diff options
101 files changed, 2468 insertions, 1716 deletions
diff --git a/.gitmodules b/.gitmodules index 5825f86da..4779748c8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,6 @@ [submodule "lass/5pkgs/autowifi"] path = lass/5pkgs/autowifi url = https://github.com/Lassulus/autowifi +[submodule "submodules/disko"] + path = submodules/disko + url = https://github.com/nix-community/disko diff --git a/doc/Commit_Messages_Guideline.md b/doc/Commit_Messages_Guideline.md index e704ee575..63d479cf7 100644 --- a/doc/Commit_Messages_Guideline.md +++ b/doc/Commit_Messages_Guideline.md @@ -21,11 +21,11 @@ rather fuzzy and may mean different things, just choose what would fit best. Here are a numbers of samples for defining the component: -* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum.r: change ip` +* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum: change ip` * Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO` * Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>` * Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type` -* Change host `gum` in `makefu/1systems/gum`: `ma gum.r: add taskserver` +* Change host `gum` in `makefu/1systems/gum`: `ma gum: add taskserver` * Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy` ## `<rationale>` diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index e5626d923..7419ba13f 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -15,7 +15,6 @@ with import ../../lib; "test-all-krebs-modules" ] (name: { inherit name; - cores = 1; nets = { retiolum = { ip4.addr = "10.243.73.57"; @@ -36,7 +35,6 @@ in { hosts = mapAttrs hostDefaults ({ filebitch = { ci = true; - cores = 4; nets = { shack = { ip4 = { @@ -134,7 +132,6 @@ in { ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo "; }; onebutton = { - cores = 1; nets = { retiolum = { ip4.addr = "10.243.0.101"; @@ -163,7 +160,6 @@ in { ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe "; }; ponte = { - cores = 1; owner = config.krebs.users.krebs; extraZones = { "krebsco.de" = /* bindzone */ '' @@ -212,7 +208,6 @@ in { }; puyak = { ci = true; - cores = 4; nets = { retiolum = { ip4.addr = "10.243.77.2"; diff --git a/kartei/lass/blue.nix b/kartei/lass/blue.nix new file mode 100644 index 000000000..ddec9553d --- /dev/null +++ b/kartei/lass/blue.nix @@ -0,0 +1,40 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.77"; + ip6.addr = r6 "b1ce"; + aliases = [ + "blue.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd + QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc + sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM + wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu + PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ + RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ + HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm + khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP + 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N + w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 + ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J + Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "vf3JzuLpEkjcwZtuJ/0M9Zjfp5ChKXvkORMXsZ4nJKL"; + }; + }; + wiregrill = { + ip6.addr = w6 "b1ce"; + aliases = [ + "blue.w" + ]; + wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U="; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; + syncthing.id = "J2LMIPD-PBEPVKL-A3MN6NQ-KL6DZ4N-K4GGWZB-E2EPLFN-PDLVAOC-DCSZHAD"; +} diff --git a/kartei/lass/coaxmetal.nix b/kartei/lass/coaxmetal.nix new file mode 100644 index 000000000..d32f279fe --- /dev/null +++ b/kartei/lass/coaxmetal.nix @@ -0,0 +1,42 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.17"; + ip6.addr = r6 "17"; + aliases = [ + "coaxmetal.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA + xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK + gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU + WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek + ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32 + G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F + G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO + IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX + K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE + 7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly + bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo + l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "bEGgA5Wupw+Dgh6Ub7V21Y3wOmyspW1rKGrZsVhi3cO"; + }; + }; + wiregrill = { + ip6.addr = w6 "17"; + aliases = [ + "coaxmetal.w" + ]; + wireguard.pubkey = '' + lkjR14oOVKl03/0sUzOmddf28ps+v5qRxrbRY03Pg38= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9vAYuTv07c9bOjDJId3ShXJ1qIEuyrjkVYkJn9yMET "; + syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ"; +} diff --git a/kartei/lass/daedalus.nix b/kartei/lass/daedalus.nix new file mode 100644 index 000000000..891cbd293 --- /dev/null +++ b/kartei/lass/daedalus.nix @@ -0,0 +1,33 @@ +{ r6, w6, ... }: +{ + nets = rec { + retiolum = { + ip4.addr = "10.243.133.115"; + ip6.addr = r6 "daed"; + aliases = [ + "daedalus.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8 + 5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+ + qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8 + ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR + arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w + 3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "ybmNcRLtZ0NxlxIRE3bdc2G4lLXtTGXu+iRaXMTKCNG"; + }; + }; + wiregrill = { + ip6.addr = w6 "daed"; + aliases = [ + "daedalus.w" + ]; + wireguard.pubkey = "ZVTTWbJfe8Oq6E6QW1qgXU91FnkuKDGJO3MF3I3gDFI="; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5Ovdcsljr5dOl7+2sQNKpGpdX0SlOIuCZKEiWEp8g"; +} diff --git a/kartei/lass/default.nix b/kartei/lass/default.nix index e17e000dd..de776fca0 100644 --- a/kartei/lass/default.nix +++ b/kartei/lass/default.nix @@ -3,6 +3,12 @@ with import ../../lib; r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; + hostFiles = + builtins.map (lib.removeSuffix ".nix") ( + builtins.filter + (x: lib.hasSuffix ".nix" x && x != "default.nix") + (lib.attrNames (builtins.readDir ./.)) + ); in { dns.providers = { @@ -13,895 +19,10 @@ in { consul = true; ci = true; monitoring = true; - }) { - dishfire = { - cores = 4; - nets = rec { - internet = { - ip4 = rec { - addr = "157.90.232.92"; - prefix = "${addr}/32"; - }; - aliases = [ - "dishfire.i" - ]; - ssh.port = 45621; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.133.99"; - ip6.addr = r6 "d15f:1233"; - aliases = [ - "dishfire.r" - "grafana.lass.r" - "prometheus.lass.r" - "alert.lass.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs - Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 - uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK - R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd - vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U - HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO"; - }; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; - }; - prism = rec { - cores = 4; - extraZones = { - "krebsco.de" = '' - cache 60 IN A ${nets.internet.ip4.addr} - p 60 IN A ${nets.internet.ip4.addr} - c 60 IN A ${nets.internet.ip4.addr} - paste 60 IN A ${nets.internet.ip4.addr} - prism 60 IN A ${nets.internet.ip4.addr} - social 60 IN A ${nets.internet.ip4.addr} - ''; - "lassul.us" = '' - $TTL 3600 - @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300) - 60 IN NS ns16.ovh.net. - 60 IN NS dns16.ovh.net. - 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} - IN MX 5 mail.lassul.us. - 60 IN TXT "v=spf1 mx -all" - 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) - default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" - cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - io 60 IN NS ions.lassul.us. - ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - confusion 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - ''; - }; - nets = rec { - internet = { - ip4 = { - addr = "95.216.1.150"; - prefix = "0.0.0.0/0"; - }; - ip6 = { - addr = "2a01:4f9:2a:1e9::1"; - prefix = "2a01:4f9:2a:1e9::/64"; - }; - aliases = [ - "prism.i" - "paste.i" - ]; - ssh.port = 45621; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.0.103"; - ip6.addr = r6 "1"; - aliases = [ - "prism.r" - "cache.prism.r" - "cgit.prism.r" - "bota.r" - "flix.r" - "jelly.r" - "paste.r" - "c.r" - "p.r" - "search.r" - "radio-news.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje - fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo - rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z - ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB - wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio - /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA - BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C - 9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5 - Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu - 3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH - TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb - g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ - kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg - 7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo - 7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz - cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451 - k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0 - dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu - ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i - jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/ - AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE - T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "XbBBPg+dtZM1LRN46VAujVKIC6VSo6nFoHo/1unbggO"; - }; - }; - wiregrill = { - via = internet; - ip4.addr = "10.244.1.103"; - ip6.addr = w6 "1"; - aliases = [ - "prism.w" - ]; - wireguard = { - pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk="; - subnets = [ - (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR - (krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR - "10.244.1.0/24" - ]; - }; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; - syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU"; - }; - mors = { - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.0.2"; - ip6.addr = r6 "dea7"; - aliases = [ - "mors.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE - H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R - +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ - 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa - 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU - O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "kuh0cP/HjGOQ+NafR3zjmqp+RAnA59F4CgtzENj9/MM"; - }; - }; - wiregrill = { - ip6.addr = w6 "dea7"; - aliases = [ - "mors.w" - ]; - wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD"; - syncthing.id = "ZPRS57K-YK32ROQ-7A6MRAV-VOYXQ3I-CQCXISZ-C5PCV2A-GSFLG3I-K7UGGAH"; - }; - shodan = { - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.0.4"; - ip6.addr = r6 "50da"; - aliases = [ - "shodan.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT - YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7 - ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF - 7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4 - xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ - V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "Ptc5VuYkRd5+zHibZwNe3DEgGHHvAk0Ul00dW1YXsrC"; - }; - }; - wiregrill = { - ip6.addr = w6 "50da"; - ip4.addr = "10.244.1.4"; - aliases = [ - "shodan.w" - ]; - wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C"; - syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6"; - }; - icarus = { - cores = 2; - nets = rec { - retiolum = { - ip4.addr = "10.243.133.114"; - ip6.addr = r6 "1205"; - aliases = [ - "icarus.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr - Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK - 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t - k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7 - zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt - gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "vUc/ynOlNqB7a+sr0BmfdRv0dATtGZTjsU2qL2yGInK"; - }; - }; - wiregrill = { - ip6.addr = w6 "1205"; - aliases = [ - "icarus.w" - ]; - wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj"; - syncthing.id = "7V75LMM-MIFCAIZ-TAWR3AI-OXONVZR-TEW4GBK-URKPPN4-PQFG653-LGHPDQ4"; - }; - daedalus = { - cores = 2; - nets = rec { - retiolum = { - ip4.addr = "10.243.133.115"; - ip6.addr = r6 "daed"; - aliases = [ - "daedalus.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8 - 5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+ - qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8 - ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR - arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w - 3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "ybmNcRLtZ0NxlxIRE3bdc2G4lLXtTGXu+iRaXMTKCNG"; - }; - }; - wiregrill = { - ip6.addr = w6 "daed"; - aliases = [ - "daedalus.w" - ]; - wireguard.pubkey = "ZVTTWbJfe8Oq6E6QW1qgXU91FnkuKDGJO3MF3I3gDFI="; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5Ovdcsljr5dOl7+2sQNKpGpdX0SlOIuCZKEiWEp8g"; - }; - skynet = { - cores = 2; - nets = rec { - retiolum = { - ip4.addr = "10.243.133.116"; - ip6.addr = r6 "5ce7"; - aliases = [ - "skynet.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX - Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B - p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0 - yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da - NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb - mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "9s7eB16k7eAtHyneffTCmYR7s3mRpJqpVVjSPGaVKKN"; - }; - }; - wiregrill = { - ip6.addr = w6 "5ce7"; - aliases = [ - "skynet.w" - ]; - wireguard.pubkey = "pt9a6nP+YPqxnSskcM9NqRmAmFzbO5bE7wzViFFonnU="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t"; - syncthing.id = "KWGPAHH-H53Y2WL-SDAUVQE-7PMYRVP-6Q2INYB-FL535EO-HIE7425-ZCNP7A3"; - }; - littleT = { - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.133.77"; - ip6.addr = r6 "771e"; - aliases = [ - "littleT.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF - /m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY - 1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO - ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G - sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR - M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/ - Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT - +cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY - xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c - aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm - 7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v - k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B - idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ - y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D - SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i - mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH - PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB - ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5 - Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS - 8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt - NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW - 5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "rDnc4Ha+M6fyN5JU4lkV9NKfMBtIHOcG4/AUB9KodiP"; - }; - }; - wiregrill = { - ip6.addr = w6 "771e"; - aliases = [ - "littleT.w" - ]; - wireguard.pubkey = "VfSTPO1XGqLqujAGCov1yA0WxyRXJndZCW5XYkScNXg="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; - syncthing.id = "PCDXICO-GMGWKSB-V6CYF3I-LQMZSGV-B7YBJXA-DVO7KXN-TFCSQXW-XY6WNQD"; - }; - xerxes = { - cores = 2; - consul = false; - nets = rec { - retiolum = { - ip4.addr = "10.243.1.3"; - ip6.addr = r6 "3"; - aliases = [ - "xerxes.r" - ]; - tinc = { - pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U - MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk - gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W - /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb - mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO - X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj - +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim - hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 - 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 - H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 - JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 - hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe - SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo - 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe - vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 - Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO - scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv - jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ - Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u - /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 - bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ - sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK"; - }; - }; - wiregrill = { - ip6.addr = w6 "3"; - aliases = [ - "xerxes.w" - ]; - wireguard.pubkey = "UTm8B8YUVvBGqwwxAUMVFsVQFQGQ6jbcXAavZ8LxYT8="; - }; - }; - secure = true; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; - syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM"; - }; - yellow = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.14"; - ip6.addr = r6 "3110"; - aliases = [ - "yellow.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP - MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY - b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU - Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd - OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP - vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6 - C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp - Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU - 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg - zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p - DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ - Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "qZBhDSW6ir1/w6lOngg2feCZj9W9AfifEMlKXcOb5QE"; - }; - }; - wiregrill = { - ip6.addr = w6 "3110"; - aliases = [ - "yellow.w" - ]; - wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU="; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje "; - }; - blue = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.77"; - ip6.addr = r6 "b1ce"; - aliases = [ - "blue.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd - QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc - sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM - wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu - PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ - RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ - HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm - khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP - 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N - w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 - ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J - Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "vf3JzuLpEkjcwZtuJ/0M9Zjfp5ChKXvkORMXsZ4nJKL"; - }; - }; - wiregrill = { - ip6.addr = w6 "b1ce"; - aliases = [ - "blue.w" - ]; - wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U="; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; - syncthing.id = "J2LMIPD-PBEPVKL-A3MN6NQ-KL6DZ4N-K4GGWZB-E2EPLFN-PDLVAOC-DCSZHAD"; - }; - - green = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.66"; - ip6.addr = r6 "12ee"; - aliases = [ - "green.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk - uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx - ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477 - n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI - hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6 - m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6 - BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1 - pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy - 2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk - UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA - udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT - 3MVh92sFyMVYkJcL7SISk80CAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "WfH8ULtWklOFK6htphdSSL46vHn6TkJIhsvK9fK+4+C"; - }; - }; - wiregrill = { - ip6.addr = w6 "12ee"; - aliases = [ - "green.w" - ]; - wireguard.pubkey = "lOORkStNJ6iP5ffqjHa/kWOxilJIMW4E6BEtNvNhLGk="; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0wqzo7rMkyw6gqTGuUp8aUA0vtwj0HuuaTIkkOnA30 "; - syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM"; - }; - - massulus = { - cores = 1; - ci = false; - nets = { - retiolum = { - ip4.addr = "10.243.0.113"; - ip6.addr = r6 "113"; - aliases = [ - "massulus.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt - ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN - ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K - zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3 - F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e - v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd - kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF - LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW - EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb - KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl - oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00 - yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM"; - port = 1655; - }; - }; - wiregrill = { - ip6.addr = w6 "113"; - aliases = [ - "massulus.w" - ]; - wireguard.pubkey = '' - 4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 "; - }; - - phone = { - consul = false; - nets = { - wiregrill = { - ip4.addr = "10.244.1.13"; - ip6.addr = w6 "a"; - aliases = [ - "phone.w" - ]; - wireguard.pubkey = "FY4PB8E/RC2JvtLgq/IDyMmZ9Ln6pz6eGyoytmUFMgk="; - }; - }; - external = true; - ci = false; - syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; - }; - tablet = { - consul = false; - nets = { - wiregrill = { - ip4.addr = "10.244.1.14"; - ip6.addr = w6 "b"; - aliases = [ - "tablet.w" - ]; - wireguard.pubkey = "eIafsxYEFCqmWNFon6ZsYXeDrK4X1UJ9KD0zmNZjgEI="; - }; - }; - external = true; - ci = false; - }; - hilum = { - consul = false; - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.20.123"; - ip6.addr = r6 "005b"; - aliases = [ - "hilum.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb - pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi - V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c - SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh - 4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE - saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz - vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY - 8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ - wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3 - RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh - Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl - 87b8jfJNXlKFW+EBxBxN2uECAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "9D50r3DmftSe2L++jPktQRbcCrE4sEazMewgbQbodRH"; - }; - }; - wiregrill = { - ip6.addr = w6 "005b"; - aliases = [ - "hilum.w" - ]; - wireguard.pubkey = '' - 0DRcCDR0O+UqV07DsGfS4On+6YaZ3LPfvni9u1NZNhw= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPARXXe0HaP1r0pLqtInhnbYSZsP0g4VC6aaWP7qi5+w"; - syncthing.id = "J6PHKTS-2JG5NOL-H5ZWOF6-6L6ENA7-L4RO6DV-BQHU7YL-CHOLDCC-S5YX3AC"; - }; - styx = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.11.1"; - ip6.addr = r6 "111"; - aliases = [ - "styx.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn - ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU - aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE - 3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi - 6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq - m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn - Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt - EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/ - 7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao - Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2 - 6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF - wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "yVT5nQstw+o5P0ZoBK81G7sL6nQEBwg42wyBn6ogZgK"; - }; - }; - wiregrill = { - ip6.addr = w6 "111"; - aliases = [ - "styx.w" - ]; - wireguard.pubkey = '' - 0BZfd8f0pZMRfyoHrdYZY0cR5zfFvJcS8gQLn6xGuFs= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU "; - syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN"; - }; - - coaxmetal = { - cores = 16; - nets = { - retiolum = { - ip4.addr = "10.243.0.17"; - ip6.addr = r6 "17"; - aliases = [ - "coaxmetal.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA - xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK - gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU - WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek - ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32 - G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F - G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO - IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX - K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE - 7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly - bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo - l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "bEGgA5Wupw+Dgh6Ub7V21Y3wOmyspW1rKGrZsVhi3cO"; - }; - }; - wiregrill = { - ip6.addr = w6 "17"; - aliases = [ - "coaxmetal.w" - ]; - wireguard.pubkey = '' - lkjR14oOVKl03/0sUzOmddf28ps+v5qRxrbRY03Pg38= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9vAYuTv07c9bOjDJId3ShXJ1qIEuyrjkVYkJn9yMET "; - syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ"; - }; - - echelon = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.3"; - ip6.addr = r6 "4"; - aliases = [ - "echelon.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp - 1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A - MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe - UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V - rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez - gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO - c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna - dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze - ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D - KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq - GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr - 43jjLL40ONdFxX7qW/DhT9MCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB"; - }; - }; - wiregrill = { - ip6.addr = w6 "3"; - aliases = [ - "echelon.w" - ]; - wireguard.pubkey = '' - SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd "; - syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ"; - }; - - lasspi = { - consul = false; - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.1.89"; - ip6.addr = r6 "189"; - aliases = [ - "lasspi.r" - ]; - tinc = { - pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1 - JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F - CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl - oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P - Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS - BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC - VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8 - +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs - QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP - zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP - 6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc - 287nChBcbY+HlshTe0lZdrkCAwEAAQ== - -----END PUBLIC KEY----- - ''; - pubkey_ed25519 = "vSCHU+/BkoCo6lL5OmikALKBWgkRY8JRo4q8ZZRd5EG"; - }; - }; - wiregrill = { - ip6.addr = w6 "189"; - aliases = [ - "lasspi.w" - ]; - wireguard.pubkey = '' - IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw= - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB"; - }; - - domsen-pixel = { - consul = false; - nets = { - wiregrill = { - ip4.addr = "10.244.1.17"; - ip6.addr = w6 "d0"; - aliases = [ - "domsen-pixel.w" - ]; - wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY="; - }; - }; - external = true; - ci = false; - }; - - }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + }) ( + lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") { inherit config krebs lib r6 w6; }) + ); users = rec { lass = lass-yubikey; lass-yubikey = { @@ -917,6 +38,10 @@ in { mail = "lass@green.r"; pubkey = builtins.readFile ./ssh/green.ed25519; }; + lass-red = { + mail = "lass@red.r"; + pubkey = builtins.readFile ./ssh/red.ed25519; + }; lass-mors = { mail = "lass@mors.r"; pubkey = builtins.readFile ./ssh/mors.rsa; diff --git a/kartei/lass/dishfire.nix b/kartei/lass/dishfire.nix new file mode 100644 index 000000000..548320584 --- /dev/null +++ b/kartei/lass/dishfire.nix @@ -0,0 +1,40 @@ +{ r6, w6, ... }: +{ + nets = rec { + internet = { + ip4 = rec { + addr = "157.90.232.92"; + prefix = "${addr}/32"; + }; + aliases = [ + "dishfire.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.133.99"; + ip6.addr = r6 "d15f:1233"; + aliases = [ + "dishfire.r" + "grafana.lass.r" + "prometheus.lass.r" + "alert.lass.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs + Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 + uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK + R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd + vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U + HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO"; + }; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; +} diff --git a/kartei/lass/domsen-pixel.nix b/kartei/lass/domsen-pixel.nix new file mode 100644 index 000000000..66785f8bd --- /dev/null +++ b/kartei/lass/domsen-pixel.nix @@ -0,0 +1,16 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = { + wiregrill = { + ip4.addr = "10.244.1.17"; + ip6.addr = w6 "d0"; + aliases = [ + "domsen-pixel.w" + ]; + wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY="; + }; + }; + external = true; + ci = false; +} diff --git a/kartei/lass/echelon.nix b/kartei/lass/echelon.nix new file mode 100644 index 000000000..d66033ba4 --- /dev/null +++ b/kartei/lass/echelon.nix @@ -0,0 +1,42 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.3"; + ip6.addr = r6 "4"; + aliases = [ + "echelon.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp + 1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A + MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe + UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V + rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez + gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO + c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna + dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze + ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D + KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq + GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr + 43jjLL40ONdFxX7qW/DhT9MCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB"; + }; + }; + wiregrill = { + ip6.addr = w6 "3"; + aliases = [ + "echelon.w" + ]; + wireguard.pubkey = '' + SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd "; + syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ"; +} diff --git a/kartei/lass/green.nix b/kartei/lass/green.nix new file mode 100644 index 000000000..1c5d0aead --- /dev/null +++ b/kartei/lass/green.nix @@ -0,0 +1,40 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.66"; + ip6.addr = r6 "12ee"; + aliases = [ + "green.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk + uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx + ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477 + n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI + hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6 + m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6 + BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1 + pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy + 2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk + UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA + udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT + 3MVh92sFyMVYkJcL7SISk80CAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "WfH8ULtWklOFK6htphdSSL46vHn6TkJIhsvK9fK+4+C"; + }; + }; + wiregrill = { + ip6.addr = w6 "12ee"; + aliases = [ + "green.w" + ]; + wireguard.pubkey = "lOORkStNJ6iP5ffqjHa/kWOxilJIMW4E6BEtNvNhLGk="; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0wqzo7rMkyw6gqTGuUp8aUA0vtwj0HuuaTIkkOnA30 "; + syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM"; +} diff --git a/kartei/lass/hilum.nix b/kartei/lass/hilum.nix new file mode 100644 index 000000000..27fd0620a --- /dev/null +++ b/kartei/lass/hilum.nix @@ -0,0 +1,43 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = { + retiolum = { + ip4.addr = "10.243.20.123"; + ip6.addr = r6 "005b"; + aliases = [ + "hilum.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb + pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi + V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c + SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh + 4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE + saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz + vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY + 8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ + wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3 + RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh + Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl + 87b8jfJNXlKFW+EBxBxN2uECAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "9D50r3DmftSe2L++jPktQRbcCrE4sEazMewgbQbodRH"; + }; + }; + wiregrill = { + ip6.addr = w6 "005b"; + aliases = [ + "hilum.w" + ]; + wireguard.pubkey = '' + 0DRcCDR0O+UqV07DsGfS4On+6YaZ3LPfvni9u1NZNhw= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPARXXe0HaP1r0pLqtInhnbYSZsP0g4VC6aaWP7qi5+w"; + syncthing.id = "J6PHKTS-2JG5NOL-H5ZWOF6-6L6ENA7-L4RO6DV-BQHU7YL-CHOLDCC-S5YX3AC"; +} diff --git a/kartei/lass/icarus.nix b/kartei/lass/icarus.nix new file mode 100644 index 000000000..c19d4e15c --- /dev/null +++ b/kartei/lass/icarus.nix @@ -0,0 +1,35 @@ +{ r6, w6, ... }: +{ + nets = rec { + retiolum = { + ip4.addr = "10.243.133.114"; + ip6.addr = r6 "1205"; + aliases = [ + "icarus.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr + Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK + 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t + k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7 + zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt + gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "vUc/ynOlNqB7a+sr0BmfdRv0dATtGZTjsU2qL2yGInK"; + }; + }; + wiregrill = { + ip6.addr = w6 "1205"; + aliases = [ + "icarus.w" + ]; + wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj"; + syncthing.id = "7V75LMM-MIFCAIZ-TAWR3AI-OXONVZR-TEW4GBK-URKPPN4-PQFG653-LGHPDQ4"; +} diff --git a/kartei/lass/lasspi.nix b/kartei/lass/lasspi.nix new file mode 100644 index 000000000..aab44bc5e --- /dev/null +++ b/kartei/lass/lasspi.nix @@ -0,0 +1,42 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = { + retiolum = { + ip4.addr = "10.243.1.89"; + ip6.addr = r6 "189"; + aliases = [ + "lasspi.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1 + JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F + CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl + oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P + Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS + BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC + VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8 + +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs + QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP + zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP + 6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc + 287nChBcbY+HlshTe0lZdrkCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "vSCHU+/BkoCo6lL5OmikALKBWgkRY8JRo4q8ZZRd5EG"; + }; + }; + wiregrill = { + ip6.addr = w6 "189"; + aliases = [ + "lasspi.w" + ]; + wireguard.pubkey = '' + IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB"; +} diff --git a/kartei/lass/littleT.nix b/kartei/lass/littleT.nix new file mode 100644 index 000000000..297d2dc62 --- /dev/null +++ b/kartei/lass/littleT.nix @@ -0,0 +1,51 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.133.77"; + ip6.addr = r6 "771e"; + aliases = [ + "littleT.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF + /m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY + 1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO + ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G + sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR + M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/ + Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT + +cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY + xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c + aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm + 7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v + k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B + idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ + y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D + SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i + mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH + PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB + ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5 + Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS + 8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt + NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW + 5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "rDnc4Ha+M6fyN5JU4lkV9NKfMBtIHOcG4/AUB9KodiP"; + }; + }; + wiregrill = { + ip6.addr = w6 "771e"; + aliases = [ + "littleT.w" + ]; + wireguard.pubkey = "VfSTPO1XGqLqujAGCov1yA0WxyRXJndZCW5XYkScNXg="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; + syncthing.id = "PCDXICO-GMGWKSB-V6CYF3I-LQMZSGV-B7YBJXA-DVO7KXN-TFCSQXW-XY6WNQD"; +} diff --git a/kartei/lass/massulus.nix b/kartei/lass/massulus.nix new file mode 100644 index 000000000..6876e02b9 --- /dev/null +++ b/kartei/lass/massulus.nix @@ -0,0 +1,44 @@ +{ r6, w6, ... }: +{ + ci = false; + nets = { + retiolum = { + ip4.addr = "10.243.0.113"; + ip6.addr = r6 "113"; + aliases = [ + "massulus.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt + ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN + ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K + zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3 + F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e + v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd + kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF + LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW + EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb + KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl + oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00 + yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM"; + port = 1655; + }; + }; + wiregrill = { + ip6.addr = w6 "113"; + aliases = [ + "massulus.w" + ]; + wireguard.pubkey = '' + 4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 "; + syncthing.id = "R2EGJ5S-PQMETUP-C2UGXQG-A6VP7TB-NGSN3MV-C7OGSWT-SZ34L3X-H6IF6AQ"; +} diff --git a/kartei/lass/mors.nix b/kartei/lass/mors.nix new file mode 100644 index 000000000..c483fe5a3 --- /dev/null +++ b/kartei/lass/mors.nix @@ -0,0 +1,35 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.2"; + ip6.addr = r6 "dea7"; + aliases = [ + "mors.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE + H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R + +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ + 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa + 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU + O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "kuh0cP/HjGOQ+NafR3zjmqp+RAnA59F4CgtzENj9/MM"; + }; + }; + wiregrill = { + ip6.addr = w6 "dea7"; + aliases = [ + "mors.w" + ]; + wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD"; + syncthing.id = "ZPRS57K-YK32ROQ-7A6MRAV-VOYXQ3I-CQCXISZ-C5PCV2A-GSFLG3I-K7UGGAH"; +} diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix new file mode 100644 index 000000000..74b8aca3c --- /dev/null +++ b/kartei/lass/neoprism.nix @@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.99"; + ip6.addr = r6 "99"; + aliases = [ + "neoprism.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAwQiPQT9XQkeAIMohNhIVH1Er73LS36JQu/bokNSAlgRjiHfmWVQw + hpmI0hO5ewI/HSxVH8MqITTjj8fp5+TOY5rxb3qj9SKGmoDpENw7g7BJsrpydu8+ + hdvC4btCibAeTeaNqubPMoJLnwuh7NJ9ucYAcRU24FI6qR/Q973a3rzWYBfPd4w9 + +Lq3ltFE4m6eLiL4ruQGR9Fc4HOJshJlUDUovGIC/98Fu468OuCaka4fR/IXD13O + khc5LfAzm2PLuD25YZRjw27Pv3txYOWzb9ZfI8BS+7WUg1nKPDVZErvj97OouqVH + binDgKLdLsamJgi+BrZs9uoxmXK9b459B3J6z4/d8dXTAW/cczqsODzsJnvw8IEE + u45Pm3sY49vmnNsVhDEIPad3ZDitgeWW6UVBR+EJHp+r1TZ8eLaeUTdV6x3zIrHv + dkobgI/0ynujSeMVzXA8cRDuLLVz0CwvNQ9FWzciZw4prOPjUDeSaOlIISOD4q8O + u/jRfaIzPuQNyQN/0B9gUacHOGkQ3sZ33gFt1j6YdfjWnHn2Ddxm99nXfYUo82oC + tEMui/7Vtj5G9dqDCzEacECvKqNVY2MRq5gpX+X5IwSbNc/vmykqhuDB5fzZWXRD + AmRfNCsuFCw3EehPWkdH9JJxysBa52sAB387CL44bJ2rfRglTAKZYNUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "/k2/hpq3XdSKfPPSAolfIx/AUgtKNF6kgv+WRTKtMqG"; + }; + wiregrill = { + ip6.addr = w6 "99"; + aliases = [ + "neoprism.w" + ]; + wireguard.pubkey = '' + lhMJvEZOREjCSS3BbBxel0dJ3Mxjj0m82sUXqyYlUx0= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEljpF/rqA2o9CcZny8Kdg1Ij9JmHsmuS/ii+HS5T7rW "; +} diff --git a/kartei/lass/phone.nix b/kartei/lass/phone.nix new file mode 100644 index 000000000..e4e0f58c1 --- /dev/null +++ b/kartei/lass/phone.nix @@ -0,0 +1,17 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = { + wiregrill = { + ip4.addr = "10.244.1.13"; + ip6.addr = w6 "a"; + aliases = [ + "phone.w" + ]; + wireguard.pubkey = "FY4PB8E/RC2JvtLgq/IDyMmZ9Ln6pz6eGyoytmUFMgk="; + }; + }; + external = true; + ci = false; + syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; +} diff --git a/kartei/lass/prism.nix b/kartei/lass/prism.nix new file mode 100644 index 000000000..cfc05b636 --- /dev/null +++ b/kartei/lass/prism.nix @@ -0,0 +1,123 @@ +{ config, krebs, r6, w6, ... }: +rec { + extraZones = { + "krebsco.de" = '' + cache 60 IN A ${nets.internet.ip4.addr} + p 60 IN A ${nets.internet.ip4.addr} + c 60 IN A ${nets.internet.ip4.addr} + paste 60 IN A ${nets.internet.ip4.addr} + prism 60 IN A ${nets.internet.ip4.addr} + social 60 IN A ${nets.internet.ip4.addr} + ''; + "lassul.us" = '' + $TTL 3600 + @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300) + 60 IN NS ns16.ovh.net. + 60 IN NS dns16.ovh.net. + 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} + IN MX 5 mail.lassul.us. + 60 IN TXT "v=spf1 mx -all" + 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) + default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" + cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + cgit CNAME ${config.krebs.hosts.prism.nets.internet.ip4.addr} + pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + io 60 IN NS ions.lassul.us. + ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + mail 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} + flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + ''; + }; + nets = rec { + internet = { + ip4 = { + addr = "95.216.1.150"; + prefix = "0.0.0.0/0"; + }; + ip6 = { + addr = "2a01:4f9:2a:1e9::1"; + prefix = "2a01:4f9:2a:1e9::/64"; + }; + aliases = [ + "prism.i" + "paste.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.0.103"; + ip6.addr = r6 "1"; + aliases = [ + "prism.r" + "cache.prism.r" + "cgit.prism.r" + "bota.r" + "flix.r" + "paste.r" + "c.r" + "p.r" + "search.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje + fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo + rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z + ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB + wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio + /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA + BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C + 9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5 + Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu + 3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH + TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb + g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ + kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg + 7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo + 7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz + cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451 + k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0 + dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu + ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i + jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/ + AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE + T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "XbBBPg+dtZM1LRN46VAujVKIC6VSo6nFoHo/1unbggO"; + }; + }; + wiregrill = { + via = internet; + ip4.addr = "10.244.1.103"; + ip6.addr = w6 "1"; + aliases = [ + "prism.w" + ]; + wireguard = { + pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk="; + subnets = [ + (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR + (krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR + "10.244.1.0/24" + ]; + }; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; + syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU"; +} diff --git a/kartei/lass/radio.nix b/kartei/lass/radio.nix new file mode 100644 index 000000000..808245312 --- /dev/null +++ b/kartei/lass/radio.nix @@ -0,0 +1,40 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.11"; + ip6.addr = r6 "4d10"; + aliases = [ + "radio.r" + "radio-news.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAx08urv4sl22+pLchD6W6kprJ1JZBiG9/MVA50PqYAJmvTpYyDUCR + Dwgt7pR8n/zbbof98QS5D67J5rZPcrLI6PY2bBzlXFFKHZEj2AVwUjUbyvEvQqtf + yJM+AxFy1/CaXmDvYM9UF/Wh6rb/ZeUxFtbaIVfMPox0Zln0THEsOmCWvNzxMvjZ + rjouZGzrH+er3yxJVovxD/JT32COmK0R20DLDoofBdtBkFlB/VkrbxYfX/cWXX1K + WQVJuQ/H1xP9m4c4S8g/nM63rLUBOIkn06TcXyI/mEgRecEUDgC02PNXc5BDgB4A + seXx+BiLC/f6+64KOWODHEEm/iHjCyrOSZtdA2EbPCATfOHrj0EG5Y4V6d1Iw4WP + kiOIQByHMbOzRwm91yd/gM1DTxdy3j5nqaMhCzrM/QeOhSf5FXkWpARawUsChwh+ + eCuSZDg218u/NkzCrTvCPTdY1q+MZ5d5qgID4VQrenjBJq4AZxsw74Zd2G2uRWlF + paZ2pSCyAey19A/or2iG10tqNpXJzZy0HNhh7q/gKhQKKTh+ggzgOrRe2ZaxlbEy + P45JQKcR9/WJAohnYQ8uZJ6oin5EsEdVkapdYu60aReRGeyTmq3RLnu3Zn5MR5RH + 1r+W03KQcQzmmpE5YrxKSZL6OriXQYEPTa9/mSZT6TEUIvRT8W5jGQ0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "DmiyfmRsWd8Qg6M/ZsAd5lFM+vnkwRTfnMH/jCFwWFF"; + }; + wiregrill = { + ip6.addr = w6 "4d10"; + aliases = [ + "radio.w" + ]; + wireguard.pubkey = '' + iCe1O9qeziw18AlGuFt5tIxm6SIBtNpwO/6OZm9Bn30= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsvyWrMN2lupBmjI8nW+NUSJIDPkr8c90Z4BcuZ7Myi"; + syncthing.id = "KMDPLE5-7FBYYXH-PF5LEET-G2AWR33-7XAPZJU-5S3VOB7-ZX5Q74V-PZKI6QN"; +} diff --git a/kartei/lass/shodan.nix b/kartei/lass/shodan.nix new file mode 100644 index 000000000..50ab86e6e --- /dev/null +++ b/kartei/lass/shodan.nix @@ -0,0 +1,36 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.4"; + ip6.addr = r6 "50da"; + aliases = [ + "shodan.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT + YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7 + ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF + 7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4 + xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ + V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "Ptc5VuYkRd5+zHibZwNe3DEgGHHvAk0Ul00dW1YXsrC"; + }; + }; + wiregrill = { + ip6.addr = w6 "50da"; + ip4.addr = "10.244.1.4"; + aliases = [ + "shodan.w" + ]; + wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C"; + syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6"; +} diff --git a/kartei/lass/skynet.nix b/kartei/lass/skynet.nix new file mode 100644 index 000000000..2109d2e35 --- /dev/null +++ b/kartei/lass/skynet.nix @@ -0,0 +1,35 @@ +{ r6, w6, ... }: +{ + nets = rec { + retiolum = { + ip4.addr = "10.243.133.116"; + ip6.addr = r6 "5ce7"; + aliases = [ + "skynet.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX + Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B + p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0 + yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da + NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb + mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "9s7eB16k7eAtHyneffTCmYR7s3mRpJqpVVjSPGaVKKN"; + }; + }; + wiregrill = { + ip6.addr = w6 "5ce7"; + aliases = [ + "skynet.w" + ]; + wireguard.pubkey = "pt9a6nP+YPqxnSskcM9NqRmAmFzbO5bE7wzViFFonnU="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t"; + syncthing.id = "KWGPAHH-H53Y2WL-SDAUVQE-7PMYRVP-6Q2INYB-FL535EO-HIE7425-ZCNP7A3"; +} diff --git a/kartei/lass/ssh/red.ed25519 b/kartei/lass/ssh/red.ed25519 new file mode 100644 index 000000000..ee5d3e20e --- /dev/null +++ b/kartei/lass/ssh/red.ed25519 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp diff --git a/kartei/lass/styx.nix b/kartei/lass/styx.nix new file mode 100644 index 000000000..0b13c1184 --- /dev/null +++ b/kartei/lass/styx.nix @@ -0,0 +1,43 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.11.1"; + ip6.addr = r6 "111"; + aliases = [ + "styx.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn + ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU + aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE + 3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi + 6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq + m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn + Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt + EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/ + 7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao + Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2 + 6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF + wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "yVT5nQstw+o5P0ZoBK81G7sL6nQEBwg42wyBn6ogZgK"; + weight = null; + }; + }; + wiregrill = { + ip6.addr = w6 "111"; + aliases = [ + "styx.w" + ]; + wireguard.pubkey = '' + 0BZfd8f0pZMRfyoHrdYZY0cR5zfFvJcS8gQLn6xGuFs= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU "; + syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN"; +} diff --git a/kartei/lass/tablet.nix b/kartei/lass/tablet.nix new file mode 100644 index 000000000..ea7e5d007 --- /dev/null +++ b/kartei/lass/tablet.nix @@ -0,0 +1,16 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = { + wiregrill = { + ip4.addr = "10.244.1.14"; + ip6.addr = w6 "b"; + aliases = [ + "tablet.w" + ]; + wireguard.pubkey = "eIafsxYEFCqmWNFon6ZsYXeDrK4X1UJ9KD0zmNZjgEI="; + }; + }; + external = true; + ci = false; +} diff --git a/kartei/lass/xerxes.nix b/kartei/lass/xerxes.nix new file mode 100644 index 000000000..96f619a70 --- /dev/null +++ b/kartei/lass/xerxes.nix @@ -0,0 +1,52 @@ +{ r6, w6, ... }: +{ + consul = false; + nets = rec { + retiolum = { + ip4.addr = "10.243.1.3"; + ip6.addr = r6 "3"; + aliases = [ + "xerxes.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U + MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk + gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W + /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb + mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO + X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj + +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim + hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 + 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 + H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 + JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 + hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe + SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo + 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe + vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 + Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO + scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv + jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ + Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u + /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 + bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ + sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK"; + }; + }; + wiregrill = { + ip6.addr = w6 "3"; + aliases = [ + "xerxes.w" + ]; + wireguard.pubkey = "UTm8B8YUVvBGqwwxAUMVFsVQFQGQ6jbcXAavZ8LxYT8="; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; + syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM"; +} diff --git a/kartei/lass/yellow.nix b/kartei/lass/yellow.nix new file mode 100644 index 000000000..bb0b1f09b --- /dev/null +++ b/kartei/lass/yellow.nix @@ -0,0 +1,42 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.14"; + ip6.addr = r6 "3110"; + aliases = [ + "yellow.r" + "jelly.r" + "radar.r" + "sonar.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP + MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY + b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU + Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd + OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP + vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6 + C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp + Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU + 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg + zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p + DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ + Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "qZBhDSW6ir1/w6lOngg2feCZj9W9AfifEMlKXcOb5QE"; + }; + }; + wiregrill = { + ip6.addr = w6 "3110"; + aliases = [ + "yellow.w" + ]; + wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU="; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje "; +} diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index 7448968f6..b79a91967 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -58,21 +58,18 @@ with import ../../lib; in { hosts = mapAttrs hostDefaults { cake = rec { - cores = 4; ci = false; nets = { retiolum.ip4.addr = "10.243.136.236"; }; }; crapi = rec { # raspi1 - cores = 1; ci = false; nets = { retiolum.ip4.addr = "10.243.136.237"; }; }; firecracker = { - cores = 4; nets = { retiolum.ip4.addr = "10.243.12.12"; }; @@ -80,28 +77,24 @@ in { studio = rec { ci = false; - cores = 4; nets = { retiolum.ip4.addr = "10.243.227.163"; }; }; fileleech = rec { ci = false; - cores = 4; nets = { retiolum.ip4.addr = "10.243.113.98"; }; }; tsp = { ci = true; - cores = 1; nets = { retiolum.ip4.addr = "10.243.0.212"; }; }; x = { ci = true; - cores = 4; syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; nets = { retiolum.ip4.addr = "10.243.0.91"; @@ -113,7 +106,6 @@ in { }; filepimp = rec { ci = false; - cores = 1; nets = { retiolum.ip4.addr = "10.243.153.102"; }; @@ -121,7 +113,6 @@ in { omo = rec { ci = true; - cores = 2; syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; nets = { retiolum = { @@ -139,7 +130,6 @@ in { }; wbob = rec { ci = true; - cores = 4; nets = { retiolum = { ip4.addr = "10.243.214.15"; @@ -165,7 +155,6 @@ in { latte.euer IN A ${nets.internet.ip4.addr} ''; }; - cores = 4; nets = rec { internet = { ip4.addr = "178.254.30.202"; @@ -247,7 +236,6 @@ in { music.euer IN A ${nets.internet.ip4.addr} ''; }; - cores = 8; nets = rec { internet = { ip4.addr = "142.132.189.140"; @@ -303,7 +291,6 @@ in { sdev = rec { ci = true; - cores = 1; nets = { retiolum.ip4.addr = "10.243.83.237"; }; @@ -313,7 +300,6 @@ in { # non-stockholm flap = rec { - cores = 1; extraZones = { "krebsco.de" = '' flap IN A ${nets.internet.ip4.addr} @@ -333,7 +319,6 @@ in { }; nukular = rec { - cores = 1; nets = { retiolum = { ip4.addr = "10.243.231.219"; @@ -343,17 +328,14 @@ in { shackdev = rec { # router@shack - cores = 1; nets.wiregrill.ip4.addr = "10.244.245.2"; }; rockit = rec { # router@home - cores = 1; nets.wiregrill.ip4.addr = "10.244.245.3"; }; senderechner = rec { - cores = 2; nets = { retiolum = { ip4.addr = "10.243.0.163"; diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 7c5c09c81..6eacb4a27 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -507,8 +507,8 @@ in { nets = rec { internet = { # eva.thalheim.io - ip4.addr = "131.159.102.4"; - ip6.addr = "2a09:80c0:102::4"; + ip4.addr = "89.58.27.144"; + ip6.addr = "2a03:4000:62:fdb::"; aliases = [ "eva.i" ]; }; retiolum = { diff --git a/kartei/others/default.nix b/kartei/others/default.nix index f3ea8b80c..de0bd2f7f 100644 --- a/kartei/others/default.nix +++ b/kartei/others/default.nix @@ -43,7 +43,6 @@ in { }; }; horisa = { - cores = 2; owner = config.krebs.users.ulrich; # main laptop nets = { retiolum = { @@ -57,7 +56,6 @@ in { }; }; hasegateway = { - cores = 1; owner = config.krebs.users.hase; nets = { #internet = { @@ -343,7 +341,6 @@ in { }; }; tpsw = { - cores = 2; owner = config.krebs.users.ciko; # main laptop nets = { retiolum = { diff --git a/kartei/tv/default.nix b/kartei/tv/default.nix index f7e86c598..eacb40af3 100644 --- a/kartei/tv/default.nix +++ b/kartei/tv/default.nix @@ -1,370 +1,53 @@ with import ../../lib; -{ config, ... }: let - - evalHost = hostName: hostConfig: evalSubmodule types.host [ - hostConfig - { - name = hostName; - owner = config.krebs.users.tv; - } - (optionalAttrs (hasAttrByPath ["nets" "retiolum"] hostConfig) { - nets.retiolum = { - ip6.addr = - (krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address; - }; - }) - (let - pubkey-path = ./wiregrill + "/${hostName}.pub"; - in optionalAttrs (pathExists pubkey-path) { - nets.wiregrill = { - aliases = [ - "${hostName}.w" - ]; - ip6.addr = - (krebs.genipv6 "wiregrill" "tv" { inherit hostName; }).address; - wireguard.pubkey = readFile pubkey-path; - }; - }) - (host: mkIf (host.config.ssh.pubkey != null) { - ssh.privkey = mapAttrs (const mkDefault) { - path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}"; - type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey)); - }; - }) - ]; - -in { +{ config, ... }: { dns.providers = { "viljetic.de" = "regfish"; }; - hosts = mapAttrs evalHost { - alnus = { - ci = true; - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.21.1"; - aliases = [ - "alnus.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP - /4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs - gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+ - q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ - rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU - cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K"; + hosts = + mapAttrs + (hostName: hostFile: let + hostSource = import hostFile; + hostConfig = getAttr (typeOf hostSource) { + lambda = hostSource { inherit config lib; }; + set = hostSource; }; - }; - ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q=="; - }; - au = { - ci = true; - cores = 4; - nets = { - retiolum = { - ip4.addr = "10.243.13.39"; - aliases = [ - "au.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z - 9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm - PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb - PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG - cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83 - jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; - }; - }; - secure = true; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; - }; - bu = { - ci = true; - cores = 4; - nets = { - retiolum = { - ip4.addr = "10.243.13.36"; - aliases = [ - "bu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb - hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l - jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M - gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG - sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/ - st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE"; - }; - }; - secure = true; - ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa"; - ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu"; - }; - hu = { - nets = { - retiolum = { - ip4.addr = "10.243.13.41"; - aliases = [ - "hu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5 - 8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO - +D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU - C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe - YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s - Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO"; - }; - }; - secure = true; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu"; - }; - mu = { - ci = true; - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.20.1"; - aliases = [ - "mu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA - g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE - XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4 - o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1 - QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs - FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C"; - }; - }; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu"; - }; - ni = { - extraZones = { - "krebsco.de" = '' - ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} - search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} - krebsco.de. 60 IN MX 5 ni - krebsco.de. 60 IN TXT "v=spf1 mx -all" - tv 300 IN NS ni - ''; - }; - nets = { - internet = { - ip4 = rec { - addr = "188.68.36.196"; - prefix = "${addr}/32"; + in evalSubmodule types.host [ + hostConfig + { + name = hostName; + owner = config.krebs.users.tv; + } + (optionalAttrs (hasAttrByPath ["nets" "retiolum"] hostConfig) { + nets.retiolum = { + ip6.addr = + (krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address; }; - ip6 = rec { - addr = "2a03:4000:13:4c::1"; - prefix = "${addr}/64"; + }) + (let + pubkey-path = ./wiregrill + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.wiregrill = { + aliases = [ + "${hostName}.w" + ]; + ip6.addr = + (krebs.genipv6 "wiregrill" "tv" { inherit hostName; }).address; + wireguard.pubkey = readFile pubkey-path; }; - aliases = [ - "ni.i" - "cgit.ni.i" - ]; - ssh.port = 11423; - }; - retiolum = { - via = config.krebs.hosts.ni.nets.internet; - ip4.addr = "10.243.113.223"; - aliases = [ - "ni.r" - "cgit.ni.r" - "krebs.ni.r" - "search.ni.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12 - bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6 - Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59 - OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im - W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2 - NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY - nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv - lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ - 9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9 - q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF - Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE"; - }; - wiregrill = { - via = config.krebs.hosts.ni.nets.internet; - ip4.addr = "10.244.3.1"; - wireguard.subnets = [ - (krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR - ]; - }; - }; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb"; - }; - nomic = { - ci = true; - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.0.110"; - aliases = [ - "nomic.r" - "cgit.nomic.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP"; - }; - }; - secure = true; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic"; - }; - wu = { - ci = true; - cores = 4; - nets = { - retiolum = { - ip4.addr = "10.243.13.37"; - aliases = [ - "wu.r" - "cgit.wu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB"; - }; - }; - secure = true; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; - }; - querel = { - ci = true; - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.22.22"; - aliases = [ - "querel.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz - 2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn - bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x - ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh - iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W - xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk - 4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf - aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs - UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E - vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA - J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r"; - }; - xu = { - binary-cache = { - pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s="; - }; - ci = true; - cores = 4; - nets = { - retiolum = { - ip4.addr = "10.243.13.38"; - aliases = [ - "xu.r" - "cgit.xu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ - uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX - 8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw - mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj - 4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63 - 4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM"; - }; - }; - secure = true; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu"; - }; - zu = { - ci = true; - cores = 4; - nets = { - retiolum = { - ip4.addr = "10.243.13.40"; - aliases = [ - "zu.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d - idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u - BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a - OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj - /NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk - b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu"; - }; - umz = { - nets.wiregrill.ip4.addr = "10.244.3.101"; - }; - }; + }) + (host: mkIf (host.config.ssh.pubkey != null) { + ssh.privkey = mapAttrs (const mkDefault) { + path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}"; + type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey)); + }; + }) + ]) + (mapAttrs' + (name: type: { + name = removeSuffix ".nix" name; + value = ./hosts + "/${name}"; + }) + (readDir ./hosts)); sitemap = { "http://cgit.krebsco.de" = { desc = "Git repositories"; diff --git a/kartei/tv/hosts/alnus.nix b/kartei/tv/hosts/alnus.nix new file mode 100644 index 000000000..e66236f1f --- /dev/null +++ b/kartei/tv/hosts/alnus.nix @@ -0,0 +1,23 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.21.1"; + aliases = [ + "alnus.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP + /4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs + gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+ + q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ + rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU + cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K"; + }; + }; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q=="; +} diff --git a/kartei/tv/hosts/au.nix b/kartei/tv/hosts/au.nix new file mode 100644 index 000000000..44279b687 --- /dev/null +++ b/kartei/tv/hosts/au.nix @@ -0,0 +1,24 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.39"; + aliases = [ + "au.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z + 9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm + PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb + PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG + cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83 + jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; +} diff --git a/kartei/tv/hosts/bu.nix b/kartei/tv/hosts/bu.nix new file mode 100644 index 000000000..cbdf5af22 --- /dev/null +++ b/kartei/tv/hosts/bu.nix @@ -0,0 +1,24 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.36"; + aliases = [ + "bu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb + hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l + jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M + gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG + sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/ + st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE"; + }; + }; + secure = true; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu"; +} diff --git a/kartei/tv/hosts/hu.nix b/kartei/tv/hosts/hu.nix new file mode 100644 index 000000000..20045b079 --- /dev/null +++ b/kartei/tv/hosts/hu.nix @@ -0,0 +1,23 @@ +{ + nets = { + retiolum = { + ip4.addr = "10.243.13.41"; + aliases = [ + "hu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5 + 8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO + +D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU + C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe + YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s + Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu"; +} diff --git a/kartei/tv/hosts/mu.nix b/kartei/tv/hosts/mu.nix new file mode 100644 index 000000000..e10694ec1 --- /dev/null +++ b/kartei/tv/hosts/mu.nix @@ -0,0 +1,23 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.20.1"; + aliases = [ + "mu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA + g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE + XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4 + o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1 + QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs + FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + #tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C"; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu"; +} diff --git a/kartei/tv/hosts/ni.nix b/kartei/tv/hosts/ni.nix new file mode 100644 index 000000000..c45321656 --- /dev/null +++ b/kartei/tv/hosts/ni.nix @@ -0,0 +1,68 @@ +{ config, lib, ... }: { + extraZones = { + "krebsco.de" = '' + ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} + cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} + cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} + search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} + krebsco.de. 60 IN MX 5 ni + krebsco.de. 60 IN TXT "v=spf1 mx -all" + tv 300 IN NS ni + ''; + }; + nets = { + internet = { + ip4 = rec { + addr = "188.68.36.196"; + prefix = "${addr}/32"; + }; + ip6 = rec { + addr = "2a03:4000:13:4c::1"; + prefix = "${addr}/64"; + }; + aliases = [ + "ni.i" + "cgit.ni.i" + ]; + ssh.port = 11423; + }; + retiolum = { + via = config.krebs.hosts.ni.nets.internet; + ip4.addr = "10.243.113.223"; + aliases = [ + "ni.r" + "cgit.ni.r" + "krebs.ni.r" + "search.ni.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12 + bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6 + Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59 + OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im + W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2 + NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY + nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv + lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ + 9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9 + q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF + Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE"; + }; + wiregrill = { + via = config.krebs.hosts.ni.nets.internet; + ip4.addr = "10.244.3.1"; + wireguard.subnets = [ + (lib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR + ]; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb"; +} diff --git a/kartei/tv/hosts/nomic.nix b/kartei/tv/hosts/nomic.nix new file mode 100644 index 000000000..7c46dc40a --- /dev/null +++ b/kartei/tv/hosts/nomic.nix @@ -0,0 +1,25 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.0.110"; + aliases = [ + "nomic.r" + "cgit.nomic.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic"; +} diff --git a/kartei/tv/hosts/querel.nix b/kartei/tv/hosts/querel.nix new file mode 100644 index 000000000..6b9b9881b --- /dev/null +++ b/kartei/tv/hosts/querel.nix @@ -0,0 +1,27 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.22.22"; + aliases = [ + "querel.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz + 2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn + bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x + ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh + iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W + xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk + 4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf + aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs + UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E + vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA + J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r"; +} diff --git a/kartei/tv/hosts/umz.nix b/kartei/tv/hosts/umz.nix new file mode 100644 index 000000000..8838574e0 --- /dev/null +++ b/kartei/tv/hosts/umz.nix @@ -0,0 +1,3 @@ +{ + nets.wiregrill.ip4.addr = "10.244.3.101"; +} diff --git a/kartei/tv/hosts/wu.nix b/kartei/tv/hosts/wu.nix new file mode 100644 index 000000000..d03886f14 --- /dev/null +++ b/kartei/tv/hosts/wu.nix @@ -0,0 +1,25 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.37"; + aliases = [ + "wu.r" + "cgit.wu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; +} diff --git a/kartei/tv/hosts/xu.nix b/kartei/tv/hosts/xu.nix new file mode 100644 index 000000000..e943915e4 --- /dev/null +++ b/kartei/tv/hosts/xu.nix @@ -0,0 +1,28 @@ +{ + binary-cache = { + pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s="; + }; + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.38"; + aliases = [ + "xu.r" + "cgit.xu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ + uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX + 8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw + mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj + 4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63 + 4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu"; +} diff --git a/kartei/tv/hosts/zu.nix b/kartei/tv/hosts/zu.nix new file mode 100644 index 000000000..91270d57e --- /dev/null +++ b/kartei/tv/hosts/zu.nix @@ -0,0 +1,23 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.40"; + aliases = [ + "zu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d + idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u + BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a + OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj + /NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk + b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu"; +} diff --git a/krebs/0tests/data/test-config.nix b/krebs/0tests/data/test-config.nix index f0927ddd9..33cb01245 100644 --- a/krebs/0tests/data/test-config.nix +++ b/krebs/0tests/data/test-config.nix @@ -8,7 +8,6 @@ ]; krebs.hosts.minimal = { - cores = 1; secure = false; }; diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index fffe128e6..eda03cc10 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -53,6 +53,7 @@ with import <stockholm/lib>; config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey + config.krebs.users.kmein.pubkey ]; # The NixOS release to be compatible with for stateful data such as databases. diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index a802b8a25..5435ea166 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -8,6 +8,7 @@ services.ergochat = { enable = true; settings = { + server.name = "irc.r"; server.secure-nets = [ "42::0/16" "10.240.0.0/12" diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 9bcee6fbd..11aaf876a 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -146,7 +146,7 @@ let command = 1; arguments = [2]; env.TASKDATA = "${stateDir}/${name}"; - commands = { + commands = rec { add.filename = pkgs.writeDash "${name}-task-add" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" ''; @@ -159,6 +159,7 @@ let delete.filename = pkgs.writeDash "${name}-task-delete" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" ''; + del = delete; done.filename = pkgs.writeDash "${name}-task-done" '' ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" ''; diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 6babac72e..bff7e135f 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -7,6 +7,7 @@ let out = { imports = [ ../../kartei + ../../submodules/disko/module.nix ./acl.nix ./airdcpp.nix ./announce-activation.nix diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 7c176d224..b3cf212e4 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -108,7 +108,7 @@ let }; imp = { - krebs.systemd.services.exim = {}; + krebs.systemd.services.exim.restartIfCredentialsChange = true; systemd.services.exim.serviceConfig.LoadCredential = map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; krebs.exim = { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 7007090c0..052dad9c6 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -43,10 +43,6 @@ let target = mkOption { type = str; }; - precedence = mkOption { - type = int; - default = 0; - }; v4 = mkOption { type = bool; default = true; @@ -145,13 +141,11 @@ let buildChain = tn: cn: let filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; - sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; - in #TODO: double check should be unneccessary, refactor! if ts.${tn}.${cn}.rules or null != null then concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules + ++ map (buildRule tn cn) filteredRules ) else "" diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index c4cfb9a49..5b8a53be8 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -159,7 +159,9 @@ let ) cfg.repos; krebs.systemd.services = mapAttrs' (name: _: - nameValuePair "repo-sync-${name}" {} + nameValuePair "repo-sync-${name}" { + restartIfCredentialsChange = true; + } ) cfg.repos; systemd.services = mapAttrs' (name: repo: diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 194e8b24a..3e524d3b5 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -3,14 +3,28 @@ body.options.krebs.systemd.services = lib.mkOption { default = {}; - type = lib.types.attrsOf (lib.types.submodule { + type = lib.types.attrsOf (lib.types.submodule (cfg_: let + serviceName = cfg_.config._module.args.name; + cfg = config.systemd.services.${serviceName} // cfg_.config; + in { options = { + credentialPaths = lib.mkOption { + default = + lib.sort + lib.lessThan + (lib.filter + lib.types.absolute-pathname.check + (map + (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) + (lib.toList cfg.serviceConfig.LoadCredential))); + readOnly = true; + }; + credentialUnitName = lib.mkOption { + default = "trigger-${lib.systemd.encodeName serviceName}"; + readOnly = true; + }; restartIfCredentialsChange = lib.mkOption { - # Enabling this by default only makes sense here as the user already - # bothered to write down krebs.systemd.services.* = {}. If this - # functionality gets upstreamed to systemd.services, restarting - # should be disabled by default. - default = true; + default = false; description = '' Whether to restart the service whenever any of its credentials change. Only credentials with an absolute path in LoadCredential= @@ -19,30 +33,40 @@ type = lib.types.bool; }; }; - }); + })); }; - body.config = { - systemd.paths = lib.mapAttrs' (serviceName: _: - lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { - wantedBy = [ "multi-user.target" ]; - pathConfig.PathChanged = - lib.filter - lib.types.absolute-pathname.check - (map - (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) - (lib.toList - config.systemd.services.${serviceName}.serviceConfig.LoadCredential)); - } - ) config.krebs.systemd.services; + body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: { + paths.${cfg.credentialUnitName} = { + wantedBy = [ "multi-user.target" ]; + pathConfig.PathChanged = cfg.credentialPaths; + }; + services.${cfg.credentialUnitName} = { + serviceConfig = { + Type = "oneshot"; + StateDirectory = "credentials"; + ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" '' + set -efu - systemd.services = lib.mapAttrs' (serviceName: cfg: - lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}"; - }; - } - ) config.krebs.systemd.services; - }; + PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.diffutils + pkgs.systemd + ]} + + cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum + tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX) + trap 'rm -f "$tmpfile"' EXIT + + sha1sum ${toString cfg.credentialPaths} > "$tmpfile" + if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then + exit + fi + mv "$tmpfile" "$cache" + + systemctl restart ${lib.shell.escape serviceName} + ''; + }; + }; + }) config.krebs.systemd.services); } diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index c33b30f0d..0babc448a 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -232,6 +232,7 @@ with import <stockholm/lib>; ) config.krebs.tinc; krebs.systemd.services = mapAttrs (netname: cfg: { + restartIfCredentialsChange = true; }) config.krebs.tinc; systemd.services = mapAttrs (netname: cfg: { diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix index f9a7450f7..a3c9f67c5 100644 --- a/krebs/5pkgs/simple/generate-secrets/default.nix +++ b/krebs/5pkgs/simple/generate-secrets/default.nix @@ -23,7 +23,6 @@ pkgs.writers.writeDashBin "generate-secrets" '' cat <<EOF $HOSTNAME = { - cores = 1; owner = config.krebs.users.krebs; nets = { retiolum = { diff --git a/krebs/5pkgs/simple/git-assembler.nix b/krebs/5pkgs/simple/git-assembler.nix new file mode 100644 index 000000000..095dddf0f --- /dev/null +++ b/krebs/5pkgs/simple/git-assembler.nix @@ -0,0 +1,24 @@ +{ pkgs, stdenv }: + +stdenv.mkDerivation rec { + pname = "git-assembler"; + version = "1.3"; + + src = pkgs.fetchFromGitLab { + owner = "wavexx"; + repo = "git-assembler"; + rev = "v${version}"; + hash = "sha256-A+ygt6Fxiu6EkVoQU5L1rhxu2e1HU0nbqJFzLzXzHBo="; + }; + + buildInputs = [ + pkgs.python3 + ]; + + buildPhase = ":"; + + installPhase = '' + mkdir -p $out/bin + cp git-assembler $out/bin + ''; +} diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index dd8308bbd..2c88b68cc 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/bitcoin.nix> diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 4c98091f1..cd38c3585 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -57,7 +57,7 @@ with import <stockholm/lib>; ]; krebs.iptables.tables.nat.PREROUTING.rules = [ - { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; } ]; # workaround for ssh access from yubikey via android diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index dd479f267..6d0d177ec 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -41,6 +41,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ppp/umts-stick.nix> # <stockholm/lass/2configs/remote-builder/morpheus.nix> # <stockholm/lass/2configs/remote-builder/prism.nix> + <stockholm/lass/2configs/autotether.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix new file mode 100644 index 000000000..8e5a60c36 --- /dev/null +++ b/lass/1systems/neoprism/config.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/retiolum.nix> + + # sync-containers + <stockholm/lass/2configs/consul.nix> + <stockholm/lass/2configs/yellow-host.nix> + <stockholm/lass/2configs/radio/container-host.nix> + + # other containers + <stockholm/lass/2configs/riot.nix> + ]; + + krebs.build.host = config.krebs.hosts.neoprism; +} diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix new file mode 100644 index 000000000..cf9a8cef4 --- /dev/null +++ b/lass/1systems/neoprism/disk.nix @@ -0,0 +1,116 @@ +{ lib, ... }: +{ + disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: { + type = "disk"; + device = disk; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1M"; + end = "1GiB"; + fs-type = "fat32"; + bootable = true; + content = { + type = "mdraid"; + name = "boot"; + }; + } + { + type = "partition"; + name = "zfs"; + start = "1GiB"; + end = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + } + ]; + }; + })) // { + hdd1 = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "zfs"; + pool = "tank"; + }; + }; + }; + mdadm = { + boot = { + type = "mdadm"; + level = 1; + metadata = "1.0"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + }; + zpool = { + zroot = { + type = "zpool"; + mode = "mirror"; + mountpoint = "/"; + rootFsOptions = { + }; + datasets.reserved = { + zfs_type = "filesystem"; + options.refreservation = "1G"; + }; + }; + tank = { + type = "zpool"; + datasets = { + reserved = { + zfs_type = "filesystem"; + options.refreservation = "1G"; + }; + containers = { + zfs_type = "filesystem"; + mountpoint = "/var/lib/containers"; + }; + home = { + zfs_type = "filesystem"; + mountpoint = "/home"; + }; + srv = { + zfs_type = "filesystem"; + mountpoint = "/srv"; + }; + libvirt = { + zfs_type = "filesystem"; + mountpoint = "/var/lib/libvirt"; + }; + # encrypted = { + # zfs_type = "filesystem"; + # options = { + # mountpoint = "none"; + # encryption = "aes-256-gcm"; + # keyformat = "passphrase"; + # keylocation = "prompt"; + # }; + # }; + + # "encrypted/download" = { + # zfs_type = "filesystem"; + # mountpoint = "/var/download"; + # }; + }; + }; + }; +} diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix new file mode 100644 index 000000000..4ffb749f1 --- /dev/null +++ b/lass/1systems/neoprism/physical.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./config.nix + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + disko.devices = import ./disk.nix; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.efiSupport = true; + boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; + boot.kernelModules = [ "kvm-amd" ]; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + # networking config + boot.kernelParams = [ "net.ifnames=0" ]; + networking.bridges."ext-br".interfaces = [ "eth0" ]; + networking = { + hostId = "2283aaae"; + defaultGateway = "95.217.192.1"; + defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; }; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.ext-br.ipv4.addresses = [ + { + address = "95.217.192.59"; + prefixLength = 26; + } + ]; + interfaces.ext-br.ipv6.addresses = [ + { + address = "2a01:4f9:4a:4f1a::1"; + prefixLength = 64; + } + ]; + }; + +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 594a21c02..bcc8c1a08 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -33,9 +33,9 @@ with import <stockholm/lib>; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" ]; }; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } + { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } ]; } { @@ -97,9 +97,35 @@ with import <stockholm/lib>; localAddress = "10.233.2.2"; }; } + { + services.nginx.virtualHosts."radio.lassul.us" = { + enableACME = true; + addSSL = true; + locations."/" = { + # recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://radio.r"; + extraConfig = '' + proxy_set_header Host radio.r; + # get source ip for weather reports + proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; + ''; + }; + }; + krebs.htgen.radio-redirect = { + port = 8000; + scriptFile = pkgs.writers.writeDash "redir" '' + printf 'HTTP/1.1 301 Moved Permanently\r\n' + printf "Location: http://radio.lassul.us''${Request_URI}\r\n" + printf '\r\n' + ''; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> - <stockholm/lass/2configs/radio> <stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/paste.nix> @@ -227,13 +253,13 @@ with import <stockholm/lib>; imports = [ <stockholm/lass/2configs/wiregrill.nix> ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ + { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } @@ -252,7 +278,7 @@ with import <stockholm/lib>; } { krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } <stockholm/lass/2configs/murmur.nix> diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix new file mode 100644 index 000000000..2fd23a448 --- /dev/null +++ b/lass/1systems/radio/config.nix @@ -0,0 +1,24 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/radio> + ]; + + krebs.build.host = config.krebs.hosts.radio; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; + }; +} diff --git a/lass/1systems/radio/physical.nix b/lass/1systems/radio/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/radio/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index ef538f339..5e48c216a 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/green-host.nix> <stockholm/krebs/2configs/news-host.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/red-host.nix> diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index c8077e5ea..06561e9cf 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,20 +9,23 @@ in { krebs.build.host = config.krebs.hosts.yellow; + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; + }; + users.groups.download.members = [ "transmission" ]; networking.useHostResolvConf = false; networking.useNetworkd = true; - systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; - systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; services.transmission = { enable = true; + home = "/var/state/transmission"; group = "download"; downloadDirPermissions = "775"; settings = { - download-dir = "/var/download/finished"; - incomplete-dir = "/var/download/incoming"; - incomplete-dir-enable = true; + download-dir = "/var/download/transmission"; + incomplete-dir-enabled = false; rpc-bind-address = "::"; message-level = 1; umask = 18; @@ -31,6 +34,12 @@ in { }; }; + security.acme.defaults.email = "spam@krebsco.de"; + security.acme.acceptTerms = true; + security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -38,13 +47,12 @@ in { fancyindex ]; }; - virtualHosts.default = { + virtualHosts."yellow.r" = { default = true; - locations."/dl".extraConfig = '' - return 301 /; - ''; + enableACME = true; + addSSL = true; locations."/" = { - root = "/var/download/finished"; + root = "/var/download"; extraConfig = '' fancyindex on; fancyindex_footer "/fancy.html"; @@ -136,9 +144,87 @@ in { ''}; ''; }; + virtualHosts."jelly.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:8096/; + proxy_set_header Accept-Encoding ""; + ''; + }; + virtualHosts."radar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:7878"; + }; + }; + virtualHosts."sonar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8989"; + }; + }; }; - systemd.services.bruellwuerfel = { + services.samba = { + enable = true; + enableNmbd = false; + extraConfig = '' + workgroup = WORKGROUP + server string = ${config.networking.hostName} + # only allow retiolum addresses + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 + + # Use sendfile() for performance gain + use sendfile = true + + # No NetBIOS is needed + disable netbios = true + + # Only mangle non-valid NTFS names, don't care about DOS support + mangled names = illegal + + # Performance optimizations + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 + + # Disable all printing + load printers = false + disable spoolss = true + printcap name = /dev/null + + map to guest = Bad User + max log size = 50 + dns proxy = no + security = user + + [global] + syslog only = yes + ''; + shares.public = { + comment = "Warez"; + path = "/var/download"; + public = "yes"; + "only guest" = "yes"; + "create mask" = "0644"; + "directory mask" = "2777"; + writable = "no"; + printable = "no"; + }; + }; + + systemd.services.bruellwuerfel = + let + bruellwuerfelSrc = pkgs.fetchFromGitHub { + owner = "krebs"; + repo = "bruellwuerfel"; + rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; + sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; + }; + in { wantedBy = [ "multi-user.target" ]; environment = { IRC_CHANNEL = "#flix"; @@ -147,7 +233,7 @@ in { IRC_HISTORY_FILE = "/tmp/bruelli.history"; }; serviceConfig = { - ExecStart = "${pkgs.bruellwuerfel}/bin/bruellwuerfel"; + ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; }; }; @@ -155,15 +241,36 @@ in { enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir + { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin + { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr + { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr + { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr + { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr + + # smbd + { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; tables.filter.OUTPUT = { policy = "DROP"; rules = [ + { predicate = "-o lo"; target = "ACCEPT"; } { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } { predicate = "-o tun0"; target = "ACCEPT"; } { predicate = "-o retiolum"; target = "ACCEPT"; } @@ -271,7 +378,7 @@ in { ExecStart = pkgs.writers.writeDash "flix-index" '' set -efu - DIR=/var/download/finished + DIR=/var/download cd "$DIR" while inotifywait -rq -e create -e move -e delete "$DIR"; do find . -type f > "$DIR"/index.tmp @@ -286,9 +393,22 @@ in { group = "download"; }; - services.magnetico = { + services.radarr = { + enable = true; + group = "download"; + }; + + services.sonarr = { + enable = true; + group = "download"; + }; + + services.prowlarr = { enable = true; - web.address = "0.0.0.0"; - web.port = 9092; + }; + + services.bazarr = { + enable = true; + group = "download"; }; } diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix index dfffbfdf9..e38475381 100644 --- a/lass/2configs/AP.nix +++ b/lass/2configs/AP.nix @@ -68,8 +68,8 @@ in { { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ #TODO find out what this is about? diff --git a/lass/2configs/autotether.nix b/lass/2configs/autotether.nix new file mode 100644 index 000000000..98712303e --- /dev/null +++ b/lass/2configs/autotether.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: +{ + systemd.services.usb_tether = { + script = '' + ${pkgs.android-tools}/bin/adb -s QV770FAMEK wait-for-device + ${pkgs.android-tools}/bin/adb -s QV770FAMEK shell svc usb setFunctions rndis + ''; + }; + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="fce/320d/510", TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service" + ''; + systemd.network.networks.android = { + matchConfig.Name = "enp0s20u1"; + DHCP = "yes"; + }; +} diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix index 3e533fb74..a8dd3dd1d 100644 --- a/lass/2configs/c-base.nix +++ b/lass/2configs/c-base.nix @@ -1,97 +1,115 @@ { config, lib, pkgs, ... }: let - inherit (import <stockholm/lib>) genid; - in { - users.extraUsers = { - cbasevpn = rec { - name = "cbasevpn"; - uid = genid "cbasevpn"; - description = "user for running c-base openvpn"; - home = "/home/${name}"; - }; - }; - - users.extraGroups.cbasevpn.gid = genid "cbasevpn"; - environment.systemPackages = [ pkgs.cifs-utils ]; - services.openvpn.servers = { - c-base = { - config = '' - client - dev tap - proto tcp - remote vpn.ext.c-base.org 1194 - resolv-retry infinite - nobind - user cbasevpn - group cbasevpn - persist-key - persist-tun - - auth-nocache - #auth-user-pass - auth-user-pass ${toString <secrets/cbase.txt>} - - comp-lzo - verb 3 - - #script-security 2 - #up /etc/openvpn/update-resolv-conf - #down /etc/openvpn/update-resolv-conf - - <ca> - -----BEGIN CERTIFICATE----- - MIIDUjCCArugAwIBAgIJAOOk8EXgjsf5MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV - BAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZj - LWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJ - ARYQYWRtYXhAYy1iYXNlLm9yZzAeFw0wOTAyMTMwOTE1MzdaFw0xOTAyMTEwOTE1 - MzdaMHoxCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGlu - MQ8wDQYDVQQKEwZjLWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEf - MB0GCSqGSIb3DQEJARYQYWRtYXhAYy1iYXNlLm9yZzCBnzANBgkqhkiG9w0BAQEF - AAOBjQAwgYkCgYEAt3wEgXbqFKxs8z/E4rv13hkRi6J+QdshNzntm7rTOmUsXKE7 - IEwoJSglrmsDPv4UqE86A7bjW7YYSFjhzxFRkTEHJanyOCF48ZPItVl7Eq7T81co - uR+6lAhxnLDrwnPJCC83NzAa6lw8U1DsQRDkayKlrQrtZq6++pFFEvZvt1cCAwEA - AaOB3zCB3DAdBgNVHQ4EFgQUqkSbdXS90+HtqXDeAI+PcyTSSHEwgawGA1UdIwSB - pDCBoYAUqkSbdXS90+HtqXDeAI+PcyTSSHGhfqR8MHoxCzAJBgNVBAYTAkRFMQsw - CQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZjLWJhc2UxGzAZ - BgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhA - Yy1iYXNlLm9yZ4IJAOOk8EXgjsf5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF - BQADgYEAOBANG1H4uEEWk3sbeQoSMeA3LFG1+6MgFGk2WAdeHYuV9GKYBq6/PLP5 - ffw+FNkiDjLSeSQO88vHYJr2V1v8n/ZoCIT+1VBcDWXTpGz0YxDI1iBauO3tUPzK - wGs46RA/S0YwiZw64MaUHd88ZVadjKy9kNoO3w6/vpAS6s/Mh+o= - -----END CERTIFICATE----- - </ca> - key-direction 1 - <tls-auth> - # - # 2048 bit OpenVPN static key - # - -----BEGIN OpenVPN Static key V1----- - 5d49aa8c9cec18de7ab6e0b5cd09a368 - d3f1b8b77e055e448804fa0e14f487cb - 491681742f96b54a23fb8639aa9ed14e - c40b86a5546b888c4f3873f23c956e87 - 169076ec869127ffc85353fd5928871c - da19776b79f723abb366fae6cdfe4ad6 - 7ef667b7d05a7b78dfd5ea1d2da276dc - 5f6c82313fe9c1178c7256b8d1d081b0 - 4c80bc8f21add61fbc52c158579edc1d - bbde230afb9d0e531624ce289a17098a - 3261f9144a9a2a6f0da4250c9eed4086 - 187ec6fa757a454de743a349e32af193 - e9f8b49b010014bdfb3240d992f2f234 - 581d0ce05d4e07a2b588ad9b0555b704 - 9d5edc28efde59226ec8942feed690a1 - 2acd0c8bc9424d6074d0d495391023b6 - -----END OpenVPN Static key V1----- - </tls-auth> - ''; + systemd.network.networks.c-base = { + matchConfig.Name = "c-base"; + networkConfig = { + IgnoreCarrierLoss = "3s"; + KeepConfiguration = "static"; + DNS = "10.0.1.254"; + Domains = "cbrp3.c-base.org"; }; + routes = [ + { routeConfig = { + Destination = "10.0.1.0/24"; + Gateway = "172.31.77.1"; + };} + { routeConfig = { + Destination = "91.102.9.99/32"; # vorstand.c-base.org + Gateway = "172.31.77.1"; + };} + ]; + }; + services.openvpn.servers.c-base = { + config = '' + remote vpn.ext.c-base.org 1194 + verify-x509-name vpn.ext.c-base.org name + client + proto udp + dev-type tun + dev c-base + resolv-retry infinite + nobind + # user openvpn + # group openvpn + persist-key + persist-tun + comp-lzo + # register-dns + # block-outside-dns + script-security 2 + auth-user-pass ${toString <secrets/cbase.txt>} + #auth-user-pass + key-direction 1 + <tls-auth> + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 54a66ed1048bed7508703347e89d68d6 + 5586e6a5d1218cf8675941031d540be6 + 993e07200a16ad3b770b659932ee71e5 + f8080b5c9fa2acb3893abd40fad2552c + fdaf17565e617ae450efcccf5652dca5 + a16419509024b075941098731eb25ac0 + a64f963ece3dca1d2a64a9c5e17839d7 + 5b5080165a9b2dc90ef111879d7d3173 + 2d1027ae42d869394aca08da4472a9d0 + 6b724b4ed43a957feef7d6dfc86da241 + 74828fa0e1240941586f0d937cac32fc + 13cc81e7bed58817353d6afaff7e6a26 + 4f9cc086af79c1cdca660d86e18cff96 + 69dd3d392caf09a468894a8504f4cc7c + 7ae0072e6d9ad90b166ad13a39c57b3c + 3a869e27a1d89deb161c255227551713 + -----END OpenVPN Static key V1----- + </tls-auth> + <ca> + -----BEGIN CERTIFICATE----- + MIIGsDCCBJigAwIBAgIJAPkM1l2zA306MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD + VQQGEwJERTEPMA0GA1UEBxMGQmVybGluMRswGQYDVQQLExJ2cG4uZXh0LmMtYmFz + ZS5vcmcxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEbMBkGA1UEKRMSdnBu + LmV4dC5jLWJhc2Uub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1heEBjLWJhc2Uub3Jn + MB4XDTE2MDcwOTE4MjkyMFoXDTI2MDcxMDE4MjkyMFowgZYxCzAJBgNVBAYTAkRF + MQ8wDQYDVQQHEwZCZXJsaW4xGzAZBgNVBAsTEnZwbi5leHQuYy1iYXNlLm9yZzEb + MBkGA1UEAxMSdnBuLmV4dC5jLWJhc2Uub3JnMRswGQYDVQQpExJ2cG4uZXh0LmMt + YmFzZS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWF4QGMtYmFzZS5vcmcwggIiMA0G + CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXEs+uWCXLNmm+lgP9x7u3FqWa4pPI + h64c6EWIULMATrhEw+Ej4fpCXwU9otFaO04fAeJmZGkDcnAYdBDiCeI0luOSdj44 + Bg9KecSei/TskqjhDVnEBp65hiz0rZE6c1baPdLYmD5xrXWb3i0zrlBYFawuL6C2 + lwVCEm3cadvkDJ2DleMuu3NblV8ViIDN0HZqzJNP72g1I0MgohkpetACXlf7MzQV + PFHfzvb04Rj2lJ8BDhceQ0WmjtVV/Ag6nka5oi954OeHMujRuH+rZYiQZDZpJLHK + Kh1KWTVlWPRy+AvCi9lweDWSmLccq7Ug4xMtDF4I5qW3tjCd0xqpZ21Xmo2JyKtY + 4h8wEDPqiJvgwvkXsH17GLn5ZxiMcQuRJQYZqJephkzR9uccJeWSS76kwm/vLqG3 + +eORlYnyjiNXtiMIhmAEFjpWUrGH8v4CijpUNP6E63ynGrRVXK684YQXkqL+xPAt + t6dsMBUwf94a2S1o2kgvuRCim1wlHvf1QsHrO/Hwgpzc8no/daWL+Z9Rq9okTHNK + nc1G5dv8TkmxIDYnLm07QMzzBoOT36BcGtkEBA+0xhQlX5PyQdM5/jnZVhdSBmoP + MbZXPoU/gJAIuuBuwdTlgCzYf44/9/YU/AnW8eLrbhm9KtMtoMpatrWorKqk/GPv + /lGNRQuNffrbiQIDAQABo4H+MIH7MB0GA1UdDgQWBBTf5cYbK+KCF9u9aobFlLbu + ilwX4jCBywYDVR0jBIHDMIHAgBTf5cYbK+KCF9u9aobFlLbuilwX4qGBnKSBmTCB + ljELMAkGA1UEBhMCREUxDzANBgNVBAcTBkJlcmxpbjEbMBkGA1UECxMSdnBuLmV4 + dC5jLWJhc2Uub3JnMRswGQYDVQQDExJ2cG4uZXh0LmMtYmFzZS5vcmcxGzAZBgNV + BCkTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhAYy1i + YXNlLm9yZ4IJAPkM1l2zA306MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD + ggIBAMs1moiS7UZ4neOivQjqwKrBbm1j3tgmPLhDfNMmXYarGhnBGAlLxLAQWtG+ + Fnbx8KcsJnrsWcGfZcst1z45S4a5oBdVNKOfgkMOG0glZorIDO8Odrb51rpyzU0v + 0wcNumMNWhkFuo2OTBHPnnJIWEAFwwCCSCL0I0hQxxoaV36kphjuIwzrMJhd+XAT + 24En58cNp6sPRDd+FzOH08uFINevyzKWYxkMgVj+e3fbuiyOB8RqvndKvtfBBcpB + cCO86lGnj/ETMDciTczUShxaMn9wV1zr1KH1xvT3ohUeOcQZGbGTcjG4mxlns8ZO + U5J3Yrcd1eMfJq9Bwd3zPsTLnT8LwIS8vfYRav9b34XdqcBG73dhrjsicMK0Qy0z + Qz7vKJzcvrEnKuaMyB3mCxz/UvbNc2Bupwm4FmzN5eFjDs+7paYFdfOzqMjoRP+8 + bcXSqDN5P2eUd7cdsZXaFNcsf1FkWlE3GudVBOmNJqz9zBab/T5J+l4Z90Pd6OUX + GNozEvLhcJkvPKA526TegHTGC8hMquxKc9tpOzNRqZJMFa+UG1mgMrMepRmM/B3s + QrKI1C11iCVYfb9J0tQUkfENHMx4J7mG2DZAhnKWQDU2awM41qU4A7aBYaJvDPnQ + RRcbaT0D794lKUQwH/mZuyKzF22oZNk1o1TV2SaFXqgX5tDt + -----END CERTIFICATE----- + </ca> + ''; }; } diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index f04e4342d..0cfe193d9 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -8,8 +8,8 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 49a04e9c2..3d7188dc6 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -69,7 +69,6 @@ with import <stockholm/lib>; ]; networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; krebs = { enable = true; @@ -190,28 +189,34 @@ with import <stockholm/lib>; enable = true; tables = { nat.PREROUTING.rules = [ - { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + filter.INPUT.rules = mkMerge [ + (mkBefore [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { predicate = "-p icmp"; target = "ACCEPT"; } + { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } + { predicate = "-i lo"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + ]) + (mkOrder 1000 [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + ]) + (mkAfter [ + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; } + ]) ]; }; }; diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 89ccae408..51db9a40a 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -2,37 +2,56 @@ with import <stockholm/lib>; { + systemd.network.networks."50-et0" = { + matchConfig.Name = "et0"; + DHCP = "yes"; + # dhcpV4Config.UseDNS = false; + # dhcpV6Config.UseDNS = false; + linkConfig = { + RequiredForOnline = "routable"; + }; + # networkConfig = { + # LinkLocalAddressing = "no"; + # }; + # dhcpV6Config = { + # PrefixDelegationHint = "::/60"; + # }; + # networkConfig = { + # IPv6AcceptRA = true; + # }; + # ipv6PrefixDelegationConfig = { + # Managed = true; + # }; + }; + systemd.network.networks."50-int0" = { + name = "int0"; + address = [ + "10.42.0.1/24" + ]; + networkConfig = { + IPForward = "yes"; + IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; + # IPv6SendRA = "yes"; + # DHCPPrefixDelegation = "yes"; + }; + }; networking.networkmanager.unmanaged = [ "int0" ]; - networking.interfaces.int0.ipv4.addresses = [{ - address = "10.42.0.1"; - prefixLength = 24; - }]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i int0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i int0"; target = "ACCEPT"; } + { predicate = "-o int0"; target = "ACCEPT"; } + { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } + ]; networking.domain = "gg23"; - services.dhcpd4 = { - enable = true; - interfaces = [ "int0" ]; - extraConfig = '' - option subnet-mask 255.255.255.0; - option routers 10.42.0.1; - option domain-name-servers 10.42.0.1; - subnet 10.42.0.0 netmask 255.255.255.0 { - range 10.42.0.100 10.42.0.200; - } - ''; - machines = [ - { ethernetAddress = "a8:a6:48:65:ce:4c"; hostName = "tv"; ipAddress = "10.42.0.3"; } - { ethernetAddress = "3c:2a:f4:22:28:37"; hostName = "drucker"; ipAddress = "10.42.0.4"; } - { ethernetAddress = "80:7d:3a:67:b7:01"; hostName = "s20-tv"; ipAddress = "10.42.0.10"; } - { ethernetAddress = "80:7d:3a:68:04:f0"; hostName = "s20-drucker"; ipAddress = "10.42.0.11"; } - { ethernetAddress = "80:7d:3a:68:11:a5"; hostName = "s20-wasch"; ipAddress = "10.42.0.12"; } - { ethernetAddress = "80:7d:3a:67:bb:69"; hostName = "s20-stereo"; ipAddress = "10.42.0.13"; } - { ethernetAddress = "ec:b5:fa:07:78:16"; hostName = "hue-bridge"; ipAddress = "10.42.0.21"; } - { ethernetAddress = "80:8d:b7:c5:80:dc"; hostName = "arubaAP"; ipAddress = "10.42.0.99"; } - ]; - }; - services.dnsmasq = { enable = true; resolveLocalQueries = false; @@ -45,22 +64,4 @@ with import <stockholm/lib>; interface=int0 ''; }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i int0 -p udp --dport 53"; target = "ACCEPT"; } # dns - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; predicate = "-d 10.42.0.0/24 -o int0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { v6 = false; predicate = "-s 10.42.0.0/24 -i int0"; target = "ACCEPT"; } - { v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; } - { v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; } - ]; } - diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index f8dd2f0d2..9dafe086c 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -18,22 +18,22 @@ with import <stockholm/lib>; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.OUTPUT.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; # TODO use bridge interfaces instead of this crap diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index d391e0d7b..6d07c7a77 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,8 +20,8 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/radio/container-host.nix b/lass/2configs/radio/container-host.nix new file mode 100644 index 000000000..e32095ffa --- /dev/null +++ b/lass/2configs/radio/container-host.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.radio = { + sshKey = "${toString <secrets>}/radio.sync.key"; + }; + containers.radio = { + bindMounts."/var/music" = { + hostPath = "/var/music"; + isReadOnly = false; + }; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + krebs.htgen.radio-redirect = { + port = 8000; + scriptFile = pkgs.writers.writeDash "redir" '' + printf 'HTTP/1.1 301 Moved Permanently\r\n' + printf "Location: http://radio.lassul.us''${Request_URI}\r\n" + printf '\r\n' + ''; + }; +} diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix index dfb3d7e0b..a511196fd 100644 --- a/lass/2configs/radio/default.nix +++ b/lass/2configs/radio/default.nix @@ -3,7 +3,7 @@ let name = "radio"; - music_dir = "/home/radio/music"; + music_dir = "/var/music"; skip_track = pkgs.writers.writeBashBin "skip_track" '' set -eu @@ -113,7 +113,7 @@ in { LIMIT=1000 #how many tracks to keep in the history HISTORY_FILE=/var/lib/radio/recent - listeners=$(${pkgs.curl}/bin/curl -fSs lassul.us:8000/status-json.xsl | + listeners=$(${pkgs.curl}/bin/curl -fSs http://localhost:8000/status-json.xsl | ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0) echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a "$HISTORY_FILE" echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE" @@ -128,14 +128,33 @@ in { serviceConfig.User = lib.mkForce "radio"; }; + nixpkgs.config.packageOverrides = opkgs: { + icecast = opkgs.icecast.overrideAttrs (old: rec { + version = "2.5-beta3"; + + src = pkgs.fetchurl { + url = "http://downloads.xiph.org/releases/icecast/icecast-${version}.tar.gz"; + sha256 = "sha256-4FDokoA9zBDYj8RAO/kuTHaZ6jZYBLSJZiX/IYFaCW8="; + }; + + buildInputs = old.buildInputs ++ [ pkgs.pkg-config ]; + }); + }; services.icecast = { enable = true; hostname = "radio.lassul.us"; admin.password = "hackme"; extraConf = '' <authentication> - <source-password>hackme</source-password> + <source-password>hackme</source-password> + <admin-user>admin</admin-user> + <admin-password>hackme</admin-password> </authentication> + <logging> + <accesslog>-</accesslog> + <errorlog>-</errorlog> + <loglevel>3</loglevel> + </logging> ''; }; @@ -234,18 +253,38 @@ in { ''; }; + networking.firewall.allowedTCPPorts = [ 80 ]; services.nginx = { enable = true; - virtualHosts."radio.lassul.us" = { - forceSSL = true; - enableACME = true; + virtualHosts."radio.r" = { locations."/".extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Real-IP $remote_addr; + # https://github.com/aswild/icecast-notes#core-nginx-config proxy_pass http://localhost:8000; + # Disable request size limit, very important for uploading large files + client_max_body_size 0; + + # Enable support `Transfer-Encoding: chunked` + chunked_transfer_encoding on; + + # Disable request and response buffering, minimize latency to/from Icecast + proxy_buffering off; + proxy_request_buffering off; + + # Icecast needs HTTP/1.1, not 1.0 or 2 + proxy_http_version 1.1; + + # Forward all original request headers + proxy_pass_request_headers on; + + # Set some standard reverse proxy headers. Icecast server currently ignores these, + # but may support them in a future version so that access logs are more useful. + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # get source ip for weather reports + proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; ''; locations."= /recent".extraConfig = '' default_type "text/plain"; @@ -266,7 +305,7 @@ in { while sleep 1; do mpv \ --cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \ - 'http://lassul.us:8000/radio.ogg' + 'http://radio.lassul.us/radio.ogg' done ''; locations."= /controls".extraConfig = '' @@ -278,35 +317,12 @@ in { add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; ''; }; - virtualHosts."lassul.us".locations."= /the_playlist".extraConfig = let - html = pkgs.writeText "index.html" '' - <!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="utf-8"> - <title>lassulus playlist</title> - </head> - <body> - <div style="display:inline-block;margin:0px;padding:0px;overflow:hidden"> - <iframe src="https://kiwiirc.com/client/irc.hackint.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe> - </div> - <div style="position:absolute;bottom:1px;display:inline-block;background-color:red;"> - <audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio> - </div> - <!-- page content --> - </body> - </html> - ''; - in '' - default_type "text/html"; - alias ${html}; - ''; }; services.syncthing.declarative.folders."the_playlist" = { - path = "/home/radio/music/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" ]; + path = "/var/music/the_playlist"; + devices = [ "mors" "phone" "prism" "omo" "radio" ]; }; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:X".parents = true; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:rwX" = {}; - krebs.acl."/home/radio/music/the_playlist"."u:radio:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true; + krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {}; } diff --git a/lass/2configs/radio/radio.liq b/lass/2configs/radio/radio.liq index 70d316043..1366287a7 100644 --- a/lass/2configs/radio/radio.liq +++ b/lass/2configs/radio/radio.liq @@ -10,7 +10,7 @@ def stringify_attrs(attrs) = out end -def filter_graveyard(req) = +def filter_music(req) = filename = request.filename(req) if string.match(pattern = '.*/\\.graveyard/.*', filename) then false @@ -27,7 +27,7 @@ end env = environment() port = string.to_int(env["RADIO_PORT"], default = 8000) -all_music = playlist(env["MUSIC"], check_next = filter_graveyard) +all_music = playlist(env["MUSIC"], check_next = filter_music) wishlist = request.queue() tracks = fallback(track_sensitive = true, [wishlist, all_music]) tracks = blank.eat(tracks) @@ -36,7 +36,7 @@ last_metadata = ref([]) def on_metadata(m) = last_metadata := m print("changing tracks") - out = process.read(env["HOOK_TRACK_CHANGE"], env = m) + out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0) print(out) end tracks.on_metadata(on_metadata) diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix index 704bf7218..dca8a7843 100644 --- a/lass/2configs/radio/weather.nix +++ b/lass/2configs/radio/weather.nix @@ -10,20 +10,25 @@ let export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.curl - pkgs.iproute2 - pkgs.jc pkgs.jq ]}" curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY - ss -no 'sport = :8000' | - jc --ss | jq -r '.[] | - select( - .local_address != "[::ffff:127.0.0.1]" - and .local_address != "[::1]" - ) | .peer_address | gsub("[\\[\\]]"; "") - ' | + ( + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.ogg' + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.mp3' + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.opus' + ) | jq -rs ' + [ + .[][].source|values|to_entries[].value | + (.listener//[]) [] | + (.useragent | capture("client-ip=(?<ip>[a-f0-9.:]+)")).ip // .ip + ] | + unique[] | + select(. != "127.0.0.1") | + select(. != "::1") + ' | ${weather_for_ips}/bin/weather_for_ips ''; in { diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py index 1f8489bd1..62206a985 100644 --- a/lass/2configs/radio/weather_for_ips.py +++ b/lass/2configs/radio/weather_for_ips.py @@ -3,32 +3,46 @@ import fileinput import json import requests import os +import random geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB']) seen = {} output = [] for ip in fileinput.input(): - location = geoip.city(ip.strip()) - if location.city.geoname_id not in seen: - seen[location.city.geoname_id] = True - weather_api_key = os.environ['OPENWEATHER_API_KEY'] - url = ( - f'https://api.openweathermap.org/data/2.5/onecall' - f'?lat={location.location.latitude}' - f'&lon={location.location.longitude}' - f'&appid={weather_api_key}' - f'&units=metric' - ) - resp = requests.get(url) - weather = json.loads(resp.text) + if "80.147.140.51" in ip: output.append( - f'Weather report for {location.city.name}, {location.country.name}. ' - f'It is {weather["current"]["weather"][0]["description"]} outside ' - f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' - f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' - f'and a humidity of {weather["current"]["humidity"]} percent. ' - f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + 'Weather report for c-base, space.' + 'It is empty space outside ' + 'with a temperature of -270 degrees, ' + 'a lightspeed of 299792 kilometers per second ' + 'and a humidity of Not a Number percent. ' + f'The probability of reincarnation is {random.randrange(0, 100)} percent.' ) + else: + try: + location = geoip.city(ip.strip()) + if location.city.geoname_id not in seen: + seen[location.city.geoname_id] = True + weather_api_key = os.environ['OPENWEATHER_API_KEY'] + url = ( + f'https://api.openweathermap.org/data/2.5/onecall' + f'?lat={location.location.latitude}' + f'&lon={location.location.longitude}' + f'&appid={weather_api_key}' + f'&units=metric' + ) + resp = requests.get(url) + weather = json.loads(resp.text) + output.append( + f'Weather report for {location.city.name}, {location.country.name}. ' + f'It is {weather["current"]["weather"][0]["description"]} outside ' + f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' + f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' + f'and a humidity of {weather["current"]["humidity"]} percent. ' + f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + ) + except: # noqa E722 + pass print('\n'.join(output)) diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index b8c9d4f8d..746bc069d 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -27,6 +27,15 @@ LocalDiscovery = no ''} ''; + tincUp = lib.mkIf config.systemd.network.enable ""; + }; + + systemd.network.networks.retiolum = { + matchConfig.Name = "retiolum"; + address = [ + "${config.krebs.build.host.nets.retiolum.ip4.addr}/16" + "${config.krebs.build.host.nets.retiolum.ip6.addr}/16" + ]; }; nixpkgs.config.packageOverrides = pkgs: { diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix new file mode 100644 index 000000000..559e7b20d --- /dev/null +++ b/lass/2configs/riot.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: +{ + containers.riot = { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + networking.defaultGateway = "10.233.1.1"; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.1.1"; + localAddress = "10.233.1.2"; + forwardPorts = [ + { hostPort = 45622; containerPort = 22; } + ]; + }; + + systemd.network.networks."50-ve-riot" = { + matchConfig.Name = "ve-riot"; + + networkConfig = { + IPForward = "yes"; + # weirdly we have to use POSTROUTING MASQUERADE here + # IPMasquerade = "both"; + LinkLocalAddressing = "no"; + KeepConfiguration = "static"; + }; + }; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ve-riot"; target = "ACCEPT"; } + { predicate = "-o ve-riot"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix index c01a11cc3..233ca8fb7 100644 --- a/lass/2configs/sync/the_playlist.nix +++ b/lass/2configs/sync/the_playlist.nix @@ -1,7 +1,7 @@ { services.syncthing.folders.the_playlist = { path = "/home/lass/tmp/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" ]; + devices = [ "mors" "phone" "prism" "omo" "radio" ]; }; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index 54257d2c4..a27e99ee2 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix @@ -16,13 +16,20 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ - { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [ + { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } + { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]); + systemd.network.networks.wiregrill = { + matchConfig.Name = "wiregrill"; + address = + (optional (!isNull self.ip4) "${self.ip4.addr}/16") ++ + (optional (!isNull self.ip6) "${self.ip6.addr}/48") + ; + }; networking.wireguard.interfaces.wiregrill = { ips = diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix new file mode 100644 index 000000000..d07c222c6 --- /dev/null +++ b/lass/2configs/yellow-host.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.yellow = { + sshKey = "${toString <secrets>}/yellow.sync.key"; + }; + containers.yellow.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/yellow/state"; + isReadOnly = false; + }; + containers.yellow.bindMounts."/var/download" = { + hostPath = "/var/download"; + isReadOnly = false; + }; +} diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/yellow-mounts/samba.nix index 4b1475ef3..e16f1cc47 100644 --- a/lass/2configs/prism-mounts/samba.nix +++ b/lass/2configs/yellow-mounts/samba.nix @@ -1,6 +1,6 @@ { - fileSystems."/mnt/prism" = { - device = "//prism.r/public"; + fileSystems."/mnt/yellow" = { + device = "//yellow.r/public"; fsType = "cifs"; options = [ "guest" diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix index 1371d5233..86aa40f03 100644 --- a/lass/3modules/sync-containers3.nix +++ b/lass/3modules/sync-containers3.nix @@ -28,6 +28,10 @@ in { type = lib.types.bool; default = false; }; + runContainer = lib.mkOption { + type = lib.types.bool; + default = true; + }; }; })); }; @@ -50,7 +54,8 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' set -efu - ln -frs /var/state/var_src /var/src + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src if test -e /var/src/nixos-config; then /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : fi @@ -64,7 +69,6 @@ in { privateNetwork = true; hostBridge = "ctr0"; bindMounts = { - "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; "/var/lib/self/disk" = { hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; isReadOnly = false; @@ -74,7 +78,7 @@ in { isReadOnly = false; }; }; - }) cfg.containers; + }) (lib.filterAttrs (_: ctr: ctr.runContainer) cfg.containers); systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ { "${ctr.name}_syncer" = { @@ -101,14 +105,14 @@ in { set -efux if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then touch "$HOME"/incomplete - rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk + rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk rm "$HOME"/incomplete fi ''} ''; }; }; } - { "${ctr.name}_watcher" = { + { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { path = with pkgs; [ coreutils consul @@ -136,7 +140,8 @@ in { ;; 200) # echo 'got 200 from kv, will check payload' - export payload=$(consul kv get containers/${ctr.name}) + payload=$(consul kv get containers/${ctr.name}) || continue + export payload if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then # echo 'we are the host, trying to reach container' if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then @@ -163,7 +168,7 @@ in { ''; }; }; } - { "${ctr.name}_scheduler" = { + { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils @@ -246,7 +251,7 @@ in { users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { }) cfg.containers; users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ - group = "container_${ctr.name}"; + group = "${ctr.name}_container"; isNormalUser = true; uid = slib.genid_uint31 "container_${ctr.name}"; home = "/var/lib/sync-containers3/${ctr.name}"; @@ -254,47 +259,51 @@ in { homeMode = "705"; })) cfg.containers; + environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" '' + set -efux + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.cryptsetup + pkgs.libxfs.bin + ]}:$PATH + truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk + cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey} + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} + mkfs.xfs /dev/mapper/${ctr.name} + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" '' + mkdir -p /var/state + ''} + '')) cfg.containers; }) (lib.mkIf (cfg.containers != {}) { # networking - networking.networkmanager.unmanaged = [ "ctr0" ]; - networking.interfaces.dummy0.virtual = true; - networking.bridges.ctr0.interfaces = [ "dummy0" ]; - networking.interfaces.ctr0.ipv4.addresses = [{ - address = "10.233.0.1"; - prefixLength = 24; - }]; - systemd.services."dhcpd-ctr0" = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Type = "forking"; - Restart = "always"; - DynamicUser = true; - StateDirectory = "dhcpd-ctr0"; - User = "dhcpd-ctr0"; - Group = "dhcpd-ctr0"; - AmbientCapabilities = [ - "CAP_NET_RAW" # to send ICMP messages - "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) - ]; - ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; - ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' - default-lease-time 600; - max-lease-time 7200; - authoritative; - ddns-update-style interim; - log-facility local1; # see dhcpd.nix - - option subnet-mask 255.255.255.0; - option routers 10.233.0.1; - # option domain-name-servers 8.8.8.8; # TODO configure dns server - subnet 10.233.0.0 netmask 255.255.255.0 { - range 10.233.0.10 10.233.0.250; - } - ''} ctr0"; + systemd.network.networks.ctr0 = { + name = "ctr0"; + address = [ + "10.233.0.1/24" + ]; + networkConfig = { + IPForward = "yes"; + IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; }; }; + systemd.network.netdevs.ctr0.netdevConfig = { + Kind = "bridge"; + Name = "ctr0"; + }; + networking.networkmanager.unmanaged = [ "ctr0" ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + { predicate = "-o ctr0"; target = "ACCEPT"; } + ]; }) (lib.mkIf cfg.inContainer.enable { users.groups.container_sync = {}; @@ -308,6 +317,17 @@ in { cfg.inContainer.pubkey ]; }; + + networking.useHostResolvConf = false; + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks.eth0 = { + matchConfig.Name = "eth0"; + DHCP = "yes"; + dhcpV4Config.UseDNS = true; + }; + }; }) ]; } diff --git a/lass/5pkgs/bruellwuerfel/default.nix b/lass/5pkgs/bruellwuerfel/default.nix deleted file mode 100644 index cb8f08fa8..000000000 --- a/lass/5pkgs/bruellwuerfel/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ yarn2nix-moretea, fetchFromGitHub, nodePackages, nodejs }: let - #src = ~/src/bruellwuerfel; - src = fetchFromGitHub { - owner = "krebs"; - repo = "bruellwuerfel"; - rev = "57e20e630f732ce4e15b495ec5f9bf72a121b959"; - sha256 = "08zwwl24sq21r497a03lqpy2x10az8frrsh6d38xm92snd1yf85b"; - }; - -in yarn2nix-moretea.mkYarnModules rec { - pname = "bruellwuerfel"; - version = "1.0"; - name = "${pname}-${version}"; - packageJSON = "${src}/package.json"; - yarnLock = "${src}/yarn.lock"; - postBuild = '' - cp -r ${src}/{src,tsconfig.json} $out/ - cd $out - ${nodePackages.typescript}/bin/tsc || : - mkdir -p $out/bin - echo '#!/bin/sh' > $out/bin/bruellwuerfel - echo "export NODE_PATH=$out/dist" >> $out/bin/bruellwuerfel - echo "${nodejs}/bin/node $out/dist/index.js" >> $out/bin/bruellwuerfel - chmod +x $out/bin/bruellwuerfel - ''; -} diff --git a/lass/5pkgs/install-system/default.nix b/lass/5pkgs/install-system/default.nix new file mode 100644 index 000000000..9a392e669 --- /dev/null +++ b/lass/5pkgs/install-system/default.nix @@ -0,0 +1,26 @@ +{ pkgs }: +pkgs.writers.writeDashBin "install-system" '' + set -efux + SYSTEM=$1 + TARGET=$2 + # format + if ! (sshn "$TARGET" -- mountpoint /mnt); then + nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '<nixpkgs/nixos>' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET" + fi + + # install dependencies + sshn "$TARGET" << SSH + nix-channel --update + nix-env -iA nixos.git + SSH + + # populate + $(nix-build --no-out-link "$HOME"/sync/stockholm/lass/krops.nix -A populate --argstr name "$SYSTEM" --argstr target "$TARGET"/mnt/var/src --arg force true) + + # install + sshn "$TARGET" << SSH + ln -s /mnt/var/src /var/src + NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /var/src + zpool export -fa + SSH +'' diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index d999a4334..27e59bb96 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,57 +1,82 @@ { pkgs }: -pkgs.writeDashBin "l-gen-secrets" '' - HOSTNAME="$1" +pkgs.writers.writeDashBin "l-gen-secrets" '' + set -efu + HOSTNAME=$1 TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + if [ "''${DRYRUN-n}" = "n" ]; then + trap 'rm -rf $TMPDIR' EXIT + else + echo "$TMPDIR" + set -x + fi + mkdir -p $TMPDIR/out + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + # ssh ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null - ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null - ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key - ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub - cat <<EOF > $TMPDIR/hashedPasswords.nix + ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/ + + # tor + ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 >/dev/null || : + ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv + + # tinc + ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc + ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv + + # wireguard + ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub + + # system passwords + cat <<EOF > $TMPDIR/out/hashedPasswords.nix { root = "$HASHED_PASSWORD"; mainUser = "$HASHED_PASSWORD"; } EOF - cd $TMPDIR - for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null - done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + set +f + if [ "''${DRYRUN-n}" = "n" ]; then + cd $TMPDIR/out + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null + fi + set -f cat <<EOF - $HOSTNAME = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.changeme"; - ip6.addr = r6 "changeme"; - aliases = [ - "$HOSTNAME.r" - ]; - tinc.pubkey = ${"''"} - $(cat $TMPDIR/retiolum.rsa_key.pub) - ${"''"}; - }; - wiregrill = { - ip6.addr = w6 "changeme"; - aliases = [ - "$HOSTNAME.w" - ]; - wireguard.pubkey = ${"''"} - $(cat $TMPDIR/wiregrill.pub) - ${"''"}; - }; + { r6, w6, ... }: + { + nets = { + retiolum = { + ip4.addr = "10.243.0.changeme"; + ip6.addr = r6 "changeme"; + aliases = [ + "$HOSTNAME.r" + ]; + tinc.pubkey = ${"''"} + $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /') + ${"''"}; + tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')"; + }; + wiregrill = { + ip6.addr = w6 "changeme"; + aliases = [ + "$HOSTNAME.w" + ]; + wireguard.pubkey = ${"''"} + $(cat $TMPDIR/wiregrill.pub) + ${"''"}; }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; }; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + } EOF - - rm -rf $TMPDIR '' - diff --git a/lib/default.nix b/lib/default.nix index 149b97a72..280f04299 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -39,6 +39,8 @@ let ne = x: y: x != y; mod = x: y: x - y * (x / y); + on = b: u: x: y: b (u x) (u y); + genid = lib.genid_uint32; # TODO remove genid_uint31 = x: ((lib.genid_uint32 x) + 16777216) / 2; genid_uint32 = import ./genid.nix { inherit lib; }; @@ -185,6 +187,30 @@ let in filter (x: x != []) ([acc.chunk] ++ acc.chunks); + # Filter adjacent duplicate elements. + uniq = uniqBy eq; + + # Filter adjacent duplicate elements determined via the given function. + uniqBy = cmp: let + f = a: s: + if length s == 0 then + [] + else let + b = head s; + in + if cmp a b then + f b (tail s) + else + [b] ++ f b (tail s); + in + s: + if length s == 0 then + [] + else let + b = head s; + in + [b] ++ f b (tail s); + warnOldVersion = oldName: newName: if compareVersions oldName newName != -1 then trace "Upstream `${oldName}' gets overridden by `${newName}'." newName diff --git a/lib/haskell.nix b/lib/haskell.nix index 4f0ee05ab..f87cfa761 100644 --- a/lib/haskell.nix +++ b/lib/haskell.nix @@ -39,7 +39,12 @@ rec { in if parse == null then (pkgs.writeText name s).overrideAttrs (old: { - dependencies = old.dependencies or [] ++ dependencies; + dependencies = + lib.uniq + (lib.sort (lib.on lib.lessThan (lib.getAttr "name")) + (filter + (lib.ne null) + (old.dependencies or [] ++ dependencies))); }) else diff --git a/lib/types.nix b/lib/types.nix index 67a0c6f1b..32b4541ae 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -18,9 +18,6 @@ rec { type = label; default = config._module.args.name; }; - cores = mkOption { - type = uint; - }; nets = mkOption { type = attrsOf net; default = {}; @@ -149,6 +146,14 @@ rec { }.${config._module.args.name} or { default = "${ip4.config.addr}/32"; }); + prefixLength = mkOption ({ + type = uint; + } // { + retiolum.default = 16; + wiregrill.default = 16; + }.${config._module.args.name} or { + default = 32; + }); }; })); default = null; @@ -168,6 +173,14 @@ rec { }.${config._module.args.name} or { default = "${ip6.config.addr}/128"; }); + prefixLength = mkOption ({ + type = uint; + } // { + retiolum.default = 32; + wiregrill.default = 32; + }.${config._module.args.name} or { + default = 128; + }); }; })); default = null; diff --git a/makefu/2configs/tools/init-host/default.nix b/makefu/2configs/tools/init-host/default.nix index d1d3f7195..84f8e7730 100644 --- a/makefu/2configs/tools/init-host/default.nix +++ b/makefu/2configs/tools/init-host/default.nix @@ -23,7 +23,6 @@ pkgs.writeDashBin "generate-secrets" '' cat <<EOF $HOSTNAME = { - cores = 1; owner = config.krebs.users.makefu; nets = { retiolum = { diff --git a/submodules/disko b/submodules/disko new file mode 160000 +Subproject df3a607ad7ee431f4831a51af2c464aa8a8813f diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix index 6ca62ac0d..b83d01f02 100644 --- a/tv/1systems/xu/config.nix +++ b/tv/1systems/xu/config.nix @@ -4,6 +4,7 @@ with import ./lib; imports = [ <stockholm/tv> + ../../2configs/autotether.nix <stockholm/tv/2configs/hw/x220.nix> <stockholm/tv/2configs/exim-retiolum.nix> <stockholm/tv/2configs/gitconfig.nix> diff --git a/tv/2configs/autotether.nix b/tv/2configs/autotether.nix new file mode 100644 index 000000000..43b5575c8 --- /dev/null +++ b/tv/2configs/autotether.nix @@ -0,0 +1,19 @@ +{ config, pkgs, ... }: let + cfg.serial = "17e064850405"; +in { + systemd.services.usb_tether.serviceConfig = { + SyslogIdentifier = "usb_tether"; + ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device"; + ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis"; + }; + services.udev.extraRules = /* sh */ '' + ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android" + + ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service" + ''; + systemd.network.networks.android = { + matchConfig.Name = "android"; + DHCP = "yes"; + }; +} diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index de77de381..1b176e0b9 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -11,6 +11,16 @@ with import ./lib; LocalDiscovery = yes ''; tincPackage = pkgs.tinc_pre; + tincUp = lib.mkIf config.systemd.network.enable ""; + }; + systemd.network.networks.retiolum = { + matchConfig.Name = "retiolum"; + address = let + inherit (config.krebs.build.host.nets.retiolum) ip4 ip6; + in [ + "${ip4.addr}/${toString ip4.prefixLength}" + "${ip6.addr}/${toString ip6.prefixLength}" + ]; }; tv.iptables.input-internet-accept-tcp = singleton "tinc"; tv.iptables.input-internet-accept-udp = singleton "tinc"; diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index e3a41a57b..71a1a597a 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -127,7 +127,7 @@ in { }) ]; - krebs.systemd.services.ejabberd = {}; + krebs.systemd.services.ejabberd.restartIfCredentialsChange = true; systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix index f19bfebcc..eb9b1ae4e 100644 --- a/tv/3modules/x0vncserver.nix +++ b/tv/3modules/x0vncserver.nix @@ -26,7 +26,7 @@ in { }; }; config = mkIf cfg.enable { - krebs.systemd.services.x0vncserver = {}; + krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true; systemd.services.x0vncserver = { after = [ "graphical.target" ]; requires = [ "graphical.target" ]; diff --git a/tv/5pkgs/simple/alacritty-tv.nix b/tv/5pkgs/simple/alacritty-tv.nix index 466ff27c5..d80c46cbb 100644 --- a/tv/5pkgs/simple/alacritty-tv.nix +++ b/tv/5pkgs/simple/alacritty-tv.nix @@ -70,8 +70,7 @@ pkgs.symlinkJoin { # Install stored configuration if it has changed. # This allows for both declarative updates and runtime modifications. ${pkgs.coreutils}/bin/mkdir -p "$HOME" - ref=$(${pkgs.coreutils}/bin/cat "$HOME"/ref) - if test "$ref" != ${config-file}; then + if test "$(${pkgs.coreutils}/bin/cat "$HOME"/ref)" != ${config-file}; then echo ${config-file} > "$HOME"/ref ${pkgs.coreutils}/bin/cp ${config-file} "$HOME"/.alacritty.yml fi |