Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/ergo.nix | 53 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/external/ssh/kmein.pub | 3 | ||||
-rw-r--r-- | krebs/3modules/krebs/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/systemd.nix | 22 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 15 |
7 files changed, 78 insertions, 28 deletions
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 0ce0345d8..3153e4cfc 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -6,6 +6,7 @@ type = (pkgs.formats.json {}).type; description = '' Ergo IRC daemon configuration file. + https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml ''; default = { network = {
@@ -34,19 +35,34 @@ }; }; datastore = { + autoupgrade = true; path = "/var/lib/ergo/ircd.db"; }; accounts = { authentication-enabled = true; registration = { enabled = true; - email-verification = { - enabled = false; + allow-before-connect = true; + throttling = { + enabled = true; + duration = "10m"; + max-attempts = 30; }; + bcrypt-cost = 4; + email-verification.enabled = false; + }; + multiclient = { + enabled = true; + allowed-by-default = true; + always-on = "opt-in"; + auto-away = "opt-in"; }; }; channels = { - default-modes = "+nt"; + default-modes = "+ntC"; + registration = { + enabled = true; + }; }; limits = { nicklen = 32;
@@ -56,6 +72,31 @@ kicklen = 390; topiclen = 390; }; + history = { + enabled = true; + channel-length = 2048; + client-length = 256; + autoresize-window = "3d"; + autoreplay-on-join = 0; + chathistory-maxmessages = 100; + znc-maxmessages = 2048; + restrictions = { + expire-time = "1w"; + query-cutoff = "none"; + grace-period = "1h"; }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + }; }; }; }; 
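Review bot: `bcrypt-cost = 4;` in the new `registration` block is the lowest cost bcrypt accepts, so the account password hashes ergo stores in its datastore become far cheaper to brute-force offline than with upstream's shipped default (a noticeably higher cost, 9 if I recall default.yaml correctly). If the value was lowered deliberately for registration throughput, that reasoning should be next to it, e.g. `bcrypt-cost = 4; # NOTE: minimum bcrypt cost; lowered on purpose for <reason>`; otherwise I would drop the line and inherit upstream's default. The surrounding `throttling` and `email-verification.enabled = false` settings look consistent with open registration, which makes the hash cost the main remaining protection for those accounts.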
@@ -64,13 +105,17 @@ cfg = config.krebs.ergo; configFile = pkgs.writeJSON "ergo.conf" cfg.config; in lib.mkIf cfg.enable ({ + environment.etc."ergo.yaml".source = configFile; krebs.ergo.config = lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default; systemd.services.ergo = { description = "Ergo IRC daemon"; wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ configFile ]; serviceConfig = { - ExecStart = "${pkgs.ergo}/bin/ergo run --conf ${configFile}"; + ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; StateDirectory = "ergo"; };
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 4a87c3501..4c4e53f2f 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -253,12 +253,12 @@ in { }; }; - pinpox-ahorn = { + ahorn = { owner = config.krebs.users.pinpox; nets = { retiolum = { ip4.addr = "10.243.100.100"; - aliases = [ "pinpox-ahorn.r" ]; + aliases = [ "ahorn.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAyfCuWUYEqp4vEt+a6DRvFpIrBu+GlkpNs/mE4OHzATQLNnWooOXQ
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index b1e11b452..f8c371b7f 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -173,7 +173,7 @@ in { }; retiolum = { via = internet; - aliases = [ "eve.r" ]; + aliases = [ "eve.r" "tts.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
@@ -300,6 +300,11 @@ in { }; yasmin = { owner = config.krebs.users.mic92; + nets.internet = { + ip4.addr = "131.159.102.7"; + ip6.addr = "2a09:80c0:102::7"; + aliases = [ "yasmin.i" ]; + }; nets.retiolum = { ip4.addr = "10.243.29.197"; aliases = [ 
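Review bot: The first activation of this change will, if I read NixOS's `reloadIfChanged` semantics correctly, only send the new `ExecReload` (SIGHUP) to the already-running ergo, which then rehashes the old store-path config it was started with under the old `ExecStart`; the switch to `--conf /etc/ergo.yaml` only takes effect after a one-time manual `systemctl restart ergo`. Worth stating in the commit message or as a comment next to `reloadIfChanged = true;`, e.g. `# first deploy needs a manual restart: the running instance still reads the old --conf path`. A second thing to document is that `/etc/ergo.yaml` is a JSON document from `pkgs.writeJSON`, which works because YAML is a superset of JSON, but the name will surprise anyone looking for YAML. The `let` block and the surrounding module function start outside this hunk.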
@@ -674,7 +679,6 @@ in { owner = config.krebs.users.mic92; nets = rec { retiolum = { - ip4.addr = "10.243.29.169"; aliases = [ "bernie.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/external/ssh/kmein.pub b/krebs/3modules/external/ssh/kmein.pub
index 5711a2c1c..8eade3498 100644
--- a/krebs/3modules/external/ssh/kmein.pub
+++ b/krebs/3modules/external/ssh/kmein.pub
@@ -1 +1,2 @@
-ssh-rsa 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 kieran.meinhardt@gmail.com
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 1b5d903cb..5e0e69924 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -92,6 +92,7 @@ in { h5ZUzfd1r1pTzQ0nYD5aRtlDd7zP7y5tUwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "ugy/sGReVro3YzjDuroV/5hdeBdqD18no9dMhTy9DYL"; }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>;
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 294f80a3c..194e8b24a 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
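Review bot: Dropping `ip4.addr = "10.243.29.169";` from bernie's retiolum net while keeping `aliases = [ "bernie.r" ]` and the tinc pubkey leaves an alias with no address for the hosts/DNS generation to map it to, unless the address is now provided further down in the `rec` block outside this hunk. If bernie is meant to leave retiolum entirely, removing the whole `retiolum` entry would make that explicit; if it is meant to keep its host file but no longer advertise an address, a short comment such as `# no retiolum address: host file only` would stop the next reader from re-adding one. The enclosing host definition starts before and ends after this hunk.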
@@ -5,18 +5,18 @@ default = {}; type = lib.types.attrsOf (lib.types.submodule { options = { - ifCredentialsChange = lib.mkOption { - default = "restart"; + restartIfCredentialsChange = lib.mkOption { + # Enabling this by default only makes sense here as the user already + # bothered to write down krebs.systemd.services.* = {}. If this + # functionality gets upstreamed to systemd.services, restarting + # should be disabled by default. + default = true; description = '' - Whether to reload or restart the service whenever any its - credentials change. Only credentials with an absolute path in - LoadCredential= are supported. + Whether to restart the service whenever any of its credentials + change. Only credentials with an absolute path in LoadCredential= + are supported. ''; - type = lib.types.enum [ - "reload" - "restart" - null - ]; + type = lib.types.bool; }; }; });
@@ -40,7 +40,7 @@ lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange} ${lib.shell.escape serviceName}"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}"; }; } ) config.krebs.systemd.services;
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index a18248351..21ddde1c6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -222,12 +222,6 @@ with import <stockholm/lib>; nameValuePair netname {} ) config.krebs.tinc; - environment.etc = mapAttrs' (netname: cfg: - nameValuePair "tinc/${netname}" { - source = cfg.confDir; - } - ) config.krebs.tinc; - krebs.systemd.services = mapAttrs (netname: cfg: { }) config.krebs.tinc;
@@ -239,8 +233,6 @@ with import <stockholm/lib>; cfg.iproutePackage cfg.tincPackage ]; - reloadIfChanged = true; - restartTriggers = [ cfg.confDir ]; serviceConfig = { Restart = "always"; LoadCredential = filter (x: x != "") [ 
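Review bot: The new `restartIfCredentialsChange` bool is declared in the first systemd.nix hunk but nothing visible consumes it: the second hunk (`@@ -40,7 +40,7 @@`) hard-codes `systemctl restart` and still maps over all of `config.krebs.systemd.services`, so a user setting the option to `false` would still get a restart unless a filter on `cfg.restartIfCredentialsChange` lives in the part of that mapping outside the hunk. If no such filter exists, the trigger generation should be wrapped in something like `lib.filterAttrs (_: cfg: cfg.restartIfCredentialsChange)` before the `mapAttrs'`. Separately, the rename from `ifCredentialsChange` with no `lib.mkRemovedOptionModule`/`lib.mkChangedOptionModule` alias means existing `ifCredentialsChange = "reload"` users get an "option does not exist" error and lose reload semantics with no migration hint; a comment or a changed-option module would make that intentional rather than accidental. The attrset being mapped over in the second hunk starts before the hunk.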
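Review bot: Removing `restartTriggers = [ cfg.confDir ];` from the tinc unit (hunk `@@ -239,8 +233,6 @@`) is not explained, and it appears to work only because the `cfg.confDir` store path is interpolated into the `ExecStartPre` script text added in the next hunk, which changes the unit whenever the config changes. That coupling is easy to break by a later refactor that moves the path into a separate file, so I would leave a comment where the triggers used to be, e.g. `# no restartTriggers needed: confDir is embedded in ExecStartPre, so any change rewrites the unit`. The same hunk drops `reloadIfChanged`, which matches the systemd.nix change to restart-only and is fine. The service definition continues outside this hunk.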
@@ -249,6 +241,13 @@ with import <stockholm/lib>; ) "rsa_key:${cfg.privkey}" ]; + ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" '' + ${pkgs.coreutils}/bin/mkdir -p /etc/tinc + ${pkgs.rsync}/bin/rsync -vaL --delete \ + --chown ${cfg.user.name} \ + --chmod u=rwX,g=rX \ + ${cfg.confDir}/ /etc/tinc/${netname}/ + ''; ExecStart = toString [ "${cfg.tincPackage}/sbin/tincd" "-D" |
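Review bot: The rsync'd copy under `/etc/tinc/${netname}/` is chowned to `cfg.user.name` with `--chmod u=rwX,g=rX`, so the tinc service account can now modify its own configuration (host files, and `tinc-up`/`tinc-down` if they are part of `confDir`) between restarts, whereas the old `environment.etc` symlink pointed into the read-only store; `--delete` on the next start resyncs by size and mtime only, so it is not a full integrity check. If tinc needs write access to that directory (the parallel move to ed25519 keys suggests a tinc 1.1 setup, which may), please document which files it writes; if not, `--chmod u=rX,g=rX` keeps the immutable-config property. `${cfg.user.name}` and `${netname}` are also interpolated unquoted into the dash script, while systemd.nix in this same commit quotes names via `lib.shell.escape` — `"${cfg.confDir}/" "/etc/tinc/${netname}/"` and `--chown "${cfg.user.name}"` would be consistent with it. The `serviceConfig` attrset starts and ends outside this hunk.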