Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/ponte/config.nix20
-rw-r--r--krebs/2configs/acme.nix2
-rw-r--r--krebs/2configs/cal.nix2
-rw-r--r--krebs/2configs/hotdog-host.nix3
-rw-r--r--krebs/2configs/mastodon.nix6
-rw-r--r--krebs/2configs/nameserver.nix179
-rw-r--r--krebs/2configs/news-host.nix3
-rw-r--r--krebs/2configs/repo-sync.nix2
-rw-r--r--krebs/2configs/syncthing.nix4
-rw-r--r--krebs/2configs/tor/initrd.nix4
-rw-r--r--krebs/2configs/wiki.nix2
-rw-r--r--krebs/3modules/exim-smarthost.nix4
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/github/hosts-sync.nix2
-rw-r--r--krebs/3modules/iptables.nix2
-rw-r--r--krebs/3modules/power-action.nix6
-rw-r--r--krebs/3modules/repo-sync.nix2
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--krebs/3modules/ssh.nix23
-rw-r--r--krebs/3modules/tinc.nix4
-rw-r--r--krebs/3modules/zones.nix19
-rw-r--r--krebs/5pkgs/haskell/desktop-pager.nix (renamed from krebs/5pkgs/haskell/pager.nix)2
-rw-r--r--krebs/5pkgs/haskell/nix-serve-ng.nix6
-rw-r--r--krebs/5pkgs/simple/fzfmenu/default.nix2
-rw-r--r--krebs/5pkgs/simple/krebszones/default.nix13
-rw-r--r--krebs/5pkgs/simple/ovh-zone/default.nix1
-rw-r--r--krebs/5pkgs/simple/pager.nix2
-rw-r--r--krebs/5pkgs/simple/realwallpaper/get_constellations.py29
-rw-r--r--krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix30
-rw-r--r--krebs/5pkgs/simple/vicuna-chat/default.nix2
-rw-r--r--krebs/nixpkgs-unstable.json10
-rw-r--r--krebs/nixpkgs.json10
32 files changed, 309 insertions, 93 deletions
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 2f55995cf..8bb14d517 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -5,6 +5,7 @@
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/matterbridge.nix>
+ <stockholm/krebs/2configs/nameserver.nix>
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -30,8 +31,23 @@
krebs.pages.enable = true;
krebs.pages.nginx.addSSL = true;
- krebs.pages.nginx.enableACME = true;
+ krebs.pages.nginx.useACMEHost = "krebsco.de";
security.acme.acceptTerms = true;
- security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
+ security.acme.certs."krebsco.de" = {
+ domain = "krebsco.de";
+ extraDomainNames = [
+ "*.krebsco.de"
+ ];
+ email = "spam@krebsco.de";
+ reloadServices = [
+ "knsupdate-krebsco.de.service"
+ "nginx.service"
+ ];
+ keyType = "ec384";
+ dnsProvider = "rfc2136";
+ credentialsFile = "/var/src/secrets/acme-credentials";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
}
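Review bot: `reloadServices` lists `knsupdate-krebsco.de.service`, which nameserver.nix in this commit defines as a `Type = "oneshot"` unit with nothing visible that starts it. If the ACME module reloads these units with a try-reload-or-restart style call (not visible here), an inactive oneshot is skipped and the TLSA records would not follow a renewed certificate. It is worth confirming after a renewal that the unit actually ran, or starting it explicitly from the certificate's `postRun`. Separately, `credentialsFile = "/var/src/secrets/acme-credentials";` hard-codes the secrets path while the rest of the commit moves to `config.krebs.secret.directory`; the same applies to `knot-keys.conf` and `dane.tsig` in nameserver.nix. The enclosing attribute set starts outside the hunk.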
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
index 056aa7ae4..0b9cb91af 100644
--- a/krebs/2configs/acme.nix
+++ b/krebs/2configs/acme.nix
@@ -24,7 +24,7 @@ in {
path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root";
mode = "1444";
- source-path = builtins.toString <secrets> + "/acme_ca.key";
+ source-path = "${config.krebs.secret.directory}/acme_ca.key";
};
services.step-ca = {
enable = true;
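Review bot: The context line `mode = "1444";` sits on the entry that installs the step-ca intermediate CA key. If `krebs.secret.files` applies it as a file mode, the private key is readable by every local user unless the parent directory restricts access. The commit only changes `source-path`, so this is untouched here, but a key that can sign certificates would normally be `0400` (or `0440` with a dedicated group) and owned by the account step-ca runs as. The enclosing attribute set starts outside the hunk.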
diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix
index a1fe47b5d..1a0cdf019 100644
--- a/krebs/2configs/cal.nix
+++ b/krebs/2configs/cal.nix
@@ -108,7 +108,7 @@ in {
krebs.secret.files.calendar = {
path = "/var/lib/radicale/.ssh/id_ed25519";
owner = { name = "radicale"; };
- source-path = "${<secrets/radicale.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
};
security.sudo.extraConfig = ''
diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix
index 95d70376b..ab2b22b7c 100644
--- a/krebs/2configs/hotdog-host.nix
+++ b/krebs/2configs/hotdog-host.nix
@@ -1,6 +1,7 @@
+{ config, ... }:
{
krebs.sync-containers3.containers.hotdog = {
- sshKey = "${toString <secrets>}/hotdog.sync.key";
+ sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
};
containers.hotdog.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/hotdog/state";
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index 145b383ed..af308b2c7 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -33,8 +33,10 @@
];
environment.systemPackages = [
- (pkgs.writers.writeDashBin "tootctl" ''
- sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@"
+ (pkgs.writers.writeDashBin "clear-mastodon-cache" ''
+ mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30
+ mastodon-tootctl media remove-orphans
+ mastodon-tootctl preview_cards remove --days=14
'')
(pkgs.writers.writeDashBin "create-mastodon-user" ''
set -efu
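Review bot: The new `clear-mastodon-cache` script has no `set -efu`, unlike `create-mastodon-user` directly below it, so a failing `media remove` does not stop the later commands and the exit status reflects only the last one. Adding `set -efu` as the first line would match the neighbouring script. The script also resolves `mastodon-tootctl` through PATH, and the hunk does not show where that command is provided.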
diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix
new file mode 100644
index 000000000..633f6f5d5
--- /dev/null
+++ b/krebs/2configs/nameserver.nix
@@ -0,0 +1,179 @@
+{ config, lib, pkgs, ... }: let
+ acmeChallenge =
+ { domain
+ , nameserver
+ , adminEmail
+ , serial ? 0
+ , refresh ? 3600
+ , retry ? 900
+ , expire ? 604800
+ , minimum ? 180
+ }:
+ pkgs.writeText "${domain}.zone" /* bindzone */ ''
+ $TTL 60
+ @ IN SOA ${lib.concatStringsSep " " [
+ "${nameserver}."
+ "${lib.replaceStrings ["@"] ["."] adminEmail}."
+ (toString serial)
+ (toString refresh)
+ (toString retry)
+ (toString expire)
+ (toString minimum)
+ ]}
+ @ IN NS ${nameserver}.
+ '';
+in {
+ networking.firewall.allowedTCPPorts = [
+ 53 # domain for AXFR
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 53 # domain
+ ];
+
+ krebs.systemd.services.knot.restartIfCredentialsChange = true;
+ systemd.services.knot.serviceConfig.LoadCredential = [
+ "keys.conf:/var/src/secrets/knot-keys.conf"
+ ];
+
+ services.knot = {
+ enable = true;
+ keyFiles = [
+ "/run/credentials/knot.service/keys.conf"
+ ];
+ extraConfig = /* yaml */ ''
+ server:
+ udp-max-payload: 4096
+ listen: [ 127.0.0.53@2, ${
+ lib.concatMapStringsSep ", "
+ (addr: "${addr}@53")
+ (
+ config.krebs.build.host.nets.internet.addrs or []
+ ++
+ # This is required for hosts at OCI because the default route
+ # provided by DHCP is using the private address.
+ config.krebs.build.host.nets.intranet.addrs or []
+ )
+ } ]
+
+ log:
+ - target: syslog
+ any: debug
+
+ remote:
+ - id: henet_ns1
+ address: 216.218.130.2
+
+ - id: hostingde_ns1
+ address: 134.0.30.178
+
+ - id: krebscode_ni
+ address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ key: krebs_transfer_notify_key
+
+ acl:
+ - id: acme_acl
+ key: acme
+ action: update
+
+ - id: dane_acl
+ key: dane
+ action: update
+
+ - id: transfer_to_henet_secondary
+ key: henet_transfer_key
+ address: [ 216.218.133.2, 2001:470:600::2 ]
+ action: transfer
+
+ # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/
+ - id: transfer_to_hostingde_secondary
+ address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ]
+ action: transfer
+
+ - id: transfer_to_krebscode_secondary
+ key: krebs_transfer_notify_key
+ action: transfer
+
+ mod-rrl:
+ - id: default
+ rate-limit: 200 # Allow 200 resp/s for each flow
+ slip: 2 # Every other response slips
+
+ policy:
+ - id: rsa2k
+ algorithm: rsasha256
+ ksk-size: 4096
+ zsk-size: 2048
+
+ template:
+ - id: default
+ global-module: mod-rrl/default
+ semantic-checks: on
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ journal-content: all
+
+ zone:
+ - domain: krebsco.de
+ file: ${pkgs.krebs.zones."krebsco.de"}
+ dnssec-signing: on
+ dnssec-policy: rsa2k
+ notify: henet_ns1
+ notify: hostingde_ns1
+ notify: krebscode_ni
+ acl: transfer_to_henet_secondary
+ acl: transfer_to_hostingde_secondary
+ acl: transfer_to_krebscode_secondary
+ acl: dane_acl
+
+ - domain: _acme-challenge.krebsco.de
+ file: ${acmeChallenge {
+ domain = "_acme-challenge.krebsco.de";
+ nameserver = "ns1.krebsco.de";
+ adminEmail = "spam@krebsco.de";
+ }}
+ acl: acme_acl
+
+ - domain: r
+ file: ${pkgs.krebs.zones.r}
+
+ - domain: w
+ file: ${pkgs.krebs.zones.w}
+ '';
+ };
+
+ systemd.services."knsupdate-krebsco.de" = {
+ serviceConfig = {
+ Type = "oneshot";
+ SyslogIdentifier = "knsupdate-krebsco.de";
+ ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
+ set -efu
+
+ mk_certificate_association_data() {
+ ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" |
+ ${pkgs.coreutils}/bin/cut -d= -f2 |
+ ${pkgs.coreutils}/bin/tr -d :
+ }
+
+ certfile=/var/lib/acme/krebsco.de/cert.pem
+ certificate_association_data=$(mk_certificate_association_data "$certfile")
+ keyfile=/var/src/secrets/dane.tsig
+
+ script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX)
+ trap 'rm "$script"' EXIT
+ (
+ exec >"$script"
+ echo server krebsco.de.
+ echo zone krebsco.de.
+ echo origin krebsco.de.
+ echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
+ echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
+ echo show
+ echo send
+ echo answer
+ echo quit
+ )
+ ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script"
+ '';
+ };
+ };
+}
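Review bot: The `knsupdate-krebsco.de` script only ever issues `add` for the two TLSA names, so each certificate renewal leaves the previous `3 0 1` record in the zone. With usage 3 (DANE-EE) a client accepts a certificate matching any published record, so pins for superseded certificates stay trusted until someone removes them by hand. Consider clearing the old RRsets in the same update, e.g. `echo del _25._tcp.ni TLSA` and `echo del _443._tcp.ni TLSA` before the `add` lines. Also worth a second look: `transfer_to_hostingde_secondary` authorises zone transfers by source address alone, with no TSIG key, and `any: debug` is a very verbose log level for an internet-facing server.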
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
index 71793e518..81922ef87 100644
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@@ -1,5 +1,6 @@
+{ config, ... }:
{
krebs.sync-containers3.containers.news = {
- sshKey = "${toString <secrets>}/news.sync.key";
+ sshKey = "${config.krebs.secret.directory}/news.sync.key";
};
}
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index 1b72924a6..a488fdfea 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -98,7 +98,7 @@ in {
krebs.secret.files.konsens = {
path = "/var/lib/konsens/.ssh/id_ed25519";
owner = konsens-user;
- source-path = "${<secrets/konsens.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
};
imports = [
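Review bot: The new `source-path` value ends in a stray `>` left over from the old `<secrets/...>` syntax, so it names a file `konsens.id_ed25519>` that will not exist and the konsens SSH key cannot be installed. The line should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`. The enclosing attribute set starts outside the hunk.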
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 59178516c..90ae66f6e 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@@ -10,8 +10,8 @@ in {
services.syncthing = {
enable = true;
configDir = "/var/lib/syncthing";
- key = toString <secrets/syncthing.key>;
- cert = toString <secrets/syncthing.cert>;
+ key = "${config.krebs.secret.directory}/syncthing.key";
+ cert = "${config.krebs.secret.directory}/syncthing.cert";
# workaround for infinite recursion on unstable, remove in 23.11
} // (if builtins.hasAttr "settings" options.services.syncthing then
{ settings.devices = mk_peers used_peers; }
diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix
index 98ed039b4..21c46a0a7 100644
--- a/krebs/2configs/tor/initrd.nix
+++ b/krebs/2configs/tor/initrd.nix
@@ -13,12 +13,12 @@
config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey
];
- hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
+ hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
};
boot.initrd.availableKernelModules = [ "e1000e" ];
boot.initrd.secrets = {
- "/etc/tor/onion/bootup" = <secrets/initrd>;
+ "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
};
boot.initrd.extraUtilsCommands = ''
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index a227ceb4a..4b0bf9768 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -96,7 +96,7 @@ in
krebs.secret.files.gollum = {
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
owner = { name = "gollum"; };
- source-path = "${<secrets/gollum.id_ed25519>}";
+ source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
};
security.sudo.extraConfig = ''
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 093ae2030..4e42ce72e 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -20,14 +20,14 @@ let
};
dkim = mkOption {
- type = types.listOf (types.submodule ({ config, ... }: {
+ type = types.listOf (types.submodule (dkim: {
options = {
domain = mkOption {
type = types.str;
};
private_key = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${config.domain}.dkim.priv";
+ default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
defaultText = "‹secrets/‹domain›.dkim.priv›";
};
selector = mkOption {
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 79187adfa..0d67120fd 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -40,7 +40,7 @@ let
};
};
- fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
+ fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
set -euf
mkdir -p ${cfg.stateDir}
diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix
index 6f9aee0ce..2f373f9bc 100644
--- a/krebs/3modules/github/hosts-sync.nix
+++ b/krebs/3modules/github/hosts-sync.nix
@@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
- default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
+ default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›";
};
url = mkOption {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index c1c5b68c8..32a5273a5 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -177,7 +177,7 @@ let
${buildTables iptables-version cfg.tables}
'';
- startScript = pkgs.writeDash "krebs-iptables_start" ''
+ startScript = pkgs.writers.writeDash "krebs-iptables_start" ''
set -euf
iptables-restore < ${rules "v4"}
ip6tables-restore < ${rules "v6"}
diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix
index 71e2b541a..a9ed24d3f 100644
--- a/krebs/3modules/power-action.nix
+++ b/krebs/3modules/power-action.nix
@@ -60,7 +60,7 @@ let
};
};
- startScript = pkgs.writeDash "power-action" ''
+ startScript = pkgs.writers.writeDash "power-action" ''
set -euf
power="$(${powerlvl})"
@@ -77,11 +77,11 @@ let
writeRule = _: plan:
"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
- powerlvl = pkgs.writeDash "powerlvl" ''
+ powerlvl = pkgs.writers.writeDash "powerlvl" ''
cat /sys/class/power_supply/${cfg.battery}/capacity
'';
- state = pkgs.writeDash "state" ''
+ state = pkgs.writers.writeDash "state" ''
if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
then echo "false"
else echo "true"
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index a6de3f3f6..5208d91ae 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -123,7 +123,7 @@ let
privateKeyFile = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/repo-sync.ssh.key";
+ default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
defaultText = "‹secrets/repo-sync.ssh.key›";
};
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index c9ea8a619..bd7e7c5f6 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -14,12 +14,12 @@ in
sslCertificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
};
sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.key";
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
# <secrets/tinc.krebsco.de.crt>
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index 58f3a3c10..aba825c29 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -4,32 +4,9 @@ let
cfg = config.krebs;
out = {
- options.krebs = api;
config = lib.mkIf cfg.enable imp;
};
- api = {
- zone-head-config = mkOption {
- type = with types; attrsOf str;
- description = ''
- The zone configuration head which is being used to create the
- zone files. The string for each key is pre-pended to the zone file.
- '';
- # TODO: configure the default somewhere else,
- # maybe use krebs.dns.providers
- default = {
-
- # github.io -> 192.30.252.154
- "krebsco.de" = ''
- $TTL 86400
- @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
- IN NS ns19.ovh.net.
- IN NS dns19.ovh.net.
- '';
- };
- };
- };
-
imp = lib.mkMerge [
{
services.openssh.hostKeys =
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 2f9efad46..9df368cfb 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
privkey = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
+ default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
};
@@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
- else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
};
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 7771d3b51..e68482d77 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -1,6 +1,25 @@
{ config, pkgs, lib, ... }:
with lib; {
+ options.krebs.zone-head-config = mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ description = ''
+ The zone configuration head which is being used to create the
+ zone files. The string for each key is pre-pended to the zone file.
+ '';
+ default = {
+ "krebsco.de" = /* bindzone */ ''
+ $TTL 60
+ @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+ @ 3600 IN NS ns1
+ @ 3600 IN NS ni
+ @ 3600 IN NS ns2.he.net.
+ @ 3600 IN NS ns3.he.net.
+ @ 3600 IN NS ns2.hosting.de.
+ '';
+ };
+ };
+
config = {
environment.etc =
mapAttrs'
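Review bot: The SOA in the new `krebsco.de` default uses `spam.krebsco.de.` for both MNAME and RNAME; the first field is meant to name the primary nameserver, and this looks like the mailbox form repeated. The `_acme-challenge` zone in nameserver.nix uses `ns1.krebsco.de.` as MNAME, so presumably this should be `@ 3600 IN SOA ns1.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600`. RFC 2136 update clients that are not given an explicit server look up MNAME to find the primary, so a wrong value can send dynamic updates to the wrong host. A short comment that serial `0` is intentional (knot is configured with `zonefile-load: difference-no-serial`) would also help the next reader.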
diff --git a/krebs/5pkgs/haskell/pager.nix b/krebs/5pkgs/haskell/desktop-pager.nix
index 36709788c..1a4f94db3 100644
--- a/krebs/5pkgs/haskell/pager.nix
+++ b/krebs/5pkgs/haskell/desktop-pager.nix
@@ -4,7 +4,7 @@
, utf8-string, X11
}:
mkDerivation {
- pname = "pager";
+ pname = "desktop-pager";
version = "1.0.0";
src = fetchgit {
url = "https://cgit.krebsco.de/pager";
diff --git a/krebs/5pkgs/haskell/nix-serve-ng.nix b/krebs/5pkgs/haskell/nix-serve-ng.nix
index 8866b205b..62e02ce82 100644
--- a/krebs/5pkgs/haskell/nix-serve-ng.nix
+++ b/krebs/5pkgs/haskell/nix-serve-ng.nix
@@ -6,11 +6,11 @@
}:
mkDerivation {
pname = "nix-serve-ng";
- version = "1.0.0";
+ version = "1.0.1";
src = fetchgit {
url = "https://github.com/aristanetworks/nix-serve-ng";
- sha256 = "0mqp67z5mi8rsjahdh395n7ppf0b65k8rd3pvnl281g02rbr69y2";
- rev = "433f70f4daae156b84853f5aaa11987aa5ce7277";
+ sha256 = "sha256-PkzwtjUgYuqfWtCH1nRqVRaajihN1SqMVjWmoSG/CCY=";
+ rev = "9b546864f4090736f3f9069a01ea5d42cf7bab7c";
fetchSubmodules = true;
};
isLibrary = false;
diff --git a/krebs/5pkgs/simple/fzfmenu/default.nix b/krebs/5pkgs/simple/fzfmenu/default.nix
index eb2441330..030c1b1b1 100644
--- a/krebs/5pkgs/simple/fzfmenu/default.nix
+++ b/krebs/5pkgs/simple/fzfmenu/default.nix
@@ -43,7 +43,7 @@ pkgs.writers.writeDashBin "fzfmenu" ''
set -efu
# Spawn terminal if called without one, like e.g. from a window manager.
- if [ -z ''${TERM+x} ]; then
+ if [ -z ''${TERM+x} ] || [ $TERM = dumb ]; then
exec 3<&0
exec 4>&1
export FZFMENU_INPUT_FD=3
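Review bot: In the added test `[ $TERM = dumb ]` the variable is unquoted, so a TERM that is set but empty, or contains whitespace, makes `[` fail with a syntax error instead of evaluating cleanly to false. Quote it: `if [ -z ''${TERM+x} ] || [ "$TERM" = dumb ]; then`. The script body continues outside the hunk.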
diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix
deleted file mode 100644
index 32608e7fa..000000000
--- a/krebs/5pkgs/simple/krebszones/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.writeDashBin "krebszones" ''
- set -efu
- export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf}
- case $* in
- import)
- set -- import /etc/zones/krebsco.de krebsco.de
- echo "+ krebszones $*" >&2
- ;;
- esac
- exec ${pkgs.ovh-zone}/bin/ovh-zone "$@"
-''
diff --git a/krebs/5pkgs/simple/ovh-zone/default.nix b/krebs/5pkgs/simple/ovh-zone/default.nix
index 051a14e8d..bc0e45cb9 100644
--- a/krebs/5pkgs/simple/ovh-zone/default.nix
+++ b/krebs/5pkgs/simple/ovh-zone/default.nix
@@ -9,7 +9,6 @@ python3Packages.buildPythonPackage rec {
name = "ovh-zone-${version}";
version = "0.4.4";
propagatedBuildInputs = with pkgs.python3Packages;[
- d2to1 # for setup to work
ovh
docopt
];
diff --git a/krebs/5pkgs/simple/pager.nix b/krebs/5pkgs/simple/pager.nix
index 952b5ee1e..adc2cc67b 100644
--- a/krebs/5pkgs/simple/pager.nix
+++ b/krebs/5pkgs/simple/pager.nix
@@ -33,7 +33,7 @@ pkgs.symlinkJoin {
-ti vt340 \
-xrm '*geometry: 32x10' \
-xrm '*internalBorder: 2' \
- -e ${pkgs.haskellPackages.pager}/bin/pager "$@"
+ -e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@"
'')
pkgs.haskellPackages.pager
];
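Review bot: The `-e` path now uses `pkgs.haskellPackages.desktop-pager`, but the context line `pkgs.haskellPackages.pager` two lines below still refers to the old attribute in the same list. If the Haskell package set is keyed by the renamed file, that attribute either no longer exists or now resolves to a different, unrelated `pager` package. It should probably read `pkgs.haskellPackages.desktop-pager` as well. The enclosing `symlinkJoin` call starts outside the hunk.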
diff --git a/krebs/5pkgs/simple/realwallpaper/get_constellations.py b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
index 5d8d3df5d..4ba766f6a 100644
--- a/krebs/5pkgs/simple/realwallpaper/get_constellations.py
+++ b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
@@ -18,19 +18,24 @@ def points_to_lines(points):
return lines
-with open(sys.argv[1]) as f:
- constellations = json.load(f)['features']
+def main():
+ with open(sys.argv[1]) as f:
+ constellations = json.load(f)['features']
-output = []
+ output = []
-for const in constellations:
- for line in const['geometry']['coordinates']:
- transformed_line = []
- for point in line:
- transformed_line.append(convert_to_itrs(point))
+ for const in constellations:
+ for line in const['geometry']['coordinates']:
+ transformed_line = []
+ for point in line:
+ transformed_line.append(convert_to_itrs(point))
- line_combined = points_to_lines(transformed_line)
- for l in line_combined: # noqa
- output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
+ line_combined = points_to_lines(transformed_line)
+ for l in line_combined: # noqa
+ output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
-print('\n'.join(output))
+ print('\n'.join(output))
+
+
+if __name__ == "__main__":
+ main()
diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
new file mode 100644
index 000000000..d3557894d
--- /dev/null
+++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
@@ -0,0 +1,30 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "renew-intermediate-ca" ''
+ TMPDIR=$(mktemp -d)
+ trap "rm -rf $TMPDIR;" INT TERM EXIT
+ mkdir -p "$TMPDIR/krebs"
+ brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+ brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+ brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
+ cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
+ export STEPPATH="$TMPDIR/step"
+ cat << EOF > "$TMPDIR/intermediate.tpl"
+ {
+ "subject": {{ toJson .Subject }},
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 0
+ },
+ "nameConstraints": {
+ "critical": true,
+ "permittedDNSDomains": ["r" ,"w"]
+ }
+ }