From 3bec49053d491de9ea28164f3424d04e138e43f4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 28 Dec 2021 23:34:13 +0100 Subject: hotdog.r tinc: add ed25519 pubkey --- krebs/3modules/krebs/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 1b5d903cb..5e0e69924 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -92,6 +92,7 @@ in { h5ZUzfd1r1pTzQ0nYD5aRtlDd7zP7y5tUwIDAQAB -----END RSA PUBLIC KEY----- ''; + tinc.pubkey_ed25519 = "ugy/sGReVro3YzjDuroV/5hdeBdqD18no9dMhTy9DYL"; }; }; ssh.privkey.path = ; -- cgit v1.2.3 From 8a24a9f39570a272c85795b1434bb4c5d81498cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 29 Dec 2021 15:52:29 +0100 Subject: ergo: reload, accounts, channels, doc --- krebs/3modules/ergo.nix | 53 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 49 insertions(+), 4 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix index 0ce0345d8..d781a4d0b 100644 --- a/krebs/3modules/ergo.nix +++ b/krebs/3modules/ergo.nix @@ -6,6 +6,7 @@ type = (pkgs.formats.json {}).type; description = '' Ergo IRC daemon configuration file. + https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml ''; default = { network = { @@ -34,19 +35,34 @@ }; }; datastore = { + autoupgrade = true; path = "/var/lib/ergo/ircd.db"; }; accounts = { authentication-enabled = true; registration = { enabled = true; - email-verification = { - enabled = false; + allow-before-connect = true; + throttling = { + enabled = true; + duration = "10m"; + max-attempts = 30; + }; + bcrypt-cost = 4; + email-verification.enabled = false; + multiclient = { + enabled = true; + allowed-by-default = true; + always-on = "opt-in"; + auto-away = "opt-in"; }; }; }; channels = { - default-modes = "+nt"; + default-modes = "+ntC"; + registration = { + enabled = true; + }; }; limits = { nicklen = 32; @@ -56,6 +72,31 @@ kicklen = 390; topiclen = 390; }; + history = { + enabled = true; + channel-length = 2048; + client-length = 256; + autoresize-window = "3d"; + autoreplay-on-join = 0; + chathistory-maxmessages = 100; + znc-maxmessages = 2048; + restrictions = { + expire-time = "1w"; + query-cutoff = "none"; + grace-period = "1h"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + }; }; }; }; @@ -64,13 +105,17 @@ cfg = config.krebs.ergo; configFile = pkgs.writeJSON "ergo.conf" cfg.config; in lib.mkIf cfg.enable ({ + environment.etc."ergo.yaml".source = configFile; krebs.ergo.config = lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default; systemd.services.ergo = { description = "Ergo IRC daemon"; wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ configFile ]; serviceConfig = { - ExecStart = "${pkgs.ergo}/bin/ergo run --conf ${configFile}"; + ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; StateDirectory = "ergo"; }; -- cgit v1.2.3 From f393c44c226f07ef2ac43f93d90d432bfb753a03 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 29 Dec 2021 16:13:00 +0100 Subject: external: pinpox-ahorn.r -> ahorn.r --- krebs/3modules/external/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 4a87c3501..4c4e53f2f 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -253,12 +253,12 @@ in { }; }; - pinpox-ahorn = { + ahorn = { owner = config.krebs.users.pinpox; nets = { retiolum = { ip4.addr = "10.243.100.100"; - aliases = [ "pinpox-ahorn.r" ]; + aliases = [ "ahorn.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAyfCuWUYEqp4vEt+a6DRvFpIrBu+GlkpNs/mE4OHzATQLNnWooOXQ -- cgit v1.2.3 From 2f15fd1d680c3353a4a78c8aaeb5d20db147b6a8 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 29 Dec 2021 16:23:59 +0100 Subject: ergo: fix multiclient default config --- krebs/3modules/ergo.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix index d781a4d0b..3153e4cfc 100644 --- a/krebs/3modules/ergo.nix +++ b/krebs/3modules/ergo.nix @@ -50,12 +50,12 @@ }; bcrypt-cost = 4; email-verification.enabled = false; - multiclient = { - enabled = true; - allowed-by-default = true; - always-on = "opt-in"; - auto-away = "opt-in"; - }; + }; + multiclient = { + enabled = true; + allowed-by-default = true; + always-on = "opt-in"; + auto-away = "opt-in"; }; }; channels = { -- cgit v1.2.3 From 2280c39d3e37769c8eb2159f6e934211eb82b778 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 29 Dec 2021 16:52:23 +0100 Subject: krebs.systemd: don't offer to reload services Because new credentials won't be available after reloading, only after restarting. --- krebs/3modules/systemd.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 294f80a3c..194e8b24a 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -5,18 +5,18 @@ default = {}; type = lib.types.attrsOf (lib.types.submodule { options = { - ifCredentialsChange = lib.mkOption { - default = "restart"; + restartIfCredentialsChange = lib.mkOption { + # Enabling this by default only makes sense here as the user already + # bothered to write down krebs.systemd.services.* = {}. If this + # functionality gets upstreamed to systemd.services, restarting + # should be disabled by default. + default = true; description = '' - Whether to reload or restart the service whenever any its - credentials change. Only credentials with an absolute path in - LoadCredential= are supported. + Whether to restart the service whenever any of its credentials + change. Only credentials with an absolute path in LoadCredential= + are supported. ''; - type = lib.types.enum [ - "reload" - "restart" - null - ]; + type = lib.types.bool; }; }; }); @@ -40,7 +40,7 @@ lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange} ${lib.shell.escape serviceName}"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}"; }; } ) config.krebs.systemd.services; -- cgit v1.2.3 From ed896a991faa5bf35da6362ffe32788e93eca286 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?= Date: Thu, 30 Dec 2021 03:19:58 +0100 Subject: external: update kmein ssh keys --- krebs/3modules/external/ssh/kmein.pub | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/ssh/kmein.pub b/krebs/3modules/external/ssh/kmein.pub index 5711a2c1c..8eade3498 100644 --- a/krebs/3modules/external/ssh/kmein.pub +++ b/krebs/3modules/external/ssh/kmein.pub @@ -1 +1,2 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC19H0FhSNWcfBRPKzbTVSMJikIWZl0CoM8zCm+/3fdMgoaLRpeZWe/AfDK6b4qOjk/sez/J0JUFCGr+JbMwjsduoazsuQowu9L9DLP9Q5UkJje4BD7MHznaeu9/XfVng/MvyaEWArA/VUJeKQesHe76tR511/+n3+bdzlIh8Zw/3wfFxmg1OTNA99/vLkXrQzHDTuV/yj1pxykL4xFtN0OIssW1IKncJeKtkO/OHGT55ypz52Daj6bNKqvxiTuzeEhv5M+5ppyIPcRf1uj/7IaPKttCgZAntEqBTIR9MbyXFeAZVayzaFnLl2okeam5XreeZbj+Y1h2ZjxiIuWoab3MLndSekVfLtfa63gtcWIf8CIvZO2wJoH8v73y0U78JsfWVaTM09ZCfFlHHA/bWqZ6laAjW+mWLO/c77DcYkB3IBzaMVNfc6mfTcGFIC+biWeYpKgA0zC6rByUPbmbIoMueP9zqJwqUaM90Nwd6559inBB107/BK3Ktb3b+37mMCstetIPB9e4EFpGMjhmnL/G81jS53ACWLXJYzt7mKU/fEsiW93MtaB+Le46OEC18y/4G8F7p/nnH7i0kO74ukxbnc4PlpiM7iWT6ra2Cyy+nzEgdXCNXywIxr05TbCQDwX6/NY8k7Hokgdfyz+1Pq3sX0yCcWRPaoB26YF12KYFQ== kieran.meinhardt@gmail.com +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB -- cgit v1.2.3 From 62b30b072016c2bce7da315b5e85c693677467de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 31 Dec 2021 17:26:42 +0100 Subject: mic92: add tts.r --- krebs/3modules/external/mic92.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index b1e11b452..9a3c855f4 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -173,7 +173,7 @@ in { }; retiolum = { via = internet; - aliases = [ "eve.r" ]; + aliases = [ "eve.r" "tts.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH -- cgit v1.2.3 From 6f96a15df66161e217258a5626f94121b0a39459 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 2 Jan 2022 14:53:24 +0100 Subject: mic92: add ip address for yasmin --- krebs/3modules/external/mic92.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 9a3c855f4..95eae20b0 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -300,6 +300,11 @@ in { }; yasmin = { owner = config.krebs.users.mic92; + nets.internet = { + ip4.addr = "131.159.102.7"; + ip6.addr = "2a09:80c0:102::7"; + aliases = [ "yasmin.i" ]; + }; nets.retiolum = { ip4.addr = "10.243.29.197"; aliases = [ -- cgit v1.2.3 From 88ec249276ccf86591279b104908d9786d2be63a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 2 Jan 2022 22:14:24 +0100 Subject: mic92: drop ipv4 for bernie --- krebs/3modules/external/mic92.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 95eae20b0..f8c371b7f 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -679,7 +679,6 @@ in { owner = config.krebs.users.mic92; nets = rec { retiolum = { - ip4.addr = "10.243.29.169"; aliases = [ "bernie.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- -- cgit v1.2.3 From afaf87781a282e6fbba596b0cbf652552961e54e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 2 Jan 2022 23:21:28 +0100 Subject: krebs.tinc: make /etc/tinc/ writable by tincd --- krebs/3modules/tinc.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index a18248351..21ddde1c6 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -222,12 +222,6 @@ with import ; nameValuePair netname {} ) config.krebs.tinc; - environment.etc = mapAttrs' (netname: cfg: - nameValuePair "tinc/${netname}" { - source = cfg.confDir; - } - ) config.krebs.tinc; - krebs.systemd.services = mapAttrs (netname: cfg: { }) config.krebs.tinc; @@ -239,8 +233,6 @@ with import ; cfg.iproutePackage cfg.tincPackage ]; - reloadIfChanged = true; - restartTriggers = [ cfg.confDir ]; serviceConfig = { Restart = "always"; LoadCredential = filter (x: x != "") [ @@ -249,6 +241,13 @@ with import ; ) "rsa_key:${cfg.privkey}" ]; + ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" '' + ${pkgs.coreutils}/bin/mkdir -p /etc/tinc + ${pkgs.rsync}/bin/rsync -vaL --delete \ + --chown ${cfg.user.name} \ + --chmod u=rwX,g=rX \ + ${cfg.confDir}/ /etc/tinc/${netname}/ + ''; ExecStart = toString [ "${cfg.tincPackage}/sbin/tincd" "-D" -- cgit v1.2.3