From 9f807aa83808e9d48e13321a960a3dd5f7ccdb92 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 27 Jan 2019 00:27:32 +0100
Subject: [PATCH 01/14] nix/os,steveej-t480s-work: add podman and dependencies
---
 .../steveej-t480s-work/configuration.nix | 2 +
 nix/os/profiles/podman/configuration.nix | 187 ++++++++++++++++++
 nix/overlay.nix | 2 +
 nix/pkgs/slirp4netns.nix | 49 +++++
 4 files changed, 240 insertions(+)
 create mode 100644 nix/os/profiles/podman/configuration.nix
 create mode 100644 nix/pkgs/slirp4netns.nix
diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix
index a7700f1..17a021d 100644
--- a/nix/os/devices/steveej-t480s-work/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@@ -15,5 +15,7 @@
 ./system.nix
 ./hw.nix
 ./pkg.nix
+
+ ../../profiles/podman/configuration.nix
 ];
 }
diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix
new file mode 100644
index 0000000..3d2b3a7
--- /dev/null
+++ b/nix/os/profiles/podman/configuration.nix
@@ -0,0 +1,187 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + podman + runc + conmon + cni + cni-plugins + slirp4netns + ]; + + environment.etc."containers/registries.conf".text = '' + # This is a system-wide configuration file used to + # keep track of registries for various container backends. + # It adheres to TOML format and does not support recursive + # lists of registries. + + [registries.search] + registries = [ 'docker.io' + , 'registry.fedoraproject.org' + , 'registry.access.redhat.com' + , 'quay.io' + ] + + # If you need to access insecure registries, add the registry's fully-qualified name. + # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. + [registries.insecure] + registries = ['localhost:5000'] + ''; + + environment.etc."containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; + + environment.etc."cni/net.d/00-loopback.conf".text = '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + + environment.etc."containers/libpod.conf".text = '' + # libpod.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the Conmon container manager binary + runtime_path = [ + "${pkgs.runc}/bin/runc" + ] + + + # Paths to look for the Conmon container manager binary 
+ conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + + # Environment variables to pass into conmon + conmon_env_vars = [ + # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + cgroup_manager = "systemd" + + # Container init binary + #init_path = "/usr/libexec/podman/catatonit" + + # Directory for persistent libpod files (database, etc) + # By default, this will be configured relative to where containers/storage + # stores containers + # Uncomment to change location from this default + #static_dir = "/var/lib/containers/storage/libpod" + + # Directory for temporary files. Must be tmpfs (wiped after reboot) + tmp_dir = "/var/run/libpod" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "/etc/cni/net.d/" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + + # Default CNI network for libpod. + # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. 
+ #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. + #enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + + # Paths to look for a valid OCI runtime (runc, runv, etc) + # FIXME: this doesn't seem to take effect + [runtimes] + runc = [ + "${pkgs.runc}/bin/runc" + ] +''; + + environment.etc."subuid".text = '' + steveej:10000:65536 + ''; + environment.etc."subgid".text = '' + steveej:10000:65536 + ''; +} diff --git a/nix/overlay.nix b/nix/overlay.nix index 0306421..ff97c8b 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -6,10 +6,12 @@ let in self: super: { podman = nixpkgs-master.podman; + conmon = nixpkgs-master.conmon; duplicacy = super.callPackage ./pkgs/duplicacy {}; just = super.callPackage ./pkgs/just.nix {}; mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {}; + slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {}; staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; }; busyboxStatic = super.busybox.override { diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix new file mode 100644 index 0000000..8d456d6 --- /dev/null +++ b/nix/pkgs/slirp4netns.nix 
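Review bot: `containers/policy.json` sets `default` to `insecureAcceptAnything` and `registries.conf` searches four registries for unqualified image names, so nothing is signature-checked and a bare name such as `foo` resolves by search order instead of to one registry; both match upstream defaults, but the profile should say that this is deliberate, e.g. a comment above the policy: `# no signature verification on purpose; pull images by fully-qualified name (registry/repo:tag)`. `[registries.insecure]` also allows plain HTTP for `localhost:5000`, which belongs in the same comment. In `libpod.conf` the comment above `runtime_path` reads `Paths to search for the Conmon container manager binary` (copied from `conmon_path`); it should read `# Paths to search for the OCI runtime binary (runc)`. The `[runtimes]` table carries `FIXME: this doesn't seem to take effect` while `runtime_path` already points at `${pkgs.runc}/bin/runc`; either drop the unused table or note which podman version it was tried with. `subuid`/`subgid` hand `steveej` the range 10000–75535; that must not overlap any UID or GID assigned in `users.users`, which is worth a comment next to the two entries.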
@@ -0,0 +1,49 @@
+{ stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, libtool
+, gnumake
+, gcc
+}:
+
+stdenv.mkDerivation rec {
+ name = "slirp4netns-${version}";
+ version = "v0.2.1";
+
+ src = fetchFromGitHub {
+ owner = "rootless-containers";
+ repo = "slirp4netns";
+ rev = "${version}";
+ sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4";
+ };
+
+ buildInputs = [
+ autoconf
+ automake
+ libtool
+ gnumake
+ gcc
+ ];
+
+ configurePhase = ''
+ ./autogen.sh
+ ./configure --prefix=""
+ '';
+
+ buildPhase = ''
+ make
+ '';
+
+ installPhase = ''
+ make DESTDIR="$out" install
+ '';
+
+ meta = with stdenv.lib; {
+ description = "User-mode networking for unprivileged network namespaces";
+ homepage = https://github.com/rootless-containers/slirp4netns;
+ license = null;
+ maintainers = [ maintainers.steveej ];
+ platforms = platforms.all;
+ };
+}
From 8f0b7550aa9d61f17df6384f8f1c2a4f30f6d3db Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Mon, 28 Jan 2019 15:50:31 +0100
Subject: [PATCH 02/14] nix/os,CFB4ED74: add mailserver container
---
 nix/os/containers/mailserver.nix | 141 +++++++++++++++++++++++++++++
 nix/os/devices/CFB4ED74/system.nix | 13 +++
 nix/variables/passwords.crypt.nix | Bin 283 -> 500 bytes
 3 files changed, 154 insertions(+)
 create mode 100644 nix/os/containers/mailserver.nix
diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix
new file mode 100644
index 0000000..afc16b4
--- /dev/null
+++ b/nix/os/containers/mailserver.nix
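Review bot: `autoconf`, `automake`, `libtool`, `gnumake` and `gcc` are build-time tools and belong in `nativeBuildInputs`, not `buildInputs`; stdenv already supplies gcc and make, so the list can shrink to `nativeBuildInputs = [ autoconf automake libtool ];`. `version = "v0.2.1"` makes the derivation name `slirp4netns-v0.2.1` and `rev = "${version}"` interpolates a single variable for nothing; the usual form is `version = "0.2.1";` with `rev = "v${version}";`. `license = null` leaves the metadata empty although upstream ships a LICENSE file — set `meta.license` to the matching `licenses.*` entry. The source is pinned by `sha256`, which is what keeps the build reproducible; keep updating that pin together with `version`.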
@@ -0,0 +1,141 @@ +{ ... } @ args: + +let + passwords = import ../../variables/passwords.crypt.nix; + +in args // { + config = { pkgs, ... }: { + imports = [ + ../profiles/common/user.nix + ]; + + networking.firewall.enable = false; + + services.dovecot2 = { + enable = true; + + modules = [ pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; + + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = "/etc/secrets/server.pem"; + sslServerKey = "/etc/secrets/server.key"; + + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } + + ''; + + }; + + environment.etc."dovecot/users".text = '' + steveej:${passwords.email.steveej} + ''; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "users"; + description = "Getmail service"; + path = [ pkgs.getmail ]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password = ${passwords.email.mailStefanjunkerDe} + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "users"; + description = "Getmail service"; + path = [ pkgs.getmail ]; + serviceConfig.RestartSec = 900; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 
+ delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password = ${passwords.email.schtifATwebDe} + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} + ''; + }; + }; + + autoStart = true; + + bindMounts = { + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; + isReadOnly = false; + }; + + "/home" = { + hostPath = "/var/lib/container-volumes/mailserver/home"; + isReadOnly = false; + }; + }; + + privateNetwork = true ; + forwardPorts = [ + { + # imaps + containerPort = 993; + hostPort = 993; + protocol = "tcp"; + } + + { + # sieve + containerPort = 4190; + hostPort = 4190; + protocol = "tcp"; + } + ]; +} diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index 257996d..9aab114 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -29,6 +29,12 @@ in { interface = "eth0"; }; + networking.nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + externalInterface = "eth0"; + }; + # Kubernetes # services.kubernetes.roles = ["master" "node"]; @@ -57,4 +63,11 @@ in { ip link set $iface down done ''; + + containers = { + mailserver = import ../../containers/mailserver.nix { + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + }; + }; } 
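Review bot: The getmail rc files are produced with `pkgs.writeText` and carry the IMAP passwords in plain text (`password = ${passwords.email.mailStefanjunkerDe}`, `password = ${passwords.email.schtifATwebDe}`), so they end up as world-readable paths in the Nix store of the host and the container; `environment.etc."dovecot/users"` has the same problem, since it is a store symlink by default and therefore readable by every local user. The container already bind-mounts `/etc/secrets/` for the TLS key, so the rc files and the dovecot users file could be placed there and referenced by path (`getmail --rcfile=/etc/secrets/<rc-name>`, `args = scheme=CRYPT username_format=%u /etc/secrets/users`), keeping credentials out of the store. That mount is only read here, so `isReadOnly = false;` for `/etc/secrets/` can become `isReadOnly = true;`. `auth_mechanisms = cram-md5 digest-md5` together with `scheme=CRYPT` in the passwd-file looks inconsistent: those challenge-response mechanisms need the plaintext or a same-scheme hash on the server side, so a CRYPT hash cannot satisfy them — confirm against the dovecot docs and either store CRAM-MD5-scheme entries or rely on `plain`/`login` over the TLS listener. Minor style: `privateNetwork = true ;` has a stray space before the semicolon.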
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 2ff89f73359171e1e0f5e91f79a8da423d56eaaf..e84fce153f4f96fd82f183bf849816de49518059 100644 GIT binary patch literal 500 zcmZQ@_Y83kiVO&0kY7<+{O`!2le&Jr;=A`+q~5vZo4MxpKa05w_Guo@IT~`HaKXwm z8`>CoDx`ze{;lN8f4Sg?X8x|WqV{Dx31`>+k_~^uen~$okK^y3FG)#47bgC@!1X2W zgLGTDf9Ch@b9Fo$UcOshVxd#^-LuLq_f!6q?Lo@PcmHd(Z7$+eSu>k6LFIU@_@}*r z8#GRKsC^B!&6k&mp5B`%-+A(07uPQ1Q?660z6;CFED&2DedG!MG@;KoPR^T5yqHc{JgABj<{o zLjLI0Z*10``*AU#;qc|%b9G`(Tnr?feObGhQ*{>$+P~L(Hp%D5gZ)-B+&=uV;koC! zO^QoCSbf$Pk7t7Cnf<%}^(5TUYyFm_+fcnF)PyxqmH*@xsaDpTpA7yz4hj6xtFgqg z>c{s>tr6+k+5BZ)ONGyfcb(bgeK<-ez3dCue$!qNhTEnSWZZq6Qwqzjmzvvcb*kex z(@Hw}$oihM)9U&O*ZS6$Yv;cyl}P*jpG7&}ts{1s`HQOe2^b%7 literal 283 zcmZQ@_Y83kiVO&0n3Axr(@Z2lCHbBItZBM0O}W=<-RTbf8E~$IUB-67E6pE!Pwv&c zaqRx}??)ECJ$mqpW!&YMZTFZ?CZ7{cRDT`4wj{4>^Sm`#{SArfAI?sA6jYzuxE1zsy)xlWY_6_0Ru>a%#RJ203N-BZ`DyykJ5|v zOBQc;SuA%X-FoHc?Jsf_{><7Cki7SNbLE=lF8?=e_#!(Y|E&3TjV84?r8%;?-gP(F zoYqXay?NHj-c9xj8FQDtdofY+)OyXvg{-^G(<1DjW|T}+WuIdxr9JViRb9mYLdGTg uG9IdBGwJ)JE4OP^oxF84t*oI Date: Mon, 28 Jan 2019 15:52:42 +0100 Subject: [PATCH 03/14] nix/home/{graphical-fullblown,text-minimal}: gparted and telnet --- nix/home-manager/configuration/graphical-fullblown.nix | 1 + nix/home-manager/configuration/text-minimal.nix | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 70d9557..7f892fc 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -303,6 +303,7 @@ in { testdisk python27Packages.binwalk gptfdisk + gparted # games zeroad diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix index 79d653d..f755a57 100644 --- a/nix/home-manager/configuration/text-minimal.nix +++ b/nix/home-manager/configuration/text-minimal.nix 
@@ -23,5 +23,6 @@ in { home.packages = [] ++ (with pkgs; [ iperf3 - ]); + telnet + ]); } From 5815e4656b31340e44b427e4167ccc86ad3c604c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 28 Jan 2019 15:55:14 +0100 Subject: [PATCH 04/14] *: fix whitespaces --- nix/home-manager/configuration/text-minimal.nix | 2 +- nix/os/devices/steveej-laptop/configuration.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix index f755a57..c049f24 100644 --- a/nix/home-manager/configuration/text-minimal.nix +++ b/nix/home-manager/configuration/text-minimal.nix @@ -1,5 +1,5 @@ { pkgs -, config, +, config, ... }: let diff --git a/nix/os/devices/steveej-laptop/configuration.nix b/nix/os/devices/steveej-laptop/configuration.nix index da100b3..794bafd 100644 --- a/nix/os/devices/steveej-laptop/configuration.nix +++ b/nix/os/devices/steveej-laptop/configuration.nix @@ -1,7 +1,7 @@ { ... }: { - imports = [ + imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix From aa1393cdb81225829c85af43add39a30e37b574d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 28 Jan 2019 15:50:31 +0100 Subject: [PATCH 05/14] nix/os,CFB4ED74: add webserver container --- nix/os/containers/webserver.nix | 132 +++++++++++++++++++++++++++++ nix/os/devices/CFB4ED74/system.nix | 5 ++ 2 files changed, 137 insertions(+) create mode 100644 nix/os/containers/webserver.nix diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix new file mode 100644 index 0000000..276cc2f --- /dev/null +++ b/nix/os/containers/webserver.nix 
@@ -0,0 +1,132 @@ +{ ... } @ args: + +let + +in args // { + config = { pkgs, ... }: { + networking.firewall.enable = false; + + systemd.services.mysql-deprecated = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + RootDirectory="/var/lib/machines/webserver"; + MountAPIVFS="yes"; + BindReadOnlyPaths="/nix"; + }; + script = '' + export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin + mkdir /var/run/mysqld -p + chown mysql /var/run/mysqld/ + /usr/sbin/mysqld + ''; + }; + + systemd.services.nginx-deprecated = { + enable = true; + wantedBy = [ "multi-user.target" ]; + description = "webserver-deprecated service"; + serviceConfig = { + RootDirectory="/var/lib/machines/webserver"; + MountAPIVFS="yes"; + BindReadOnlyPaths="/nix"; + }; + script = '' + export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin + /usr/sbin/nginx -g "daemon off;" + ''; + }; + + systemd.services.php-fpm-deprecated = { + enable = true; + wantedBy = [ "multi-user.target" ]; + description = "webserver-deprecated service"; + serviceConfig = { + RootDirectory="/var/lib/machines/webserver"; + MountAPIVFS="yes"; + BindReadOnlyPaths="/nix"; + }; + script = '' + export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin + /usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F + ''; + }; + + ## FIXME: make the following work instead of using the old Gentoo rootfs binaries + # + # services.nginx.enable = true; + # services.nginx.virtualHosts."stefanjunker.de" = { + # default = true; + # onlySSL = true; + # root = "/var/www/stefanjunker.de/htdocs"; + + # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; + # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + + # locations."/fi" = { + # index = "index.php"; + # }; + + # locations."~ ^(.+\.php)(.*)$".extraConfig = '' + # fastcgi_split_path_info ^(.+\.php)(.*)$; + + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # ''; + # }; + + # services.phpfpm.poolConfigs.mypool = '' + # 
listen = 127.0.0.1:9000 + # user = nobody + # pm = dynamic + # pm.max_children = 5 + # pm.start_servers = 2 + # pm.min_spare_servers = 1 + # pm.max_spare_servers = 3 + # pm.max_requests = 500 + + # php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED + # ''; + + # services.mysql = { + # enable = true; + # package = pkgs.mysql; + # }; + }; + + autoStart = true; + + bindMounts = { + "/var/lib/machines/webserver/" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver"; + isReadOnly = false; + }; + + ## FIXME: make the following work instead of using the old Gentoo rootfs + # + # "/etc/secrets/" = { + # hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; + # isReadOnly = false; + # }; + + # "/var/www" = { + # hostPath = "/var/lib/container-volumes/webserver/var-www"; + # isReadOnly = false; + # }; + + # "/var/lib/mysql" = { + # hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql"; + # isReadOnly = false; + # }; + }; + + privateNetwork = true; + forwardPorts = [ + { + # https/custom + containerPort = 443; + hostPort = 443; + protocol = "tcp"; + } + ]; +} diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index 9aab114..e8c224b 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -69,5 +69,10 @@ in { hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; }; + + webserver = import ../../containers/webserver.nix { + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + }; }; } From 2ffdc1ea509407c962514d76e5f3bf9269b12821 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 01:46:04 +0100 Subject: [PATCH 06/14] devices/CFB4ED74: attempt to fix SSH connectivy --- nix/os/devices/CFB4ED74/system.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index e8c224b..c38a1be 100644 
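Review bot: None of the three `-deprecated` units sets `serviceConfig.User`/`Group`, so `mysqld`, `nginx` and `php-fpm` are started as root inside the `/var/lib/machines/webserver` root directory; nginx and php-fpm may drop privileges for their workers through their own configuration, which is not visible here, and the `chown mysql /var/run/mysqld/` line suggests a `mysql` account exists in that rootfs that `User=` could name — confirm. The unit runs `php5.5`, which no longer receives security fixes; the block is already marked FIXME and the last patch of this series replaces it, so a date or tracking reference on the FIXME would make the interim state easier to audit. Style: the `serviceConfig` attrsets are identical in all three units and written as `RootDirectory="..."` without the `key = value` spacing used elsewhere in the file; a single binding such as `deprecatedChroot = { RootDirectory = "/var/lib/machines/webserver"; MountAPIVFS = "yes"; BindReadOnlyPaths = "/nix"; };` in the currently empty `let` and `serviceConfig = deprecatedChroot;` in each unit would remove the repetition.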
--- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -16,10 +16,16 @@ in { # iperf3 5201 ]; + networking.firewall.logRefusedConnections = false; - networking.useDHCP = true; networking.usePredictableInterfaceNames = false; + networking.dhcpcd = { + enable = true; + persistent = true; + }; + networking.interfaces.eth0 = { + useDHCP = true; ipv6.addresses = [ { address = "2a02:c207:3003:2387::1"; prefixLength = 64; } ]; From a3effb5d290b0ca552457c3ebf9648122e9f826c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 01:47:17 +0100 Subject: [PATCH 07/14] steveej-480s-work: add Satellite certificate --- .../sat-r220-02.lab.eng.rdu2.redhat.com.crt | 98 +++++++++++++++++++ nix/os/devices/steveej-t480s-work/system.nix | 5 + 2 files changed, 103 insertions(+) create mode 100644 certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt diff --git a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt new file mode 100644 index 0000000..a836e9b --- /dev/null +++ b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt 
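Review bot: `networking.firewall.logRefusedConnections = false;` is added without a reason; on an internet-facing host those journal lines are usually the only record of probes against closed ports, so if the intent is to keep the journal quiet a comment should say so, e.g. `# TODO: state why refused connections are not logged on this host`, or keep logging on and rely on the kernel's rate limiting. The DHCP change replaces the global `networking.useDHCP = true;` with `networking.interfaces.eth0.useDHCP = true;` plus `networking.dhcpcd.persistent = true;`; a one-line comment on what `persistent` is expected to fix (the title only says SSH connectivity) would make the intent recoverable later. The enclosing attrset continues outside the hunk.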
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d0:17:d1:86:81:d4:f1:28 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Validity + Not Before: Nov 2 15:37:13 2018 GMT + Not After : Jan 17 15:37:13 2038 GMT + Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ba:03:39:e3:af:3e:c7:89:bd:d0:07:66:83:18: + 9c:c0:da:56:e8:bb:37:fe:03:67:94:9a:1c:9d:47: + da:6a:a7:6e:56:6d:0a:73:05:79:0e:44:61:71:78: + 33:33:79:b1:ce:a6:9d:87:d0:01:81:10:d5:e3:21: + 0f:d0:e9:ef:86:dc:13:34:62:42:47:81:f6:ce:d8: + 78:de:00:0c:a6:5d:25:d8:cc:72:6a:c4:7c:e1:5b: + 84:2b:e2:3c:b6:51:7e:8e:e6:e1:55:7d:b4:c8:e7: + 98:76:eb:20:15:48:6f:2e:91:ca:b7:17:d4:d9:76: + 5b:40:1c:7e:4c:0b:6f:2c:63:fa:78:c5:8b:b5:36: + b6:01:d9:da:58:a9:06:76:32:18:ca:b2:7c:2d:aa: + 4f:4e:f5:67:30:4c:a6:a3:e3:ef:7c:1d:d3:67:de: + da:a5:b9:57:0d:74:01:c3:24:a9:03:61:98:91:c2: + 1f:1d:a4:36:d2:a6:f4:95:6f:01:6a:99:41:ea:f0: + 8c:7a:7d:a0:0d:34:93:a3:80:cb:19:fb:1a:e1:c4: + 0b:60:5c:8d:33:ea:90:ed:98:d2:2a:06:6e:a2:02: + 1f:f8:2c:1e:d4:d0:d4:8f:93:8d:c9:fe:21:39:6a: + 5b:7b:60:5d:2a:9c:1e:3f:51:31:b1:be:56:28:cb: + 4d:cd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Digital Signature, Key Encipherment, Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Netscape Cert Type: + SSL Server, SSL CA + Netscape Comment: + Katello SSL Tool Generated Certificate + X509v3 Subject Key Identifier: + 72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + X509v3 Authority Key Identifier: + keyid:72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + DirName:/C=US/ST=North 
Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=sat-r220-02.lab.eng.rdu2.redhat.com + serial:D0:17:D1:86:81:D4:F1:28 + + Signature Algorithm: sha256WithRSAEncryption + 70:fe:c6:9f:1a:62:e8:b0:a6:25:df:e8:51:6c:e9:08:48:00: + 72:2b:d8:a2:95:6e:57:01:8e:2a:9c:a0:14:f8:c9:8a:e3:5d: + 48:64:f9:0f:81:e7:3e:b1:c2:cb:a0:ec:55:d6:e4:7f:c0:46: + 7b:bc:66:15:88:61:73:3b:ea:9e:ea:cb:32:79:35:bc:dc:eb: + 6f:d8:d0:89:c2:ae:fd:02:43:cd:e0:38:d6:9c:16:d7:6d:bb: + 2c:73:53:3c:82:56:51:d8:96:71:e1:28:49:31:be:fb:ed:23: + 08:e5:8d:eb:48:c7:25:5d:ef:0e:30:22:d3:93:7f:f1:66:b8: + 7f:8f:5c:d2:97:e7:13:0e:5b:06:1d:fd:97:1d:a5:24:93:d9: + 8a:d2:ba:51:00:b3:71:c8:61:da:79:31:64:75:96:d0:b8:d8: + 45:57:24:40:2f:11:d6:63:70:f5:bf:8d:fc:7f:1b:b9:ad:e0: + 16:6a:89:9b:6a:0c:d3:e3:b5:14:b4:5c:36:8a:b0:dd:15:4d: + 4e:77:e9:9b:29:df:e9:e3:27:dc:87:f8:6e:5d:a9:14:42:5c: + 8b:7b:13:9d:8b:c7:7a:4d:6d:52:7e:5f:02:9f:21:15:de:98: + 5d:f5:25:30:d3:fa:b4:34:f3:ff:8d:36:c7:e3:1c:d3:b1:f7: + b6:7b:ad:40 +-----BEGIN CERTIFICATE----- +MIIFEDCCA/igAwIBAgIJANAX0YaB1PEoMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD +VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp +Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYD +VQQDDCNzYXQtcjIyMC0wMi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTAeFw0xODEx +MDIxNTM3MTNaFw0zODAxMTcxNTM3MTNaMIGOMQswCQYDVQQGEwJVUzEXMBUGA1UE +CAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB0th +dGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYDVQQDDCNzYXQtcjIyMC0w +Mi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALoDOeOvPseJvdAHZoMYnMDaVui7N/4DZ5SaHJ1H2mqnblZtCnMF +eQ5EYXF4MzN5sc6mnYfQAYEQ1eMhD9Dp74bcEzRiQkeB9s7YeN4ADKZdJdjMcmrE +fOFbhCviPLZRfo7m4VV9tMjnmHbrIBVIby6RyrcX1Nl2W0AcfkwLbyxj+njFi7U2 +tgHZ2lipBnYyGMqyfC2qT071ZzBMpqPj73wd02fe2qW5Vw10AcMkqQNhmJHCHx2k +NtKm9JVvAWqZQerwjHp9oA00k6OAyxn7GuHEC2BcjTPqkO2Y0ioGbqICH/gsHtTQ +1I+Tjcn+ITlqW3tgXSqcHj9RMbG+VijLTc0CAwEAAaOCAW0wggFpMAwGA1UdEwQF +MAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD 
+AjARBglghkgBhvhCAQEEBAMCAkQwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NM +IFRvb2wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRyzYgGA/5dotCz +IMc3dAaEqKgT3zCBwwYDVR0jBIG7MIG4gBRyzYgGA/5dotCzIMc3dAaEqKgT36GB +lKSBkTCBjjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw +DgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21l +T3JnVW5pdDEsMCoGA1UEAwwjc2F0LXIyMjAtMDIubGFiLmVuZy5yZHUyLnJlZGhh +dC5jb22CCQDQF9GGgdTxKDANBgkqhkiG9w0BAQsFAAOCAQEAcP7Gnxpi6LCmJd/o +UWzpCEgAcivYopVuVwGOKpygFPjJiuNdSGT5D4HnPrHCy6DsVdbkf8BGe7xmFYhh +czvqnurLMnk1vNzrb9jQicKu/QJDzeA41pwW1227LHNTPIJWUdiWceEoSTG+++0j +COWN60jHJV3vDjAi05N/8Wa4f49c0pfnEw5bBh39lx2lJJPZitK6UQCzcchh2nkx +ZHWW0LjYRVckQC8R1mNw9b+N/H8bua3gFmqJm2oM0+O1FLRcNoqw3RVNTnfpmynf +6eMn3If4bl2pFEJci3sTnYvHek1tUn5fAp8hFd6YXfUlMNP6tDTz/402x+Mc07H3 +tnutQA== +-----END CERTIFICATE----- diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index c280844..7d3aa74 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix @@ -72,4 +72,9 @@ in { authorizedKeys = keys.users.steveej.openssh; }; }; + + security.pki.certificateFiles = [ + "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt + ]; } From fdf01604587ed98917225ecbfd0b0c199704a0a8 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 11:55:23 +0100 Subject: [PATCH 08/14] nix/os/modules: add ddclient-ovh module --- nix/os/modules/ddclient-ovh.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 nix/os/modules/ddclient-ovh.nix diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix new file mode 100644 index 0000000..43d9c1c --- /dev/null +++ b/nix/os/modules/ddclient-ovh.nix 
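Review bot: The certificate added here is a self-signed CA (`CA:TRUE`, key usage includes `Certificate Sign`, valid until 2038), and `security.pki.certificateFiles` installs it into the system-wide trust store, so every TLS client on this laptop will accept any certificate that CA issues for any hostname, not only the Satellite host. If a single client (subscription-manager, a package manager, a browser profile) is the one that needs it, point that client at the file instead, or at least add a comment above the entry naming the client and the removal condition, e.g. `# Satellite CA, only needed while registered to sat-r220-02; it is trusted for every hostname it signs`. The explicit `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` entry is probably redundant, since NixOS adds the cacert bundle to the trust store on its own — check the `security.pki` module of the release in use.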
@@ -0,0 +1,30 @@
+{ lib
+, config
+, ... }:
+
+let
+ cfg = config.services.ddclientovh;
+
+ passwords = import ../../variables/passwords.crypt.nix;
+
+in {
+
+ options.services.ddclientovh = with lib; {
+ enable = mkEnableOption "Enable ddclient-ovh";
+ domain = mkOption {
+ type = types.string;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.ddclient = {
+ enable = true;
+ protocol = "dyndns2";
+ server = "www.ovh.com";
+ ssl = true;
+ domains = [ cfg.domain ];
+ use = "web, web=ifconfig.co";
+ inherit (passwords.dyndns.${cfg.domain}) username password;
+ };
+ };
+}
From b115e73ac7340f776afc0e512118710d4cd7d618 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 3 Feb 2019 11:55:43 +0100
Subject: [PATCH 09/14] nix/os/devices: renname CFB4ED74 -> vmd32387.contaboserver.net
This is in accordance to the reverse IPv4 entry
---
 .../devices/{CFB4ED74 => vmd32387.contaboserver.net}/boot.nix | 0
 .../configuration.nix | 0
 .../devices/{CFB4ED74 => vmd32387.contaboserver.net}/hw.nix | 0
 .../devices/{CFB4ED74 => vmd32387.contaboserver.net}/pkg.nix | 0
 .../{CFB4ED74 => vmd32387.contaboserver.net}/system.nix | 4 ++--
 .../{CFB4ED74 => vmd32387.contaboserver.net}/versions.nix | 0
 6 files changed, 2 insertions(+), 2 deletions(-)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/boot.nix (100%)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/configuration.nix (100%)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/hw.nix (100%)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/pkg.nix (100%)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/system.nix (93%)
 rename nix/os/devices/{CFB4ED74 => vmd32387.contaboserver.net}/versions.nix (100%)
diff --git a/nix/os/devices/CFB4ED74/boot.nix b/nix/os/devices/vmd32387.contaboserver.net/boot.nix
similarity index 100%
rename from nix/os/devices/CFB4ED74/boot.nix
rename to nix/os/devices/vmd32387.contaboserver.net/boot.nix
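Review bot: `enable = mkEnableOption "Enable ddclient-ovh";` renders as "Whether to enable Enable ddclient-ovh." because mkEnableOption adds the prefix itself; `enable = mkEnableOption "ddclient-ovh";` is the intended form. `domain` uses `types.string`, which recent nixpkgs deprecates in favour of `types.str` (the string type that rejects conflicting definitions instead of concatenating them). `use = "web, web=ifconfig.co"` discovers the public address from a third party over plain HTTP, so the address written into DNS is only as trustworthy as that unauthenticated reply; if the installed ddclient accepts an `https://` URL here, use it, and in any case say in a comment which service is queried and why. `inherit (passwords.dyndns.${cfg.domain}) username password;` hands the OVH credentials to `services.ddclient.password`; depending on the NixOS release, that module renders its config with `pkgs.writeText`, which would place the credential in a world-readable store path — check the module in use and prefer a file-based option if it offers one. `passwords.dyndns.${cfg.domain}` also fails evaluation for any domain without an entry, which is acceptable but deserves a line in the `domain` option's `description`.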
diff --git a/nix/os/devices/CFB4ED74/configuration.nix b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix
similarity index 100%
rename from nix/os/devices/CFB4ED74/configuration.nix
rename to nix/os/devices/vmd32387.contaboserver.net/configuration.nix
diff --git a/nix/os/devices/CFB4ED74/hw.nix b/nix/os/devices/vmd32387.contaboserver.net/hw.nix
similarity index 100%
rename from nix/os/devices/CFB4ED74/hw.nix
rename to nix/os/devices/vmd32387.contaboserver.net/hw.nix
diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
similarity index 100%
rename from nix/os/devices/CFB4ED74/pkg.nix
rename to nix/os/devices/vmd32387.contaboserver.net/pkg.nix
diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix
similarity index 93%
rename from nix/os/devices/CFB4ED74/system.nix
rename to nix/os/devices/vmd32387.contaboserver.net/system.nix
index c38a1be..51dc7b4 100644
--- a/nix/os/devices/CFB4ED74/system.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix
@@ -8,8 +8,8 @@ let
 in {
 # TASK: new device
- networking.hostName = "contabo1"; # Define your hostname.
- networking.domain = "bootstrap.clusters.stefanjunker.de";
+ networking.hostName = "vmd32387"; # Define your hostname.
+ networking.domain = "contaboserver.net";
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [
diff --git a/nix/os/devices/CFB4ED74/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix
similarity index 100%
rename from nix/os/devices/CFB4ED74/versions.nix
rename to nix/os/devices/vmd32387.contaboserver.net/versions.nix
From 5b46aa8385473e6a241ef03141a6f264d7d96df8 Mon Sep 17 00:00:00 2001
From: Stefan Junker Date: Sun, 3 Feb 2019 11:58:07 +0100 Subject: [PATCH 10/14] nix/os/containers: configure ddclient-ovh respectively --- nix/os/containers/mailserver.nix | 6 ++++++ nix/os/containers/webserver.nix | 9 +++++++++ nix/variables/passwords.crypt.nix | Bin 500 -> 721 bytes 3 files changed, 15 insertions(+) diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index afc16b4..cce2fdd 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -7,10 +7,16 @@ in args // { config = { pkgs, ... }: { imports = [ ../profiles/common/user.nix + ../modules/ddclient-ovh.nix ]; networking.firewall.enable = false; + services.ddclientovh = { + enable = true; + domain = "mailserver.svc.stefanjunker.de"; + }; + services.dovecot2 = { enable = true; diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 276cc2f..bef7c3c 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -4,8 +4,17 @@ let in args // { config = { pkgs, ... }: { + imports = [ + ../modules/ddclient-ovh.nix + ]; + networking.firewall.enable = false; + services.ddclientovh = { + enable = true; + domain = "www.stefanjunker.de"; + }; + systemd.services.mysql-deprecated = { enable = true; wantedBy = [ "multi-user.target" ]; 
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index e84fce153f4f96fd82f183bf849816de49518059..f2d3a022b2561c7625bbc964c4e731ab5a66ed4b 100644 GIT binary patch literal 721 zcmZQ@_Y83kiVO&0a9NOIE2^w`^w)y^a~%}YbXOrF(!J99)um89`uWsw&jX9FRl}rB%eydGXQs`S%owS@I zr{#U7hLp8}sio19Grl)N0xs~1H7%Gkef#wX>*Q;%KRNsP+}8OF;o=wCcL*=3`1I1k zZLxh}$d_sLic4RfySwUX zrJorP81i8DE*`lwV~escX}7I246=rk z1QusxhHX3jKq641#!zJW%omHY{#BdUGTSP*th~Kr-yVgB^By|Qn%I0)p=`#Ad&!Yn zswUG8M&Hhn`uAz>IYqZO9(z{J+xWTA%`<8G;eYoGm;H-AT<$ghUXeuwmxTA5xj&h{ z?D;F~^m$hPoc8Lb7Z1;@T%{lFyXs#_McQnen~&ujd$g4$pZ%pFI-Lhb8q6BhtpP0-0C$oWVOnhnoWJ;XFh*YDhPHcJE_RB z%>VLSF|)Z2CuZ9RocUOt!{6lDsHAd)lckMyQ;upA&w-BFi>}+8*;+M4R;cT)nRHm- zlxt^%-=;+9h0EWY`(?GDvtAL~Bt*3yp4*e|7X5LdfSq&Z zfoGqKjwn_{T+L&XVGib>@oUE#gOh8Q$TQ3=ydU7(Ai477yf3QrpE4*Mk-b)S{Bc#q pvU#$cL7U>b->9A`D|)0Z{3_$06#zJda3KHy literal 500 zcmZQ@_Y83kiVO&0kY7<+{O`!2le&Jr;=A`+q~5vZo4MxpKa05w_Guo@IT~`HaKXwm z8`>CoDx`ze{;lN8f4Sg?X8x|WqV{Dx31`>+k_~^uen~$okK^y3FG)#47bgC@!1X2W zgLGTDf9Ch@b9Fo$UcOshVxd#^-LuLq_f!6q?Lo@PcmHd(Z7$+eSu>k6LFIU@_@}*r z8#GRKsC^B!&6k&mp5B`%-+A(07uPQ1Q?660z6;CFED&2DedG!MG@;KoPR^T5yqHc{JgABj<{o zLjLI0Z*10``*AU#;qc|%b9G`(Tnr?feObGhQ*{>$+P~L(Hp%D5gZ)-B+&=uV;koC! zO^QoCSbf$Pk7t7Cnf<%}^(5TUYyFm_+fcnF)PyxqmH*@xsaDpTpA7yz4hj6xtFgqg z>c{s>tr6+k+5BZ)ONGyfcb(bgeK<-ez3dCue$!qNhTEnSWZZq6Qwqzjmzvvcb*kex z(@Hw}$oihM)9U&O*ZS6$Yv;cyl}P*jpG7&}ts{1s`HQOe2^b%7 From c93103113b2f43fedcc62b56288852459df5b348 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 13:00:25 +0100 Subject: [PATCH 11/14] graphical-fullblown: add prefetch github --- nix/home-manager/configuration/graphical-fullblown.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 7f892fc..9f2b880 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
@@ -87,6 +87,7 @@ in { nix-index nox nix-prefetch-scripts + nix-prefetch-github # Version Control Systems unstablepkgs.pijul From d049d728a78093a6457c63782b1733e06fe1c3fd Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 14:26:23 +0100 Subject: [PATCH 12/14] nix/overlay: add latest php56 --- nix/overlay.nix | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/nix/overlay.nix b/nix/overlay.nix index ff97c8b..de75f52 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -1,10 +1,19 @@ +self: super: + let nixpkgs-master = import (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/de5fd9e6110489722e8667664dce9fdc17331866.tar.gz"; sha256 = "0z1j2pmvn15m2ir2i9l2prr81cq7f1x8xs4cv2s7q4fslz586ghn"; }) {}; + # one application requires php5 + nixpkgsWithPhp5 = super.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "846d8f8305192dcc3a63139102698b4ac6b9ef9f"; + sha256 = "1qifgc1q2i4g0ivpfjnxp4jl2cc82gfjws08dsllgw7q7kw4b4rb"; + }; -in self: super: { +in { podman = nixpkgs-master.podman; conmon = nixpkgs-master.conmon; @@ -25,4 +34,18 @@ in self: super: { dropbearStatic = super.dropbear.override { enableStatic = true; }; + + php56 = (super.callPackages + "${nixpkgsWithPhp5}/pkgs/development/interpreters/php/default.nix" {}) + .php56.overrideAttrs(drv: rec { + # See https://secure.php.net/ChangeLog-5.php + version = "5.6.40"; + name = "php-${version}"; + + sha256 = "005s7w167dypl41wlrf51niryvwy1hfv53zxyyr3lm938v9jbl7z"; + src = super.fetchurl { + url = "http://www.php.net/distributions/php-${version}.tar.bz2"; + inherit sha256; + }; + }); } From 247096c808870926efad312db06c40fa039e59cb Mon Sep 17 00:00:00 2001 
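Review bot: The `php56` override pins PHP 5.6.40 for an interpreter that the final patch of this series wires to a public vhost; as far as I know the 5.6 branch reached end of life at the end of 2018 and 5.6.40 is its last release, so the build will never pick up further security fixes. The `# one application requires php5` comment in the first hunk gives the reason, but the override itself should record the risk and an exit condition, e.g. `# PHP 5.6 is EOL (5.6.40 is the final release, no further security fixes); keep only until <app> runs on a supported PHP`. The `http://www.php.net/distributions/...` URL is acceptable only because `sha256` pins the tarball; `https://` is available and removes the dependency on the hash alone. Note that `overrideAttrs` swaps `src` but keeps whatever version-specific patches the pinned nixpkgs applies to its own php56, which is fine if they still apply to 5.6.40 (a failed build would show it) but should be checked once.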
From: Stefan Junker Date: Sun, 3 Feb 2019 14:31:21 +0100 Subject: [PATCH 13/14] nix/os/containers: add new profile --- nix/os/containers/mailserver.nix | 2 +- nix/os/containers/webserver.nix | 2 +- nix/os/profiles/containers/configuration.nix | 11 +++++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 nix/os/profiles/containers/configuration.nix diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index cce2fdd..d750eed 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -6,8 +6,8 @@ let in args // { config = { pkgs, ... }: { imports = [ + ../profiles/containers/configuration.nix ../profiles/common/user.nix - ../modules/ddclient-ovh.nix ]; networking.firewall.enable = false; diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index bef7c3c..72a8b97 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -5,7 +5,7 @@ let in args // { config = { pkgs, ... }: { imports = [ - ../modules/ddclient-ovh.nix + ../profiles/containers/configuration.nix ]; networking.firewall.enable = false; diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix new file mode 100644 index 0000000..b6f3f61 --- /dev/null +++ b/nix/os/profiles/containers/configuration.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + nixpkgs.overlays = [ + (import ../../../overlay.nix) + ]; + + imports = [ + ../../modules/ddclient-ovh.nix + ]; +} From 7bad36ed7533406c49931b9e8892c92305b78468 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 3 Feb 2019 12:58:56 +0100 Subject: [PATCH 14/14] nix/os/containers/webserver: use php56 and drop the chroot --- nix/os/containers/webserver.nix | 147 ++++++++++---------------------- 1 file changed, 47 insertions(+), 100 deletions(-) diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 72a8b97..56d201d 100644 --- a/nix/os/containers/webserver.nix 
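Review bot: The new `profiles/containers/configuration.nix` has no comment, yet it silently applies the repository overlay to every container that imports it, and that overlay (per the preceding patch) evaluates a `builtins.fetchTarball` of a nixpkgs-master commit plus a `fetchFromGitHub` checkout at evaluation time; both are hash-pinned, so this is a reproducibility/network-at-eval concern rather than an integrity one, but the file should say so. Suggest a header comment above the attribute set: `# Shared profile for nixos-containers: applies the repo overlay (pinned nixpkgs fetches, php56, podman) and the ddclient-ovh module.` The two call sites in mailserver.nix and webserver.nix replace the direct `../modules/ddclient-ovh.nix` import, so any container that wants ddclient without the overlay now has no option; worth a sentence in the comment if that is intended.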
+++ b/nix/os/containers/webserver.nix @@ -3,7 +3,7 @@ let in args // { - config = { pkgs, ... }: { + config = { config, pkgs, ... }: { imports = [ ../profiles/containers/configuration.nix ]; 
@@ -15,124 +15,71 @@ in args // { domain = "www.stefanjunker.de"; }; - systemd.services.mysql-deprecated = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - RootDirectory="/var/lib/machines/webserver"; - MountAPIVFS="yes"; - BindReadOnlyPaths="/nix"; + services.nginx.enable = true; + services.nginx.virtualHosts."stefanjunker.de" = { + default = true; + onlySSL = true; + root = "/var/www/stefanjunker.de/htdocs"; + + sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; + sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + + locations."/fi" = { + index = "index.php"; }; - script = '' - export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin - mkdir /var/run/mysqld -p - chown mysql /var/run/mysqld/ - /usr/sbin/mysqld + + locations."~ ^(.+\.php)(.*)$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(.*)$; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; ''; }; - systemd.services.nginx-deprecated = { + services.phpfpm.phpPackage = pkgs.php56; + + services.phpfpm.poolConfigs.mypool = '' + listen = 127.0.0.1:9000 + user = nobody + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + pm.max_requests = 500 + + php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED + ''; + + services.mysql = { enable = true; - wantedBy = [ "multi-user.target" ]; - description = "webserver-deprecated service"; - serviceConfig = { - RootDirectory="/var/lib/machines/webserver"; - MountAPIVFS="yes"; - BindReadOnlyPaths="/nix"; - }; - script = '' - export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin - /usr/sbin/nginx -g "daemon off;" - ''; + package = pkgs.mariadb; }; - - systemd.services.php-fpm-deprecated = { - enable = true; - wantedBy = [ "multi-user.target" ]; - description = "webserver-deprecated service"; - serviceConfig = { - RootDirectory="/var/lib/machines/webserver"; - MountAPIVFS="yes"; - BindReadOnlyPaths="/nix"; - }; - 
script = '' - export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin - /usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F - ''; - }; - - ## FIXME: make the following work instead of using the old Gentoo rootfs binaries - # - # services.nginx.enable = true; - # services.nginx.virtualHosts."stefanjunker.de" = { - # default = true; - # onlySSL = true; - # root = "/var/www/stefanjunker.de/htdocs"; - - # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; - # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; - - # locations."/fi" = { - # index = "index.php"; - # }; - - # locations."~ ^(.+\.php)(.*)$".extraConfig = '' - # fastcgi_split_path_info ^(.+\.php)(.*)$; - - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # ''; - # }; - - # services.phpfpm.poolConfigs.mypool = '' - # listen = 127.0.0.1:9000 - # user = nobody - # pm = dynamic - # pm.max_children = 5 - # pm.start_servers = 2 - # pm.min_spare_servers = 1 - # pm.max_spare_servers = 3 - # pm.max_requests = 500 - - # php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED - # ''; - - # services.mysql = { - # enable = true; - # package = pkgs.mysql; - # }; }; autoStart = true; bindMounts = { - "/var/lib/machines/webserver/" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver"; + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; + isReadOnly = true; + }; + + "/var/www" = { + hostPath = "/var/lib/container-volumes/webserver/var-www"; isReadOnly = false; }; - ## FIXME: make the following work instead of using the old Gentoo rootfs - # - # "/etc/secrets/" = { - # hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; - # isReadOnly = false; - # }; - - # "/var/www" = { - # hostPath = "/var/lib/container-volumes/webserver/var-www"; - # isReadOnly = false; - # }; - - # "/var/lib/mysql" = { - # hostPath = 
"/var/lib/container-volumes/webserver/var-lib-mysql"; - # isReadOnly = false; - # }; + "/var/lib/mysql" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql"; + isReadOnly = false; + }; }; privateNetwork = true; forwardPorts = [ { - # https/custom + # https containerPort = 443; hostPort = 443; protocol = "tcp";