From fa38155eec9563dc9dc620a77900d87b97443cfe Mon Sep 17 00:00:00 2001 
From: makefu Date: Sat, 15 Jul 2017 18:57:16 +0200 Subject: ma: move systems to subdir, init source --- makefu/1systems/darth.nix | 80 -------------- makefu/1systems/darth/config.nix | 80 ++++++++++++++ makefu/1systems/drop.nix | 40 ------- makefu/1systems/drop/config.nix | 40 +++++++ makefu/1systems/fileleech.nix | 169 ----------------------------- makefu/1systems/fileleech/config.nix | 169 +++++++++++++++++++++++++++++ makefu/1systems/filepimp.nix | 91 ---------------- makefu/1systems/filepimp/config.nix | 91 ++++++++++++++++ makefu/1systems/gum.nix | 163 ---------------------------- makefu/1systems/gum/config.nix | 163 ++++++++++++++++++++++++++++ makefu/1systems/iso.nix | 55 ---------- makefu/1systems/iso/config.nix | 55 ++++++++++ makefu/1systems/omo.nix | 204 ----------------------------------- makefu/1systems/omo/config.nix | 204 +++++++++++++++++++++++++++++++++++ makefu/1systems/pnp.nix | 50 --------- makefu/1systems/pnp/config.nix | 50 +++++++++ makefu/1systems/repunit.nix | 40 ------- makefu/1systems/repunit/config.nix | 40 +++++++ makefu/1systems/sdev.nix | 56 ---------- makefu/1systems/sdev/config.nix | 56 ++++++++++ makefu/1systems/shoney.nix | 63 ----------- makefu/1systems/shoney/config.nix | 63 +++++++++++ makefu/1systems/studio.nix | 77 ------------- makefu/1systems/studio/config.nix | 77 +++++++++++++ makefu/1systems/tsp.nix | 29 ----- makefu/1systems/tsp/config.nix | 29 +++++ makefu/1systems/vbob.nix | 73 ------------- makefu/1systems/vbob/config.nix | 73 +++++++++++++ makefu/1systems/wbob.nix | 92 ---------------- makefu/1systems/wbob/config.nix | 92 ++++++++++++++++ makefu/1systems/wry.nix | 54 ---------- makefu/1systems/wry/config.nix | 54 ++++++++++ makefu/1systems/x.nix | 91 ---------------- makefu/1systems/x/config.nix | 91 ++++++++++++++++ 34 files changed, 1427 insertions(+), 1427 deletions(-) delete mode 100644 makefu/1systems/darth.nix create mode 100644 makefu/1systems/darth/config.nix delete mode 100644 makefu/1systems/drop.nix 
create mode 100644 makefu/1systems/drop/config.nix delete mode 100644 makefu/1systems/fileleech.nix create mode 100644 makefu/1systems/fileleech/config.nix delete mode 100644 makefu/1systems/filepimp.nix create mode 100644 makefu/1systems/filepimp/config.nix delete mode 100644 makefu/1systems/gum.nix create mode 100644 makefu/1systems/gum/config.nix delete mode 100644 makefu/1systems/iso.nix create mode 100644 makefu/1systems/iso/config.nix delete mode 100644 makefu/1systems/omo.nix create mode 100644 makefu/1systems/omo/config.nix delete mode 100644 makefu/1systems/pnp.nix create mode 100644 makefu/1systems/pnp/config.nix delete mode 100644 makefu/1systems/repunit.nix create mode 100644 makefu/1systems/repunit/config.nix delete mode 100644 makefu/1systems/sdev.nix create mode 100644 makefu/1systems/sdev/config.nix delete mode 100644 makefu/1systems/shoney.nix create mode 100644 makefu/1systems/shoney/config.nix delete mode 100644 makefu/1systems/studio.nix create mode 100644 makefu/1systems/studio/config.nix delete mode 100644 makefu/1systems/tsp.nix create mode 100644 makefu/1systems/tsp/config.nix delete mode 100644 makefu/1systems/vbob.nix create mode 100644 makefu/1systems/vbob/config.nix delete mode 100644 makefu/1systems/wbob.nix create mode 100644 makefu/1systems/wbob/config.nix delete mode 100644 makefu/1systems/wry.nix create mode 100644 makefu/1systems/wry/config.nix delete mode 100644 makefu/1systems/x.nix create mode 100644 makefu/1systems/x/config.nix (limited to 'makefu/1systems')
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
deleted file mode 100644
index b39021176..000000000
--- a/makefu/1systems/darth.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with import ;
-let
- byid = dev: "/dev/disk/by-id/" + dev;
- rootDisk = byid "ata-ADATA_SSD_S599_64GB_10460000000000000039";
- auxDisk = byid "ata-HGST_HTS721010A9E630_JR10006PH3A02F";
- dataPartition = auxDisk + "-part1";
-
- allDisks = [ rootDisk ]; # auxDisk
-in {
- imports = [
- ../.
- ../2configs/fs/single-partition-ext4.nix
- ../2configs/zsh-user.nix
- ../2configs/smart-monitor.nix
- ../2configs/exim-retiolum.nix
- ../2configs/virtualization.nix
-
- ../2configs/tinc/retiolum.nix
- ../2configs/temp-share-samba.nix
- ];
- services.samba.shares = {
- isos = {
- path = "/data/isos/";
- "read only" = "yes";
- browseable = "yes";
- "guest ok" = "yes";
- };
- };
- services.tinc.networks.siem = {
- name = "sdarth";
- extraConfig = "ConnectTo = sjump";
- };
-
- makefu.forward-journal = {
- enable = true;
- src = "10.8.10.2";
- dst = "10.8.10.6";
- };
-
- #networking.firewall.enable = false;
-
- boot.kernelModules = [ "coretemp" "f71882fg" ];
- hardware.enableAllFirmware = true;
- nixpkgs.config.allowUnfree = true;
- networking = {
- wireless.enable = true;
- firewall = {
- allowPing = true;
- logRefusedConnections = false;
- trustedInterfaces = [ "eno1" ];
- allowedUDPPorts = [ 80 655 1655 67 ];
- allowedTCPPorts = [ 80 655 1655 ];
- };
- # fallback connection to the internal virtual network
- interfaces.virbr3.ip4 = [{
- address = "10.8.8.2";
- prefixLength = 24;
- }];
- };
-
- # TODO smartd omo darth gum all-in-one
- services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
- zramSwap.enable = true;
-
- #fileSystems."/data" = {
- # device = dataPartition;
- # fsType = "ext4";
- #};
-
- boot.loader.grub.device = rootDisk;
-
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.makefu-omo.pubkey
- config.krebs.users.makefu-vbob.pubkey
- ];
-
- krebs.build.host = config.krebs.hosts.darth;
-}
diff --git a/makefu/1systems/darth/config.nix b/makefu/1systems/darth/config.nix
new file mode 100644
index 000000000..b39021176
--- /dev/null
+++ b/makefu/1systems/darth/config.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, lib, ... }:
+
+with import ;
+let
+ byid = dev: "/dev/disk/by-id/" + dev;
+ rootDisk = byid "ata-ADATA_SSD_S599_64GB_10460000000000000039";
+ auxDisk = byid "ata-HGST_HTS721010A9E630_JR10006PH3A02F";
+ dataPartition = auxDisk + "-part1";
+
+ allDisks = [ rootDisk ]; # auxDisk
+in {
+ imports = [
+ ../.
+ ../2configs/fs/single-partition-ext4.nix
+ ../2configs/zsh-user.nix
+ ../2configs/smart-monitor.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/virtualization.nix
+
+ ../2configs/tinc/retiolum.nix
+ ../2configs/temp-share-samba.nix
+ ];
+ services.samba.shares = {
+ isos = {
+ path = "/data/isos/";
+ "read only" = "yes";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ services.tinc.networks.siem = {
+ name = "sdarth";
+ extraConfig = "ConnectTo = sjump";
+ };
+
+ makefu.forward-journal = {
+ enable = true;
+ src = "10.8.10.2";
+ dst = "10.8.10.6";
+ };
+
+ #networking.firewall.enable = false;
+
+ boot.kernelModules = [ "coretemp" "f71882fg" ];
+ hardware.enableAllFirmware = true;
+ nixpkgs.config.allowUnfree = true;
+ networking = {
+ wireless.enable = true;
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ trustedInterfaces = [ "eno1" ];
+ allowedUDPPorts = [ 80 655 1655 67 ];
+ allowedTCPPorts = [ 80 655 1655 ];
+ };
+ # fallback connection to the internal virtual network
+ interfaces.virbr3.ip4 = [{
+ address = "10.8.8.2";
+ prefixLength = 24;
+ }];
+ };
+
+ # TODO smartd omo darth gum all-in-one
+ services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
+ zramSwap.enable = true;
+
+ #fileSystems."/data" = {
+ # device = dataPartition;
+ # fsType = "ext4";
+ #};
+
+ boot.loader.grub.device = rootDisk;
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.makefu-omo.pubkey
+ config.krebs.users.makefu-vbob.pubkey
+ ];
+
+ krebs.build.host = config.krebs.hosts.darth;
+}
diff --git a/makefu/1systems/drop.nix b/makefu/1systems/drop.nix
deleted file mode 100644
index 4a94c3f61..000000000
--- a/makefu/1systems/drop.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, ... }:
-let
- external-ip = "45.55.145.62";
- default-gw = "45.55.128.1";
- prefixLength = 18;
-in {
- imports = [
- ../.
- ../2configs/hw/CAC.nix
- ../2configs/save-diskspace.nix
- ../2configs/torrent.nix
- ];
- krebs = {
- enable = true;
- tinc.retiolum.enable = true;
- build.host = config.krebs.hosts.drop;
- };
-
- boot.loader.grub.device = "/dev/vda";
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
- fileSystems."/" = {
- device = "/dev/vda1";
- fsType = "ext4";
- };
-
- networking = {
- firewall = {
- allowPing = true;
- logRefusedConnections = false;
- allowedTCPPorts = [ ];
- allowedUDPPorts = [ 655 ];
- };
- interfaces.enp0s3.ip4 = [{
- address = external-ip;
- inherit prefixLength;
- }];
- defaultGateway = default-gw;
- nameservers = [ "8.8.8.8" ];
- };
-}
diff --git a/makefu/1systems/drop/config.nix b/makefu/1systems/drop/config.nix
new file mode 100644
index 000000000..4a94c3f61
--- /dev/null
+++ b/makefu/1systems/drop/config.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+let
+ external-ip = "45.55.145.62";
+ default-gw = "45.55.128.1";
+ prefixLength = 18;
+in {
+ imports = [
+ ../.
+ ../2configs/hw/CAC.nix
+ ../2configs/save-diskspace.nix
+ ../2configs/torrent.nix
+ ];
+ krebs = {
+ enable = true;
+ tinc.retiolum.enable = true;
+ build.host = config.krebs.hosts.drop;
+ };
+
+ boot.loader.grub.device = "/dev/vda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+
+ networking = {
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ 655 ];
+ };
+ interfaces.enp0s3.ip4 = [{
+ address = external-ip;
+ inherit prefixLength;
+ }];
+ defaultGateway = default-gw;
+ nameservers = [ "8.8.8.8" ];
+ };
+}
diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
deleted file mode 100644
index 3aa5a54f8..000000000
--- a/makefu/1systems/fileleech.nix
+++ /dev/null
@@ -1,169 +0,0 @@ -{ config, pkgs, lib, ... }: -let - toMapper = id: "/media/crypt${builtins.toString id}"; - byid = dev: "/dev/disk/by-id/" + dev; - keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; - rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; - rootPartition = rootDisk + "-part3"; - - dataDisks = let - idpart = dev: byid dev + "-part1"; - in [ - { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} - { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";} - { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";} - { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";} - { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";} - { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";} - { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";} - { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity - ]; - - disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks; -in { - imports = [ - ../. - ../2configs/tinc/retiolum.nix - ../2configs/disable_v6.nix - # ../2configs/torrent.nix - ../2configs/fs/sda-crypto-root.nix - - #../2configs/elchos/irc-token.nix - ../2configs/elchos/log.nix - ../2configs/elchos/search.nix - ../2configs/elchos/stats.nix - - ]; - systemd.services.grafana.serviceConfig.LimitNOFILE=10032; - systemd.services.graphiteApi.serviceConfig.LimitNOFILE=10032; - systemd.services.carbonCache.serviceConfig.LimitNOFILE=10032; - makefu.server.primary-itf = "enp8s0f0"; - krebs = { - enable = true; - build.host = config.krebs.hosts.fileleech; - }; - # git clone https://github.com/makefu/docker-pyload - # docker build . 
- # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload - - virtualisation.docker.enable = true; # for pyload - networking.firewall.allowPing = true; - networking.firewall.logRefusedConnections = false; - networking.firewall.allowedTCPPorts = [ - 51412 # torrent - 8112 # rutorrent-web - 8113 # pyload - 8080 # sabnzbd - 9090 # sabnzbd-ssl - 655 # tinc - 21 # ftp - ]; - services.nginx.virtualHosts._download = { - default = true; - root = "/media/cryptX"; - extraConfig = '' - autoindex on; - ''; - basicAuth = import ; - }; - networking.firewall.allowedUDPPorts = [ - 655 # tinc - 51412 # torrent - ]; - - services.vsftpd.enable = true; - services.vsftpd.localUsers = true; - services.vsftpd.userlist = [ "download" ]; - services.vsftpd.userlistEnable = true; - # services.vsftpd.chrootlocalUser = true; - - services.sabnzbd.enable = true; - systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - - services.openssh.extraConfig = let banner = pkgs.writeText "openssh-banner" '' - Services: - ssh://download@fileleech - ssh via filebitch.shack - ftp://download@fileleech - access to /media/cryptX - http://fileleech:8112 - rutorrent - http://fileleech:8113 - pyload - https://fileleech:9090 - sabnzb - ''; in "Banner ${banner}"; - - boot.initrd.luks = { - devices = let - usbkey = name: device: { - inherit name device keyFile; - keyFileSize = 4096; - allowDiscards = true; - }; - in builtins.map (x: usbkey x.name x.device) disks; - }; - environment.systemPackages = with pkgs;[ mergerfs ]; - - fileSystems = let - cryptMount = name: - { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; - in cryptMount "crypt0" - // cryptMount "crypt1" - // cryptMount "crypt2" - // cryptMount "crypt3" - // cryptMount "crypt4" - // cryptMount "crypt5" - // cryptMount "crypt6" - // cryptMount "crypt7" - - # this entry 
sometimes creates issues - // { "/media/cryptX" = { - device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]); - fsType = "mergerfs"; - noCheck = true; - options = [ "defaults" "nofail" "allow_other" "nonempty" ]; }; - } - - ; - users.users.download = { - useDefaultShell = true; - # name = "download"; - home = "/media/cryptX/"; - # createHome = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.makefu.pubkey - config.krebs.users.lass.pubkey - "ssh-rsa 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 jules@kvasir-2015-02-13" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local" - "ssh-rsa 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 me@andreaskist.de" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClaVl9Fwp4wdGLeTZdfy5MpJf+hM6fpL1k6UmtYXWgVYU7tgmStdlpLlbyMQspoFRtT7/76n4kPwCmM0c82xNXaJJMuWa98pwMp+bAwSSdOGAP/vjfzL/TUAX+Xtrw6ehF7r1O+zqw/E/bWt6UezKj08wDLWjByzdDQwslJV6lrGek4mmYRdgmHHeZ1oG89ePEZJZOM6jcZqv0AfIj0NID3ir9Z0kz9uSSXb1279Qt4953mfjs5xwhtc1B7vrxJ3qtTZUsBoAkUkLeulUEIjkfn60wvDGu/66GP5ZClXyk2gck/ZNmtFYrQoqx9EtF1KK02cC17A0nfRySQy5BnfWn root@filebitch" - ]; - }; - makefu.snapraid = { - enable = true; - 
disks = map toMapper [ 0 1 2 3 4 5 6 ]; - parity = toMapper 7; - }; - networking.nameservers = [ "8.8.8.8" ]; - #networking.interfaces.enp6s0f0.ip4 = [{ - # address = "151.217.173.20"; - # prefixLength = 22; - #}]; - #networking.defaultGateway = "151.217.172.1"; - networking.interfaces.enp8s0f1.ip4 = [{ - address = "192.168.126.1"; - prefixLength = 24; - }]; - #interfaces.enp6s0f1.ip4 = [{ - # address = external-ip; - # prefixLength = 22; - #}]; - - boot.loader.grub.device = rootDisk; - - boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html - boot.extraModprobeConfig = '' - options ixgbe allow_unsupported_sfp=1 - ''; -} diff --git a/makefu/1systems/fileleech/config.nix b/makefu/1systems/fileleech/config.nix new file mode 100644 index 000000000..3aa5a54f8 --- /dev/null +++ b/makefu/1systems/fileleech/config.nix 
@@ -0,0 +1,169 @@ +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; + rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; + rootPartition = rootDisk + "-part3"; + + dataDisks = let + idpart = dev: byid dev + "-part1"; + in [ + { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} + { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";} + { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";} + { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";} + { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";} + { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";} + { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";} + { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity + ]; + + disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks; +in { + imports = [ + ../. + ../2configs/tinc/retiolum.nix + ../2configs/disable_v6.nix + # ../2configs/torrent.nix + ../2configs/fs/sda-crypto-root.nix + + #../2configs/elchos/irc-token.nix + ../2configs/elchos/log.nix + ../2configs/elchos/search.nix + ../2configs/elchos/stats.nix + + ]; + systemd.services.grafana.serviceConfig.LimitNOFILE=10032; + systemd.services.graphiteApi.serviceConfig.LimitNOFILE=10032; + systemd.services.carbonCache.serviceConfig.LimitNOFILE=10032; + makefu.server.primary-itf = "enp8s0f0"; + krebs = { + enable = true; + build.host = config.krebs.hosts.fileleech; + }; + # git clone https://github.com/makefu/docker-pyload + # docker build . 
+ # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload + + virtualisation.docker.enable = true; # for pyload + networking.firewall.allowPing = true; + networking.firewall.logRefusedConnections = false; + networking.firewall.allowedTCPPorts = [ + 51412 # torrent + 8112 # rutorrent-web + 8113 # pyload + 8080 # sabnzbd + 9090 # sabnzbd-ssl + 655 # tinc + 21 # ftp + ]; + services.nginx.virtualHosts._download = { + default = true; + root = "/media/cryptX"; + extraConfig = '' + autoindex on; + ''; + basicAuth = import ; + }; + networking.firewall.allowedUDPPorts = [ + 655 # tinc + 51412 # torrent + ]; + + services.vsftpd.enable = true; + services.vsftpd.localUsers = true; + services.vsftpd.userlist = [ "download" ]; + services.vsftpd.userlistEnable = true; + # services.vsftpd.chrootlocalUser = true; + + services.sabnzbd.enable = true; + systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + services.openssh.extraConfig = let banner = pkgs.writeText "openssh-banner" '' + Services: + ssh://download@fileleech - ssh via filebitch.shack + ftp://download@fileleech - access to /media/cryptX + http://fileleech:8112 - rutorrent + http://fileleech:8113 - pyload + https://fileleech:9090 - sabnzb + ''; in "Banner ${banner}"; + + boot.initrd.luks = { + devices = let + usbkey = name: device: { + inherit name device keyFile; + keyFileSize = 4096; + allowDiscards = true; + }; + in builtins.map (x: usbkey x.name x.device) disks; + }; + environment.systemPackages = with pkgs;[ mergerfs ]; + + fileSystems = let + cryptMount = name: + { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; + in cryptMount "crypt0" + // cryptMount "crypt1" + // cryptMount "crypt2" + // cryptMount "crypt3" + // cryptMount "crypt4" + // cryptMount "crypt5" + // cryptMount "crypt6" + // cryptMount "crypt7" + + # this entry 
sometimes creates issues + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]); + fsType = "mergerfs"; + noCheck = true; + options = [ "defaults" "nofail" "allow_other" "nonempty" ]; }; + } + + ; + users.users.download = { + useDefaultShell = true; + # name = "download"; + home = "/media/cryptX/"; + # createHome = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.makefu.pubkey + config.krebs.users.lass.pubkey + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7betFnMWVeBYRhJ+2f0B5WbDdbpteIVg/BlyimXbx79R7lZ7nUq5GyMLrp7B00frUuA0su8oFFN3ODPJDstgBslBIP7kWPR2zW8NOXorrbFo3J2fKvlO77k6/wD5/M11m5nS01/aVJgAgMGLg2W12G7EMf5Wq75YsQJC/S9p8kMca589djMPRuQETu7fWq0t/Gmwq+2ELLL0csRK87LvybA92JYkAIneRnGzIlCguOXq0Vcq6pGQ1J1PfVEP76Do33X29l2hZc/+vR9ExW6s2g7fs5/5LDX9Wnq7+AEsxiEf4IOeL0hCG4/CGGCN23J+6cDrNKOP94AHO1si0O2lxFsxgNU2vdVWPNgSLottiUFBPPNEZFD++sZyutzH6PIz6D90hB2Q52X6WN9ZUtlDfQ91rHd+S2BhR6f4dAqiRDXlI5MNNDdoTT4S5R0wU/UrNwjiV/xiu/hWZYGQK7YgY4grFRblr378r8FqjLvumPDFMDLVa9eJKq1ad1x/GV5tZpsttzWj4nbixaKlZOg+TN2GHboujLx3bANz1Jqfvfto8UOeKTtA8pkb8E1PJPpBMOZcA7oHaqJrp6Vuf/SkmglHnQvGbi60OK3s61nuRmIcBiTXd+4qeAJpq1QyEDj3X/+hV0Gwz8rCo6JGkF1ETW37ZYvqU9rxNXjS+/Pfktw== jules@kvasir-2015-02-13" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local" + "ssh-rsa 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 me@andreaskist.de" + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClaVl9Fwp4wdGLeTZdfy5MpJf+hM6fpL1k6UmtYXWgVYU7tgmStdlpLlbyMQspoFRtT7/76n4kPwCmM0c82xNXaJJMuWa98pwMp+bAwSSdOGAP/vjfzL/TUAX+Xtrw6ehF7r1O+zqw/E/bWt6UezKj08wDLWjByzdDQwslJV6lrGek4mmYRdgmHHeZ1oG89ePEZJZOM6jcZqv0AfIj0NID3ir9Z0kz9uSSXb1279Qt4953mfjs5xwhtc1B7vrxJ3qtTZUsBoAkUkLeulUEIjkfn60wvDGu/66GP5ZClXyk2gck/ZNmtFYrQoqx9EtF1KK02cC17A0nfRySQy5BnfWn root@filebitch" + ]; + }; + makefu.snapraid = { + enable = true; + disks = map toMapper [ 0 1 2 3 4 5 6 ]; + parity = toMapper 7; + }; + networking.nameservers = [ "8.8.8.8" ]; + #networking.interfaces.enp6s0f0.ip4 = [{ + # address = "151.217.173.20"; + # prefixLength = 22; + #}]; + #networking.defaultGateway = "151.217.172.1"; + networking.interfaces.enp8s0f1.ip4 = [{ + address = "192.168.126.1"; + prefixLength = 24; + }]; + #interfaces.enp6s0f1.ip4 = [{ + # address = external-ip; + # prefixLength = 22; + #}]; + + boot.loader.grub.device = rootDisk; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html + boot.extraModprobeConfig = '' + options ixgbe allow_unsupported_sfp=1 + ''; +} diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix deleted file mode 100644 index e143d0046..000000000 --- a/makefu/1systems/filepimp.nix +++ /dev/null 
@@ -1,91 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- byid = dev: "/dev/disk/by-id/" + dev;
- part1 = disk: disk + "-part1";
- rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890";
- primary-interface = "enp3s0"; # c8:cb:b8:cf:e4:dc
- # N54L Chassis:
- # ____________________
- # |______FRONT_______|
- # | [ ]|
- # | [ d1 ** d3 d4 ]|
- # |___[_____________]|
- jDisk1 = byid "ata-ST4000DM000-1F2168_Z3040NEA";
-
- # transfer to omo
- # jDisk0 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
- jDisk2 = byid "ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E0621363";
- jDisk3 = byid "ata-TOSHIBA_MD04ACA400_156GK89OFSBA";
- allDisks = [ rootDisk jDisk1 jDisk2 jDisk3 ];
-in {
- imports =
- [ # Include the results of the hardware scan.
- ../.
- ../2configs/fs/single-partition-ext4.nix
- ../2configs/smart-monitor.nix
- ../2configs/tinc/retiolum.nix
- ../2configs/filepimp-share.nix
- ];
-
- krebs.build.host = config.krebs.hosts.filepimp;
- # AMD N54L
- boot = {
- loader.grub.device = rootDisk;
-
- initrd.availableKernelModules = [
- "ahci"
- "ohci_pci"
- "ehci_pci"
- "pata_atiixp"
- "usb_storage"
- "usbhid"
- ];
-
- kernelModules = [ "kvm-amd" ];
- extraModulePackages = [ ];
- };
- hardware.enableAllFirmware = true;
- hardware.cpu.amd.updateMicrocode = true;
-
- zramSwap.enable = true;
- zramSwap.numDevices = 2;
-
- makefu.snapraid = let
- toMedia = name: "/media/" + name;
- in {
- enable = true;
- # todo combine creation when enabling the mount point
- disks = map toMedia [
- # "j0"
- "j1"
- "j2"
- ];
- parity = toMedia "par0";
- };
- # TODO: refactor, copy-paste from omo
- services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
- powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
- ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
- ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
- ${pkgs.hdparm}/sbin/hdparm -y ${disk}
- '') allDisks);
- fileSystems = let
- xfsmount = name: dev:
- { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
- in
- # (xfsmount "j0" (part1 jDisk0)) //
- (xfsmount "j1" (part1 jDisk1)) //
- (xfsmount "j2" (part1 jDisk2)) //
- (xfsmount "par0" (part1 jDisk3))
- ;
-
- networking.firewall.trustedInterfaces = [ primary-interface ];
-
- services.wakeonlan.interfaces = [
- {
- interface = primary-interface;
- method = "password";
- password = "CA:FE:BA:BE:13:37";
- }
- ];
-}
diff --git a/makefu/1systems/filepimp/config.nix b/makefu/1systems/filepimp/config.nix
new file mode 100644
index 000000000..e143d0046
--- /dev/null
+++ b/makefu/1systems/filepimp/config.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+let
+ byid = dev: "/dev/disk/by-id/" + dev;
+ part1 = disk: disk + "-part1";
+ rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890";
+ primary-interface = "enp3s0"; # c8:cb:b8:cf:e4:dc
+ # N54L Chassis:
+ # ____________________
+ # |______FRONT_______|
+ # | [ ]|
+ # | [ d1 ** d3 d4 ]|
+ # |___[_____________]|
+ jDisk1 = byid "ata-ST4000DM000-1F2168_Z3040NEA";
+
+ # transfer to omo
+ # jDisk0 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
+ jDisk2 = byid "ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E0621363";
+ jDisk3 = byid "ata-TOSHIBA_MD04ACA400_156GK89OFSBA";
+ allDisks = [ rootDisk jDisk1 jDisk2 jDisk3 ];
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ ../.
+ ../2configs/fs/single-partition-ext4.nix
+ ../2configs/smart-monitor.nix
+ ../2configs/tinc/retiolum.nix
+ ../2configs/filepimp-share.nix
+ ];
+
+ krebs.build.host = config.krebs.hosts.filepimp;
+ # AMD N54L
+ boot = {
+ loader.grub.device = rootDisk;
+
+ initrd.availableKernelModules = [
+ "ahci"
+ "ohci_pci"
+ "ehci_pci"
+ "pata_atiixp"
+ "usb_storage"
+ "usbhid"
+ ];
+
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+ hardware.enableAllFirmware = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+ zramSwap.enable = true;
+ zramSwap.numDevices = 2;
+
+ makefu.snapraid = let
+ toMedia = name: "/media/" + name;
+ in {
+ enable = true;
+ # todo combine creation when enabling the mount point
+ disks = map toMedia [
+ # "j0"
+ "j1"
+ "j2"
+ ];
+ parity = toMedia "par0";
+ };
+ # TODO: refactor, copy-paste from omo
+ services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
+ powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
+ ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -y ${disk}
+ '') allDisks);
+ fileSystems = let
+ xfsmount = name: dev:
+ { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
+ in
+ # (xfsmount "j0" (part1 jDisk0)) //
+ (xfsmount "j1" (part1 jDisk1)) //
+ (xfsmount "j2" (part1 jDisk2)) //
+ (xfsmount "par0" (part1 jDisk3))
+ ;
+
+ networking.firewall.trustedInterfaces = [ primary-interface ];
+
+ services.wakeonlan.interfaces = [
+ {
+ interface = primary-interface;
+ method = "password";
+ password = "CA:FE:BA:BE:13:37";
+ }
+ ];
+}
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
deleted file mode 100644
index 51761d3fd..000000000
--- a/makefu/1systems/gum.nix
+++ /dev/null
@@ -1,163 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - external-mac = "3a:66:48:8e:82:b2"; - external-ip = config.krebs.build.host.nets.internet.ip4.addr; - external-ip6 = config.krebs.build.host.nets.internet.ip6.addr; - external-gw = "188.68.40.1"; - external-gw6 = "fe80::1"; - external-netmask = 22; - external-netmask6 = 64; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; - main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; -in { - imports = [ - ../. - - ../2configs/headless.nix - ../2configs/fs/single-partition-ext4.nix - # ../2configs/smart-monitor.nix - ../2configs/git/cgit-retiolum.nix - ../2configs/backup.nix - # ../2configs/mattermost-docker.nix - # ../2configs/disable_v6.nix - ../2configs/exim-retiolum.nix - ../2configs/tinc/retiolum.nix - ../2configs/urlwatch - - # Security - ../2configs/sshd-totp.nix - - # Tools - ../2configs/tools/core.nix - ../2configs/tools/dev.nix - ../2configs/tools/sec.nix - - # services - ../2configs/share/gum.nix - ../2configs/sabnzbd.nix - ../2configs/torrent.nix - ../2configs/iodined.nix - - ## Web - ../2configs/nginx/share-download.nix - ../2configs/nginx/euer.test.nix - ../2configs/nginx/euer.wiki.nix - ../2configs/nginx/euer.blog.nix - ../2configs/nginx/public_html.nix - ../2configs/nginx/update.connector.one.nix - - ../2configs/deployment/mycube.connector.one.nix - ../2configs/deployment/graphs.nix - ../2configs/deployment/owncloud.nix - ../2configs/deployment/wiki-irc-bot - ../2configs/deployment/boot-euer.nix - ../2configs/deployment/hound - { - services.taskserver.enable = true; - services.taskserver.fqdn = config.krebs.build.host.name; - services.taskserver.listenHost = "::"; - services.taskserver.organisations.home.users = [ "makefu" ]; - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ''; - } - # ../2configs/ipfs.nix - ../2configs/syncthing.nix 
- - # ../2configs/opentracker.nix - ../2configs/stats/client.nix - # ../2configs/logging/client.nix - - ]; - makefu.dl-dir = "/var/download"; - - - ###### stable - services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; - krebs.build.host = config.krebs.hosts.gum; - - krebs.tinc.retiolum = { - extraConfig = '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - ''; - connectTo = [ - "muhbaasu" "tahoe" "flap" "wry" - "ni" - "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs" - ]; - }; - - - - # access - users.users = { - root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ]; - makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; - }; - - # Chat - environment.systemPackages = with pkgs;[ - weechat - bepasty-client-cli - get - ]; - services.bitlbee.enable = true; - - # Hardware - boot.loader.grub.device = main-disk; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - - # Network - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="et0" - ''; - boot.kernelParams = [ ]; - networking = { - firewall = { - allowPing = true; - logRefusedConnections = false; - allowedTCPPorts = [ - # smtp - 25 - # http - 80 443 - # tinc - 655 - # tinc-shack - 21032 - # tinc-retiolum - 21031 - # taskserver - 53589 - # temp vnc - 18001 - ]; - allowedUDPPorts = [ - # tinc - 655 53 - # tinc-retiolum - 21031 - # tinc-shack - 21032 - ]; - }; - interfaces.et0.ip4 = [{ - address = external-ip; - prefixLength = external-netmask; - }]; - interfaces.et0.ip6 = [{ - address = external-ip6; - prefixLength = external-netmask6; - }]; - defaultGateway6 = external-gw6; - defaultGateway = external-gw; - nameservers = [ "8.8.8.8" ]; - }; - -} 
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix new file mode 100644 index 000000000..51761d3fd --- /dev/null +++ b/makefu/1systems/gum/config.nix 
@@ -0,0 +1,163 @@
+{ config, lib, pkgs, ... }:
+
+with import ;
+let
+ external-mac = "3a:66:48:8e:82:b2";
+ external-ip = config.krebs.build.host.nets.internet.ip4.addr;
+ external-ip6 = config.krebs.build.host.nets.internet.ip6.addr;
+ external-gw = "188.68.40.1";
+ external-gw6 = "fe80::1";
+ external-netmask = 22;
+ external-netmask6 = 64;
+ internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+ main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
+in {
+ imports = [
+ ../.
+
+ ../2configs/headless.nix
+ ../2configs/fs/single-partition-ext4.nix
+ # ../2configs/smart-monitor.nix
+ ../2configs/git/cgit-retiolum.nix
+ ../2configs/backup.nix
+ # ../2configs/mattermost-docker.nix
+ # ../2configs/disable_v6.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/tinc/retiolum.nix
+ ../2configs/urlwatch
+
+ # Security
+ ../2configs/sshd-totp.nix
+
+ # Tools
+ ../2configs/tools/core.nix
+ ../2configs/tools/dev.nix
+ ../2configs/tools/sec.nix
+
+ # services
+ ../2configs/share/gum.nix
+ ../2configs/sabnzbd.nix
+ ../2configs/torrent.nix
+ ../2configs/iodined.nix
+
+ ## Web
+ ../2configs/nginx/share-download.nix
+ ../2configs/nginx/euer.test.nix
+ ../2configs/nginx/euer.wiki.nix
+ ../2configs/nginx/euer.blog.nix
+ ../2configs/nginx/public_html.nix
+ ../2configs/nginx/update.connector.one.nix
+
+ ../2configs/deployment/mycube.connector.one.nix
+ ../2configs/deployment/graphs.nix
+ ../2configs/deployment/owncloud.nix
+ ../2configs/deployment/wiki-irc-bot
+ ../2configs/deployment/boot-euer.nix
+ ../2configs/deployment/hound
+ {
+ services.taskserver.enable = true;
+ services.taskserver.fqdn = config.krebs.build.host.name;
+ services.taskserver.listenHost = "::";
+ services.taskserver.organisations.home.users = [ "makefu" ];
+ networking.firewall.extraCommands = ''
+ iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
+ ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
+ '';
+ }
+ # ../2configs/ipfs.nix
+ ../2configs/syncthing.nix
+
+ # ../2configs/opentracker.nix
+ ../2configs/stats/client.nix
+ # ../2configs/logging/client.nix
+
+ ];
+ makefu.dl-dir = "/var/download";
+
+
+ ###### stable
+ services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
+ krebs.build.host = config.krebs.hosts.gum;
+
+ krebs.tinc.retiolum = {
+ extraConfig = ''
+ ListenAddress = ${external-ip} 53
+ ListenAddress = ${external-ip} 655
+ ListenAddress = ${external-ip} 21031
+ '';
+ connectTo = [
+ "muhbaasu" "tahoe" "flap" "wry"
+ "ni"
+ "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs"
+ ];
+ };
+
+
+
+ # access
+ users.users = {
+ root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
+ makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
+ };
+
+ # Chat
+ environment.systemPackages = with pkgs;[
+ weechat
+ bepasty-client-cli
+ get
+ ];
+ services.bitlbee.enable = true;
+
+ # Hardware
+ boot.loader.grub.device = main-disk;
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+
+ # Network
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="et0"
+ '';
+ boot.kernelParams = [ ];
+ networking = {
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedTCPPorts = [
+ # smtp
+ 25
+ # http
+ 80 443
+ # tinc
+ 655
+ # tinc-shack
+ 21032
+ # tinc-retiolum
+ 21031
+ # taskserver
+ 53589
+ # temp vnc
+ 18001
+ ];
+ allowedUDPPorts = [
+ # tinc
+ 655 53
+ # tinc-retiolum
+ 21031
+ # tinc-shack
+ 21032
+ ];
+ };
+ interfaces.et0.ip4 = [{
+ address = external-ip;
+ prefixLength = external-netmask;
+ }];
+ interfaces.et0.ip6 = [{
+ address = external-ip6;
+ prefixLength = external-netmask6;
+ }];
+ defaultGateway6 = external-gw6;
+ defaultGateway = external-gw;
+ nameservers = [ "8.8.8.8" ];
+ };
+
+}
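Review bot: The relative imports in the new `makefu/1systems/gum/config.nix` (`../.` and every `../2configs/...` entry in the `imports` list) were copied unchanged from `makefu/1systems/gum.nix`, but the file now sits one directory deeper, so they resolve to `makefu/1systems/` and `makefu/1systems/2configs/...` instead of `makefu/` and `makefu/2configs/...`. Unless a follow-up commit adds those paths or switches to a search-path form, evaluation should fail with a missing-path error before any of the network, firewall or tinc settings take effect. The fix is to rewrite them as `../../.` and `../../2configs/<name>`, e.g. `../../2configs/sshd-totp.nix`. The same stale prefixes appear in the iso, omo and pnp `config.nix` hunks below (and in the repunit hunk, which continues past this view), so one pass over all moved files is needed.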
diff --git a/makefu/1systems/iso.nix b/makefu/1systems/iso.nix
deleted file mode 100644
index c679241e5..000000000
--- a/makefu/1systems/iso.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with import ;
-{
- imports = [
- ../.
-
-
- ../2configs/tools/core.nix
- ];
- # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
- # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
- krebs.build.host = config.krebs.hosts.iso;
- krebs.hidden-ssh.enable = true;
- environment.systemPackages = with pkgs; [
- aria2
- ddrescue
- ];
- environment.extraInit = ''
- EDITOR=vim
- '';
- # iso-specific
- boot.kernelParams = [ "copytoram" ];
- services.openssh = {
- enable = true;
- hostKeys = [
- { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- };
- # enable ssh in the iso boot process
- systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
- # hack `tee` behavior
- nixpkgs.config.packageOverrides = super: {
- irc-announce = super.callPackage {
- pkgs = pkgs // {
- coreutils = pkgs.symlinkJoin {
- name = "coreutils-hack";
- paths = [
- pkgs.coreutils
- (pkgs.writeDashBin "tee" ''
- if test "$1" = /dev/stderr; then
- while read -r line; do
- echo "$line"
- echo "$line" >&2
- done
- else
- ${super.coreutils}/bin/tee "$@"
- fi
- '')
- ];
- };
- };
- };
- };
-}
diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix
new file mode 100644
index 000000000..c679241e5
--- /dev/null
+++ b/makefu/1systems/iso/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+with import ;
+{
+ imports = [
+ ../.
+
+
+ ../2configs/tools/core.nix
+ ];
+ # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
+ # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
+ krebs.build.host = config.krebs.hosts.iso;
+ krebs.hidden-ssh.enable = true;
+ environment.systemPackages = with pkgs; [
+ aria2
+ ddrescue
+ ];
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+ # iso-specific
+ boot.kernelParams = [ "copytoram" ];
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+ # enable ssh in the iso boot process
+ systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
+ # hack `tee` behavior
+ nixpkgs.config.packageOverrides = super: {
+ irc-announce = super.callPackage {
+ pkgs = pkgs // {
+ coreutils = pkgs.symlinkJoin {
+ name = "coreutils-hack";
+ paths = [
+ pkgs.coreutils
+ (pkgs.writeDashBin "tee" ''
+ if test "$1" = /dev/stderr; then
+ while read -r line; do
+ echo "$line"
+ echo "$line" >&2
+ done
+ else
+ ${super.coreutils}/bin/tee "$@"
+ fi
+ '')
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
deleted file mode 100644
index 0f1b8e0da..000000000
--- a/makefu/1systems/omo.nix
+++ /dev/null
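Review bot: The build recipe comment in the new `makefu/1systems/iso/config.nix` still says `-I nixos-config=makefu/1systems/iso.nix`, which is the path this commit deletes, so anyone following it will get a missing-file error; it should read `-I nixos-config=makefu/1systems/iso/config.nix`. Separately, the host key entry `{ bits = 8192; type = "ed25519"; ... }` carries a `bits` value that ssh-keygen ignores for Ed25519 (the key length is fixed), so the 8192 suggests a key strength that is not actually in effect; dropping `bits` or noting `# bits is ignored for ed25519` would keep the next reader from relying on it.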
@@ -1,204 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, lib, ... }: -let - toMapper = id: "/media/crypt${builtins.toString id}"; - byid = dev: "/dev/disk/by-id/" + dev; - keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; - rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; - rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; - primaryInterface = "enp1s0"; - # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 - # cryptsetup luksAddKey $dev tmpkey - # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 - # mkfs.xfs /dev/mapper/crypt0 -L crypt0 - - # omo Chassis: - # __FRONT_ - # |* d0 | - # | | - # |* d3 | - # | | - # |* d3 | - # | | - # |* | - # |* d2 | - # | * r0 | - # |_______| - cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; - cryptDisk1 = byid "ata-TP02000GB_TPW151006050068"; - cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG"; - # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907"; - # all physical disks - - # TODO callPackage ../3modules/MonitorDisks { disks = allDisks } - dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ]; - allDisks = [ rootDisk ] ++ dataDisks; -in { - imports = - [ - ../. 
- # TODO: unlock home partition via ssh - ../2configs/fs/sda-crypto-root.nix - ../2configs/zsh-user.nix - ../2configs/backup.nix - ../2configs/exim-retiolum.nix - ../2configs/smart-monitor.nix - ../2configs/mail-client.nix - # ../2configs/disable_v6.nix - #../2configs/graphite-standalone.nix - #../2configs/share-user-sftp.nix - ../2configs/share/omo.nix - ../2configs/tinc/retiolum.nix - - # Logging - ../2configs/stats/server.nix #influx + grafana - ../2configs/stats/client.nix - ../2configs/stats/external/aralast.nix # logs to influx - - # services - ../2configs/syncthing.nix - ../2configs/mqtt.nix - # ../2configs/logging/central-logging-client.nix - - # ../2configs/torrent.nix - - # ../2configs/elchos/search.nix - # ../2configs/elchos/log.nix - # ../2configs/elchos/irc-token.nix - - ## as long as pyload is not in nixpkgs: - # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload - ]; - makefu.full-populate = true; - makefu.server.primary-itf = primaryInterface; - krebs.rtorrent = { - downloadDir = lib.mkForce "/media/crypt0/torrent"; - extraConfig = '' - upload_rate = 200 - ''; - }; - users.groups.share = { - gid = (import ).genid "share"; - members = [ "makefu" "misa" ]; - }; - networking.firewall.trustedInterfaces = [ primaryInterface ]; - # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net - # tcp:80 - nginx for sharing files - # tcp:655 udp:655 - tinc - # tcp:8111 - graphite - # tcp:8112 - pyload - # tcp:9090 - sabnzbd - # tcp:9200 - elasticsearch - # tcp:5601 - kibana - networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ]; - - # services.openssh.allowSFTP = false; - - # copy config from to /var/lib/sabnzbd/ - services.sabnzbd.enable = true; - systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - - 
virtualisation.docker.enable = true; - makefu.ps3netsrv = { - enable = true; - servedir = "/media/cryptX/emu/ps3"; - }; - # HDD Array stuff - services.smartd.devices = builtins.map (x: { device = x; }) allDisks; - - makefu.snapraid = { - enable = true; - disks = map toMapper [ 0 1 ]; - parity = toMapper 2; - }; - - # TODO create folders in /media - system.activationScripts.createCryptFolders = '' - ${lib.concatMapStringsSep "\n" - (d: "install -m 755 -d " + (toMapper d) ) - [ 0 1 2 "X" ]} - ''; - environment.systemPackages = with pkgs;[ - mergerfs # hard requirement for mount - wol # wake up filepimp - f3 - ]; - fileSystems = let - cryptMount = name: - { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; - in cryptMount "crypt0" - // cryptMount "crypt1" - // cryptMount "crypt2" - // { "/media/cryptX" = { - device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]); - fsType = "mergerfs"; - noCheck = true; - options = [ "defaults" "allow_other" "nofail" "nonempty" ]; - }; - }; - - powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' - ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} - ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} - ${pkgs.hdparm}/sbin/hdparm -y ${disk} - '') allDisks); - - # crypto unlocking - boot = { - initrd.luks = { - devices = let - usbkey = name: device: { - inherit name device keyFile; - keyFileSize = 4096; - allowDiscards = true; - }; - in [ - (usbkey "luksroot" rootPartition) - (usbkey "crypt0" cryptDisk0) - (usbkey "crypt1" cryptDisk1) - (usbkey "crypt2" cryptDisk2) - ]; - }; - loader.grub.device = lib.mkForce rootDisk; - - initrd.availableKernelModules = [ - "ahci" - "ohci_pci" - "ehci_pci" - "pata_atiixp" - "firewire_ohci" - "usb_storage" - "usbhid" - ]; - - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - }; - users.users.misa = { - uid = 9002; - name = "misa"; - }; - # hardware.enableAllFirmware = true; - hardware.enableRedistributableFirmware = true; - hardware.cpu.intel.updateMicrocode 
= true; - - zramSwap.enable = true; - - krebs.Reaktor.reaktor = { - nickname = "Reaktor|bot"; - channels = [ "#krebs" "#shackspace" "#binaergewitter" ]; - plugins = with pkgs.ReaktorPlugins;[ - titlebot - # stockholm-issue - nixos-version - shack-correct - sed-plugin - random-emoji ]; - }; - - krebs.build.host = config.krebs.hosts.omo; -} diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix new file mode 100644 index 000000000..0f1b8e0da --- /dev/null +++ b/makefu/1systems/omo/config.nix 
@@ -0,0 +1,204 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; + rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; + rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; + primaryInterface = "enp1s0"; + # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 + # cryptsetup luksAddKey $dev tmpkey + # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 + # mkfs.xfs /dev/mapper/crypt0 -L crypt0 + + # omo Chassis: + # __FRONT_ + # |* d0 | + # | | + # |* d3 | + # | | + # |* d3 | + # | | + # |* | + # |* d2 | + # | * r0 | + # |_______| + cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; + cryptDisk1 = byid "ata-TP02000GB_TPW151006050068"; + cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG"; + # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907"; + # all physical disks + + # TODO callPackage ../3modules/MonitorDisks { disks = allDisks } + dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ]; + allDisks = [ rootDisk ] ++ dataDisks; +in { + imports = + [ + ../. 
+ # TODO: unlock home partition via ssh + ../2configs/fs/sda-crypto-root.nix + ../2configs/zsh-user.nix + ../2configs/backup.nix + ../2configs/exim-retiolum.nix + ../2configs/smart-monitor.nix + ../2configs/mail-client.nix + # ../2configs/disable_v6.nix + #../2configs/graphite-standalone.nix + #../2configs/share-user-sftp.nix + ../2configs/share/omo.nix + ../2configs/tinc/retiolum.nix + + # Logging + ../2configs/stats/server.nix #influx + grafana + ../2configs/stats/client.nix + ../2configs/stats/external/aralast.nix # logs to influx + + # services + ../2configs/syncthing.nix + ../2configs/mqtt.nix + # ../2configs/logging/central-logging-client.nix + + # ../2configs/torrent.nix + + # ../2configs/elchos/search.nix + # ../2configs/elchos/log.nix + # ../2configs/elchos/irc-token.nix + + ## as long as pyload is not in nixpkgs: + # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload + ]; + makefu.full-populate = true; + makefu.server.primary-itf = primaryInterface; + krebs.rtorrent = { + downloadDir = lib.mkForce "/media/crypt0/torrent"; + extraConfig = '' + upload_rate = 200 + ''; + }; + users.groups.share = { + gid = (import ).genid "share"; + members = [ "makefu" "misa" ]; + }; + networking.firewall.trustedInterfaces = [ primaryInterface ]; + # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net + # tcp:80 - nginx for sharing files + # tcp:655 udp:655 - tinc + # tcp:8111 - graphite + # tcp:8112 - pyload + # tcp:9090 - sabnzbd + # tcp:9200 - elasticsearch + # tcp:5601 - kibana + networking.firewall.allowedUDPPorts = [ 655 ]; + networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ]; + + # services.openssh.allowSFTP = false; + + # copy config from to /var/lib/sabnzbd/ + services.sabnzbd.enable = true; + systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + 
virtualisation.docker.enable = true; + makefu.ps3netsrv = { + enable = true; + servedir = "/media/cryptX/emu/ps3"; + }; + # HDD Array stuff + services.smartd.devices = builtins.map (x: { device = x; }) allDisks; + + makefu.snapraid = { + enable = true; + disks = map toMapper [ 0 1 ]; + parity = toMapper 2; + }; + + # TODO create folders in /media + system.activationScripts.createCryptFolders = '' + ${lib.concatMapStringsSep "\n" + (d: "install -m 755 -d " + (toMapper d) ) + [ 0 1 2 "X" ]} + ''; + environment.systemPackages = with pkgs;[ + mergerfs # hard requirement for mount + wol # wake up filepimp + f3 + ]; + fileSystems = let + cryptMount = name: + { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; + in cryptMount "crypt0" + // cryptMount "crypt1" + // cryptMount "crypt2" + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]); + fsType = "mergerfs"; + noCheck = true; + options = [ "defaults" "allow_other" "nofail" "nonempty" ]; + }; + }; + + powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' + ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} + ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} + ${pkgs.hdparm}/sbin/hdparm -y ${disk} + '') allDisks); + + # crypto unlocking + boot = { + initrd.luks = { + devices = let + usbkey = name: device: { + inherit name device keyFile; + keyFileSize = 4096; + allowDiscards = true; + }; + in [ + (usbkey "luksroot" rootPartition) + (usbkey "crypt0" cryptDisk0) + (usbkey "crypt1" cryptDisk1) + (usbkey "crypt2" cryptDisk2) + ]; + }; + loader.grub.device = lib.mkForce rootDisk; + + initrd.availableKernelModules = [ + "ahci" + "ohci_pci" + "ehci_pci" + "pata_atiixp" + "firewire_ohci" + "usb_storage" + "usbhid" + ]; + + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; + users.users.misa = { + uid = 9002; + name = "misa"; + }; + # hardware.enableAllFirmware = true; + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode 
= true; + + zramSwap.enable = true; + + krebs.Reaktor.reaktor = { + nickname = "Reaktor|bot"; + channels = [ "#krebs" "#shackspace" "#binaergewitter" ]; + plugins = with pkgs.ReaktorPlugins;[ + titlebot + # stockholm-issue + nixos-version + shack-correct + sed-plugin + random-emoji ]; + }; + + krebs.build.host = config.krebs.hosts.omo; +} diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix deleted file mode 100644 index 971676b79..000000000 --- a/makefu/1systems/pnp.nix +++ /dev/null @@ -1,50 +0,0 @@ -# Usage: -# NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm -# result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets -{ config, pkgs, ... }: - -{ - imports = - [ - ../. - ../2configs/headless.nix - ../../krebs/3modules/Reaktor.nix - - # these will be overwritten by qemu-vm.nix but will be used if the system - # is directly deployed - - ../2configs/fs/vm-single-partition.nix - - ../2configs/tinc/retiolum.nix - - # config.system.build.vm - (toString ) - ]; - - virtualisation.graphics = false; - # also export secrets, see Usage above - fileSystems = pkgs.lib.mkVMOverride { - "${builtins.toString }" = - { device = "secrets"; - fsType = "9p"; - options = "trans=virtio,version=9p2000.L,cache=loose"; - neededForBoot = true; - }; - }; - - krebs.Reaktor.debug = { - debug = true; - extraEnviron = { - REAKTOR_HOST = "ni.r"; - }; - plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ]; - channels = [ "#retiolum" ]; - }; - - krebs.build.host = config.krebs.hosts.pnp; - - networking.firewall.allowedTCPPorts = [ - 25 - ]; - -} diff --git a/makefu/1systems/pnp/config.nix b/makefu/1systems/pnp/config.nix new file mode 100644 index 000000000..971676b79 --- /dev/null +++ b/makefu/1systems/pnp/config.nix 
@@ -0,0 +1,50 @@ +# Usage: +# NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm +# result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets +{ config, pkgs, ... }: + +{ + imports = + [ + ../. + ../2configs/headless.nix + ../../krebs/3modules/Reaktor.nix + + # these will be overwritten by qemu-vm.nix but will be used if the system + # is directly deployed + + ../2configs/fs/vm-single-partition.nix + + ../2configs/tinc/retiolum.nix + + # config.system.build.vm + (toString ) + ]; + + virtualisation.graphics = false; + # also export secrets, see Usage above + fileSystems = pkgs.lib.mkVMOverride { + "${builtins.toString }" = + { device = "secrets"; + fsType = "9p"; + options = "trans=virtio,version=9p2000.L,cache=loose"; + neededForBoot = true; + }; + }; + + krebs.Reaktor.debug = { + debug = true; + extraEnviron = { + REAKTOR_HOST = "ni.r"; + }; + plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ]; + channels = [ "#retiolum" ]; + }; + + krebs.build.host = config.krebs.hosts.pnp; + + networking.firewall.allowedTCPPorts = [ + 25 + ]; + +} diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix deleted file mode 100644 index 7102b8f81..000000000 --- a/makefu/1systems/repunit.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ../. - - ../2configs/git/cgit-retiolum.nix - ../2configs/tinc/retiolum.nix - ]; - krebs.build.host = config.krebs.hosts.repunit; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - hardware.enableAllFirmware = true; - hardware.cpu.amd.updateMicrocode = true; - -# networking.firewall is enabled by default - networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; - - fileSystems."/" = - { device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - -# $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - jq - ]; -} diff --git a/makefu/1systems/repunit/config.nix b/makefu/1systems/repunit/config.nix new file mode 100644 index 000000000..7102b8f81 --- /dev/null +++ b/makefu/1systems/repunit/config.nix @@ -0,0 +1,40 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page