From 579c68e876e3a2134bff91b1d949930b15f12a4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 18 Sep 2023 15:06:59 +0200 Subject: [PATCH 01/26] kartei ruby: 131.159.38.101 -> 131.159.38.70 --- kartei/mic92/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 720b362fd..e7d1150c6 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -844,9 +844,9 @@ in { owner = config.krebs.users.mic92; nets = rec { internet = { - # of4.dse.cit.tum.de. - ip4.addr = "131.159.38.101"; - ip6.addr = "2a09:80c0:38::101"; + # ruby.dse.cit.tum.de. + ip4.addr = "131.159.38.70"; + ip6.addr = "2a09:80c0:38::70"; aliases = [ "ruby.i" ]; }; retiolum = { From b1e6d6f95259c88c5fee826ccb2c80c5b3356598 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 27 Sep 2023 11:30:04 +0200 Subject: [PATCH 02/26] kartei Ra33it0: fix unispore name and alias --- kartei/Ra33it0/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kartei/Ra33it0/default.nix b/kartei/Ra33it0/default.nix index 64e40182a..d08fe27d1 100644 --- a/kartei/Ra33it0/default.nix +++ b/kartei/Ra33it0/default.nix @@ -4,10 +4,10 @@ in { users.Ra33it0 = { mail = "Ra33it0@posteo.net"; }; - hosts.DUMMYHOST = { + hosts.unispore = { owner = config.krebs.users.Ra33it0; nets.retiolum = { - aliases = [ "Ra33it0.Ra33it0.r" ]; + aliases = [ "unispore.Ra33it0.r" ]; ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- From c0090dd2b1919f3aa3c7fe0e930ed5685d352e68 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 27 Sep 2023 11:30:49 +0200 Subject: [PATCH 03/26] kartei Ra33it0: normalize retiolum RSA key --- kartei/Ra33it0/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kartei/Ra33it0/default.nix b/kartei/Ra33it0/default.nix index d08fe27d1..e4389b32d 100644 --- a/kartei/Ra33it0/default.nix 
+++ b/kartei/Ra33it0/default.nix @@ -10,7 +10,7 @@ in { aliases = [ "unispore.Ra33it0.r" ]; ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- +-----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEA6Cb+b+snYpsQv1J0yMPSL4P0iKs2EkDtqtt6kBOvqFTr2lRB2thp mu9fRbz/CFmcvFXoEMWQEEkKcyhgJEola2+7Ra49iMNX55o/I0iZ499ZI5rIK/JG +A60ijPCh5TSGYIMiD7VWRsxoAtzB1DZ6n4z94KN0wQB5dXKuLPjk/TDfJPuzMrS @@ -22,7 +22,7 @@ CWYM/HzSffzztK8bF0DwhdWzjtNcwZ05XfA2krGZyMj9UxpwN84o1syCnnYC1Xzg 4r48fUhubXXE4SbdnN68pCNCct9DT8exPeYeJL2FHi6s+EsfBY+NGEAaQGJTeQEW zUSnX/txoZV6xGUKZ4iOgfQ4MBCVVdtPAaurNP/esVwOr0WF0DTuBDPGBaOqo+Us Ef5cREwrCE8nEY8tu3xl4M9iuCTwBuT79YFhfNI3jr1lcg6f8wGaTYsCAwEAAQ== - -----END RSA PUBLIC KEY----- +-----END RSA PUBLIC KEY----- ''; tinc.pubkey_ed25519 = "cFCAfLbDYv/Ty3m34aHgHr1dXGp2DSwfP0K7GG1TA7D"; }; From edc9552c6a2f75912cfbc15386d1835a1fbc9dc6 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 27 Sep 2023 20:25:08 +0200 Subject: [PATCH 04/26] kartei tv: init zoppo --- kartei/tv/hosts/zoppo.nix | 24 ++++++++++++++++++++++++ kartei/tv/wiregrill/zoppo.pub | 1 + 2 files changed, 25 insertions(+) create mode 100644 kartei/tv/hosts/zoppo.nix create mode 100644 kartei/tv/wiregrill/zoppo.pub diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix new file mode 100644 index 000000000..4fcbe76c2 --- /dev/null +++ b/kartei/tv/hosts/zoppo.nix 
@@ -0,0 +1,24 @@ +{ + nets = { + retiolum = { + ip4.addr = "10.243.13.43"; + aliases = [ + "zoppo.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAtMzW+RL4mik0JHLL2p21bWy81bVv84mi/NKHyewXxx9EahD3cyOP + D/2gLipJnzyjxvM7HzR0FQpBCD5VLmRk2MrRENUGYzrNFhSu36gVg5bGngr0pZld + Fosd5wemGx6SUoXMzuBT/st0sg1Azg5mtA1joQTr47NlcwfFrUe7YT8i67szxJSO + Qo6BP+Zl6uVr9m8zSVwrj7TAoC7DQLhCTb3QJdpyYibHwpo0bMyyJjeuL/NpnOpH + Bv1pZ0oXr/nzCo+8jyQY4L2NonJnHtlzYOQf1cHJ+v+P1jOgGgBGqjo0LOE29Tvx + cfQYGLLZc4mRjVQJF3NYW6kHFqKmuu/y5QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "nVIMNp7r21MYneV24x6qVesCjQYM/pvF6nzaihH7GfD"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo"; + syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ"; +} diff --git a/kartei/tv/wiregrill/zoppo.pub b/kartei/tv/wiregrill/zoppo.pub new file mode 100644 index 000000000..7574c4792 --- /dev/null +++ b/kartei/tv/wiregrill/zoppo.pub @@ -0,0 +1 @@ +5YFGAb9Tg/5HH+XHSKanh4P6jE7KTrViwqVuEkmQeSg= From 8d2358ddc4bd06f63f9fb5ee176b38d398b82291 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2023 15:18:21 +0200 Subject: [PATCH 05/26] submodules: remove disko --- submodules/disko | 1 - 1 file changed, 1 deletion(-) delete mode 160000 submodules/disko diff --git a/submodules/disko b/submodules/disko deleted file mode 160000 index 7b186e0f8..000000000 --- a/submodules/disko +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 7b186e0f812a7c54a1fa86b8f7c0f01afecc69c2 From 353875a4168790ceb1f96449ffa3cc62d01d1d35 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Thu, 5 Oct 2023 17:53:01 +0200 Subject: [PATCH 06/26] kartei lass: init ignavia --- kartei/lass/ignavia.nix | 19 +++++++++++++++++++ kartei/lass/ignavia/retiolum.ed25519_key.pub | 1 + kartei/lass/ignavia/retiolum.rsa_key.pub | 13 +++++++++++++ kartei/lass/ignavia/ssh.id_ed25519.pub | 1 + kartei/lass/ignavia/syncthing.pub | 1 + 5 files changed, 35 insertions(+) create mode 100644 kartei/lass/ignavia.nix create mode 100644 kartei/lass/ignavia/retiolum.ed25519_key.pub create mode 100644 kartei/lass/ignavia/retiolum.rsa_key.pub create mode 100644 kartei/lass/ignavia/ssh.id_ed25519.pub create mode 100644 kartei/lass/ignavia/syncthing.pub diff --git a/kartei/lass/ignavia.nix b/kartei/lass/ignavia.nix new file mode 100644 index 000000000..228be1912 --- /dev/null +++ b/kartei/lass/ignavia.nix @@ -0,0 +1,19 @@ +{ r6, w6, ... }: +{ + ci = false; + nets = { + retiolum = { + ip4.addr = "10.243.0.25"; + ip6.addr = r6 "16a2"; + aliases = [ + "ignavia.r" + ]; + tinc = { + pubkey = builtins.readFile ./ignavia/retiolum.rsa_key.pub; + pubkey_ed25519 = builtins.replaceStrings [ "Ed25519PublicKey = " ] [ "" ] (builtins.readFile ./ignavia/retiolum.ed25519_key.pub); + }; + }; + }; + ssh.pubkey = builtins.readFile ./ignavia/ssh.id_ed25519.pub; + syncthing.id = builtins.readFile ./ignavia/syncthing.pub; +} diff --git a/kartei/lass/ignavia/retiolum.ed25519_key.pub b/kartei/lass/ignavia/retiolum.ed25519_key.pub new file mode 100644 index 000000000..cbe130fd5 --- /dev/null +++ b/kartei/lass/ignavia/retiolum.ed25519_key.pub @@ -0,0 +1 @@ +Ed25519PublicKey = iuu6UcJpUu+72IywGkeGh/PpJJZ9UidbsdTR00JbFQL diff --git a/kartei/lass/ignavia/retiolum.rsa_key.pub b/kartei/lass/ignavia/retiolum.rsa_key.pub new file mode 100644 index 000000000..1627ec7e1 --- /dev/null +++ b/kartei/lass/ignavia/retiolum.rsa_key.pub 
@@ -0,0 +1,13 @@ +-----BEGIN RSA PUBLIC KEY----- +MIICCgKCAgEAx362jbzjyKsPG4zAeZW1mgDWzaBoTz6JpJlN6ycsTLkrAAQrHiCs +Dz6sbE0zkQUcdFFuagqwROrQU81kx663azBAlHHsMs/vkVmbQk/ilXHHOYYbkRUS +zCfBe1JwXNPUyZ+v46IgOuvLLBfO00prcDj69sIqWdRMGAvKqYssSHuelBO3UdMl +7r5nQ+Kc5hOqfHjf1xW7eSL3BsAA1GP/nuHkhUJN4TOKXqlywTxpcJQKI35k1gR/ +zCH53qZQ6/GHe6lHEWIjrKdzg51h7cu6UbyfpVN0zoFSY3gcFemRNKk/LI8DxVZs +DjBQCpNVzRkrbmRIS0jTpzwSIvA7O204Z4Z7Q7ocrlFP5gKKT7M+Hk18CU0DIHwp +e5shYBGLPAswmWJQJUyXRyMjS580+ymxw5DRIym2Ogu8w3ztSOxbcWunvLAn9I84 +U6/njQxdKHeuCYBqlO1YHOJ+qKvU4HsV3EYjwGvVzxL4XVg24KvQJ4M6QZvjLYfS +oysx64tLBW4hYv4dTA0vLSa9/0zreNKucJRAaHYGw9rC6FZDK3b8AZiNOCSz2tWC +I/C/sw/UgZMev66MHVuO/K6xR5hpi1tW6ONZ3ecFp4N+MS8lUOQrCQ/L6UU58Qgr +AmAP6hM3FM1TCHEOC2jpLcUIHAdLf+xdzdp2ExPZJiMAUeV310i/dlECAwEAAQ== +-----END RSA PUBLIC KEY----- diff --git a/kartei/lass/ignavia/ssh.id_ed25519.pub b/kartei/lass/ignavia/ssh.id_ed25519.pub new file mode 100644 index 000000000..9e6c348f8 --- /dev/null +++ b/kartei/lass/ignavia/ssh.id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjhIyEbkirWJcsuJHwnZx4QcFhIDNGGsMzJOp4lVnQY lass@aergia diff --git a/kartei/lass/ignavia/syncthing.pub b/kartei/lass/ignavia/syncthing.pub new file mode 100644 index 000000000..9c38cbda1 --- /dev/null +++ b/kartei/lass/ignavia/syncthing.pub @@ -0,0 +1 @@ +NWYGIWH-M2HDGLM-32HL27Z-DGO3ALT-QVCWEET-P436GDZ-4ELEB67-7OE6XQ2 From 5cc5e2d1e6d33279a90caf15cb8d72ea437393c9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2023 21:25:19 +0200 Subject: [PATCH 07/26] kartei lass: remove legacy keys --- kartei/lass/default.nix | 29 ++--------------------------- krebs/2configs/default.nix | 2 -- krebs/2configs/tor/initrd.nix | 2 -- 3 files changed, 2 insertions(+), 31 deletions(-) diff --git a/kartei/lass/default.nix b/kartei/lass/default.nix index fac48a8ba..fe3725809 100644 --- a/kartei/lass/default.nix +++ b/kartei/lass/default.nix 
@@ -25,36 +25,11 @@ in { inherit (slib) krebs; }) ); - users = rec { - lass = lass-yubikey; - lass-yubikey = { + users = { + lass = { mail = "lass@green.r"; pubkey = builtins.readFile ./ssh/yubikey.rsa; pgp.pubkeys.default = builtins.readFile ./pgp/yubikey.pgp; }; - lass-blue = { - mail = "lass@blue.r"; - pubkey = builtins.readFile ./ssh/blue.rsa; - }; - lass-green = { - mail = "lass@green.r"; - pubkey = builtins.readFile ./ssh/green.ed25519; - }; - lass-red = { - mail = "lass@red.r"; - pubkey = builtins.readFile ./ssh/red.ed25519; - }; - lass-mors = { - mail = "lass@mors.r"; - pubkey = builtins.readFile ./ssh/mors.rsa; - pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp; - }; - lass-android = { - mail = "lassulus@gmail.com"; - pubkey = builtins.readFile ./ssh/android.ed25519; - }; - lass-tablet = { - pubkey = builtins.readFile ./ssh/tablet.ed25519; - }; }; } diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index bd4f36cbe..905eaaef7 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -48,9 +48,7 @@ with import ../../lib/pure.nix { inherit lib; }; users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ - config.krebs.users.jeschli-brauerei.pubkey config.krebs.users.lass.pubkey - config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey config.krebs.users.kmein.pubkey diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 21c46a0a7..768439734 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -7,9 +7,7 @@ enable = true; port = 22; authorizedKeys = [ - config.krebs.users.jeschli-brauerei.pubkey config.krebs.users.lass.pubkey - config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; From 84818541d5db5a1c129c29506a6eca8e8faf6522 Mon Sep 17 00:00:00 2001 
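Review bot: The removed user entries still point at key files (`./ssh/blue.rsa`, `./ssh/green.ed25519`, `./ssh/red.ed25519`, `./ssh/mors.rsa`, `./pgp/mors.pgp`, `./ssh/android.ed25519`, `./ssh/tablet.ed25519`) that this commit leaves in the tree, since the diffstat touches only the three .nix files. Deleting them in the same commit makes the retirement complete and avoids a leftover file being wired back in later. The two hunks in krebs/2configs/default.nix and krebs/2configs/tor/initrd.nix also drop `config.krebs.users.jeschli-brauerei.pubkey`, a user not among those removed here; presumably it is defined in another kartei file, so confirm whether that entry is meant to be retired too. The enclosing attrset in kartei/lass/default.nix begins before the hunk.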
From: lassulus Date: Thu, 5 Oct 2023 21:25:37 +0200 Subject: [PATCH 08/26] sync-containers3: add startComamnd option --- krebs/3modules/sync-containers3.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index c88dd5919..6d3a71324 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -32,6 +32,17 @@ in { type = lib.types.bool; default = true; }; + startCommand = lib.mkOption { + type = lib.types.str; + default = '' + set -efu + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + }; }; })); }; @@ -52,14 +63,7 @@ in { NIX_REMOTE = "daemon"; }; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' - set -efu - mkdir -p /var/state/var_src - ln -Tfrs /var/state/var_src /var/src - if test -e /var/src/nixos-config; then - /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : - fi - ''; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ctr.startCommand; unitConfig.X-StopOnRemoval = false; }; }; From 4f4b7a63da0758d80b74e26dd9d65cd69d200bb2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 6 Oct 2023 12:21:40 +0200 Subject: [PATCH 09/26] ignavia: fix syncthing pubkey --- kartei/lass/ignavia.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kartei/lass/ignavia.nix b/kartei/lass/ignavia.nix index 228be1912..88d290e70 100644 --- a/kartei/lass/ignavia.nix +++ b/kartei/lass/ignavia.nix @@ -15,5 +15,5 @@ }; }; ssh.pubkey = builtins.readFile ./ignavia/ssh.id_ed25519.pub; - syncthing.id = builtins.readFile ./ignavia/syncthing.pub; + syncthing.id = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./ignavia/syncthing.pub); } From 1c97bd301a3f924a8be9e98f7e4d88b101fc4c18 Mon Sep 17 00:00:00 2001 
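Review bot: The new `startCommand` option has no `description`, and because `ctr.startCommand` is handed verbatim to `pkgs.writers.writeDash "autoswitch"` as the unit's ExecStart, an overrider needs to know that the whole script body, including the `set -efu` header, is replaced rather than extended. I would add `description = "Dash script used as the ExecStart of the autoswitch service; setting it replaces the default nixos-rebuild script entirely.";` to the option. The submodule and the service definition both extend outside the hunks.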
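Review bot: The trailing-newline problem this one-line fix addresses for `syncthing.id` also applies to the context line `ssh.pubkey = builtins.readFile ./ignavia/ssh.id_ed25519.pub;` directly above it, and to `pubkey_ed25519` in the same file, where `replaceStrings` strips the `Ed25519PublicKey = ` prefix but not the newline (that line is outside the hunk). Whether the consumers of those two values tolerate the newline I cannot tell from here; if they do not, the same `builtins.replaceStrings [ "\n" ] [ "" ]` wrapper applies, and a small helper that trims the newline once and is reused for all three reads would keep the file uniform.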
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 18 Sep 2023 15:06:59 +0200 Subject: [PATCH 10/26] kartei ruby: 131.159.38.101 -> 131.159.38.70 --- kartei/mic92/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 720b362fd..e7d1150c6 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -844,9 +844,9 @@ in { owner = config.krebs.users.mic92; nets = rec { internet = { - # of4.dse.cit.tum.de. - ip4.addr = "131.159.38.101"; - ip6.addr = "2a09:80c0:38::101"; + # ruby.dse.cit.tum.de. + ip4.addr = "131.159.38.70"; + ip6.addr = "2a09:80c0:38::70"; aliases = [ "ruby.i" ]; }; retiolum = { From 417515046cd969b0a8cf2e247254bf469d091519 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 22 Sep 2023 11:33:48 +0200 Subject: [PATCH 11/26] kartei mic92: add vislor --- kartei/mic92/default.nix | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index e7d1150c6..878db4cc8 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix 
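Review bot: This patch is byte-identical to patch 01/26 (same subject, same `index 720b362fd..e7d1150c6`, same hunk), so the series contains the change twice; applying the mbox in order will typically find the change already present at this point and either fail or need a skip. Dropping the duplicate, or rebasing so the commit appears once, avoids that.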
@@ -978,6 +978,33 @@ in { }; }; }; + + vislor = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # vislor.dos.cit.tum.de + ip4.addr = "131.159.102.25"; + ip6.addr = "2a09:80c0:102::25"; + aliases = [ "vislor.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "vislor.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy + buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC + wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm + wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo + vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P + AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E"; + }; + }; + }; }; users = { mic92 = { From 79d6f7956fdcbed5131c28eb4870e3cda4926671 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 04:40:23 +0000 Subject: [PATCH 12/26] Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/repo-sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index 5112f7e0c..dc9360a76 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml 
@@ -8,7 +8,7 @@ jobs: if: github.repository_owner == 'Mic92' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: persist-credentials: false - name: repo-sync From 6bff3fe5d8bfd2c58f2b3b1a7680e0b2ae68249d Mon Sep 17 00:00:00 2001 From: Dhananjay Balan Date: Tue, 10 Oct 2023 22:17:58 +0200 Subject: [PATCH 13/26] kartei dbalan: init tofu --- kartei/dbalan/default.nix | 62 ++++++++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 17 deletions(-) diff --git a/kartei/dbalan/default.nix b/kartei/dbalan/default.nix index 6bf10b921..1f7e22aca 100644 --- a/kartei/dbalan/default.nix +++ b/kartei/dbalan/default.nix 
@@ -2,29 +2,57 @@ let inherit (lib) flip mapAttrs optionalAttrs recursiveUpdate; slib = import ../../lib/pure.nix { inherit lib; }; - hostDefaults = hostName: host: flip recursiveUpdate host ({ - ci = false; - external = true; - monitoring = false; - owner = config.krebs.users.dbalan; - } // optionalAttrs (host.nets?retiolum) { - nets.retiolum = { - ip6.addr = (slib.krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; - }; - } // optionalAttrs (host.nets?wiregrill) { - nets.wiregrill = { - ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address; - }; - }); -in -{ + hostDefaults = hostName: host: + flip recursiveUpdate host ({ + ci = false; + external = true; + monitoring = false; + owner = config.krebs.users.dbalan; + } // optionalAttrs (host.nets ? retiolum) { + nets.retiolum = { + ip6.addr = (slib.krebs.genipv6 "retiolum" "external" { + inherit hostName; + }).address; + }; + } // optionalAttrs (host.nets ? wiregrill) { + nets.wiregrill = { + ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" { + inherit hostName; + }).address; + }; + }); +in { users = rec { dbalan = { mail = "dbalan@thaum.space"; - pubkey = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60"; + pubkey = + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60"; }; }; hosts = mapAttrs hostDefaults { + tofu = { + nets.retiolum = { + aliases = [ "tofu.dbalan.r" ]; + ip4.addr = "10.243.43.12"; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAlBMwSkdI+3CWPVazfDoPCoqYJH1MLd8Z/ZQCTFx4MhLO/DvJrb7H + HJEwvFuImk2yy4oYfcRz8pK+ymBDArdVT5aeTwztTbjkcWa5RTm2d2xuYppTUPZB + L0/yY+a+mP1eRa8O6HAoNx3ETvC5euJS40qISTh6grPGFV7i1HhGNPUkvYFlNF6q + rJs7RgC8Y2/OSNed5WdJfNYNBeB4xUiKtg3sShKQGO++860yNV4G+J+PtBVnMs8/ + MnxQbJxnMbhAHNQt5nV+Z66Ewy/2qcn4clrGB3SG1v9fFizzh9mAFK3Udfa+6s8r + 
JaM4BL41uOgHxiiKovmudxIRtts31cKzwPkMyThQpK8hdxJxrCzSQSbiDUkckE+5 + CeLgAh5jMwEkT6OvYOGZbyeqvZX5gX+yErJyRlsjgYs5TTlfUnpg1BKz2BErzb1b + +lWsZXjO03BpNXsuWhC2sspKfuB3+fjlNwR+ov8/UDTOwhzBz15TlufcxiqzA08d + yJiNylm07C19qxlffqSZ5KSZGTT+DZg53ror1PLMoxLApV5MgHiM6oltDxemSegb + yySGz/EFDDbQQYLYOPu6seLt+ktudvFTERmetV0Bn37Ok8Avs2y6BIgXWjVxcb5p + EDbE5tAvX/MZIU9rAXRqDAOulumfvsyFpK8RkXDEoIQEt+gDoZ5OzJsCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "b355fDYFQgFFj3KfzUCv4DPSfoFTKklsB12imwci7fH"; + }; + }; + v60 = { nets.retiolum = { aliases = [ "v60.dbalan.r" ]; From b5c9c677e3cd2e2f5576b468402486255e43000e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 11 Oct 2023 19:58:47 +0200 Subject: [PATCH 14/26] zones: add NS _acme-challenge.krebsco.de --- krebs/3modules/zones.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 29c0b0f23..7a9cf5be1 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -17,6 +17,8 @@ with lib; { @ 3600 IN NS ns3.he.net. @ 3600 IN NS ns2.hosting.de. + _acme-challenge IN NS ns1 + panda NS panda panda A 130.61.237.100 ''; From 81ea4297184bf4be5a5f3a1801ab9f6e55f3dc20 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 12 Oct 2023 14:09:38 +0200 Subject: [PATCH 15/26] kartei neoprism.r: increment v6 --- kartei/lass/neoprism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix index a122fa207..63d608e46 100644 --- a/kartei/lass/neoprism.nix +++ b/kartei/lass/neoprism.nix @@ -7,7 +7,7 @@ prefix = "${addr}/32"; }; ip6 = rec { - addr = "2a01:4f9:4a:4f1a::1"; + addr = "2a01:4f9:4a:4f1a::2"; prefix = "${addr}/64"; }; aliases = [ From 23d52de962f91cde3761645c57c301a294b9b7b6 Mon Sep 17 00:00:00 2001 
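Review bot: The functional change, adding the `tofu` host with its retiolum key, is mixed with a pure reformat of `hostDefaults` and of the `pubkey` line, so the part worth reviewing is buried in whitespace-only diff lines. Splitting the reformat into its own commit would let the key addition be checked on its own. The `tofu` entry carries no `ip6.addr` of its own, which is presumably intended since `hostDefaults` derives one via `slib.krebs.genipv6` for hosts with `nets.retiolum`; the hosts attrset continues beyond the hunk.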
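Review bot: The added record `_acme-challenge IN NS ns1` delegates only the apex challenge name `_acme-challenge.krebsco.de`, so DNS-01 validation for names below the apex (`_acme-challenge.<host>.krebsco.de`) is not covered unless each of those is delegated or aliased separately; whether that is the intent I cannot tell from the hunk. It also makes ns1 a host that can answer issuance challenges for the apex, so it deserves the same protection as the zone itself. Unlike the neighbouring `@ 3600 IN NS` lines the record has no explicit TTL and `ns1` is a relative in-zone name, so confirm the zone default TTL is acceptable and that an A/AAAA record for `ns1` exists; the zone text continues outside the hunk.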
From: lassulus Date: Sun, 29 Oct 2023 09:16:33 +0100 Subject: [PATCH 16/26] remove deprecated fetchWallpaper --- krebs/3modules/default.nix | 1 - krebs/3modules/fetchWallpaper.nix | 95 ------------------------------- 2 files changed, 96 deletions(-) delete mode 100644 krebs/3modules/fetchWallpaper.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5d12ea7af..27c3da2e6 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -17,7 +17,6 @@ ./exim-retiolum.nix ./exim-smarthost.nix ./exim.nix - ./fetchWallpaper.nix ./git.nix ./github ./go.nix diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix deleted file mode 100644 index 0d67120fd..000000000 --- a/krebs/3modules/fetchWallpaper.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ../../lib/pure.nix { inherit lib; }; - -let - cfg = config.krebs.fetchWallpaper; - - out = { - options.krebs.fetchWallpaper = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "fetch wallpaper"; - url = mkOption { - type = types.str; - }; - timerConfig = mkOption { - type = types.unspecified; - default = { - OnCalendar = "*:00,10,20,30,40,50"; - }; - }; - stateDir = mkOption { - type = types.str; - default = "/var/lib/wallpaper"; - }; - display = mkOption { - type = types.str; - default = ":${toString config.services.xserver.display}"; - }; - unitConfig = mkOption { - type = types.attrsOf types.str; - description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit"; - example = literalExample '' - # do not start when running on umts - { ConditionPathExists = "!/var/run/ppp0.pid"; } - ''; - default = {}; - }; - }; - - fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" '' - set -euf - - mkdir -p ${cfg.stateDir} - chmod o+rx ${cfg.stateDir} - cd ${cfg.stateDir} - (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || : - feh --no-fehbg --bg-scale wallpaper - ''; - - imp = { - users.users.fetchWallpaper = { - name = "fetchWallpaper"; - uid = genid_uint31 "fetchWallpaper"; - description = "fetchWallpaper user"; - group = "fetchWallpaper"; - home = cfg.stateDir; - createHome = true; - isSystemUser = true; - }; - users.groups.fetchWallpaper = {}; - - systemd.timers.fetchWallpaper = { - description = "fetch wallpaper timer"; - wantedBy = [ "timers.target" ]; - - timerConfig = cfg.timerConfig; - }; - systemd.services.fetchWallpaper = { - description = "fetch wallpaper"; - after = [ "network.target" ]; - - path = with pkgs; [ - curl - feh - ]; - - environment = { - URL = cfg.url; - DISPLAY = cfg.display; - }; - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - 
ExecStart = fetchWallpaperScript; - User = "fetchWallpaper"; - }; - - unitConfig = cfg.unitConfig; - }; - }; -in out From cc928a38a98f50e060a2c9a9bbe98ea92564270c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 2 Nov 2023 09:56:42 +0100 Subject: [PATCH 17/26] setuid: run after usrbinenv, since wrappers got removed --- krebs/3modules/setuid.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 53fed0e36..fdb96c8ba 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -80,7 +80,7 @@ let }; imp = { - system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ] + system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ] (concatMapStringsSep "\n" (cfg: /* sh */ '' ${cfg.activate} From d1b54dcef22cb7960d9a5b98dd4e817feb8c2363 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 Oct 2023 10:28:40 +0200 Subject: [PATCH 18/26] kartei mic92: update eve.i --- kartei/mic92/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 878db4cc8..00fb92128 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -80,8 +80,8 @@ in { nets = rec { internet = { # eve.thalheim.io - ip4.addr = "88.99.244.96"; - ip6.addr = "2a01:4f8:10b:49f::1"; + ip4.addr = "95.217.199.121"; + ip6.addr = "2a01:4f9:4a:42e8::1"; aliases = [ "eve.i" ]; }; retiolum = { From 095f89e9726fe5247aba6508b13ecbba756904d1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:03:01 +0100 Subject: [PATCH 19/26] git: declare group --- krebs/3modules/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 1ec216f62..347a2c32b 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix 
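Review bot: The ordering change to `stringAfter [ "usrbinenv" ]` replaces a dependency on the removed `wrappers` activation snippet with one that has nothing to do with setuid handling, so nothing in the hunk shows what must exist before `${cfg.activate}` runs (the script body is outside the hunk). If the old snippet also prepared the directory or mount the setuid binaries are placed in, ordering after `usrbinenv` does not restore that and the module has to create it itself; if it did not, a short comment such as `# "wrappers" no longer exists as an activation snippet; only ordering after the base system matters here` would explain the choice. Patch 20 in the same series moves exim to `security.wrappers`, so it may be worth stating whether `krebs.setuid` is still meant to be supported at all.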
@@ -376,6 +376,7 @@ let (filter (user: isString user.pubkey) (concatMap (getAttr "user") cfg.rules)))); }; + users.groups.${cfg.cgit.fcgiwrap.group.name} = {}; }; cgit-imp = { From 4fd1aaaf8d1f4656f02d7868dcd6e7b297bb5cfe Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:03:49 +0100 Subject: [PATCH 20/26] exim: use upstream security wrappers --- krebs/3modules/exim.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 917a8e5a4..583fd07b1 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -50,14 +50,18 @@ in { ''; systemPackages = [ pkgs.exim ]; }; - krebs.setuid = { + security.wrappers = { exim = { - filename = "${pkgs.exim}/bin/exim"; - mode = "4111"; + source = "${pkgs.exim}/bin/exim"; + owner = "root"; + group = "root"; + setuid = true; }; sendmail = { - filename = "${pkgs.exim}/bin/exim"; - mode = "4111"; + source = "${pkgs.exim}/bin/exim"; + owner = "root"; + group = "root"; + setuid = true; }; }; systemd.services.exim = { From 8a62119217a92691e80fb0991b223694419373d4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:43:57 +0100 Subject: [PATCH 21/26] sync-containers3: use ping from path --- krebs/3modules/sync-containers3.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 6d3a71324..7bec27b0f 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -88,6 +88,7 @@ in { { "${ctr.name}_syncer" = { path = with pkgs; [ coreutils + inetutils consul rsync openssh 
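Review bot: The new line `users.groups.${cfg.cgit.fcgiwrap.group.name} = {};` declares the cgit fcgiwrap group in what appears to be the general git config block, while the cgit-specific block `cgit-imp` starts right below it; if this block is applied whenever the git module is enabled, the group is created even on hosts that never run cgit. Moving the line into `cgit-imp` would keep the group scoped to where fcgiwrap actually runs. The enclosing attrset begins before the hunk, so the block's role is inferred from the `cgit-imp = {` line that follows.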
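Review bot: The replacement `security.wrappers` entries for `exim` and `sendmail` set `owner`, `group` and `setuid` but not `permissions`, whereas the removed `krebs.setuid` entries pinned `mode = "4111"` (setuid, execute-only); the wrapper module's default permissions apply now, so the resulting mode of two setuid-root binaries is no longer stated in this file. If execute-only was deliberate, set `permissions` explicitly so the intent survives the migration. The two entries are also identical apart from their name; a `let` binding for the shared attrset would keep them from drifting apart.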
@@ -107,7 +108,7 @@ in { set -efux consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' set -efux - if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then + if ping -c 1 ${ctr.name}.r; then nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync touch "$HOME"/incomplete nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk @@ -120,6 +121,7 @@ in { { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { path = with pkgs; [ coreutils + inetutils consul cryptsetup curl @@ -149,7 +151,7 @@ in { export payload if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then # echo 'we are the host, trying to reach container' - if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then + if $(retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null); then # echo 'container is reachable, continueing' continue else @@ -177,6 +179,7 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils + inetutils consul cryptsetup mount @@ -232,8 +235,8 @@ in { /run/current-system/sw/bin/nixos-container start ${ctr.name} # wait for system to become reachable for the first time systemctl start ${ctr.name}_watcher.service - retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null - while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do + retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null + while systemctl is-active container@${ctr.name}.service >/devnull && ping -q -c 3 ${ctr.name}.r >/dev/null; do consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null sleep 10 done From c79f5fc9faa7790fa7612a8c121b3637faf08470 Mon Sep 17 00:00:00 2001 
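Review bot: Replacing `/run/wrappers/bin/ping` with a bare `ping` resolved through `inetutils` in the unit's `path` drops the capability-bearing wrapper, so ICMP now depends on the privileges of the service itself; inetutils' ping opens a raw socket and needs CAP_NET_RAW, and if the syncer or watcher units run as an unprivileged user (the `$CREDENTIALS_DIRECTORY`/`$HOME` usage suggests they might), `if ping -c 1 ${ctr.name}.r; then` simply fails and the sync never runs, with nothing distinguishing "unreachable" from "not permitted". Either give the units `serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];` or put `iputils` in `path` instead, whose ping can use unprivileged ICMP sockets subject to `net.ipv4.ping_group_range`. The same applies to the `retry … ping` calls in the later hunks of this file and to the `inetutils` additions in the three `path` lists; each service definition extends outside its hunk.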
From: lassulus Date: Tue, 7 Nov 2023 20:27:19 +0100 Subject: [PATCH 22/26] flake: export all systems --- flake.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 1ff183e74..a44446b08 100644 --- a/flake.nix +++ b/flake.nix @@ -12,15 +12,15 @@ description = "stockholm"; outputs = { self, nixpkgs, nix-writers }: { - nixosConfigurations.hotdog = nixpkgs.lib.nixosSystem { + nixosConfigurations = nixpkgs.lib.mapAttrs (machineName: _: nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs.stockholm = self; specialArgs.nix-writers = nix-writers; - specialArgs.secrets = toString ./krebs/0tests/data/secrets; + specialArgs.secrets = nixpkgs.lib.mkDefault (toString ./krebs/0tests/data/secrets); modules = [ - ./krebs/1systems/hotdog/config.nix + ./krebs/1systems/${machineName}/config.nix ]; - }; + }) (builtins.readDir ./krebs/1systems); nixosModules = let From 015ef28416289059a66b1df043a186256384cc7b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Nov 2023 21:21:24 +0100 Subject: [PATCH 23/26] tinc: reload on change --- krebs/3modules/tinc.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 9df368cfb..d73d5ca61 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -208,10 +208,9 @@ with import ../../lib/pure.nix { inherit lib; }; { description = "Tinc daemon for ${netname}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - # Restart the service in a single step in order to prevent potential - # connection timeouts and subsequent issues while deploying via tinc. - stopIfChanged = false; + reloadIfChanged = true; serviceConfig = { + ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; Restart = "always"; LoadCredential = filter (x: x != "") [ (optionalString (cfg.privkey_ed25519 != null) From 334378bc5730f7758a3e45346f6641b4464fc97d Mon Sep 17 00:00:00 2001 
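Review bot: `nixpkgs.lib.mapAttrs (machineName: _: …) (builtins.readDir ./krebs/1systems)` turns every directory entry into a nixosSystem, plain files included, so a stray file in `krebs/1systems` makes the flake fail on `./krebs/1systems/${machineName}/config.nix`; filtering on the entry type, e.g. `(nixpkgs.lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./krebs/1systems))`, limits the export to real systems. Separately, `specialArgs.secrets = nixpkgs.lib.mkDefault (…)` does not do what it suggests: `specialArgs` values are passed straight to module functions without option merging, so `secrets` becomes an override attrset rather than the path string; patch 26 in this series removes the line, which fits that reading. The outputs attrset continues beyond the hunk.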
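Review bot: Switching from `stopIfChanged = false` to `reloadIfChanged = true` means a changed unit is now only reloaded, never restarted, so changes that `tinc -n ${netname} reload` cannot pick up (a new `cfg.tincPackage`, an altered `ExecStart` or `LoadCredential`, a replaced private key) stay inactive until someone restarts the service by hand; that trade-off deserves the kind of comment the hunk deletes, e.g. `# Reload instead of restart so deployments over tinc keep their connection; package or credential changes still need a manual restart.`. The `+` prefix on `ExecReload` runs the reload with full privileges regardless of `User=`, presumably needed to reach the control socket, and is worth a word as well. The service definition extends outside the hunk.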
From: lassulus Date: Sat, 25 Nov 2023 12:42:10 +0100 Subject: [PATCH 24/26] sync-containers3: bind to bridge after startup --- krebs/3modules/sync-containers3.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 7bec27b0f..58446c82b 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -246,9 +246,11 @@ in { }; } { "container@${ctr.name}" = lib.mkIf ctr.runContainer { serviceConfig = { - ExecStop = pkgs.writers.writeDash "remove_interface" '' - ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} - ''; + ExecStartPost = [ + (pkgs.writers.writeDash "bind-to-bridge" '' + ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0 + '') + ]; }; }; } ]) (lib.attrValues cfg.containers))); From c81b09c602a50bbd911abfb28abade77c2a8b6a6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 29 Nov 2023 19:53:42 +0100 Subject: [PATCH 25/26] news.r: set ssh private key --- krebs/1systems/news/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix index b5a2b21ba..290870fce 100644 --- a/krebs/1systems/news/config.nix +++ b/krebs/1systems/news/config.nix @@ -14,6 +14,7 @@ ]; krebs.build.host = config.krebs.hosts.news; + krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; boot.isContainer = true; networking.useDHCP = lib.mkForce true; From c660bedbb94a9a08c50050a3447f4fc5ba90fd69 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 29 Nov 2023 19:58:49 +0100 Subject: [PATCH 26/26] flake: set krebs.secret.directory --- flake.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index a44446b08..516648849 100644 --- a/flake.nix +++ b/flake.nix 
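Review bot: The `ExecStop` that deleted `vb-${ctr.name}` is removed rather than kept next to the new `ExecStartPost`, so the veth is no longer torn down by this unit; if nspawn does not remove it on container stop, a stale `vb-*` link stays enslaved to `ctr0` until the next start. The bridge name `ctr0` is also hard-coded here while the rest of the file derives names from `ctr.name`; a comment naming where `ctr0` is created, or an option for it, would help the next reader. The `container@${ctr.name}` definition continues past the hunk.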
@@ -16,9 +16,11 @@ system = "x86_64-linux"; specialArgs.stockholm = self; specialArgs.nix-writers = nix-writers; - specialArgs.secrets = nixpkgs.lib.mkDefault (toString ./krebs/0tests/data/secrets); modules = [ ./krebs/1systems/${machineName}/config.nix + { + krebs.secret.directory = "/var/src/secrets"; + } ]; }) (builtins.readDir ./krebs/1systems);