-rw-r--r--krebs/3modules/ergo.nix53
-rw-r--r--krebs/3modules/external/default.nix4
-rw-r--r--krebs/3modules/external/mic92.nix8
-rw-r--r--krebs/3modules/external/ssh/kmein.pub3
-rw-r--r--krebs/3modules/krebs/default.nix1
-rw-r--r--krebs/3modules/systemd.nix22
-rw-r--r--krebs/3modules/tinc.nix15
7 files changed, 78 insertions, 28 deletions
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 0ce0345d8..3153e4cfc 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -6,6 +6,7 @@
type = (pkgs.formats.json {}).type;
description = ''
Ergo IRC daemon configuration file.
+ https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
'';
default = {
network = {
@@ -34,19 +35,34 @@
};
};
datastore = {
+ autoupgrade = true;
path = "/var/lib/ergo/ircd.db";
};
accounts = {
authentication-enabled = true;
registration = {
enabled = true;
- email-verification = {
- enabled = false;
+ allow-before-connect = true;
+ throttling = {
+ enabled = true;
+ duration = "10m";
+ max-attempts = 30;
};
+ bcrypt-cost = 4;
+ email-verification.enabled = false;
+ };
+ multiclient = {
+ enabled = true;
+ allowed-by-default = true;
+ always-on = "opt-in";
+ auto-away = "opt-in";
};
};
channels = {
- default-modes = "+nt";
+ default-modes = "+ntC";
+ registration = {
+ enabled = true;
+ };
};
limits = {
nicklen = 32;
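Review bot: `bcrypt-cost = 4`, added right after the throttling block, is the lowest cost bcrypt accepts, so every account password registered from now on gets the cheapest available hashing, and nothing in the hunk says why that was preferred over a higher cost. A one-line comment would stop the next reader from treating it as an accident or silently raising it, e.g. `# 4 is bcrypt's minimum cost; <reason for favouring login speed over hash strength> (placeholder)`. The `registration` and `multiclient` blocks are the only new sections here; the enclosing `default = { … }` attribute set continues outside the hunk.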
@@ -56,6 +72,31 @@
kicklen = 390;
topiclen = 390;
};
+ history = {
+ enabled = true;
+ channel-length = 2048;
+ client-length = 256;
+ autoresize-window = "3d";
+ autoreplay-on-join = 0;
+ chathistory-maxmessages = 100;
+ znc-maxmessages = 2048;
+ restrictions = {
+ expire-time = "1w";
+ query-cutoff = "none";
+ grace-period = "1h";
+ };
+ retention = {
+ allow-individual-delete = false;
+ enable-account-indexing = false;
+ };
+ tagmsg-storage = {
+ default = false;
+ whitelist = [
+ "+draft/react"
+ "+react"
+ ];
+ };
+ };
};
};
};
@@ -64,13 +105,17 @@
cfg = config.krebs.ergo;
configFile = pkgs.writeJSON "ergo.conf" cfg.config;
in lib.mkIf cfg.enable ({
+ environment.etc."ergo.yaml".source = configFile;
krebs.ergo.config =
lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default;
systemd.services.ergo = {
description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ restartTriggers = [ configFile ];
serviceConfig = {
- ExecStart = "${pkgs.ergo}/bin/ergo run --conf ${configFile}";
+ ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
+ ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
};
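Review bot: With `reloadIfChanged = true` every change to `configFile` is now applied through `ExecReload` (`kill -HUP`) instead of a restart, so if ergo cannot apply a given setting on rehash, that change stays inactive until something else restarts the unit, and nothing in the hunk documents this. A comment next to `reloadIfChanged` would make the trade-off visible, e.g. `# config changes are applied by rehash (SIGHUP); settings ergo does not rehash need a manual restart`. It is also worth a note on the `environment.etc."ergo.yaml"` line that the file is JSON produced by `writeJSON` (valid YAML) and that the stable `/etc/ergo.yaml` path is what lets the rehash pick up a new store path. The `lib.mkIf cfg.enable ({ … })` block continues outside the hunk.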
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 4a87c3501..4c4e53f2f 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -253,12 +253,12 @@ in {
};
};
- pinpox-ahorn = {
+ ahorn = {
owner = config.krebs.users.pinpox;
nets = {
retiolum = {
ip4.addr = "10.243.100.100";
- aliases = [ "pinpox-ahorn.r" ];
+ aliases = [ "ahorn.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAyfCuWUYEqp4vEt+a6DRvFpIrBu+GlkpNs/mE4OHzATQLNnWooOXQ
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index b1e11b452..f8c371b7f 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -173,7 +173,7 @@ in {
};
retiolum = {
via = internet;
- aliases = [ "eve.r" ];
+ aliases = [ "eve.r" "tts.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
@@ -300,6 +300,11 @@ in {
};
yasmin = {
owner = config.krebs.users.mic92;
+ nets.internet = {
+ ip4.addr = "131.159.102.7";
+ ip6.addr = "2a09:80c0:102::7";
+ aliases = [ "yasmin.i" ];
+ };
nets.retiolum = {
ip4.addr = "10.243.29.197";
aliases = [
@@ -674,7 +679,6 @@ in {
owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
- ip4.addr = "10.243.29.169";
aliases = [ "bernie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
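Review bot: Dropping `ip4.addr` leaves bernie's `retiolum` net with only `aliases = [ "bernie.r" ]` and whatever the hunk does not show; if no `ip6.addr` remains, any hosts-file or DNS generation that keys on the address will either skip `bernie.r` or fail evaluation, and the commit does not say which is intended. If the host is being decommissioned or moved to IPv6-only, a short comment on the `retiolum = {` line (or removing the alias together with the address) would make that explicit. The `nets = rec { … }` block continues past the hunk.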
diff --git a/krebs/3modules/external/ssh/kmein.pub b/krebs/3modules/external/ssh/kmein.pub
index 5711a2c1c..8eade3498 100644
--- a/krebs/3modules/external/ssh/kmein.pub
+++ b/krebs/3modules/external/ssh/kmein.pub
@@ -1 +1,2 @@
-ssh-rsa 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 kieran.meinhardt@gmail.com
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
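Review bot: Both replacement keys omit the trailing comment field that the removed `ssh-rsa` line carried (`kieran.meinhardt@gmail.com`), so the file no longer records which device or purpose each ed25519 key belongs to, which is exactly the information needed when one of them has to be revoked later. Appending a comment to each line costs nothing and is ignored by sshd, e.g. `ssh-ed25519 AAAAC3…DyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk kmein@<device-1>` with the placeholder filled in per key.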
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 1b5d903cb..5e0e69924 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -92,6 +92,7 @@ in {
h5ZUzfd1r1pTzQ0nYD5aRtlDd7zP7y5tUwIDAQAB
-----END RSA PUBLIC KEY-----
'';
+ tinc.pubkey_ed25519 = "ugy/sGReVro3YzjDuroV/5hdeBdqD18no9dMhTy9DYL";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 294f80a3c..194e8b24a 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -5,18 +5,18 @@
default = {};
type = lib.types.attrsOf (lib.types.submodule {
options = {
- ifCredentialsChange = lib.mkOption {
- default = "restart";
+ restartIfCredentialsChange = lib.mkOption {
+ # Enabling this by default only makes sense here as the user already
+ # bothered to write down krebs.systemd.services.* = {}. If this
+ # functionality gets upstreamed to systemd.services, restarting
+ # should be disabled by default.
+ default = true;
description = ''
- Whether to reload or restart the service whenever any its
- credentials change. Only credentials with an absolute path in
- LoadCredential= are supported.
+ Whether to restart the service whenever any of its credentials
+ change. Only credentials with an absolute path in LoadCredential=
+ are supported.
'';
- type = lib.types.enum [
- "reload"
- "restart"
- null
- ];
+ type = lib.types.bool;
};
};
});
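Review bot: `ifCredentialsChange` is renamed to `restartIfCredentialsChange` and retyped from `enum [ "reload" "restart" null ]` to `bool` without any compatibility shim, so a host that still sets `krebs.systemd.services.<name>.ifCredentialsChange` now fails evaluation with a generic undefined-option error rather than a message pointing at the rename. The submodule can carry the shim itself: add `imports = [ (lib.mkRemovedOptionModule [ "ifCredentialsChange" ] "Use restartIfCredentialsChange (bool) instead; reload is no longer supported.") ];` next to `options = {`. The new description should also state what happens when the option is false (whether the trigger unit is still generated), since the hunk's bool replaces a `null` value that previously expressed "do nothing".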
@@ -40,7 +40,7 @@
lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
serviceConfig = {
Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange} ${lib.shell.escape serviceName}";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
};
}
) config.krebs.systemd.services;
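Review bot: Nothing in this hunk consults `restartIfCredentialsChange`: the trigger unit is generated with `systemctl restart` for every entry of `config.krebs.systemd.services`, so unless the attribute set is filtered before line 40 (outside the hunk), setting the new option to `false` changes nothing and the old `null` behaviour is lost. If it is not filtered elsewhere, map over `(lib.filterAttrs (_: cfg: cfg.restartIfCredentialsChange) config.krebs.systemd.services)` instead. The `mapAttrs'` lambda that binds `serviceName` and `cfg` starts outside the hunk.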
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index a18248351..21ddde1c6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -222,12 +222,6 @@ with import <stockholm/lib>;
nameValuePair netname {}
) config.krebs.tinc;
- environment.etc = mapAttrs' (netname: cfg:
- nameValuePair "tinc/${netname}" {
- source = cfg.confDir;
- }
- ) config.krebs.tinc;
-
krebs.systemd.services = mapAttrs (netname: cfg: {
}) config.krebs.tinc;
@@ -239,8 +233,6 @@ with import <stockholm/lib>;
cfg.iproutePackage
cfg.tincPackage
];
- reloadIfChanged = true;
- restartTriggers = [ cfg.confDir ];
serviceConfig = {
Restart = "always";
LoadCredential = filter (x: x != "") [
@@ -249,6 +241,13 @@ with import <stockholm/lib>;
)
"rsa_key:${cfg.privkey}"
];
+ ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
+ ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
+ ${pkgs.rsync}/bin/rsync -vaL --delete \
+ --chown ${cfg.user.name} \
+ --chmod u=rwX,g=rX \
+ ${cfg.confDir}/ /etc/tinc/${netname}/
+ '';
ExecStart = toString [
"${cfg.tincPackage}/sbin/tincd"
"-D"