diff options
Diffstat (limited to 'krebs/3modules')
| -rw-r--r-- | krebs/3modules/acl.nix | 55 | ||||
| -rw-r--r-- | krebs/3modules/ci.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/external/default.nix | 25 | ||||
| -rw-r--r-- | krebs/3modules/external/kmein.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/external/mic92.nix | 52 | ||||
| -rw-r--r-- | krebs/3modules/makefu/default.nix | 6 | ||||
| -rw-r--r-- | krebs/3modules/sync-containers.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/tinc.nix | 18 |
9 files changed, 124 insertions, 38 deletions
diff --git a/krebs/3modules/acl.nix b/krebs/3modules/acl.nix new file mode 100644 index 000000000..9cdbb6cff --- /dev/null +++ b/krebs/3modules/acl.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: let + parents = dir: + if dir == "/" then + [ dir ] + else + [ dir ] ++ parents (builtins.dirOf dir) + ; +in { + options.krebs.acl = lib.mkOption { + type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: { + options = { + rule = lib.mkOption { + type = lib.types.str; + default = config._module.args.name; + }; + default = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + recursive = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + parents = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + apply ACL to every parent folder + ''; + }; + }; + }))); + default = {}; + }; + config = { + systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" { + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.acl + pkgs.coreutils + ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings ( + lib.mapAttrsToList (_: rule: '' + setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} + ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} + ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} + '') rules + )); + RemainAfterExit = true; + Type = "simple"; + }; + }) config.krebs.acl; + }; +} diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index 822dbab61..5efe41786 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -166,6 +166,8 @@ let nick = "buildbot|${hostname}", notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], channels = [{"channel": "#xxx"}], + showBlameList = True, + authz={'force': True}, ) '']; diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e8f0d35e4..fc57d8188 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,6 +6,7 @@ let out = { imports = [ + ./acl.nix ./airdcpp.nix ./announce-activation.nix ./apt-cacher-ng.nix diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 1b51f0223..cc67c1a0a 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -563,6 +563,31 @@ in { }; }; }; + alsace = { + owner = config.krebs.users.xkey; + nets = { + retiolum = { + ip4.addr = "10.243.73.31"; + aliases = [ "alsace.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAn9mZHXfUcR1/oby6KB1Z8s1AAuie4l5G624r0UqbWu+4xowFIeZs + kv2dqd+yiqammAA9P207ooLbGBp+P6i4f5VMCemkCnv0sC1TJ+DNwYqWYcFRZE7I + j00fw/QI9d6L1c4CqZHJPQXEHG3v46qPuUow8FDJ6fjoBmy6biHjSd0XC7oHGqRh + GE5RolnqUiQhW0b4TkHJV4yUfVki+olxQtYd4xIHs1hcSqoMK898jsPX5cLgoCzR + NPZVyHf2BM0urPn4mu/th4ZDKpQtrqeI7h6yhnzJ0onhtValwHiA3/DcHcWmYvHC + vw6umyiCqFDx2kmzOnpkBWv65ugKUwDSZR8ibp3q7W9iPBiCPv0FtKXsQW9EngSS + asQWC8U6cB23nKuMYQrtD33fVwYn58FBIY6+avroc7XN5cPM/9VBHqyXSDZNAWtt + TwC/sXFWqT6AbTwLV6zY1TW4jiwKOh3KAVnHqQhUhNlEMk6EFOjR1CABSwUVXleR + 5whr1RbKAsrhqMprGKHndvxLXjbKSh6A0bVdOLOzSs7BME2Oi1OdHd6tqqYmcyuV + XQnFcOYKxF0RM83/V8rEgvVisIxXTGVrGw8Kse7PGFA1dGldptTC6kofLUxzADNw + bRnXtRk8VR0BBzTuPNDgUXL2XQLht6FwDKCA/En2vId98yc2uuDk468CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "lPvwNm2mfF+rX3noqt+80c7nlDCpC+98JPLWx2jJRLN"; + }; + }; + }; papawhakaaro = { owner = config.krebs.users.feliks; nets = { diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix index 9ef079090..1e4a68057 100644 --- a/krebs/3modules/external/kmein.nix +++ b/krebs/3modules/external/kmein.nix @@ -123,6 +123,7 @@ in "zaatar.kmein.r" "grocy.kmein.r" "moodle.kmein.r" + "radio.kmein.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 27a2beed6..db57b5944 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -95,7 +95,6 @@ in { owner = config.krebs.users.mic92; nets = { retiolum = { - ip4.addr = "10.243.29.189"; aliases = [ "dimitriosxps.r" ]; @@ -173,7 +172,12 @@ in { }; retiolum = { via = internet; - aliases = [ "eve.r" "tts.r" ]; + aliases = [ + "eve.r" + "tts.r" + "flood.r" + "navidrome.r" + ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH @@ -279,25 +283,6 @@ in { ''; }; }; - philipsaendig = { - owner = config.krebs.users.mic92; - nets.retiolum = { - ip4.addr = "10.243.29.193"; - aliases = [ - "philipsaendig.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX - 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl - 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl - +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF - Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S - oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; yasmin = { owner = config.krebs.users.mic92; nets.internet = { @@ -306,7 +291,6 @@ in { aliases = [ "yasmin.i" ]; }; nets.retiolum = { - ip4.addr = "10.243.29.197"; aliases = [ "yasmin.r" ]; @@ -414,7 +398,6 @@ in { }; retiolum = { via = internet; - ip4.addr = "10.243.29.195"; aliases = [ "bill.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -445,7 +428,6 @@ in { }; retiolum = { via = internet; - ip4.addr = "10.243.29.173"; aliases = [ "nardole.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -470,7 +452,6 @@ in { owner = config.krebs.users.mic92; nets = { retiolum = { - ip4.addr = "10.243.29.171"; aliases = [ "rock.r" ]; @@ -736,7 +717,6 @@ in { }; retiolum = { via = internet; - ip4.addr = "10.243.29.198"; aliases = [ "ryan.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -764,7 +744,6 @@ in { }; retiolum = { via = internet; - ip4.addr = "10.243.29.199"; aliases = [ "graham.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -890,5 +869,24 @@ in { }; }; }; + hal9000 = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + aliases = [ "hal9000.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA5aunzoz6WIjeQgfibml6T+UNsXXcoglhCqRkun7WaSHE93SQcCil + CDoUoq2aeiGTZ189LgdSyeRL7qmBzgVExIT4NlhfBCkNbHB/sz6epBb9qx49hLh5 + K/tJfUBYKRd06ymSXPK+cCiO0/gM8fjzI+3GMlYvcbZ+ow11zTRgX/QB2lE1G8cW + Obh/nS0af7G6wmovHsKEpry5AxoAPLLi5JaP4hlc/i0iCbebMqb+szF0KBAbmDg3 + JQ4MYIyQOw9kk7hfqTNFEvJhpbV66id2+ZIHX6QAw7OHBpaY6ZWFd/w2BkJHeayb + 2jRnsJd0YgautgBGrBrjRWiVmn/f+lJ4XQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "krVYgJo5OFZkyUOgasH9dFve4OI3ewpt8IFhCPan7mB"; + }; + }; + }; }; } diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 62316bfdb..f87802b45 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -102,6 +102,7 @@ in { x = { ci = true; cores = 4; + syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; nets = { retiolum.ip4.addr = "10.243.0.91"; wiregrill = { @@ -121,7 +122,7 @@ in { omo = rec { ci = true; cores = 2; - + syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; nets = { retiolum = { ip4.addr = "10.243.0.89"; @@ -218,6 +219,9 @@ in { retiolum = { via = internet; ip4.addr = "10.243.0.213"; + # never connect via gum (he eats your packets!) + tinc.weight = 9001; + aliases = [ "gum.r" "backup.makefu.r" diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix index e47f9a3a7..e2caa0834 100644 --- a/krebs/3modules/sync-containers.nix +++ b/krebs/3modules/sync-containers.nix @@ -97,7 +97,7 @@ in { ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || : ''; - services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ devices = ctr.peers; ignorePerms = false; })) cfg.containers); diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 21ddde1c6..bc85aa0a6 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -26,7 +26,7 @@ with import <stockholm/lib>; ${tinc.config.extraConfig} ''; "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up + ip link set ${netname} up ${tinc.config.tincUp} ''; }); @@ -48,7 +48,7 @@ with import <stockholm/lib>; }; extraConfig = mkOption { - type = types.str; + type = types.lines; default = ""; description = '' Extra Configuration to be appended to tinc.conf @@ -58,15 +58,14 @@ with import <stockholm/lib>; type = types.str; default = let net = tinc.config.host.nets.${netname}; - iproute = tinc.config.iproutePackage; in '' ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ip -4 addr add ${net.ip4.addr} dev ${netname} + ip -4 route add ${net.ip4.prefix} dev ${netname} ''} ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ip -6 addr add ${net.ip6.addr} dev ${netname} + ip -6 route add ${net.ip6.prefix} dev ${netname} ''} ${tinc.config.tincUpExtra} ''; @@ -176,7 +175,7 @@ with import <stockholm/lib>; connectTo = mkOption { type = types.listOf types.str; ${if netname == "retiolum" then "default" else null} = [ - "gum" + "eve" "ni" "prism" ]; @@ -233,6 +232,7 @@ with import <stockholm/lib>; cfg.iproutePackage cfg.tincPackage ]; + reloadIfChanged = true; serviceConfig = { Restart = "always"; LoadCredential = filter (x: x != "") [ @@ -260,7 +260,7 @@ with import <stockholm/lib>; "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key" "--pidfile=/var/run/tinc.${netname}.pid" ]; - ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; + ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart"; SyslogIdentifier = netname; }; }) config.krebs.tinc; |