From 29ef105c46287bb9964269004a56c51d4a2834bd Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jul 2016 19:19:18 +0200 Subject: l 2 buildbot: uss ssh sockets --- lass/2configs/buildbot-standalone.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 5afb23687..7c7693ab7 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -3,8 +3,13 @@ with config.krebs.lib; let + sshHostConfig = pkgs.writeText "ssh-config" '' + ControlMaster auto + ControlPath /tmp/%u_sshmux_%r@%h:%p + ControlPersist 4h + ''; sshWrapper = pkgs.writeDash "ssh-wrapper" '' - ${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" + ${pkgs.openssh}/bin/ssh -F ${sshHostConfig} -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" ''; in { -- cgit v1.3.1 From 947f79a399dd9ca6dd8a177d31d8b016692040f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jul 2016 18:03:47 +0200 Subject: l 2 git: allow all users to fetch public repos --- lass/2configs/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 9a1cab176..ab4450715 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -80,7 +80,7 @@ let perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ optional repo.public { - user = [ tv makefu ]; + user = attrValues config.krebs.users; repo = [ repo ]; perm = fetch; } ++ -- cgit v1.3.1 From b139155bee6006f21993f3b2b6bfd5adde6fff6f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 26 Jul 2016 21:36:47 +0200 Subject: l 3 power-action -> k 3 power-action --- krebs/3modules/default.nix | 1 + krebs/3modules/power-action.nix | 97 +++++++++++++++++++++++++++++++++++++++++ lass/1systems/helios.nix | 2 +- lass/2configs/power-action.nix | 4 +- lass/3modules/default.nix | 1 - lass/3modules/power-action.nix | 97 ----------------------------------------- 6 files changed, 101 insertions(+), 101 deletions(-) create mode 100644 krebs/3modules/power-action.nix delete mode 100644 lass/3modules/power-action.nix (limited to 'lass') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index d64d8047a..9af42acc9 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./on-failure.nix ./os-release.nix ./per-user.nix + ./power-action.nix ./Reaktor.nix ./realwallpaper.nix ./retiolum-bootstrap.nix diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix new file mode 100644 index 000000000..4c2533eb7 --- /dev/null +++ b/krebs/3modules/power-action.nix @@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +let + cfg = config.krebs.power-action; + + out = { + options.krebs.power-action = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "power-action"; + battery = mkOption { + type = types.str; + default = "BAT0"; + }; + user = mkOption { + type = types.user; + default = { + name = "power-action"; + }; + }; + startAt = mkOption { + type = types.str; + default = "*:0/1"; + }; + plans = mkOption { + type = with types; attrsOf (submodule { + options = { + charging = mkOption { + type = nullOr bool; + default = null; + description = '' + check for charging status. + null = don't care + true = only if system is charging + false = only if system is discharging + ''; + }; + upperLimit = mkOption { + type = int; + }; + lowerLimit = mkOption { + type = int; + }; + action = mkOption { + type = path; + }; + }; + }); + }; + }; + + imp = { + systemd.services.power-action = { + serviceConfig = rec { + ExecStart = startScript; + User = cfg.user.name; + }; + startAt = cfg.startAt; + }; + users.users.${cfg.user.name} = { + inherit (cfg.user) name uid; + }; + }; + + startScript = pkgs.writeDash "power-action" '' + set -euf + + power="$(${powerlvl})" + state="$(${state})" + ${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)} + ''; + charging_check = plan: + if (plan.charging == null) then "" else + if plan.charging + then ''&& [ "$state" = "true" ]'' + else ''&& ! [ "$state" = "true" ]'' + ; + + writeRule = _: plan: + "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi"; + + powerlvl = pkgs.writeDash "powerlvl" '' + cat /sys/class/power_supply/${cfg.battery}/capacity + ''; + + state = pkgs.writeDash "state" '' + if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ] + then echo "false" + else echo "true" + fi + ''; + +in out diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 5f161d731..53026a6fb 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -58,7 +58,7 @@ with config.krebs.lib; # }; #} { - lass.power-action.battery = "BAT1"; + krebs.power-action.battery = "BAT1"; } ]; diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix index 0ff8547c7..133966498 100644 --- a/lass/2configs/power-action.nix +++ b/lass/2configs/power-action.nix @@ -11,7 +11,7 @@ let ''; in { - lass.power-action = { + krebs.power-action = { enable = true; plans.low-battery = { upperLimit = 30; @@ -36,6 +36,6 @@ in { ]; security.sudo.extraConfig = '' - ${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend} + ${config.krebs.power-action.user.name} ALL= (root) NOPASSWD: ${suspend} ''; } diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 6a3b41ca4..60370b230 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -4,7 +4,6 @@ _: ./ejabberd ./folderPerms.nix ./mysql-backup.nix - ./power-action.nix ./umts.nix ./urxvtd.nix ./wordpress_nginx.nix diff --git a/lass/3modules/power-action.nix b/lass/3modules/power-action.nix deleted file mode 100644 index 30875c9a9..000000000 --- a/lass/3modules/power-action.nix +++ /dev/null @@ -1,97 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - cfg = config.lass.power-action; - - out = { - options.lass.power-action = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "power-action"; - battery = mkOption { - type = types.str; - default = "BAT0"; - }; - user = mkOption { - type = types.user; - default = { - name = "power-action"; - }; - }; - startAt = mkOption { - type = types.str; - default = "*:0/1"; - }; - plans = mkOption { - type = with types; attrsOf (submodule { - options = { - charging = mkOption { - type = nullOr bool; - default = null; - description = '' - check for charging status. - null = don't care - true = only if system is charging - false = only if system is discharging - ''; - }; - upperLimit = mkOption { - type = int; - }; - lowerLimit = mkOption { - type = int; - }; - action = mkOption { - type = path; - }; - }; - }); - }; - }; - - imp = { - systemd.services.power-action = { - serviceConfig = rec { - ExecStart = startScript; - User = cfg.user.name; - }; - startAt = cfg.startAt; - }; - users.users.${cfg.user.name} = { - inherit (cfg.user) name uid; - }; - }; - - startScript = pkgs.writeDash "power-action" '' - set -euf - - power="$(${powerlvl})" - state="$(${state})" - ${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)} - ''; - charging_check = plan: - if (plan.charging == null) then "" else - if plan.charging - then ''&& [ "$state" = "true" ]'' - else ''&& ! [ "$state" = "true" ]'' - ; - - writeRule = _: plan: - "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi"; - - powerlvl = pkgs.writeDash "powerlvl" '' - cat /sys/class/power_supply/${cfg.battery}/capacity - ''; - - state = pkgs.writeDash "state" '' - if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ] - then echo "false" - else echo "true" - fi - ''; - -in out -- cgit v1.3.1 From b1569158057042aa50e6816e38f0305bab8e5f9c Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 28 Jul 2016 12:58:54 +0200 Subject: makefu: pornocauster -> x --- krebs/3modules/makefu/default.nix | 16 ++++--- lass/2configs/buildbot-standalone.nix | 2 +- makefu/1systems/pornocauster.nix | 81 ----------------------------------- makefu/1systems/wbob.nix | 2 +- makefu/1systems/x.nix | 73 +++++++++++++++++++++++++++++++ makefu/2configs/tinc/siem.nix | 12 ++++++ 6 files changed, 96 insertions(+), 90 deletions(-) delete mode 100644 makefu/1systems/pornocauster.nix create mode 100644 makefu/1systems/x.nix create mode 100644 makefu/2configs/tinc/siem.nix (limited to 'lass') diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index a878f50ee..dffb6b0a1 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -126,15 +126,15 @@ with config.krebs.lib; }; }; }; - pornocauster = { + x = { cores = 2; nets = { retiolum = { ip4.addr = "10.243.0.91"; ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"; aliases = [ - "pornocauster.retiolum" - "pornocauster.r" + "x.retiolum" + "x.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -167,7 +167,7 @@ with config.krebs.lib; }; }; ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster"; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@x"; }; @@ -441,8 +441,9 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; shoney = rec { cores = 1; - nets = { + nets = rec { siem = { + via = internet; ip4.addr = "10.8.10.1"; ip4.prefix = "10.8.10.0/24"; aliases = [ @@ -459,6 +460,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB L+xhIsiMXQIo2hv8aOUnf/7Ac9DXNR83GwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.port = 1655; }; internet = { ip4.addr = "64.137.234.215"; @@ -790,8 +792,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; users = rec { makefu = { - mail = "makefu@pornocauster.retiolum"; - pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster"; + mail = "makefu@x.retiolum"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@x"; pgp.pubkeys.default = builtins.readFile ./default.pgp; pgp.pubkeys.brain = builtins.readFile ./brain.pgp; }; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 7c7693ab7..766fd715e 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -95,7 +95,7 @@ in { method=build \ system={}".format(i)]) - for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]: + for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: addShell(f,name="build-{}".format(i),env=env_makefu, command=nixshell + \ ["make \ diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix deleted file mode 100644 index b683e5630..000000000 --- a/makefu/1systems/pornocauster.nix +++ /dev/null @@ -1,81 +0,0 @@ -# -# -# -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ../. - ../2configs/main-laptop.nix #< base-gui + zsh - ../2configs/laptop-utils.nix - - # Krebs - #../2configs/disable_v6.nix - - - # applications - - ../2configs/exim-retiolum.nix - ../2configs/mail-client.nix - ../2configs/printer.nix - ../2configs/virtualization.nix - ../2configs/virtualization-virtualbox.nix - ../2configs/wwan.nix - - # services - ../2configs/git/brain-retiolum.nix - ../2configs/tor.nix - ../2configs/steam.nix - # ../2configs/buildbot-standalone.nix - - # hardware specifics are in here - ../2configs/hw/tp-x220.nix - ../2configs/hw/rtl8812au.nix - # mount points - ../2configs/fs/sda-crypto-root-home.nix - # ../2configs/mediawiki.nix - #../2configs/wordpress.nix - ../2configs/nginx/public_html.nix - - ../2configs/tinc/retiolum.nix - # temporary modules - ../2configs/temp/share-samba.nix - # ../2configs/temp/elkstack.nix - # ../2configs/temp/sabnzbd.nix - ]; - - services.tinc.networks.siem = { - name = "makefu"; - extraConfig = '' - ConnectTo = sdarth - ConnectTo = sjump - ''; - }; - - krebs.nginx = { - default404 = false; - servers.default.listen = [ "80 default_server" ]; - servers.default.server-names = [ "_" ]; - }; - - environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; - - virtualisation.docker.enable = true; - - # configure pulseAudio to provide a HDMI sink as well - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 80 24800 ]; - networking.firewall.allowedUDPPorts = [ 665 ]; - - krebs.build.host = config.krebs.hosts.pornocauster; - krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; - - krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; - - networking.extraHosts = '' - 192.168.1.11 omo.local - ''; - # hard dependency because otherwise the device will not be unlocked - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; -} diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index e8e0b091f..ff593ab35 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -66,7 +66,7 @@ in { client = { enable = true; screenName = "wbob"; - serverAddress = "pornocauster.r"; + serverAddress = "x.r"; }; }; } diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix new file mode 100644 index 000000000..d41edfa46 --- /dev/null +++ b/makefu/1systems/x.nix @@ -0,0 +1,73 @@ +# +# +# +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../. + ../2configs/main-laptop.nix #< base-gui + zsh + ../2configs/laptop-utils.nix + + # Krebs + #../2configs/disable_v6.nix + + + # applications + + ../2configs/exim-retiolum.nix + ../2configs/mail-client.nix + ../2configs/printer.nix + ../2configs/virtualization.nix + ../2configs/virtualization-virtualbox.nix + ../2configs/wwan.nix + + # services + ../2configs/git/brain-retiolum.nix + ../2configs/tor.nix + ../2configs/steam.nix + # ../2configs/buildbot-standalone.nix + + # hardware specifics are in here + ../2configs/hw/tp-x220.nix + ../2configs/hw/rtl8812au.nix + # mount points + ../2configs/fs/sda-crypto-root-home.nix + # ../2configs/mediawiki.nix + #../2configs/wordpress.nix + ../2configs/nginx/public_html.nix + + ../2configs/tinc/retiolum.nix + # temporary modules + ../2configs/temp/share-samba.nix + # ../2configs/temp/elkstack.nix + # ../2configs/temp/sabnzbd.nix + ../2configs/tinc/siem.nix + ]; + krebs.nginx = { + default404 = false; + servers.default.listen = [ "80 default_server" ]; + servers.default.server-names = [ "_" ]; + }; + + environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; + + virtualisation.docker.enable = true; + + # configure pulseAudio to provide a HDMI sink as well + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ 80 24800 26061 ]; + networking.firewall.allowedUDPPorts = [ 665 26061 ]; + + krebs.build.host = config.krebs.hosts.x; + krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; + + krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; + + networking.extraHosts = '' + 192.168.1.11 omo.local + ''; + # hard dependency because otherwise the device will not be unlocked + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; +} diff --git a/makefu/2configs/tinc/siem.nix b/makefu/2configs/tinc/siem.nix new file mode 100644 index 000000000..fae72590f --- /dev/null +++ b/makefu/2configs/tinc/siem.nix @@ -0,0 +1,12 @@ +{lib, config, ... }: +{ + # TODO do not know why we need to force it, port is only set via default to 655 + krebs.build.host.nets.siem.tinc.port = lib.mkForce 1655; + + networking.firewall.allowedUDPPorts = [ 1665 ]; + networking.firewall.allowedTCPPorts = [ 1655 ]; + krebs.tinc.siem = { + enable = true; + connectTo = [ "shoney" ]; + }; +} -- cgit v1.3.1 From 127b8c0989f1dc71313af67fb5e69c709df019f3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 2 Aug 2016 15:00:15 +0200 Subject: l 2 power-action: reflect api change --- lass/2configs/power-action.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix index 133966498..c83dc80dc 100644 --- a/lass/2configs/power-action.nix +++ b/lass/2configs/power-action.nix @@ -29,6 +29,7 @@ in { /var/setuid-wrappers/sudo ${suspend} ''; }; + user = "lass"; }; users.users.power-action.extraGroups = [ @@ -36,6 +37,6 @@ in { ]; security.sudo.extraConfig = '' - ${config.krebs.power-action.user.name} ALL= (root) NOPASSWD: ${suspend} + ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend} ''; } -- cgit v1.3.1 [cgit] Unable to lock slot /tmp/cgit/65300000.lock: No such file or directory (2)