From 6df0b60f8af8a486ec89f6630e827720efd445ca Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 15:45:32 +0200
Subject: wolf: cleanup
---
shared/1systems/wolf.nix | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
(limited to 'shared/1systems')
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 722a08812..0b4448022 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -1,20 +1,18 @@
-{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: let shack-ip = config.krebs.build.host.nets.shack.ip4.addr; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ ../. + ../2configs/cgit-mirror.nix ../2configs/collectd-base.nix - ../2configs/shack-nix-cacher.nix + ../2configs/graphite.nix + ../2configs/repo-sync.nix ../2configs/shack-drivedroid.nix + ../2configs/shack-nix-cacher.nix ../2configs/shared-buildbot.nix - ../2configs/cgit-mirror.nix - ../2configs/repo-sync.nix - ../2configs/graphite.nix ../2configs/share-shack.nix ]; # use your own binary cache, fallback use cache.nixos.org (which is used by
-- cgit v1.3.1
From c577d6b9972203941c577d9fb5488345d5fe84b5 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 16:22:09 +0200
Subject: krebs.nginx: RIP
---
krebs/3modules/bepasty-server.nix | 2 +-
krebs/3modules/buildbot/master.nix | 1 -
krebs/3modules/default.nix | 1 -
krebs/3modules/nginx.nix | 190 -----------------------------
shared/1systems/test-all-krebs-modules.nix | 1 -
5 files changed, 1 insertion(+), 194 deletions(-)
delete mode 100644 krebs/3modules/nginx.nix
(limited to 'shared/1systems')
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e725..0ca13366b 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -37,7 +37,7 @@ let
 # TODO use the correct type
 type = with types; attrsOf unspecified;
 description = ''
- additional nginx configuration. see krebs.nginx for all options
+ Additional nginx configuration.
 '';
 };
 secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b31661572..d75e6c880 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
 # stopAllBuilds = 'auth',
 # cancelPendingBuild = 'auth'
 #)
- # TODO: configure krebs.nginx
 c['www'] = dict(
 port = ${toString cfg.web.port},
 plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 37db5bfe7..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,7 +26,6 @@ let
 ./kapacitor.nix
 ./monit.nix
 ./newsbot-js.nix
- ./nginx.nix
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e37..000000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - default404 = mkOption { - type = types.bool; - default = true; - description = '' - By default all requests not directed to an explicit hostname are - replied with a 404 error to avoid accidental exposition of nginx - services. - - Set this value to `false` to disable this behavior - you will then be - able to configure a new `default_server` in the listen address entries - again. - ''; - }; - - servers = mkOption { - type = types.attrsOf (types.submodule { - options = { - server-names = mkOption { - type = with types; listOf str; - default = - [config.krebs.build.host.name] ++ - concatMap (getAttr "aliases") - (attrValues config.krebs.build.host.nets); - }; - listen = mkOption { - type = with types; either str (listOf str); - default = "80"; - apply = x: - if typeOf x != "list" - then [x] - else x; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - default = []; - }; - extraConfig = mkOption { - type = with types; string; - default = ""; - }; - ssl = mkOption { - type = with types; submodule ({ config, ... 
}: { - options = { - enable = mkEnableOption "ssl"; - acmeEnable = mkOption { - type = bool; - apply = x: - if x && config.enable - #conflicts because of certificate/certificate_key location - then throw "can't use ssl.enable and ssl.acmeEnable together" - else x; - default = false; - description = '' - enables automatical generation of lets-encrypt certificates and setting them as certificate - conflicts with ssl.enable - ''; - }; - certificate = mkOption { - type = str; - }; - certificate_key = mkOption { - type = str; - }; - #TODO: check for valid cipher - ciphers = mkOption { - type = str; - default = "AES128+EECDH:AES128+EDH"; - }; - prefer_server_ciphers = mkOption { - type = bool; - default = true; - }; - force_encryption = mkOption { - type = bool; - default = false; - description = '' - redirect all `http` traffic to the same domain but with ssl - protocol. - ''; - }; - protocols = mkOption { - type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); - default = [ "TLSv1.1" "TLSv1.2" ]; - - }; - }; - }); - default = {}; - }; - }; - }); - default = {}; - }; - }; - - imp = { - security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); - services.nginx = { - enable = true; - httpConfig = '' - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - - ${optionalString cfg.default404 '' - server { - listen 80 default_server; - server_name _; - return 404; - }''} - - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - to-acme = { server-names, ssl, ... }: - optionalAttrs ssl.acmeEnable { - email = "lassulus@gmail.com"; - webroot = "${config.security.acme.directory}/${head server-names}"; - }; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, listen, locations, extraConfig, ssl, ... 
}: let - domain = head server-names; - acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' - root ${config.security.acme.certs.${domain}.webroot}; - ''); - in '' - server { - server_name ${toString (unique server-names)}; - ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} - ${optionalString ssl.enable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${optionalString ssl.acmeEnable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; - ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${indent extraConfig} - ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} - ${indent (concatMapStrings to-location locations)} - } - ''; - -in -out diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix index b42968cfb..39d7c494b 100644 --- a/shared/1systems/test-all-krebs-modules.nix +++ b/shared/1systems/test-all-krebs-modules.nix @@ -36,7 +36,6 @@ in { enable = true; tables = {}; }; - nginx.enable = true; realwallpaper.enable = true; tinc.retiolum.enable = true; retiolum-bootstrap.enable = true; -- cgit v1.3.1 From 55b77bd2ece03769e6df3ebdfa891bc255f92665 Mon Sep 17 00:00:00 2001 
From: makefu
Date: Wed, 19 Apr 2017 10:05:12 +0200
Subject: s 1 wolf: send stats to omo
---
shared/1systems/wolf.nix | 1 +
shared/2configs/central-stats-client.nix | 68 ++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
create mode 100644 shared/2configs/central-stats-client.nix
(limited to 'shared/1systems')
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 0b4448022..75307be12 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -14,6 +14,7 @@ in
 ../2configs/shack-nix-cacher.nix
 ../2configs/shared-buildbot.nix
 ../2configs/share-shack.nix
+ ../2configs/central-stats-client.nix
 ];
 # use your own binary cache, fallback use cache.nixos.org (which is used by
 # apt-cacher-ng in first place)
diff --git a/shared/2configs/central-stats-client.nix b/shared/2configs/central-stats-client.nix
new file mode 100644
index 000000000..0412eba9a
--- /dev/null
+++ b/shared/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+
+
+ LoadPlugin df
+
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+
+
+ LoadPlugin cpu
+
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+
+
+ LoadPlugin network
+
+ Server "stats.makefu.r" "25826"
+
+
+ LoadPlugin curl
+
+
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+
+
+ '';
+ };
+}
-- cgit v1.3.1
[cgit] Unable to lock slot /tmp/cgit/0a300000.lock: No such file or directory (2)
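Review bot: The `Server "stats.makefu.r" "25826"` line in the network plugin section sends every metric as unsigned, unencrypted UDP, so the collector cannot distinguish this host's data from forged packets and anything on the path can read it. Unless the route to that host is guaranteed to stay on a trusted overlay network (not visible from this hunk), use the block form of `Server` with `SecurityLevel Encrypt` plus `Username` and `Password`, and supply the password from a file outside the world-readable Nix store (for example through an `Include`d file) rather than inlining it in `extraConfig`. The curl page also probes `http://smarthome.shack/` over plain HTTP, which is acceptable for a response-time measurement but should not be extended to scrape values without TLS. Smaller points in the same string: `LoadPlugin df` appears twice, and `Interval 30.0` comes after the first `LoadPlugin` lines, which as far as I know leaves those plugins on collectd's default interval; moving `Interval` to the top and dropping the duplicate would make the intent unambiguous.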