diff options
author | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
commit | 54aaf5af8ed4d62a2e6645b7ca662ffac310e86c (patch) | |
tree | b3b1a1797791cd8cf763254a3fd88f7d35a2340c | |
parent | ef48f536a3e539b215bb004b512e62c2d0f96907 (diff) | |
parent | 31fc5a95c735ab3b9b832d407195e422c07cd4c0 (diff) |
Merge remote-tracking branch 'lass/master'
43 files changed, 586 insertions, 386 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 6a51bf45f..cf07d3b4d 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -7,7 +7,7 @@ <stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix> - <stockholm/krebs/2configs/ergo.nix> + <stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/wiki.nix> <stockholm/krebs/2configs/acme.nix> diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 9200d41fe..38d770316 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -4,6 +4,7 @@ with import <stockholm/lib>; { imports = [ ./backup.nix + ./security-workarounds.nix ]; krebs.announce-activation.enable = true; krebs.enable = true; diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix deleted file mode 100644 index db0bc5748..000000000 --- a/krebs/2configs/ergo.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.firewall.allowedTCPPorts = [ - 6667 - ]; - - krebs.ergo = { - enable = true; - }; -} - - diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 904878731..c6c91e074 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -1,121 +1,44 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { networking.firewall.allowedTCPPorts = [ - 6667 6669 + 6667 ]; - systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384; - - services.solanum = { + krebs.ergo = { enable = true; - motd = '' - hello - ''; - config = '' - loadmodule "extensions/m_omode"; - serverinfo { - name = "${config.krebs.build.host.name}.irc.r"; - sid = "1as"; - description = "irc!"; - network_name = "irc.r"; - - vhost = "0.0.0.0"; - vhost6 = "::"; - - #ssl_private_key = "etc/ssl.key"; - #ssl_cert = "etc/ssl.cert"; - #ssl_dh_params = "etc/dh.pem"; - #ssld_count = 1; - - default_max_clients = 2048; - #nicklen = 30; - }; - - listen { - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - host = "0.0.0.0"; - port = 6667; - #sslport = 6697; - - /* Listen on IPv6 (if you used host= above). */ - host = "::"; - port = 6667; - #sslport = 6697; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 4096; - number_per_ip_global = 4096; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 65535; - max_number = 65535; - sendq = 1000 megabyte; - }; - - privset "op" { - privs = oper:admin, oper:general; - }; - - operator "aids" { - user = "*@*"; - password = "balls"; - flags = ~encrypted; - snomask = "+s"; - privset = "op"; - }; - - exempt { - ip = "127.0.0.1"; - }; - - exempt { - ip = "10.243.0.0/16"; - }; - - auth { - user = "*@*"; - class = "users"; - flags = kline_exempt, exceed_limit, flood_exempt; - }; - - channel { - autochanmodes = "+t"; - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 150; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - - general { - #maybe we want ident someday? - default_floodcount = 10000; - disable_auth = yes; - throttle_duration = 1; - throttle_count = 10000; - }; - ''; + config = { + server.secure-nets = [ + "42::0/16" + "10.240.0.0/12" + ]; + oper-classes.server-admin = { + title = "admin"; + capabilities = [ + "kill" # disconnect user sessions + "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + "nofakelag" # remove "fakelag" restrictions on rate of message sending + "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + "vhosts" # add and remove vhosts from users + "sajoin" # join arbitrary channels, including private channels + "samode" # modify arbitrary channel and user modes + "snomasks" # subscribe to arbitrary server notice masks + "roleplay" # use the (deprecated) roleplay commands in any channel + "rehash" # rehash the server, i.e. reload the config at runtime + "accreg" # modify arbitrary account registrations + "chanreg" # modify arbitrary channel registrations + "history" # modify or delete history messages + "defcon" # use the DEFCON command (restrict server capabilities) + "massmessage" # message all users on the server + ]; + }; + opers.aids = { + class = "server-admin"; + hidden = false; + password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO"; + }; + }; }; } + + diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix index d5e4c89c1..30f232b64 100644 --- a/krebs/2configs/mud.nix +++ b/krebs/2configs/mud.nix @@ -156,7 +156,8 @@ in { openssh.authorizedKeys.keys = with config.krebs.users; [ lass.pubkey makefu.pubkey - kmein.pubkey + kmein-kabsa.pubkey + kmein-manakish.pubkey tv.pubkey ]; packages = with pkgs; [ diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 84a39f95b..9ea4cbf8d 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -68,7 +68,13 @@ wantedBy = [ "multi-user.target" ]; }; - systemd.services.brockman.bindsTo = [ "solanum.service" ]; + krebs.ergo.openFilesLimit = 16384; + krebs.ergo.config = { + limits.nicklen = 100; + limits.identlen = 100; + history.enabled = false; + }; + systemd.services.brockman.bindsTo = [ "ergo.service" ]; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; krebs.brockman = { diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index df66fd798..305d31405 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -95,7 +95,7 @@ let } hooks.sed (generators.command_hook { - inherit (commands) random-emoji nixos-version; + inherit (commands) dance random-emoji nixos-version; tell = { filename = <stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>; diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix new file mode 100644 index 000000000..27d1f8485 --- /dev/null +++ b/krebs/2configs/security-workarounds.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; +{ + # https://github.com/berdav/CVE-2021-4034 + security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" ""); +} diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index c5cb1cae6..4a88582a2 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -157,7 +157,8 @@ let # of the deepest directory: # shellcheck disable=SC2174 ${local.rsync} >&2 \ - -aAXF --delete \ + -aAX --delete \ + --filter='dir-merge /.backup-filter' \ --rsh=${shell.escape ssh} \ --rsync-path=${shell.escape remote.rsync} \ --link-dest=${shell.escape plan.dst.path}/current \ @@ -191,7 +192,8 @@ let echo >&2 "create snapshot: $ns/$name" mkdir -m 0700 -p "$dst_path/$ns" rsync >&2 \ - -aAXF --delete \ + -aAX --delete \ + --filter='dir-merge /.backup-filter' \ --link-dest="$dst_path/current" \ "$dst_path/current/" \ "$dst_path/$ns/.partial.$name" diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index f76d3c536..b58b52038 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -108,6 +108,7 @@ let { krebs = import ./makefu { inherit config; }; } { krebs = import ./external/palo.nix { inherit config; }; } { krebs = import ./external/mic92.nix { inherit config; }; } + { krebs = import ./external/kmein.nix { inherit config; }; } { krebs = import ./tv { inherit config; }; } { krebs.dns.providers = { diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix index 3153e4cfc..50c5ab628 100644 --- a/krebs/3modules/ergo.nix +++ b/krebs/3modules/ergo.nix @@ -2,6 +2,13 @@ options = { krebs.ergo = { enable = lib.mkEnableOption "Ergo IRC daemon"; + openFilesLimit = lib.mkOption { + type = lib.types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; config = lib.mkOption { type = (pkgs.formats.json {}).type; description = '' @@ -54,8 +61,8 @@ multiclient = { enabled = true; allowed-by-default = true; - always-on = "opt-in"; - auto-away = "opt-in"; + always-on = "opt-out"; + auto-away = "opt-out"; }; }; channels = { @@ -111,13 +118,15 @@ systemd.services.ergo = { description = "Ergo IRC daemon"; wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; + # reload currently not working as expected + # reloadIfChanged = true; restartTriggers = [ configFile ]; serviceConfig = { ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; StateDirectory = "ergo"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; }; }; }); diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 66914797d..1b51f0223 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -16,37 +16,7 @@ with import <stockholm/lib>; tinc-for = name: builtins.readFile (./tinc + "/${name}.pub"); in { - hosts = mapAttrs hostDefaults { - kabsa = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.4"; - aliases = [ - "kabsa.r" - "kabsa.kmein.r" - ]; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk - g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg - 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay - uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L - a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo - IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM - C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q - sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq - 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo - 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57 - lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0 - QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ== - -----END PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN"; - }; - }; - }; helsinki = { owner = config.krebs.users.ajs124; nets = { @@ -142,65 +112,6 @@ in { }; }; }; - makanek = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.84"; - aliases = [ - "makanek.r" - "makanek.kmein.r" - "grafana.kmein.r" - "names.kmein.r" - "graph.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb - VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u - JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5 - hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X - Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39 - de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK - Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE - uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G - zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO - Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV - oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC"; - }; - }; - }; - manakish = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.85"; - aliases = [ - "manakish.r" - "manakish.kmein.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH - Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy - 7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB - dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF - 1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb - GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ - EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw - U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM// - +FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64 - I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c - qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN"; - }; - }; - }; qubasa = { owner = config.krebs.users.qubasa; nets = { @@ -226,7 +137,6 @@ in { }; }; }; - keller = { owner = config.krebs.users.qubasa; nets = { @@ -279,13 +189,6 @@ in { }; }; - rilke = { - owner = config.krebs.users.kmein; - nets.wiregrill = { - aliases = [ "rilke.w" ]; - wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ="; - }; - }; rtjure = { owner = config.krebs.users.rtjure; nets = { @@ -312,37 +215,6 @@ in { }; }; }; - zaatar = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.34"; - aliases = [ - "zaatar.r" - "zaatar.kmein.r" - "grocy.kmein.r" - "bvg.kmein.r" - "moodle.kmein.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM - pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ - xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i - 5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q - T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6 - 2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp - PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj - zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc - xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4 - yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK - uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH"; - }; - }; - }; sokrateslaptop = { owner = config.krebs.users.sokratess; nets = { @@ -691,6 +563,31 @@ in { }; }; }; + papawhakaaro = { + owner = config.krebs.users.feliks; + nets = { + retiolum = { + ip4.addr = "10.243.10.243"; + aliases = [ "papawhakaaro.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw + oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK + sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV + 5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz + GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9 + pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY + hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi + 4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX + lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10 + LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe + l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP"; + }; + }; + }; hydrogen = { owner = config.krebs.users.sandro; nets = rec { @@ -740,10 +637,6 @@ in { jonge = { mail = "jacek.galowicz@gmail.com"; }; - kmein = { - mail = "kmein@posteo.de"; - pubkey = ssh-for "kmein"; - }; mic92 = { mail = "joerg@thalheim.io"; pubkey = ssh-for "mic92"; @@ -799,5 +692,8 @@ in { pie_ = {}; domsen = { }; + feliks = { + mail = "feliks@flipdot.org"; + }; }; } diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix new file mode 100644 index 000000000..9ef079090 --- /dev/null +++ b/krebs/3modules/external/kmein.nix @@ -0,0 +1,146 @@ +with import <stockholm/lib>; +{ config, ... }: +let + maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else []; + hostDefaults = hostName: host: flip recursiveUpdate host ({ + ci = false; + external = true; + monitoring = false; + owner = config.krebs.users.kmein; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum = { + ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; + }; + } // optionalAttrs (host.nets?wiregrill) { + nets.wiregrill = { + ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address; + }; + }); + ssh-for = name: builtins.readFile (./ssh + "/${name}.pub"); +in +{ + users = rec { + kmein = kmein-kabsa; + kmein-kabsa = { + mail = "kmein@posteo.de"; + pubkey = ssh-for "kmein.kabsa"; + }; + kmein-manakish = { + inherit (kmein-kabsa) mail; + pubkey = ssh-for "kmein.manakish"; + }; + }; + hosts = mapAttrs hostDefaults { + kabsa = { + nets.retiolum = { + aliases = [ "kabsa.r" "kabsa.kmein.r" ]; + ip4.addr = "10.243.2.4"; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk + g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg + 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay + uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L + a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo + IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM + C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q + sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq + 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo + 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57 + lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0 + QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ== + -----END PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN"; + }; + }; + makanek = { + nets.retiolum = { + aliases = [ + "makanek.r" + "makanek.kmein.r" + "grafana.kmein.r" + "names.kmein.r" + "graph.r" + "rrm.r" + ]; + ip4.addr = "10.243.2.84"; + tinc.pubkey |