Diffstat (limited to 'makefu')
| -rw-r--r-- | makefu/1systems/pornocauster.nix | 1 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 40 | ||||
| -rw-r--r-- | makefu/2configs/base-sources.nix | 6 | ||||
| -rw-r--r-- | makefu/2configs/git/cgit-retiolum.nix | 3 | ||||
| -rw-r--r-- | makefu/2configs/iodined.nix | 16 | ||||
| -rw-r--r-- | makefu/2configs/mail-client.nix | 12 | ||||
| -rw-r--r-- | makefu/3modules/bepasty-server.nix | 160 | ||||
| -rw-r--r-- | makefu/3modules/tinc_graphs.nix | 6 | ||||
| -rw-r--r-- | makefu/5pkgs/tinc_graphs/default.nix | 5 | 
9 files changed, 228 insertions, 21 deletions
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 8f7f5ea7c..97cf86a4e 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -21,6 +21,7 @@
       # applications
       ../2configs/exim-retiolum.nix
+      ../2configs/mail-client.nix
       #../2configs/virtualization.nix
       ../2configs/virtualization-virtualbox.nix
       ../2configs/wwan.nix
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 819a208ac..a7ed93c43 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -5,38 +5,50 @@ let
   ip = (lib.head config.krebs.build.host.nets.internet.addrs4);
 in {
   imports = [
-    ../../tv/2configs/CAC-CentOS-7-64bit.nix
-    ../2configs/base.nix
-    ../2configs/base-sources.nix
-    ../2configs/tinc-basic-retiolum.nix
+      # TODO: copy this config or move to krebs
+      ../../tv/2configs/CAC-CentOS-7-64bit.nix
+      ../2configs/base.nix
+      ../2configs/base-sources.nix
+      ../2configs/tinc-basic-retiolum.nix
+
+      ../2configs/iodined.nix
+
+      # Reaktor
+      ../2configs/Reaktor/simpleExtend.nix
   ];
+  krebs.Reaktor.enable = true;
+
   networking.firewall.allowPing = true;
   networking.interfaces.enp2s1.ip4 = [
-      {
-        address = ip;
-        prefixLength = 24;
-      }
-    ];
-    networking.defaultGateway = "104.233.87.1";
-    networking.nameservers = [
-      "8.8.8.8"
-    ];
+  {
+    address = ip;
+    prefixLength = 24;
+  }
+  ];
+  networking.defaultGateway = "104.233.87.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
   # based on ../../tv/2configs/CAC-Developer-2.nix
   sound.enable = false;
   # prepare graphs
   nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+
   krebs.nginx.enable = true;
+  krebs.retiolum-bootstrap.enable = true;
   makefu.tinc_graphs.enable = true;
+
   makefu.tinc_graphs.krebsNginx = {
     enable = true;
     # TODO: remove hard-coded hostname
     hostnames_complete  = [ "graphs.wry" ];
     hostnames_anonymous = [ "graphs.krebsco.de" ];
   };
-  networking.firewall.allowedTCPPorts = [80];
+
+  networking.firewall.allowedTCPPorts = [ 53 80 443 ];
   krebs.build = {
     user = config.krebs.users.makefu;
diff --git a/makefu/2configs/base-sources.nix b/makefu/2configs/base-sources.nix
index 826cd6fef..7e6bebec3 100644
--- a/makefu/2configs/base-sources.nix
+++ b/makefu/2configs/base-sources.nix
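Review bot: `networking.firewall.allowedTCPPorts = [ 53 80 443 ];` opens TCP 53, but the iodined service imported earlier in this hunk tunnels over DNS, which it serves on UDP 53, so with no `allowedUDPPorts` entry the tunnel presumably stays blocked while an unused TCP port is exposed. Suggest `networking.firewall.allowedUDPPorts = [ 53 ];` and dropping TCP 53 unless something else listens there. 443 is also opened although nothing in this hunk configures TLS; a short comment naming the consumer (krebs.nginx or retiolum-bootstrap, presumably) would make the exposed-port list reviewable. The enclosing attribute set continues outside the hunk.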
@@ -3,9 +3,9 @@
 {
   krebs.build.source = {
     git.nixpkgs = {
-      url = https://github.com/NixOS/nixpkgs;
-      #url = https://github.com/makefu/nixpkgs;
-      rev = "dc18f39bfb2f9d1ba62c7e8ad98544bb15cb26b2"; # nixos-15.09
+      #url = https://github.com/NixOS/nixpkgs;
+      url = https://github.com/makefu/nixpkgs;
+      rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine
     };
     dir.secrets = {
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 1277a014e..189dd66c8 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -10,6 +10,9 @@ let
     stockholm = {
       desc = "Make all the systems into 1systems!";
     };
+    tinc_graphs = {
+      desc = "Tinc Advanced Graph Generation";
+    };
   };
   priv-repos = mapAttrs make-priv-repo {
diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix
new file mode 100644
index 000000000..db8a1bfed
--- /dev/null
+++ b/makefu/2configs/iodined.nix
@@ -0,0 +1,16 @@
+{ services,builtins,environment,pkgs, ... }:
+
+let
+  # TODO: make this a parameter
+  domain = "io.krebsco.de";
+  pw = import <secrets/iodinepw.nix>;
+in {
+
+  services.iodined = {
+    enable = true;
+    domain = domain;
+    ip = "172.16.10.1/24";
+    extraConfig = "-P ${pw}";
+  };
+
+}
diff --git a/makefu/2configs/mail-client.nix b/makefu/2configs/mail-client.nix
new file mode 100644
index 000000000..a6ae33d2f
--- /dev/null
+++ b/makefu/2configs/mail-client.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  environment.systemPackages = with pkgs; [
+    msmtp
+    mutt-kz
+    notmuch
+    offlineimap
+  ];
+
+}
diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix
new file mode 100644
index 000000000..d970652a4
--- /dev/null
+++ b/makefu/3modules/bepasty-server.nix
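Review bot: In the new iodined.nix the password imported from `<secrets/iodinepw.nix>` is interpolated into `extraConfig = "-P ${pw}";`, so it becomes part of the iodined command line: presumably it lands in the generated unit file in the world-readable Nix store and is visible in the process list to every local user. Since the module only accepts the password via extraConfig here, at least record that next to the binding, e.g. `# NOTE: pw ends up on the iodined command line (unit file in /nix/store, visible via ps)`, so nobody reuses this secret elsewhere. Separately, the header `{ services,builtins,environment,pkgs, ... }:` names `services`, `builtins` and `environment`, which are not NixOS module arguments, and the body uses none of the four; unless stockholm injects them through `_module.args`, evaluation will fail on the missing arguments, and `{ ... }:` is sufficient.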
@@ -0,0 +1,160 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  gunicorn = pkgs.pythonPackages.gunicorn;
+  bepasty = pkgs.pythonPackages.bepasty-server;
+  gevent = pkgs.pythonPackages.gevent;
+  python = pkgs.pythonPackages.python;
+  cfg = config.makefu.bepasty-server;
+
+  out = {
+    options.makefu.bepasty-server = api;
+    config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ;
+  };
+
+  api = {
+    enable = mkEnableOption "Bepasty Servers";
+    serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx";
+
+    servers = mkOption {
+      type = with types; attrsOf optionSet;
+      options = singleton {
+        nginxCfg = mkOption {
+          # TODO use the correct type
+          type = with types; attrsOf unspecified;
+          description = ''
+            additional nginx configuration. see krebs.nginx for all options
+          '' ;
+        };
+        debug = mkOption {
+          type = types.bool;
+          description = ''
+            run server in debug mode
+          '';
+          default = false;
+        };
+
+        # TODO: assert secretKey
+        secretKey = mkOption {
+          type = types.str;
+          description = ''
+            server secret for safe session cookies, must be set.
+          '';
+        };
+
+        # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi
+        workDir = mkOption {
+          type = types.str;
+          description = ''
+            Path to the working directory (used for sockets and pidfile).
+            Defaults to the users home directory. 
Must be accessible to nginx,
+            permissions will be set to 755
+          '';
+          default = config.users.extraUsers.bepasty.home;
+        };
+
+        dataDir = mkOption {
+          type = types.str;
+          description = ''
+            Defaults to the new users home dir which defaults to
+            /var/lib/bepasty-server/data
+            '';
+          default = "${config.users.extraUsers.bepasty.home}/data";
+        };
+
+        extraConfig = mkOption {
+          type = types.str;
+          default = "";
+          example = ''
+            PERMISSIONS = {
+              'myadminsecret': 'admin,list,create,read,delete',
+            }
+            MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
+            '';
+        };
+
+        defaultPermissions = mkOption {
+          type = types.str;
+          default = "list";
+        };
+
+      };
+      default = {};
+    };
+
+  };
+
+  imp = {
+    # Configures systemd services for each configured server
+    # environment.systemPackages = [ bepasty gunicorn gevent ];
+    systemd.services = mapAttrs' (name: server:
+      nameValuePair ("bepasty-server-${name}")
+        ({
+          description = "Bepasty Server ${name}";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          restartIfChanged = true;
+          environment = {
+            BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
+            PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
+          };
+          serviceConfig = {
+            Type = "simple";
+            PrivateTmp = true;
+            ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" ''
+              #!/bin/sh
+              chmod 755 ${server.workDir}
+              mkdir -p ${server.dataDir}
+              cat > ${server.workDir}/bepasty-${name}.conf <<EOF
+              SITENAME="${name}"
+              
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
+              SECRET_KEY="${escapeShellArg server.secretKey}"
+              DEFAULT_PERMISSIONS="${server.defaultPermissions}"
+              ${server.extraConfig}
+              EOF
+            '';
+            Directory = "${bepasty}/lib/${python.libPrefix}/site-packages";
+            # we use Gunicorn to start a wsgi server
+            ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
+              --workers 3 --log-level=info \
+              --bind=unix:${server.workDir}/gunicorn-${name}.sock \
+              --pid ${server.workDir}/gunicorn-${name}.pid \
+              -k gevent
+            '';
+          };
+        })
+    ) cfg.servers;
+
+    users.extraUsers.bepasty = {
+      uid = 2796546855; #genid bepasty
+      home = "/var/lib/bepasty-server";
+      createHome = true;
+    };
+  };
+  nginx-imp = {
+    assertions = [ { assertion = config.krebs.nginx.enable;
+                      message = "krebs.nginx.enable must be true"; }];
+
+    krebs.nginx.servers = mapAttrs' (name: server:
+      nameValuePair("bepasty-server-${name}")
+      (server.nginxCfg // {
+        extraConfig = ''
+          client_max_body_size 32M;
+          '';
+        locations = [
+          (nameValuePair ("/")
+          (''
+            proxy_set_header Host $http_host;
+            proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
+          ''))
+          (nameValuePair ("/static/")
+          (''
+            alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
+          ''))
+          ];
+      })
+    ) cfg.servers ;
+  };
+in
+out
diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix
index 62d607527..ff2f55873 100644
--- a/makefu/3modules/tinc_graphs.nix
+++ b/makefu/3modules/tinc_graphs.nix
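Review bot: The generated `bepasty-server-${name}` unit sets no `User`/`Group` in `serviceConfig`, so gunicorn and the ExecStartPre script run as root even though a dedicated `bepasty` user is created a few lines below; adding `User = "bepasty";` (and making `workDir`/`dataDir` owned by it) keeps the paste service unprivileged. The secret handling also leaks: `server.secretKey` is interpolated into the `pkgs.writeScript` body, which lives in the world-readable Nix store, and the heredoc then writes it into `${server.workDir}`, a directory the script itself chmods to 755 with the config file created under the default umask; writing the config with `umask 077` in the script and reading the key from a runtime secret file instead of a Nix string would close both. Note too that inside an unquoted heredoc `escapeShellArg` is not interpreted by the shell, so the single quotes it adds become part of the SECRET_KEY value bepasty reads. Smaller points: `Directory = ...` is not a systemd unit key (`WorkingDirectory` presumably intended), and the comment `# we create a wsgi socket in $workDir/gunicorn-${name}.wsgi` should say `.sock` to match `--bind`.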
@@ -83,7 +83,9 @@ let
         ExecStartPre = pkgs.writeScript "tinc_graphs-init" ''
           #!/bin/sh
-          mkdir -p "${external_dir}" "${internal_dir}"
+          if ! test -e "${cfg.workingDir}/internal/index.html"; then
+            cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}"
+          fi
         '';
         ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs";
@@ -94,10 +96,10 @@ let
           # this is needed because homedir is created with 700
           chmod 755  "${cfg.workingDir}"
         '';
+        PrivateTmp = "yes";
         User = "root"; # tinc cannot be queried as user,
                        #  seems to be a tinc-pre issue
-        privateTmp = true;
       };
     };
diff --git a/makefu/5pkgs/tinc_graphs/default.nix b/makefu/5pkgs/tinc_graphs/default.nix
index 5bc974157..62a787d30 100644
--- a/makefu/5pkgs/tinc_graphs/default.nix
+++ b/makefu/5pkgs/tinc_graphs/default.nix
@@ -2,20 +2,21 @@
 python3Packages.buildPythonPackage rec {
   name = "tinc_graphs-${version}";
-  version = "0.2.12";
+  version = "0.3.6";
   propagatedBuildInputs = with pkgs;[
     python3Packages.pygeoip
     ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
   ];
   src = fetchurl {
     url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
-    sha256 = "03jxvxahpcbpnz4668x32b629dwaaz5jcjkyaijm0zzpgcn4cbgp";
+    sha256 = "0ghdx9aaipmppvc2b6cgks4nxw6zsb0fhjrmnisbx7rz0vjvzc74";
   };
   preFixup = with pkgs;''
     wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"
     wrapProgram $out/bin/all-the-graphs --prefix PATH : "${imagemagick}/bin:${graphviz}/bin:$out/bin"
     wrapProgram $out/bin/tinc-stats2json --prefix PATH : "${tinc}/bin"
   '';
+
   meta = {
     homepage = http://krebsco.de/;
     description = "Create Graphs from Tinc Stats";
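Review bot: The rewritten ExecStartPre in tinc_graphs.nix drops the `mkdir -p "${external_dir}" "${internal_dir}"` line without replacing it, so `${external_dir}` is no longer created at all and `${internal_dir}` only gets populated when the index.html check fails; unless all-the-graphs creates those directories itself (not visible here), keep the `mkdir -p` before the new `if`. The `cp -fr` also runs only when `${cfg.workingDir}/internal/index.html` is absent but copies into `${internal_dir}`; if those two paths are not the same directory (they are defined outside the hunk), the check never becomes true and the copy repeats on every start. The enclosing systemd service definition starts and ends outside the hunk.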
