summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/external/default.nix2
-rw-r--r--krebs/3modules/external/mic92.nix108
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/git.nix6
-rw-r--r--krebs/3modules/krebs/default.nix8
-rw-r--r--krebs/3modules/lass/default.nix104
-rw-r--r--krebs/3modules/solanum.nix104
-rw-r--r--krebs/3modules/sync-containers.nix2
-rw-r--r--krebs/3modules/tinc.nix5
10 files changed, 132 insertions, 210 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 149995a23..24b17487b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -50,7 +50,6 @@ let
./secret.nix
./setuid.nix
./shadow.nix
- ./solanum.nix
./sync-containers.nix
./tinc.nix
./tinc_graphs.nix
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 982516e5d..28d58b525 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -587,7 +587,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.13.12";
- aliases = [ "catalonia.r" "aleph.r" ];
+ aliases = [ "catalonia.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 3ef693290..b4e046303 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -256,6 +256,10 @@ in {
okelmann = {
owner = config.krebs.users.mic92;
nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.okelmann.nets.retiolum.ip4.addr
+ config.krebs.hosts.okelmann.nets.retiolum.ip6.addr
+ ];
ip4.addr = "10.243.29.190";
aliases = [
"okelmann.r"
@@ -275,6 +279,10 @@ in {
aendernix = {
owner = config.krebs.users.mic92;
nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.aendernix.nets.retiolum.ip4.addr
+ config.krebs.hosts.aendernix.nets.retiolum.ip6.addr
+ ];
ip4.addr = "10.243.29.172";
aliases = [
"aendernix.r"
@@ -296,6 +304,30 @@ in {
'';
};
};
+ aenderpad = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.aenderpad.nets.retiolum.ip4.addr
+ config.krebs.hosts.aenderpad.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.201";
+ aliases = [
+ "aendernix.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAvHSVUd6/5P2rK3s9iQhVrxkjufDIi0Kn04iVB4Z0TpUvnmFAP+Hv
+ d7umo95lNkAPL9c3byv4ooQjOskrp7GmgQRijLUvJSAZ9FBVWPAjMXs+gk9oJnQj
+ 6bovXJ3DurmW3h1ZRmkWn256j7g8lEMtf5LGFxs9Bwi4wqZTbI6DzTQhmNm76Spb
+ 2UMSzr9kDcNj5r6LDhDKEDtx4P1Opshgsf9AusV81N5nqDcvAYsvEqYoPvjKIPwF
+ 5jtfHY7hM7SdYoVgdAY8RFH7xuRkLQW4LBxPKjP3pEQPCgXcuEELm33PGr+w/vhC
+ jxeyKP+uSeuBBMSatTWG3kU8W2LxVML65QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = jC2UzKiUtWUlZF2ET88qM+Ot+GpoWxFFfpi8TCCr0uM
+ '';
+ };
+ };
dimitra = {
owner = config.krebs.users.mic92;
nets.retiolum = {
@@ -761,5 +793,81 @@ in {
};
};
};
+
+
+ ryan = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.ryan.nets.retiolum.ip4.addr
+ config.krebs.hosts.ryan.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.198";
+ aliases = [ "ryan.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA0RE5jmBiEGmaYLVFmpCyVvlb6K3Zh2uxh7sVm44k31d9PEHHm4Wz
+ HQH+ueaefGVu19xLRJQGu4ZMl7oRbb5awiqKdSGgInhQaNzxUIHW4cCCdOVkgZSy
+ NjI9LMcc8tQtkoFGt6OhAzaViuGMo+aJAkLuXNf8hz5uR2flqQEeKfG5Kc7Z1DAQ
+ QNoBRtY0pltyK2y/Ip8cZ9cdxR5oLww67ykhY+eLy9tZLfKs6uWSq+2CV0cpNNQ9
+ Sh8fSbkjb4+JkxWAHDOyAnwFxnxstMcW0cscOW7nXYDi5IpvvesJlk698un7bLhm
+ vCkAd+WiNuTGfs9t0r6FDDVDREBhNk1sLwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = sOD149OLZ2yUEjRpwbGdwHULKF2qNY3F+9AsEi1G0ZM
+ '';
+ };
+ };
+ };
+
+ graham = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.graham.nets.retiolum.ip4.addr
+ config.krebs.hosts.graham.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.199";
+ aliases = [ "graham.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAtnM8VqFlEPLPYfKOZvN4kKklrVEyX4WewlqHO8vtxML9ND5BHCdn
+ UeRsThvbKVRqEvZLTAXKClZRYVr2IroHqfx0euTq3FYTUbNNQ4KgcFAfLKWoxGfK
+ HsQbYpS93/sUtmhRBGcgXPnEkE6yqvFBXxcmB1QqdmgYKdY2Gtikwrv/5hb4AlNe
+ /gyzKGtAKYogspLI6EpEwlD9CGDNIUPJ4uQ56gDhV/qtyMSE6X0igSSVZayDc+x1
+ InPkH90xsa0/uXjYDnXNdMguLArGkRzMhd6DzK4vEaPFIX59yMX+tEj46rGY7xAI
+ gUZUI2codqY5Z93W5GC+ws34y0bpfeMMWwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = xMJNMMXZRCbWkN9CzLFohkGUK54dPcrrosFD7xgIFXA
+ '';
+ };
+ };
+ };
+
+ maurice = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.maurice.nets.retiolum.ip4.addr
+ config.krebs.hosts.maurice.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.200";
+ aliases = [ "maurice.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsLKBfPtZkjWGu6uitCV+4c5aQox2t4N8XNhY2mqE806XsYrqAC+y
+ d0oLOxRMUjfh9stDnEW/YRoLEKz9oZdRYd4eenP0Q3c3HdRFDBNCs27M5a8ysqZD
+ 5w9+B+9OfUmMv61NyKiaR6WtoGbE849cj1UNk1z04elshfU7h829D8QnD4j1A1gf
+ bOaNG+RzOP6qP/6Q30rxAiTxRPi+FhcHvxa33y1ZVobvnfGcJa+AzsTbgH9T9Yob
+ GuXFZvuQVSyWOLOgY/vVml904q8gScMpBesAsZJ7DEXxSTga0Rt99Ti3d9ABwBI5
+ 1YabQlGLaAkrj3PMgrDyayzGBDDDva9fEQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = pkMuJ4kbyleQAdau+sfmLtzTuUy7uL+wwcgV/GWC7/N
+ '';
+ };
+ };
+ };
};
}
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 852c8f630..dc0133a63 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -55,10 +55,12 @@ let
name = "fetchWallpaper";
uid = genid_uint31 "fetchWallpaper";
description = "fetchWallpaper user";
+ group = "fetchWallpaper";
home = cfg.stateDir;
createHome = true;
isSystemUser = true;
};
+ users.groups.fetchWallpaper = {};
systemd.timers.fetchWallpaper = {
description = "fetch wallpaper timer";
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index d02ef6a3e..1bfd58e31 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -365,10 +365,8 @@ let
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
description = "Git repository hosting user";
- extraGroups = [
- # To allow running cgit-clear-cache via hooks.
- cfg.cgit.fcgiwrap.group.name
- ];
+ # To allow running cgit-clear-cache via hooks.
+ group = cfg.cgit.fcgiwrap.group.name;
isSystemUser = true;
shell = "/bin/sh";
openssh.authorizedKeys.keys =
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index c05409fe9..776b893f5 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -39,7 +39,10 @@ in {
cores = 4;
nets = {
shack = {
- ip4.addr = "10.42.0.50" ;
+ ip4 = {
+ addr = "10.42.0.50" ;
+ prefix = "10.42.0.0/16";
+ };
aliases = [
"filebitch.shack"
];
@@ -105,6 +108,7 @@ in {
"go.r"
"rss.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
@@ -157,6 +161,7 @@ in {
};
puyak = {
ci = true;
+ cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.77.2";
@@ -165,6 +170,7 @@ in {
"build.puyak.r"
"cgit.puyak.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 3419d806c..2475a0d5a 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -37,6 +37,7 @@ in {
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
@@ -48,11 +49,15 @@ in {
jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
- ip4.addr = "95.216.1.150";
+ ip4 = {
+ addr = "95.216.1.150";
+ prefix = "0.0.0.0/0";
+ };
aliases = [
"prism.i"
"paste.i"
@@ -122,33 +127,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU";
};
- uriel = {
- monitoring = false;
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.81.176";
- ip6.addr = r6 "1e1";
- aliases = [
- "uriel.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
- duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb
- MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME
- m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx
- uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo
- u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBryIo/Waw8SWvlQ0+5I+Bd/dJgcMd6iPXtELS6gQXoc";
- secure = true;
- };
mors = {
cores = 2;
nets = {
@@ -418,38 +396,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM";
};
- red = {
- monitoring = false;
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.0.13";
- ip6.addr = r6 "12ed";
- aliases = [
- "red.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN PUBLIC KEY-----
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
- 4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
- Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
- phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
- FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
- TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
- mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
- oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
- cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
- 7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
- 5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
- ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
- -----END PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
- };
yellow = {
cores = 1;
nets = {
@@ -583,44 +529,6 @@ in {
ci = false;
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
};
- morpheus = {
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.0.19";
- ip6.addr = r6 "012f";
- aliases = [
- "morpheus.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
- T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
- /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
- S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
- Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
- bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
- Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
- sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
- VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
- 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
- U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- };
- wiregrill = {
- ip6.addr = w6 "012f";
- aliases = [
- "morpheus.w"
- ];
- wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY=";
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
- syncthing.id = "JS4RFIL-MJP2SMJ-EOQXCPQ-MC3NB4V-BQ77GN5-LPKGLWY-GHDP732-G22OJQQ";
- };
hilum = {
cores = 1;
nets = {
diff --git a/krebs/3modules/solanum.nix b/krebs/3modules/solanum.nix
deleted file mode 100644
index 9094d1003..000000000
--- a/krebs/3modules/solanum.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkEnableOption mkIf mkOption singleton types;
- inherit (pkgs) coreutils solanum;
- cfg = config.krebs.solanum;
-
- configFile = pkgs.writeText "solanum.conf" ''
- ${cfg.config}
- '';
-in
-
-{
-
- ###### interface
-
- options = {
-
- krebs.solanum = {
-
- enable = mkEnableOption "Solanum IRC daemon";
-
- config = mkOption {
- type = types.str;
- description = ''
- Solanum IRC daemon configuration file.
- '';
- };
-
- statedir = mkOption {
- type = types.path;
- default = "/var/lib/solanum";
- description = ''
- Location of the state directory of solanum.
- '';
- };
-
- user = mkOption {
- type = types.str;
- default = "ircd";
- description = ''
- Solanum IRC daemon user.
- '';
- };
-
- group = mkOption {
- type = types.str;
- default = "ircd";
- description = ''
- Solanum IRC daemon group.
- '';
- };
-
- motd = mkOption {
- type = types.nullOr types.lines;
- default = null;
- description = ''
- Solanum MOTD text.
-
- Solanum will read its MOTD from /etc/solanum/ircd.motd .
- If set, the value of this option will be written to this path.
- '';
- };
-
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable (lib.mkMerge [
- {
- users.users.${cfg.user} = {
- description = "Solanum IRC daemon user";
- uid = config.ids.uids.ircd;
- group = cfg.group;
- };
-
- users.groups.${cfg.group} = {
- gid = config.ids.gids.ircd;
- };
-
- systemd.tmpfiles.rules = [
- "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
- ];
-
- systemd.services.solanum = {
- description = "Solanum IRC daemon";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile ${cfg.statedir}/ircd.pid";
- Group = cfg.group;
- User = cfg.user;
- };
- };
-
- }
-
- (mkIf (cfg.motd != null) {
- environment.etc."solanum/ircd.motd".text = cfg.motd;
- })
- ]);
-}
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index fcfaf1dd0..e47f9a3a7 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -94,7 +94,7 @@ in {
programs.fuse.userAllowOther = true;
# allow syncthing to enter /var/lib/containers
system.activationScripts.containers-enter = mkDefault ''
- ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+ ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
'';
services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index d0a4ba260..898b5e8c3 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -254,9 +254,14 @@ let
inherit (cfg.user) home name uid;
createHome = true;
isSystemUser = true;
+ group = netname;
}
) config.krebs.tinc;
+ users.groups = mapAttrs' (netname: cfg:
+ nameValuePair netname {}
+ ) config.krebs.tinc;
+
environment.etc = mapAttrs' (netname: cfg:
nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy {
source = cfg.confDir;