From 7fb1a3e775439d61e054e872dad79f9b6b1ae227 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 7 Apr 2016 20:48:07 +0200 Subject: krebs.nginx: don't abuse extraConfig --- krebs/3modules/nginx.nix | 40 ++++++++++++++++++---------------------- 1 file changed, 18 insertions(+), 22 deletions(-) diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 816c2ff69..6af93a570 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -117,28 +117,24 @@ let } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: - let - _extraConfig = if ssl.enable then - extraConfig + '' - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '' - else - extraConfig - ; - - in '' - server { - ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} - server_name ${toString server-names}; - ${indent _extraConfig} - ${indent (concatMapStrings to-location locations)} - } - ''; + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + server { + server_name ${toString server-names}; + ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} + ${optionalString ssl.enable (indent '' + listen 443 ssl; + ssl_certificate ${ssl.certificate}; + ssl_certificate_key ${ssl.certificate_key}; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} + ${indent extraConfig} + ${indent (concatMapStrings to-location locations)} + } + ''; in out -- cgit v1.2.3 From 827f1790803bda906ed71c56138cfdbf108ee730 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 7 Apr 2016 21:40:56 +0200 Subject: doppelbock: init --- krebs/3modules/tv/default.nix | 35 +++++++++++++++++++++++++++++++++++ tv/1systems/doppelbock.nix | 23 +++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 tv/1systems/doppelbock.nix diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 13d3163c0..f0f0c5e79 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -62,6 +62,41 @@ with config.krebs.lib; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; + doppelbock = rec { + cores = 2; + nets = rec { + internet = { + addrs4 = ["45.62.237.203"]; + aliases = [ + "doppelbock.i" + "doppelbock.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "doppelbock.r" + "doppelbock.retiolum" + "cgit.doppelbock.r" + "cgit.doppelbock.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAq/luvzH4CQX5qRuucUqR3aLwXtzsRmBOdd2hvrPG1z8ML2kKV+IG + 0aBfyJmQ8csfeGhOj0y0LEBv4bkEjEtYObs+LJfdWZC5e39eAVUE0z8QbSPOx4di + /7Bo+9sFRELP1kYb47eLR8quiIkslMWQMbTLM5RHoXJ5jE8fQSitfp4WUZYiSPDF + d5F7RU/ZQfTZuh8gv7RmSn/6N6bXAQWrueK6ZqMuImIjBrmYyXUWxgsDnpeHxR5j + j/0F2Bda5lyp+Qzv24PREdPT8FazUfmIQwZTTArXHxiqLq+SEVT21E4WEf2sJRan + dti9yVUW3eiqpu8b9BRpvxOB3YdkyqlrGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLhrVTEmbtuTsgRTHHxsLrq7ai1Yt7+oKFevr1gzktCQqHuyucXzxn60F00kuNDkNiKIF5fHmWy6ajU+6PKD3TfiFMagT9ah0x0RSB0+0tevxnlOp6VdHhrdM5YrBduWMiELmOiI1lvYhRqKd/ZE7b2mra6KYe5VtTi9UX3wQp8qN+bI01KCxv0p6ciUgEO8fnwLKDBUuFJ2UfE7Ais9XrXFIBFXB+MKcpLnIXvrV6dSXdUEiaswg8wo0Q0Y3tMaQ0dNJdH2yp3FVn1aiX3E/vVnffmDKMWYWqn78klujdEdmLm8/8NkXnc/jpgu8ZlSpQHECO2ZUJzd35yRnVKALv"; + }; mkdir = rec { cores = 1; nets = rec { diff --git a/tv/1systems/doppelbock.nix b/tv/1systems/doppelbock.nix new file mode 100644 index 000000000..9a8d5b05d --- /dev/null +++ b/tv/1systems/doppelbock.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + krebs.build.host = config.krebs.hosts.doppelbock; + + imports = [ + ../. + ../2configs/hw/CAC-Developer-2.nix + ../2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/retiolum.nix + ]; + + networking = { + interfaces.enp2s1.ip4 = singleton { + address = let + addr4 = "45.62.237.203"; + in assert config.krebs.build.host.nets.internet.addrs4 == [addr4]; addr4; + prefixLength = 24; + }; + defaultGateway = "45.62.237.1"; + nameservers = ["8.8.8.8"]; + }; +} -- cgit v1.2.3 From 46e818ebbc5446b4215ad9524089d9b2dc91cbd3 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 8 Apr 2016 03:53:34 +0200 Subject: retiolum: don't hardcode routing prefixes --- krebs/3modules/lass/default.nix | 46 ++++---- krebs/3modules/makefu/default.nix | 126 ++++++++++----------- krebs/3modules/miefda/default.nix | 4 +- krebs/3modules/mv/default.nix | 4 +- krebs/3modules/retiolum.nix | 83 +++++--------- krebs/3modules/shared/default.nix | 10 +- krebs/3modules/tv/default.nix | 74 ++++++------ krebs/4lib/types.nix | 48 ++++++-- lass/1systems/cloudkrebs.nix | 3 +- lass/1systems/echelon.nix | 3 +- lass/1systems/prism.nix | 4 +- lass/2configs/privoxy-retiolum.nix | 3 +- lass/3modules/static_nginx.nix | 2 +- makefu/1systems/gum.nix | 4 +- makefu/1systems/wry.nix | 4 +- .../2configs/deployment/mycube.connector.one.nix | 2 +- makefu/2configs/iodined.nix | 2 +- makefu/2configs/nginx/euer.blog.nix | 4 +- makefu/2configs/nginx/euer.test.nix | 4 +- makefu/2configs/nginx/euer.wiki.nix | 4 +- makefu/2configs/nginx/update.connector.one.nix | 2 +- makefu/2configs/omo-share.nix | 2 +- shared/1systems/wolf.nix | 4 +- tv/1systems/doppelbock.nix | 4 +- tv/1systems/mkdir.nix | 11 +- tv/1systems/rmdir.nix | 7 +- tv/2configs/exim-smarthost.nix | 2 +- tv/3modules/charybdis/config.nix | 9 +- 28 files changed, 228 insertions(+), 247 deletions(-) diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 3d54900e4..b4686894e 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -8,15 +8,15 @@ with config.krebs.lib; cores = 4; nets = rec { internet = { - addrs4 = ["144.76.172.188"]; + ip4.addr = "144.76.172.188"; aliases = [ "dishfire.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.133.99"]; - addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"]; + ip4.addr = "10.243.133.99"; + ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233"; aliases = [ "dishfire.retiolum" "dishfire.r" @@ -40,15 +40,15 @@ with config.krebs.lib; cores = 2; nets = rec { internet = { - addrs4 = ["162.252.241.33"]; + ip4.addr = "162.252.241.33"; aliases = [ "echelon.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.206.103"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f763"]; + ip4.addr = "10.243.206.103"; + ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763"; aliases = [ "echelon.retiolum" "echelon.r" @@ -75,15 +75,15 @@ with config.krebs.lib; cores = 4; nets = rec { internet = { - addrs4 = ["213.239.205.240"]; + ip4.addr = "213.239.205.240"; aliases = [ "prism.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.0.103"]; - addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; + ip4.addr = "10.243.0.103"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab"; aliases = [ "prism.retiolum" "prism.r" @@ -107,15 +107,15 @@ with config.krebs.lib; fastpoke = { nets = rec { internet = { - addrs4 = ["193.22.164.36"]; + ip4.addr = "193.22.164.36"; aliases = [ "fastpoke.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.253.152"]; - addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; + ip4.addr = "10.243.253.152"; + ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00"; aliases = [ "fastpoke.retiolum" "fastpoke.r" @@ -139,15 +139,15 @@ with config.krebs.lib; cores = 1; nets = rec { internet = { - addrs4 = ["104.167.113.104"]; + ip4.addr = "104.167.113.104"; aliases = [ "cloudkrebs.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.206.102"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + ip4.addr = "10.243.206.102"; + ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f762"; aliases = [ "cloudkrebs.retiolum" "cloudkrebs.r" @@ -172,12 +172,12 @@ with config.krebs.lib; cores = 1; nets = { gg23 = { - addrs4 = ["10.23.1.12"]; + ip4.addr = "10.23.1.12"; aliases = ["uriel.gg23"]; }; retiolum = { - addrs4 = ["10.243.81.176"]; - addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; + ip4.addr = "10.243.81.176"; + ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"; aliases = [ "uriel.retiolum" "uriel.r" @@ -203,12 +203,12 @@ with config.krebs.lib; cores = 2; nets = { gg23 = { - addrs4 = ["10.23.1.11"]; + ip4.addr = "10.23.1.11"; aliases = ["mors.gg23"]; }; retiolum = { - addrs4 = ["10.243.0.2"]; - addrs6 = ["42:0:0:0:0:0:0:dea7"]; + ip4.addr = "10.243.0.2"; + ip6.addr = "42:0:0:0:0:0:0:dea7"; aliases = [ "mors.retiolum" "mors.r" @@ -234,8 +234,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.3"]; - addrs6 = ["42:0:0:0:0:0:0:7105"]; + ip4.addr = "10.243.0.3"; + ip6.addr = "42:0:0:0:0:0:0:7105"; aliases = [ "helios.retiolum" "helios.r" diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index bd7c0db48..b93b34d24 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.0.210"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; + ip4.addr = "10.243.0.210"; + ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001"; aliases = [ "pnp.retiolum" "cgit.pnp.retiolum" @@ -31,8 +31,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.0.84"]; - addrs6 = ["42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"]; + ip4.addr = "10.243.0.84"; + ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"; aliases = [ "darth.retiolum" "darth.r" @@ -54,8 +54,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.0.212"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"]; + ip4.addr = "10.243.0.212"; + ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002"; aliases = [ "tsp.retiolum" ]; @@ -81,8 +81,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.91"]; - addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"]; + ip4.addr = "10.243.0.91"; + ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"; aliases = [ "pornocauster.retiolum" "pornocauster.r" @@ -108,8 +108,8 @@ with config.krebs.lib; cores = 2; nets = { retiolum = { - addrs4 = ["10.243.1.91"]; - addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"]; + ip4.addr = "10.243.1.91"; + ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400"; aliases = [ "vbob.retiolum" ]; @@ -135,22 +135,22 @@ with config.krebs.lib; extraZones = { "krebsco.de" = '' euer IN MX 1 aspmx.l.google.com. - pigstarter IN A ${head nets.internet.addrs4} - gold IN A ${head nets.internet.addrs4} - boot IN A ${head nets.internet.addrs4} + pigstarter IN A ${nets.internet.ip4.addr} + gold IN A ${nets.internet.ip4.addr} + boot IN A ${nets.internet.ip4.addr} ''; }; nets = { internet = { - addrs4 = ["192.40.56.122"]; - addrs6 = ["2604:2880::841f:72c"]; + ip4.addr = "192.40.56.122"; + ip6.addr = "2604:2880::841f:72c"; aliases = [ "pigstarter.internet" ]; }; retiolum = { - addrs4 = ["10.243.0.153"]; - addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; + ip4.addr = "10.243.0.153"; + ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110"; aliases = [ "pigstarter.retiolum" ]; @@ -171,18 +171,18 @@ with config.krebs.lib; cores = 1; extraZones = { "krebsco.de" = '' - euer IN A ${head nets.internet.addrs4} - wiki.euer IN A ${head nets.internet.addrs4} - wry IN A ${head nets.internet.addrs4} + euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + wry IN A ${nets.internet.ip4.addr} io IN NS wry.krebsco.de. - graphs IN A ${head nets.internet.addrs4} - paste 60 IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} + graphs IN A ${nets.internet.ip4.addr} + paste 60 IN A ${nets.internet.ip4.addr} + tinc IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["104.233.87.86"]; + ip4.addr = "104.233.87.86"; aliases = [ "wry.internet" "paste.internet" @@ -190,8 +190,8 @@ with config.krebs.lib; }; retiolum = { via = internet; - addrs4 = ["10.243.29.169"]; - addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; + ip4.addr = "10.243.29.169"; + ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; aliases = [ "graphs.wry.retiolum" "graphs.retiolum" @@ -228,8 +228,8 @@ with config.krebs.lib; nets = { retiolum = { - addrs4 = ["10.243.153.102"]; - addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"]; + ip4.addr = "10.243.153.102"; + ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; aliases = [ "filepimp.retiolum" ]; @@ -252,8 +252,8 @@ with config.krebs.lib; nets = { retiolum = { - addrs4 = ["10.243.0.89"]; - addrs6 = ["42:f9f0::10"]; + ip4.addr = "10.243.0.89"; + ip6.addr = "42:f9f0::10"; aliases = [ "omo.retiolum" "omo.r" @@ -277,8 +277,8 @@ with config.krebs.lib; cores = 1; nets = { retiolum = { - addrs4 = ["10.243.214.15"]; - addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; + ip4.addr = "10.243.214.15"; + ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; aliases = [ "wbob.retiolum" ]; @@ -301,24 +301,24 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB extraZones = { "krebsco.de" = '' - share.euer IN A ${head nets.internet.addrs4} - mattermost.euer IN A ${head nets.internet.addrs4} - git.euer IN A ${head nets.internet.addrs4} - gum IN A ${head nets.internet.addrs4} - cgit.euer IN A ${head nets.internet.addrs4} + share.euer IN A ${nets.internet.ip4.addr} + mattermost.euer IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + cgit.euer IN A ${nets.internet.ip4.addr} ''; }; nets = rec { internet = { - addrs4 = ["195.154.108.70"]; + ip4.addr = "195.154.108.70"; aliases = [ "gum.internet" ]; }; retiolum = { via = internet; - addrs4 = ["10.243.0.211"]; - addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"]; + ip4.addr = "10.243.0.211"; + ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2"; aliases = [ "gum.r" "gum.retiolum" @@ -346,20 +346,20 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; extraZones = { "krebsco.de" = '' - mediengewitter IN A ${head nets.internet.addrs4} - flap IN A ${head nets.internet.addrs4} + mediengewitter IN A ${nets.internet.ip4.addr} + flap IN A ${nets.internet.ip4.addr} ''; }; nets = { internet = { - addrs4 = ["162.248.11.162"]; + ip4.addr = "162.248.11.162"; aliases = [ "flap.internet" ]; }; retiolum = { - addrs4 = ["10.243.211.172"]; - addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"]; + ip4.addr = "10.243.211.172"; + ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d"; aliases = [ "flap.retiolum" "flap.r" @@ -382,8 +382,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.231.219"]; - addrs6 = ["42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"]; + ip4.addr = "10.243.231.219"; + ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"; aliases = [ "nukular.r" ]; @@ -405,8 +405,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.124.21"]; - addrs6 = ["42:9898:a8be:ce56:0ee3:b99c:42c5:109e"]; + ip4.addr = "10.243.124.21"; + ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e"; aliases = [ "heidi.r" ]; @@ -428,7 +428,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.69.184"]; + ip4.addr = "10.243.69.184"; aliases = [ "soundflower.r" ]; @@ -450,7 +450,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.120.19"]; + ip4.addr = "10.243.120.19"; aliases = [ "falk.r" ]; @@ -472,8 +472,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 4; nets = { retiolum = { - addrs4 = ["10.243.189.130"]; - addrs6 = ["42:c64e:011f:9755:31e1:c3e6:73c0:af2d"]; + ip4.addr = "10.243.189.130"; + ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d"; aliases = [ "filebitch.r" ]; @@ -495,8 +495,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { retiolum = { - addrs4 = ["10.243.26.29"]; - addrs6 = ["42:927a:3d59:1cb3:29d6:1a08:78d3:812e"]; + ip4.addr = "10.243.26.29"; + ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e"; aliases = [ "excobridge.r" ]; @@ -518,14 +518,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { internet = { - addrs4 = ["148.251.47.69"]; + ip4.addr = "148.251.47.69"; aliases = [ "wooki.internet" ]; }; retiolum = { - addrs4 = ["10.243.57.85"]; - addrs6 = ["42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"]; + ip4.addr = "10.243.57.85"; + ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"; aliases = [ "wooki.r" ]; @@ -547,8 +547,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 2; nets = { retiolum = { - addrs4 = ["10.243.0.163"]; - addrs6 = ["42:b67b:5752:a730:5f28:d80d:6b37:5bda/128"]; + ip4.addr = "10.243.0.163"; + ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda/128"; aliases = [ "senderechner.r" ]; @@ -570,14 +570,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB cores = 1; nets = { internet = { - addrs4 = ["217.160.206.154"]; + ip4.addr = "217.160.206.154"; aliases = [ "muhbaasu.internet" ]; }; retiolum = { - addrs4 = ["10.243.139.184"]; - addrs6 = ["42:d568:6106:ba30:753b:0f2a:8225:b1fb"]; + ip4.addr = "10.243.139.184"; + ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb"; aliases = [ "muhbaasu.r" ]; diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 9a5866294..a03f7ff4d 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.111.112"]; - addrs6 = ["42:0:0:0:0:0:111:112"]; + ip4.addr = "10.243.111.112"; + ip6.addr = "42:0:0:0:0:0:111:112"; aliases = [ "bobby.retiolum" "cgit.bobby.retiolum" diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 3b4001e7a..20118c61f 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix @@ -8,8 +8,8 @@ with config.krebs.lib; cores = 4; nets = { retiolum = { - addrs4 = ["10.243.111.111"]; - addrs6 = ["42:0:0:0:0:0:111:111"]; + ip4.addr = "10.243.111.111"; + ip6.addr = "42:0:0:0:0:0:111:111"; aliases = [ "stro.retiolum" "cgit.stro.retiolum" diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 61b4473e1..fe4dbd50c 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -11,26 +11,13 @@ let api = { enable = mkEnableOption "krebs.retiolum"; - name = mkOption { - type = types.str; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; + host = mkOption { + type = types.host; + default = config.krebs.build.host; }; netname = mkOption { - type = types.str; + type = types.hostname; default = "retiolum"; description = '' The tinc network name. @@ -157,46 +144,34 @@ let uid = genid name; }; + net = cfg.host.nets.${cfg.netname}; + tinc = cfg.tincPackage; iproute = cfg.iproutePackage; - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${cfg.hostsPackage} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up < Date: Fri, 8 Apr 2016 03:59:26 +0200 Subject: retiolum netname: hostname -> enum --- krebs/3modules/retiolum.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index fe4dbd50c..8217cbcfd 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -17,7 +17,7 @@ let }; netname = mkOption { - type = types.hostname; + type = types.enum (attrNames cfg.host.nets); default = "retiolum"; description = '' The tinc network name. @@ -114,7 +114,7 @@ let imp = { environment.systemPackages = [ tinc iproute ]; - systemd.services.retiolum = { + systemd.services.${cfg.netname} = { description = "Tinc daemon for Retiolum"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; @@ -125,12 +125,12 @@ let Restart = "always"; # TODO we cannot chroot (-R) b/c we use symlinks to hosts # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' + ExecStartPre = pkgs.writeScript "${cfg.netname}-prestart" '' #! /bin/sh install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv ''; ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = "retiolum"; + SyslogIdentifier = cfg.netname; }; }; @@ -140,7 +140,7 @@ let }; user = rec { - name = "retiolum"; + name = cfg.netname; uid = genid name; }; -- cgit v1.2.3 From 0dc2a751a902e11b4e3d2805fe2f97b09479ec85 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 8 Apr 2016 04:11:00 +0200 Subject: krebs.retiolum: use krebs.secret --- krebs/3modules/retiolum.nix | 50 ++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 28 deletions(-) diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 8217cbcfd..5aaeb5a30 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -86,17 +86,13 @@ let description = "Iproute2 package to use."; }; - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.str; - default = toString ; - description = '' - Generate file with tincd -K. - This file must exist on the local system. The default points to - . - ''; + privkey = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/tinc.rsa_key.priv"; + owner = cfg.user; + source-path = toString + "/${cfg.netname}.rsa_key.priv"; + }; }; connectTo = mkOption { @@ -109,41 +105,39 @@ let ''; }; + user = mkOption { + type = types.user; + default = { + name = cfg.netname; + home = "/var/lib/${cfg.user.name}"; + }; + }; }; imp = { + krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey; + environment.systemPackages = [ tinc iproute ]; systemd.services.${cfg.netname} = { description = "Tinc daemon for Retiolum"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; path = [ tinc iproute ]; serviceConfig = rec { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "${cfg.netname}-prestart" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; SyslogIdentifier = cfg.netname; }; }; - users.extraUsers = singleton { - inherit (user) name uid; + users.users.${cfg.user.name} = { + inherit (cfg.user) home name uid; + createHome = true; }; }; - user = rec { - name = cfg.netname; - uid = genid name; - }; - net = cfg.host.nets.${cfg.netname}; tinc = cfg.tincPackage; @@ -158,7 +152,7 @@ let Name = ${cfg.host.name} Interface = ${cfg.netname} ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = /tmp/retiolum-rsa_key.priv + PrivateKeyFile = ${cfg.privkey.path} ${cfg.extraConfig} ''; "tinc-up" = pkgs.writeScript "${cfg.netname}-tinc-up" '' -- cgit v1.2.3 From 4e99bb9d12405cf1910af3205d8668604e516f50 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 8 Apr 2016 04:38:10 +0200 Subject: krebs types.addr4: check type harder --- krebs/4lib/types.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 24b4e14b1..6396927dd 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -220,7 +220,7 @@ types // rec { check = let IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in concatMapStringsSep "." (const d) (range 1 4); - in x: match IPv4address != null; + in x: match IPv4address x != null; merge = mergeOneOption; }; addr6 = str; # TODO -- cgit v1.2.3 From e74f4ddf8182067ca4f44d8d4ed91a8c5fc65147 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 8 Apr 2016 04:41:30 +0200 Subject: krebs types.addr6: str -> IPv6 address* --- krebs/3modules/makefu/default.nix | 2 +- krebs/4lib/types.nix | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index b93b34d24..814e6929b 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -548,7 +548,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB nets = { retiolum = { ip4.addr = "10.243.0.163"; - ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda/128"; + ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda"; aliases = [ "senderechner.r" ]; diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 6396927dd..f46491801 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -223,7 +223,14 @@ types // rec { in x: match IPv4address x != null; merge = mergeOneOption; }; - addr6 = str; # TODO + addr6 = mkOptionType { + name = "IPv6 address"; + check = let + # TODO check IPv6 address harder + IPv6address = "[0-9a-f.:]+"; + in x: match IPv6address x != null; + merge = mergeOneOption; + }; pgp-pubkey = str; -- cgit v1.2.3 From 345efd36833fc0ada2805b46fd71bcc9642f4374 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 8 Apr 2016 05:06:22 +0200 Subject: tv.exim-smarthost: duh --- tv/2configs/exim-smarthost.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index 8a90639b6..2b9ad77d7 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -13,7 +13,7 @@ with config.krebs.lib; "shackspace.de" "viljetic.de" ]; - relay_from_hosts = concatMap (host: host.nets.retiolum.ip4.addr) [ + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ config.krebs.hosts.nomic config.krebs.hosts.wu config.krebs.hosts.xu -- cgit v1.2.3 From a0d08d4793e9aa66837519d5171f4aefa7ea59fb Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 12 Apr 2016 14:26:37 +0200 Subject: exim-smarthost: don't tls_advertise_hosts --- krebs/3modules/exim-smarthost.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index cee10ce7d..a01ab543b 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -136,6 +136,8 @@ let syslog_timestamp = false syslog_duplication = false + tls_advertise_hosts = + begin acl acl_check_rcpt: -- cgit v1.2.3 From 2b0c6616b66570d5648c5ebe3fdad6642510ede9 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 12 Apr 2016 17:13:29 +0200 Subject: doppelbock -> cd --- krebs/3modules/tv/default.nix | 37 +------------------------------------ tv/1systems/cd.nix | 18 +++++++++--------- tv/1systems/doppelbock.nix | 23 ----------------------- 3 files changed, 10 insertions(+), 68 deletions(-) delete mode 100644 tv/1systems/doppelbock.nix diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index b0f0ce547..a44aa552f 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -21,7 +21,7 @@ with config.krebs.lib; }; nets = rec { internet = { - ip4.addr = "162.219.7.216"; + ip4.addr = "45.62.237.203"; aliases = [ "cd.i" "cd.internet" @@ -62,41 +62,6 @@ with config.krebs.lib; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; - doppelbock = rec { - cores = 2; - nets = rec { - internet = { - ip4.addr = "45.62.237.203"; - aliases = [ - "doppelbock.i" - "doppelbock.internet" - ]; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.113.224"; - ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"; - aliases = [ - "doppelbock.r" - "doppelbock.retiolum" - "cgit.doppelbock.r" - "cgit.doppelbock.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAq/luvzH4CQX5qRuucUqR3aLwXtzsRmBOdd2hvrPG1z8ML2kKV+IG - 0aBfyJmQ8csfeGhOj0y0LEBv4bkEjEtYObs+LJfdWZC5e39eAVUE0z8QbSPOx4di - /7Bo+9sFRELP1kYb47eLR8quiIkslMWQMbTLM5RHoXJ5jE8fQSitfp4WUZYiSPDF - d5F7RU/ZQfTZuh8gv7RmSn/6N6bXAQWrueK6ZqMuImIjBrmYyXUWxgsDnpeHxR5j - j/0F2Bda5lyp+Qzv24PREdPT8FazUfmIQwZTTArXHxiqLq+SEVT21E4WEf2sJRan - dti9yVUW3eiqpu8b9BRpvxOB3YdkyqlrGwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = ; - ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLhrVTEmbtuTsgRTHHxsLrq7ai1Yt7+oKFevr1gzktCQqHuyucXzxn60F00kuNDkNiKIF5fHmWy6ajU+6PKD3TfiFMagT9ah0x0RSB0+0tevxnlOp6VdHhrdM5YrBduWMiELmOiI1lvYhRqKd/ZE7b2mra6KYe5VtTi9UX3wQp8qN+bI01KCxv0p6ciUgEO8fnwLKDBUuFJ2UfE7Ais9XrXFIBFXB+MKcpLnIXvrV6dSXdUEiaswg8wo0Q0Y3tMaQ0dNJdH2yp3FVn1aiX3E/vVnffmDKMWYWqn78klujdEdmLm8/8NkXnc/jpgu8ZlSpQHECO2ZUJzd35yRnVKALv"; - }; mkdir = rec { cores = 1; nets = rec { diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 687f17951..32d956b8a 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -61,16 +61,16 @@ with config.krebs.lib; } ]; - networking.interfaces.enp2s1.ip4 = [ - { - address = "162.219.7.216"; + networking = { + interfaces.enp2s1.ip4 = singleton { + address = let + addr = "45.62.237.203"; + in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr; prefixLength = 24; - } - ]; - networking.defaultGateway = "162.219.7.1"; - networking.nameservers = [ - "8.8.8.8" - ]; + }; + defaultGateway = "45.62.237.1"; + nameservers = ["8.8.8.8"]; + }; environment.systemPackages = with pkgs; [ htop diff --git a/tv/1systems/doppelbock.nix b/tv/1systems/doppelbock.nix deleted file mode 100644 index ec85a7772..000000000 --- a/tv/1systems/doppelbock.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, lib, pkgs, ... }: -with config.krebs.lib; -{ - krebs.build.host = config.krebs.hosts.doppelbock; - - imports = [ - ../. - ../2configs/hw/CAC-Developer-2.nix - ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/retiolum.nix - ]; - - networking = { - interfaces.enp2s1.ip4 = singleton { - address = let - addr = "45.62.237.203"; - in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr; - prefixLength = 24; - }; - defaultGateway = "45.62.237.1"; - nameservers = ["8.8.8.8"]; - }; -} -- cgit v1.2.3 From e4422212d4e40189ee23ede2b404006039035bc8 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 17 Apr 2016 02:04:52 +0200 Subject: krebs.on-failure: send journal since start of failed plan --- krebs/3modules/on-failure.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix index 13d561b8d..a471a4bc2 100644 --- a/krebs/3modules/on-failure.nix +++ b/krebs/3modules/on-failure.nix @@ -84,6 +84,14 @@ ${pkgs.systemd}/bin/journalctl \ --lines=${toString plan.journalctl.lines} \ --output=${plan.journalctl.output} \ + --since="$( + ${pkgs.coreutils}/bin/date +'%F %T UTC' -ud "$( + ${pkgs.systemd}/bin/systemctl show \ + -p ExecMainStartTimestamp \ + ${shell.escape plan.name} \ + | ${pkgs.coreutils}/bin/cut -d= -f2- + )" + )" \ --unit=${shell.escape plan.name}.service } | ${shell.escape cfg.sendmail} -t ''; -- cgit v1.2.3 From 904d037bd704d9690b8a9a8e8338950931e3ccd1 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 17 Apr 2016 03:50:49 +0200 Subject: krebs.backup: allow injecting variables into dst shell --- krebs/3modules/backup.nix | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index d22dd3810..1cd851a4e 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -103,7 +103,8 @@ let plan.method == method && config.krebs.build.host.name == plan.${side}.host.name; - start = plan: pkgs.writeDash "backup.${plan.name}" '' + start = plan: pkgs.writeScript "backup.${plan.name}" '' + #! ${pkgs.bash}/bin/bash set -efu ${getAttr plan.method { push = '' @@ -116,12 +117,12 @@ let dst_path=${shell.escape plan.dst.path} dst=$dst_user@$dst_host:$dst_path echo "update snapshot: current; $src -> $dst" >&2 - dst_shell() { +