diff options
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 108 | ||||
-rw-r--r-- | krebs/3modules/fetchWallpaper.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/krebs/default.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 104 | ||||
-rw-r--r-- | krebs/3modules/solanum.nix | 104 | ||||
-rw-r--r-- | krebs/3modules/sync-containers.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 5 |
10 files changed, 132 insertions, 210 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 149995a23..24b17487b 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -50,7 +50,6 @@ let ./secret.nix ./setuid.nix ./shadow.nix - ./solanum.nix ./sync-containers.nix ./tinc.nix ./tinc_graphs.nix diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 982516e5d..28d58b525 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -587,7 +587,7 @@ in { nets = { retiolum = { ip4.addr = "10.243.13.12"; - aliases = [ "catalonia.r" "aleph.r" ]; + aliases = [ "catalonia.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 3ef693290..b4e046303 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -256,6 +256,10 @@ in { okelmann = { owner = config.krebs.users.mic92; nets.retiolum = { + addrs = [ + config.krebs.hosts.okelmann.nets.retiolum.ip4.addr + config.krebs.hosts.okelmann.nets.retiolum.ip6.addr + ]; ip4.addr = "10.243.29.190"; aliases = [ "okelmann.r" @@ -275,6 +279,10 @@ in { aendernix = { owner = config.krebs.users.mic92; nets.retiolum = { + addrs = [ + config.krebs.hosts.aendernix.nets.retiolum.ip4.addr + config.krebs.hosts.aendernix.nets.retiolum.ip6.addr + ]; ip4.addr = "10.243.29.172"; aliases = [ "aendernix.r" @@ -296,6 +304,30 @@ in { ''; }; }; + aenderpad = { + owner = config.krebs.users.mic92; + nets.retiolum = { + addrs = [ + config.krebs.hosts.aenderpad.nets.retiolum.ip4.addr + config.krebs.hosts.aenderpad.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.201"; + aliases = [ + "aendernix.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAvHSVUd6/5P2rK3s9iQhVrxkjufDIi0Kn04iVB4Z0TpUvnmFAP+Hv + d7umo95lNkAPL9c3byv4ooQjOskrp7GmgQRijLUvJSAZ9FBVWPAjMXs+gk9oJnQj + 6bovXJ3DurmW3h1ZRmkWn256j7g8lEMtf5LGFxs9Bwi4wqZTbI6DzTQhmNm76Spb + 2UMSzr9kDcNj5r6LDhDKEDtx4P1Opshgsf9AusV81N5nqDcvAYsvEqYoPvjKIPwF + 5jtfHY7hM7SdYoVgdAY8RFH7xuRkLQW4LBxPKjP3pEQPCgXcuEELm33PGr+w/vhC + jxeyKP+uSeuBBMSatTWG3kU8W2LxVML65QIDAQAB + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = jC2UzKiUtWUlZF2ET88qM+Ot+GpoWxFFfpi8TCCr0uM + ''; + }; + }; dimitra = { owner = config.krebs.users.mic92; nets.retiolum = { @@ -761,5 +793,81 @@ in { }; }; }; + + + ryan = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.ryan.nets.retiolum.ip4.addr + config.krebs.hosts.ryan.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.198"; + aliases = [ "ryan.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0RE5jmBiEGmaYLVFmpCyVvlb6K3Zh2uxh7sVm44k31d9PEHHm4Wz + HQH+ueaefGVu19xLRJQGu4ZMl7oRbb5awiqKdSGgInhQaNzxUIHW4cCCdOVkgZSy + NjI9LMcc8tQtkoFGt6OhAzaViuGMo+aJAkLuXNf8hz5uR2flqQEeKfG5Kc7Z1DAQ + QNoBRtY0pltyK2y/Ip8cZ9cdxR5oLww67ykhY+eLy9tZLfKs6uWSq+2CV0cpNNQ9 + Sh8fSbkjb4+JkxWAHDOyAnwFxnxstMcW0cscOW7nXYDi5IpvvesJlk698un7bLhm + vCkAd+WiNuTGfs9t0r6FDDVDREBhNk1sLwIDAQAB + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = sOD149OLZ2yUEjRpwbGdwHULKF2qNY3F+9AsEi1G0ZM + ''; + }; + }; + }; + + graham = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.graham.nets.retiolum.ip4.addr + config.krebs.hosts.graham.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.199"; + aliases = [ "graham.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAtnM8VqFlEPLPYfKOZvN4kKklrVEyX4WewlqHO8vtxML9ND5BHCdn + UeRsThvbKVRqEvZLTAXKClZRYVr2IroHqfx0euTq3FYTUbNNQ4KgcFAfLKWoxGfK + HsQbYpS93/sUtmhRBGcgXPnEkE6yqvFBXxcmB1QqdmgYKdY2Gtikwrv/5hb4AlNe + /gyzKGtAKYogspLI6EpEwlD9CGDNIUPJ4uQ56gDhV/qtyMSE6X0igSSVZayDc+x1 + InPkH90xsa0/uXjYDnXNdMguLArGkRzMhd6DzK4vEaPFIX59yMX+tEj46rGY7xAI + gUZUI2codqY5Z93W5GC+ws34y0bpfeMMWwIDAQAB + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = xMJNMMXZRCbWkN9CzLFohkGUK54dPcrrosFD7xgIFXA + ''; + }; + }; + }; + + maurice = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.maurice.nets.retiolum.ip4.addr + config.krebs.hosts.maurice.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.200"; + aliases = [ "maurice.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsLKBfPtZkjWGu6uitCV+4c5aQox2t4N8XNhY2mqE806XsYrqAC+y + d0oLOxRMUjfh9stDnEW/YRoLEKz9oZdRYd4eenP0Q3c3HdRFDBNCs27M5a8ysqZD + 5w9+B+9OfUmMv61NyKiaR6WtoGbE849cj1UNk1z04elshfU7h829D8QnD4j1A1gf + bOaNG+RzOP6qP/6Q30rxAiTxRPi+FhcHvxa33y1ZVobvnfGcJa+AzsTbgH9T9Yob + GuXFZvuQVSyWOLOgY/vVml904q8gScMpBesAsZJ7DEXxSTga0Rt99Ti3d9ABwBI5 + 1YabQlGLaAkrj3PMgrDyayzGBDDDva9fEQIDAQAB + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = pkMuJ4kbyleQAdau+sfmLtzTuUy7uL+wwcgV/GWC7/N + ''; + }; + }; + }; }; } diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 852c8f630..dc0133a63 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -55,10 +55,12 @@ let name = "fetchWallpaper"; uid = genid_uint31 "fetchWallpaper"; description = "fetchWallpaper user"; + group = "fetchWallpaper"; home = cfg.stateDir; createHome = true; isSystemUser = true; }; + users.groups.fetchWallpaper = {}; systemd.timers.fetchWallpaper = { description = "fetch wallpaper timer"; diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index d02ef6a3e..1bfd58e31 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -365,10 +365,8 @@ let users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; description = "Git repository hosting user"; - extraGroups = [ - # To allow running cgit-clear-cache via hooks. - cfg.cgit.fcgiwrap.group.name - ]; + # To allow running cgit-clear-cache via hooks. + group = cfg.cgit.fcgiwrap.group.name; isSystemUser = true; shell = "/bin/sh"; openssh.authorizedKeys.keys = diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index c05409fe9..776b893f5 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -39,7 +39,10 @@ in { cores = 4; nets = { shack = { - ip4.addr = "10.42.0.50" ; + ip4 = { + addr = "10.42.0.50" ; + prefix = "10.42.0.0/16"; + }; aliases = [ "filebitch.shack" ]; @@ -105,6 +108,7 @@ in { "go.r" "rss.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc @@ -157,6 +161,7 @@ in { }; puyak = { ci = true; + cores = 4; nets = { retiolum = { ip4.addr = "10.243.77.2"; @@ -165,6 +170,7 @@ in { "build.puyak.r" "cgit.puyak.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955 diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 3419d806c..2475a0d5a 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -37,6 +37,7 @@ in { default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} io 60 IN NS ions.lassul.us. @@ -48,11 +49,15 @@ in { jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { internet = { - ip4.addr = "95.216.1.150"; + ip4 = { + addr = "95.216.1.150"; + prefix = "0.0.0.0/0"; + }; aliases = [ "prism.i" "paste.i" @@ -122,33 +127,6 @@ in { ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU"; }; - uriel = { - monitoring = false; - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.81.176"; - ip6.addr = r6 "1e1"; - aliases = [ - "uriel.r" - ]; - tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR - duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb - MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME - m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx - uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo - u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBryIo/Waw8SWvlQ0+5I+Bd/dJgcMd6iPXtELS6gQXoc"; - secure = true; - }; mors = { cores = 2; nets = { @@ -418,38 +396,6 @@ in { ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM"; }; - red = { - monitoring = false; - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.13"; - ip6.addr = r6 "12ed"; - aliases = [ - "red.r" - ]; - tinc.port = 0; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG - 4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF - Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI - phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0 - FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox - TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa - mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w - oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE - cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ - 7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa - 5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW - ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ== - -----END PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp"; - }; yellow = { cores = 1; nets = { @@ -583,44 +529,6 @@ in { ci = false; syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; }; - morpheus = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.19"; - ip6.addr = r6 "012f"; - aliases = [ - "morpheus.r" - ]; - tinc.port = 0; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY - T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN - /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh - S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz - Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR - bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI - Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz - sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+ - VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j - 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA - U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - wiregrill = { - ip6.addr = w6 "012f"; - aliases = [ - "morpheus.w" - ]; - wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY="; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f "; - syncthing.id = "JS4RFIL-MJP2SMJ-EOQXCPQ-MC3NB4V-BQ77GN5-LPKGLWY-GHDP732-G22OJQQ"; - }; hilum = { cores = 1; nets = { diff --git a/krebs/3modules/solanum.nix b/krebs/3modules/solanum.nix deleted file mode 100644 index 9094d1003..000000000 --- a/krebs/3modules/solanum.nix +++ /dev/null @@ -1,104 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkEnableOption mkIf mkOption singleton types; - inherit (pkgs) coreutils solanum; - cfg = config.krebs.solanum; - - configFile = pkgs.writeText "solanum.conf" '' - ${cfg.config} - ''; -in - -{ - - ###### interface - - options = { - - krebs.solanum = { - - enable = mkEnableOption "Solanum IRC daemon"; - - config = mkOption { - type = types.str; - description = '' - Solanum IRC daemon configuration file. - ''; - }; - - statedir = mkOption { - type = types.path; - default = "/var/lib/solanum"; - description = '' - Location of the state directory of solanum. - ''; - }; - - user = mkOption { - type = types.str; - default = "ircd"; - description = '' - Solanum IRC daemon user. - ''; - }; - - group = mkOption { - type = types.str; - default = "ircd"; - description = '' - Solanum IRC daemon group. - ''; - }; - - motd = mkOption { - type = types.nullOr types.lines; - default = null; - description = '' - Solanum MOTD text. - - Solanum will read its MOTD from /etc/solanum/ircd.motd . - If set, the value of this option will be written to this path. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable (lib.mkMerge [ - { - users.users.${cfg.user} = { - description = "Solanum IRC daemon user"; - uid = config.ids.uids.ircd; - group = cfg.group; - }; - - users.groups.${cfg.group} = { - gid = config.ids.gids.ircd; - }; - - systemd.tmpfiles.rules = [ - "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -" - ]; - - systemd.services.solanum = { - description = "Solanum IRC daemon"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile ${cfg.statedir}/ircd.pid"; - Group = cfg.group; - User = cfg.user; - }; - }; - - } - - (mkIf (cfg.motd != null) { - environment.etc."solanum/ircd.motd".text = cfg.motd; - }) - ]); -} diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix index fcfaf1dd0..e47f9a3a7 100644 --- a/krebs/3modules/sync-containers.nix +++ b/krebs/3modules/sync-containers.nix @@ -94,7 +94,7 @@ in { programs.fuse.userAllowOther = true; # allow syncthing to enter /var/lib/containers system.activationScripts.containers-enter = mkDefault '' - ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers + ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || : ''; services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index d0a4ba260..898b5e8c3 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -254,9 +254,14 @@ let inherit (cfg.user) home name uid; createHome = true; isSystemUser = true; + group = netname; } ) config.krebs.tinc; + users.groups = mapAttrs' (netname: cfg: + nameValuePair netname {} + ) config.krebs.tinc; + environment.etc = mapAttrs' (netname: cfg: nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy { source = cfg.confDir; |