palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

delete terranix folder

Browse source
This commit is contained in:
Ingolf Wagner 2024-06-07 20:07:55 +02:00
parent 0671e6b3c5
commit 2f48fe597a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
70 changed files with 0 additions and 3349 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
terranix/.gitignore vendored
View file

@ -1,3 +0,0 @@
*.backup
.history
.terraform

3
terranix/gitlab/.gitignore vendored
View file

@ -1,3 +0,0 @@
.terraform*
terraform.tfstate*
config.tf.json

7
terranix/gitlab/README.md
View file

@ -1,7 +0,0 @@
# nix flake example
This example shows how you could use terranix as flake.
- `nix run` run `nix run ".#apply"`
- `nix run ".#apply"` run `terraform apply`
- `nix run ".#destroy"` run `terraform destroy`

31
terranix/gitlab/config.nix
View file

@ -1,31 +0,0 @@
# start with:
# export GITLAB_TOKEN=""
{ config, lib, ... }:
{
terraform.required_providers.gitlab.source = "gitlabhq/gitlab";
provider.gitlab = {
base_url = "https://gitlab.ingolf-wagner.de/api/v4/";
};
resource.gitlab_deploy_key =
let
ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNRzdW7SYizwrECoTJbL0peeTkaRfAT5Jjefgad+MmHFHsRRy/q2bDQLlhKGPC4I0gXsaYuZSeSpaCwa6JHwDXDUjeSwj/osKE7lDnRx0XmGKKwZPNU4KuI9CUH450p5M9w3KgSmKEXJKayUz1/8E4WlSjfSkqpGwkhCeHtuIVd6Wei+fU/7uzYrL6tg8ZZD3omvvD4AxCEzNvM3wuX915K0x52GySJLpQUt9xYZLb1qrQAkVAnOE2ZZLx5rVzDLJkPrPRQ5Og3Yi3mT469AbKM/XPPuVgluiMCLOq8avAOQGK2brKjdaw2m3bDKuH18WJfMwwu/0uzSe1CWBwNj8/gAQapevhoYwMLjK9eJvWBh2Wc7tgHO51uZM3mVTylWFlsundM2ASssVHueReNpnUtMvXdCPHb0ZmZNy/3NW0u+y7FnLRvnrRSF8TYPeUYTOoRd0nbvwb6R0mBvHFqjs6ILLL7+d+JHCBnGAxu3AwgWAsS8LP3G+VL7arb1pEVJK52Svjoi2tPXWaRixAB1KxMep44UtY+TCGs+5fx++y2sUGhcEJBxXywpFmAPjOZLRuiDcnsWxZfTSMkQowoG6PUtcplasY4+NzJ/ivBjfka111KRLURNIRkCGaBZKPAROkGd9iKdiSENdpXRwubFl5ISjEPR3tdZaTY97w+hj8OQ==";
work_repositories = {
mindcurv = "palo/mindcurv_nix";
timewarrior = "palo/timewarrior_mindcurv";
};
repository = name: project_path: {
name = name;
value = {
project = project_path;
title = "Deployment key";
key = ssh_key;
};
};
in
lib.mapAttrs' repository work_repositories;
}

129
terranix/gitlab/flake.lock
View file

@ -1,129 +0,0 @@
{
"nodes": {
"bats-assert": {
"flake": false,
"locked": {
"lastModified": 1636059754,
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
"owner": "bats-core",
"repo": "bats-assert",
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
"type": "github"
},
"original": {
"owner": "bats-core",
"repo": "bats-assert",
"type": "github"
}
},
"bats-support": {
"flake": false,
"locked": {
"lastModified": 1548869839,
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
"owner": "bats-core",
"repo": "bats-support",
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
"type": "github"
},
"original": {
"owner": "bats-core",
"repo": "bats-support",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1633074215,
"narHash": "sha256-epmR1H1amgFWuU7xW9OXGjsAqltMqCSqkv1U2+9rOlM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "378d2c5dcec7fef958cca3760448c09a9be2b7a3",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"terranix": "terranix"
}
},
"terranix": {
"inputs": {
"bats-assert": "bats-assert",
"bats-support": "bats-support",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"terranix-examples": "terranix-examples"
},
"locked": {
"lastModified": 1636274003,
"narHash": "sha256-HDiyJGgyDUoLnpL8N+wDm3cM/vEfYYc/p4N1kKH/kLk=",
"owner": "terranix",
"repo": "terranix",
"rev": "87fe67a2c254e74c1c3f3206c504fe7ba76a3c59",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"terranix-examples": {
"locked": {
"lastModified": 1633465925,
"narHash": "sha256-BfXRW1ZHpK5jh5CVcw7eFpGsWE1CyVxL8R+V7uXemaU=",
"owner": "terranix",
"repo": "terranix-examples",
"rev": "70bf5d5a1ad4eabef1e4e71c1eb101021decd5a4",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix-examples",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

53
terranix/gitlab/flake.nix
View file

@ -1,53 +0,0 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs";
flake-utils.url = "github:numtide/flake-utils";
terranix = {
url = "github:terranix/terranix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, flake-utils, terranix }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
terraform = pkgs.terraform_0_15;
terraformConfiguration = terranix.lib.terranixConfiguration {
inherit system;
modules = [ ./config.nix ];
};
in
{
defaultPackage = terraformConfiguration;
# nix develop
devShell = pkgs.mkShell {
buildInputs = [
pkgs.terraform_0_15
terranix.defaultPackage.${system}
];
};
# nix run ".#apply"
apps.apply = {
type = "app";
program = toString (pkgs.writers.writeBash "apply" ''
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
cp ${terraformConfiguration} config.tf.json \
&& ${terraform}/bin/terraform init \
&& ${terraform}/bin/terraform apply
'');
};
# nix run ".#destroy"
apps.destroy = {
type = "app";
program = toString (pkgs.writers.writeBash "destroy" ''
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
cp ${terraformConfiguration} config.tf.json \
&& ${terraform}/bin/terraform init \
&& ${terraform}/bin/terraform destroy
'');
};
# nix run
defaultApp = self.apps.${system}.apply;
});
}

674
terranix/graylog/MyDashboards.json
View file

@ -1,674 +0,0 @@
{
"v": "1",
"id": "da023d7e-086a-4387-a5b1-02bd267d9c3f",
"rev": 2,
"name": "Dashboards",
"summary": "My Dashboards",
"description": "All my Dashboards focusing mainly on journald logs",
"vendor": "Ingolf Wagner",
"url": "",
"parameters": [],
"entities": [
{
"v": "1",
"type": {
"name": "dashboard",
"version": "2"
},
"id": "04d927ad-a217-43bf-aa9e-820777399cc3",
"data": {
"summary": {
"@type": "string",
"@value": "Overview on Graylog"
},
"search": {
"queries": [
{
"id": "bfb6a815-7213-484c-91ba-ebaeff542a66",
"timerange": {
"type": "relative",
"range": 300
},
"query": {
"type": "elasticsearch",
"query_string": ""
},
"search_types": [
{
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND syslog_facility:<4 AND (systemd_unit:elasticsearch.service OR systemd_unit:kibana.service OR systemd_unit:graylog.service)"
},
"name": "chart",
"timerange": {
"type": "relative",
"range": 86400
},
"streams": [],
"series": [
{
"type": "count",
"id": "count()",
"field": null
}
],
"filter": null,
"rollup": false,
"row_groups": [
{
"type": "time",
"field": "timestamp",
"interval": {
"type": "auto",
"scaling": 1
}
}
],
"type": "pivot",
"id": "8e1ed6ed-ff1f-4d86-8981-a987aaaa5eed",
"column_groups": [
{
"type": "values",
"field": "systemd_unit",
"limit": 15
}
],
"sort": []
},
{
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true"
},
"name": "chart",
"timerange": {
"type": "relative",
"range": 86400
},
"streams": [],
"series": [
{
"type": "count",
"id": "count()",
"field": null
}
],
"filter": null,
"rollup": false,
"row_groups": [
{
"type": "time",
"field": "timestamp",
"interval": {
"type": "auto",
"scaling": 1
}
}
],
"type": "pivot",
"id": "d7e2a713-28fd-46d1-8c7a-29bd2867bebd",
"column_groups": [
{
"type": "values",
"field": "source",
"limit": 15
}
],
"sort": []
}
]
}
],
"parameters": [],
"requires": {},
"owner": "admin",
"created_at": "2021-07-17T08:03:26.960Z"
},
"created_at": "2021-07-17T05:53:41.503Z",
"requires": {},
"state": {
"bfb6a815-7213-484c-91ba-ebaeff542a66": {
"selected_fields": null,
"static_message_list_id": null,
"titles": {
"widget": {
"b0d1972c-c917-4054-a946-d412859ee5f0": "Graylog Errors of last day",
"49928524-8949-42e2-b6a6-4f208e2febb5": "Graylog Input of last day",
"c535afa8-b27f-4cec-b117-483df2d439ec": "Graylog errors of last day",
"9a6682e0-8993-439a-bfff-62e4a3c99473": "Graylog errors of last day (copy)"
},
"tab": {
"title": "Last Day"
}
},
"widgets": [
{
"id": "c535afa8-b27f-4cec-b117-483df2d439ec",
"type": "aggregation",
"filter": null,
"timerange": {
"type": "relative",
"range": 86400
},
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND syslog_facility:<4 AND (systemd_unit:elasticsearch.service OR systemd_unit:kibana.service OR systemd_unit:graylog.service)"
},
"streams": [],
"config": {
"visualization": "line",
"event_annotation": false,
"row_pivots": [
{
"field": "timestamp",
"type": "time",
"config": {
"interval": {
"type": "auto",
"scaling": null
}
}
}
],
"series": [
{
"config": {
"name": null
},
"function": "count()"
}
],
"rollup": false,
"column_pivots": [
{
"field": "systemd_unit",
"type": "values",
"config": {
"limit": 15
}
}
],
"visualization_config": {
"interpolation": "spline"
},
"formatting_settings": null,
"sort": []
}
},
{
"id": "49928524-8949-42e2-b6a6-4f208e2febb5",
"type": "aggregation",
"filter": null,
"timerange": {
"type": "relative",
"range": 86400
},
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true"
},
"streams": [],
"config": {
"visualization": "line",
"event_annotation": false,
"row_pivots": [
{
"field": "timestamp",
"type": "time",
"config": {
"interval": {
"type": "auto",
"scaling": null
}
}
}
],
"series": [
{
"config": {
"name": null
},
"function": "count()"
}
],
"rollup": false,
"column_pivots": [
{
"field": "source",
"type": "values",
"config": {
"limit": 15
}
}
],
"visualization_config": {
"interpolation": "spline"
},
"formatting_settings": null,
"sort": []
}
}
],
"widget_mapping": {
"49928524-8949-42e2-b6a6-4f208e2febb5": [
"d7e2a713-28fd-46d1-8c7a-29bd2867bebd"
],
"c535afa8-b27f-4cec-b117-483df2d439ec": [
"8e1ed6ed-ff1f-4d86-8981-a987aaaa5eed"
]
},
"positions": {
"49928524-8949-42e2-b6a6-4f208e2febb5": {
"col": 1,
"row": 11,
"height": 3,
"width": "Infinity"
},
"c535afa8-b27f-4cec-b117-483df2d439ec": {
"col": 1,
"row": 8,
"height": 3,
"width": "Infinity"
}
},
"formatting": {
"highlighting": []
},
"display_mode_settings": {
"positions": {}
}
}
},
"properties": [],
"owner": "admin",
"title": {
"@type": "string",
"@value": "Graylog"
},
"type": "DASHBOARD",
"description": {
"@type": "string",
"@value": ""
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.9+abab7dc"
}
]
},
{
"v": "1",
"type": {
"name": "dashboard",
"version": "2"
},
"id": "40d84ea8-3f72-47b8-9819-722b3f5dcbd3",
"data": {
"summary": {
"@type": "string",
"@value": "Overview on Graylog"
},
"search": {
"queries": [
{
"id": "bfb6a815-7213-484c-91ba-ebaeff542a66",
"timerange": {
"type": "relative",
"range": 300
},
"query": {
"type": "elasticsearch",
"query_string": ""
},
"search_types": [
{
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND systemd_unit:init.scope AND syslog_priority:4"
},
"name": "chart",
"timerange": {
"type": "relative",
"range": 86400
},
"streams": [],
"series": [
{
"type": "count",
"id": "count()",
"field": null
}
],
"filter": null,
"rollup": true,
"row_groups": [
{
"type": "values",
"field": "custom_unit",
"limit": 15
}
],
"type": "pivot",
"id": "d480b368-2968-442c-94b9-e1e4e1830db7",
"column_groups": [],
"sort": []
},
{
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true"
},
"name": "chart",
"timerange": {
"type": "relative",
"range": 86400
},
"streams": [],
"series": [
{
"type": "count",
"id": "count()",
"field": null
}
],
"filter": null,
"rollup": false,
"row_groups": [
{
"type": "time",
"field": "timestamp",
"interval": {
"type": "auto",
"scaling": 1
}
}
],
"type": "pivot",
"id": "148df0da-281a-4266-a363-9565c9b851b6",
"column_groups": [
{
"type": "values",
"field": "source",
"limit": 15
}
],
"sort": []
},
{
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND syslog_facility:<4 AND (systemd_unit:elasticsearch.service OR systemd_unit:kibana.service OR systemd_unit:graylog.service)"
},
"name": "chart",
"timerange": {
"type": "relative",
"range": 86400
},
"streams": [],
"series": [
{
"type": "count",
"id": "count()",
"field": null
}
],
"filter": null,
"rollup": false,
"row_groups": [
{
"type": "time",
"field": "timestamp",
"interval": {
"type": "auto",
"scaling": 1
}
}
],
"type": "pivot",
"id": "fe958d96-6908-4516-848d-9490d810ed3e",
"column_groups": [
{
"type": "values",
"field": "systemd_unit",
"limit": 15
}
],
"sort": []
}
]
}
],
"parameters": [],
"requires": {},
"owner": "admin",
"created_at": "2021-07-17T11:41:39.203Z"
},
"created_at": "2021-07-17T05:53:41.503Z",
"requires": {},
"state": {
"bfb6a815-7213-484c-91ba-ebaeff542a66": {
"selected_fields": null,
"static_message_list_id": null,
"titles": {
"widget": {
"b0d1972c-c917-4054-a946-d412859ee5f0": "Graylog Errors of last day",
"49928524-8949-42e2-b6a6-4f208e2febb5": "Graylog Input of last day",
"c535afa8-b27f-4cec-b117-483df2d439ec": "Graylog errors of last day",
"9a6682e0-8993-439a-bfff-62e4a3c99473": "Graylog errors of last day (copy)",
"ac9ffdfc-8f48-4ed8-af3b-62120dc86bfa": "init.scope warnings",
"221557b8-5b8b-4c57-9449-00a1aaf91388": "Messages for custom_unit:backup.mount"
},
"tab": {
"title": "Last Day"
}
},
"widgets": [
{
"id": "c535afa8-b27f-4cec-b117-483df2d439ec",
"type": "aggregation",
"filter": null,
"timerange": {
"type": "relative",
"range": 86400
},
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND syslog_facility:<4 AND (systemd_unit:elasticsearch.service OR systemd_unit:kibana.service OR systemd_unit:graylog.service)"
},
"streams": [],
"config": {
"visualization": "line",
"event_annotation": false,
"row_pivots": [
{
"field": "timestamp",
"type": "time",
"config": {
"interval": {
"type": "auto",
"scaling": null
}
}
}
],
"series": [
{
"config": {
"name": null
},
"function": "count()"
}
],
"rollup": false,
"column_pivots": [
{
"field": "systemd_unit",
"type": "values",
"config": {
"limit": 15
}
}
],
"visualization_config": {
"interpolation": "spline"
},
"formatting_settings": null,
"sort": []
}
},
{
"id": "49928524-8949-42e2-b6a6-4f208e2febb5",
"type": "aggregation",
"filter": null,
"timerange": {
"type": "relative",
"range": 86400
},
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true"
},
"streams": [],
"config": {
"visualization": "line",
"event_annotation": false,
"row_pivots": [
{
"field": "timestamp",
"type": "time",
"config": {
"interval": {
"type": "auto",
"scaling": null
}
}
}
],
"series": [
{
"config": {
"name": null
},
"function": "count()"
}
],
"rollup": false,
"column_pivots": [
{
"field": "source",
"type": "values",
"config": {
"limit": 15
}
}
],
"visualization_config": {
"interpolation": "spline"
},
"formatting_settings": null,
"sort": []
}
},
{
"id": "ac9ffdfc-8f48-4ed8-af3b-62120dc86bfa",
"type": "aggregation",
"filter": null,
"timerange": {
"type": "relative",
"range": 86400
},
"query": {
"type": "elasticsearch",
"query_string": "from_journald:true AND systemd_unit:init.scope AND syslog_priority:4"
},
"streams": [],
"config": {
"visualization": "table",
"event_annotation": false,
"row_pivots": [
{
"field": "custom_unit",
"type": "values",
"config": {
"limit": 15
}
}
],
"series": [
{
"config": {
"name": null
},
"function": "count()"
}
],
"rollup": true,
"column_pivots": [],
"visualization_config": null,
"formatting_settings": null,
"sort": []
}
}
],
"widget_mapping": {
"c535afa8-b27f-4cec-b117-483df2d439ec": [
"fe958d96-6908-4516-848d-9490d810ed3e"
],
"ac9ffdfc-8f48-4ed8-af3b-62120dc86bfa": [
"d480b368-2968-442c-94b9-e1e4e1830db7"
],
"49928524-8949-42e2-b6a6-4f208e2febb5": [
"148df0da-281a-4266-a363-9565c9b851b6"
]
},
"positions": {
"ac9ffdfc-8f48-4ed8-af3b-62120dc86bfa": {
"col": 1,
"row": 6,
"height": 6,
"width": 4
},
"c535afa8-b27f-4cec-b117-483df2d439ec": {
"col": 5,
"row": 6,
"height": 3,
"width": 8
},
"49928524-8949-42e2-b6a6-4f208e2febb5": {
"col": 5,
"row": 9,
"height": 3,
"width": 8
}
},
"formatting": {
"highlighting": []
},
"display_mode_settings": {
"positions": {}
}
}
},
"properties": [],
"owner": "admin",
"title": {
"@type": "string",
"@value": "Graylog"
},
"type": "DASHBOARD",
"description": {
"@type": "string",
"@value": ""
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.9+abab7dc"
}
]
}
]
}

47
terranix/graylog/config.nix
View file

@ -1,47 +0,0 @@
with builtins; {
imports = [ ./provider.nix ./nginx.nix ./journald.nix ];
# create default index
resource.graylog_index_set.default =
let
maxIndexSize = 200;
maxIndexCount = 20;
isDefault = true;
in
{
title = "default";
description = ''
This is the default index set, where everything ends up which is
not specifically send to another index.
Be aware this index can only hold ${
toString (maxIndexCount * maxIndexSize)
}MB of logs!
'';
default = isDefault;
index_prefix = "graylog";
rotation_strategy_class =
"org.graylog2.indexer.rotation.strategies.SizeBasedRotationStrategy";
retention_strategy_class =
"org.graylog2.indexer.retention.strategies.DeletionRetentionStrategy";
index_analyzer = "standard";
index_optimization_disabled = false;
writable = true;
shards = 1;
replicas = 0;
index_optimization_max_num_segments = 1;
field_type_refresh_interval = 5000;
retention_strategy = toJSON ({
max_number_of_indices = maxIndexCount;
type =
"org.graylog2.indexer.retention.strategies.DeletionRetentionStrategyConfig";
});
rotation_strategy = toJSON ({
#max_docs_per_index = 30000000;
max_size = maxIndexSize * 1024 * 1024;
type =
"org.graylog2.indexer.rotation.strategies.SizeBasedRotationStrategyConfig";
});
};
}

115
terranix/graylog/journald.nix
View file

@ -1,115 +0,0 @@
with builtins; {
imports = [ ./journald/nextcloud.nix ./journald/kibana.nix ];
resource = {
graylog_input = {
journalbeat = {
title = "Journalbeat Logs";
# https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
type = "org.graylog.plugins.beats.Beats2Input";
global = true;
attributes = toJSON ({
bind_address = "0.0.0.0";
no_beats_prefix = true;
number_worker_threads = 4;
port = 5044;
recv_buffer_size = 1048576;
tcp_keepalive = false;
tls_cert_file = "";
tls_client_auth = "disabled";
tls_client_auth_cert_file = "";
tls_enable = false;
tls_key_file = "";
tls_key_password = "";
});
};
};
graylog_input_static_fields.journalbeat = {
input_id = "\${graylog_input.journalbeat.id}";
fields = {
from_journald = true;
journalbeat = true;
};
};
graylog_stream.journald = {
title = "journald";
description = "journald processing stream";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
graylog_stream_rule.journald = {
field = "from_journald";
value = true;
stream_id = "\${graylog_stream.journald.id}";
#description = "";
type = 1;
inverted = false;
};
graylog_pipeline_connection = {
journald = {
stream_id = "\${graylog_stream.journald.id}";
pipeline_ids = [
#"\${graylog_pipeline.journald_fix_loglevel.id}"
"\${graylog_pipeline.journald_iptable_parse.id}"
#"\${graylog_pipeline.journald_loglevel_int_to_str.id}"
];
};
};
graylog_pipeline = {
journald_iptable_parse.source = ''
pipeline "journald : ip table parse"
stage 0 match either
rule "journald : iptables split"
end
'';
};
graylog_pipeline_rule = {
iptableSplit.source = ''
rule "journald : iptables split"
when
has_field("facility") && $message.facility == "kernel"
then
let result = regex(
"^refused connection:\\s*IN=(.*) OUT=(.*) MAC=(.*) SRC=(.*) DST=(.*) LEN=.* TOS=.* PREC=.* TTL=(.*) ID=(.*) PROTO=(.*) SPT=(.*) DPT=(.*) WINDOW=(.*) RES=.*",
to_string($message.message),
["in_interface"
,"out_interface"
,"mac_addr"
,"src_addr"
,"dst_addr"
,"ttl"
,"iptables_id"
,"protocol"
,"src_port"
,"dst_port"
,"window"]
);
set_field("in_interface" ,result.in_interface);
set_field("out_interface" ,result.out_interface);
set_field("mac_addr" ,result.mac_addr);
set_field("src_addr" ,result.src_addr);
set_field("dst_addr" ,result.dst_addr);
set_field("ttl" ,result.ttl);
set_field("iptables_id" ,result.iptables_id);
set_field("protocol" ,result.protocol);
set_field("src_port" ,result.src_port);
set_field("dst_port" ,result.dst_port);
set_field("window" ,result.window);
end
'';
};
};
}

59
terranix/graylog/journald/kibana.nix
View file

@ -1,59 +0,0 @@
with builtins; {
resource = {
graylog_pipeline_connection = {
journald.pipeline_ids = [ "\${graylog_pipeline.kibana.id}" ];
};
graylog_pipeline = {
kibana.source = ''
pipeline "kibana : parsing"
stage 10 match either
rule "kibana : parse level 1"
stage 11 match either
rule "kibana : parse message"
end
'';
};
graylog_pipeline_rule = {
kibanaLevel1.source = ''
rule "kibana : parse level 1"
when
has_field("systemd_unit") && ($message.systemd_unit == "kibana.service")
then
let parsedJson = parse_json(to_string($message.message));
set_fields(to_map(parsedJson),"kibana_");
end
'';
kibanaLevelRequest.source = ''
rule "kibana : parse request"
when
has_field("kibana_req")
then
let parsedJson = parse_json(to_string($message.kibana_req));
set_fields(to_map(parsedJson),"kibana_req_");
end
'';
kibanaLevelResponse.source = ''
rule "kibana : parse response"
when
has_field("kibana_res")
then
let parsedJson = parse_json(to_string($message.kibana_res));
set_fields(to_map(parsedJson),"kibana_res_");
end
'';
kibanaLevelMessage.source = ''
rule "kibana : parse message"
when
has_field("kibana_message")
then
set_field("message", $message.kibana_message);
end
'';
};
};
}

62
terranix/graylog/journald/nextcloud.nix
View file

@ -1,62 +0,0 @@
with builtins; {
resource = {
graylog_pipeline_connection = {
journald.pipeline_ids = [ "\${graylog_pipeline.nextcloud.id}" ];
};
graylog_pipeline = {
nextcloud.source = ''
pipeline "nextcloud : parsing"
stage 10 match either
rule "nextcloud : parse level 1"
stage 11 match either
rule "nextcloud : parse level 2"
stage 12 match either
rule "nextcloud : parse level 3"
end
'';
};
graylog_pipeline_rule = {
nextcloudLevel1.source = ''
rule "nextcloud : parse level 1"
when
has_field("systemd_unit") && ($message.systemd_unit == "phpfpm-nextcloud.service" || $message.systemd_unit == "nextcloud-cron.service") && starts_with(to_string($message.message),"{")
then
let parsedJson = parse_json(to_string($message.message));
set_fields(to_map(parsedJson),"nextcloud_");
end
'';
#nextcloudLevel2.source = ''
# rule "nextcloud : parse level 2"
# when
# has_field("nextcloud_message")
# then
# let parsedJson = parse_json(to_string($message.nextcloud_message));
# set_field("message", $message.nextcloud_message);
# set_fields(to_map(parsedJson),"nextcloud_message_");
# end
#'';
nextcloudLevel2.source = ''
rule "nextcloud : parse level 2"
when
has_field("nextcloud_message")
then
set_field("message", $message.nextcloud_message);
end
'';
nextcloudLevel3.source = ''
rule "nextcloud : parse level 3"
when
has_field("nextcloud_message_Message")
then
remove_field("nextcloud_message");
set_field("message", $message.nextcloud_message_Message);
end
'';
};
};
}

311
terranix/graylog/nginx.nix
View file

@ -1,311 +0,0 @@
/* # use this nginx configuration
# to send data to these inputs
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
'"facility": "nginx", '
'"src_addr": "$remote_addr", '
'"body_bytes_sent": $body_bytes_sent, '
'"request_time": $request_time, '
'"response_status": $status, '
'"request": "$request", '
'"request_method": "$request_method", '
'"host": "$host",'
'"upstream_cache_status": "$upstream_cache_status",'
'"upstream_addr": "$upstream_addr",'
'"http_x_forwarded_for": "$http_x_forwarded_for",'
'"http_referrer": "$http_referer", '
'"http_user_agent": "$http_user_agent" }';
access_log syslog:server=${access_log_input} graylog2_json;
error_log syslog:server=${error_log_input};
*/
with builtins; {
resource = {
graylog_input = {
nginx_access_logs = {
title = "nginx access log";
# https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
type = "org.graylog2.inputs.syslog.udp.SyslogUDPInput";
global = true;
attributes = toJSON ({
allow_override_date = true;
bind_address = "0.0.0.0";
expand_structured_data = false;
force_rdns = false;
number_worker_threads = 4;
port = 12304;
recv_buffer_size = 1048576;
store_full_message = false;
});
};
nginx_error_logs = {
title = "nginx error log";
# https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
type = "org.graylog2.inputs.syslog.udp.SyslogUDPInput";
global = true;
attributes = toJSON ({
allow_override_date = true;
bind_address = "0.0.0.0";
expand_structured_data = false;
force_rdns = false;
number_worker_threads = 4;
port = 12305;
recv_buffer_size = 1048576;
store_full_message = false;
});
};
};
graylog_extractor = {
# nginx error
nginx_error_timestamp = {
input_id = "\${graylog_input.nginx_error_logs.id}";
order = 0;
title = "Timestamp";
type = "regex";
extractor_config = toJSON ({
regex_value =
"^.*:\\s(\\d\\d\\d\\d/\\d\\d/\\d\\d\\s\\d\\d:\\d\\d:\\d\\d)\\s.*$";
});
target_field = "timestamp";
source_field = "message";
cursor_strategy = "copy";
condition_type = "none";
converters = {
config = toJSON ({ date_format = "yyyy/MM/dd HH:mm:ss "; });
type = "date";
};
};
nginx_error_server = {
input_id = "\${graylog_input.nginx_error_logs.id}";
type = "regex";
source_field = "message";
cursor_strategy = "copy";
condition_type = "string";
condition_value = "server";
extractor_config = toJSON ({ regex_value = "server:\\s(.+?)(,|$)"; });
order = 1;
target_field = "server";
title = "server";
};
nginx_error_remote_addr = {
input_id = "\${graylog_input.nginx_error_logs.id}";
type = "regex";
source_field = "message";
cursor_strategy = "copy";
condition_type = "string";
condition_value = "client";
extractor_config = toJSON ({ regex_value = "client:\\s(.+?)(,|$)"; });
order = 2;
target_field = "remote_addr";
title = "remote_addr/client";
};
nginx_error_host = {
input_id = "\${graylog_input.nginx_error_logs.id}";
type = "regex";
source_field = "message";
cursor_strategy = "copy";
condition_type = "string";
condition_value = "host";
extractor_config = toJSON ({ regex_value = ''host:\s"(.+?)"(,|$)''; });
order = 3;
target_field = "host";
title = "host";
};
nginx_error_request_path = {
input_id = "\${graylog_input.nginx_error_logs.id}";
type = "regex";
source_field = "message";
cursor_strategy = "copy";
condition_type = "string";
condition_value = "request";
extractor_config =
toJSON ({ regex_value = ''request:\s"(.+?)"(,|$)''; });
order = 4;
target_field = "request_path";
title = "request_path/request";
};
nginx_error_request_verb = {
input_id = "\${graylog_input.nginx_error_logs.id}";
type = "regex";
source_field = "message";
cursor_strategy = "copy";
condition_type = "string";
condition_value = "request";
extractor_config = toJSON ({
regex_value = ''
request:\s"(GET|HEAD|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH).+"(,|$)'';
});
order = 5;
target_field = "request_verb";
title = "request_verb";
};
# nginx access
nginx_access_json_from_syslog = {
input_id = "\${graylog_input.nginx_access_logs.id}";
title = "Get JSON from syslog message";
type = "regex";
cursor_strategy = "copy";
condition_type = "none";
source_field = "message";
target_field = "json";
order = 0;
extractor_config = toJSON ({ regex_value = "nginx:\\s+(.*)"; });
};
nginx_access_extract_json = {
input_id = "\${graylog_input.nginx_access_logs.id}";
title = "Extract JSON fields";
order = 1;
source_field = "json";
type = "json";
cursor_strategy = "copy";
condition_type = "none";
extractor_config = toJSON ({
flatten = true;
list_separator = ", ";
kv_separator = "=";
key_prefix = "";
key_separator = "_";
replace_key_whitespace = false;
key_whitespace_replacement = "_";
});
};
nginx_access_empty_json = {
input_id = "\${graylog_input.nginx_access_logs.id}";
order = 2;
title = "Empty JSON field";
type = "regex_replace";
extractor_config = toJSON ({
regex = ".*";
replacement = "-";
});
target_field = "json";
source_field = "json";
cursor_strategy = "copy";
condition_type = "none";
};
nginx_access_reduce_message = {
input_id = "\${graylog_input.nginx_access_logs.id}";
order = 3;
title = "Reduced message to path";
type = "regex_replace";
extractor_config = toJSON ({
regex = ''.*request": "(.*?)".*'';
replacement = "$1";
});
target_field = "message";
source_field = "message";
cursor_strategy = "copy";
condition_type = "none";
};
};
graylog_input_static_fields = {
nginx_access_logs = {
input_id = "\${graylog_input.nginx_access_logs.id}";
fields = {
from_nginx = true;
nginx_error = false;
nginx_access = true;
};
};
nginx_error_logs = {
input_id = "\${graylog_input.nginx_error_logs.id}";
fields = {
from_nginx = true;
nginx_error = true;
nginx_access = false;
};
};
};
graylog_stream = {
nginx5xx = {
title = "nginx 5xx";
description = "all requests answered with a 5xx response";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
nginx4xx = {
title = "nginx 4xx";
description = "all requests answered with a 4xx response";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
nginx2xx = {
title = "nginx 2xx";
description = "all requests answered with a 2xx response";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
nginx_access = {
title = "nginx access";
description = "all requests";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
nginx_error = {
title = "nginx error";
description = "all errors";
index_set_id = "\${graylog_index_set.default.id}";
disabled = false;
matching_type = "AND";
};
};
graylog_stream_rule =
let
nq_stream_rule = field: value: stream_id: {
inherit field value stream_id;
type = 1;
inverted = true;
};
eq_stream_rule = field: value: stream_id: {
inherit field value stream_id;
type = 1;
inverted = false;
};
gt_stream_rule = field: value: stream_id: {
inherit field value stream_id;
type = 3;
inverted = false;
};
lt_stream_rule = field: value: stream_id: {
inherit field value stream_id;
type = 4;
inverted = false;
};
between = min: max: stream_id: {
"is_nginx_access_${min}_${max}" =
(eq_stream_rule "nginx_access" true stream_id);
"nginx_above${min}" = (gt_stream_rule "response_status" min stream_id);
"nginx_below${max}" = (lt_stream_rule "response_status" max stream_id);
};
in
(between "499" "600" "\${graylog_stream.nginx5xx.id}")
// (between "399" "500" "\${graylog_stream.nginx4xx.id}")
// (between "199" "300" "\${graylog_stream.nginx2xx.id}") // {
is_nginx_access = (eq_stream_rule "nginx_access" true
"\${graylog_stream.nginx_access.id}");
is_nginx_error =
(eq_stream_rule "nginx_error" true "\${graylog_stream.nginx_error.id}");
};
};
}

13
terranix/graylog/provider.nix
View file

@ -1,13 +0,0 @@
{
terraform.required_providers.graylog = {
source = "terraform-provider-graylog/graylog";
version = "1.0.4";
};
provider.graylog = {
web_endpoint_uri = "http://graylog.workhorse.private/api";
api_version = "v3";
#auth_name = "GRAYLOG_AUTH_NAME";
auth_password = "token";
};
}

15
terranix/graylog/shell.nix
View file

@ -1,15 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let pass_access_token_path = "development/graylog/access_token";
in pkgs.mkShell {
buildInputs = with pkgs; [
git-crypt
terranix
(writers.writeBashBin "terraform" ''
export GRAYLOG_AUTH_NAME=`${pkgs.pass}/bin/pass show ${pass_access_token_path}`
${pkgs.terraform_0_15}/bin/terraform "$@"
'')
];
}

BIN
terranix/graylog/terraform.tfstate
View file

Binary file not shown.

32
terranix/servers/config.nix
View file

@ -1,32 +0,0 @@
{ config, ... }:
let
get = element: object: "\${ ${object."_ref"}.${element} }";
getVariable = name: "\${ var.${name} }";
in
{
hcloud = {
enable = true;
resource.server."tinc_node" = {
name = "tinc-node-nurnberg";
image = "ubuntu-18.04";
server_type = "cx11";
backups = false;
# datacenter = "nbg1-dc3";
location = "nbg1";
labels = { system = "nixos"; };
};
};
output = {
"${config.hcloud.resource.server."tinc_node".name}-ip4_address".value =
get "ipv4_address" config.hcloud.resource.server."tinc_node";
"${config.hcloud.resource.server."tinc_node".name}-ip6_address".value =
get "ipv6_address" config.hcloud.resource.server."tinc_node";
};
}

35
terranix/servers/modules/nix-server.nix
View file

@ -1,35 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hcloud.nixserver;
in
{
options.hcloud.nixserver = {
enable = mkEnableOption ''
create a nixos server on hetzner.
this module will take car of everything needed
to be done, to install stuff on it.
wip
'';
};
config = mkIf cfg.enable {
hcloud.resource = {
server."todo" = {
name = "todo-module-created-server";
image = "ubuntu-18.04";
iso = "nixos-graphical-18.09.1195.bf7930d582b-x86_64-linux.iso";
server_type = "cx11";
location = "nbg1";
rescue = "linux64";
labels = { system = "nixos"; };
};
};
};
}

36
terranix/servers/shell.nix
View file

@ -1,36 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let
#terraform = terraform-current;
terraform = pkgs.terraform;
terraform-current = pkgs.terraform.overrideAttrs (old: rec {
version = "0.11.10";
name = "terraform-${version}";
src = pkgs.fetchFromGitHub {
owner = "hashicorp";
repo = "terraform";
rev = "v${version}";
sha256 = "08mapla89g106bvqr41zfd7l4ki55by6207qlxq9caiha54nx4nb";
};
});
in
pkgs.mkShell {
# needed pkgs
# -----------
buildInputs = with pkgs;
[
(pkgs.writeShellScriptBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${terraform}/bin/terraform "$@"
'')
];
# run this on start
# -----------------
shellHook = ''
HISTFILE=${toString ./.}/.history
'';
}

BIN
terranix/servers/terraform.tfstate
View file

Binary file not shown.

2
terranix/space-left/.gitignore vendored
View file

@ -1,2 +0,0 @@
plops/generated/
sshkey*

54
terranix/space-left/README.md
View file

@ -1,54 +0,0 @@
# NixOS Server Example with plops
This setup shows:
- how to use a terranix module
- how to use 3rd party provision software after terraform.
- how to run terranix and terraform
Setup containing opinionated modules to deploy
[NixOS servers](https://nixos.org/)
on
[hcloud](https://www.hetzner.com/cloud)
using
[nixos-infect](https://github.com/elitak/nixos-infect)
with my
[plops](https://github.com/mrVanDalo/plops)
provisioning tool for NixOS,
which is an overlay on
[krops](https://cgit.krebsco.de/krops/about/).
After server creation,
the initial provisioning uploads the
nixos-infect
script and applys it.
After server creation and initialization
terranix/terraform generates
files used for the "real" provisioning
done by plops.
Of course instead of plops you can use every provsioning tool you like
here (e.g. NixOps, Ansible, ... )
# How to Run
## What you need
- a setup [passwordstore](https://www.passwordstore.org/).
- a [hcloud token](https://docs.hetzner.cloud/#overview-getting-started)
stored under `development/hetzner.com/api-token`
## Steps
- `terraform-prepare`: to create ssh keys.
- `terraform-build`: to run terranix and terraform do create server.
- `terraform-destroy`: to delete server (don't forget that step, or else it gets costly)
- `terraform-cleanup`: to delete ssh keys and terraform data.
## DNS
define domains with your nameserver and update `jitsi.nix` and `workadventure.nix`.
- `meet.${domain}` to given ip4 address
- `party.${domain}` to given ip4 address
- `*.party.${domain}` to given ip4 address

52
terranix/space-left/config.nix
View file

@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
let
hcloud-modules = pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix-hcloud.git";
rev = "5fa359a482892cd973dcc6ecfc607f4709f24495";
sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p";
};
in
{
imports = [ "${hcloud-modules}/default.nix" ];
# configure temporary admin ssh keys
users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}";
# configure provisioning private Key to be used when running provisioning on the machines
provisioner.privateKeyFile = toString ./sshkey;
hcloud.nixserver = {
host = {
enable = true;
serverType = "cx31";
configurationFile = pkgs.writeText "configuration.nix" ''
{ pkgs, lib, config, ... }:
{
environment.systemPackages = [ pkgs.git ];
}
'';
};
};
# todo : put this in the hcloud module
resource.hcloud_server.nixserver-host.location = "hel1";
hcloud.export.nix = toString ./plops/generated/nixos-machines.nix;
resource.local_file.sshConfig = {
filename = "${toString ./plops/generated/ssh-configuration}";
content = with lib;
let
configPart = name: ''
Host ''${ hcloud_server.nixserver-${name}.ipv4_address }
IdentityFile ${toString ./sshkey}
ServerAliveInterval 60
ServerAliveCountMax 3
'';
in
concatStringsSep "\n"
(map configPart (attrNames config.hcloud.nixserver));
};
}

29
terranix/space-left/plops/configs/nixserver-host/codimd.nix
View file

@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }: {
services.nginx.enable = true;
services.nginx.virtualHosts.codimd = {
enableACME = true;
addSSL = true;
serverName = "codimd.ingolf-wagner.de";
locations."/".extraConfig = ''
client_max_body_size 4G;
proxy_set_header Host $host;
proxy_pass http://localhost:3091;
'';
};
services.codimd = {
enable = true;
configuration = {
allowFreeURL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/codimd/db.codimd.sqlite";
useCDN = false;
};
port = 3091;
};
};
}

19
terranix/space-left/plops/configs/nixserver-host/configuration.nix
View file

@ -1,19 +0,0 @@
{ config, pkgs, lib, ... }: {
imports = [
#
#./codimd.nix
./hardware-configuration.nix
#/jitsi.nix
#./netdata.nix
./ssh.nix
#./workadventure.nix
];
environment.systemPackages = [ pkgs.git pkgs.ag pkgs.htop ];
networking.hostName = "space-left";
security.acme.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;
}

49
terranix/space-left/plops/configs/nixserver-host/gitlab.nix
View file

@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
let domain = "gitlab.space-left.org";
in {
# setup gitlab
services.gitlab = {
enable = true;
host = domain;
databasePasswordFile = "path/todo";
initialRootPasswordFile = "path/todo";
secrets = {
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
dbFile = "path/todo";
# openssl genrsa 2048
jwsFile = "path/todo";
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
otpFile = "path/todo";
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
secretFile = "path/todo";
};
# smtp?
# gitlab-runner?
};
# setup nginx for gitlab
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.gitlab.port}";
};
};
};
}

10
terranix/space-left/plops/configs/nixserver-host/hardware-configuration.nix
View file

@ -1,10 +0,0 @@
{ ... }: {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

61
terranix/space-left/plops/configs/nixserver-host/jitsi.nix
View file

@ -1,61 +0,0 @@
{
# + +
# | |
# | |
# v v
# 80, 443 TCP 443 TCP, 10000 UDP
# +--------------+ +---------------------+
# | nginx | 5222, 5347 TCP | |
# | jitsi-meet |<-------------------+| jitsi-videobridge |
# | prosody | | | |
# | jicofo | | +---------------------+
# +--------------+ |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | | |
# | +---------------------+
# |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | |
# +---------------------+
# This is a one server setup
services.jitsi-meet = {
enable = true;
hostName = "meet.ingolf-wagner.de";
# JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
# https://github.com/jitsi/jicofo
jicofo.enable = true;
# Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
# Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
# will be used to retrieve a TLS certificate by default. To disable this, set the
# services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
# services.nginx.virtualHosts.<hostName>.forceSSL.
nginx.enable = true;
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
config = {
enableWelcomePage = false;
defaultLang = "en";
};
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 10000 ];
};
}

15
terranix/space-left/plops/configs/nixserver-host/netdata.nix
View file

@ -1,15 +0,0 @@
{
services.netdata = {
enable = true;
config = {
#"exporting:global" = { "enabled" = "yes"; };
global = {
"memory mode" = "dbengine";
"dbengine disk space" = 1024 * 10; # in MB
"debug log" = "none";
"access log" = "none";
"error log" = "syslog";
};
};
};
}

14
terranix/space-left/plops/configs/nixserver-host/ssh.nix
View file

@ -1,14 +0,0 @@
{
# ssh configuration
# -----------------
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.banner = ''
[ Space Left Server ]
'';
# the public ssh key used at deployment
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
}

166
terranix/space-left/plops/configs/nixserver-host/workadventure.nix
View file

@ -1,166 +0,0 @@
{ config, pkgs, lib, ... }:
let
# If your Jitsi environment has authentication set up,
# you MUST set JITSI_PRIVATE_MODE to "true" and
# you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
jitsiPrivateMode = "false";
secretJitsiKey = "";
jitsiISS = "";
workadventureSecretKey = "YXNkZnNkZmxranNhZGxma2phc2RsZmtqYXNsa2Zkago=";
jitsiURL = "meet.ingolf-wagner.de";
domain = "party.ingolf-wagner.de";
# domain will redirect to this map. (not play.${domain})
defaultMap = "mrvandalo.github.io/workadventure-worlds/main.json";
apiURL = "api.${domain}";
apiPort = 9002;
frontURL = "play.${domain}";
frontPort = 9004;
pusherURL = "push.${domain}";
pusherPort = 9005;
uploaderURL = "upload.${domain}";
uploaderPort = 9006;
frontImage = "thecodingmachine/workadventure-front:develop";
pusherImage = "thecodingmachine/workadventure-pusher:develop";
apiImage = "thecodingmachine/workadventure-back:develop";
uploaderImage = "thecodingmachine/workadventure-uploader:develop";
in
{
virtualisation.docker.enable = true;
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 80 443 ];
};
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
systemd.services.workadventure-network = {
enable = true;
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.docker}/bin/docker network create --driver bridge workadventure ||:
'';
after = [ "docker" ];
before = [
"docker-workadventure-back.service"
"docker-workadventure-pusher.service"
"docker-workadventure-uploader.service"
"docker-workadventure-website.service"
];
};
virtualisation.oci-containers.backend = "docker";
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
return = "302 $scheme://play.${domain}/_/global/${defaultMap}";
};
};
virtualisation.oci-containers.containers.workadventure-front = {
image = frontImage;
environment = {
API_URL = pusherURL;
JITSI_PRIVATE_MODE = jitsiPrivateMode;
JITSI_URL = jitsiURL;
SECRET_JITSI_KEY = secretJitsiKey;
UPLOADER_URL = uploaderURL;
};
ports = [ "127.0.0.1:${toString frontPort}:80" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${frontURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString frontPort}"; };
};
virtualisation.oci-containers.containers.workadventure-pusher = {
image = pusherImage;
environment = {
API_URL = "workadventure-back:50051";
JITSI_ISS = jitsiISS;
JITSI_URL = jitsiURL;
SECRET_KEY = workadventureSecretKey;
};
ports = [ "127.0.0.1:${toString pusherPort}:8080" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${pusherURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString pusherPort}";
proxyWebsockets = true;
};
locations."/room" = {
proxyPass = "http://127.0.0.1:${toString pusherPort}";
proxyWebsockets = true;
};
};
virtualisation.oci-containers.containers.workadventure-back = {
image = apiImage;
environment = {
#DEBUG = "*";
JITSI_ISS = jitsiISS;
JITSI_URL = jitsiURL;
SECRET_KEY = workadventureSecretKey;
};
ports = [ "127.0.0.1:${toString apiPort}:8080" "50051" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${apiURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString apiPort}"; };
};
virtualisation.oci-containers.containers.workadventure-uploader = {
image = uploaderImage;
ports = [ "127.0.0.1:${toString uploaderPort}:8080" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${uploaderURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString uploaderPort}";
proxyWebsockets = true;
};
};
systemd.services.docker-workadventure-front.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-uploader.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-pusher.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-back.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
}

74
terranix/space-left/plops/shell.nix
View file

@ -1,74 +0,0 @@
let
# import plops with pkgs and lib
opsImport = import ((import <nixpkgs> { }).fetchgit {
url = "https://github.com/mrVanDalo/plops.git";
rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad";
sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63";
});
ops =
let
overlay = self: super: {
# overwrite ssh to use the generated ssh configuration
openssh = super.writeShellScriptBin "ssh" ''
${super.openssh}/bin/ssh -F ${
toString ./generated/ssh-configuration
} "$@"
'';
};
in
opsImport { overlays = [ overlay ]; };
lib = ops.lib;
pkgs = ops.pkgs;
# define all sources
source = {
# nixpkgs (no need for channels anymore)
nixPkgs.nixpkgs.git = {
ref = "nixos-20.09";
url = "https://github.com/NixOS/nixpkgs";
};
# system configurations
system = name: {
configs.file = toString ./configs;
nixos-config.symlink = "configs/${name}/configuration.nix";
};
# secrets which are hold and stored by pass
secrets = name: {
secrets.pass = {
dir = toString ./secrets;
name = name;
};
};
};
servers = import ./generated/nixos-machines.nix;
deployServer = name:
{ user ? "root", host, ... }:
with ops;
jobs "deploy-${name}" "${user}@${host.ipv4}" [
# deploy secrets to /run/plops-secrets/secrets
# (populateTmpfs (source.secrets name))
# deploy system to /var/src/system
(populate (source.system name))
# deploy nixpkgs to /var/src/nixpkgs
(populate source.nixPkgs)
switch
];
in
pkgs.mkShell {
buildInputs = lib.mapAttrsToList deployServer servers;
shellHook = ''
export PASSWORD_STORE_DIR=./secrets
'';
}

49
terranix/space-left/shell.nix
View file

@ -1,49 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let
#terranix = pkgs.callPackage (pkgs.fetchgit {
# url = "https://github.com/mrVanDalo/terranix.git";
# rev = "2.3.0";
# sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4";
#}) { };
terranix = pkgs.terranix;
terraform = pkgs.writers.writeBashBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${pkgs.terraform_0_12}/bin/terraform "$@"
'';
in
pkgs.mkShell {
buildInputs = [
terranix
terraform
(pkgs.writers.writeBashBin "terraform-prepare" ''
${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
'')
(pkgs.writers.writeBashBin "terraform-build" ''
set -e
set -o pipefail
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
${terraform}/bin/terraform init
${terraform}/bin/terraform apply
'')
(pkgs.writers.writeBashBin "terraform-destroy" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
'')
(pkgs.writers.writeBashBin "terraform-cleanup" ''
rm ${toString ./.}/sshkey
rm ${toString ./.}/sshkey.pub
rm ${toString ./.}/terraform.tfstate*
'')
];
}

BIN
terranix/space-left/terraform.tfstate
View file

Binary file not shown.

10
terranix/tinc-test/.gitignore vendored
View file

@ -1,10 +0,0 @@
.terraform
*.tf.json
*.swp
02-build/generated/**
!02-build/generated/.keep
terraform.tfstate
terraform.tfstate.backup
.terraform.tfstate.lock.info

32
terranix/tinc-test/01-terranix/config.nix
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
let
#hcloud-modules = pkgs.fetchgit {
# #url = "https://github.com/mrVanDalo/terranix-hcloud.git";
# url = "https://git.ingolf-wagner.de/terranix/hcloud.git";
# rev = "b6896f385f45ecfd66e970663c55635c9fd8b26b";
# sha256 = "1bggnbry7is7b7cjl63q6r5wg9pqz0jn8i3nnc4rqixp0ckwdn85";
#};
hcloud-modules = /home/palo/dev/terranix-hcloud/terraform-0.11;
in
{
imports = [ (toString hcloud-modules) ./config/ssh-setup.nix ];
hcloud.export.nix = "${toString ../02-build/generated}/nixos-machines.nix";
hcloud.nixserver.server = {
configurationFile = pkgs.writeText "configuration.nix" ''
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
htop git vim mosh
];
networking.firewall.allowedUDPPorts = [ 60001 ];
}
'';
};
}

31
terranix/tinc-test/01-terranix/config/file-generation.nix
View file

@ -1,31 +0,0 @@
# --------------------------------------------------------------------------------
#
# collect all server information and generate files which get picked up
# by 02-build to deploy the machines properly.
#
# This makes it possible to deploy VPNs like tinc and wireguard.
#
# --------------------------------------------------------------------------------
{ config, lib, pkgs, ... }: {
resource.local_file = {
nixosMachines = {
content = with lib;
let
serverPart = name: ''
${name} = {
host = "''${ hcloud_server.${name}.ipv4_address }";
user = "root";
};
'';
allServerParts = map serverPart (attrNames config.hcloud.server);
in
''
{
${concatStringsSep "\n" allServerParts}
}
'';
filename = "${toString ../../02-build/generated/nixos-machines.nix}";
};
};
}

46
terranix/tinc-test/01-terranix/config/ssh-setup.nix
View file

@ -1,46 +0,0 @@
# --------------------------------------------------------------------------------
#
# configure ssh setup
#
# --------------------------------------------------------------------------------
{ config, lib, pkgs, ... }:
let
ssh = {
privateKeyFile = ../../sshkey;
publicKeyFile = ../../sshkey.pub;
};
target = file: "${toString ../../02-build/generated}/${file}";
in
{
# configure admin ssh keys
users.admins.palo.publicKey = lib.fileContents ssh.publicKeyFile;
# configure provisioning private Key to be used when running provisioning on the machines
provisioner.privateKeyFile = toString ssh.privateKeyFile;
resource.local_file = {
# provide ssh key for the server
sshKey = {
content = lib.fileContents ssh.publicKeyFile;
filename = target "sshkey.pub";
};
sshConfig = {
filename = target "ssh-configuration";
content = with lib;
let
configPart = name: ''
Host ''${ hcloud_server.${name}.ipv4_address }
IdentityFile ${toString ssh.privateKeyFile}
ServerAliveInterval 60
ServerAliveCountMax 3
'';
in
concatStringsSep "\n"
(map configPart (attrNames config.hcloud.server));
};
};
}

37
terranix/tinc-test/01-terranix/shell.nix
View file

@ -1,37 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let
terranix = pkgs.callPackage
(pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix.git";
rev = "6097722f3a94972a92d810f3a707351cd425a4be";
sha256 = "1d8w82mvgflmscvq133pz9ynr79cgd5qjggng85byk8axj6fg6jw";
})
{ };
terraform = pkgs.writers.writeDashBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${pkgs.terraform_0_11}/bin/terraform "$@"
'';
create = pkgs.writers.writeDashBin "create" ''
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > ${
toString ./.
}/config.tf.json \
&& ${terraform}/bin/terraform init \
&& ${terraform}/bin/terraform apply
'';
destroy = pkgs.writers.writeBashBin "destroy" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
rm ${toString ./.}/terraform.tfstate*
'';
in
pkgs.mkShell {
buildInputs = with pkgs; [ terranix terraform create destroy ];
}

4
terranix/tinc-test/02-build/assets/tinc/client/ed25519_key.priv
View file

@ -1,4 +0,0 @@
-----BEGIN ED25519 PRIVATE KEY-----
gTFtvOMvD5KTUZeGNcTh5ngY/BktUd0OW/37jT8w+61eLP0ntMkaBB8yovTbJvXR
vReDUb/hjIi7nhGgy2EzP6An4QtXWvTHWJSDefglGVlcFqPDbhRkJ8CpWbCGoIYt
-----END ED25519 PRIVATE KEY-----

14
terranix/tinc-test/02-build/assets/tinc/client/host_file
View file

@ -1,14 +0,0 @@
Ed25519PublicKey = OwJOU7l170hVi0g3HYpRVJXh6zwWYEZCvQq1mgBKCWL
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwNR4EbAffxezhbmTIoetrUPPpo66rR9kPJkLCl/fTJbVE1ryjXNQ
Cq0lefDURLT4L3Iw/XgBUIy1xpH8InolnYlL2DRadOvbA0nCUzoekwshcV1N6tCe
HsxrVP5XSxGJ6Es7L0zzvqXCoYP4tic+N4ztZBknn9RRMY497qHPxLoejqPZndmj
9VPciWtiZMhLPka/r0mS/Y7h2t3IQg3J2QCXjQoojTpGym9wPlBXcE2Hv5hYKM8X
359/arLKlAi91I2SH1o6+rBoGaMB50goEnDvWqdha95CR9K/I7+eJm8/AiJCxus0
2KKCK7K5GvBPifEgMX4AVF8bqgTF9VZi0peG3dUEsg2L/6XqfH6IeFziWfuzuR9k
Ud0fzu235ssshMz/WHtTZiwTUc/xzs29PrF8ThieN/nt6tdBS3A0wdqeNfKjoD3k
zgqcc+ODUUR4gaq/46W0lU8aiP1w32YmKLnrBmFYjZXHqXNgYOZctoW/SjblvpCK
pYUxowFOXA8BU/eRiNZfa+b0ONe0XQOj8Q78st5XsCTlqHLkytdjwauZvM4jVuE9
7lhvvr1ft/QO3RdBMXAXgDN0F2eDnzqdRE/rrvqNJCeheS9rmHE6Aa0e5yTcJMMK
qCkys4lQn4y9RnfH3MpzRtRnpSKid31WcmCI+JYHLe4ZhFWXju4fKPECAwEAAQ==
-----END RSA PUBLIC KEY-----

51
terranix/tinc-test/02-build/assets/tinc/client/rsa_key.priv
View file

@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAwNR4EbAffxezhbmTIoetrUPPpo66rR9kPJkLCl/fTJbVE1ry
jXNQCq0lefDURLT4L3Iw/XgBUIy1xpH8InolnYlL2DRadOvbA0nCUzoekwshcV1N
6tCeHsxrVP5XSxGJ6Es7L0zzvqXCoYP4tic+N4ztZBknn9RRMY497qHPxLoejqPZ
ndmj9VPciWtiZMhLPka/r0mS/Y7h2t3IQg3J2QCXjQoojTpGym9wPlBXcE2Hv5hY
KM8X359/arLKlAi91I2SH1o6+rBoGaMB50goEnDvWqdha95CR9K/I7+eJm8/AiJC
xus02KKCK7K5GvBPifEgMX4AVF8bqgTF9VZi0peG3dUEsg2L/6XqfH6IeFziWfuz
uR9kUd0fzu235ssshMz/WHtTZiwTUc/xzs29PrF8ThieN/nt6tdBS3A0wdqeNfKj
oD3kzgqcc+ODUUR4gaq/46W0lU8aiP1w32YmKLnrBmFYjZXHqXNgYOZctoW/Sjbl
vpCKpYUxowFOXA8BU/eRiNZfa+b0ONe0XQOj8Q78st5XsCTlqHLkytdjwauZvM4j
VuE97lhvvr1ft/QO3RdBMXAXgDN0F2eDnzqdRE/rrvqNJCeheS9rmHE6Aa0e5yTc
JMMKqCkys4lQn4y9RnfH3MpzRtRnpSKid31WcmCI+JYHLe4ZhFWXju4fKPECAwEA
AQKCAgBp1PLlOlW/CkIUVcqkO/UdUEdqcZGRLNZ1z8VYd0/2GB5v1g2jhrNaeLdF
2uCVqQFCARlUNAX8sI2fo0XPolx8vvrqealf3IbCojvOM+rN52D+eCgohUETRDxw
VHuSjtiyrn+YMVLhwtY0kVrylk02bdlog8nUldHOMfRZwWNn5IKa5OCuGuI65kD3
BwHksG1ji67uxKGxGjdpSSn83tZ2jDWhSf8BrAdoWYswGCY1U8f6ZuGT3D2NFVv4
MpKudrHBM8YMARi3uBQaZfXIezjLDkK/7XexnTWhd9BCDYv+KjZZtHYT+MlzUJXC
5/9iApyU58s0fqQtqlljkeUYBsaLOyMDvBzuZE36PM7dC988Wtr8B/4qwkCaveN1
6Qz2i0iyNbtWJuGFqvorr+bNrvV8f/kinguWkpbE3uM3h43OAS2QIEGu9LAMsYic
dJz7AKUw2nTifBTqrUkWO9Vx2fBaUnU3FCW5SnkayKewIZ2Fgc0xKCIS68jlM6uD
p8z/FcKe9EEjb40lEcXMKmyEnMG7Qc/pAZa3M7t7UAmHSSLfG7zaECUxhQytHBPD
xa08L6DRMmzvI4Ezdrt7KawydDTGM9bcH5fe2qgfK48jx2T9aIV2Vs/tgcIim8WF
IK53oeJXMB8eXliGiPrwQkwFi3WoErsYkXF0Cn19IRayYNTOpQKCAQEA93l9mfCw
pkCb/gbdkARsbmOxjGzAUfOvRdEt+MmAjzovG3HG9oUQT4M5xGWDpxLPP0uMMGVF
XadUq1ZuSPK/mQaNHY5Tp/OBy3XC2YyiB1zYHrrbxmq54ikF+NwfaV2lVSeHt+TU
tu3ZHDs7wXG7UsgL9MrD2aaBC/Sk2/3BKo9xUPOu54YlZsBCB+2NiZugdQUVwHDl
Snj/dY1YhIEnRphY7CPj36vjDsSL1EqxKLTKKPJTJVU9cTQwCMGbR1OPoB8FjVVr
51pz9dWS6P9iHZitoqv+uf8fe2AkUs5t6U2yFcHQYqvlKyIFsZSTOcWFM5oAZChj
IBqsmbK7rUoHFwKCAQEAx3kPhwkkF1uvFCfnl+69UjDNovuJvCgf7eMNlzZbhzA5
BbQPLeDbj/8q/3Anqoo2WvvWKVf+7du0KK+Cn6o4+xXCtkCvMUMWIVIUDWe+nykw
STKfzAw5OrYr8ja4HsJu6y0Pm+qczksXCaRhqsRl120OHzyD8WOa758PE0+Lntjz
v1HkJgDSTFcx4+gKZCikKTxwUT17W4phorY3qnYxCnP8e8relNxBIaY/EEbXUPMU
5L3X60Hdscfde7N8/Yj9SQpRmL8qLEkHWSCeziLcN5zzc5wty5yQ/+0SZX4K1S2u
Orv50afYiXC3TAOfYxDKf2DdVJwAJhbCZHIQQitVNwKCAQEAl3O2tnti4Jwx22kA
N589bOF+S15S5NSps6Ss6dEH6J/HLJiZF02gCclZlSQ7Sghs5WOqzANuTD6XxrQC
kopdT51+x1PPRr3z9TyAnvs+PhtH+KaK0geG8y4ABalRX/57rH2gxZ45wCoX8Psf
OugLqEHdb1aYPZ904og6TJgjm5Rl2REJPZAPW67VulxbfpfLv1H5Wei9qrIaRSrX
vV/9VWrvILVmRADB2MvYd3eurCbYge6ri/F6xMkXjIRQL3qoL2pMz44zl0b4KL8o
RYfl2A8UVLXGErZb4fmYwUSsZ1exYTdX/MsOWTNdIKy43WZQeqAJFULSR1eLwhRs
X0UqyQKCAQB4cB3x+JD0EYWKc/WfhKSGxbTDnYCyPL/akGcaT9W/sFwdl3Q6zTOE
pBrAFGW+0Ki1Eq1iVSE1WJxUnHQQF2VEJQVlqXSeF9V61OYKmgM8clAXQhu9xfuf
+XJbUrKkz9zM3m44Q9XdsPT9+2SFCQQ8qDoIni9ERlG8MJuXm0W/6Vpyv+0zDPfs
5BDZfLcZdnh39WgThT3ALbN53O+LWsWNfC6MSBdQZhRlTs1w9HT5CWwqGH4QK7rB
pt2R3POw2U+lFDfkNDgweP+YzttTtzSj134e5cO41pWuEOQ0p3++60/xYqIZ9nAF
vCrQGLfZxr+dXU0F0xM77C3/G+e5LBTNAoIBAAf/z1zNTwc8v/dbkK9Esd/3VYUs
HEmVn7RguwbqmZcMFHLmyaWZxw3qu16bR7ktHm3NfVL5hyHJ58/UFwGvS/kVlIsz
+iAEoqjwpkNyCvT8ZdaB6grvCSV1Ac2m5YkQ9RxNCDtekLvBmw8izX/o0ESwwvkw
eb/119fSOWB60/QQQzFREUL6KpKc+OMCLV5XfbAxTeaDahAhSTWMJxCfWqYYhFU0
46bwiq+fo+DFHRo+BDJv7Wc8x/B/gzlSMFsxFZ0hUzXBk7Pqz3Rm/UK2cpn1DQ1/
zQNglB1DM4IwzoQ/DGVzYeneRLEBfU1wVlxUUatBC9oXY6zz85FbzSdyl74=
-----END RSA PRIVATE KEY-----

1
terranix/tinc-test/02-build/assets/tinc/client_host_file
View file

@ -1 +0,0 @@
client/host_file

1
terranix/tinc-test/02-build/assets/tinc/ed25519_key
View file

@ -1 +0,0 @@
server/ed25519_key

1
terranix/tinc-test/02-build/assets/tinc/rsa_key
View file

@ -1 +0,0 @@
server/rsa_key

4
terranix/tinc-test/02-build/assets/tinc/server/ed25519_key
View file

@ -1,4 +0,0 @@
-----BEGIN ED25519 PRIVATE KEY-----
wNkj/HdU70l7X5XC5YVlWp3FBa8cBaDRy1LbJCjkh83CYYieSQ2IUWgHQ4Vhx253
7bXVLSOnVIKMifAnBwSOSX7lTGI6gUP2aZCwa142WdxPDPiYv3sEMqK037VyfHVl
-----END ED25519 PRIVATE KEY-----

14
terranix/tinc-test/02-build/assets/tinc/server/host_file
View file

@ -1,14 +0,0 @@
Ed25519PublicKey = 1e5kBiOI1jtWmAsWNutVX8zwjI27NLBjqC99el83RVJ
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA1qFa0YFVefm3kVXGG5j26TF4JNJtBpZo1Jtd9XB6cErMG80vrdvb
RWNwCoY8SM21zN5ew9p7W/P8aClZShx7WRyIzPsTnc69N7zIosAIeXURgo8Ot2Yd
1us5RquPxc6NZ0JhDkz50EgQiJ4fRaCmaBb68hP36U8XdO7VTn93+l0YlmvbhAny
gB7iMOsXiDXxbzxOO+XC3ygaeO45ioEDduEv9Ny9KptXN08eOkxKL7dN4om2Nux0
2EurWqTBYTrWki+XxovfvsmiM5AELHtTaUM8FwwEX0e7dV1cDYYqz3hWPmYgZ4Bj
dp258VDa/sbUCiRVQfcxzHqbvd3UCoNG76YsGJ6s7TqoxvCCvB4ziH+d6/Uu+h5h
DtjccwVQmW22A5DQHix4T/DmXs1GB5qzOa8eEd6cHTpqp/qzGmvC0un5BezY+CVR
ZphzFoYGF6Q3T7JwC6LCMCNBOqby+bhZNYmkztRzhXvFFrBmj6E17+8Z5fgLgl6u
+1QhxQTjg3uvjZXmQh2+jjTwa3vO1pZR6k9yyLMo9zPpr7i7QY4tqPR8u4j0fkHj
aXtOOj2wl0gDCnVX3mWeUKCJusCDdJ2hPpuz11pPQt67mxtUXO31aMM9J3mHjj0y
PKl7NGKA7ozI9e4HV09KiozM6yrLrvLyoRTn8AgwVoMiEw91CHhDNRkCAwEAAQ==
-----END RSA PUBLIC KEY-----

51
terranix/tinc-test/02-build/assets/tinc/server/rsa_key
View file

@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA1qFa0YFVefm3kVXGG5j26TF4JNJtBpZo1Jtd9XB6cErMG80v
rdvbRWNwCoY8SM21zN5ew9p7W/P8aClZShx7WRyIzPsTnc69N7zIosAIeXURgo8O
t2Yd1us5RquPxc6NZ0JhDkz50EgQiJ4fRaCmaBb68hP36U8XdO7VTn93+l0Ylmvb
hAnygB7iMOsXiDXxbzxOO+XC3ygaeO45ioEDduEv9Ny9KptXN08eOkxKL7dN4om2
Nux02EurWqTBYTrWki+XxovfvsmiM5AELHtTaUM8FwwEX0e7dV1cDYYqz3hWPmYg
Z4Bjdp258VDa/sbUCiRVQfcxzHqbvd3UCoNG76YsGJ6s7TqoxvCCvB4ziH+d6/Uu
+h5hDtjccwVQmW22A5DQHix4T/DmXs1GB5qzOa8eEd6cHTpqp/qzGmvC0un5BezY
+CVRZphzFoYGF6Q3T7JwC6LCMCNBOqby+bhZNYmkztRzhXvFFrBmj6E17+8Z5fgL
gl6u+1QhxQTjg3uvjZXmQh2+jjTwa3vO1pZR6k9yyLMo9zPpr7i7QY4tqPR8u4j0
fkHjaXtOOj2wl0gDCnVX3mWeUKCJusCDdJ2hPpuz11pPQt67mxtUXO31aMM9J3mH
jj0yPKl7NGKA7ozI9e4HV09KiozM6yrLrvLyoRTn8AgwVoMiEw91CHhDNRkCAwEA
AQKCAgBSwt9ZP+zs3tzo/tEoXSCApSG12SpPSvpbWRmvBdNAr6bq5YEIImn35LMU
a9SdIi2DNRAHp5y/xWJD7AXRLRBnOTiLChnzVP/jmTkogLID25+H35AGKitBb2yj
ko4a8V3XPmJceFQv+0nc1FQsrhjctFfJtud2oJfj8CByZ3alJPbRMf/wd0F6I+6G
fHCThnF1uiRUtnEhSb6DeSDZBoyGb6jlW6TZ5BKKckiupDJLGfy/aOjJXv5jVTJa
/oLO8jhBIHb/CXqaf/e6uELTwC5WvaVTIcAh2XAwfnJ7iIvDepyO7SR7pKc12vYT
VmFLsvGag44YpLAgL/sUCJC2CQ71rtx79SNHegDkunqI+GZTSL1uuBHMXpSA75xm
t6m6hcn3E0rL6wSZ+mgpyL1+AULWOSbU4XybsXjORzTsJfn91s7k5dyySQSRDy30
z10fQzLPJI8kSmGtzUFpDMvOYpfmq5p0aMI58fvTqLgNc1wnJrj2SKfEQI0MnhKU
BESIh63yjPQuPkeqpO1zf8OgmvZ/PU7Egbb8YAHzC11KBh2zKem6zL0Q/bLBcur1
bcKT0VRq/5jpwLG1dpXf7KovatTjg44cjb+LFP6YnBhM1pc620Hc4G+TPJs3y56c
OdmX6UCCvl1c4pZJ4Mmg7I1LvZcPFIYFFOTmLLixfWWH4n7vrQKCAQEA+PjO4I8Z
RMMui1cpfoj3go4y/IY3bWF2Dgg6QgddagXxdFMVtFKD0LMlpbt3MUmGOjj7zepG
1zeRnvgkAk6ZX/nibMkDWnyVMoews1WJC3YpOZdavjzJ2j3517rvomhSQWzbyOAt
T1oR9dz2EYEFchYgJ+N5pmCvrhQd1nENpT9usxiVT+ecTE8sObJqY6a1otK969yO
urIckDx8SqKY6V5iuTjcsdrSfzIlFKKZ5S9XPqg98lqWekYA9R5WMzolQGFVoDMI
343HdE/oEExBR7X39E+D2YGwoepw6lVBHkmFd1px5Oc5kysAbvB1QiSoU1Oi85mN
uBmrzxmYkQ/d7wKCAQEA3LBgoWzoez81rDh+i9vXweI7vKHy1htJnRPgYuxWtlvu
RzgGK/FvOMOthVqpOR0fO1g+7/LupgNjBgGys+jTOeZiKwYEWuy0RCpjKmhc6j2y
jwdXjzHf0Ve3MFF23qhaXhQHEgg9W1VQJwt8xv28mY96YznYB/JC0vLG2ZdQ5ASJ
JHrrZNIk3h+32yBRq8312+cWRXmg27MSSfOrRAMSeoV0c7YvDakce9ZNaok/gbi9
hA+yqxZc0SrkOXLA0plHzyzH492sonsdLjIQNApJv36NqD6ZHzcPy2iHK3ymhj+z
QM/kt5QHFbK3OFBJbyHxtbSpMfJMvh5AgzyJhaildwKCAQAHe+MsGOEXkg5qHdqf
dRqLkB60PIyZ+x4DWff2WCZUs40IhB7Y5soTke8FxlbU4nLoeSIIlIxAl+kGsErU
zuwJWIeX4Yr6Q1hwxmdnXKDb+VdP5d7SbR1cNBS4iWP+q8gdM1p/9U0nX3u+uj+j
Uw+I2GVrDYlwmONvBifHdGqGlxuKwqhqWHn4SUD5EwXjrPU0ycTvvBeGQShepZLO
44hZK38oNi9cIUnGjQlUT3b0zrF+rqv+Bv8S+du5gonwzESmZMagJCiWH7rpIiXF
p6UmtK+ZZnJ+LUnT9CokwR9N+8PJTKyzxseSRu6iZxP/Qv7UUmVJkUoTSKJDfW96
nNF9AoIBAAOnU+I4SF0J/dx9DvNHz3mhQjXsRHXw+7YDBzr8CK96NCavscJ2e83n
x26mwph0d/jmjBwy3GqZMcF+s7OwzhZuTv/BWL8cnhtmzD9+fNNP9C3UBEoVnEv9
9MVzA9HJ3b0i/b75rfJeJjaPRSCSQNYV/wO3iHERPLP7WvltPOSZgp+8/TqtE/kt
c0DIdzGt9j0OxVqfGd+pRks9In+8wUiP/w6PXJYQT61pLdzuqsN+CH0wOVgFxcGc
wSyGTtTtvreaWTDXka0a9q+2GniSFwh5kuTPLH/MzJEkiOBabvNYCKKxDmtPoxJj
5A6lnaGeYT8N36M5DLY1EAJcNTamRR8CggEBAPgc5Wr2YM9rmAB/15H+xk8H/tsI
1hxgGtfdHdo9ZwIyowakuqQaIjbgFX64bE9cX9C62mJ12rP6YoTAz5zRBm4J1Eld
U2PlnCwLJbtrdF83tTSi8n9Yo/y3wMFB0C+z2apEqOkLTUaz3REM+1N8CWVKMtaW
CtEqfx2sIbwy/Y3i8kSyR8mZPiMlpGULLBPvcKSgZZnUzzo5gZh2mP9zwb0q669K
71k3LzM8EY/1by8xrhhg5Iyanoeq2PwecUR4XD8pvpYRdUk+bERUSPyJenWa1JQ/
df25AfKqmpoVp+LeICbZf4vNLxR1rs44fXPkMpu4SoQkSLuNYkoqpOngjjY=
-----END RSA PRIVATE KEY-----

1
terranix/tinc-test/02-build/assets/tinc/server_host_file
View file

@ -1 +0,0 @@
server/host_file

19
terranix/tinc-test/02-build/configs/nixserver-server/configuration.nix
View file

@ -1,19 +0,0 @@
{ pkgs, lib, ... }: {
imports = [ ./hardware-configuration.nix ./tinc-server.nix ];
networking.hostName = "server";
# ssh
environment.systemPackages = with pkgs; [ htop git vim mosh tmux ];
networking.firewall.allowedUDPPortRanges = [{
from = 60000;
to = 60100;
}];
services.sshd.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles =
[ <test-generated/sshkey.pub> ];
# wireshark
programs.wireshark.enable = true;
}

8
terranix/tinc-test/02-build/configs/nixserver-server/hardware-configuration.nix
View file

@ -1,8 +0,0 @@
{ ... }: {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

11
terranix/tinc-test/02-build/configs/nixserver-server/tinc-server.nix
View file

@ -1,11 +0,0 @@
{
imports = [ ./tinc.nix ];
module.cluster.services.tinc = {
"test" = {
debugLevel = 5;
enable = true;
openPort = true;
};
};
}

33
terranix/tinc-test/02-build/configs/nixserver-server/tinc.nix
View file

@ -1,33 +0,0 @@
# shared tinc file between client and server
{ config, pkgs, lib, ... }:
let nixosMachines = import <test-generated/nixos-machines.nix>;
in {
imports = [ <cluster-module> ];
networking.firewall.trustedInterfaces = [ "tinc.private" ];
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
module.cluster.services.tinc = {
"test" = {
networkSubnet = "10.123.142.0/24";
extraConfig = ''
LocalDiscovery = yes
'';
privateEd25519KeyFile = toString <test-assets/tinc/ed25519_key>;
privateRsaKeyFile = toString <test-assets/tinc/rsa_key>;
hosts = {
server = {
tincIp = "10.123.142.1";
realAddress = [ nixosMachines.nixserver-server.host.ipv4 ];
publicKey = lib.fileContents <test-assets/tinc/server_host_file>;
};
sterni = {
tincIp = "10.123.142.100";
publicKey = lib.fileContents <test-assets/tinc/server_host_file>;
};
};
};
};
}

0
terranix/tinc-test/02-build/generated/.keep
View file

76
terranix/tinc-test/02-build/shell.nix
View file

@ -1,76 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
with pkgs.lib;
let
ops =
let
opsImport = import ((import <nixpkgs> { }).fetchgit {
url = "https://github.com/mrVanDalo/plops.git";
rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad";
sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63";
});
overlay = self: super: {
# overwrite ssh to use the generated ssh configuration
openssh = super.writers.writeBashBin "ssh" ''
${super.openssh}/bin/ssh -F ${
toString ./generated/ssh-configuration
} "$@"
'';
};
in
opsImport { overlays = [ overlay ]; };
lib = ops.lib;
pkgs = ops.pkgs;
source = {
nixPkgs.nixpkgs.git = {
ref = "nixos-19.09";
url = "https://github.com/NixOS/nixpkgs-channels";
};
system = name: {
configs.file = toString ./configs;
test-assets.file = toString ./assets;
test-generated.file = toString ./generated;
nixos-config.symlink = "configs/${name}/configuration.nix";
};
modules.cluster-module.git = {
url = "https://git.ingolf-wagner.de/nix-modules/cluster.git";
ref = "1.2.0";
};
};
servers = import ./generated/nixos-machines.nix;
deployServer = name:
{ user ? "root", host, ... }:
with ops;
jobs "deploy-${name}" "${user}@${host.ipv4}" [
(populate (source.system name))
(populate source.nixPkgs)
(populate source.modules)
switch
];
moshServer = name:
{ user ? "root", host, ... }:
pkgs.writers.writeDashBin "mosh-${name}" ''
${pkgs.mosh}/bin/mosh \
--ssh="${pkgs.openssh}/bin/ssh -F ${
toString ./generated/ssh-configuration
}" \
"${user}@${host.ipv4}"
'';
in
pkgs.mkShell {
buildInputs = lib.mapAttrsToList deployServer servers
++ mapAttrsToList moshServer servers;
}

73
terranix/tinc-test/README.md
View file

@ -1,73 +0,0 @@
A setup to test tinc on a hetzner box
# steps
## OPTIONAL: generate fresh ssh keys
```sh
ssh-keygen -P "" -f sshkey
```
## OPTIONAL: generate new tinc keys
```
nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
cat *.pub host_file
rm *.pub
```
## generate machine
```sh
cd ./01-terranix
nix-shell --run "create"
```
## provision machine
```sh
cd ./02-build
nix-shell --run deploy-server
```
## tracking and collecting
```
dumpcap \
-i ens3 \
-w /root/hardware-device_working.dcap
dumpcap \
-i tinc.test \
-w /root/tinc-device_working.dcap
```
and for the not working experiment
```
dumpcap \
-i ens3 \
-w /root/hardware-device_not-working.dcap
dumpcap \
-i tinc.test \
-w /root/tinc-device_not-working.dcap
```
logs
```
systemctl --from "2020-01-04 15:00" --until "2020-01-04 16:00" -o json > working-logs.json
systemctl --from "2020-01-04 17:00" --until "2020-01-04 18:00" -o json > nog-working-logs.json
```
and setup
```
tar cvzf etc.tgz /etc/tinc
```
## cleanup
```sh
cd ./01-terranix
nix-shell --run "clean"
```

27
terranix/tinc-test/sshkey
View file

@ -1,27 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqD70wK7MGSV6uBaP/IWxgr/eWm/LXsVu0rLOF8/VQdcPZgVw8eo6
ZyDnfJpSvaYMknP9JlaiawMTpwrON8A5y8i2prQDhdO8Uz1pK+VXfZgY6hEOcs1UJmacsV
82oyaYAHg8gYUsRp8FOYQUCyZPrVlQMJN4F854sCugVr9Zfgc8B3Q+zoLX13jO+QLCTefI
BRkKwBDHK3lGrNYyJ6qSTV/gA6LruwglPlK5BQsyB7djoLRgi7eNmJRyFqH7SotY40TzZR
w3BF7ssW4DFfqCXw/OtuOKls7+uivQgfUkAKvhGVbFbGRdEzRKTmgMzUNVXILZ5CYoTjEJ
FGzrB6APwQAAA8A3cOj/N3Do/wAAAAdzc2gtcnNhAAABAQCoPvTArswZJXq4Fo/8hbGCv9
5ab8texW7Sss4Xz9VB1w9mBXDx6jpnIOd8mlK9pgySc/0mVqJrAxOnCs43wDnLyLamtAOF
07xTPWkr5Vd9mBjqEQ5yzVQmZpyxXzajJpgAeDyBhSxGnwU5hBQLJk+tWVAwk3gXzniwK6
BWv1l+BzwHdD7OgtfXeM75AsJN58gFGQrAEMcreUas1jInqpJNX+ADouu7CCU+UrkFCzIH
t2OgtGCLt42YlHIWoftKi1jjRPNlHDcEXuyxbgMV+oJfD86244qWzv66K9CB9SQAq+EZVs
VsZF0TNEpOaAzNQ1VcgtnkJihOMQkUbOsHoA/BAAAAAwEAAQAAAQBwNZTNEYeD2fBP6JRd
adkrB8ZHcLolWe4AzkoPrYhgogteEpDydzI+Z76b5tz6KU3HO16B/FPUpTetN9KzchvZ4u
KWqgaTcdTve0yyfwHr/M3ZBkkpnfHarqMg1Qy+oVXNMmPASk5uR06XvpQTn5iSV7fYvfHh
hs4NSPtl/7azCxFK6PnQSKoUz1FSSdV/JT1Iptw5pSASMv6qCPWK04tIpfV9kVnxJMDRuD
f8DZqxhruien6YjIKaP2UOvVIj2cog5siELmkRN56naPEXdEKs2heSnQ1NtjexmKkzEJM7
vAbZJ1EBT2c4UbmLlCJ/M+3wgjTdDIzjUK7WHVRD1Mh1AAAAgBfcHhwEwStAZ2DUgrOFYE
kBUWZzBUmnFIK/HB0SX7CGk7V1I3PhpG8TF2PhC85dcC44i/wYdrEC/R+zA/iOf/94tO3l
T0pksYewfk+1uUPWxJtBLzDpYJk/RfskA+K5aLw1UI+4kGdtaoia/Y1qbHmwrBfNUYUZx6
NDo7X5teQKAAAAgQDTBDReUialFX046Qq6CXinMpvprgwKNaWgdUfnZ6ihKye3IoLkVqYk
IkIJDcDzyPiekJc2Xwi2uFVo//2T02aeisYgkOmFYYNXM4eHQfsEQyt6SqtpvlsoZ6BF7z
sB4QQsYnuwxsO6vbQSKItlX5qrodbnldNqjqwU9Eiz6S+5XwAAAIEAzByjPznLIcsYAk/u
bZ8TyX2Iigd8WAmuauvhfHJ9o65AQM1D5kYytD8c3Zn64iZxPaZX1UK9T5gkSQETJz/Ix8
EEulFiWyS1GtGImykJ1E32zM06xS+nMDKrbvQbAsUPDD0u52eMMLwex1GG8YWxcRKZyDL2
jz63bvm/l1vcKt8AAAALcGFsb0BzdGVybmk=
-----END OPENSSH PRIVATE KEY-----

1
terranix/tinc-test/sshkey.pub
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoPvTArswZJXq4Fo/8hbGCv95ab8texW7Sss4Xz9VB1w9mBXDx6jpnIOd8mlK9pgySc/0mVqJrAxOnCs43wDnLyLamtAOF07xTPWkr5Vd9mBjqEQ5yzVQmZpyxXzajJpgAeDyBhSxGnwU5hBQLJk+tWVAwk3gXzniwK6BWv1l+BzwHdD7OgtfXeM75AsJN58gFGQrAEMcreUas1jInqpJNX+ADouu7CCU+UrkFCzIHt2OgtGCLt42YlHIWoftKi1jjRPNlHDcEXuyxbgMV+oJfD86244qWzv66K9CB9SQAq+EZVsVsZF0TNEpOaAzNQ1VcgtnkJihOMQkUbOsHoA/B palo@sterni

2
terranix/workadventure-jitsi-setup/.gitignore vendored
View file

@ -1,2 +0,0 @@
plops/generated/
sshkey*

54
terranix/workadventure-jitsi-setup/README.md
View file

@ -1,54 +0,0 @@
# NixOS Server Example with plops
This setup shows:
- how to use a terranix module
- how to use 3rd party provision software after terraform.
- how to run terranix and terraform
Setup containing opinionated modules to deploy
[NixOS servers](https://nixos.org/)
on
[hcloud](https://www.hetzner.com/cloud)
using
[nixos-infect](https://github.com/elitak/nixos-infect)
with my
[plops](https://github.com/mrVanDalo/plops)
provisioning tool for NixOS,
which is an overlay on
[krops](https://cgit.krebsco.de/krops/about/).
After server creation,
the initial provisioning uploads the
nixos-infect
script and applys it.
After server creation and initialization
terranix/terraform generates
files used for the "real" provisioning
done by plops.
Of course instead of plops you can use every provsioning tool you like
here (e.g. NixOps, Ansible, ... )
# How to Run
## What you need
- a setup [passwordstore](https://www.passwordstore.org/).
- a [hcloud token](https://docs.hetzner.cloud/#overview-getting-started)
stored under `development/hetzner.com/api-token`
## Steps
- `terraform-prepare`: to create ssh keys.
- `terraform-build`: to run terranix and terraform do create server.
- `terraform-destroy`: to delete server (don't forget that step, or else it gets costly)
- `terraform-cleanup`: to delete ssh keys and terraform data.
## DNS
define domains with your nameserver and update `jitsi.nix` and `workadventure.nix`.
- `meet.${domain}` to given ip4 address
- `party.${domain}` to given ip4 address
- `*.party.${domain}` to given ip4 address

49
terranix/workadventure-jitsi-setup/config.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
let
hcloud-modules = pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix-hcloud.git";
rev = "5fa359a482892cd973dcc6ecfc607f4709f24495";
sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p";
};
in
{
imports = [ "${hcloud-modules}/default.nix" ];
# configure temporary admin ssh keys
users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}";
# configure provisioning private Key to be used when running provisioning on the machines
provisioner.privateKeyFile = toString ./sshkey;
hcloud.nixserver = {
host = {
enable = true;
serverType = "cx51"; # 35€/month
configurationFile = pkgs.writeText "configuration.nix" ''
{ pkgs, lib, config, ... }:
{
environment.systemPackages = [ pkgs.git ];
}
'';
};
};
hcloud.export.nix = toString ./plops/generated/nixos-machines.nix;
resource.local_file.sshConfig = {
filename = "${toString ./plops/generated/ssh-configuration}";
content = with lib;
let
configPart = name: ''
Host ''${ hcloud_server.nixserver-${name}.ipv4_address }
IdentityFile ${toString ./sshkey}
ServerAliveInterval 60
ServerAliveCountMax 3
'';
in
concatStringsSep "\n"
(map configPart (attrNames config.hcloud.nixserver));
};
}

29
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/codimd.nix
View file

@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }: {
services.nginx.enable = true;
services.nginx.virtualHosts.codimd = {
enableACME = true;
addSSL = true;
serverName = "codimd.${config.workadventure.domain}";
locations."/".extraConfig = ''
client_max_body_size 4G;
proxy_set_header Host $host;
proxy_pass http://localhost:3091;
'';
};
services.codimd = {
enable = true;
configuration = {
allowFreeURL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/codimd/db.codimd.sqlite";
useCDN = false;
};
port = 3091;
};
};
}

34
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/configuration.nix
View file

@ -1,34 +0,0 @@
{ config, pkgs, lib, ... }: {
imports = [
./options.nix
# codimd.${hostName}
./codimd.nix
./hardware-configuration.nix
# meet.${hostName}
./jitsi.nix
# netdata.${hostName}
#./netdata.nix
./ssh.nix
# party.${hostName}
# api.party.${hostName}
# push.party.${hostName}
# play.party.${hostName}
# upload.party.${hostName}
./workadventure.nix
];
environment.systemPackages =
[ pkgs.git pkgs.docker-compose pkgs.ag pkgs.htop ];
# party.${hostName}
# api.party.${hostName}
# push.party.${hostName}
# play.party.${hostName}
# upload.party.${hostName}
networking.hostName = "host";
workadventure.domain = "palovandalo.com";
security.acme.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;
}

10
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/hardware-configuration.nix
View file

@ -1,10 +0,0 @@
{ ... }: {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

60
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/jitsi.nix
View file

@ -1,60 +0,0 @@
{ config, ... }: {
# + +
# | |
# | |
# v v
# 80, 443 TCP 443 TCP, 10000 UDP
# +--------------+ +---------------------+
# | nginx | 5222, 5347 TCP | |
# | jitsi-meet |<-------------------+| jitsi-videobridge |
# | prosody | | | |
# | jicofo | | +---------------------+
# +--------------+ |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | | |
# | +---------------------+
# |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | |
# +---------------------+
# This is a one server setup
services.jitsi-meet = {
enable = true;
hostName = "meet.${config.workadventure.domain}";
# JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
# https://github.com/jitsi/jicofo
jicofo.enable = true;
# Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
# Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
# will be used to retrieve a TLS certificate by default. To disable this, set the
# services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
# services.nginx.virtualHosts.<hostName>.forceSSL.
nginx.enable = true;
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
config = {
enableWelcomePage = false;
defaultLang = "en";
};
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 10000 ];
};
}

26
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/netdata.nix
View file

@ -1,26 +0,0 @@
{ config, ... }: {
services.netdata = {
enable = true;
config = {
#"exporting:global" = { "enabled" = "yes"; };
global = {
"memory mode" = "dbengine";
"dbengine disk space" = 1024 * 10; # in MB
"debug log" = "none";
"access log" = "none";
"error log" = "syslog";
};
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."netdata.${config.workadventure.domain}" = {
enableACME = true;
forceSSL = true;
basicAuth.admin = "NYsXfBKRwkkS60WIeZONtFTv3nz4tPy52uqLkzJzuc";
locations."/" = {
proxyPass = "http://localhost:19999";
proxyWebsockets = true;
};
};
}

15
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/options.nix
View file

@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.workadventure;
in {
options.workadventure = {
domain = mkOption {
type = with types; str;
description = ''
domain of the server
'';
};
};
}

14
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/ssh.nix
View file

@ -1,14 +0,0 @@
{
# ssh configuration
# -----------------
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.banner = ''
[ JITSI Server ]
'';
# the public ssh key used at deployment
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
}

167
terranix/workadventure-jitsi-setup/plops/configs/nixserver-host/workadventure.nix
View file

@ -1,167 +0,0 @@
{ config, pkgs, lib, ... }:
let
# If your Jitsi environment has authentication set up,
# you MUST set JITSI_PRIVATE_MODE to "true" and
# you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
jitsiPrivateMode = "false";
secretJitsiKey = "";
jitsiISS = "";
workadventureSecretKey = "";
jitsiURL = "meet.${config.workadventure.domain}";
domain = "party.${config.workadventure.domain}";
# domain will redirect to this map. (not play.${domain})
defaultMap = "mrvandalo.github.io/workadventure-worlds/main.json";
apiURL = "api.${domain}";
apiPort = 9002;
frontURL = "play.${domain}";
frontPort = 9004;
pusherURL = "push.${domain}";
pusherPort = 9005;
uploaderURL = "upload.${domain}";
uploaderPort = 9006;
version = "v1.1.0";
frontImage = "thecodingmachine/workadventure-front:${version}";
pusherImage = "thecodingmachine/workadventure-pusher:${version}";
apiImage = "thecodingmachine/workadventure-back:${version}";
uploaderImage = "thecodingmachine/workadventure-uploader:${version}";
in
{
virtualisation.docker.enable = true;
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 80 443 ];
};
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
systemd.services.workadventure-network = {
enable = true;
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.docker}/bin/docker network create --driver bridge workadventure ||:
'';
after = [ "docker" ];
before = [
"docker-workadventure-back.service"
"docker-workadventure-pusher.service"
"docker-workadventure-uploader.service"
"docker-workadventure-website.service"
];
};
virtualisation.oci-containers.backend = "docker";
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
return = "302 $scheme://play.${domain}/_/global/${defaultMap}";
};
};
virtualisation.oci-containers.containers.workadventure-front = {
image = frontImage;
environment = {
API_URL = pusherURL;
JITSI_PRIVATE_MODE = jitsiPrivateMode;
JITSI_URL = jitsiURL;
SECRET_JITSI_KEY = secretJitsiKey;
UPLOADER_URL = uploaderURL;
};
ports = [ "127.0.0.1:${toString frontPort}:80" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${frontURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString frontPort}"; };
};
virtualisation.oci-containers.containers.workadventure-pusher = {
image = pusherImage;
environment = {
API_URL = "workadventure-back:50051";
JITSI_ISS = jitsiISS;
JITSI_URL = jitsiURL;
SECRET_KEY = workadventureSecretKey;
};
ports = [ "127.0.0.1:${toString pusherPort}:8080" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${pusherURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString pusherPort}";
proxyWebsockets = true;
};
locations."/room" = {
proxyPass = "http://127.0.0.1:${toString pusherPort}";
proxyWebsockets = true;
};
};
virtualisation.oci-containers.containers.workadventure-back = {
image = apiImage;
environment = {
#DEBUG = "*";
JITSI_ISS = jitsiISS;
JITSI_URL = jitsiURL;
SECRET_KEY = workadventureSecretKey;
};
ports = [ "127.0.0.1:${toString apiPort}:8080" "50051" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${apiURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString apiPort}"; };
};
virtualisation.oci-containers.containers.workadventure-uploader = {
image = uploaderImage;
ports = [ "127.0.0.1:${toString uploaderPort}:8080" ];
extraOptions = [ "--network=workadventure" ];
};
services.nginx.virtualHosts."${uploaderURL}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString uploaderPort}";
proxyWebsockets = true;
};
};
systemd.services.docker-workadventure-front.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-uploader.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-pusher.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
systemd.services.docker-workadventure-back.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
}

74
terranix/workadventure-jitsi-setup/plops/shell.nix
View file

@ -1,74 +0,0 @@
let
# import plops with pkgs and lib
opsImport = import ((import <nixpkgs> { }).fetchgit {
url = "https://github.com/mrVanDalo/plops.git";
rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad";
sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63";
});
ops =
let
overlay = self: super: {
# overwrite ssh to use the generated ssh configuration
openssh = super.writeShellScriptBin "ssh" ''
${super.openssh}/bin/ssh -F ${
toString ./generated/ssh-configuration
} "$@"
'';
};
in
opsImport { overlays = [ overlay ]; };
lib = ops.lib;
pkgs = ops.pkgs;
# define all sources
source = {
# nixpkgs (no need for channels anymore)
nixPkgs.nixpkgs.git = {
ref = "nixos-20.09";
url = "https://github.com/NixOS/nixpkgs";
};
# system configurations
system = name: {
configs.file = toString ./configs;
nixos-config.symlink = "configs/${name}/configuration.nix";
};
# secrets which are hold and stored by pass
secrets = name: {
secrets.pass = {
dir = toString ./secrets;
name = name;
};
};
};
servers = import ./generated/nixos-machines.nix;
deployServer = name:
{ user ? "root", host, ... }:
with ops;
jobs "deploy-${name}" "${user}@${host.ipv4}" [
# deploy secrets to /run/plops-secrets/secrets
# (populateTmpfs (source.secrets name))
# deploy system to /var/src/system
(populate (source.system name))
# deploy nixpkgs to /var/src/nixpkgs
(populate source.nixPkgs)
switch
];
in
pkgs.mkShell {
buildInputs = lib.mapAttrsToList deployServer servers;
shellHook = ''
export PASSWORD_STORE_DIR=./secrets
'';
}

50
terranix/workadventure-jitsi-setup/shell.nix
View file

@ -1,50 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let
terranix = pkgs.callPackage
(pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix.git";
rev = "2.3.0";
sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4";
})
{ };
terraform = pkgs.writers.writeBashBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${pkgs.terraform_0_12}/bin/terraform "$@"
'';
in
pkgs.mkShell {
buildInputs = [
terranix
terraform
(pkgs.writers.writeBashBin "terraform-prepare" ''
${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
'')
(pkgs.writers.writeBashBin "terraform-build" ''
set -e
set -o pipefail
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
${terraform}/bin/terraform init
${terraform}/bin/terraform apply
'')
(pkgs.writers.writeBashBin "terraform-destroy" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
'')
(pkgs.writers.writeBashBin "terraform-cleanup" ''
rm ${toString ./.}/sshkey
rm ${toString ./.}/sshkey.pub
rm ${toString ./.}/terraform.tfstate*
'')
];
}