Diffstat (limited to 'krebs')
32 files changed, 309 insertions, 93 deletions
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 2f55995cf..8bb14d517 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -5,6 +5,7 @@ <stockholm/krebs> <stockholm/krebs/2configs> <stockholm/krebs/2configs/matterbridge.nix> + <stockholm/krebs/2configs/nameserver.nix> ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; @@ -30,8 +31,23 @@ krebs.pages.enable = true; krebs.pages.nginx.addSSL = true; - krebs.pages.nginx.enableACME = true; + krebs.pages.nginx.useACMEHost = "krebsco.de"; security.acme.acceptTerms = true; - security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de"; + security.acme.certs."krebsco.de" = { + domain = "krebsco.de"; + extraDomainNames = [ + "*.krebsco.de" + ]; + email = "spam@krebsco.de"; + reloadServices = [ + "knsupdate-krebsco.de.service" + "nginx.service" + ]; + keyType = "ec384"; + dnsProvider = "rfc2136"; + credentialsFile = "/var/src/secrets/acme-credentials"; + }; + + users.users.nginx.extraGroups = [ "acme" ]; } diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString <secrets> + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix index a1fe47b5d..1a0cdf019 100644 --- a/krebs/2configs/cal.nix +++ b/krebs/2configs/cal.nix @@ -108,7 +108,7 @@ in { krebs.secret.files.calendar = { path = "/var/lib/radicale/.ssh/id_ed25519"; owner = { name = "radicale"; }; - source-path = "${<secrets/radicale.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; }; security.sudo.extraConfig = '' 
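Review bot: `reloadServices` lists `knsupdate-krebsco.de.service`, which nameserver.nix in this commit defines as a `Type = "oneshot"` unit without `RemainAfterExit`; as far as I recall the NixOS ACME module reloads with `systemctl try-reload-or-restart`, which does nothing for a unit that is inactive, so the TLSA update would likely never run after a renewal. Consider `serviceConfig.RemainAfterExit = true;` on that unit and verify it actually fires on the next renewal. Separately, `credentialsFile = "/var/src/secrets/acme-credentials"` hard-codes the secrets directory while every other file in this commit moves to `config.krebs.secret.directory`; `credentialsFile = "${config.krebs.secret.directory}/acme-credentials";` keeps them consistent. Adding nginx to the `acme` group also grants it read access to every key under /var/lib/acme rather than only this certificate, which is fine if intended but deserves a one-line comment.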
diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix index 95d70376b..ab2b22b7c 100644 --- a/krebs/2configs/hotdog-host.nix +++ b/krebs/2configs/hotdog-host.nix @@ -1,6 +1,7 @@ +{ config, ... }: { krebs.sync-containers3.containers.hotdog = { - sshKey = "${toString <secrets>}/hotdog.sync.key"; + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; }; containers.hotdog.bindMounts."/var/lib" = { hostPath = "/var/lib/sync-containers3/hotdog/state"; diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 145b383ed..af308b2c7 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -33,8 +33,10 @@ ]; environment.systemPackages = [ - (pkgs.writers.writeDashBin "tootctl" '' - sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 '') (pkgs.writers.writeDashBin "create-mastodon-user" '' set -efu diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix new file mode 100644 index 000000000..633f6f5d5 --- /dev/null +++ b/krebs/2configs/nameserver.nix 
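Review bot: The new `clear-mastodon-cache` script runs three `mastodon-tootctl` commands without `set -efu`, so a failure of the first `media remove` is ignored and the later steps still run, while the sibling `create-mastodon-user` script in the next context line starts with `set -efu`. Add `set -efu` as the first line of the script for consistency. The removed `tootctl` wrapper also did the `sudo -u mastodon` switch; whether `mastodon-tootctl` is meant to be invoked as root or as the mastodon user is not visible here, so a one-line comment above the script naming the expected caller would help.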
@@ -0,0 +1,179 @@ +{ config, lib, pkgs, ... }: let + acmeChallenge = + { domain + , nameserver + , adminEmail + , serial ? 0 + , refresh ? 3600 + , retry ? 900 + , expire ? 604800 + , minimum ? 180 + }: + pkgs.writeText "${domain}.zone" /* bindzone */ '' + $TTL 60 + @ IN SOA ${lib.concatStringsSep " " [ + "${nameserver}." + "${lib.replaceStrings ["@"] ["."] adminEmail}." + (toString serial) + (toString refresh) + (toString retry) + (toString expire) + (toString minimum) + ]} + @ IN NS ${nameserver}. + ''; +in { + networking.firewall.allowedTCPPorts = [ + 53 # domain for AXFR + ]; + networking.firewall.allowedUDPPorts = [ + 53 # domain + ]; + + krebs.systemd.services.knot.restartIfCredentialsChange = true; + systemd.services.knot.serviceConfig.LoadCredential = [ + "keys.conf:/var/src/secrets/knot-keys.conf" + ]; + + services.knot = { + enable = true; + keyFiles = [ + "/run/credentials/knot.service/keys.conf" + ]; + extraConfig = /* yaml */ '' + server: + udp-max-payload: 4096 + listen: [ 127.0.0.53@2, ${ + lib.concatMapStringsSep ", " + (addr: "${addr}@53") + ( + config.krebs.build.host.nets.internet.addrs or [] + ++ + # This is required for hosts at OCI because the default route + # provided by DHCP is using the private address. 
+ config.krebs.build.host.nets.intranet.addrs or [] + ) + } ] + + log: + - target: syslog + any: debug + + remote: + - id: henet_ns1 + address: 216.218.130.2 + + - id: hostingde_ns1 + address: 134.0.30.178 + + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key + + acl: + - id: acme_acl + key: acme + action: update + + - id: dane_acl + key: dane + action: update + + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + + mod-rrl: + - id: default + rate-limit: 200 # Allow 200 resp/s for each flow + slip: 2 # Every other response slips + + policy: + - id: rsa2k + algorithm: rsasha256 + ksk-size: 4096 + zsk-size: 2048 + + template: + - id: default + global-module: mod-rrl/default + semantic-checks: on + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: krebsco.de + file: ${pkgs.krebs.zones."krebsco.de"} + dnssec-signing: on + dnssec-policy: rsa2k + notify: henet_ns1 + notify: hostingde_ns1 + notify: krebscode_ni + acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary + acl: transfer_to_krebscode_secondary + acl: dane_acl + + - domain: _acme-challenge.krebsco.de + file: ${acmeChallenge { + domain = "_acme-challenge.krebsco.de"; + nameserver = "ns1.krebsco.de"; + adminEmail = "spam@krebsco.de"; + }} + acl: acme_acl + + - domain: r + file: ${pkgs.krebs.zones.r} + + - domain: w + file: ${pkgs.krebs.zones.w} + ''; + }; + + systemd.services."knsupdate-krebsco.de" = { + serviceConfig = { + Type = "oneshot"; + SyslogIdentifier = "knsupdate-krebsco.de"; + ExecStart = pkgs.writeDash 
"knsupdate-krebsco.de" /* sh */ '' + set -efu + + mk_certificate_association_data() { + ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" | + ${pkgs.coreutils}/bin/cut -d= -f2 | + ${pkgs.coreutils}/bin/tr -d : + } + + certfile=/var/lib/acme/krebsco.de/cert.pem + certificate_association_data=$(mk_certificate_association_data "$certfile") + keyfile=/var/src/secrets/dane.tsig + + script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX) + trap 'rm "$script"' EXIT + ( + exec >"$script" + echo server krebsco.de. + echo zone krebsco.de. + echo origin krebsco.de. + echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo show + echo send + echo answer + echo quit + ) + ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script" + ''; + }; + }; +} diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 71793e518..81922ef87 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -1,5 +1,6 @@ +{ config, ... }: { krebs.sync-containers3.containers.news = { - sshKey = "${toString <secrets>}/news.sync.key"; + sshKey = "${config.krebs.secret.directory}/news.sync.key"; }; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 1b72924a6..a488fdfea 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${<secrets/konsens.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; }; imports = [ diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 59178516c..90ae66f6e 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix 
@@ -10,8 +10,8 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - key = toString <secrets/syncthing.key>; - cert = toString <secrets/syncthing.cert>; + key = "${config.krebs.secret.directory}/syncthing.key"; + cert = "${config.krebs.secret.directory}/syncthing.cert"; # workaround for infinite recursion on unstable, remove in 23.11 } // (if builtins.hasAttr "settings" options.services.syncthing then { settings.devices = mk_peers used_peers; } diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 98ed039b4..21c46a0a7 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -13,12 +13,12 @@ config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; - hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ]; + hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ]; }; boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.secrets = { - "/etc/tor/onion/bootup" = <secrets/initrd>; + "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd"; }; boot.initrd.extraUtilsCommands = '' diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index a227ceb4a..4b0bf9768 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -96,7 +96,7 @@ in krebs.secret.files.gollum = { path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; owner = { name = "gollum"; }; - source-path = "${<secrets/gollum.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/gollum.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 093ae2030..4e42ce72e 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix 
@@ -20,14 +20,14 @@ let }; dkim = mkOption { - type = types.listOf (types.submodule ({ config, ... }: { + type = types.listOf (types.submodule (dkim: { options = { domain = mkOption { type = types.str; }; private_key = mkOption { type = types.absolute-pathname; - default = toString <secrets> + "/${config.domain}.dkim.priv"; + default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 79187adfa..0d67120fd 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -40,7 +40,7 @@ let }; }; - fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' + fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" '' set -euf mkdir -p ${cfg.stateDir} diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix index 6f9aee0ce..2f373f9bc 100644 --- a/krebs/3modules/github/hosts-sync.nix +++ b/krebs/3modules/github/hosts-sync.nix @@ -22,7 +22,7 @@ let }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString <secrets/github-hosts-sync.ssh.id_ed25519>; + default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519"; defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›"; }; url = mkOption { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index c1c5b68c8..32a5273a5 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -177,7 +177,7 @@ let ${buildTables iptables-version cfg.tables} ''; - startScript = pkgs.writeDash "krebs-iptables_start" '' + startScript = pkgs.writers.writeDash "krebs-iptables_start" '' set -euf iptables-restore < ${rules "v4"} ip6tables-restore < ${rules "v6"} diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix index 71e2b541a..a9ed24d3f 100644 
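Review bot: The `defaultText = "‹secrets/‹domain›.dkim.priv›"` line directly below the changed default still describes the old `<secrets>` search-path location, while the default itself is now built from `config.krebs.secret.directory`, so the rendered option documentation disagrees with the code. Something like `defaultText = "‹config.krebs.secret.directory›/‹domain›.dkim.priv";` keeps them aligned. The same stale `defaultText` follows the changed defaults in github/hosts-sync.nix, repo-sync.nix and tinc.nix in this commit.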
--- a/krebs/3modules/power-action.nix +++ b/krebs/3modules/power-action.nix @@ -60,7 +60,7 @@ let }; }; - startScript = pkgs.writeDash "power-action" '' + startScript = pkgs.writers.writeDash "power-action" '' set -euf power="$(${powerlvl})" @@ -77,11 +77,11 @@ let writeRule = _: plan: "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi"; - powerlvl = pkgs.writeDash "powerlvl" '' + powerlvl = pkgs.writers.writeDash "powerlvl" '' cat /sys/class/power_supply/${cfg.battery}/capacity ''; - state = pkgs.writeDash "state" '' + state = pkgs.writers.writeDash "state" '' if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ] then echo "false" else echo "true" diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index a6de3f3f6..5208d91ae 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -123,7 +123,7 @@ let privateKeyFile = mkOption { type = types.absolute-pathname; - default = toString <secrets> + "/repo-sync.ssh.key"; + default = "${config.krebs.secret.directory}/repo-sync.ssh.key"; defaultText = "‹secrets/repo-sync.ssh.key›"; }; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index c9ea8a619..bd7e7c5f6 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -14,12 +14,12 @@ in sslCertificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "${toString <secrets>}/tinc.krebsco.de.crt" ; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ; }; sslCertificateKey = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "${toString <secrets>}/tinc.krebsco.de.key"; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: # <secrets/tinc.krebsco.de.crt> 
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index 58f3a3c10..aba825c29 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -4,32 +4,9 @@ let cfg = config.krebs; out = { - options.krebs = api; config = lib.mkIf cfg.enable imp; }; - api = { - zone-head-config = mkOption { - type = with types; attrsOf str; - description = '' - The zone configuration head which is being used to create the - zone files. The string for each key is pre-pended to the zone file. - ''; - # TODO: configure the default somewhere else, - # maybe use krebs.dns.providers - default = { - - # github.io -> 192.30.252.154 - "krebsco.de" = '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - IN NS ns19.ovh.net. - IN NS dns19.ovh.net. - ''; - }; - }; - }; - imp = lib.mkMerge [ { services.openssh.hostKeys =
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 2f9efad46..9df368cfb 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; { privkey = mkOption { type = types.absolute-pathname; - default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; + default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; };
@@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; { default = if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null then null - else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; + else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; };
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 7771d3b51..e68482d77 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -1,6 +1,25 @@ { config, pkgs, lib, ... }: with lib; { + options.krebs.zone-head-config = mkOption { + type = lib.types.attrsOf lib.types.str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + default = { + "krebsco.de" = /* bindzone */ '' + $TTL 60 + @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 + @ 3600 IN NS ni + @ 3600 IN NS ns2.he.net. + @ 3600 IN NS ns3.he.net. + @ 3600 IN NS ns2.hosting.de. + ''; + }; + }; + config = { environment.etc = mapAttrs'
diff --git a/krebs/5pkgs/haskell/pager.nix b/krebs/5pkgs/haskell/desktop-pager.nix
index 36709788c..1a4f94db3 100644
--- a/krebs/5pkgs/haskell/pager.nix
+++ b/krebs/5pkgs/haskell/desktop-pager.nix
@@ -4,7 +4,7 @@ , utf8-string, X11 }: mkDerivation { - pname = "pager"; + pname = "desktop-pager"; version = "1.0.0"; src = fetchgit { url = "https://cgit.krebsco.de/pager";
diff --git a/krebs/5pkgs/haskell/nix-serve-ng.nix b/krebs/5pkgs/haskell/nix-serve-ng.nix
index 8866b205b..62e02ce82 100644
--- a/krebs/5pkgs/haskell/nix-serve-ng.nix
+++ b/krebs/5pkgs/haskell/nix-serve-ng.nix
@@ -6,11 +6,11 @@ }: mkDerivation { pname = "nix-serve-ng"; - version = "1.0.0"; + version = "1.0.1"; src = fetchgit { url = "https://github.com/aristanetworks/nix-serve-ng"; - sha256 = "0mqp67z5mi8rsjahdh395n7ppf0b65k8rd3pvnl281g02rbr69y2"; - rev = "433f70f4daae156b84853f5aaa11987aa5ce7277"; + sha256 = "sha256-PkzwtjUgYuqfWtCH1nRqVRaajihN1SqMVjWmoSG/CCY="; + rev = "9b546864f4090736f3f9069a01ea5d42cf7bab7c"; fetchSubmodules = true; }; isLibrary = false;
diff --git a/krebs/5pkgs/simple/fzfmenu/default.nix b/krebs/5pkgs/simple/fzfmenu/default.nix
index eb2441330..030c1b1b1 100644
--- a/krebs/5pkgs/simple/fzfmenu/default.nix
+++ b/krebs/5pkgs/simple/fzfmenu/default.nix
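Review bot: In the new `zone-head-config` default the SOA MNAME is `spam.krebsco.de.`, the same name that is used as RNAME (the admin mailbox), whereas the NS set right below names `ns1` and `ni`; anything that locates the primary through the SOA MNAME (secondaries for refresh, RFC 2136 clients without an explicit `server` line) would be pointed at what looks like a mail host. If `ns1.krebsco.de.` is the primary, as the `_acme-challenge` zone in nameserver.nix suggests, `@ 3600 IN SOA ns1.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600` would match; if the current value is deliberate, a short comment above the line would save the next reader the question. Serial `0` only works because knot is configured with `zonefile-load: difference-no-serial` in another file of this commit, which is worth stating in a comment here since that coupling is otherwise invisible.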
@@ -43,7 +43,7 @@ pkgs.writers.writeDashBin "fzfmenu" '' set -efu # Spawn terminal if called without one, like e.g. from a window manager. - if [ -z ''${TERM+x} ]; then + if [ -z ''${TERM+x} ] || [ $TERM = dumb ]; then exec 3<&0 exec 4>&1 export FZFMENU_INPUT_FD=3
diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix
deleted file mode 100644
index 32608e7fa..000000000
--- a/krebs/5pkgs/simple/krebszones/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeDashBin "krebszones" '' - set -efu - export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf} - case $* in - import) - set -- import /etc/zones/krebsco.de krebsco.de - echo "+ krebszones $*" >&2 - ;; - esac - exec ${pkgs.ovh-zone}/bin/ovh-zone "$@" -''
diff --git a/krebs/5pkgs/simple/ovh-zone/default.nix b/krebs/5pkgs/simple/ovh-zone/default.nix
index 051a14e8d..bc0e45cb9 100644
--- a/krebs/5pkgs/simple/ovh-zone/default.nix
+++ b/krebs/5pkgs/simple/ovh-zone/default.nix
@@ -9,7 +9,6 @@ python3Packages.buildPythonPackage rec { name = "ovh-zone-${version}"; version = "0.4.4"; propagatedBuildInputs = with pkgs.python3Packages;[ - d2to1 # for setup to work ovh docopt ];
diff --git a/krebs/5pkgs/simple/pager.nix b/krebs/5pkgs/simple/pager.nix
index 952b5ee1e..adc2cc67b 100644
--- a/krebs/5pkgs/simple/pager.nix
+++ b/krebs/5pkgs/simple/pager.nix
@@ -33,7 +33,7 @@ pkgs.symlinkJoin { -ti vt340 \ -xrm '*geometry: 32x10' \ -xrm '*internalBorder: 2' \ - -e ${pkgs.haskellPackages.pager}/bin/pager "$@" + -e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@" '') pkgs.haskellPackages.pager ];
diff --git a/krebs/5pkgs/simple/realwallpaper/get_constellations.py b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
index 5d8d3df5d..4ba766f6a 100644
--- a/krebs/5pkgs/simple/realwallpaper/get_constellations.py
+++ b/krebs/5pkgs/simple/realwallpaper/get_constellations.py
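Review bot: `[ $TERM = dumb ]` expands `$TERM` unquoted; with `set -efu` the test is only reached when TERM is set, but a TERM that is empty or contains whitespace turns it into `[ = dumb ]`, which `[` rejects with an error on stderr, and the condition then counts as false so no terminal is spawned. Quote it: `if [ -z ''${TERM+x} ] || [ "$TERM" = dumb ]; then`.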
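Review bot: The `-e` line in pager.nix now points at `pkgs.haskellPackages.desktop-pager`, but the `pkgs.haskellPackages.pager` entry in the `paths` list two lines below is unchanged, even though this commit renames haskell/pager.nix to desktop-pager.nix and changes its pname; unless an alias for the old attribute survives somewhere not shown here, evaluating this package will fail with a missing attribute. Change that entry to `pkgs.haskellPackages.desktop-pager` as well.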
@@ -18,19 +18,24 @@ def points_to_lines(points): return lines -with open(sys.argv[1]) as f: - constellations = json.load(f)['features'] +def main(): + with open(sys.argv[1]) as f: + constellations = json.load(f)['features'] -output = [] + output = [] -for const in constellations: - for line in const['geometry']['coordinates']: - transformed_line = [] - for point in line: - transformed_line.append(convert_to_itrs(point)) + for const in constellations: + for line in const['geometry']['coordinates']: + transformed_line = [] + for point in line: + transformed_line.append(convert_to_itrs(point)) - line_combined = points_to_lines(transformed_line) - for l in line_combined: # noqa - output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa + line_combined = points_to_lines(transformed_line) + for l in line_combined: # noqa + output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa -print('\n'.join(output)) + print('\n'.join(output)) + + +if __name__ == "__main__": + main() diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix new file mode 100644 index 000000000..d3557894d --- /dev/null +++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix @@ -0,0 +1,30 @@ +{ pkgs }: +pkgs.writers.writeDashBin "renew-intermediate-ca" '' + TMPDIR=$(mktemp -d) + trap "rm -rf $TMPDIR;" INT TERM EXIT + mkdir -p "$TMPDIR/krebs" + brain show ca/ca.key > "$TMPDIR/krebs/ca.key" + brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt" + brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key" + cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt" + export STEPPATH="$TMPDIR/step" + cat << EOF > "$TMPDIR/intermediate.tpl" + { + "subject": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 0 + }, + "nameConstraints": { + "critical": true, + "permittedDNSDomains": ["r" ,"w"] + } + } |
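Review bot: `main()` reads `sys.argv[1]` with no argument check, so running the script without a path raises an IndexError rather than a usage message; a guard such as `if len(sys.argv) != 2: sys.exit(f"usage: {sys.argv[0]} constellations.json")` at the top of `main()` would make that explicit. A one-line docstring stating that it prints one `x1 y1 x2 y2 # id` line per segment would also help, since the output format is only visible in the f-string. The `# noqa` on the inner loop hides that `l` is an ambiguous single-letter name; renaming it to `seg` removes the need for the suppression.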