diff options
64 files changed, 242 insertions, 887 deletions
@@ -1,6 +1,6 @@ # usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq . -with import ./lib; let + lib = pkgs.lib; pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; }; system = import <nixpkgs/nixos/lib/eval-config.nix> { @@ -16,9 +16,9 @@ let } ; - ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts; + ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts; build = host: owner: - ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build";}); + ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${builtins.getEnv "HOME"}/stockholm-build";}); -in mapAttrs (n: h: build n h.owner.name) ci-systems +in lib.mapAttrs (n: h: build n h.owner.name) ci-systems diff --git a/default.nix b/default.nix index 9368dcd9e..45b4f03f6 100644 --- a/default.nix +++ b/default.nix @@ -1,7 +1,7 @@ import <nixpkgs/nixos> {} // rec { lib = import ./lib; systems = with lib; let - namespace = getEnv "LOGNAME"; + namespace = krebs; systemsDir = <stockholm> + "/${namespace}/1systems"; in genAttrs diff --git a/flake.lock b/flake.lock index b11c289b4..c7b051683 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1760516981, - "narHash": "sha256-4AYTAH7WDL6C6WKktc9UEQRiav6oPzVpKuFWRyYeuTQ=", + "lastModified": 1768927382, + "narHash": "sha256-qdmb8Pm73PADLgO8Q06QfyPbEQS6el9Si+dGQc3TB1I=", "owner": "Mic92", "repo": "buildbot-nix", - "rev": "01dfc9a07c070092e3187be8edbd2243a9e301a5", + "rev": "eb4e904a8dc1aa12a964752e4fd9977c6aead724", "type": "github" }, "original": { @@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", "type": "github" }, "original": { @@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1758022363, - "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", + "lastModified": 1768476106, + "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "1a3667d33e247ad35ca250698d63f49a5453d824", + "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb", "type": "github" }, "original": { @@ -87,7 +87,9 @@ "nix-writers": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1677612737, @@ -105,26 +107,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1677608380, - "narHash": "sha256-k82O23qBAK+43X0KSBjsMYXG2x4kWWXeAmpPTc2KRGY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4aba90e89f6d4ac6138939961f62842bd94ec929", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1768886240, + "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0", "type": "github" }, "original": { @@ -138,7 +125,7 @@ "inputs": { "buildbot-nix": "buildbot-nix", "nix-writers": "nix-writers", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" } }, "treefmt-nix": { @@ -149,11 +136,11 @@ ] }, "locked": { - "lastModified": 1758728421, - "narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=", + "lastModified": 1768158989, + "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1", + "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca", "type": "github" }, "original": { @@ -2,6 +2,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nix-writers.url = "git+https://cgit.krebsco.de/nix-writers"; + nix-writers.inputs.nixpkgs.follows = "nixpkgs"; # disko.url = "github:nix-community/disko"; # disko.inputs.nixpkgs.follows = "nixpkgs"; buildbot-nix.url = "github:Mic92/buildbot-nix"; diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix index 73eda0762..086362938 100644 --- a/kartei/lass/neoprism.nix +++ b/kartei/lass/neoprism.nix @@ -1,5 +1,12 @@ { r6, w6, ... }: -{ +rec { + extraZones = { + "krebsco.de" = '' + p 60 IN A ${nets.internet.ip4.addr} + c 60 IN A ${nets.internet.ip4.addr} + paste 60 IN A ${nets.internet.ip4.addr} + ''; + }; nets = rec { internet = { ip4 = rec { diff --git a/kartei/lass/prism.nix b/kartei/lass/prism.nix index a44e120b2..33c662bc4 100644 --- a/kartei/lass/prism.nix +++ b/kartei/lass/prism.nix @@ -3,9 +3,6 @@ rec { extraZones = { "krebsco.de" = '' cache 60 IN A ${nets.internet.ip4.addr} - p 60 IN A ${nets.internet.ip4.addr} - c 60 IN A ${nets.internet.ip4.addr} - paste 60 IN A ${nets.internet.ip4.addr} prism 60 IN A ${nets.internet.ip4.addr} social 60 IN A ${nets.internet.ip4.addr} ''; diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index 9df79afbf..e92aeec93 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -251,6 +251,8 @@ in { wikisearch IN A ${nets.internet.ip4.addr} work.euer IN A ${nets.internet.ip4.addr} shop.euer IN A ${nets.internet.ip4.addr} + matrix.euer IN A ${nets.internet.ip4.addr} + element.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. nixos.unstable IN CNAME krebscode.github.io. diff --git a/kartei/tv/hosts/fu.nix b/kartei/tv/hosts/fu.nix index f33da59c9..c3f2f9297 100644 --- a/kartei/tv/hosts/fu.nix +++ b/kartei/tv/hosts/fu.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu"; - syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ"; } diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix index c09749302..5841c72d5 100644 --- a/kartei/tv/hosts/leg.nix +++ b/kartei/tv/hosts/leg.nix @@ -23,5 +23,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg"; - syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU"; } diff --git a/kartei/tv/hosts/ne.nix b/kartei/tv/hosts/ne.nix index 584d7c433..1191fcb71 100644 --- a/kartei/tv/hosts/ne.nix +++ b/kartei/tv/hosts/ne.nix @@ -2,8 +2,13 @@ extraZones = { "krebsco.de" = '' @ 60 IN MX 5 ne + @ 60 IN TXT "v=spf1 mx -all" ne 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr} ne 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr} + cgit 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr} + cgit 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr} + cgit.ne 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr} + search.ne 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr} tv 300 IN NS ne ''; }; @@ -11,6 +16,7 @@ internet = { aliases = [ "ne.i" + "cgit.ne.i" ]; ip4 = { addr = "159.195.31.38"; @@ -26,14 +32,26 @@ "ne.m" ]; ip6.addr = "45f:fa21:4bdd:a758:8091:947d:fe84:fac3"; + via = config.krebs.hosts.ne.nets.internet; }; retiolum = { aliases = [ "ne.r" + "cgit.ne.r" + "krebs.ne.r" + "search.ne.r" + "p.ne.r" + "p.tv.r" ]; + ip4.addr = "10.243.113.224"; + via = config.krebs.hosts.ne.nets.internet; }; wiregrill = { ip4.addr = "10.244.3.2"; + via = config.krebs.hosts.ne.nets.internet; + wireguard.subnets = [ + (slib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR + ]; }; }; } diff --git a/kartei/tv/hosts/ni.nix b/kartei/tv/hosts/ni.nix deleted file mode 100644 index 3e3d81c37..000000000 --- a/kartei/tv/hosts/ni.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, lib, slib, ... }: { - extraZones = { - "krebsco.de" = '' - ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - krebsco.de. 60 IN MX 5 ni - krebsco.de. 60 IN TXT "v=spf1 mx -all" - tv 300 IN NS ni - ''; - }; - nets = { - internet = { - ip4 = { - addr = "185.162.251.237"; - }; - ip6 = { - addr = "2a03:4000:1a:cf::1"; - prefixLength = 64; - }; - aliases = [ - "ni.i" - "cgit.ni.i" - ]; - ssh.port = 11423; - }; - retiolum = { - via = config.krebs.hosts.ni.nets.internet; - ip4.addr = "10.243.113.223"; - aliases = [ - "ni.r" - "cgit.ni.r" - "krebs.ni.r" - "search.ni.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12 - bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6 - Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59 - OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im - W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2 - NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY - nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv - lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ - 9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9 - q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF - Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE"; - }; - wiregrill = { - via = config.krebs.hosts.ni.nets.internet; - ip4.addr = "10.244.3.1"; - wireguard.subnets = [ - (slib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR - ]; - }; - }; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb"; -} diff --git a/kartei/tv/hosts/pi.nix b/kartei/tv/hosts/pi.nix index 991bc0086..cfcc71a28 100644 --- a/kartei/tv/hosts/pi.nix +++ b/kartei/tv/hosts/pi.nix @@ -1,4 +1,3 @@ { nets.wiregrill.ip4.addr = "10.244.3.102"; - syncthing.id = "NLR6FLV-2MJQSZ6-4M5QBBB-X2UM225-YGB6IYW-F2EGFV6-D7ZDCWY-27EQAAM"; } diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix index 4d312105f..abbcc08dc 100644 --- a/kartei/tv/hosts/zoppo.nix +++ b/kartei/tv/hosts/zoppo.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo"; - syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ"; } diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 91071ec85..655192077 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -5,6 +5,17 @@ ../../../krebs ../../../krebs/2configs ../../../krebs/2configs/nginx.nix + { + # Cherry-pick services.nginx.recommendedTlsSettings to fix: + # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform + services.nginx.recommendedTlsSettings = lib.mkForce false; + services.nginx.appendHttpConfig = '' + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_prefer_server_ciphers off; + ''; + } ../../../krebs/2configs/binary-cache/nixos.nix ../../../krebs/2configs/ircd.nix diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 8bb14d517..5deeb9923 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -8,6 +8,18 @@ <stockholm/krebs/2configs/nameserver.nix> ]; + #networking.defaultGateway6 = { + # address = "fe80::1"; + # interface = "ens3"; + #}; + #networking.interfaces.ens3.ipv6.addresses = [ + # { + # # old: address = "2a03:4000:13:4c::1"; + # address = "2a03:4000:1a:cf::1"; #/64" + # prefixLength = 64; + # } + #]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedUnicastsOnly = false; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 0c361cc42..8e03e3b52 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -31,7 +31,7 @@ ../../2configs/shack/ssh-keys.nix # drivedroid.shack for shackphone - ../../2configs/shack/drivedroid.nix + #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing) # ../../2configs/shack/nix-cacher.nix # Say if muell will be collected @@ -70,7 +70,7 @@ # ../../2configs/shack/share.nix # mobile.lounge.mpd.shack - ../../2configs/shack/mobile.mpd.nix + #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.) # hass.shack ../../2configs/shack/glados diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 32452e010..c51d3c651 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; }; enable = true; repos = { disko.urls = [ - "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" "http://cgit.orange.r/disko" ]; @@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; }; "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ - "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" "http://cgit.orange.r/stockholm" ]; diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index a797673c9..937a20c29 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -17,8 +17,8 @@ }; hardware.opengl.extraPackages = [ - pkgs.vaapiIntel - pkgs.vaapiVdpau + pkgs.intel-vaapi-driver + pkgs.libva-vdpau-driver ]; services.xserver = { diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index fb22dc6f9..c61b5c1b1 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -70,10 +70,6 @@ in { address: ${config.krebs.hosts.ne.nets.internet.ip4.addr} key: krebs_transfer_notify_key - - id: krebscode_ni - address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} - key: krebs_transfer_notify_key - acl: - id: acme_acl key: acme @@ -124,7 +120,6 @@ in { notify: henet_ns1 notify: hostingde_ns1 notify: krebscode_ne - notify: krebscode_ni acl: transfer_to_henet_secondary acl: transfer_to_hostingde_secondary acl: transfer_to_krebscode_secondary @@ -146,10 +141,14 @@ in { ''; }; + #krebs.systemd.services.knot.restartIfCredentialsChange = true; systemd.services."knsupdate-krebsco.de" = { serviceConfig = { Type = "oneshot"; SyslogIdentifier = "knsupdate-krebsco.de"; + #LoadCredential = [ + # "keys.conf:/var/src/secrets/knot-keys.conf" + #]; ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' set -efu @@ -170,8 +169,8 @@ in { echo server krebsco.de. echo zone krebsco.de. echo origin krebsco.de. - echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data - echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _25._tcp.ne 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ne 60 IN TLSA 3 0 1 $certificate_association_data echo show echo send echo answer diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index e7d348d50..600f7cd6d 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -235,20 +235,20 @@ let env.TASKDATA = "${stateDir}/${name}"; commands = rec { add.filename = pkgs.writers.writeDash "${name}-task-add" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1" ''; list.filename = pkgs.writers.writeDash "${name}-task-list" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \ + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \ | ${pkgs.jq}/bin/jq -r ' .[] | select(.id != 0) | "\(.id) \(.description)" ' ''; delete.filename = pkgs.writers.writeDash "${name}-task-delete" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1" ''; del = delete; done.filename = pkgs.writers.writeDash "${name}-task-done" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1" ''; }; }; @@ -456,7 +456,7 @@ in { printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' - TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export + TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export exit ;; esac d |