authortv <tv@krebsco.de>2023-09-11 14:55:04 +0200
committertv <tv@krebsco.de>2023-09-11 14:55:04 +0200
commit8fc162ee3d9525a2b45346a1ca8f34ccb5ef971b (patch)
treeaa37724dd0452860d4b9b033332587c8832629e3 /krebs
parent90b1515dcd5b67a85cd92901fb211764b1fa5f83 (diff)
parent083229d0211096daec08673f743ccc45b1d8a0ac (diff)
Merge remote-tracking branch 'orange/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/2configs/acme.nix2
-rw-r--r--krebs/2configs/cal.nix2
-rw-r--r--krebs/2configs/hotdog-host.nix3
-rw-r--r--krebs/2configs/mastodon.nix6
-rw-r--r--krebs/2configs/news-host.nix3
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/2configs/repo-sync.nix2
-rw-r--r--krebs/2configs/syncthing.nix4
-rw-r--r--krebs/2configs/tor/initrd.nix4
-rw-r--r--krebs/2configs/wiki.nix2
-rw-r--r--krebs/3modules/exim-smarthost.nix4
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/github/hosts-sync.nix2
-rw-r--r--krebs/3modules/iptables.nix2
-rw-r--r--krebs/3modules/power-action.nix6
-rw-r--r--krebs/3modules/repo-sync.nix2
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--krebs/3modules/tinc.nix4
-rw-r--r--krebs/5pkgs/haskell/nix-serve-ng.nix6
-rw-r--r--krebs/5pkgs/simple/fzfmenu/default.nix2
-rw-r--r--krebs/5pkgs/simple/ovh-zone/default.nix1
-rw-r--r--krebs/5pkgs/simple/realwallpaper/get_constellations.py29
-rw-r--r--krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix30
-rw-r--r--krebs/5pkgs/simple/vicuna-chat/default.nix2
-rw-r--r--krebs/nixpkgs-unstable.json10
-rw-r--r--krebs/nixpkgs.json10
26 files changed, 92 insertions, 54 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
index 056aa7ae4..0b9cb91af 100644
--- a/krebs/2configs/acme.nix
+++ b/krebs/2configs/acme.nix
@@ -24,7 +24,7 @@ in {
path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root";
mode = "1444";
- source-path = builtins.toString <secrets> + "/acme_ca.key";
+ source-path = "${config.krebs.secret.directory}/acme_ca.key";
};
services.step-ca = {
enable = true;
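Review bot: Whether `config` is bound in this file cannot be seen from the hunk (its header shows only `in {`); the hotdog-host.nix and news-host.nix hunks in this merge add `{ config, ... }:` for the same substitution, so acme.nix and cal.nix deserve the same check before this is deployed. A second point, inferred rather than visible here: the removed `"${<secrets/...>}"` form in cal.nix, wiki.nix and 2configs/repo-sync.nix interpolated a path value and therefore copied the key into the world-readable Nix store, and the new `"${config.krebs.secret.directory}/..."` form avoids that only if `krebs.secret.directory` is declared as a string option. If it is a path type, the interpolation would copy the whole secrets directory into the store instead, so the option's declaration is worth confirming once for all of these hunks.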
diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix
index a1fe47b5d..1a0cdf019 100644
--- a/krebs/2configs/cal.nix
+++ b/krebs/2configs/cal.nix
@@ -108,7 +108,7 @@ in {
krebs.secret.files.calendar = {
path = "/var/lib/radicale/.ssh/id_ed25519";
owner = { name = "radicale"; };
- source-path = "${<secrets/radicale.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
};
security.sudo.extraConfig = ''
diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix
index 95d70376b..ab2b22b7c 100644
--- a/krebs/2configs/hotdog-host.nix
+++ b/krebs/2configs/hotdog-host.nix
@@ -1,6 +1,7 @@
+{ config, ... }:
{
krebs.sync-containers3.containers.hotdog = {
- sshKey = "${toString <secrets>}/hotdog.sync.key";
+ sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
};
containers.hotdog.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/hotdog/state";
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index 145b383ed..af308b2c7 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -33,8 +33,10 @@
];
environment.systemPackages = [
- (pkgs.writers.writeDashBin "tootctl" ''
- sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@"
+ (pkgs.writers.writeDashBin "clear-mastodon-cache" ''
+ mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30
+ mastodon-tootctl media remove-orphans
+ mastodon-tootctl preview_cards remove --days=14
'')
(pkgs.writers.writeDashBin "create-mastodon-user" ''
set -efu
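Review bot: The new `clear-mastodon-cache` script body has no `set -efu`, unlike its sibling `create-mastodon-user` two lines below, so a failing `media remove` does not stop the following `remove-orphans` and `preview_cards remove` steps. Add `set -efu` as the first line of the script, matching the sibling. The replaced `tootctl` wrapper ran under `sudo -u mastodon`; `mastodon-tootctl` is presumably the wrapper the NixOS mastodon module installs, but that it runs as the mastodon user should be confirmed.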
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
index 71793e518..81922ef87 100644
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@@ -1,5 +1,6 @@
+{ config, ... }:
{
krebs.sync-containers3.containers.news = {
- sshKey = "${toString <secrets>}/news.sync.key";
+ sshKey = "${config.krebs.secret.directory}/news.sync.key";
};
}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 0f7ab0adf..bc5bfc0fb 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -486,7 +486,7 @@ in {
services.nginx.virtualHosts."agenda.r" = {
serverAliases = [ "kri.r" ];
locations."= /index.html".extraConfig = ''
- alias ./agenda.html;
+ alias ${./agenda.html};
'';
locations."/agenda.json".extraConfig = ''
proxy_set_header Host $host;
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index 1b72924a6..a488fdfea 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -98,7 +98,7 @@ in {
krebs.secret.files.konsens = {
path = "/var/lib/konsens/.ssh/id_ed25519";
owner = konsens-user;
- source-path = "${<secrets/konsens.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
};
imports = [
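Review bot: The added `source-path` ends in a stray `>` (`konsens.id_ed25519>`), left over from the removed `<secrets/konsens.id_ed25519>` path, so the secret will be looked up under a filename that does not exist. It should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`, as in the parallel wiki.nix and cal.nix hunks.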
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 59178516c..90ae66f6e 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@@ -10,8 +10,8 @@ in {
services.syncthing = {
enable = true;
configDir = "/var/lib/syncthing";
- key = toString <secrets/syncthing.key>;
- cert = toString <secrets/syncthing.cert>;
+ key = "${config.krebs.secret.directory}/syncthing.key";
+ cert = "${config.krebs.secret.directory}/syncthing.cert";
# workaround for infinite recursion on unstable, remove in 23.11
} // (if builtins.hasAttr "settings" options.services.syncthing then
{ settings.devices = mk_peers used_peers; }
diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix
index 98ed039b4..21c46a0a7 100644
--- a/krebs/2configs/tor/initrd.nix
+++ b/krebs/2configs/tor/initrd.nix
@@ -13,12 +13,12 @@
config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey
];
- hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
+ hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
};
boot.initrd.availableKernelModules = [ "e1000e" ];
boot.initrd.secrets = {
- "/etc/tor/onion/bootup" = <secrets/initrd>;
+ "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
};
boot.initrd.extraUtilsCommands = ''
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index a227ceb4a..4b0bf9768 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -96,7 +96,7 @@ in
krebs.secret.files.gollum = {
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
owner = { name = "gollum"; };
- source-path = "${<secrets/gollum.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
};
security.sudo.extraConfig = ''
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 093ae2030..4e42ce72e 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -20,14 +20,14 @@ let
};
dkim = mkOption {
- type = types.listOf (types.submodule ({ config, ... }: {
+ type = types.listOf (types.submodule (dkim: {
options = {
domain = mkOption {
type = types.str;
};
private_key = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${config.domain}.dkim.priv";
+ default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
defaultText = "‹secrets/‹domain›.dkim.priv›";
};
selector = mkOption {
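Review bot: `defaultText` on the line after the changed default still reads `‹secrets/‹domain›.dkim.priv›`, so the generated option documentation now describes the old NIX_PATH-based default rather than `krebs.secret.directory`. The same stale `defaultText` is left in the github/hosts-sync.nix, 3modules/repo-sync.nix and both tinc.nix hunks, and retiolum-bootstrap.nix keeps its `# in use: # <secrets/tinc.krebsco.de.crt>` comment; something like `defaultText = "‹krebs.secret.directory›/‹domain›.dkim.priv";` in each keeps the docs truthful. The submodule argument is renamed to `dkim` so that `config` now refers to the enclosing module's `config`, which only works if the outer module binds `config`; its `let` header is outside the hunk, so that cannot be checked here.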
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 79187adfa..0d67120fd 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -40,7 +40,7 @@ let
};
};
- fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
+ fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
set -euf
mkdir -p ${cfg.stateDir}
diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix
index 6f9aee0ce..2f373f9bc 100644
--- a/krebs/3modules/github/hosts-sync.nix
+++ b/krebs/3modules/github/hosts-sync.nix
@@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
- default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
+ default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›";
};
url = mkOption {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index c1c5b68c8..32a5273a5 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -177,7 +177,7 @@ let
${buildTables iptables-version cfg.tables}
'';
- startScript = pkgs.writeDash "krebs-iptables_start" ''
+ startScript = pkgs.writers.writeDash "krebs-iptables_start" ''
set -euf
iptables-restore < ${rules "v4"}
ip6tables-restore < ${rules "v6"}
diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix
index 71e2b541a..a9ed24d3f 100644
--- a/krebs/3modules/power-action.nix
+++ b/krebs/3modules/power-action.nix
@@ -60,7 +60,7 @@ let
};
};
- startScript = pkgs.writeDash "power-action" ''
+ startScript = pkgs.writers.writeDash "power-action" ''
set -euf
power="$(${powerlvl})"
@@ -77,11 +77,11 @@ let
writeRule = _: plan:
"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
- powerlvl = pkgs.writeDash "powerlvl" ''
+ powerlvl = pkgs.writers.writeDash "powerlvl" ''
cat /sys/class/power_supply/${cfg.battery}/capacity
'';
- state = pkgs.writeDash "state" ''
+ state = pkgs.writers.writeDash "state" ''
if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
then echo "false"
else echo "true"
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index a6de3f3f6..5208d91ae 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -123,7 +123,7 @@ let
privateKeyFile = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/repo-sync.ssh.key";
+ default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
defaultText = "‹secrets/repo-sync.ssh.key›";
};
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index c9ea8a619..bd7e7c5f6 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -14,12 +14,12 @@ in
sslCertificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
};
sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.key";
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
# <secrets/tinc.krebsco.de.crt>
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 2f9efad46..9df368cfb 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
privkey = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
+ default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
};
@@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
- else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
};
diff --git a/krebs/5pkgs/haskell/nix-serve-ng.nix b/krebs/5pkgs/haskell/nix-serve-ng.nix
index 8866b205b..62e02ce82 100644
--- a/krebs/5pkgs/haskell/nix-serve-ng.nix
+++ b/krebs/5pkgs/haskell/nix-serve-ng.nix
@@ -6,11 +6,11 @@
}:
mkDerivation {
pname = "nix-serve-ng";
- version = "1.0.0";
+ version = "1.0.1";
src = fetchgit {
url = "https://github.com/aristanetworks/nix-serve-ng";
- sha256 = "0mqp67z5mi8rsjahdh395n7ppf0b65k8rd3pvnl281g02rbr69y2";
- rev = "433f70f4daae156b84853f5aaa11987aa5ce7277";
+ sha256 = "sha256-PkzwtjUgYuqfWtCH1nRqVRaajihN1SqMVjWmoSG/CCY=";
+ rev = "9b546864f4090736f3f9069a01ea5d42cf7bab7c";
fetchSubmodules = true;
};
isLibrary = false;
diff --git a/krebs/5pkgs/simple/fzfmenu/default.nix b/krebs/5pkgs/simple/fzfmenu/default.nix
index eb2441330..030c1b1b1 100644
--- a/krebs/5pkgs/simple/fzfmenu/default.nix
+++ b/krebs/5pkgs/simple/fzfmenu/default.nix
@@ -43,7 +43,7 @@ pkgs.writers.writeDashBin "fzfmenu" ''
set -efu
# Spawn terminal if called without one, like e.g. from a window manager.
- if [ -z ''${TERM+x} ]; then
+ if [ -z ''${TERM+x} ] || [ $TERM = dumb ]; then
exec 3<&0
exec 4>&1
export FZFMENU_INPUT_FD=3
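Review bot: `$TERM` on the changed line is unquoted, so a set-but-empty `TERM` turns the test into `[ = dumb ]`, a malformed expression that evaluates false instead of spawning a terminal. Quote it: `if [ -z ''${TERM+x} ] || [ "$TERM" = dumb ]; then`. The script body continues outside the hunk.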
diff --git a/krebs/5pkgs/simple/ovh-zone/default.nix b/krebs/5pkgs/simple/ovh-zone/default.nix
index 051a14e8d..bc0e45cb9 100644
--- a/krebs/5pkgs/simple/ovh-zone/default.nix
+++ b/krebs/5pkgs/simple/ovh-zone/default.nix
@@ -9,7 +9,6 @@ python3Packages.buildPythonPackage rec {
name = "ovh-zone-${version}";
version = "0.4.4";
propagatedBuildInputs = with pkgs.python3Packages;[
- d2to1 # for setup to work
ovh
docopt
];
diff --git a/krebs/5pkgs/simple/realwallpaper/get_constellations.py b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
index 5d8d3df5d..4ba766f6a 100644
--- a/krebs/5pkgs/simple/realwallpaper/get_constellations.py
+++ b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
@@ -18,19 +18,24 @@ def points_to_lines(points):
return lines
-with open(sys.argv[1]) as f:
- constellations = json.load(f)['features']
+def main():
+ with open(sys.argv[1]) as f:
+ constellations = json.load(f)['features']
-output = []
+ output = []
-for const in constellations:
- for line in const['geometry']['coordinates']:
- transformed_line = []
- for point in line:
- transformed_line.append(convert_to_itrs(point))
+ for const in constellations:
+ for line in const['geometry']['coordinates']:
+ transformed_line = []
+ for point in line:
+ transformed_line.append(convert_to_itrs(point))
- line_combined = points_to_lines(transformed_line)
- for l in line_combined: # noqa
- output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
+ line_combined = points_to_lines(transformed_line)
+ for l in line_combined: # noqa
+ output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
-print('\n'.join(output))
+ print('\n'.join(output))
+
+
+if __name__ == "__main__":
+ main()
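Review bot: The new `main` has no docstring, and the script's contract (a file path in `sys.argv[1]`, output on stdout) is now hidden inside the function. Add `"""Read the feature file named by sys.argv[1], convert every coordinate with convert_to_itrs and print one line segment per output line."""` under the `def main():` line. `main()` still indexes `sys.argv[1]` unguarded, as the old top-level code did, so a missing argument produces an IndexError rather than a usage message; that is pre-existing and could be left as is.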
diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
new file mode 100644
index 000000000..d3557894d
--- /dev/null
+++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
@@ -0,0 +1,30 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "renew-intermediate-ca" ''
+ TMPDIR=$(mktemp -d)
+ trap "rm -rf $TMPDIR;" INT TERM EXIT
+ mkdir -p "$TMPDIR/krebs"
+ brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+ brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+ brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
+ cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
+ export STEPPATH="$TMPDIR/step"
+ cat << EOF > "$TMPDIR/intermediate.tpl"
+ {
+ "subject": {{ toJson .Subject }},
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 0
+ },
+ "nameConstraints": {
+ "critical": true,
+ "permittedDNSDomains": ["r" ,"w"]
+ }
+ }
+ EOF
+
+ ${pkgs.step-cli}/bin/step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key" \
+ --offline \
+ --root "$TMPDIR/krebs/ca.crt" \
+ --ca-config "$TMPDIR/intermediate.tpl"
+''
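Review bot: `step ca renew` on the last lines is given `"$TMPDIR/ca.crt" "$TMPDIR/ca.key"`, but the script only ever writes `$TMPDIR/krebs/ca.{key,crt}` and `$TMPDIR/acme.{key,crt}`, so the renew is pointed at files that do not exist; given `--root "$TMPDIR/krebs/ca.crt"` the intent looks like renewing the ACME intermediate, i.e. `"$TMPDIR/acme.crt" "$TMPDIR/acme.key"`. The script also runs without `set -efu`, so a failed `brain show` leaves an empty key file and the renew still proceeds; add `set -efu` as the first line and write the trap as `trap 'rm -rf "$TMPDIR"' INT TERM EXIT` so the path is expanded when it fires. Two points to confirm rather than visible defects: `step ca renew` without `--out` presumably rewrites the certificate in place, and the trap removes everything under `$TMPDIR`, so the renewed certificate would be lost unless written elsewhere; and the file passed as `--ca-config` is a certificate template (`{{ toJson .Subject }}`) while that flag names the CA's configuration file, so check it is the flag intended.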
diff --git a/krebs/5pkgs/simple/vicuna-chat/default.nix b/krebs/5pkgs/simple/vicuna-chat/default.nix
index 11a11aabe..db15899d6 100644
--- a/krebs/5pkgs/simple/vicuna-chat/default.nix
+++ b/krebs/5pkgs/simple/vicuna-chat/default.nix
@@ -23,7 +23,7 @@ pkgs.writers.writeDashBin "vicuna-chat" ''
add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}"
response=$(
jq -nc --slurpfile context "$CONTEXT" '{
- model: "vicuna-13b",
+ model: "vicuna-13b-v1.5-16k",
messages: $context[0],
}' |
curl -Ss http://vicuna.r/v1/chat/completions -H 'Content-Type: application/json' -d @-
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index 4ae0716ea..2233cd20b 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,10 +1,10 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28",
- "date": "2023-07-28T14:55:37+02:00",
- "path": "/nix/store/38nmp3rkbjic5dm6g9qp4ldwi7pr602p-nixpkgs",
- "sha256": "0c2x3bcal4kyxgf6i408622zqvxamz986h11z8zjvd7gc8y4wxn7",
- "hash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=",
+ "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
+ "date": "2023-09-01T18:51:16+08:00",
+ "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
+ "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
+ "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 55e54ec64..0b6021ed0 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,10 +1,10 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "48e82fe1b1c863ee26a33ce9bd39621d2ada0a33",
- "date": "2023-07-28T18:34:19+03:00",
- "path": "/nix/store/pgqfg8ip3lv0lr6mpwh558npz3c1wwcr-nixpkgs",
- "sha256": "0d7na9ygda2r7gs3gbixd9gvcxgdv84993cilkj86bcwbpbg4vp5",
- "hash": "sha256-5W7y1l2cLYPkpJGNlAja7XW2X2o9rjf0O1mo9nxS9jQ=",
+ "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
+ "date": "2023-09-02T08:28:47+02:00",
+ "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
+ "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
+ "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,