From 6df0b60f8af8a486ec89f6630e827720efd445ca Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 15:45:32 +0200
Subject: wolf: cleanup
---
 shared/1systems/wolf.nix | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
(limited to 'shared')
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 722a08812..0b4448022 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -1,20 +1,18 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
 let
 shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
- internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
 in
 {
 imports = [
 ../.
+ ../2configs/cgit-mirror.nix
 ../2configs/collectd-base.nix
- ../2configs/shack-nix-cacher.nix
+ ../2configs/graphite.nix
+ ../2configs/repo-sync.nix
 ../2configs/shack-drivedroid.nix
+ ../2configs/shack-nix-cacher.nix
 ../2configs/shared-buildbot.nix
- ../2configs/cgit-mirror.nix
- ../2configs/repo-sync.nix
- ../2configs/graphite.nix
 ../2configs/share-shack.nix
 ];
 # use your own binary cache, fallback use cache.nixos.org (which is used by
-- cgit v1.3.1
From 6b453f7068e4eff470821341e9fcfdbb6d5483ca Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 15:46:45 +0200
Subject: shared shack-drivedroid: krebs.nginx -> services.nginx
---
 shared/2configs/shack-drivedroid.nix | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
(limited to 'shared')
diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix
index 3581f9e96..07fcffa42 100644
--- a/shared/2configs/shack-drivedroid.nix
+++ b/shared/2configs/shack-drivedroid.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ config, pkgs, ... }:
 with import ;
 let
 repodir = "/var/srv/drivedroid";
@@ -7,6 +7,20 @@ in
 {
 environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts.shack-drivedroid = {
+ serverAliases = [
+ "drivedroid.shack"
+ ];
+ # TODO: prepare this somehow
+ locations."/".extraConfig = ''
+ root ${repodir};
+ index main.json;
+ '';
+ };
+ };
+
 systemd.services.drivedroid = {
 description = "generates drivedroid repo file";
 restartIfChanged = true;
@@ -27,18 +41,4 @@ in
 '';
 };
 };
-
- krebs.nginx = {
- enable = lib.mkDefault true;
- servers = {
- drivedroid-repo = {
- server-names = [ "drivedroid.shack" ];
- # TODO: prepare this somehow
- locations = lib.singleton (lib.nameValuePair "/" ''
- root ${repodir};
- index main.json;
- '');
- };
- };
- };
 }
-- cgit v1.3.1
From 82aa7c6f101c16d7e2607f3429cfbb222c572438 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 15:47:07 +0200
Subject: shared shack-nix-cacher: krebs.nginx -> services.nginx
---
 shared/2configs/shack-nix-cacher.nix | 37 +++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)
(limited to 'shared')
diff --git a/shared/2configs/shack-nix-cacher.nix b/shared/2configs/shack-nix-cacher.nix
index 7519bb3ac..4fcbf3a4e 100644
--- a/shared/2configs/shack-nix-cacher.nix
+++ b/shared/2configs/shack-nix-cacher.nix
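Review bot: The new `virtualHosts.shack-drivedroid` block leaves nginx without a catch-all server: the replaced `krebs.nginx` module emitted a `default_server` answering 404 for requests not addressed to a configured hostname (its `default404` option, deleted later in this series), and nothing in the `services.nginx` configuration takes over that role, so with nginx's usual rule that the first server block on a listen address is the default, requests with an arbitrary or missing `Host` header would presumably be served the `${repodir}` root instead of a 404. A catch-all entry such as `virtualHosts._ = { default = true; extraConfig = "return 404;"; };` (placed in a shared config if several hosts gain vhosts) restores the old behaviour. The same point applies to the `shack-nix-cacher` hunk of the following commit, where the apt-cacher-ng proxy would otherwise become the default server. Since `serverName` is not set, the attribute name `shack-drivedroid` is presumably also used as the primary `server_name` next to the alias; `serverName = "drivedroid.shack";` would make the intended hostname explicit.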
@@ -1,25 +1,28 @@
-{ pkgs, lib, ... }:
-
+{ config, pkgs, ... }:
+with import ;
+let
+ cfg = config.krebs.apt-cacher-ng;
+in
 {
- krebs.nginx = {
- enable = lib.mkDefault true;
- servers = {
- apt-cacher-ng = {
- server-names = [ "acng.shack" ];
- locations = lib.singleton (lib.nameValuePair "/" ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://localhost:3142/;
- '');
- };
- };
- };
-
 krebs.apt-cacher-ng = {
 enable = true;
 port = 3142;
 bindAddress = "localhost";
 cacheExpiration = 30;
 };
+
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts.shack-nix-cacher = {
+ serverAliases = [
+ "acng.shack"
+ ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:${toString cfg.port}/;
+ '';
+ };
+ };
 }
-- cgit v1.3.1
From d34d95ec3ed4230faa2dc9dd90938e9991dd73d7 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 15:59:27 +0200
Subject: shared shack-drivedroid: cleanup
---
 shared/2configs/shack-drivedroid.nix | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
(limited to 'shared')
diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix
index 07fcffa42..12e4a39c3 100644
--- a/shared/2configs/shack-drivedroid.nix
+++ b/shared/2configs/shack-drivedroid.nix
@@ -1,8 +1,7 @@
 { config, pkgs, ... }:
 with import ;
 let
- repodir = "/var/srv/drivedroid";
- srepodir = shell.escape repodir;
+ root = "/var/srv/drivedroid";
 in
 {
 environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
@@ -15,28 +14,34 @@ in
 ];
 # TODO: prepare this somehow
 locations."/".extraConfig = ''
- root ${repodir};
+ root ${root};
 index main.json;
 '';
 };
 };
- systemd.services.drivedroid = {
+ systemd.services.drivedroid-gen-repo = {
 description = "generates drivedroid repo file";
- restartIfChanged = true;
+ path = [
+ pkgs.coreutils
+ pkgs.drivedroid-gen-repo
+ pkgs.inotify-tools
+ ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 Type = "simple";
 Restart = "always";
- ExecStartPre = pkgs.writeScript "prepare-drivedroid-gen-repo" ''
- #!/bin/sh
- mkdir -p ${srepodir}/repos
+ ExecStartPre = pkgs.writeDash "prepare-drivedroid-gen-repo" ''
+ mkdir -p ${root}/repos
 '';
- ExecStart = pkgs.writeScript "start-drivedroid-gen-repo" ''
- #!/bin/sh
+ ExecStart = pkgs.writeDash "start-drivedroid-gen-repo" ''
+ set -efu
+ cd ${root}
 while sleep 60; do
- ${pkgs.inotify-tools}/bin/inotifywait -r ${srepodir} && ${pkgs.drivedroid-gen-repo}/bin/drivedroid-gen-repo --chdir "${srepodir}" repos/ > "${srepodir}/main.json"
+ if inotifywait -r .; then
+ drivedroid-gen-repo repos > main.json
+ fi
 done
 '';
 };
-- cgit v1.3.1
From c577d6b9972203941c577d9fb5488345d5fe84b5 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 17 Apr 2017 16:22:09 +0200
Subject: krebs.nginx: RIP
---
 krebs/3modules/bepasty-server.nix | 2 +-
 krebs/3modules/buildbot/master.nix | 1 -
 krebs/3modules/default.nix | 1 -
 krebs/3modules/nginx.nix | 190 -----------------------------
 shared/1systems/test-all-krebs-modules.nix | 1 -
 5 files changed, 1 insertion(+), 194 deletions(-)
 delete mode 100644 krebs/3modules/nginx.nix
(limited to 'shared')
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e725..0ca13366b 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
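Review bot: `drivedroid-gen-repo repos > main.json` in the new `ExecStart` script truncates and rewrites `main.json` in place inside the directory nginx serves as `root`, so a client fetching the index while the generator is running can receive an empty or partial file; writing to a temporary name and renaming keeps the published file consistent, e.g. `drivedroid-gen-repo repos > main.json.tmp && mv main.json.tmp main.json`. Because the script now runs under `set -efu`, a non-zero exit from `drivedroid-gen-repo` inside the `if` body also ends the loop and the unit (which `Restart = "always"` then restarts, re-running `ExecStartPre`), whereas the old `&&` chain simply waited for the next event; if that stricter behaviour is intended, a one-line comment above `set -efu` saying so would save the next reader a guess. The `systemd.services.drivedroid-gen-repo` attrset closes outside the hunk.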
@@ -37,7 +37,7 @@ let
 # TODO use the correct type
 type = with types; attrsOf unspecified;
 description = ''
- additional nginx configuration. see krebs.nginx for all options
+ Additional nginx configuration.
 '';
 };
 secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b31661572..d75e6c880 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
 # stopAllBuilds = 'auth',
 # cancelPendingBuild = 'auth'
 #)
- # TODO: configure krebs.nginx
 c['www'] = dict(
 port = ${toString cfg.web.port},
 plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 37db5bfe7..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,7 +26,6 @@ let
 ./kapacitor.nix
 ./monit.nix
 ./newsbot-js.nix
- ./nginx.nix
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e37..000000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - default404 = mkOption { - type = types.bool; - default = true; - description = '' - By default all requests not directed to an explicit hostname are - replied with a 404 error to avoid accidental exposition of nginx - services. - - Set this value to `false` to disable this behavior - you will then be - able to configure a new `default_server` in the listen address entries - again. - ''; - }; - - servers = mkOption { - type = types.attrsOf (types.submodule { - options = { - server-names = mkOption { - type = with types; listOf str; - default = - [config.krebs.build.host.name] ++ - concatMap (getAttr "aliases") - (attrValues config.krebs.build.host.nets); - }; - listen = mkOption { - type = with types; either str (listOf str); - default = "80"; - apply = x: - if typeOf x != "list" - then [x] - else x; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - default = []; - }; - extraConfig = mkOption { - type = with types; string; - default = ""; - }; - ssl = mkOption { - type = with types; submodule ({ config, ... 
}: { - options = { - enable = mkEnableOption "ssl"; - acmeEnable = mkOption { - type = bool; - apply = x: - if x && config.enable - #conflicts because of certificate/certificate_key location - then throw "can't use ssl.enable and ssl.acmeEnable together" - else x; - default = false; - description = '' - enables automatical generation of lets-encrypt certificates and setting them as certificate - conflicts with ssl.enable - ''; - }; - certificate = mkOption { - type = str; - }; - certificate_key = mkOption { - type = str; - }; - #TODO: check for valid cipher - ciphers = mkOption { - type = str; - default = "AES128+EECDH:AES128+EDH"; - }; - prefer_server_ciphers = mkOption { - type = bool; - default = true; - }; - force_encryption = mkOption { - type = bool; - default = false; - description = '' - redirect all `http` traffic to the same domain but with ssl - protocol. - ''; - }; - protocols = mkOption { - type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); - default = [ "TLSv1.1" "TLSv1.2" ]; - - }; - }; - }); - default = {}; - }; - }; - }); - default = {}; - }; - }; - - imp = { - security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); - services.nginx = { - enable = true; - httpConfig = '' - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - - ${optionalString cfg.default404 '' - server { - listen 80 default_server; - server_name _; - return 404; - }''} - - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - to-acme = { server-names, ssl, ... }: - optionalAttrs ssl.acmeEnable { - email = "lassulus@gmail.com"; - webroot = "${config.security.acme.directory}/${head server-names}"; - }; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, listen, locations, extraConfig, ssl, ... 
}: let - domain = head server-names; - acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' - root ${config.security.acme.certs.${domain}.webroot}; - ''); - in '' - server { - server_name ${toString (unique server-names)}; - ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} - ${optionalString ssl.enable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${optionalString ssl.acmeEnable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; - ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${indent extraConfig} - ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} - ${indent (concatMapStrings to-location locations)} - } - ''; - -in -out diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix index b42968cfb..39d7c494b 100644 --- a/shared/1systems/test-all-krebs-modules.nix +++ b/shared/1systems/test-all-krebs-modules.nix @@ -36,7 +36,6 @@ in { enable = true; tables = {}; }; - nginx.enable = true; realwallpaper.enable = true; tinc.retiolum.enable = true; retiolum-bootstrap.enable = true; -- cgit v1.3.1