Merge remote-tracking branch 'lass/master'
This commit is contained in:
commit
2ca25d5fc3
2
.github/workflows/repo-sync.yml
vendored
2
.github/workflows/repo-sync.yml
vendored
@ -8,7 +8,7 @@ jobs:
|
|||||||
if: github.repository_owner == 'Mic92'
|
if: github.repository_owner == 'Mic92'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
- name: repo-sync
|
- name: repo-sync
|
||||||
|
10
flake.nix
10
flake.nix
@ -12,15 +12,17 @@
|
|||||||
description = "stockholm";
|
description = "stockholm";
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nix-writers }: {
|
outputs = { self, nixpkgs, nix-writers }: {
|
||||||
nixosConfigurations.hotdog = nixpkgs.lib.nixosSystem {
|
nixosConfigurations = nixpkgs.lib.mapAttrs (machineName: _: nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs.stockholm = self;
|
specialArgs.stockholm = self;
|
||||||
specialArgs.nix-writers = nix-writers;
|
specialArgs.nix-writers = nix-writers;
|
||||||
specialArgs.secrets = toString ./krebs/0tests/data/secrets;
|
|
||||||
modules = [
|
modules = [
|
||||||
./krebs/1systems/hotdog/config.nix
|
./krebs/1systems/${machineName}/config.nix
|
||||||
|
{
|
||||||
|
krebs.secret.directory = "/var/src/secrets";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
}) (builtins.readDir ./krebs/1systems);
|
||||||
|
|
||||||
nixosModules =
|
nixosModules =
|
||||||
let
|
let
|
||||||
|
@ -4,10 +4,10 @@ in {
|
|||||||
users.Ra33it0 = {
|
users.Ra33it0 = {
|
||||||
mail = "Ra33it0@posteo.net";
|
mail = "Ra33it0@posteo.net";
|
||||||
};
|
};
|
||||||
hosts.DUMMYHOST = {
|
hosts.unispore = {
|
||||||
owner = config.krebs.users.Ra33it0;
|
owner = config.krebs.users.Ra33it0;
|
||||||
nets.retiolum = {
|
nets.retiolum = {
|
||||||
aliases = [ "Ra33it0.Ra33it0.r" ];
|
aliases = [ "unispore.Ra33it0.r" ];
|
||||||
ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address;
|
ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address;
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
@ -2,29 +2,57 @@
|
|||||||
let
|
let
|
||||||
inherit (lib) flip mapAttrs optionalAttrs recursiveUpdate;
|
inherit (lib) flip mapAttrs optionalAttrs recursiveUpdate;
|
||||||
slib = import ../../lib/pure.nix { inherit lib; };
|
slib = import ../../lib/pure.nix { inherit lib; };
|
||||||
hostDefaults = hostName: host: flip recursiveUpdate host ({
|
hostDefaults = hostName: host:
|
||||||
|
flip recursiveUpdate host ({
|
||||||
ci = false;
|
ci = false;
|
||||||
external = true;
|
external = true;
|
||||||
monitoring = false;
|
monitoring = false;
|
||||||
owner = config.krebs.users.dbalan;
|
owner = config.krebs.users.dbalan;
|
||||||
} // optionalAttrs (host.nets ? retiolum) {
|
} // optionalAttrs (host.nets ? retiolum) {
|
||||||
nets.retiolum = {
|
nets.retiolum = {
|
||||||
ip6.addr = (slib.krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
|
ip6.addr = (slib.krebs.genipv6 "retiolum" "external" {
|
||||||
|
inherit hostName;
|
||||||
|
}).address;
|
||||||
};
|
};
|
||||||
} // optionalAttrs (host.nets ? wiregrill) {
|
} // optionalAttrs (host.nets ? wiregrill) {
|
||||||
nets.wiregrill = {
|
nets.wiregrill = {
|
||||||
ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
|
ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" {
|
||||||
|
inherit hostName;
|
||||||
|
}).address;
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
users = rec {
|
users = rec {
|
||||||
dbalan = {
|
dbalan = {
|
||||||
mail = "dbalan@thaum.space";
|
mail = "dbalan@thaum.space";
|
||||||
pubkey = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60";
|
pubkey =
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
hosts = mapAttrs hostDefaults {
|
hosts = mapAttrs hostDefaults {
|
||||||
|
tofu = {
|
||||||
|
nets.retiolum = {
|
||||||
|
aliases = [ "tofu.dbalan.r" ];
|
||||||
|
ip4.addr = "10.243.43.12";
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAlBMwSkdI+3CWPVazfDoPCoqYJH1MLd8Z/ZQCTFx4MhLO/DvJrb7H
|
||||||
|
HJEwvFuImk2yy4oYfcRz8pK+ymBDArdVT5aeTwztTbjkcWa5RTm2d2xuYppTUPZB
|
||||||
|
L0/yY+a+mP1eRa8O6HAoNx3ETvC5euJS40qISTh6grPGFV7i1HhGNPUkvYFlNF6q
|
||||||
|
rJs7RgC8Y2/OSNed5WdJfNYNBeB4xUiKtg3sShKQGO++860yNV4G+J+PtBVnMs8/
|
||||||
|
MnxQbJxnMbhAHNQt5nV+Z66Ewy/2qcn4clrGB3SG1v9fFizzh9mAFK3Udfa+6s8r
|
||||||
|
JaM4BL41uOgHxiiKovmudxIRtts31cKzwPkMyThQpK8hdxJxrCzSQSbiDUkckE+5
|
||||||
|
CeLgAh5jMwEkT6OvYOGZbyeqvZX5gX+yErJyRlsjgYs5TTlfUnpg1BKz2BErzb1b
|
||||||
|
+lWsZXjO03BpNXsuWhC2sspKfuB3+fjlNwR+ov8/UDTOwhzBz15TlufcxiqzA08d
|
||||||
|
yJiNylm07C19qxlffqSZ5KSZGTT+DZg53ror1PLMoxLApV5MgHiM6oltDxemSegb
|
||||||
|
yySGz/EFDDbQQYLYOPu6seLt+ktudvFTERmetV0Bn37Ok8Avs2y6BIgXWjVxcb5p
|
||||||
|
EDbE5tAvX/MZIU9rAXRqDAOulumfvsyFpK8RkXDEoIQEt+gDoZ5OzJsCAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "b355fDYFQgFFj3KfzUCv4DPSfoFTKklsB12imwci7fH";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
v60 = {
|
v60 = {
|
||||||
nets.retiolum = {
|
nets.retiolum = {
|
||||||
aliases = [ "v60.dbalan.r" ];
|
aliases = [ "v60.dbalan.r" ];
|
||||||
|
@ -25,36 +25,11 @@ in {
|
|||||||
inherit (slib) krebs;
|
inherit (slib) krebs;
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
users = rec {
|
users = {
|
||||||
lass = lass-yubikey;
|
lass = {
|
||||||
lass-yubikey = {
|
|
||||||
mail = "lass@green.r";
|
mail = "lass@green.r";
|
||||||
pubkey = builtins.readFile ./ssh/yubikey.rsa;
|
pubkey = builtins.readFile ./ssh/yubikey.rsa;
|
||||||
pgp.pubkeys.default = builtins.readFile ./pgp/yubikey.pgp;
|
pgp.pubkeys.default = builtins.readFile ./pgp/yubikey.pgp;
|
||||||
};
|
};
|
||||||
lass-blue = {
|
|
||||||
mail = "lass@blue.r";
|
|
||||||
pubkey = builtins.readFile ./ssh/blue.rsa;
|
|
||||||
};
|
|
||||||
lass-green = {
|
|
||||||
mail = "lass@green.r";
|
|
||||||
pubkey = builtins.readFile ./ssh/green.ed25519;
|
|
||||||
};
|
|
||||||
lass-red = {
|
|
||||||
mail = "lass@red.r";
|
|
||||||
pubkey = builtins.readFile ./ssh/red.ed25519;
|
|
||||||
};
|
|
||||||
lass-mors = {
|
|
||||||
mail = "lass@mors.r";
|
|
||||||
pubkey = builtins.readFile ./ssh/mors.rsa;
|
|
||||||
pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
|
|
||||||
};
|
|
||||||
lass-android = {
|
|
||||||
mail = "lassulus@gmail.com";
|
|
||||||
pubkey = builtins.readFile ./ssh/android.ed25519;
|
|
||||||
};
|
|
||||||
lass-tablet = {
|
|
||||||
pubkey = builtins.readFile ./ssh/tablet.ed25519;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
19
kartei/lass/ignavia.nix
Normal file
19
kartei/lass/ignavia.nix
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
{ r6, w6, ... }:
|
||||||
|
{
|
||||||
|
ci = false;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.0.25";
|
||||||
|
ip6.addr = r6 "16a2";
|
||||||
|
aliases = [
|
||||||
|
"ignavia.r"
|
||||||
|
];
|
||||||
|
tinc = {
|
||||||
|
pubkey = builtins.readFile ./ignavia/retiolum.rsa_key.pub;
|
||||||
|
pubkey_ed25519 = builtins.replaceStrings [ "Ed25519PublicKey = " ] [ "" ] (builtins.readFile ./ignavia/retiolum.ed25519_key.pub);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ssh.pubkey = builtins.readFile ./ignavia/ssh.id_ed25519.pub;
|
||||||
|
syncthing.id = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./ignavia/syncthing.pub);
|
||||||
|
}
|
1
kartei/lass/ignavia/retiolum.ed25519_key.pub
Normal file
1
kartei/lass/ignavia/retiolum.ed25519_key.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
Ed25519PublicKey = iuu6UcJpUu+72IywGkeGh/PpJJZ9UidbsdTR00JbFQL
|
13
kartei/lass/ignavia/retiolum.rsa_key.pub
Normal file
13
kartei/lass/ignavia/retiolum.rsa_key.pub
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAx362jbzjyKsPG4zAeZW1mgDWzaBoTz6JpJlN6ycsTLkrAAQrHiCs
|
||||||
|
Dz6sbE0zkQUcdFFuagqwROrQU81kx663azBAlHHsMs/vkVmbQk/ilXHHOYYbkRUS
|
||||||
|
zCfBe1JwXNPUyZ+v46IgOuvLLBfO00prcDj69sIqWdRMGAvKqYssSHuelBO3UdMl
|
||||||
|
7r5nQ+Kc5hOqfHjf1xW7eSL3BsAA1GP/nuHkhUJN4TOKXqlywTxpcJQKI35k1gR/
|
||||||
|
zCH53qZQ6/GHe6lHEWIjrKdzg51h7cu6UbyfpVN0zoFSY3gcFemRNKk/LI8DxVZs
|
||||||
|
DjBQCpNVzRkrbmRIS0jTpzwSIvA7O204Z4Z7Q7ocrlFP5gKKT7M+Hk18CU0DIHwp
|
||||||
|
e5shYBGLPAswmWJQJUyXRyMjS580+ymxw5DRIym2Ogu8w3ztSOxbcWunvLAn9I84
|
||||||
|
U6/njQxdKHeuCYBqlO1YHOJ+qKvU4HsV3EYjwGvVzxL4XVg24KvQJ4M6QZvjLYfS
|
||||||
|
oysx64tLBW4hYv4dTA0vLSa9/0zreNKucJRAaHYGw9rC6FZDK3b8AZiNOCSz2tWC
|
||||||
|
I/C/sw/UgZMev66MHVuO/K6xR5hpi1tW6ONZ3ecFp4N+MS8lUOQrCQ/L6UU58Qgr
|
||||||
|
AmAP6hM3FM1TCHEOC2jpLcUIHAdLf+xdzdp2ExPZJiMAUeV310i/dlECAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
1
kartei/lass/ignavia/ssh.id_ed25519.pub
Normal file
1
kartei/lass/ignavia/ssh.id_ed25519.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjhIyEbkirWJcsuJHwnZx4QcFhIDNGGsMzJOp4lVnQY lass@aergia
|
1
kartei/lass/ignavia/syncthing.pub
Normal file
1
kartei/lass/ignavia/syncthing.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
NWYGIWH-M2HDGLM-32HL27Z-DGO3ALT-QVCWEET-P436GDZ-4ELEB67-7OE6XQ2
|
@ -7,7 +7,7 @@
|
|||||||
prefix = "${addr}/32";
|
prefix = "${addr}/32";
|
||||||
};
|
};
|
||||||
ip6 = rec {
|
ip6 = rec {
|
||||||
addr = "2a01:4f9:4a:4f1a::1";
|
addr = "2a01:4f9:4a:4f1a::2";
|
||||||
prefix = "${addr}/64";
|
prefix = "${addr}/64";
|
||||||
};
|
};
|
||||||
aliases = [
|
aliases = [
|
||||||
|
@ -80,8 +80,8 @@ in {
|
|||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
# eve.thalheim.io
|
# eve.thalheim.io
|
||||||
ip4.addr = "88.99.244.96";
|
ip4.addr = "95.217.199.121";
|
||||||
ip6.addr = "2a01:4f8:10b:49f::1";
|
ip6.addr = "2a01:4f9:4a:42e8::1";
|
||||||
aliases = [ "eve.i" ];
|
aliases = [ "eve.i" ];
|
||||||
};
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
@ -844,9 +844,9 @@ in {
|
|||||||
owner = config.krebs.users.mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
# of4.dse.cit.tum.de.
|
# ruby.dse.cit.tum.de.
|
||||||
ip4.addr = "131.159.38.101";
|
ip4.addr = "131.159.38.70";
|
||||||
ip6.addr = "2a09:80c0:38::101";
|
ip6.addr = "2a09:80c0:38::70";
|
||||||
aliases = [ "ruby.i" ];
|
aliases = [ "ruby.i" ];
|
||||||
};
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
@ -978,6 +978,33 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
vislor = {
|
||||||
|
owner = config.krebs.users.mic92;
|
||||||
|
nets = rec {
|
||||||
|
internet = {
|
||||||
|
# vislor.dos.cit.tum.de
|
||||||
|
ip4.addr = "131.159.102.25";
|
||||||
|
ip6.addr = "2a09:80c0:102::25";
|
||||||
|
aliases = [ "vislor.i" ];
|
||||||
|
};
|
||||||
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
|
aliases = [ "vislor.r" ];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy
|
||||||
|
buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC
|
||||||
|
wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm
|
||||||
|
wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo
|
||||||
|
vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P
|
||||||
|
AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
users = {
|
users = {
|
||||||
mic92 = {
|
mic92 = {
|
||||||
|
24
kartei/tv/hosts/zoppo.nix
Normal file
24
kartei/tv/hosts/zoppo.nix
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
{
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.13.43";
|
||||||
|
aliases = [
|
||||||
|
"zoppo.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEAtMzW+RL4mik0JHLL2p21bWy81bVv84mi/NKHyewXxx9EahD3cyOP
|
||||||
|
D/2gLipJnzyjxvM7HzR0FQpBCD5VLmRk2MrRENUGYzrNFhSu36gVg5bGngr0pZld
|
||||||
|
Fosd5wemGx6SUoXMzuBT/st0sg1Azg5mtA1joQTr47NlcwfFrUe7YT8i67szxJSO
|
||||||
|
Qo6BP+Zl6uVr9m8zSVwrj7TAoC7DQLhCTb3QJdpyYibHwpo0bMyyJjeuL/NpnOpH
|
||||||
|
Bv1pZ0oXr/nzCo+8jyQY4L2NonJnHtlzYOQf1cHJ+v+P1jOgGgBGqjo0LOE29Tvx
|
||||||
|
cfQYGLLZc4mRjVQJF3NYW6kHFqKmuu/y5QIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "nVIMNp7r21MYneV24x6qVesCjQYM/pvF6nzaihH7GfD";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secure = true;
|
||||||
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo";
|
||||||
|
syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ";
|
||||||
|
}
|
1
kartei/tv/wiregrill/zoppo.pub
Normal file
1
kartei/tv/wiregrill/zoppo.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
5YFGAb9Tg/5HH+XHSKanh4P6jE7KTrViwqVuEkmQeSg=
|
@ -14,6 +14,7 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.news;
|
krebs.build.host = config.krebs.hosts.news;
|
||||||
|
krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
|
||||||
|
|
||||||
boot.isContainer = true;
|
boot.isContainer = true;
|
||||||
networking.useDHCP = lib.mkForce true;
|
networking.useDHCP = lib.mkForce true;
|
||||||
|
@ -48,9 +48,7 @@ with import ../../lib/pure.nix { inherit lib; };
|
|||||||
|
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
users.extraUsers.root.openssh.authorizedKeys.keys = [
|
users.extraUsers.root.openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.jeschli-brauerei.pubkey
|
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-mors.pubkey
|
|
||||||
config.krebs.users.makefu.pubkey
|
config.krebs.users.makefu.pubkey
|
||||||
config.krebs.users.tv.pubkey
|
config.krebs.users.tv.pubkey
|
||||||
config.krebs.users.kmein.pubkey
|
config.krebs.users.kmein.pubkey
|
||||||
|
@ -7,9 +7,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
port = 22;
|
port = 22;
|
||||||
authorizedKeys = [
|
authorizedKeys = [
|
||||||
config.krebs.users.jeschli-brauerei.pubkey
|
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-mors.pubkey
|
|
||||||
config.krebs.users.makefu.pubkey
|
config.krebs.users.makefu.pubkey
|
||||||
config.krebs.users.tv.pubkey
|
config.krebs.users.tv.pubkey
|
||||||
];
|
];
|
||||||
|
@ -17,7 +17,6 @@
|
|||||||
./exim-retiolum.nix
|
./exim-retiolum.nix
|
||||||
./exim-smarthost.nix
|
./exim-smarthost.nix
|
||||||
./exim.nix
|
./exim.nix
|
||||||
./fetchWallpaper.nix
|
|
||||||
./git.nix
|
./git.nix
|
||||||
./github
|
./github
|
||||||
./go.nix
|
./go.nix
|
||||||
|
@ -50,14 +50,18 @@ in {
|
|||||||
'';
|
'';
|
||||||
systemPackages = [ pkgs.exim ];
|
systemPackages = [ pkgs.exim ];
|
||||||
};
|
};
|
||||||
krebs.setuid = {
|
security.wrappers = {
|
||||||
exim = {
|
exim = {
|
||||||
filename = "${pkgs.exim}/bin/exim";
|
source = "${pkgs.exim}/bin/exim";
|
||||||
mode = "4111";
|
owner = "root";
|
||||||
|
group = "root";
|
||||||
|
setuid = true;
|
||||||
};
|
};
|
||||||
sendmail = {
|
sendmail = {
|
||||||
filename = "${pkgs.exim}/bin/exim";
|
source = "${pkgs.exim}/bin/exim";
|
||||||
mode = "4111";
|
owner = "root";
|
||||||
|
group = "root";
|
||||||
|
setuid = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.exim = {
|
systemd.services.exim = {
|
||||||
|
@ -1,95 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with import ../../lib/pure.nix { inherit lib; };
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.krebs.fetchWallpaper;
|
|
||||||
|
|
||||||
out = {
|
|
||||||
options.krebs.fetchWallpaper = api;
|
|
||||||
config = lib.mkIf cfg.enable imp;
|
|
||||||
};
|
|
||||||
|
|
||||||
api = {
|
|
||||||
enable = mkEnableOption "fetch wallpaper";
|
|
||||||
url = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
timerConfig = mkOption {
|
|
||||||
type = types.unspecified;
|
|
||||||
default = {
|
|
||||||
OnCalendar = "*:00,10,20,30,40,50";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
stateDir = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "/var/lib/wallpaper";
|
|
||||||
};
|
|
||||||
display = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = ":${toString config.services.xserver.display}";
|
|
||||||
};
|
|
||||||
unitConfig = mkOption {
|
|
||||||
type = types.attrsOf types.str;
|
|
||||||
description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit";
|
|
||||||
example = literalExample ''
|
|
||||||
# do not start when running on umts
|
|
||||||
{ ConditionPathExists = "!/var/run/ppp0.pid"; }
|
|
||||||
'';
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
|
|
||||||
set -euf
|
|
||||||
|
|
||||||
mkdir -p ${cfg.stateDir}
|
|
||||||
chmod o+rx ${cfg.stateDir}
|
|
||||||
cd ${cfg.stateDir}
|
|
||||||
(curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
|
|
||||||
feh --no-fehbg --bg-scale wallpaper
|
|
||||||
'';
|
|
||||||
|
|
||||||
imp = {
|
|
||||||
users.users.fetchWallpaper = {
|
|
||||||
name = "fetchWallpaper";
|
|
||||||
uid = genid_uint31 "fetchWallpaper";
|
|
||||||
description = "fetchWallpaper user";
|
|
||||||
group = "fetchWallpaper";
|
|
||||||
home = cfg.stateDir;
|
|
||||||
createHome = true;
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
users.groups.fetchWallpaper = {};
|
|
||||||
|
|
||||||
systemd.timers.fetchWallpaper = {
|
|
||||||
description = "fetch wallpaper timer";
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
|
|
||||||
timerConfig = cfg.timerConfig;
|
|
||||||
};
|
|
||||||
systemd.services.fetchWallpaper = {
|
|
||||||
description = "fetch wallpaper";
|
|
||||||
after = [ "network.target" ];
|
|
||||||
|
|
||||||
path = with pkgs; [
|
|
||||||
curl
|
|
||||||
feh
|
|
||||||
];
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
URL = cfg.url;
|
|
||||||
DISPLAY = cfg.display;
|
|
||||||
};
|
|
||||||
restartIfChanged = true;
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "simple";
|
|
||||||
ExecStart = fetchWallpaperScript;
|
|
||||||
User = "fetchWallpaper";
|
|
||||||
};
|
|
||||||
|
|
||||||
unitConfig = cfg.unitConfig;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in out
|
|
@ -376,6 +376,7 @@ let
|
|||||||
(filter (user: isString user.pubkey)
|
(filter (user: isString user.pubkey)
|
||||||
(concatMap (getAttr "user") cfg.rules))));
|
(concatMap (getAttr "user") cfg.rules))));
|
||||||
};
|
};
|
||||||
|
users.groups.${cfg.cgit.fcgiwrap.group.name} = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
cgit-imp = {
|
cgit-imp = {
|
||||||
|
@ -80,7 +80,7 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
|
system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
|
||||||
(concatMapStringsSep "\n"
|
(concatMapStringsSep "\n"
|
||||||
(cfg: /* sh */ ''
|
(cfg: /* sh */ ''
|
||||||
${cfg.activate}
|
${cfg.activate}
|
||||||
|
@ -32,6 +32,17 @@ in {
|
|||||||
type = lib.types.bool;
|
type = lib.types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
|
startCommand = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = ''
|
||||||
|
set -efu
|
||||||
|
mkdir -p /var/state/var_src
|
||||||
|
ln -Tfrs /var/state/var_src /var/src
|
||||||
|
if test -e /var/src/nixos-config; then
|
||||||
|
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
};
|
};
|
||||||
@ -52,14 +63,7 @@ in {
|
|||||||
NIX_REMOTE = "daemon";
|
NIX_REMOTE = "daemon";
|
||||||
};
|
};
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
|
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ctr.startCommand;
|
||||||
set -efu
|
|
||||||
mkdir -p /var/state/var_src
|
|
||||||
ln -Tfrs /var/state/var_src /var/src
|
|
||||||
if test -e /var/src/nixos-config; then
|
|
||||||
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
unitConfig.X-StopOnRemoval = false;
|
unitConfig.X-StopOnRemoval = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -84,6 +88,7 @@ in {
|
|||||||
{ "${ctr.name}_syncer" = {
|
{ "${ctr.name}_syncer" = {
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
coreutils
|
coreutils
|
||||||
|
inetutils
|
||||||
consul
|
consul
|
||||||
rsync
|
rsync
|
||||||
openssh
|
openssh
|
||||||
@ -103,7 +108,7 @@ in {
|
|||||||
set -efux
|
set -efux
|
||||||
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
|
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
|
||||||
set -efux
|
set -efux
|
||||||
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
|
if ping -c 1 ${ctr.name}.r; then
|
||||||
nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync
|
nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync
|
||||||
touch "$HOME"/incomplete
|
touch "$HOME"/incomplete
|
||||||
nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk
|
nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk
|
||||||
@ -116,6 +121,7 @@ in {
|
|||||||
{ "${ctr.name}_watcher" = lib.mkIf ctr.runContainer {
|
{ "${ctr.name}_watcher" = lib.mkIf ctr.runContainer {
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
coreutils
|
coreutils
|
||||||
|
inetutils
|
||||||
consul
|
consul
|
||||||
cryptsetup
|
cryptsetup
|
||||||
curl
|
curl
|
||||||
@ -145,7 +151,7 @@ in {
|
|||||||
export payload
|
export payload
|
||||||
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
|
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
|
||||||
# echo 'we are the host, trying to reach container'
|
# echo 'we are the host, trying to reach container'
|
||||||
if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
|
if $(retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null); then
|
||||||
# echo 'container is reachable, continueing'
|
# echo 'container is reachable, continueing'
|
||||||
continue
|
continue
|
||||||
else
|
else
|
||||||
@ -173,6 +179,7 @@ in {
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
coreutils
|
coreutils
|
||||||
|
inetutils
|
||||||
consul
|
consul
|
||||||
cryptsetup
|
cryptsetup
|
||||||
mount
|
mount
|
||||||
@ -228,8 +235,8 @@ in {
|
|||||||
/run/current-system/sw/bin/nixos-container start ${ctr.name}
|
/run/current-system/sw/bin/nixos-container start ${ctr.name}
|
||||||
# wait for system to become reachable for the first time
|
# wait for system to become reachable for the first time
|
||||||
systemctl start ${ctr.name}_watcher.service
|
systemctl start ${ctr.name}_watcher.service
|
||||||
retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
|
retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null
|
||||||
while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
|
while systemctl is-active container@${ctr.name}.service >/devnull && ping -q -c 3 ${ctr.name}.r >/dev/null; do
|
||||||
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
|
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
|
||||||
sleep 10
|
sleep 10
|
||||||
done
|
done
|
||||||
@ -239,9 +246,11 @@ in {
|
|||||||
}; }
|
}; }
|
||||||
{ "container@${ctr.name}" = lib.mkIf ctr.runContainer {
|
{ "container@${ctr.name}" = lib.mkIf ctr.runContainer {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStop = pkgs.writers.writeDash "remove_interface" ''
|
ExecStartPost = [
|
||||||
${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
|
(pkgs.writers.writeDash "bind-to-bridge" ''
|
||||||
'';
|
${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
|
||||||
|
'')
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}; }
|
}; }
|
||||||
]) (lib.attrValues cfg.containers)));
|
]) (lib.attrValues cfg.containers)));
|
||||||
|
@ -208,10 +208,9 @@ with import ../../lib/pure.nix { inherit lib; }; {
|
|||||||
description = "Tinc daemon for ${netname}";
|
description = "Tinc daemon for ${netname}";
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
# Restart the service in a single step in order to prevent potential
|
reloadIfChanged = true;
|
||||||
# connection timeouts and subsequent issues while deploying via tinc.
|
|
||||||
stopIfChanged = false;
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
LoadCredential = filter (x: x != "") [
|
LoadCredential = filter (x: x != "") [
|
||||||
(optionalString (cfg.privkey_ed25519 != null)
|
(optionalString (cfg.privkey_ed25519 != null)
|
||||||
|
@ -17,6 +17,8 @@ with lib; {
|
|||||||
@ 3600 IN NS ns3.he.net.
|
@ 3600 IN NS ns3.he.net.
|
||||||
@ 3600 IN NS ns2.hosting.de.
|
@ 3600 IN NS ns2.hosting.de.
|
||||||
|
|
||||||
|
_acme-challenge IN NS ns1
|
||||||
|
|
||||||
panda NS panda
|
panda NS panda
|
||||||
panda A 130.61.237.100
|
panda A 130.61.237.100
|
||||||
'';
|
'';
|
||||||
|
@ -1 +0,0 @@
|
|||||||
Subproject commit 7b186e0f812a7c54a1fa86b8f7c0f01afecc69c2
|
|
Loading…
Reference in New Issue
Block a user