summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2022-01-26 17:59:53 +0100
committermakefu <github@syntax-fehler.de>2022-01-26 17:59:53 +0100
commit54aaf5af8ed4d62a2e6645b7ca662ffac310e86c (patch)
treeb3b1a1797791cd8cf763254a3fd88f7d35a2340c
parentef48f536a3e539b215bb004b512e62c2d0f96907 (diff)
parent31fc5a95c735ab3b9b832d407195e422c07cd4c0 (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/2configs/default.nix1
-rw-r--r--krebs/2configs/ergo.nix13
-rw-r--r--krebs/2configs/ircd.nix149
-rw-r--r--krebs/2configs/mud.nix3
-rw-r--r--krebs/2configs/news.nix8
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/2configs/security-workarounds.nix6
-rw-r--r--krebs/3modules/backup.nix6
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/ergo.nix15
-rw-r--r--krebs/3modules/external/default.nix160
-rw-r--r--krebs/3modules/external/kmein.nix146
-rw-r--r--krebs/3modules/external/mic92.nix28
-rw-r--r--krebs/3modules/external/ssh/kmein.kabsa.pub (renamed from krebs/3modules/external/ssh/kmein.pub)1
-rw-r--r--krebs/3modules/external/ssh/kmein.manakish.pub1
-rw-r--r--krebs/3modules/external/ssh/qubasa.pub1
-rw-r--r--krebs/3modules/go.nix12
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/3modules/tv/default.nix26
-rw-r--r--krebs/5pkgs/haskell/brockman/default.nix4
-rw-r--r--krebs/5pkgs/haskell/much.nix6
-rw-r--r--krebs/5pkgs/simple/K_belwagen.nix38
-rw-r--r--krebs/5pkgs/simple/ergo/default.nix10
-rw-r--r--krebs/5pkgs/simple/git-hooks/default.nix1
-rw-r--r--krebs/5pkgs/simple/painload/default.nix12
-rw-r--r--krebs/5pkgs/simple/reaktor2-plugins.nix10
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/1systems/prism/physical.nix8
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/fysiirc.nix51
-rw-r--r--lass/2configs/network-manager.nix4
-rw-r--r--lass/2configs/pipewire.nix51
-rw-r--r--lass/2configs/retiolum.nix7
-rw-r--r--lass/2configs/security-workarounds.nix8
-rw-r--r--lass/2configs/yubikey.nix43
-rw-r--r--lass/3modules/xjail.nix32
-rw-r--r--tv/1systems/bu/config.nix40
-rw-r--r--tv/1systems/bu/disks.nix19
-rw-r--r--tv/2configs/backup.nix24
43 files changed, 586 insertions, 386 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 6a51bf45f..cf07d3b4d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ergo.nix>
+ <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix>
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 9200d41fe..38d770316 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
{
imports = [
./backup.nix
+ ./security-workarounds.nix
];
krebs.announce-activation.enable = true;
krebs.enable = true;
diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
deleted file mode 100644
index db0bc5748..000000000
--- a/krebs/2configs/ergo.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.firewall.allowedTCPPorts = [
- 6667
- ];
-
- krebs.ergo = {
- enable = true;
- };
-}
-
-
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 904878731..c6c91e074 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,121 +1,44 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
- 6667 6669
+ 6667
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
-
- services.solanum = {
+ krebs.ergo = {
enable = true;
- motd = ''
- hello
- '';
- config = ''
- loadmodule "extensions/m_omode";
- serverinfo {
- name = "${config.krebs.build.host.name}.irc.r";
- sid = "1as";
- description = "irc!";
- network_name = "irc.r";
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 2048;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- #sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- #sslport = 6697;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 4096;
- number_per_ip_global = 4096;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 65535;
- max_number = 65535;
- sendq = 1000 megabyte;
- };
-
- privset "op" {
- privs = oper:admin, oper:general;
- };
-
- operator "aids" {
- user = "*@*";
- password = "balls";
- flags = ~encrypted;
- snomask = "+s";
- privset = "op";
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- exempt {
- ip = "10.243.0.0/16";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = kline_exempt, exceed_limit, flood_exempt;
- };
-
- channel {
- autochanmodes = "+t";
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 150;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
-
- general {
- #maybe we want ident someday?
- default_floodcount = 10000;
- disable_auth = yes;
- throttle_duration = 1;
- throttle_count = 10000;
- };
- '';
+ config = {
+ server.secure-nets = [
+ "42::0/16"
+ "10.240.0.0/12"
+ ];
+ oper-classes.server-admin = {
+ title = "admin";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
+ "nofakelag" # remove "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ ];
+ };
+ opers.aids = {
+ class = "server-admin";
+ hidden = false;
+ password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
+ };
+ };
};
}
+
+
diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix
index d5e4c89c1..30f232b64 100644
--- a/krebs/2configs/mud.nix
+++ b/krebs/2configs/mud.nix
@@ -156,7 +156,8 @@ in {
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
makefu.pubkey
- kmein.pubkey
+ kmein-kabsa.pubkey
+ kmein-manakish.pubkey
tv.pubkey
];
packages = with pkgs; [
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 84a39f95b..9ea4cbf8d 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,7 +68,13 @@
wantedBy = [ "multi-user.target" ];
};
- systemd.services.brockman.bindsTo = [ "solanum.service" ];
+ krebs.ergo.openFilesLimit = 16384;
+ krebs.ergo.config = {
+ limits.nicklen = 100;
+ limits.identlen = 100;
+ history.enabled = false;
+ };
+ systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index df66fd798..305d31405 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -95,7 +95,7 @@ let
}
hooks.sed
(generators.command_hook {
- inherit (commands) random-emoji nixos-version;
+ inherit (commands) dance random-emoji nixos-version;
tell = {
filename =
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
new file mode 100644
index 000000000..27d1f8485
--- /dev/null
+++ b/krebs/2configs/security-workarounds.nix
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ # https://github.com/berdav/CVE-2021-4034
+ security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
+}
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index c5cb1cae6..4a88582a2 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -157,7 +157,8 @@ let
# of the deepest directory:
# shellcheck disable=SC2174
${local.rsync} >&2 \
- -aAXF --delete \
+ -aAX --delete \
+ --filter='dir-merge /.backup-filter' \
--rsh=${shell.escape ssh} \
--rsync-path=${shell.escape remote.rsync} \
--link-dest=${shell.escape plan.dst.path}/current \
@@ -191,7 +192,8 @@ let
echo >&2 "create snapshot: $ns/$name"
mkdir -m 0700 -p "$dst_path/$ns"
rsync >&2 \
- -aAXF --delete \
+ -aAX --delete \
+ --filter='dir-merge /.backup-filter' \
--link-dest="$dst_path/current" \
"$dst_path/current/" \
"$dst_path/$ns/.partial.$name"
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index f76d3c536..b58b52038 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -108,6 +108,7 @@ let
{ krebs = import ./makefu { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 3153e4cfc..50c5ab628 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -2,6 +2,13 @@
options = {
krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon";
+ openFilesLimit = lib.mkOption {
+ type = lib.types.int;
+ default = 1024;
+ description = ''
+ Maximum number of open files. Limits the clients and server connections.
+ '';
+ };
config = lib.mkOption {
type = (pkgs.formats.json {}).type;
description = ''
@@ -54,8 +61,8 @@
multiclient = {
enabled = true;
allowed-by-default = true;
- always-on = "opt-in";
- auto-away = "opt-in";
+ always-on = "opt-out";
+ auto-away = "opt-out";
};
};
channels = {
@@ -111,13 +118,15 @@
systemd.services.ergo = {
description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
+ # reload currently not working as expected
+ # reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
+ LimitNOFILE = "${toString cfg.openFilesLimit}";
};
};
});
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 66914797d..1b51f0223 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -16,37 +16,7 @@ with import <stockholm/lib>;
tinc-for = name: builtins.readFile (./tinc + "/${name}.pub");
in {
-
hosts = mapAttrs hostDefaults {
- kabsa = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.4";
- aliases = [
- "kabsa.r"
- "kabsa.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN PUBLIC KEY-----
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
- g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
- 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
- uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
- a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
- IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
- C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
- sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
- 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
- 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
- lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
- QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
- -----END PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
- };
- };
- };
helsinki = {
owner = config.krebs.users.ajs124;
nets = {
@@ -142,65 +112,6 @@ in {
};
};
};
- makanek = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.84";
- aliases = [
- "makanek.r"
- "makanek.kmein.r"
- "grafana.kmein.r"
- "names.kmein.r"
- "graph.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
- VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
- JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
- hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
- Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
- de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
- Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
- uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
- zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
- Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
- oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
- };
- };
- };
- manakish = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.85";
- aliases = [
- "manakish.r"
- "manakish.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
- Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
- 7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
- dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
- 1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
- GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
- EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
- U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
- +FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
- I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
- qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
- };
- };
- };
qubasa = {
owner = config.krebs.users.qubasa;
nets = {
@@ -226,7 +137,6 @@ in {
};
};
};
-
keller = {
owner = config.krebs.users.qubasa;
nets = {
@@ -279,13 +189,6 @@ in {
};
};
- rilke = {
- owner = config.krebs.users.kmein;
- nets.wiregrill = {
- aliases = [ "rilke.w" ];
- wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
- };
- };
rtjure = {
owner = config.krebs.users.rtjure;
nets = {
@@ -312,37 +215,6 @@ in {
};
};
};
- zaatar = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.34";
- aliases = [
- "zaatar.r"
- "zaatar.kmein.r"
- "grocy.kmein.r"
- "bvg.kmein.r"
- "moodle.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
- pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
- xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
- 5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
- T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
- 2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
- PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
- zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
- xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
- yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
- uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
- };
- };
- };
sokrateslaptop = {
owner = config.krebs.users.sokratess;
nets = {
@@ -691,6 +563,31 @@ in {
};
};
};
+ papawhakaaro = {
+ owner = config.krebs.users.feliks;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.10.243";
+ aliases = [ "papawhakaaro.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw
+ oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK
+ sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV
+ 5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz
+ GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9
+ pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY
+ hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi
+ 4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX
+ lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10
+ LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe
+ l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP";
+ };
+ };
+ };
hydrogen = {
owner = config.krebs.users.sandro;
nets = rec {
@@ -740,10 +637,6 @@ in {
jonge = {
mail = "jacek.galowicz@gmail.com";
};
- kmein = {
- mail = "kmein@posteo.de";
- pubkey = ssh-for "kmein";
- };
mic92 = {
mail = "joerg@thalheim.io";
pubkey = ssh-for "mic92";
@@ -799,5 +692,8 @@ in {
pie_ = {};
domsen = {
};
+ feliks = {
+ mail = "feliks@flipdot.org";
+ };
};
}
diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix
new file mode 100644
index 000000000..9ef079090
--- /dev/null
+++ b/krebs/3modules/external/kmein.nix
@@ -0,0 +1,146 @@
+with import <stockholm/lib>;
+{ config, ... }:
+let
+ maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else [];
+ hostDefaults = hostName: host: flip recursiveUpdate host ({
+ ci = false;
+ external = true;
+ monitoring = false;
+ owner = config.krebs.users.kmein;
+ } // optionalAttrs (host.nets?retiolum) {
+ nets.retiolum = {
+ ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
+ };
+ } // optionalAttrs (host.nets?wiregrill) {
+ nets.wiregrill = {
+ ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
+ };
+ });
+ ssh-for = name: builtins.readFile (./ssh + "/${name}.pub");
+in
+{
+ users = rec {
+ kmein = kmein-kabsa;
+ kmein-kabsa = {
+ mail = "kmein@posteo.de";
+ pubkey = ssh-for "kmein.kabsa";
+ };
+ kmein-manakish = {
+ inherit (kmein-kabsa) mail;
+ pubkey = ssh-for "kmein.manakish";
+ };
+ };
+ hosts = mapAttrs hostDefaults {
+ kabsa = {
+ nets.retiolum = {
+ aliases = [ "kabsa.r" "kabsa.kmein.r" ];
+ ip4.addr = "10.243.2.4";
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
+ g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
+ 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
+ uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
+ a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
+ IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
+ C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
+ sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
+ 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
+ 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
+ lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
+ QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
+ };
+ };
+ makanek = {
+ nets.retiolum = {
+ aliases = [
+ "makanek.r"
+ "makanek.kmein.r"
+ "grafana.kmein.r"
+ "names.kmein.r"
+ "graph.r"
+ "rrm.r"
+ ];
+ ip4.addr = "10.243.2.84";
+ tinc.pubkey