diff options
| -rw-r--r-- | krebs/3modules/external/default.nix | 84 | ||||
| -rw-r--r-- | krebs/nixpkgs-unstable.json | 6 | ||||
| -rw-r--r-- | lass/1systems/littleT/config.nix | 1 | ||||
| -rw-r--r-- | lass/1systems/skynet/config.nix | 1 | ||||
| -rw-r--r-- | lass/2configs/green-host.nix | 99 |
5 files changed, 71 insertions, 120 deletions
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 49cf7c9de..d4858c67f 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -224,6 +224,33 @@ in { }; }; }; + manakish = { + owner = config.krebs.users.kmein; + nets = { + retiolum = { + ip4.addr = "10.243.2.85"; + aliases = [ + "manakish.r" + "manakish.kmein.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH + Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy + 7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB + dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF + 1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb + GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ + EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw + U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM// + +FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64 + I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c + qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; qubasa = { owner = config.krebs.users.qubasa; nets = { @@ -281,30 +308,29 @@ in { }; }; }; - scardanelli = { + zaatar = { owner = config.krebs.users.kmein; nets = { retiolum = { - ip4.addr = "10.243.2.2"; + ip4.addr = "10.243.2.34"; aliases = [ "zaatar.r" "zaatar.kmein.r" ]; tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/ - MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge - UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi - kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0 - gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx - we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY - QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm - SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL - 2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f - m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q - FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5 - lM61fOMcVW1KREdWypiDtu8CAwEAAQ== - -----END PUBLIC KEY----- + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAn1L8LaoLuvHnN39Vz/8Mu/G20+z2DdWeG8XCX53seG2R+Nv4K/Fb + PikALazrN5TIxjRSRL4HEOsYAHWrHyMyRiK0RTuVZxYX4ArilpWz6+5dyt9CkPDg + mpUqhkpHuWO7zXnCcMVkn2ESzJaDIClLaaZP9klrGoaOJLGSJhfF/y4z8p6C/HlR + AjxI4z+90ReRWHWj+adSd3FZnN9yfeVQwUyqohGM0tIHvLCiDVewigLOI3IWjPom + MyUFV/UPVn0/A81C2eADgKbwn6EiJnxDtlPZWBrEJ9vd8lNWBCyGTxTcD0DuDVCe + yP5+r3uV2OYgQPYFrmWwCZJDu7qBdR4MpPP974iPFZ7WCHrvqQQNPYNZ78zBVA4x + YPNpXxp7i3Q10Vnp5fDQlxy+tfE9deeS3vk15Ydyc6gC2D9YClch720cAtPemgs3 + F1O9Uc1PfJkUS5T0t9dpxH/0k6GZ9RQyJGCW7nupWTXmnDW7+TTjszLX3KYmG7XO + pQiic0oMvSCHwEPygnHTLWSt7rroje84htbatzplpQo8GS2tffieOEsgOaHp8TNr + QkRQnNbkAermVod6yK7wtutOk55f7WtYSCw+Kdo/pdQQQpcayKpTBikUQgdGwtTV + z9V1ZlEoLaaRxqisT4DB8279Bzy3QRV+eSHMMqw3+ePjxn7NbJxFn3sCAwEAAQ== + -----END RSA PUBLIC KEY----- ''; }; }; @@ -485,6 +511,32 @@ in { }; }; }; + nxrm = { + owner = config.krebs.users.rtjure; + nets = { + retiolum = { + ip4.addr = "10.243.122.124"; + aliases = [ + "nxrm.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAxPg9J+cpmazp8ZH2eCQwbq6GdU22Nhd/ySm+K/aN+x55C4QN6gMM + cBW2o0nfHi4JtvqDtdw0s9pGh0GsLHHoQlFD/lGr1oCMAe0FeN4cSAwbUH1DYFPw + KsyiXpXLVYCqt42JjzCM8HNUMBNDlnZ60z2Ashxj79PbYJ+i3oPEIE//Vf6MPOta + vaDUXCbqsWKKEqG8t+rM4WRrqzVVpASq6Avs2x+eijVe0Yeq4tkHcO0z3SrV2TM1 + nAPYDL0QlHHBVtAt0tAfo4CC+HAwZJz8yZ0sWPzz/fJj/K3HwuFDBKZSrsIgSPBc + +JCFefuI3aNc1fKTYIu0XqCqgdB0Xu2g/AkJcqXSvJQaNPFuyk5n79C2INHcpLrp + s8NWwaUAH7XhNUGYnzevan3hiuSgIsT0T2cfERmEGyMn90fioYWN7TW9txfEX9qL + I4mkmh1xqt8ipdpfGxYmUAAj9KoHEhAnDElblIXRWY3KLdY6gT4sO80K+hTbK/J+ + oyhU0nYcAnrFJNlSNjNucM/4UlCXqs4TaCM9cRggT6PmHy+M7vLebI4JGoOpCuYw + W1fiyXCrzlTP0vidDtv9mr0vTTK78Nc8oGc46Yu3K1kFSQYS/pRCjnOin35sYe/K + ahpclNJjom6tHxcwTriT0w6Yh/fCei7WCqpWtK2m4Qho/+WA3rFc3WUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; ada = { owner = config.krebs.users.filly; nets = { diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 22c33bd66..9ea1d4141 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,7 +1,7 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "007126eef72271480cb7670e19e501a1ad2c1ff2", - "date": "2020-10-20T10:30:15+10:00", - "sha256": "1rfvw560vp2wn3dxdhqn1rk1fgk0ak9lnqm2dqpnsrkl4b8ay9mq", + "rev": "34ad166a830d3ac1541dcce571c52231f2f0865a", + "date": "2020-11-02T21:18:15-05:00", + "sha256": "1jvi1562x3kq65w642vfimpszv65zbc7c2nv8gakhzcx4n3f47xq", "fetchSubmodules": false } diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index d44e62053..eee23ee60 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -8,7 +8,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/green-host.nix> ]; networking.networkmanager.enable = true; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 1bc440a98..507ccd14d 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -8,7 +8,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/power-action.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/green-host.nix> { services.xserver.enable = true; services.xserver.desktopManager.xfce.enable = true; diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix deleted file mode 100644 index 6cccab4b3..000000000 --- a/lass/2configs/green-host.nix +++ /dev/null @@ -1,99 +0,0 @@ -{ config, lib, pkgs, ... }: -with import <stockholm/lib>; - -let - - cname = "green"; - cryfs = pkgs.cryfs.overrideAttrs (old: { - patches = [ - (pkgs.writeText "file_mode.patch" '' - --- a/src/cryfs/filesystem/CryNode.cpp - +++ b/src/cryfs/filesystem/CryNode.cpp - @@ -171,7 +171,7 @@ CryNode::stat_info CryNode::stat() const { - result.uid = fspp::uid_t(getuid()); - result.gid = fspp::gid_t(getgid()); - #endif - - result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag(); - + result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag().addGroupReadFlag().addGroupExecFlag().addOtherReadFlag().addOtherExecFlag();; - result.size = fsblobstore::DirBlob::DIR_LSTAT_SIZE; - //TODO If possible without performance loss, then for a directory, st_nlink should return number of dir entries (including "." and "..") - result.nlink = 1; - '') - ] ++ old.patches; - }); - -in { - imports = [ - <stockholm/lass/2configs/container-networking.nix> - <stockholm/lass/2configs/syncthing.nix> - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}".devices = [ "icarus" "skynet" "littleT" "shodan" ]; - # krebs.permown."/var/lib/sync-containers/${cname}" = { - # owner = "root"; - # group = "syncthing"; - # umask = "0007"; - # }; - - systemd.services."container@green".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt_unicode.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - - mkdir -p /var/lib/containers/${cname}/var/state - chown ${config.services.syncthing.user}: /var/lib/containers/${cname}/var/state - if ! ${pkgs.mount}/bin/mount | grep -q '^cryfs@/var/lib/sync-containers/${cname} on /var/lib/containers/${cname}/var/state '; then - /run/wrappers/bin/sudo -u "${config.services.syncthing.user}" \ - ${cryfs}/bin/cryfs /var/lib/sync-containers/${cname} /var/lib/containers/${cname}/var/state -o allow_other -o default_permissions - fi - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - if ! ping -c1 -q -w5 ${cname}.r && [ -d /var/lib/containers/${cname}/var/src ]; then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - mkdir -p /var/state/var_src - ln -sf state/var_Src /var/src - nixos-rebuild -I /var/src switch - ''} - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - ${cryfs}/bin/cryfs-unmount /var/lib/containers/${cname}/var/state - '') - ]; -} |