Diffstat (limited to 'makefu')
26 files changed, 437 insertions, 393 deletions
| diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix new file mode 100644 index 000000000..1eac141dc --- /dev/null +++ b/makefu/1systems/fileleech.nix 
@@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +let +  toMapper = id: "/media/crypt${builtins.toString id}"; +  byid = dev: "/dev/disk/by-id/" + dev; +  keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; +  rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; +  rootPartition = rootDisk + "-part3"; + +	dataDisks =  let +		idpart = dev: byid  dev + "-part1"; +	in [ +		{ name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} +	  {	name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";} +	  {	name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";} +	  {	name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";} +	  {	name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";} +	  {	name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";} +	  {	name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";} +	  {	name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity +	]; + +  disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks; +in { +    imports = [ +      ../. +      ../2configs/tinc/retiolum.nix +      ../2configs/disable_v6.nix +      ../2configs/torrent.nix +      ../2configs/fs/sda-crypto-root.nix + +      ../2configs/elchos/irc-token.nix +      ../2configs/elchos/log.nix +      ../2configs/elchos/search.nix +      ../2configs/elchos/stats.nix + +    ]; +  makefu.server.primary-itf = "enp8s0f0"; +  krebs = { +      enable = true; +      build.host = config.krebs.hosts.fileleech; +  }; +	# git clone https://github.com/makefu/docker-pyload +	# docker build . 
+  # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload + +  virtualisation.docker.enable = true; # for pyload +  networking.firewall.allowedTCPPorts =  [ +    51412 # torrent +    8112  # rutorrent-web +    8113  # pyload +    8080  # sabnzbd +    9090  # sabnzbd-ssl +    655   # tinc +  ]; +  networking.firewall.allowedUDPPorts = [ +    655 # tinc +    51412 # torrent +  ]; + +  services.sabnzbd.enable = true; +  systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + +  boot.initrd.luks = { +    devices = let +      usbkey = name: device: { +        inherit name device keyFile; +        keyFileSize = 4096; +        allowDiscards = true; +      }; +    in builtins.map (x: usbkey x.name x.device) disks; +  }; +  environment.systemPackages = with pkgs;[ mergerfs ]; + +  fileSystems = let +    cryptMount = name: +      { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; +  in  cryptMount "crypt0" +		// cryptMount "crypt1" +		// cryptMount "crypt2" +		// cryptMount "crypt3" +		// cryptMount "crypt4" +		// cryptMount "crypt5" +		// cryptMount "crypt6" +		// cryptMount "crypt7" + +    # this entry sometimes creates issues +    // { "/media/cryptX" = { +          device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]); +          fsType = "mergerfs"; +          noCheck = true; +          options = [ "defaults" "nofail" "allow_other" "nonempty" ]; }; +        } + +    ; +  makefu.snapraid = { +    enable = true; +    disks = map toMapper [ 0 1 2 3 4 5 6 ]; +    parity = toMapper 7; +  }; + +  boot.loader.grub.device = rootDisk; + +  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ]; +  boot.kernelModules = [ "kvm-intel" ]; +  boot.extraModulePackages = [ ]; + +  # 
http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html +  boot.extraModprobeConfig = '' +    options ixgbe allow_unsupported_sfp=1 +  ''; +} diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index e8a368fa2..e7761a642 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -15,6 +15,7 @@ in {        ../2configs/git/cgit-retiolum.nix        # ../2configs/mattermost-docker.nix        ../2configs/nginx/euer.test.nix +      ../2configs/nginx/public_html.nix        ../2configs/nginx/update.connector.one.nix        ../2configs/deployment/mycube.connector.one.nix @@ -31,7 +32,9 @@ in {    ];    services.smartd.devices = [ { device = "/dev/sda";} ]; +    ###### stable +  services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];    krebs.build.host = config.krebs.hosts.gum;    krebs.tinc.retiolum = {      extraConfig = '' @@ -48,10 +51,6 @@ in {    makefu.taskserver.enable = true; -  krebs.nginx.servers.cgit = { -    server-names = [ "cgit.euer.krebsco.de" ]; -    listen = [ "${external-ip}:80" "${internal-ip}:80" ]; -  };    # access    users.users = { @@ -76,9 +75,8 @@ in {    services.udev.extraRules = ''      SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0"    ''; -  boot.kernelParams = [ "ipv6.disable=1" ]; +  boot.kernelParams = [ ];    networking = { -    enableIPv6 = false;      firewall = {          allowPing = true;          logRefusedConnections = false; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 4fbbd653d..609d52134 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix 
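Review bot: The firewall comments in fileleech.nix contradict the pyload command quoted a few lines above them: the list says `8112  # rutorrent-web` and `8113  # pyload`, while the docker line publishes pyload as `-p 8112:8000`. One of the two is wrong and should be fixed so the port list documents what is actually exposed; note also that ports Docker publishes are inserted into iptables by the daemon itself and are reachable regardless of `networking.firewall.allowedTCPPorts`, so this list does not gate pyload at all. The web UIs opened on 8080, 9090, 8112 and 8113 are allowed from every source; if they are only meant for the tinc network, restricting them to that interface or fronting them with authentication would be the safer default. The hunk covers the whole new file.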
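Review bot: The new `services.nginx.virtualHosts.cgit.serverAliases` line replaces a `krebs.nginx.servers.cgit` block that bound cgit to `${external-ip}:80` and `${internal-ip}:80`, but it carries no `listen`, so the vhost presumably now answers on every address — and the last hunk of this file re-enables IPv6 (`boot.kernelParams = [ ];`, `enableIPv6 = false` dropped), so that includes v6 addresses the old explicit listen never covered. If the address restriction was intentional, add a matching `listen` to the virtualHost; if cgit is meant to be public, a one-line comment saying so would save the next reader from wondering. The enclosing attribute set starts and ends outside the hunk.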
@@ -48,12 +48,16 @@ in {        ../2configs/exim-retiolum.nix        ../2configs/smart-monitor.nix        ../2configs/mail-client.nix -      ../2configs/disable_v6.nix +      # ../2configs/disable_v6.nix        #../2configs/graphite-standalone.nix        #../2configs/share-user-sftp.nix        ../2configs/omo-share.nix        ../2configs/tinc/retiolum.nix -      ../2configs/torrent.nix +      # ../2configs/torrent.nix + +      # ../2configs/elchos/search.nix +      # ../2configs/elchos/log.nix +      # ../2configs/elchos/irc-token.nix        ## as long as pyload is not in nixpkgs:        # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload @@ -121,7 +125,8 @@ in {      // { "/media/cryptX" = {              device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);              fsType = "mergerfs"; -            options = [ "defaults" "allow_other" ]; +            noCheck = true; +            options = [ "defaults" "allow_other" "nofail" "nonempty" ];            };         }; diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 17e81f793..81ee37bbe 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -13,7 +13,7 @@ in {        ../2configs/fs/CAC-CentOS-7-64bit.nix        ../2configs/save-diskspace.nix -      ../2configs/bepasty-dual.nix +      # ../2configs/bepasty-dual.nix        ../2configs/iodined.nix        ../2configs/backup.nix @@ -21,9 +21,7 @@ in {        # other nginx        ../2configs/nginx/euer.wiki.nix        ../2configs/nginx/euer.blog.nix -      ../2configs/nginx/euer.test.nix - -      #../2configs/elchos/stats.nix +      # ../2configs/nginx/euer.test.nix        # collectd        # ../2configs/collectd/collectd-base.nix 
@@ -52,7 +50,7 @@ in {    krebs.bepasty.servers.external.nginx.listen  = [ "${external-ip}:80" "${external-ip}:443 ssl" ];    # prepare graphs -  krebs.nginx.enable = true; +  services.nginx.enable = true;    krebs.retiolum-bootstrap.enable = true;    krebs.tinc_graphs = { @@ -61,12 +59,17 @@ in {        enable = true;        # TODO: remove hard-coded hostname        complete = { -        listen = [ "${internal-ip}:80" ]; -        server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; +        extraConfig = '' +          if ( $server_addr = "${external-ip}" ) { +            return 403; +          } +        ''; +        serverAliases = [  "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];        };        anonymous = { -        listen = [ "${external-ip}:80" ] ; -        server-names = [ "graphs.krebsco.de" ]; +        enableSSL = true; +        forceSSL = true; +        enableACME = true;        };      };    }; diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index a6be04876..936aaf004 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix 
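Review bot: `serverAliases` in the `complete` host lists `"graphs.retiolum"` twice, which nginx reports as a conflicting server name and ignores; drop the duplicate: `serverAliases = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ];`. The access control for the complete graphs also changed shape: the old `listen = [ "${internal-ip}:80" ]` never bound the socket externally, whereas the new `if ( $server_addr = "${external-ip}" ) { return 403; }` only rejects requests that arrive on that single address, so any other externally reachable address on the host (a second v4 address, or v6) would serve the complete graphs. Keeping a `listen` restriction on the internal address, or an `allow`/`deny` rule on client source ranges in `extraConfig`, expresses the intent more robustly than matching one server address. The `krebs.tinc_graphs` block continues outside the hunk.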
@@ -20,54 +20,29 @@ let    ext-dom = "paste.krebsco.de" ;  in { -  krebs.nginx.enable = mkDefault true; +  services.nginx.enable = mkDefault true;    krebs.bepasty = {      enable = true;      serveNginx= true;      servers = { -      internal = { +      "paste.r" = {          nginx = { -          server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; +          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];          };          defaultPermissions = "admin,list,create,read,delete";          secretKey = secKey;        }; -      external = { +      "${ext-dom}" = {          nginx = { -          server-names = [ ext-dom ]; -          ssl = { -            enable = true; -            certificate = "${acmepath}/${ext-dom}/fullchain.pem"; -            certificate_key = "${acmepath}/${ext-dom}/key.pem"; -            # these certs will be needed if acme has not yet created certificates: -            #certificate =   "${sec}/wildcard.krebsco.de.crt"; -            #certificate_key = "${sec}/wildcard.krebsco.de.key"; -            ciphers = "RC4:HIGH:!aNULL:!MD5" ; -            force_encryption = true; -          }; -          locations = singleton ( nameValuePair  "/.well-known/acme-challenge" '' -            root ${acmechall}/${ext-dom}/; -          ''); -          extraConfig = '' -          ssl_session_cache    shared:SSL:1m; -          ssl_session_timeout  10m; -          ssl_verify_client off; -          proxy_ssl_session_reuse off; -          ''; +          enableSSL = true; +          forceSSL = true; +          enableACME = true;          };          defaultPermissions = "read";          secretKey = secKey;        };      };    }; -  security.acme.certs."${ext-dom}" = { -    email = "acme@syntax-fehler.de"; -    webroot = "${acmechall}/${ext-dom}/"; -    group = "nginx"; -    allowKeysForGroup = true; -    postRun = "systemctl reload nginx.service"; -    extraDomains."${ext-dom}" = null ; -  };  } 
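Review bot: The `"paste.r"` server grants `defaultPermissions = "admin,list,create,read,delete"` over plain HTTP and is selected only by the Host header (`paste.r`, `paste.retiolum`, `paste.${config.krebs.build.host.name}`), while the `"${ext-dom}"` server is read-only and TLS-only; with nginx listening on every address, whether a request reaches the admin server depends solely on the name the client presents, not on the network it comes from. If the `nginx` attribute passes through to `services.nginx.virtualHosts`, as the `enableACME`/`forceSSL` keys suggest, pin the admin instance to the internal side with a `listen` on that address or an `allow`/`deny` rule in its `extraConfig`, and add a comment stating that `paste.r` is trusted-network-only. Replacing the RC4 cipher string and the hand-managed ACME paths with `enableACME`/`forceSSL` is a clear improvement. The `let` block binding `ext-dom` starts outside the hunk.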
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 9a2adbc3e..9e3f3eb61 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -22,7 +22,7 @@ with import <stockholm/lib>;        user = config.krebs.users.makefu;        source = let            inherit (config.krebs.build) host user; -          ref = "f52eaf4"; # stable @ 2016-12-12 +          ref = "ee13b9af"; # stable @ 2016-12-12        in {          nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then            { diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 091b7f21b..379176f78 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -27,23 +27,18 @@ in {      };    }; -  krebs.nginx = { +  services.nginx = {      enable = mkDefault true; -    servers = { -      mybox-connector-one = { -        listen = [ "${external-ip}:80" ]; -        server-names = [ -          "mycube.connector.one" -          "mybox.connector.one" -        ]; -        locations = singleton (nameValuePair "/" '' +    virtualHosts."mybox.connector.one" = { +        locations = { +          "/".extraConfig = ''            uwsgi_pass unix://${wsgi-sock};            uwsgi_param         UWSGI_CHDIR     ${pkgs.mycube-flask}/${pkgs.python.sitePackages};            uwsgi_param         UWSGI_MODULE    mycube.websrv;            uwsgi_param         UWSGI_CALLABLE  app;            include ${pkgs.nginx}/conf/uwsgi_params; -        ''); +        '';        };      };    }; diff --git a/makefu/2configs/disable_v6.nix b/makefu/2configs/disable_v6.nix index 37db172ef..0a8c8d53d 100644 --- a/makefu/2configs/disable_v6.nix +++ b/makefu/2configs/disable_v6.nix @@ -1,4 +1,3 @@  {    networking.enableIPv6 = false; -  boot.kernelParams = [ "ipv6.disable=1" ];  } 
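Review bot: The new `virtualHosts."mybox.connector.one"` in mycube.connector.one.nix drops the second name the old `server-names` list carried, `mycube.connector.one`, so requests for that host no longer match this vhost and fall through to whichever server nginx treats as default. If both names are still in use, add `serverAliases = [ "mycube.connector.one" ];` next to `locations`. The old block also bound to `${external-ip}:80` only; the new one carries no `listen`, which presumably widens it to every address and deserves a comment if intentional. The enclosing attribute set continues outside the hunk.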
diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix new file mode 100644 index 000000000..3f3c4ffc3 --- /dev/null +++ b/makefu/2configs/elchos/irc-token.nix @@ -0,0 +1,62 @@ +{pkgs, ...}: +with import <stockholm/lib>; +let +  secret = (import <secrets/elchos-token.nix>); +in { +  systemd.services.elchos-irctoken = { +    startAt = "*:0/30"; +    serviceConfig = { +      RuntimeMaxSec = "20"; +    }; +    script = '' +      set -euf +      now=$(date -u +%Y-%m-%dT%H:%M) +      sec=$(echo -n "${secret}$now" | md5sum | cut -d\  -f1) +      message="The secret valid for 30 minutes is $sec" +      echo "token for $now (UTC) is $sec" +      LOGNAME=sec-announcer +      HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static) +      IRC_SERVER=irc.freenode.net +      IRC_PORT=6667 +      IRC_NICK=$HOSTNAME-$$ +      IRC_CHANNEL='#eloop' + +      export IRC_CHANNEL # for privmsg_cat + +      echo2() { echo "$*"; echo "$*" >&2; } + +      privmsg_cat() { ${pkgs.gawk}/bin/awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + +      tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" +      cd "$tmpdir" +      mkfifo ircin +      trap " +        rm ircin +        cd '$OLDPWD' +        rmdir '$tmpdir' +        trap - EXIT INT QUIT +      " EXIT INT QUIT + +      { +        echo2 "USER $LOGNAME 0 * :$LOGNAME@$HOSTNAME" +        echo2 "NICK $IRC_NICK" + +        # wait for MODE message +        ${pkgs.gnused}/bin/sed -un '/^:[^ ]* MODE /q' + +        echo2 "JOIN $IRC_CHANNEL" + +        printf '%s' "$message" \ +          | privmsg_cat + +        echo2 "PART $IRC_CHANNEL" + +        # wait for PART confirmation +        sed -un '/:'"$IRC_NICK"'![^ ]* PART /q' + +        echo2 'QUIT :Gone to have lunch' +      } < ircin \ +        | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin +    ''; +  }; +} diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix new file mode 100644 index 000000000..3facd1ceb 
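Review bot: `${secret}` is interpolated directly into the `script` string, so the value imported from `<secrets/elchos-token.nix>` is written into the generated service script in the Nix store, which is world-readable on the host; read it at run time from a root-owned file outside the store instead, e.g. `sec=$(printf '%s%s' "$(cat <path-to-secret-file>)" "$now" | md5sum | cut -d' ' -f1)` or via `serviceConfig.EnvironmentFile`. The derived token is also sent over a plaintext connection (`IRC_PORT=6667`), so it is visible to anyone on the path as well as to the channel; the server's TLS port, if it offers one, would at least protect it in transit. Since the construction is hash(secret || time), a keyed digest (`${pkgs.openssl}/bin/openssl dgst -sha256 -hmac "$key"`) would be the conventional choice over a bare `md5sum`, though the store copy above is the larger exposure. The hunk covers the whole new file.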
--- /dev/null +++ b/makefu/2configs/elchos/log.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +let +in { +  networking.firewall.allowedTCPPorts = [ 80 443 514 ]; +  networking.firewall.allowedUDPPorts = [ 80 443 514 ]; +	services.logstash = { +			enable = true; +			enableWeb = true; +      inputConfig = '' +				syslog { +          timezone => "Etc/UTC" +        } +      ''; +      filterConfig = '' +        if ( [program] == "proftpd") { +          kv { +            field_split => "	" +          } +        } +      ''; +      outputConfig = '' +        stdout { +          codec => rubydebug +        } +        elasticsearch { } +        ''; +	}; +	services.elasticsearch = { +			enable = true; +	}; +	services.kibana = { +			enable = true; +      port = 9332; +	}; +  services.nginx = { +    virtualHosts = { +      "log.nsupdate.info" = { +        enableACME = true; +        forceSSL = true; +        basicAuth = import <secrets/kibana-auth.nix>; +        locations = { +          "/" = { +            proxyPass = "http://localhost:9332"; +            extraConfig = '' +              proxy_set_header   Host             $host; +              proxy_set_header   X-Real-IP        $remote_addr; +              proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for; +            ''; +          }; +        }; +      }; +    }; +  }; +} diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix index 5adaa0c6f..5777be373 100644 --- a/makefu/2configs/elchos/search.nix +++ b/makefu/2configs/elchos/search.nix 
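Review bot: The logstash `syslog { … }` input is opened by `allowedTCPPorts`/`allowedUDPPorts = [ … 514 ]` to every source with no authentication, so any host that can reach this machine can inject arbitrary records into Elasticsearch and into whatever dashboards read them; if the senders are known, restrict 514 to their source ranges or to the internal interface. UDP 80 and 443 are not used by nginx and can be dropped: `networking.firewall.allowedUDPPorts = [ 514 ];`. `basicAuth = import <secrets/kibana-auth.nix>` presumably ends up in a generated htpasswd file in the Nix store, readable by every local user; pointing `basicAuthFile` at a root-owned file is the safer variant if the nginx module in use supports it. The hunk covers the whole new file.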
@@ -1,11 +1,12 @@  { config, lib, pkgs, ... }: -# graphite-web on port 8080 -# carbon cache on port 2003 (tcp/udp) +# search also generates ddclient entries for all other logs +  with import <stockholm/lib>;  let    #primary-itf = "eth0"; -  primary-itf = "wlp2s0"; +  #primary-itf = "wlp2s0"; +  primary-itf = config.makefu.server.primary-itf;    elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock";    ddclientUser = "ddclient";    sec = toString <secrets>; @@ -14,15 +15,7 @@ let    cfg = "${stateDir}/cfg";    ddclientPIDFile = "${stateDir}/ddclient.pid"; -  acmepath = "/var/lib/acme/"; -  acmechall = acmepath + "/challenges/";    # TODO: correct cert generation requires a `real` internet ip address -  stats-dom = "stats.nsupdate.info"; -  search-dom = "search.nsupdate.info"; -  search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem"; -  search_ssl_key = "${acmepath}/${search-dom}/key.pem"; -  stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem"; -  stats_ssl_key = "${acmepath}/${stats-dom}/key.pem";    gen-cfg = dict: ''      ssl=yes 
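Review bot: The retained comment `# TODO: correct cert generation requires a \`real\` internet ip address` now dangles: the `acmepath`/`search_ssl_*`/`stats_ssl_*` bindings it referred to are removed in this hunk and certificates are handled by `enableACME` further down the file. Either drop the line or reword it to what still applies, e.g. `# note: enableACME below needs this host reachable from the internet for validation`. The `let` block starts and ends outside the hunk.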
@@ -64,75 +57,22 @@ in {      };    }; -  security.acme.certs = { -    "${stats-dom}" = { -      email = "acme@syntax-fehler.de"; -      webroot = "${acmechall}/${stats-dom}/"; -      group = "nginx"; -      allowKeysForGroup = true; -      postRun = "systemctl reload nginx.service"; -      extraDomains = { -        "${stats-dom}" = null ; -      }; -    }; -    "${search-dom}" = { -      email = "acme@syntax-fehler.de"; -      webroot = "${acmechall}/${search-dom}/"; -      group = "nginx"; -      allowKeysForGroup = true; -      postRun = "systemctl reload nginx.service"; -      extraDomains = { -        "${stats-dom}" = null ; -      }; -    }; -  }; - -  krebs.nginx = { +  services.nginx = {      enable = mkDefault true; -    servers = { -      elch-stats = { -        server-names = [ stats-dom ]; -        # listen = [ "80" "443 ssl" ]; -        ssl = { -            enable = true; -            certificate =   stats_ssl_cert; -            certificate_key = stats_ssl_key; -            force_encryption = true; +    virtualHosts = { +      "search.nsupdate.info" = { +        enableACME = true; +        forceSSL = true; +        locations = { +          "/".extraConfig = '' +            uwsgi_pass unix://${elch-sock}; +            uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages}; +            uwsgi_param         UWSGI_MODULE    elchhub.wsgi; +            uwsgi_param         UWSGI_CALLABLE  app; + +            include ${pkgs.nginx}/conf/uwsgi_params; +          '';          }; - -        locations = [ -            (nameValuePair "/" '' -              proxy_set_header   Host $host; -              proxy_set_header   X-Real-IP          $remote_addr; -              proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; -              proxy_pass http://localhost:3000/; -            '') -            (nameValuePair  "/.well-known/acme-challenge" '' -             root ${acmechall}/${search-dom}/; -            '') -        ]; -      }; 
-      elchhub = { -        server-names = [ "search.nsupdate.info" ]; -        # listen = [ "80" "443 ssl" ]; -        ssl = { -            enable = true; -            certificate =   search_ssl_cert; -            certificate_key = search_ssl_key; -            force_encryption = true; -        }; -        locations = [ (nameValuePair "/" '' -          uwsgi_pass unix://${elch-sock}; -          uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages}; -          uwsgi_param         UWSGI_MODULE    elchhub.wsgi; -          uwsgi_param         UWSGI_CALLABLE  app; - -          include ${pkgs.nginx}/conf/uwsgi_params; -        '') -        (nameValuePair  "/.well-known/acme-challenge" '' -          root ${acmechall}/${search-dom}/; -        '') -        ];        };      };    }; @@ -147,7 +87,7 @@ in {          ExecStart = "${pkgs.elchhub}/bin/elch-manager";        };      }; -    register-elchos-nsupdate = { +    ddclient-nsupdate-elchos = {        wantedBy = [ "multi-user.target" ];        after = [ "ip-up.target" ];        serviceConfig = { 
@@ -163,49 +103,8 @@ in {      };    }; -  services.grafana = { -    enable = true; -    addr = "127.0.0.1"; -    users.allowSignUp = false; -    users.allowOrgCreate = false; -    users.autoAssignOrg = false; -    auth.anonymous.enable = true; -    security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} -  }; - -  services.graphite = { -    api = { -      enable = true; -      listenAddress = "127.0.0.1"; -      port = 8080; -    }; -    carbon = { -      enableCache = true; -      # save disk usage by restricting to 1 bulk update per second -      config = '' -        [cache] -        MAX_CACHE_SIZE = inf -        MAX_UPDATES_PER_SECOND = 1 -        MAX_CREATES_PER_MINUTE = 500 -        ''; -      storageSchemas = '' -        [carbon] -        pattern = ^carbon\. -        retentions = 60:90d - -        [elchos] -        patterhn = ^elchos\. -        retentions = 10s:30d,60s:3y - -        [default] -        pattern = .* -        retentions = 30s:30d,300s:1y -        ''; -    }; -  }; -    networking.firewall = { -    allowedTCPPorts = [ 2003 80 443 ]; -    allowedUDPPorts = [ 2003 ]; +    allowedTCPPorts = [ 80 443 ]; +    allowedUDPPorts = [ ];    };  } diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix index 9f27b6647..b6133205f 100644 --- a/makefu/2configs/elchos/stats.nix +++ b/makefu/2configs/elchos/stats.nix 
@@ -1,73 +1,48 @@  { config, lib, pkgs, ... }: +# requires nsupdate to get correct hostname (from ./search.nix)  # graphite-web on port 8080  # carbon cache on port 2003 (tcp/udp) +  with import <stockholm/lib>; -let -  sec = toString <secrets>; -  acmepath = "/var/lib/acme/"; -  acmechall = acmepath + "/challenges/"; -  ext-dom = "stats.nsupdate.info"; -  #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; -  #ssl_key  = "${sec}/wildcard.krebsco.de.key"; -  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; -  ssl_key = "${acmepath}/${ext-dom}/key.pem"; -in { -  networking.firewall = { -    allowedTCPPorts = [ 2003 80 443 ]; -    allowedUDPPorts = [ 2003 ]; +{ + +  services.nginx = { +    enable = mkDefault true; +    virtualHosts = { +      "stats.nsupdate.info" = { +        enableACME = true; +        forceSSL = true; + +        locations = { +          "/"  = { +            proxyPass  = "http://localhost:3000/"; +            extraConfig = '' +              proxy_set_header   Host             $host; +              proxy_set_header   X-Real-IP        $remote_addr; +              proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for; +            ''; +          }; +        }; +      }; +    };    };    services.grafana = {      enable = true;      addr = "127.0.0.1"; -    extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };      users.allowSignUp = false;      users.allowOrgCreate = false;      users.autoAssignOrg = false; +    auth.anonymous.enable = true;      security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}    }; -  krebs.nginx = { -    enable = true; -    servers.elch-stats = { -      server-names = [ ext-dom ]; -      listen = [ "80" "443 ssl" ]; -      ssl = { -          enable = true; -          # these certs will be needed if acme has not yet created certificates: -          certificate =   ssl_cert; -          certificate_key = ssl_key; -          force_encryption = true; -      }; - -      locations = [ -     
     (nameValuePair "/" '' -            proxy_set_header   Host $host; -            proxy_set_header   X-Real-IP          $remote_addr; -            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; -            proxy_pass http://localhost:3000/; -          '') -          (nameValuePair  "/.well-known/acme-challenge" '' -            root ${acmechall}/${ext-dom}/; -          '') -      ]; -    }; -  }; - -  security.acme.certs."${ext-dom}" = { -    email = "acme@syntax-fehler.de"; -    webroot = "${acmechall}/${ext-dom}/"; -    group = "nginx"; -    allowKeysForGroup = true; -    postRun = "systemctl reload nginx.service"; -    extraDomains."${ext-dom}" = null ; -  };    services.graphite = { -    web = { +    api = {        enable = true; -      host = "127.0.0.1"; -      port = 8080; +      listenAddress = "127.0.0.1"; +      port = 18080;      };      carbon = {        enableCache = true; @@ -85,7 +60,7 @@ in {          [elchos]          patterhn = ^elchos\. -        retention = 10s:30d,60s:1y +        retentions = 10s:30d,60s:3y          [default]          pattern = .* @@ -93,4 +68,9 @@ in {          '';      };    }; + +  networking.firewall = { +    allowedTCPPorts = [ 2003 80 443 ]; +    allowedUDPPorts = [ 2003 ]; +  };  } diff --git a/makefu/2configs/elchos/test/ftpservers.nix b/makefu/2configs/elchos/test/ftpservers.nix new file mode 100644 index 000000000..bc7517209 --- /dev/null +++ b/makefu/2configs/elchos/test/ftpservers.nix @@ -0,0 +1,7 @@ +{...}: +{ +  services.vsftpd.anonymousUser = true; +  services.vsftpd.enable = true; +  services.vsftpd.chrootlocalUser = true; +  networking.firewall.allowedTCPPorts = [ 21 ]; +} diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index ef8a3b88f..e1c3d20ff 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -71,5 +71,15 @@ in {      latitude = "48.7";      longitude = "9.1"; | 
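Review bot: The retained header comment `# graphite-web on port 8080` in stats.nix is now wrong twice over: this hunk replaces `web` with `api` and moves it to `port = 18080` on `127.0.0.1`. Update it to `# graphite api on 127.0.0.1:18080, carbon cache on port 2003 (tcp/udp)`. Grafana is proxied to the internet with `auth.anonymous.enable = true`, which is presumably intentional for public graphs, but a one-line comment next to it saying so would keep the next reader from treating it as an oversight. The `services.graphite` block continues outside the hunk.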
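Review bot: The fixed line `retentions = 10s:30d,60s:3y` sits under a `[elchos]` section whose selector on the preceding context line is misspelled `patterhn = ^elchos\.`, so carbon presumably never applies this section and `elchos.*` metrics fall into `[default]`'s `30s:30d,300s:1y`; change it to `pattern = ^elchos\.`. The same typo is present in the `[elchos]` block this commit removes from search.nix, so it predates the move. The `storageSchemas` string starts and ends outside the hunk.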
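Review bot: The added `networking.firewall` block at the end of stats.nix opens carbon's 2003 TCP and UDP receiver to every source, and the plaintext line protocol carries no authentication, so any host that can reach the machine can write or overwrite metrics. If the emitters are known, restrict 2003 to their source ranges or to the internal interface and keep only 80/443 global. This mirrors the ports removed from search.nix in the same commit, so it is a move rather than a new exposure, but the exposure itself is worth addressing.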
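Review bot: `services.vsftpd.anonymousUser = true` together with `networking.firewall.allowedTCPPorts = [ 21 ]` exposes an anonymous plaintext FTP service to every source, and nothing in the file marks it as a test fixture beyond its directory name. A header comment such as `# test fixture: anonymous FTP, presumably to exercise the proftpd filter in ../log.nix — do not import on a production host` would make the intent explicit. `chrootlocalUser = true` only matters if local logins are enabled, which this file does not do, so it can probably be dropped or commented.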
