Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix1
-rw-r--r--krebs/2configs/default.nix12
-rw-r--r--krebs/2configs/mastodon-proxy.nix13
-rw-r--r--krebs/2configs/mastodon.nix14
-rw-r--r--krebs/2configs/nginx.nix24
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/3modules/setuid.nix26
-rw-r--r--krebs/3modules/sync-containers3.nix16
-rw-r--r--krebs/krops.nix4
9 files changed, 78 insertions, 34 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 75a8a0da1..0a103ed1a 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -4,6 +4,7 @@
imports = [
../../../krebs
../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
../../../krebs/2configs/buildbot-stockholm.nix
../../../krebs/2configs/binary-cache/nixos.nix
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 0d55a01fa..5d64555c8 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
];
krebs.announce-activation.enable = true;
krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
# trust krebs ACME CA
krebs.ssl.trustIntermediate = true;
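Review bot: The two `networking.firewall.allowed*Ports = [ 655 ];` lines open tinc's port unconditionally, while retiolum itself is only `mkDefault true` and can be switched off per host, so hosts without a tinc daemon still get the hole. Tie the ports to the option instead, `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` and the same for UDP, assuming `config` is among this module's arguments (the hunk does not show the header). `LocalDiscovery = yes` additionally makes tinc look for peers by broadcast on the local network; a one-line comment stating that this is wanted on every krebs host would save the next reader from wondering. Blank context lines of the enclosing attribute set appear to be missing from the hunk, so it may extend slightly beyond what is shown.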
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 4d359c3fe..b579a5031 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -5,19 +5,12 @@
virtualHosts."social.krebsco.de" = {
forceSSL = true;
enableACME = true;
+ acmeFallbackHost = "hotdog.r";
locations."/" = {
# TODO use this in 22.11
- # recommendedProxySettings = true;
- proxyPass = "http://hotdog.r";
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- '';
};
};
};
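Review bot: Switching `proxyPass` to `"https://hotdog.r"` encrypts the hop but does not authenticate it: nginx leaves `proxy_ssl_verify` off by default, so anything answering as hotdog.r is accepted, and the certificate the backend obtains in this same commit comes from the Let's Encrypt staging endpoint (mastodon.nix), which no trust store accepts. Either add `proxy_ssl_verify on; proxy_ssl_server_name on; proxy_ssl_trusted_certificate <CA_BUNDLE_PATH>;` to this location's `extraConfig` with a CA that actually signs the backend's certificate, or keep verification off and record in a comment that the `.r` hop is considered trusted because it runs inside the overlay network (inferred from the hostname; confirm). The `# TODO use this in 22.11` line above `recommendedProxySettings = true;` is now stale and should go. The dropped `X-Forwarded-*` headers are covered by `recommendedProxySettings`, so that part of the removal is fine.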
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index af308b2c7..ebc4207a0 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -3,7 +3,7 @@
services.postgresql = {
enable = true;
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- package = pkgs.postgresql_11;
+ package = pkgs.postgresql_16;
};
systemd.tmpfiles.rules = [
"d /var/state/postgresql 0700 postgres postgres -"
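Review bot: Bumping `package` from `postgresql_11` to `postgresql_16` with `dataDir` keyed on `psqlSchema` makes postgresql initialise an empty cluster in a new directory rather than upgrade the existing one, so mastodon comes up with no data until someone runs `pg_upgrade` or a dump/restore by hand, and nothing in this commit performs that migration. Add a comment above `package` recording how the data was moved, e.g. `# 11 -> 16: cluster migrated manually (pg_upgrade); old dataDir kept until verified`, and plan the removal of the old `/var/state/postgresql/<old schema>` directory once the new cluster is confirmed. Jumping five major versions in one step also deserves a note on which intermediate steps, if any, were needed.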
@@ -13,23 +13,17 @@
enable = true;
localDomain = "social.krebsco.de";
configureNginx = true;
+ streamingProcesses = 3;
trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
smtp.createLocally = false;
smtp.fromAddress = "derp";
};
- services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
- forceSSL = lib.mkForce false;
- enableACME = lib.mkForce false;
- locations."@proxy".extraConfig = ''
- proxy_redirect off;
- proxy_pass_header Server;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- '';
- };
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
networking.firewall.allowedTCPPorts = [
80
+ 443
];
environment.systemPackages = [
diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix
new file mode 100644
index 000000000..812093a7e
--- /dev/null
+++ b/krebs/2configs/nginx.nix
@@ -0,0 +1,24 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "spam@krebsco.de";
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ enableReload = true;
+
+ virtualHosts.default = {
+ default = true;
+ locations."= /etc/os-release".extraConfig = ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+ };
+ };
+}
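Review bot: The `locations."= /etc/os-release"` block on the catch-all default vhost serves the machine's exact NixOS release string to any unauthenticated client on port 80; that is version disclosure with no benefit outside the fleet. If it is deliberate (a monitoring probe, say), add a comment saying so; otherwise drop the location or restrict it with `allow`/`deny` lines for the internal address ranges in the same `extraConfig`. `acceptTerms = true` and the contact `email` now apply to every host importing this file, so a header comment describing this module as the shared nginx/ACME baseline would also explain why hotdog's config.nix imports it. The acme-challenge location and its comment are duplicated verbatim in reaktor2.nix; a small shared attrset would keep the two copies from drifting.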
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index db7b794f4..e84827656 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -526,6 +526,8 @@ in {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
'';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
};
services.nginx.virtualHosts."bedge.r" = {
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index fdb96c8ba..e3108d88e 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -80,13 +80,25 @@ let
};
imp = {
- system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
- (concatMapStringsSep "\n"
- (cfg: /* sh */ ''
- ${cfg.activate}
- rm -f ${cfg.wrapperDir}/${cfg.name}.real
- '')
- (attrValues config.krebs.setuid));
+ systemd.services."krebs.setuid" = {
+ wantedBy = [ "suid-sgid-wrappers.service" ];
+ after = [ "suid-sgid-wrappers.service" ];
+ path = [
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
+ ${concatMapStringsSep "\n"
+ (getAttr "activate")
+ (attrValues config.krebs.setuid)
+ }
+ '';
+ };
+ unitConfig = {
+ DefaultDependencies = false;
+ };
+ };
};
in out
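Review bot: The new `ExecStart` script runs only each entry's `activate` and no longer removes `${cfg.wrapperDir}/${cfg.name}.real`, which the replaced activation script did after every run; unless `activate` has been changed elsewhere to clean up after itself (not visible in this hunk), stale `.real` copies will accumulate in the wrapper directory next to the privileged wrappers. Keep the cleanup in the script, e.g. `${concatMapStringsSep "\n" (cfg: "${cfg.activate}\nrm -f ${cfg.wrapperDir}/${cfg.name}.real") (attrValues config.krebs.setuid)}`. `wantedBy`/`after` on `suid-sgid-wrappers.service` cover boot, but if that service is restarted on its own, `krebs.setuid` is not re-run; `partOf = [ "suid-sgid-wrappers.service" ];` would bind the two lifetimes, if that is the intent. The `imp` attrset and the enclosing `let` begin before this hunk.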
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index cb239b955..7373592a5 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -58,6 +58,8 @@ in {
pkgs.jq
];
networking.useDHCP = lib.mkForce true;
+ networking.useHostResolvConf = false;
+ services.resolved.enable = true;
systemd.services.autoswitch = {
environment = {
NIX_REMOTE = "daemon";
@@ -155,7 +157,7 @@ in {
# echo 'container is reachable, continueing'
continue
else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
break
fi
else
@@ -297,9 +299,6 @@ in {
(lib.mkIf (cfg.containers != {}) {
# networking
- # needed because otherwise we lose local dns
- environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
-
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
systemd.network.networks.ctr0 = {
name = "ctr0";
@@ -312,6 +311,9 @@ in {
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
};
+ dhcpServerConfig = {
+ DNS = "9.9.9.9";
+ };
};
systemd.network.netdevs.ctr0.netdevConfig = {
Kind = "bridge";
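Review bot: `dhcpServerConfig.DNS = "9.9.9.9"` hands every container a fixed external resolver, so containers lose the local and overlay name resolution that the removed `resolv.conf` override (hunk at -297, comment "needed because otherwise we lose local dns") existed to preserve, and all container DNS now leaves the host unencrypted to a third party. If the host's `systemd-resolved` enabled in this commit is meant to serve them, point the lease at the bridge with the `_server_address` special value, `DNS = "_server_address";`, and let resolved listen on ctr0 via `DNSStubListenerExtra=` in its `extraConfig`; otherwise add a comment next to `DNS` explaining why a public resolver is the deliberate choice. The `ctr0` network block continues above this hunk.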
@@ -344,6 +346,12 @@ in {
networking.useHostResolvConf = false;
networking.useNetworkd = true;
+ services.resolved = {
+ enable = true;
+ extraConfig = ''
+ Domains=~.
+ '';
+ };
systemd.network = {
enable = true;
networks.eth0 = {
diff --git a/krebs/krops.nix b/krebs/krops.nix
index ad277ac86..eba966b4f 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -11,7 +11,7 @@
nixpkgs = if test then {
derivation = let
rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
- sha256 = (lib.importJSON ./nixpkgs.json).nixpkgs.locked.narHash;
+ sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
in ''
with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
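Review bot: `../flake.lock` is now parsed twice with `lib.importJSON` in this hunk and once more in the `git` branch below (hunk at -26), each time reaching into `.nodes.nixpkgs.locked`; bind it once in the enclosing `let`, `nixpkgsLock = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked;`, and use `nixpkgsLock.rev` / `nixpkgsLock.narHash` in both branches so the two pins cannot diverge. After this change `./nixpkgs.json` appears to be unread by this file; if nothing else consumes it, delete it in the same commit so a second, stale pin is not left behind. Pinning by `rev` plus `narHash` from the lock is the right approach. The `nixpkgs` attribute's enclosing function starts above the hunk.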
@@ -26,7 +26,7 @@
'';
} else {
git = {
- ref = (lib.importJSON ./nixpkgs.json).rev;
+ ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
url = "https://github.com/NixOS/nixpkgs";
shallow = true;
};