { + enable = true; + addr = "0.0.0.0"; + auth.anonymous.enable = true; + security = import ; # { AdminUser = ""; adminPassword = ""} + }; +} -- cgit v1.2.3 From d70028d9e788c6156ad674678734c546f1fcc246 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:58:39 +0100 Subject: l 1 prism: import monitoring server --- lass/1systems/prism.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index b89fcf013..839e52f81 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
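Review bot: In the new server.nix, Grafana binds `addr = "0.0.0.0"` with `auth.anonymous.enable = true`, and the `users.allowSignUp = false;` and `users.allowOrgCreate = false;` lines from the mors configuration removed earlier in this series are not carried over. The only remaining control is the `-i retiolum` INPUT rule. The same holds for InfluxDB on `:8086` and the admin UI on `:8083`, for which no authentication setting is visible. I would restore those two `users.*` lines, bind Grafana and InfluxDB to the retiolum address rather than all interfaces, and add a comment stating that the firewall rule is the access boundary. The alert handler also logs to a fixed `/tmp/alerts.log`; a path under the service's own state directory avoids depending on the contents of a shared directory.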
@@ -43,6 +43,7 @@ in { ../2configs/libvirt.nix ../2configs/hfos.nix ../2configs/makefu-sip.nix + ../2configs/monitoring/server.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.2.3 From 072a1adde199ac875d6a56a04f3948ae4f436663 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2017 22:58:54 +0100 Subject: l 2: enable monitoring on every host --- lass/2configs/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 38f70c2b5..d1810c00c 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -9,6 +9,7 @@ with import ; ../2configs/mc.nix ../2configs/nixpkgs.nix ../2configs/vim.nix + ../2configs/monitoring/client.nix ./backups.nix { users.extraUsers = -- cgit v1.2.3 From 9bc0b9d8a2b5139fb694f1415fe3ef798d0e9980 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 00:33:22 +0100 Subject: l 2 nixpkgs: 3909827 -> 5fff5a9 --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 27b7c2439..4a1b0379b 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "39098270855c171f0824c09d071b606ae991ff87"; + ref = "5fff5a902594b34471b613eb2babcec923e1e1f1"; }; } -- cgit v1.2.3 From 9d0b47c3d9ab03bef348262b58fa0839c5f7d399 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 15:28:46 +0100 Subject: l 2 websites domsen: add joemisch.com to ubikmedia --- lass/2configs/websites/domsen.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e79973a66..66fc681b1 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -66,6 +66,7 @@ in { "karlaskop.ubikmedia.de" "nb.ubikmedia.de" "youthtube.ubikmedia.de" + "joemisch.com" ]) ]; -- cgit v1.2.3 From 8f98fde52310f21e5aceafb5fd1dfe1707227739 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 16:57:42 +0100 Subject: l 2: add bepasty.nix --- lass/2configs/bepasty.nix | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 lass/2configs/bepasty.nix (limited to 'lass') diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix new file mode 100644 index 000000000..a3c6d0f28 --- /dev/null +++ b/lass/2configs/bepasty.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: +with import ; + +# secrets used: +# wildcard.krebsco.de.crt +# wildcard.krebsco.de.key +# bepasty-secret.nix <- contains single string + +with import ; +let + secKey = import ; + ext-dom = "paste.lassul.us" ; +in { + + services.nginx.enable = mkDefault true; + krebs.bepasty = { + enable = true; + serveNginx= true; + + servers = { + "paste.r" = { + nginx = { + serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + }; + defaultPermissions = "admin,list,create,read,delete"; + secretKey = secKey; + }; + + "${ext-dom}" = { + nginx = { + enableSSL = true; + forceSSL = true; + enableACME = true; + }; + defaultPermissions = "read"; + secretKey = secKey; + }; + }; + }; +} -- cgit v1.2.3 From 8f4ed1af13a6ef0533f36dc22117434aea22a764 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 16:57:56 +0100 Subject: l 1 prism: import bepasty.nix --- lass/1systems/prism.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 839e52f81..b92c8d900 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
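Review bot: In the new bepasty.nix, the `paste.r` server sets `defaultPermissions = "admin,list,create,read,delete"`, so every client that reaches that vhost is an administrator without logging in, and the file contains nothing that limits who can reach it. I would reduce the default to `defaultPermissions = "list,create,read";` and grant `admin` and `delete` through a login secret. Both servers also take the same `secKey`; since one is internet-facing and the other internal, a separate secret per server keeps a session issued by one from being valid on the other, should the module use the key for session signing. A header comment naming the intended audience of each vhost would help the next reader.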
@@ -44,6 +44,7 @@ in { ../2configs/hfos.nix ../2configs/makefu-sip.nix ../2configs/monitoring/server.nix + ../2configs/bepasty.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.2.3 From 904d75b482e78ec2386e2e9cca4751b2bcdb8106 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 16:58:11 +0100 Subject: l 2 tests dummy-secrets: add bepasty-secret.nix --- lass/2configs/tests/dummy-secrets/bepasty-secret.nix | 1 + 1 file changed, 1 insertion(+) create mode 100644 lass/2configs/tests/dummy-secrets/bepasty-secret.nix (limited to 'lass') diff --git a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix new file mode 100644 index 000000000..e16c76dff --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix @@ -0,0 +1 @@ +"" -- cgit v1.2.3 From dfa32223172e6d5324c3d186d4720461e684cd7f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2017 17:14:30 +0100 Subject: l 1 prism: protect bepasty from external ip --- lass/1systems/prism.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index b92c8d900..5fa86da4d 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -44,7 +44,16 @@ in { ../2configs/hfos.nix ../2configs/makefu-sip.nix ../2configs/monitoring/server.nix - ../2configs/bepasty.nix + { + imports = [ + ../2configs/bepasty.nix + ]; + krebs.bepasty.servers."paste.r".nginx.extraConfig = '' + if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { + return 403; + } + ''; + } { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.2.3 From 611c26439ebeec200f02d1344b6a668e64908fda Mon Sep 17 00:00:00 2001 
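Review bot: The guard added for `paste.r` compares `$server_addr` with the host's single public IPv4 address, so it only rejects requests that arrive on exactly that address. A request arriving on any other non-retiolum address (an IPv6 address, or a second IPv4 address) would still reach the vhost, which has admin default permissions. An allow-list on the client side fails closed instead: `allow <RETIOLUM_CIDR>; deny all;` (placeholder range, to be filled from the host's retiolum net definition), or a `listen` bound to the retiolum address only. If the `if` is kept, a comment should state that it depends on the host having exactly one external address.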
From: lassulus Date: Tue, 31 Jan 2017 17:30:25 +0100 Subject: l 2 tests dummy-secrets bepasty: fix assertion --- lass/2configs/tests/dummy-secrets/bepasty-secret.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix index e16c76dff..6e08144d0 100644 --- a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix +++ b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix @@ -1 +1 @@ -"" +"bla" -- cgit v1.2.3 From 698894853abba6e1730f10a64d35c2a01af96d99 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:21:34 +0100 Subject: l 1 mors: remove /mnt/public --- lass/1systems/mors.nix | 5 ----- 1 file changed, 5 deletions(-) (limited to 'lass') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index afe37e958..a5eaaed9d 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -174,11 +174,6 @@ with import ; fsType = "ext4"; }; - "/mnt/public" = { - device = "/dev/big/public"; - fsType = "ext4"; - }; - "/mnt/conf" = { device = "/dev/big/conf"; fsType = "ext4"; -- cgit v1.2.3 From 48dc0a6aa973f9c069b860bedaffdb4dd0583b08 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:21:49 +0100 Subject: l 1 prism: remvoe sed-plugin from #coders bot --- lass/1systems/prism.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 5fa86da4d..f9654ac4c 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -258,7 +258,6 @@ in { -XFlexibleInstances -XMultiParamTypeClasses \ -XOverloadedStrings -XFunctionalDependencies \''; in [ - sed-plugin url-title (buildSimpleReaktorPlugin "lambdabot-pl" { pattern = "^@pl (?P.*)$$"; -- cgit v1.2.3 From 93e79da6f929749a1b8c4735e38bd5ce8034a18b Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 3 Feb 2017 00:22:10 +0100 Subject: l 2 downloading: add icarus to authorized_keys --- lass/2configs/downloading.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 27b6d22d5..eb9575018 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -16,6 +16,7 @@ with import ; lass.pubkey lass-shodan.pubkey lass-helios.pubkey + lass-icarus.pubkey makefu.pubkey ]; }; -- cgit v1.2.3 From 561d4f7bf52a48eca4f4a88c32b4621e5ef3425e Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:23:00 +0100 Subject: l 2 monitoring server: add collectdb support --- lass/2configs/monitoring/server.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lass') diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix index 335820bc7..2e1c15ca1 100644 --- a/lass/2configs/monitoring/server.nix +++ b/lass/2configs/monitoring/server.nix @@ -14,6 +14,12 @@ with import ; enabled = false; # write-interval = "24h"; }; + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = "collectd_db"; + port = 25826; + }]; }; lass.kapacitor = @@ -49,6 +55,7 @@ with import ; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; } { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; } + { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; } ]; services.grafana = { enable = true; -- cgit v1.2.3 From 920cb3456045f7ec431de68a2613e478a7e30751 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:23:23 +0100 Subject: l 3 telegraf: set default db to `telegraf_db` --- lass/3modules/telegraf.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/3modules/telegraf.nix b/lass/3modules/telegraf.nix index a54e71a9d..6ef775090 100644 
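Review bot: The new `collectd` entry in `services.influxdb.extraConfig` sets `port = 25826;`, whereas the `[collectd]` section removed from the kapacitor defaults earlier in this series expresses the listener as `bind-address = ":25826"`. If InfluxDB does not recognise `port`, the listener only works because that happens to be the default, and it binds on every interface. I would write `bind-address = ":25826";` (or bind to the retiolum address) and confirm against the InfluxDB version in use. The added `-p udp -i retiolum --dport 25826` rule then stays the only exposure, which deserves a comment because the collectd input shown here has no authentication configured.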
--- a/lass/3modules/telegraf.nix +++ b/lass/3modules/telegraf.nix @@ -26,7 +26,7 @@ let default = '' [outputs.influxdb] urls = ["http://localhost:8086"] - database = "all_data" + database = "telegraf_db" user_agent = "telegraf" ''; }; -- cgit v1.2.3 From 7d9bd2024826928c028d63b6448f126966e6552c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:23:59 +0100 Subject: l 3 telegraf: add interval option --- lass/3modules/telegraf.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/3modules/telegraf.nix b/lass/3modules/telegraf.nix index 6ef775090..0b3be2d69 100644 --- a/lass/3modules/telegraf.nix +++ b/lass/3modules/telegraf.nix @@ -41,12 +41,16 @@ let '' ]; }; + interval = mkOption { + type = types.str; + default = "10s"; + }; config = mkOption { type = types.str; #TODO: find a good default default = '' [agent] - interval = "1s" + interval = "${cfg.interval}" [outputs] -- cgit v1.2.3 From 10b97adc5fb76d7558280f865381f61662cc19c4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Feb 2017 00:24:21 +0100 Subject: l 2 monitoring client: add more telegraf defaults --- lass/2configs/monitoring/client.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix index eebf2f2e9..fc2c2ff40 100644 --- a/lass/2configs/monitoring/client.nix +++ b/lass/2configs/monitoring/client.nix @@ -3,10 +3,13 @@ with import ; { lass.telegraf = { enable = true; + interval = "1s"; + + outputs = '' [outputs.influxdb] urls = ["http://prism:8086"] - database = "all_data" + database = "telegraf_db" user_agent = "telegraf" ''; inputs = [ -- cgit v1.2.3 From 8daef993dcb6149a02c72a4895d6e808a6c6a8d4 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 3 Feb 2017 00:24:39 +0100 Subject: l 2 monitoring client: add collectd config --- lass/2configs/monitoring/client.nix | 59 +++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) (limited to 'lass') diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix index fc2c2ff40..e879d6960 100644 --- a/lass/2configs/monitoring/client.nix +++ b/lass/2configs/monitoring/client.nix @@ -26,10 +26,69 @@ with import ; [[inputs.ping]] urls = ["8.8.8.8"] '' + '' + [[inputs.net]] + '' + '' + [[inputs.dns_query]] + servers = ["8.8.8.8"] + '' ]; }; systemd.services.telegraf.path = with pkgs; [ iputils lm_sensors ]; + + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + Interval 30.0 + + LoadPlugin interface + + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + + + LoadPlugin df + + MountPoint "/nix/store" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + + + LoadPlugin cpu + + ReportByCpu true + ReportByState true + ValuesPercentage true + + + LoadPlugin network + + Server "prism" "25826" + + ''; + }; } -- cgit v1.2.3
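Review bot: The collectd `network` plugin added at the end of `extraConfig` sends to `prism` on 25826 with no `SecurityLevel`, so packets are neither signed nor encrypted and the server cannot tell which host produced them. Any peer allowed through the retiolum rule can therefore submit values under another host's `Hostname`, which matters once alerts are derived from this data. collectd supports `SecurityLevel "Sign"` with `Username`/`Password` in the `Server` block; the password should come from the secrets tree rather than being inlined into the store. Separately, the `ping` and `dns_query` inputs make every host contact 8.8.8.8 on each telegraf interval (set to `1s` in this file), which should be documented or pointed at an internal resolver.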