Diffstat (limited to 'krebs')
-rw-r--r--krebs/0tests/data/secrets/gollum.id_ed255190
-rw-r--r--krebs/0tests/data/secrets/shack/telegram_bot.env0
-rw-r--r--krebs/1systems/puyak/config.nix2
-rw-r--r--krebs/2configs/go.nix2
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/2configs/wiki.nix83
-rw-r--r--krebs/3modules/default.nix13
-rw-r--r--krebs/3modules/dns.nix2
-rw-r--r--krebs/3modules/external/default.nix4
-rw-r--r--krebs/3modules/external/mic92.nix99
-rw-r--r--krebs/3modules/external/ssh/mic92.pub (renamed from krebs/3modules/external/ssh/Mic92.pub)0
-rw-r--r--krebs/3modules/gollum.nix112
-rw-r--r--krebs/3modules/hosts.nix8
-rw-r--r--krebs/3modules/permown.nix20
-rw-r--r--krebs/3modules/secret.nix2
-rw-r--r--krebs/3modules/tinc.nix39
-rw-r--r--krebs/3modules/tv/default.nix64
-rw-r--r--krebs/5pkgs/simple/htgen-imgur/default.nix2
-rw-r--r--krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur20
-rw-r--r--krebs/5pkgs/simple/htgen/default.nix4
-rw-r--r--krebs/nixpkgs-unstable.json6
-rw-r--r--krebs/nixpkgs.json6
22 files changed, 375 insertions, 115 deletions
diff --git a/krebs/0tests/data/secrets/gollum.id_ed25519 b/krebs/0tests/data/secrets/gollum.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/gollum.id_ed25519
diff --git a/krebs/0tests/data/secrets/shack/telegram_bot.env b/krebs/0tests/data/secrets/shack/telegram_bot.env
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/shack/telegram_bot.env
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 8b30dfef9..08a3392bd 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -85,7 +85,7 @@
'';
users.users.joerg = {
- openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
+ openssh.authorizedKeys.keys = [ config.krebs.users.mic92.pubkey ];
isNormalUser = true;
shell = "/run/current-system/sw/bin/zsh";
};
diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix
index f4c1290c2..c39b08a8e 100644
--- a/krebs/2configs/go.nix
+++ b/krebs/2configs/go.nix
@@ -13,7 +13,7 @@ with import <stockholm/lib>;
enable = true;
virtualHosts.go = {
locations."/".extraConfig = ''
- proxy_set_header Host go;
+ proxy_set_header Host go.r;
proxy_pass http://localhost:1337;
'';
serverAliases = [
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 72eff176b..061dc9ab9 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -76,7 +76,7 @@ let
};
}
{
- pattern = ''^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
+ pattern = ''^([\H-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
activate = "match";
arguments = [1 2 3];
command = {
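Review bot: `[\H-]` has engine-dependent meaning — in Perl/PCRE `\H` is "not horizontal whitespace", in Ruby's Onigmo it is "not a hex digit" — and reaktor2's regex engine is not visible in this hunk, so the widened nick class either admits `:`, `@` and quotes or, on Onigmo, rejects any nick containing `0-9a-f`. If the intent is to accept the IRC nick characters that `\w` excluded (`[]{}|^` and backtick), spell the class out so it does not depend on the dialect, e.g. `pattern = ''^([A-Za-z0-9_\[\]{}|^\\`-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';`. The enclosing hook list starts before this hunk.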
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 2350e711e..e4f05a6e6 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -1,9 +1,41 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ setupGit = ''
+ export PATH=${makeBinPath [ pkgs.git ]}
+ export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+ repo='git@localhost:wiki'
+ cd ${config.krebs.gollum.stateDir}
+ if ! url=$(git config remote.origin.url); then
+ git remote add origin "$repo"
+ elif test "$url" != "$repo"; then
+ git remote set-url origin "$repo"
+ fi
+ '';
+
+ pushGollum = pkgs.writeDash "push_gollum" ''
+ ${setupGit}
+ git fetch origin
+ git merge --ff-only origin/master
+ '';
+
+ pushCgit = pkgs.writeDash "push_cgit" ''
+ ${setupGit}
+ git push origin master
+ '';
+
+in
{
- services.gollum = {
+ krebs.gollum = {
enable = true;
+ extraConfig = ''
+ Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
+ system('${pushCgit}')
+ end
+ '';
};
+
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
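Review bot: The `GIT_SSH_COMMAND` in setupGit pins the identity file but says nothing about host-key verification for `localhost`, so the non-interactive `git fetch`/`git push` in pushGollum and pushCgit will abort with "Host key verification failed" unless the gollum user, or `/etc/ssh/ssh_known_hosts`, already knows the local sshd under the name `localhost`; the krebs known_hosts generation touched elsewhere in this diff keys on host names and aliases, not `localhost`, so this is worth confirming on the deploying host. Rather than `-o StrictHostKeyChecking=no`, publish the local key explicitly, e.g. `programs.ssh.knownHosts.localhost.publicKey = config.krebs.hosts.${config.networking.hostName}.ssh.pubkey;`, or point `-o UserKnownHostsFile=` at a store file containing that one entry. Separately, `git merge --ff-only origin/master` exits non-zero once gollum's checkout and the cgit master diverge and nothing here repairs or reports that, so a stalled sync only surfaces on the post-receive hook's stderr; a comment saying so would help whoever debugs it first.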
@@ -16,4 +48,51 @@
'';
};
};
+
+ krebs.git = {
+ enable = true;
+ cgit.settings = {
+ root-title = "krebs repos";
+ };
+ rules = with git; [
+ {
+ user = [
+ {
+ name = "gollum";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
+ }
+ ] ++ (attrValues config.krebs.users);
+ repo = [ config.krebs.git.repos.wiki ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ ];
+ repos.wiki = {
+ public = true;
+ name = "wiki";
+ hooks = {
+ post-receive = ''
+ ${pkgs.git-hooks.irc-announce {
+ channel = "#xxx";
+ refs = [
+ "refs/heads/master"
+ ];
+ nick = config.networking.hostName;
+ server = "irc.r";
+ verbose = true;
+ }}
+ /run/wrappers/bin/sudo -S -u gollum ${pushGollum}
+ '';
+ };
+ };
+ };
+
+ krebs.secret.files.gollum = {
+ path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
+ owner = { name = "gollum"; };
+ source-path = "${<secrets/gollum.id_ed25519>}";
+ };
+
+ security.sudo.extraConfig = ''
+ git ALL=(gollum) NOPASSWD: ${pushGollum}
+ '';
}
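Review bot: `krebs.secret.files.gollum` places the private key at `${config.krebs.gollum.stateDir}/.ssh/id_ed25519`, which is inside the working tree of the wiki repository that gollum commits from and pushes to a repo declared `public = true`; any future `git add -A`, a page upload landing in `.ssh`, or a gollum version that stages the whole tree would publish the key on cgit. Keep the key outside the checkout (a separate directory such as `/var/lib/gollum-ssh`, with `GIT_SSH_COMMAND` pointing there) or at minimum exclude it via `.git/info/exclude` in the preStart that runs `git init`. Also, `/run/wrappers/bin/sudo -S -u gollum ${pushGollum}` asks sudo to read a password from stdin, which in a post-receive hook is the ref-update list git feeds the hook; the NOPASSWD rule means nothing is read today, but `-n` expresses the intent and fails fast instead of consuming hook input if the rule ever changes: `/run/wrappers/bin/sudo -n -u gollum ${pushGollum}`.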
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index f3180722d..bd6bab376 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -27,6 +27,7 @@ let
./github-known-hosts.nix
./git.nix
./go.nix
+ ./gollum.nix
./hidden-ssh.nix
./hosts.nix
./htgen.nix
@@ -108,7 +109,6 @@ let
{
krebs.dns.providers = {
"krebsco.de" = "zones";
- gg23 = "hosts";
shack = "hosts";
i = "hosts";
r = "hosts";
@@ -152,9 +152,11 @@ let
let
longs = net.aliases;
shorts =
- map (removeSuffix ".${cfg.dns.search-domain}")
- (filter (hasSuffix ".${cfg.dns.search-domain}")
- longs);
+ optionals
+ (cfg.dns.search-domain != null)
+ (map (removeSuffix ".${cfg.dns.search-domain}")
+ (filter (hasSuffix ".${cfg.dns.search-domain}")
+ longs));
add-port = a:
if net.ssh.port != 22
then "[${a}]:${toString net.ssh.port}"
@@ -177,7 +179,8 @@ let
(concatMap (host: attrValues host.nets)
(mapAttrsToList
(_: host: recursiveUpdate host
- (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) {
+ (optionalAttrs (cfg.dns.search-domain != null &&
+ hasAttr cfg.dns.search-domain host.nets) {
nets."" = host.nets.${cfg.dns.search-domain} // {
aliases = [host.name];
addrs = [];
diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix
index b7e2a2cbb..8acc4ccd8 100644
--- a/krebs/3modules/dns.nix
+++ b/krebs/3modules/dns.nix
@@ -6,7 +6,7 @@ with import <stockholm/lib>;
};
krebs.dns.search-domain = mkOption {
- type = types.hostname;
+ type = types.nullOr types.hostname;
};
};
}
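Review bot: `types.nullOr types.hostname` without a `default = null;` still leaves `krebs.dns.search-domain` a required option — reading it while unset raises "option used but not defined" — so the `!= null` guards this diff adds in default.nix and hosts.nix only help hosts that explicitly assign `null`. If the intent is that hosts without a search domain simply omit the option, add `default = null;` here; if every host is meant to set it explicitly, a `description` saying so avoids the surprise. The callers that assign the option are not in view, so this is inferred from the guards alone.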
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 082dfd80f..e1667cb68 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -465,9 +465,9 @@ in {
mail = "kieran.meinhardt@gmail.com";
pubkey = ssh-for "kmein";
};
- Mic92 = {
+ mic92 = {
mail = "joerg@thalheim.io";
- pubkey = ssh-for "Mic92";
+ pubkey = ssh-for "mic92";
};
qubasa = {
mail = "luis.nixos@gmail.com";
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index b8aaf9900..5a766664f 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
in {
hosts = mapAttrs hostDefaults {
amy = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.57";
@@ -44,7 +44,7 @@ in {
};
};
clara = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.58";
@@ -77,7 +77,7 @@ in {
};
};
dimitrios = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.183";
@@ -98,7 +98,7 @@ in {
};
};
donna = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.54";
@@ -132,7 +132,7 @@ in {
};
};
dpdkm = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
ip4.addr = "10.243.29.173";
@@ -156,7 +156,7 @@ in {
};
};
herbert = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
addrs = [
@@ -179,7 +179,7 @@ in {
};
};
inspector = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
@@ -208,7 +208,7 @@ in {
};
};
eddie = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
# eddie.thalheim.io
@@ -242,7 +242,7 @@ in {
};
};
eve = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
# eve.thalheim.io
@@ -273,13 +273,17 @@ in {
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
- # ohorn lan
- tinc.subnets = [ "fd42:4492:6a6d:500:8526:2adf:7451:8bbb" ];
+ tinc.subnets = [
+ # ohorn lan
+ "fd42:4492:6a6d:500:8526:2adf:7451:8bbb"
+ # docker network
+ "42:0000:002b:1605:3::/80"
+ ];
};
};
};
martha = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.53";
@@ -313,7 +317,7 @@ in {
};
};
matchbox = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.176";
@@ -339,31 +343,32 @@ in {
};
};
rock = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
aliases = [ "rock.r" ];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
- DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
- HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
- mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
- Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
- Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
- 91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
- fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
- 3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
- ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
- cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
- -----END RSA PUBLIC KEY-----
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0uhNk3XXVxQcIVhD1Ime
+ 9PY3QBIcXvwDlOrd3oUwyWTvZpUeO7yzIXdouAe4s0ohPIVq7Cmruj4ZrOGUCKyB
+ oJpOziYSbL/IiCpXyOzWMLEwu0AoeFfbxig+5oZfwQ9epM2j902CgsUipJBLIg48
+ BC9oOD+/iYEwsFPqQ/S0kETyQK5Ad+qv0lbU6/Kmify8Qplvpv/8DRdjsdLki1fU
+ a6MAEw12OtHe6IWtlitPjFMBykTP6kkSp/eg0G2KZFVuEulwHGf9QT/eT4fZTMCC
+ 2V5Vp4rIr/hawmj+h4NIxniBSQcPAAIGNwZVC4uYYV1nd4iaI/T04rDJwte5WKHf
+ EVxtlYt9RU1I/XdNRSj9gYyneVcVlDVos8Z93oUv1hIGZYFtNmGVna6lggOBPf/t
+ BZ1MT6FKA4QX9JI8bQoNs18s8ffzyb07psNbH6YhpCygnhf9C7NR/CeI8BtpzJza
+ 1Qk731Z6bk6xRFKMuY2tRKlNCqPHULj44oTHB3Ki2B/bMlkguqSChfFzKIRASYO1
+ SASSgddexjkjKLslxcLWhIqYrZhuhYlFyoeoMI3qQsey/4X5PUmQDxxhTT80+qvE
+ thBNPg46joyLTq9E9ddf7t/0C6oD2DXY88N9bkztuK5dtYHmjajUbePuaTJtrKhI
+ 7MnLboZCEiSyvkVTTx0Yjf0CAwEAAQ==
+ -----END PUBLIC KEY-----
'';
};
};
};
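Review bot: The replacement rock key is pasted in SPKI form (`-----BEGIN PUBLIC KEY-----`) while the key it replaces and every other `tinc.pubkey` in this file are PKCS#1 (`-----BEGIN RSA PUBLIC KEY-----`); tinc's host-file loader tries `PEM_read_RSAPublicKey` and, in the releases I am aware of, falls back to `PEM_read_RSA_PUBKEY`, so it should load, but the tinc package pinned by the krebs tinc module is not visible here and eva receives the same format change further down. Confirm that one of the two hosts actually connects after deploy; if it does not, `openssl rsa -pubin -in key.pem -RSAPublicKey_out` converts the key back to the PKCS#1 form the rest of the file uses.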
rose = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.52";
@@ -397,7 +402,7 @@ in {
};
};
turingmachine = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.168";
@@ -425,7 +430,7 @@ in {
};
};
harsha = {
- owner = config.krebs.users.Mic92;
+ owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.184";
@@ -446,22 +451,36 @@ in {
};
};
eva = {
- owner = config.krebs.users.Mic92;
- nets = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ internet = {
+ # eva.thalheim.io
+ ip4.addr = "52.59.172.193";
+ ip6.addr = "2a05:d014:301:a601:ef0e:5434:d814:b8ed";
+ aliases = [ "eva.i" ];
+ };
retiolum = {
+ via = internet;
ip4.addr = "10.243.29.185";
aliases = [
"eva.r"
+ "prometheus.r"
];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
- 3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
- pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
- NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
- 9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
- WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
- -----END RSA PUBLIC KEY-----
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHptaExEcSUjEJ+RH33h
+ uRK0Ttq8mJLDosWFYcoQkcL9S54aO9kF1gRJAKPBHoOt/IGeOxg2LNYWK6UjWfUy
+ LB9c42EQ1wWZ2jSJ0LJgYzjR9cp3dlo9aHSa//O6p6eLpXRo9QLf8+aIWhNW5+BG
+ sLIMR5b6Ngc2l8xQS+wvMmvTWJt3LyfQ6AKiKwCjeyrUFiuw0VWSn1I6n7H+CZBZ
+ f/UvSxLucy1e0rvbHoTITOflIAfA84iCHsHsZjVqrx1iyOMdPtY2sBPmWhtVemDo
+ duwzUpIuaJnWS7JOB4jsYWm672/KfzK7yAivqxD19OwqfZ3nNQ7sEDb3p4udw2Lf
+ 0dqHwZ5Hoj21vs3XiXX/SHcSf5QLzpj1MWBkV3r1D8I8v3P5qUbLunCofp3d9GxE
+ N0gK06gqbLNonJvC/WD7lxeY32Rh1wYXbzbD/X6aWe/oD8WMIl312hH4cHQHOnVT
+ t76NISlYTPxwX5mfFsBm8t0GjnnWY2jLwaefk7N/CwoDaKhkhmw1oeAZMuRcDRvE
+ 0ecpO4CZ6CcYERLxoYHgEAj3cMkSrQ8dT6XS4b9EO4hW4zCQ3RK9xDz71+uaihuB
+ 6uuTTsn7s0PYBJDNdccOf1Qt8fqPPgzqUKqeUciHojYDDPTC5KQh5m2PBv4I4iIR
+ LnKOqNUX7UCqbdaE/tfFRG0CAwEAAQ==
+ -----END PUBLIC KEY-----
'';
};
};
diff --git a/krebs/3modules/external/ssh/Mic92.pub b/krebs/3modules/external/ssh/mic92.pub
index 600709c78..600709c78 100644
--- a/krebs/3modules/external/ssh/Mic92.pub
+++ b/krebs/3modules/external/ssh/mic92.pub
diff --git a/krebs/3modules/gollum.nix b/krebs/3modules/gollum.nix
new file mode 100644
index 000000000..4b4e04d16
--- /dev/null
+++ b/krebs/3modules/gollum.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.krebs.gollum;
+in
+
+{
+ options.krebs.gollum = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable the Gollum service.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "IP address on which the web server will listen.";
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "Port on which the web server will run.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Content of the configuration file";
+ };
+
+ mathjax = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable support for math rendering using MathJax";
+ };
+
+ allowUploads = mkOption {
+ type = types.nullOr (types.enum [ "dir" "page" ]);
+ default = null;
+ description = "Enable uploads of external files";
+ };
+
+ emoji = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Parse and interpret emoji tags";
+ };
+
+ branch = mkOption {
+ type = types.str;
+ default = "master";
+ example = "develop";
+ description = "Git branch to serve";
+ };
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "/var/lib/gollum";
+ description = "Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.";
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ users.users.gollum = {
+ group = config.users.users.gollum.name;
+ description = "Gollum user";
+ home = cfg.stateDir;
+ createHome = false;
+ isSystemUser = true;
+ };
+
+ users.groups.gollum = { };
+
+ systemd.tmpfiles.rules = [
+ "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
+ ];
+
+ systemd.services.gollum = {
+ description = "Gollum wiki";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.git ];
+
+ preStart = ''
+ # This is safe to be run on an existing repo
+ git init ${cfg.stateDir}
+ '';
+
+ serviceConfig = {
+ User = config.users.users.gollum.name;
+ Group = config.users.groups.gollum.name;
+ ExecStart = ''
+ ${pkgs.gollum}/bin/gollum \
+ --port ${toString cfg.port} \
+ --host ${cfg.address} \
+ --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
+ --ref ${cfg.branch} \
+ ${optionalString cfg.mathjax "--mathjax"} \
+ ${optionalString cfg.emoji "--emoji"} \
+ ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
+ ${cfg.stateDir}
+ '';
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index 7fe01a769..ae0136303 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -24,7 +24,11 @@ in {
aliases = longs ++ shorts;
longs = filter check net.aliases;
shorts = let s = ".${config.krebs.dns.search-domain}"; in
- map (removeSuffix s) (filter (hasSuffix s) longs);
+ optionals
+ (config.krebs.dns.search-domain != null)
+ (map (removeSuffix s)
+ (filter (hasSuffix s)
+ longs));
in
map (addr: { ${addr} = aliases; }) net.addrs)
(attrValues host.nets))
@@ -44,7 +48,9 @@ in {
hostNetAliases = host:
mapAttrs (_: net: filter (x: x.name != null && x.value != []) [
{ name = net.ip4.addr or null; value = net.aliases; }
+ { name = net.ip4.addr or null; value = (map (alias: "4.${alias}") net.aliases); }
{ name = net.ip6.addr or null; value = net.aliases; }
+ { name = net.ip6.addr or null; value = (map (alias: "6.${alias}") net.aliases); }
]) host.nets;
# netAliases : { ${netname} : [addrAliases] }
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
index fe293810c..ca81e2ea5 100644
--- a/krebs/3modules/permown.nix
+++ b/krebs/3modules/permown.nix
@@ -18,6 +18,15 @@ with import <stockholm/lib>;
default = null;
type = types.nullOr types.groupname;
};
+ keepGoing = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to keep going when chowning or chmodding fails.
+ If set to false, then errors will cause the service to restart
+ instead.
+ '';
+ };
owner = mkOption {
type = types.username;
};
@@ -43,7 +52,12 @@ with import <stockholm/lib>;
'';
in concatMapStrings mkdir plans;
- systemd.services = genAttrs' plans (plan: {
+ systemd.services = genAttrs' plans (plan: let
+ continuable = command:
+ if plan.keepGoing
+ then /* sh */ "{ ${command}; } || :"
+ else command;
+ in {
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
value = {
environment = {
@@ -82,9 +96,9 @@ with import <stockholm/lib>;
cleanup
exec "$0" "$@"
fi
- chown -h "$OWNER_GROUP" "$path"
+ ${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''}
if test -f "$path"; then
- chmod "$FILE_MODE" "$path"
+ ${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''}
fi
done < "$paths"
'';
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
index bf2c62cc9..67454d1f7 100644
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@@ -22,7 +22,7 @@ in {
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}";
};
})
cfg.files
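Review bot: `shell.escape` applies POSIX single-quote quoting, but systemd does not parse `ExecStart=` with a shell: systemd.syntax(7) ("Quoting") documents that quotes are stripped and C-style escapes such as `\xNN` are still honoured inside them, so a unit name carrying systemd's own escapes (`foo\x2dbar.service`) would be decoded before `systemctl` sees it and a different unit restarted. Whether any `file.service` value can contain such sequences is not visible in this hunk; if it can, double the backslashes first (`replaceStrings ["\\"] ["\\\\"] file.service`) or hand the name to a small `writeDash` wrapper that quotes it in a real shell. For names with spaces this is still an improvement over the unquoted original.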
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 1fca7de5c..0f5e1aa83 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -29,6 +29,9 @@ let
Interface = ${netname}
Broadcast = no
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
+ ${optionalString (tinc.config.privkey_ed25519 != null)
+ "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
+ }
PrivateKeyFile = ${tinc.config.privkey.path}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
@@ -165,6 +168,17 @@ let
};
};
+ privkey_ed25519 = mkOption {
+ type = types.nullOr types.secret-file;
+ default =
+ if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
+ name = "${tinc.config.netname}.ed25519_key.priv";
+ path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
+ owner = tinc.config.user;
+ source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ };
+ };
+
connectTo = mkOption {
type = types.listOf types.str;
${if tinc.config.netname == "retiolum" then "default" else null} = [
@@ -198,8 +212,23 @@ let
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
# avoid conflicts in environment if the packages differ
- krebs.secret.files = mapAttrs' (netname: cfg:
- nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+ krebs.secret.files =
+ let
+ ed25519_keys =
+ filterAttrs
+ (_: key: key != null)
+ (mapAttrs'
+ (netname: cfg:
+ nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
+ )
+ config.krebs.tinc);
+
+ rsa_keys =
+ mapAttrs'
+ (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
+ config.krebs.tinc;
+ in
+ ed25519_keys // rsa_keys;
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
@@ -221,11 +250,15 @@ let
in {
description = "Tinc daemon for ${netname}";
after = [
- config.krebs.secret.files."${netname}.rsa_key.priv".service
"network.target"
+ config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
];
partOf = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
];
wantedBy = [ "multi-user.target" ];
path = [ tinc iproute ];
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index a20801b12..c86fda05d 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -55,6 +55,33 @@ in {
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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";
};
+ au = {
+ ci = true;
+ cores = 4;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.39";
+ aliases = [
+ "au.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
+ 9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
+ PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
+ PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
+ cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
+ jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 =
+ "Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
+ };
+ };
+ secure = true;
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
+ };
mu = {
ci = true;
cores = 2;
@@ -131,11 +158,6 @@ in {
ci = true;
cores = 2;
nets = {
- gg23 = {
- ip4.addr = "10.23.1.110";
- aliases = ["nomic.gg23"];
- ssh.port = 11423;
- };
retiolum = {
ip4.addr = "10.243.0.110";
aliases = [
@@ -158,27 +180,10 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
};
- ok = {
- external = true;
- nets = {
- gg23 = {
- ip4.addr = "10.23.1.1";
- aliases = ["ok.gg23"];
- };
- };
- };
wu = {
ci = true;
cores = 4;
nets = {
- gg23 = {
- ip4.addr = "10.23.1.37";
- aliases = [
- "wu.gg23"
- "cache.wu.gg23"
- ];
- ssh.port = 11423;
- };
retiolum = {
ip4.addr = "10.243.13.37";
aliases = [
@@ -237,14 +242,6 @@ in {
ci = true;
cores = 4;
nets = {
- gg23 = {
- ip4.addr = "10.23.1.38";
- aliases = [
- "xu.gg23"
- "cache.xu.gg23"
- ];
- ssh.port = 11423;
- };
retiolum = {
ip4.addr = "10.243.13.38";
aliases = [
@@ -272,13 +269,6 @@ in {
ci = true;