summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2018-01-16 20:19:27 +0100
committertv <tv@krebsco.de>2018-01-16 20:19:27 +0100
commitcc4e5322aeca08d121b7769517136b05d7e391ca (patch)
tree8d8757d91cd631c58d30cb98589973a4983e9d4a /krebs
parent1c06f938b3d4e4e036184639ecdcadec27b5d8f8 (diff)
parent74d1531be988057ccadd3de5184d915dcf84c92d (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/2configs/repo-sync.nix2
-rw-r--r--krebs/3modules/jeschli/default.nix46
-rw-r--r--krebs/3modules/lass/default.nix15
-rw-r--r--krebs/3modules/makefu/default.nix1
-rw-r--r--krebs/4lib/infest/prepare.sh87
-rw-r--r--krebs/5pkgs/simple/internetarchive/default.nix2
6 files changed, 128 insertions, 25 deletions
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index 84b7d9c0e..48da88a8d 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -58,7 +58,7 @@ let
ref = "heads/master";
};
};
- krebs.git = defineRepo name true;
+ krebs.git = defineRepo name false;
};
in {
diff --git a/krebs/3modules/jeschli/default.nix b/krebs/3modules/jeschli/default.nix
index 0d161e1c8..c7e882742 100644
--- a/krebs/3modules/jeschli/default.nix
+++ b/krebs/3modules/jeschli/default.nix
@@ -118,6 +118,52 @@ with import <stockholm/lib>;
};
};
};
+ enklave = {
+ nets = rec {
+ internet = {
+ ip4.addr = "88.198.164.182";
+ aliases = [
+ "enklave.i"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.27.30";
+ ip6.addr = "42::30";
+ aliases = [
+ "enklave.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIID8gKCA+kAt8zRg/g0jRmqXn6rVul/tdjWtLPcu0aTjNJ5OYZh50i7WqWllGVz
+ +FfJicuq/Xd1l5qrgUN7MD+Wrfeov+G9lzSgacfPhXMujutXxX3JwW/9f7UN+yoN
+ Sw29Zj+NWb45HyI5WVwMQ332KbKjNcWdTRe+O39oE6bZWg54oEeZOad2UJ7/83sB
+ yNEV/B7bJ0+X9HR8XCKrHI/RkjixNauMDlquGzoVyqLKIWwUnBl9CwtNBCYHbvYD
+ G1rWeCewd9Z6KsqcKSePfa4mn5eOluWcXmbrD/sx8oII40oNUs3kI7a2HExB2Yle
+ P9Q5MQrXRZfI3bdrh1aHieBodZLtosHPNuJIpo8ZaCX88WLhGR3nhJa1vvM1vNwd
+ TSSAdobdZUcuIQJKnVxwP4rXQAKPkN2+ddy+tXCGvfFAsdGKDbgPy4FgT+Ed28vg
+ 3W0fef/3sDNGPY1VAa58/pLz9Un3kNJKUjt00tWamo8daU/3mxZs83nIqDHLq86l
+ 1+wCl37l+KHe7pUVZ3smoezPRCMoUThmc7VzupbQG+piiSSyiYQi0CuBusa44t76
+ 1lMr3pOdRBBAoetZ745ZZVx8s+eYk+C1BmQbLJAfzQ9sbH3LAwXpuAH70mtrFqWl
+ C3LF89/5mZRbFxALZv9cVx3LqIZDjwpKlwPWorZwo14L+eAagdPCcnVNo6ZcVow2
+ mAdNnf7C33fvRsU+rUEIZVPsBHZfAv+f0jqQ65TMvl32VZ0FlxxahSZSj64n8iwr
+ Z+DOxKA9OcAaTrHQReYLpWUfNceVDLfOmQLeih8hNgClgqPgYJP/OtN+ox3NP6ZX
+ +Gkx9HO7a+agtyJxjh3NYbT/NkRW8HcjW8KgRN7jlE9sQi5/FoxKQOUdHmLTvjdk
+ YJXqdPWMYHj2xt4A8x2nzl/si6lwDsod+zdY5RGSdYhoybEOs4wZZIuArmm8GP+C
+ IbtgutknAuqvm2FOxyWCbLFTimgqC5BgrNUsXFJJLsHQ3bWFJtVpJlSa5Y0iypCP
+ Yr/cefbDrGfs3eCy7FlYDIkCcH06FPm1LTs6USisrtKFObRQN+zPSPln9FysNmpH
+ h0YUhrWdTO+wN78K5gc4ALPNUlyqmH61h8jS2qSdrRZLcZWIi4K4banG6EJcWRvV
+ kaVxghY1i/Z9x43bZRpBPvpM462IDx08vYX9AcFmF7JfjAXPwJO/EqZVsY1YPDzO
+ vdXWrtTORO8R8Pjq3X952yNqgHBcJQh7Q9TBcj+XBtkidOSnTt3Sp/RumsucUW19
+ 0wMempDPiCOAadLmR4cW5XL1ednXurkd+5gHCmB1Sl7FueP5dgLB/mhXjmITE3zH
+ aQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+
+
};
users = {
jeschli = {
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 0567d58ba..37bb31563 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -3,6 +3,9 @@
with import <stockholm/lib>;
{
+ dns.providers = {
+ "lassul.us" = "zones";
+ };
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
ci = true;
@@ -80,6 +83,18 @@ with import <stockholm/lib>;
prism IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
'';
+ "lassul.us" = ''
+ $TTL 3600
+ @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
+ 60 IN NS ns16.ovh.net.
+ 60 IN NS dns16.ovh.net.
+ 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ 60 IN TXT v=spf1 mx -all
+ cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ io 60 IN NS ions.lassul.us.
+ ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ '';
};
nets = rec {
internet = {
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 9f1842b88..56e5c6b82 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -541,6 +541,7 @@ with import <stockholm/lib>;
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}
+ photostore IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index ccfc4f49b..78c1c6ec1 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -21,6 +21,10 @@ prepare() {(
esac
;;
debian)
+ if grep -Fq Hetzner /etc/motd; then
+ prepare_hetzner_rescue "$@"
+ exit
+ fi
case $VERSION_ID in
7)
prepare_debian "$@"
@@ -72,7 +76,7 @@ prepare_debian() {
type bzip2 2>/dev/null || apt-get install bzip2
type git 2>/dev/null || apt-get install git
type rsync 2>/dev/null || apt-get install rsync
- type curl 2>/dev/null || apt-get install curl
+ type curl 2>/dev/null || apt-get install curl
prepare_common
}
@@ -90,10 +94,33 @@ prepare_nixos_iso() {
mkdir -p bin
rm -f bin/nixos-install
- cp "$(type -p nixos-install)" bin/nixos-install
+ cp "$(_which nixos-install)" bin/nixos-install
sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
}
+prepare_hetzner_rescue() {
+ _which() (
+ which "$1"
+ )
+ mountpoint /mnt
+
+ type bzip2 2>/dev/null || apt-get install bzip2
+ type git 2>/dev/null || apt-get install git
+ type rsync 2>/dev/null || apt-get install rsync
+ type curl 2>/dev/null || apt-get install curl
+
+ mkdir -p /mnt/"$target_path"
+ mkdir -p "$target_path"
+
+ if ! mountpoint "$target_path"; then
+ mount --rbind /mnt/"$target_path" "$target_path"
+ fi
+
+ _prepare_nix_users
+ _prepare_nix
+ _prepare_nixos_install
+}
+
get_nixos_install() {
echo "installing nixos-install" 2>&1
c=$(mktemp)
@@ -107,24 +134,13 @@ EOF
nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"
rm -v $c
}
+
prepare_common() {(
+ _which() (
+ type -p "$1"
+ )
- if ! getent group nixbld >/dev/null; then
- groupadd -g 30000 -r nixbld
- fi
- for i in `seq 1 10`; do
- if ! getent passwd nixbld$i 2>/dev/null; then
- useradd \
- -d /var/empty \
- -g 30000 \
- -G 30000 \
- -l \
- -M \
- -s /sbin/nologin \
- -u $(expr 30000 + $i) \
- nixbld$i
- fi
- done
+ _prepare_nix_users
#
# mount install directory
@@ -173,10 +189,12 @@ prepare_common() {(
mount --bind /nix /mnt/nix
fi
- #
- # install nix
- #
+ _prepare_nix
+ _prepare_nixos_install
+)}
+
+_prepare_nix() {
# install nix on host (cf. https://nixos.org/nix/install)
if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
(
@@ -201,17 +219,40 @@ prepare_common() {(
if ! mountpoint "$target_path"; then
mount --rbind /mnt/"$target_path" "$target_path"
fi
+}
+_prepare_nix_users() {
+ if ! getent group nixbld >/dev/null; then
+ groupadd -g 30000 -r nixbld
+ fi
+ for i in `seq 1 10`; do
+ if ! getent passwd nixbld$i 2>/dev/null; then
+ useradd \
+ -d /var/empty \
+ -g 30000 \
+ -G 30000 \
+ -l \
+ -M \
+ -s /sbin/nologin \
+ -u $(expr 30000 + $i) \
+ nixbld$i
+ fi
+ done
+}
+
+
+_prepare_nixos_install() {
get_nixos_install
+
mkdir -p bin
rm -f bin/nixos-install
- cp "$(type -p nixos-install)" bin/nixos-install
+ cp "$(_which nixos-install)" bin/nixos-install
sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
if ! grep -q '^PATH.*#krebs' .bashrc; then
echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc
echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc
fi
-)}
+}
prepare "$@"
diff --git a/krebs/5pkgs/simple/internetarchive/default.nix b/krebs/5pkgs/simple/internetarchive/default.nix
index 2f55e6f42..3c83093be 100644
--- a/krebs/5pkgs/simple/internetarchive/default.nix
+++ b/krebs/5pkgs/simple/internetarchive/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, pkgs, fetchPypi, ... }:
+{ stdenv, pkgs, ... }:
with pkgs.python3Packages;
buildPythonPackage rec {
pname = "internetarchive";