summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/fetchWallpaper.nix7
-rw-r--r--krebs/3modules/iptables.nix3
-rw-r--r--krebs/3modules/lass/default.nix35
-rw-r--r--krebs/3modules/lass/default.pgp95
-rw-r--r--krebs/3modules/makefu/default.nix12
-rw-r--r--krebs/3modules/per-user.nix5
-rw-r--r--krebs/3modules/retiolum.nix4
7 files changed, 101 insertions, 60 deletions
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 53fe0839d..0adcec3d8 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -40,11 +40,12 @@ let
};
};
- fetchWallpaperScript = pkgs.writeScript "fetchWallpaper" ''
- #! ${pkgs.bash}/bin/bash
+ fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
+ set -euf
mkdir -p ${shell.escape cfg.stateDir}
- curl -s -o ${shell.escape cfg.stateDir}/wallpaper -z ${shell.escape cfg.stateDir}/wallpaper ${shell.escape cfg.url}
+ cd ${shell.escape cfg.stateDir}
+ curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
'';
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 9596229de..4b99873a1 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -20,6 +20,7 @@ let
flatten
length
hasAttr
+ hasPrefix
mkEnableOption
mkOption
mkIf
@@ -123,7 +124,7 @@ let
buildRule = tn: cn: rule:
#target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+ assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target;
#predicate validation test:
#maybe use iptables-test
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index b4686894e..dddbe881b 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -12,6 +12,7 @@ with config.krebs.lib;
aliases = [
"dishfire.internet"
];
+ ssh.port = 45621;
};
retiolum = {
via = internet;
@@ -40,10 +41,11 @@ with config.krebs.lib;
cores = 2;
nets = rec {
internet = {
- ip4.addr = "162.252.241.33";
+ ip4.addr = "104.233.79.118";
aliases = [
"echelon.internet"
];
+ ssh.port = 45621;
};
retiolum = {
via = internet;
@@ -79,6 +81,7 @@ with config.krebs.lib;
aliases = [
"prism.internet"
];
+ ssh.port = 45621;
};
retiolum = {
via = internet;
@@ -143,6 +146,7 @@ with config.krebs.lib;
aliases = [
"cloudkrebs.internet"
];
+ ssh.port = 45621;
};
retiolum = {
via = internet;
@@ -174,6 +178,7 @@ with config.krebs.lib;
gg23 = {
ip4.addr = "10.23.1.12";
aliases = ["uriel.gg23"];
+ ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.81.176";
@@ -205,6 +210,7 @@ with config.krebs.lib;
gg23 = {
ip4.addr = "10.23.1.11";
aliases = ["mors.gg23"];
+ ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.0.2";
@@ -257,6 +263,33 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWlIxkX41V55Yker8n4gErx2xcKpXFNKthhbP3+bTJ7";
};
+ shodan = {
+ cores = 2;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.4";
+ ip6.addr = "42:0:0:0:0:0:0:50d4";
+ aliases = [
+ "shodan.retiolum"
+ "shodan.r"
+ "cgit.shodan.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
+ YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7
+ ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF
+ 7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4
+ xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ
+ V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ secure = true;
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
+ };
};
users = {
diff --git a/krebs/3modules/lass/default.pgp b/krebs/3modules/lass/default.pgp
index 38e2fa8df..6d985f0e2 100644
--- a/krebs/3modules/lass/default.pgp
+++ b/krebs/3modules/lass/default.pgp
@@ -1,52 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
-mQINBFSZ3/oBEADYvRPoLdDkASIArXyWR5ccugJQURxMDgphAGrvj6qskSkn0chF
-gnc/kcQr4aVTaDFdonSyHjYvspDOZm5BgHAICCu1PL8rkMTGS+vHM5dlwnok6IKy
-e2aLjLPq5sHyp4+Zeq1eHe5TQ1cgN0cPdMMnEHd8GQke21pRQ5Vz79s8qRfWlt1Y
-+OQ5uY/52iZ9qJ11/N4bPPe/Zm63sRTpGw14i8UCgBAsMQOG1XPUX2/IJc1CC9+1
-Ohn/hPCbIdCbwOs7/HFFMRWmV6w4ul9gr7Js0owkWAS8FNOactS2i2SSwdONetKs
-UbCVQ1PubPBZvh2Vij/oUBK5BvfNDR6nRYhOjYbt6PW/Q6bjqGecjnlO98dpcqag
-+8bdl1JY9FpE4RzfuRgAFjVbtNztrmm9t6EuOHGZ5ec34TG9+i02ixh0YTEDK/Yt
-my2MfIbGUbeIYRKJscqgxKkL6nv4x0lOvs8nDiUmqztGdSdTGni+BAWZz3+1xaJH
-DTyQ36qYauBb5FWneRTBeagrDOAvvk/WxS+fMFZpnQovevOQBqxEL62fntikmMFn
-ddPgq7R1VPdivvr+BO8yMI8i45Vn9EzIJR02WAp7oAsT966yzopVT4JLT8++CVPh
-/VBrFID9yRyWjW5IJPsMsOt7z3UJaP08ua0UG4uVqo6dT6IdR8jKKxYdvwARAQAB
-tCBsYXNzdWx1cyA8bGFzc3VsdXNAYWlkc2JhbGxzLmRlPokCPQQTAQoAJwUCVJnf
-+gIbAwUJBaOagAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAyqvthRFEnnviI
-D/95QdNgttsly9CUeHKGfNGlJ2NgDepqob/VR2385q7cXCbFftRIsD0vaWYfsQ87
-kbKs3fpeHz8teKqZtMnXYkPIaSK0TcoaqQtyfkmj+agP2YRSkNYonlmmCiCWkodP
-2VnnmRUSwHcgxS14xsUHh13JXsU5nTHDAdJqOxUX6l6Lxb989h7Q8wTn5SX1XRVd
-0U5P7fNXKvVF34J6uGyWraxQLOqJEEzi82F/61hbI6zVPhxu/R+qmiSqgHIlp0ax
-u+8u3eyDVP1q95AMPaL1GsNYDcSl5njbkEbruSmjVcO99cD1ZLAODFJuaa+h/IvQ
-HoPnFL3hRo0SHt/RimokboJL7nx5jT/0y+FtGuPMVKUqiLApOfoeWeHWVKgMLV/0
-1+O4jEDRMNSIClI2YHdgyuQPBuHkaYXrrpDpJnYDEz2qAiijx+xIAPzifxebuVFV
-NQl/XnXlzTmYrt0GHfCrNZa/ZtsqQqnJSRpydjey+ATGgs+3Oqa6z8lHhYx83ST2
-cGsUmSnzk0TnxXmqwWxb3aGA0kO50atrObWwNXud7n3hu4V0FWwfHXUk8gJxtMN6
-IenjLcI0WyLwSKvTazF6GSgtUhwNgON88eiqLS8CWdop4CEyEUfxFoZeQoS72Yzq
-4pSOYPnbRDcBn2zkYaWyCTmf9qvWbZOu0Sl2lfy9n5LiKrkCDQRUmd/6ARAAq+Mt
-/9LohA9Qnz/GjE504h38G3USXgEV9/ctr2PXkc2onW67u45trLSYLyCK6kDq3VIN
-/3uLt8Pr+IL41NntW1exRtqohVeKI38CCqR5RP9tVxLkyxnpA/SPpSvOjWhyBkph
-MRXYta1+nBHwxSaPcc2e+15pk/cYgg0cTY7Nvgo+wL4bgI+b2OHwwIwRov/t4aim
-0y63OaCG82NqWrX7i2ONaR8RsZ8RHLnC+TyFaoj0mdp+vp4WFwxbqcIq+Vvn1m5j
-gPlkzXK4Yrykp2IULGuj+qZyS043FzZYhbxZoE85zIMtQ5gV/ktaP25+YsU1bwb9
-75FQvdMM827bbOJJ67/l96asQNg1TMzosL8/t9xLPDry4YYu8kRIPZgKWvT0Eg1Q
-AWzWJCXplTdPlhj660OCGuuyv/XJIbhqtBVZhIyR7gs6EZHZ6FHax7F41fEWGgSv
-WVAMrjrnG4XYAyCP1yiW1i7/ogCzKXYvV42tzBFuPcza6jhBnU17w5E7nwYaEWgA
-02Ai7aTK9WDAi8j8emQ8XppU9hqEILSvR5tG4R0YOAUbIUplIpnpf8KcEhNy48ei
-MuhiTJBjPyu7bRJoZXvipNPjqhESGlvrcr1QKuEqPLRcfLo3DOt3zgxBqOZZGHKL
-ckaud05wevMPK09F7taLgwBCHOmAxiMa5NQVjL8AEQEAAYkCJQQYAQoADwUCVJnf
-+gIbDAUJBaOagAAKCRAyqvthRFEnngGYD/wP77ax6yczKT/AHEvqyMMRPigLHIHy
-XIWt8uNKwbn1RTXuH9Nj1rtVuj7ck4jscNwmDYeT52ZDxHQjLHWgAG0CBq6afdBi
-VwLur6M7jv0EwY/SMed+QD1+a59kiO8+difwLDF+Q50lYQ4fmSGsfdQ4Qxesm92r
-Y1Q/xFg1K9MNZbItpzYTE4P+ii4kU5BnWwExX2OEhhlrNUjJhA30HvvUID6bsguq
-Jl7mWnGpS5YYqPxiABNI++TzYXQvP95nWGROvdx2vSPuJ756S8VJ81LL7BmQyQzq
-8S/ciHjmgtgLRyncqqXl1uJBqtK+50vEFHxJrANdDNzD+K4S7+23DpRsmEl/2ECQ
-laGsU6HtYbnr+hc1alE4uNMEN1/a75EFI59BISnUm8jIy1nLhcIXMhFh4JuG7kGk
-2ePa4Gv2DafMR8N0WYPIhP3LIIDP0s9gv2QSA+5BmI9OhZDkz9Ubuut1+PMfWCXm
-aNmF2Bh8puTffsFxGJSiQ4CXDzuNRqMR5wB0OCnB/WAnuZhRAJhXmgR8FJY+EvTN
-PcA1QZIZ0hQGVf8eJ5Gx4W1w2Q6mQCGnCy1XtEkZP0BOP0Or5CMtqP/VSuwaF4wh
-4FLYTOLZ7oDr2ErK/bhnpuoPoUU0y3n7AG/nhtmqenlMPLWB246XnEoJMb6Ar8vW
-It6jrzDh3+COSQ==
-=0gFT
+mQINBFcWQhEBEADwt+hHRZxZx05USejn4x5LVWqqg5I2nIzjwI8pVyBra2AmXaMA
+SAImFk1W6oM35rwYmez6TG8QC7RPRUrMHX2aAdDwJ/VtU/b87q0ICwlMxYUnikg1
+tsHV4kRB7ukm+Rs0ECMqZzjwdlbiEEfQ6VPUrIBzDHeD0idkC82DonZ6xe083klH
+LpO36ckBOtyaoZZspzRu5yB76vsbeviVqsQ9WTQ8GoQk1i6FUbTbtOlvjhtx05Rk
+ic66RrfFSM/ElLe5yA96kZd7m/Sn9WIRwRj3clxnT1vAVpMlpISsTutEQtuG3MDX
+tT3EPVSSZEEcY1xxlJF+u1JZu4QqqtH+nczjshv+z3HZdmGd7OGqmgI8D3Ly/Ufi
+Uyz+ewZbhbgy/XSHqwriUbnMuE9OKxx0LqlQLA59+/icT+upW4TexiHKd6PYeSeJ
+kCxUEAmzqxsnilmwbehQrmmhI7uzxT8YxNGjF5mRJ1zOY55praTMKlp3MOxKvVPn
+EZSyWm/22CuUZZEX0XR6TBgkL71VoGrlaezADzhHu9i5yBwbNCuiE2CYcS5IuDf+
+GkoKGtWeLbXTXccWOaIItSzlVUcJx3D009kTXeLEo2T1RPpz41LMvqWkUlZg4CA1
+zMAcudsXDtXGJEvS3dZAaiUUdASktzNL/ltuW/CXITJ0V7UjmA0pOyLDOQARAQAB
+tBlsYXNzdWx1cyA8bGFzc0BsYXNzdWwudXM+iQI3BBMBCAAhBQJXFkIRAhsDBQsJ
+CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEInoKVKXan5NFVsP/RfU4dychz5eadnN
+/iCybL2eXCkpNbSJaPVqKKmBqY4oDEqK0NekwgOiWXFuFI6BpNyTW5z1a2PaBgF2
+bG5K/k/aGnzUUqH+LhtMCYr90UjJPtsrgi+C5poL4e2EsPN1SASSOSYFtYY1EQCe
+NcYut2foM/PjviJKuS9t/kJxmZn8Vi3+qQKSwys219IQuXqos44aihjnwEL+TR6D
+MgcDCW2QSCqB5kfksjustSihDck8ZkT+nISTrSdZVPzROcyBeswN/UqjOUBZd1p1
+sO7SqDaBnzovRD3G4kyscepPWChnOFCIq9tuE2Mai2QliQ4q1Bn0+8uhLPLG+nQI
+leL/6pFXY9ecjmpqrSAXEysDUgfpiqJzDtv8WC3fY7wl88/ROiHrgF8x5P4PmUMl
+oTfe+BGQar6BNV3rStPsW6Ogm6Mu6WNVXCRIJboM+ev3JdVSGF/ehnmb06EGCIrI
+ahWbMViDSAjOvM92By/RJkP8ADCN2ezvdf86Ubyib5EyRoleu0WHvtO1mLQn0pIP
+cYCGXrnQlkduC7ENS942hLUq976LPH1ZatM26gaN1MKxN03v+6e9E6jtxUH3wWk1
+oDGddTl+zu4fqUxEAA391sPMhp+DTVxXmPKvpnJivKAsL2Hkg0vKQt6VQNEv2Lgm
+G8vdqOcapWLBcddR9d0DpFgkZNQCuQINBFcWQhEBEADgv6HfZQyxuiFpHQbt59s4
+7mA4AmzgjA1GiS73xo16qjwLieKPJWlrgPk4OOwqQpdygZ9LAhH+FIqcGo4wCNKL
+1qiMQeQcFOACvLOfxpv8F1TkOc9IbQUoMPxXEYRK/c0ZtaWpe8dy4QL3tDwS/ovk
+sCZBpvXdpJXDuccfTQ23UPozWKs21JAIKqbO7p5n86VGr0Co07xmBsxOK6ylK8YM
+ftBjugfbxfmFApW2lAsjeDe7J5RY6W5NaeMg/IxTy6wkfoz1UjwtQaRvp1XbWqPz
+Ib+mx8AeRQQXzuVKxS20ZVgazSZHg1PYu9PoKTIWK0NLd68CydcQ4q6F3PjNytFH
+tDM13q5kWmTU0yFy2OWvy4JAq2z02C+Z+/+nffp0ZfsdEeVNm5ZvlDLmOYMWFzDj
+OScYgBYIAvAs3pYV+xl6pxvdTyI3JXed7Q889e36TC3mwUIR4sL+oOfctA7Swzkr
+aU8uMCwIE6ppGsxIcXQt15sUjgM5THXzAQXVkbM8i1x9F0JjP7bFMWcIP1pmqcaO
+6znM2D/wocY+RO3xYj0GLFgRBW2O/pJUWrWHInpO3mrwZeRMGZix5nZH8U6cvfD5
+9SwIVdyKj6sZklcS2JJclBDrAudYUbckAuV7KI1ZWcU4kVS3joYdWcFQO3vOxJW5
+mGXML9roJXeXN664iNBgpQARAQABiQIfBBgBCAAJBQJXFkIRAhsMAAoJEInoKVKX
+an5NGhcP/jkeR/fYPYuYEUWLGBxq2hFhwMssiJ+pwx5Nj+Kh9rLm90LBLCcwBVu0
+ILbaePkPCmin8p9F+AOy11DsWb5lBrlyUqU6+ID9nY/WbNL5ZYl6zIBmuYQ5qFEA
+n5NQD6hLllC6wyOqIeKXrnkvFJMW8+W0aYRQh7hhpAzyJz9gawXWvWY45NhWl3Tm
+S3LfJbA5nM6uZvO0VU7LERgfwTgPSjMwYVQGtktndy9N4Avi1N02l5BEmuZoXwTC
+oQuW6LiAPGE2ztXztyNGnUYUAGMWl22UTezqfU/aOG9Qum+QebwTgBUH4pTgLiV/
+pWxXib517wGkect/0Yd+zcya8lA7x1EzFFMb3i4ToawIz76I2ncIlpC2q31x2nVI
+6fBW4kfu8AR7XW9Yyv+plIuva1AeTf+sMc7FSb5CpOmjjLpUfQ96vZvQwarcEip7
+UmOBoAoFdhtwJotskBOje52AUgDIBWZrIfH1bq7/NjAO73UdR1mJkOpY01qQXkED
+TiLeIBGYqseCbnJNi1PVOVNEOT4Up3/RSjpAu8dBrXKqx7yS8bKlVk3RsIDlgyb4
+rWMc88uBl57YsjSnQN36LN7j0hPpb0TAD1OsPI1pepsKUAPZKA2EAyLXKyQ3oLqN
+DWU4ZWpIi8+RKm3UpWgQ9qN4tuRHvVX/AQjEW1LkhfmR2VIqnrkv
+=fgFG
-----END PGP PUBLIC KEY BLOCK-----
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 814e6929b..a6d4597f7 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -479,12 +479,12 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEA961eCQE562VPYjuZtd0+FNRfUghvD2ccjUlihMjzg46GAK+duqK+
- 4peWklGOL4eRYQBg6G2VDzWiU2MxXVbXUZaMrxh7fTc3G3LdbqTxzAv3GQKR/6iA
- 9bGUf6u4ztVNAcj2mrY3mfs4gMlBQyQ2wcM0ZUpiAMaRB4cdq7I4GVHbYTFYfQuI
- 2zdnr0w8AjlMpFFcD0ExsWeppiJsE7iiME/S2VVfh2NrEpAKQbLH9fKrfkiJA/+9
- 0VIH9wLLIYngUtQKbvEQ5xgx6ybrg0vO8ZqZ1ZGXYxOQZzWzPP0tvDU0QHSKYSWb
- FjcOf1lWSWjsjHxMl/Gh57hjNJFCbs8yjQIDAQAB
+ MIIBCgKCAQEA2VjW30A3uQoo5QwbFTnl5fuGg81DZVu8HXmDwgEkhZYr5Xf3V5/d
+ fmPlX1igzatWYX0OylFAY69r0V4dqeTubIf83sz1eqtpXjK4czG8A3wMHEXj5Pzs
+ e1Qh8K4rHMEATc7Y/cwpQBi2THn2bhufqgaz94m8HrStCZcKCin3fDMbE01WHWX1
+ KFqeBtUd7b9pWbXKlLBNpHTZoGxVQk0Hto9pxYzHecRsbQXykYk3Rw2tSuf0aH99
+ oY0i3LjOb+f2oq2S4qVHqHZsMJfDVr+x2/LP1SIcc1lVTztWSSAzZEokE0/ejvXf
+ wkquBVHXdl6LuzH+/V1I7OsaMhHShYu1LwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix
index 13da5c4c3..93a7d2293 100644
--- a/krebs/3modules/per-user.nix
+++ b/krebs/3modules/per-user.nix
@@ -26,7 +26,10 @@ let
environment = {
etc = flip mapAttrs' cfg (name: { packages, ... }: {
name = "per-user/${name}";
- value.source = pkgs.symlinkJoin "per-user.${name}" packages;
+ value.source = pkgs.symlinkJoin {
+ name = "per-user.${name}";
+ paths = packages;
+ };
});
profiles = ["/etc/per-user/$LOGNAME"];
};
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
index 5aaeb5a30..5a035fa50 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/retiolum.nix
@@ -102,6 +102,10 @@ let
The list of hosts in the network which the client will try to connect
to. These hosts should have an 'Address' configured which points to a
routeable IPv4 or IPv6 address.
+
+ In stockholm this can be done by configuring:
+ krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
+ [ "${external-ip} ${external-port}" ]
'';
};