diff options
Diffstat (limited to 'kartei/makefu')
59 files changed, 694 insertions, 0 deletions
diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix new file mode 100644 index 000000000..f9997b2d2 --- /dev/null +++ b/kartei/makefu/default.nix @@ -0,0 +1,393 @@ +## generate keys with: +# tinc generate-keys +# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host + +with import ../../lib; +{ config, ... }: let + + hostDefaults = hostName: host: foldl' recursiveUpdate {} [ + { + owner = config.krebs.users.makefu; + } + # Retiolum defaults + (let + pubkey-path = ./retiolum + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.retiolum = { + tinc.pubkey = readFile pubkey-path; + aliases = [ + "${hostName}.r" + ]; + ip6.addr = + (krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address; + }; + }) + # Retiolum ed25519 keys + (let + pubkey-path = ./retiolum + "/${hostName}_ed25519.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.retiolum.tinc.pubkey_ed25519 = readFile pubkey-path; + }) + # Wiregrill defaults + (let + pubkey-path = ./wiregrill + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + nets.wiregrill = { + aliases = [ + "${hostName}.w" + ]; + ip6.addr = + (krebs.genipv6 "wiregrill" "makefu" { inherit hostName; }).address; + wireguard.pubkey = readFile pubkey-path; + }; + }) + # SSHD defaults + (let + pubkey-path = ./sshd + "/${hostName}.pub"; + in optionalAttrs (pathExists pubkey-path) { + ssh.pubkey = readFile pubkey-path; + # We assume that if the sshd pubkey exits then there must be a privkey in + # the screts store as well + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + }) + host + ]; + + pub-for = name: builtins.readFile (./ssh + "/${name}.pub"); + w6 = ip: (krebs.genipv6 "wiregrill" "makefu" ip).address; +in { + hosts = mapAttrs hostDefaults { + cake = rec { + cores = 4; + ci = false; + nets = { + retiolum.ip4.addr = "10.243.136.236"; + }; + }; + crapi = rec { # raspi1 + cores = 1; + ci = false; + nets = { + retiolum.ip4.addr = "10.243.136.237"; + }; + }; + firecracker = { + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.12.12"; + }; + }; + + studio = rec { + ci = false; + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.227.163"; + }; + }; + fileleech = rec { + ci = false; + cores = 4; + nets = { + retiolum.ip4.addr = "10.243.113.98"; + }; + }; + tsp = { + ci = true; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.0.212"; + }; + }; + x = { + ci = true; + cores = 4; + syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; + nets = { + retiolum.ip4.addr = "10.243.0.91"; + wiregrill = { + # defaults + }; + }; + + }; + filepimp = rec { + ci = false; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.153.102"; + }; + }; + + omo = rec { + ci = true; + cores = 2; + syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; + nets = { + retiolum = { + ip4.addr = "10.243.0.89"; + aliases = [ + "omo.r" + "dcpp.omo.r" + "backup.makefu.r" + "torrent.omo.r" + "music.omo.r" + "music.makefu.r" + ]; + }; + }; + }; + wbob = rec { + ci = true; + cores = 4; + nets = { + retiolum = { + ip4.addr = "10.243.214.15"; + aliases = [ + "wbob.r" + "hydra.wbob.r" + "log.wbob.r" + ]; + }; + }; + }; + latte = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + latte.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 4; + nets = rec { + internet = { + ip4.addr = "178.254.30.202"; + ip6.addr = "2a00:6800:3:18c::2"; + aliases = [ + "latte.i" + ]; + }; + #wiregrill = { + # via = internet; + # ip4.addr = "10.244.245.1"; + # ip6.addr = w6 "1"; + # wireguard.port = 51821; + # wireguard.subnets = [ + # (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + # "10.244.245.0/24" # required for routing directly to gum via rockit + # ]; + #}; + retiolum = { + via = internet; + ip4.addr = "10.243.0.214"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "latte.r" + "torrent.latte.r" + ]; + }; + }; + }; + gum = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + rss.euer IN A ${nets.internet.ip4.addr} + o.euer IN A ${nets.internet.ip4.addr} + bw.euer IN A ${nets.internet.ip4.addr} + bookmark.euer IN A ${nets.internet.ip4.addr} + boot IN A ${nets.internet.ip4.addr} + boot.euer IN A ${nets.internet.ip4.addr} + cache.euer IN A ${nets.internet.ip4.addr} + cache.gum IN A ${nets.internet.ip4.addr} + cgit.euer IN A ${nets.internet.ip4.addr} + dl.euer IN A ${nets.internet.ip4.addr} + dns.euer IN A ${nets.internet.ip4.addr} + dockerhub IN A ${nets.internet.ip4.addr} + euer IN A ${nets.internet.ip4.addr} + euer IN MX 1 aspmx.l.google.com. + ghook IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + gold IN A ${nets.internet.ip4.addr} + graph IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. + iso.euer IN A ${nets.internet.ip4.addr} + feed.euer IN A ${nets.internet.ip4.addr} + board.euer IN A ${nets.internet.ip4.addr} + etherpad.euer IN A ${nets.internet.ip4.addr} + mediengewitter IN CNAME over.dose.io. + mon.euer IN A ${nets.internet.ip4.addr} + netdata.euer IN A ${nets.internet.ip4.addr} + nixos.unstable IN CNAME krebscode.github.io. + photostore IN A ${nets.internet.ip4.addr} + pigstarter IN CNAME makefu.github.io. + share.euer IN A ${nets.internet.ip4.addr} + wg.euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + wikisearch IN A ${nets.internet.ip4.addr} + + meet.euer IN A ${nets.internet.ip4.addr} + work.euer IN A ${nets.internet.ip4.addr} + admin.work.euer IN A ${nets.internet.ip4.addr} + push.work.euer IN A ${nets.internet.ip4.addr} + api.work.euer IN A ${nets.internet.ip4.addr} + maps.work.euer IN A ${nets.internet.ip4.addr} + play.work.euer IN A ${nets.internet.ip4.addr} + ul.work.euer IN A ${nets.internet.ip4.addr} + music.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 8; + nets = rec { + internet = { + ip4.addr = "142.132.189.140"; + ip6.addr = "fe80::9400:1ff:fe24:33f4"; + aliases = [ + "gum.i" + ]; + }; + wiregrill = { + via = internet; + ip4.addr = "10.244.245.1"; + ip6.addr = w6 "1"; + wireguard.port = 51821; + wireguard.subnets = [ + (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + "10.244.245.0/24" # required for routing directly to gum via rockit + ]; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.0.213"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "gum.r" + "blog.gum.r" + "blog.makefu.r" + "cache.gum.r" + "cgit.gum.r" + "dcpp.gum.r" + "dcpp.nextgum.r" + "graph.makefu.r" + "logs.makefu.r" + "netdata.makefu.r" + "nextgum.r" + "o.gum.r" + "search.makefu.r" + "stats.makefu.r" + "torrent.gum.r" + "tracker.makefu.r" + "wiki.gum.r" + "wiki.makefu.r" + "warrior.gum.r" + "rss.makefu.r" + "sick.makefu.r" + "dl.gum.r" + "dl.makefu.r" + ]; + }; + }; + }; + + sdev = rec { + ci = true; + cores = 1; + nets = { + retiolum.ip4.addr = "10.243.83.237"; + }; + }; + + +# non-stockholm + + flap = rec { + cores = 1; + extraZones = { + "krebsco.de" = '' + flap IN A ${nets.internet.ip4.addr} + ''; + }; + nets = { + internet = { + ip4.addr = "162.248.11.162"; + aliases = [ + "flap.i" + ]; + }; + retiolum = { + ip4.addr = "10.243.211.172"; + }; + }; + }; + + nukular = rec { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.231.219"; + }; + }; + }; + + + shackdev = rec { # router@shack + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.2"; + }; + + rockit = rec { # router@home + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.3"; + }; + + senderechner = rec { + cores = 2; + nets = { + retiolum = { + ip4.addr = "10.243.0.163"; + }; + }; + }; + }; + users = rec { + makefu = { + mail = "makefu@x.r"; + pubkey = pub-for "makefu.x"; + pgp.pubkeys.default = builtins.readFile ./pgp/default.asc; + pgp.pubkeys.brain = builtins.readFile ./pgp/brain.asc; + }; + makefu-omo = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.omo"; + }; + makefu-tsp = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.tsp"; + }; + makefu-vbob = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.vbob"; + }; + makefu-tempx = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.tempx"; + }; + makefu-android = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.android"; + }; + makefu-remote-builder = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.remote-builder"; + }; + makefu-bob = { + inherit (makefu) mail pgp; + pubkey = pub-for "makefu.bob"; + }; + }; +} diff --git a/kartei/makefu/pgp/brain.asc b/kartei/makefu/pgp/brain.asc new file mode 100644 index 000000000..739385a38 --- /dev/null +++ b/kartei/makefu/pgp/brain.asc @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFXn/k4BEACmXMbhoAKsMC/gFqBrQq2mgvo8+FnUe4F6JznVh7NiPH0PUdDw +jRnK2EEpD+NoDt3A0jtq6C+wnr1V+p/jYAPxRcvv8a7ym+xuA4sBIPrlW1fQIuWF +EjYnUVnN16Qa1xJiQQyEDeleAxgg0luOdqBZ0myT84a9O0deN8JM+zwqT/+sLY9c +2fVGNv496/mt7Ct294QbS6cfdR26r8PZ1Wfo8cr8UhFfFft0TE267HJdoJ8NBvH/ +BSEcoaS3kaxk2YyOdAJ1RgEoQY2w1/jeZv5IUyO7azAQUhbqBK7nVbgUd2l3nf4v +qmgNvvtcAlccY6L2M8BR6TI4Yw2hfbLOHPVTNjFlMXXX/MDYFFF9+GqmYOjyy5dy +8m4qA4ZEoHG9XT+xsZAsHJRFPBacSp2ydoVdlkJsEQnabb78NXLusgBBxhOmvVHe +5SeIvsrpn83/aIeHpLUQbzUdK3osERZUBTp9Pr0+dB+UkqThjE3MPntKcawm4cGN +dXY6iNXH4gGPOjb5ed0OzDiRS2bVyb0/F2wYXvIPE2e0CwJ0io2rRT410HfpFkWD +OPENdlNYb6FCXc4fpGxdtFL0hE6RZqBvwQAN9iDkEj+DxEwUc+yyroFRI25y+T1z +68T0xqVfKXUqcOmsACKtjlQ5QcikCj8kC9bNDln7v1Q9argSEJXJDdf3cwARAQAB +tBhwdyB1c2VyIDxyb290QGxvY2FsaG9zdD6JAjgEEwECACIFAlXn/k4CGwMGCwkI +BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEDtOh4EJ4fmcIecP/1+HMD22wilyb3hQ +QLKz+Wx37ZM6w0p9o0lMEeeUpcYPtWeVBqID6vxmqFwIOU5LtkHiE0yO8AcW7TYx +14Ql3mPWd594fKXr04mN9RM9wTr09S0P4nqKuq0cR3x5s4C30DoKoUqt3ZKSZRW/ +4suhvebfYiTjlE5joH4lZy7bMaH2HpvLacZXGcyH7cmYfLuZekf1kNXRDh40IgrH +uzsXFoflhLEZouKWiV3mWFo1iIckvTDrFNHuJj5oHP2D3J1RYdbPNP+5yOu/34mt +wPK/R6MxXY+zKWZWU59Ll5nx+2wUkIP/MaE9Ubx1W0UdeB4In/Y/HhV2fwd9DFsq +cbKofeDRblEdaaTjiqc1MjSxyhPplApgG4389gXX4vszAuyxBq6AecJobYkzmVek +EOJVVqDFoT+a70p5hWMP5nQV7dE3jyy1esm6cjF9iv0cRf/GqZAIiNdeo9av56OO +H5uwamTwcRrDsy4xWzowUfJDB+nJzlXw08aQRTfczCZ3n5hXvqqxuoweH08hfm/S +oa0gU95mCkHYbscaxjXnkEgbuvCiVRhDqd8rZpi5WxNV63zHIaoeXIPVJH0zswIJ +MT2LofWB8W8in48rmRvUdzZlm/++c/9+evNyNyAyOmdRk6fP0nHdRmuINyeKc67P +0BrVstk/cywbNbpNBt+2uUJCemBBuQINBFXn/k4BEADQYsT81uL8XE9homHLRai0 +3Xo/gVe5lwXWouzzVImEQIICvmBCjdzA1nPfKvdBcFsBfOro6aefETq/cZeL16It +zJKhh2HDJ/7oCuJM0OufkwoSBwJ4f0I+0zXsPZV0+P1ijPaKunYW+YpoFm3z8rLc +iX/kxYRgo13jCNphL/TKOoq3ZTREzDcBk9QR8yLTV5i0j1qrlIsAx7iTv1jrC1L6 +fBZm40+wn0ahz9IgBWWv588i+1f7ekKQBYXi9n2+hSfMQ0ebhW14xG72eXDzV14Q +Yra+FNMOCeKhmHH9PnVw0NkwRPbtL92ZySeFMHxhYnBPckqBUuEO12TXUMWA9fzj +rpBjJWEtCRCeaSLAe5Nzleb09NKO3z4ghwedef/Cz8XZ+XDIpE/1yTQy0lSuLosw +ScmwG9UPYxpWWqJmC+H6GQ0qQmCgmPYG8b20JvnqROmsLooC/xmf4seT8J+fYpKt +fkQiuOd8RecW+1jyfr7qy2S3roNgNl7hyzlIHmtGnn3rYC4uCe4VjosvcPmnXP6N +Jcck3dQnFxmE+/JS1zdH47nDGJsn5fFrArdfU9DLGjU/L7BJt99vIvif89B2FF/n +0cR7bLeY72P1oJw+tgrsjo9uaS9u9vk/J8+Rhf3TIqbHfFh7/42sdkgk3Mqha+Bn +wAOpUP3tjdDTwow9/2iYjQARAQABiQIfBBgBAgAJBQJV5/5OAhsMAAoJEDtOh4EJ +4fmcTy8P/03eVL9GoarIjwRxYY8U23fU4xNIypkNrjspjJHVRcKJFCyA2/R9toKf +0XGJIM2fwBo6beH0rinq8Xm8hrT/gFIWupuDLSTR/km0UD6CtfFOIt+5jw3c5mMR +u9DbSWAiRYGzQKYYZUy5mdMG/kokDRSm5D0lO+YnLZtpECZn/Zi5rPKzbGyMus+a +fm8a/eNko+Eg6j8FSYBm+d8SKYdoLJN3R7hYji7JuERMs+UZMsuriSAn2Af2Jn1I +hc7fiwotrMdNifyWCtYqiFvcrsm8K8EC2J0KsieydBHwCuamlqTrjqVejbITD8Jl +ghTGNHe/crP7/XKTjKva+1+VJAHDLylZgcArQSKa+SsWB/GoKB0x9UEWThJ1DLi4 +j2GhNlCIYZtPBQMu3+2btDj0A3IUQp4aW0nd5+0zz0H7JVrl+pI37uUxTiXCZG9X +fjXrcP3niJhraHTG8mWD1v8+cG3NXpv/IZN82Z+sQlpabwjpybag2CeTfhEoFtEl +V6ez9wpgBKeDsLDLOB8VRgpsikw9f6H8GAUZe2PjKUwiDtptqa37nU+3A6wPiO2s +AWT/7D6vhMpDncp7E9DcsmsU9LNt7D+ISqi4uLKYJcfmqbJOui2YFo3zsYP8TqQD +JTZ1lSpFpipJpi6mAzQUS4P3H+aUjeW/LWiSS/YNmGIOAUeB6Y3c +=rEQB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/kartei/makefu/pgp/default.asc b/kartei/makefu/pgp/default.asc new file mode 100644 index 000000000..bc5c50b76 --- /dev/null +++ b/kartei/makefu/pgp/default.asc @@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBE6quoQBEACemTuY0Ujeygxdyds3ugPbKuIsJMCQSdXAKsCkH4vV5qam8rQP +AabpYyQfew9nCUCJa4NkKFrLnGz4d7rl1u5ihVqMctYeJqZdtX88DqqNKQXoqKQv +crF5hcZmUtbGe5eyoMV55hiODPVPTVra6pbxWwhqa0pYeXEyDy1BPoqgcP0DUFho +yBeoyw71ujgdJZvl5rq6ZVjTGuToNKHn5UBDMu6n0rl9Ha7ukL4Gx8hOhmK8yv87 +zuUzBRQkTgoC48JA3Bt0kb15ghbOV7D411ZhmhEqWwE/OBk3//6MOGu24Mm0OG8J ++tbEMysck0LYe5q5U/2cmGsqlwV6FXLmnPOj6H4XtdTBDVXo/Hp6A8mVR1sSDopc +/2TnTwv0cdGOIS1CgxUc/qS6a8h+2UGaLSPnuPBWom163YbO/vgj8Th5q3N2DiRO +EP+mGCKn1/cghU7WjMny8z59A7SeZ0rRN8KaMlFEZMlgtQf7/6EjL5Ulo5H0vb2m +G5lAfW5xz55Y6M06sEl2wJ4pkgt+jeWRItKQvyqcdFEfiJfuP0+ESmQIMvz2ZnDC +ZJzpmjP5uDwqu5THcTHvJ/ptSHRtXEiqqwrpQ0dqtwxLMJtIdgOohVoPAUNTTXcy +XmL0qZsLFI2We2v0jgYMcYw1gswsksMLLmnVWlAsBqCALRyu4Ptxrkg9NwARAQAB +tB5tYWtlZnUgPHJvb3RAc3ludGF4LWZlaGxlci5kZT6JAjgEEwECACIFAk6quoQC +GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMk6uSvVJeKfr5UP/3vvBlZQ +9DjLRBx9YUjbq34LDl/wdDX7Fwsdb+TccUiOgKW2RAXbdnff2r5VRn4VSDUYoFfN +qtDrxKl04IWeVwiaTjCJdXp6veSpov5GcmARgPUow8v9Eu2gZw0o1LvW7NFP5e3u +YxmSTrlVGZMTCkwIkYoaETseCE0qsahWD0zCM19rAEuTkwKOQo58mXFUzNq829Ex +OAv4zIQE6V7SKKOZzXhvBu3s1ql1SDfmciaszMlwwPtwgFBkg1HrFvuimU7zqGkf +wQpWt91j8kJZdAC8iUf/7UNh/VZu+n9jtmynunRrY2PgPh6LgeDmiaTbVfHX51/3 +R01dzzTk0dnqwosNoc1u8Xsb/rTs9LDsncteUGKgiEh+LRjouGGh/C1g58dkF0wP +S00dgnEhI9d8ui/yTPa47l3zDSa/m6Nq6oEGVbZDivNDuTV1jfhrs0v3kx50aK0O +y+exKMmgxoxeCMZs53iHXiXAcsHSj+Gue6W2jDvRjaPqfxnM3GNd7y9ix8IF43R6 +n1oAZo7zWA4a5iq8yvBTjKqyDJAKu8C4kYM/9FMJlDgUjWYvNI4BiG1iw0iGVAjt +JHz/QEM/7Mg7fw1rtJB/A9ezLJGyiDcc5GwrLIVl6U8stNWF0ZqgtwWKF1lm0Faj +mPRDdOVZNTPw61YNqHJGdHVBD0usx3Xg/4V6tC5GZWxpeCBSaWNodGVyIDxGZWxp +eC5SaWNodGVyQHN5bnRheC1mZWhsZXIuZGU+iQI4BBMBAgAiBQJSpxSDAhsDBgsJ +CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDJOrkr1SXin4w8D/9QY5oTvCmFERHR +uUgGyU1hPomIE6RrSxoeqHsMUhUuqNeWYk0T/Oju/sZLlWUuBZHLTXeGPyFEe0/n +6ys4cqTSwCKUdB0kQO3GAzPKGmC6C5trQaMpY+A6yVi3He6rN37+XjfjrY+o7Rbl +s8K6S3jR/f/MSODjRnGNPTLsuDYKo+d4RwlWv2G+RFHueh4/aef0s3lzoDbmdJiW +zXaTqiCKgG34GzQO4hs6MsyG9mJo05qXvMAGgCyRDJkbcmwjgQonlEi6TIJyQ3J2 +CNLrl2UW5eUFKnZbWGZYL7Ojsq0UnRna6z1L4sxk1kCLxn1Gz8RiisJ1bUOM85vZ +dTyFTb9+iC43c2IbLpF139ic+hb6dYJC392cOwrT2UgfUuzqocY2V/HXjVsqsNtL +t4tnoZkZhjFMaUe5FQbUYwtA2IqqrqD7iC7ULtclYa2tvW2HIAs4VjocWxfbgY4b +He99Ma5xSNL171a34n2ZayjsI8cbYtHvVPTZ8Zs6xqsz8D+o+m0bBxGobOAkb6yN +UUdZjo5Jdcr2AxAITEgzgzcWR0sCbn+6Jj7XJuz2SYEtO |