Merge remote-tracking branch 'lass/master'

.github/workflows/repo-sync.yml

@@ -8,7 +8,7 @@ jobs:
     if: github.repository_owner == 'Mic92'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         persist-credentials: false
     - name: repo-sync

flake.nix

@@ -12,15 +12,17 @@
   description = "stockholm";
 
   outputs = { self, nixpkgs, nix-writers }: {
-    nixosConfigurations.hotdog = nixpkgs.lib.nixosSystem {
+    nixosConfigurations = nixpkgs.lib.mapAttrs (machineName: _: nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       specialArgs.stockholm = self;
       specialArgs.nix-writers = nix-writers;
-      specialArgs.secrets = toString ./krebs/0tests/data/secrets;
       modules = [
-        ./krebs/1systems/hotdog/config.nix
+        ./krebs/1systems/${machineName}/config.nix
+        {
+          krebs.secret.directory = "/var/src/secrets";
+        }
       ];
-    };
+    }) (builtins.readDir ./krebs/1systems);
 
     nixosModules =
     let

kartei/Ra33it0/default.nix

@@ -4,13 +4,13 @@ in {
   users.Ra33it0 = {
     mail = "Ra33it0@posteo.net";
   };
-  hosts.DUMMYHOST = {
+  hosts.unispore = {
     owner = config.krebs.users.Ra33it0;
     nets.retiolum = {
-      aliases = [ "Ra33it0.Ra33it0.r" ];
+      aliases = [ "unispore.Ra33it0.r" ];
       ip6.addr = (slib.krebs.genipv6 "retiolum" "Ra33it0" { hostName = "unispore"; }).address;
       tinc.pubkey = ''
-        -----BEGIN RSA PUBLIC KEY-----
+-----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEA6Cb+b+snYpsQv1J0yMPSL4P0iKs2EkDtqtt6kBOvqFTr2lRB2thp
 mu9fRbz/CFmcvFXoEMWQEEkKcyhgJEola2+7Ra49iMNX55o/I0iZ499ZI5rIK/JG
 +A60ijPCh5TSGYIMiD7VWRsxoAtzB1DZ6n4z94KN0wQB5dXKuLPjk/TDfJPuzMrS
@@ -22,7 +22,7 @@ CWYM/HzSffzztK8bF0DwhdWzjtNcwZ05XfA2krGZyMj9UxpwN84o1syCnnYC1Xzg
 4r48fUhubXXE4SbdnN68pCNCct9DT8exPeYeJL2FHi6s+EsfBY+NGEAaQGJTeQEW
 zUSnX/txoZV6xGUKZ4iOgfQ4MBCVVdtPAaurNP/esVwOr0WF0DTuBDPGBaOqo+Us
 Ef5cREwrCE8nEY8tu3xl4M9iuCTwBuT79YFhfNI3jr1lcg6f8wGaTYsCAwEAAQ==
-        -----END RSA PUBLIC KEY-----
+-----END RSA PUBLIC KEY-----
       '';
       tinc.pubkey_ed25519 = "cFCAfLbDYv/Ty3m34aHgHr1dXGp2DSwfP0K7GG1TA7D";
     };

kartei/dbalan/default.nix

@@ -2,29 +2,57 @@
 let
   inherit (lib) flip mapAttrs optionalAttrs recursiveUpdate;
   slib = import ../../lib/pure.nix { inherit lib; };
-  hostDefaults = hostName: host: flip recursiveUpdate host ({
+  hostDefaults = hostName: host:
-    ci = false;
+    flip recursiveUpdate host ({
-    external = true;
+      ci = false;
-    monitoring = false;
+      external = true;
-    owner = config.krebs.users.dbalan;
+      monitoring = false;
-  } // optionalAttrs (host.nets?retiolum) {
+      owner = config.krebs.users.dbalan;
-    nets.retiolum = {
+    } // optionalAttrs (host.nets ? retiolum) {
-      ip6.addr = (slib.krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
+      nets.retiolum = {
-    };
+        ip6.addr = (slib.krebs.genipv6 "retiolum" "external" {
-  } // optionalAttrs (host.nets?wiregrill) {
+          inherit hostName;
-    nets.wiregrill = {
+        }).address;
-      ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
+      };
-    };
+    } // optionalAttrs (host.nets ? wiregrill) {
-  });
+      nets.wiregrill = {
-in
+        ip6.addr = (slib.krebs.genipv6 "wiregrill" "external" {
-{
+          inherit hostName;
+        }).address;
+      };
+    });
+in {
   users = rec {
     dbalan = {
       mail = "dbalan@thaum.space";
-      pubkey = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60";
+      pubkey =
+        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAiWF+U3VHNfp1IPU0/TWhMioxJvmoyG1AMZMvnQjy5QAAAABHNzaDo= dj@v60";
     };
   };
   hosts = mapAttrs hostDefaults {
+    tofu = {
+      nets.retiolum = {
+        aliases = [ "tofu.dbalan.r" ];
+        ip4.addr = "10.243.43.12";
+        tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIICCgKCAgEAlBMwSkdI+3CWPVazfDoPCoqYJH1MLd8Z/ZQCTFx4MhLO/DvJrb7H
+          HJEwvFuImk2yy4oYfcRz8pK+ymBDArdVT5aeTwztTbjkcWa5RTm2d2xuYppTUPZB
+          L0/yY+a+mP1eRa8O6HAoNx3ETvC5euJS40qISTh6grPGFV7i1HhGNPUkvYFlNF6q
+          rJs7RgC8Y2/OSNed5WdJfNYNBeB4xUiKtg3sShKQGO++860yNV4G+J+PtBVnMs8/
+          MnxQbJxnMbhAHNQt5nV+Z66Ewy/2qcn4clrGB3SG1v9fFizzh9mAFK3Udfa+6s8r
+          JaM4BL41uOgHxiiKovmudxIRtts31cKzwPkMyThQpK8hdxJxrCzSQSbiDUkckE+5
+          CeLgAh5jMwEkT6OvYOGZbyeqvZX5gX+yErJyRlsjgYs5TTlfUnpg1BKz2BErzb1b
+          +lWsZXjO03BpNXsuWhC2sspKfuB3+fjlNwR+ov8/UDTOwhzBz15TlufcxiqzA08d
+          yJiNylm07C19qxlffqSZ5KSZGTT+DZg53ror1PLMoxLApV5MgHiM6oltDxemSegb
+          yySGz/EFDDbQQYLYOPu6seLt+ktudvFTERmetV0Bn37Ok8Avs2y6BIgXWjVxcb5p
+          EDbE5tAvX/MZIU9rAXRqDAOulumfvsyFpK8RkXDEoIQEt+gDoZ5OzJsCAwEAAQ==
+          -----END RSA PUBLIC KEY-----
+        '';
+        tinc.pubkey_ed25519 = "b355fDYFQgFFj3KfzUCv4DPSfoFTKklsB12imwci7fH";
+      };
+    };
+
     v60 = {
       nets.retiolum = {
         aliases = [ "v60.dbalan.r" ];

kartei/lass/default.nix

@@ -25,36 +25,11 @@ in {
       inherit (slib) krebs;
     })
   );
-  users = rec {
+  users = {
-    lass = lass-yubikey;
+    lass = {
-    lass-yubikey = {
       mail = "lass@green.r";
       pubkey = builtins.readFile ./ssh/yubikey.rsa;
       pgp.pubkeys.default = builtins.readFile ./pgp/yubikey.pgp;
     };
-    lass-blue = {
-      mail = "lass@blue.r";
-      pubkey = builtins.readFile ./ssh/blue.rsa;
-    };
-    lass-green = {
-      mail = "lass@green.r";
-      pubkey = builtins.readFile ./ssh/green.ed25519;
-    };
-    lass-red = {
-      mail = "lass@red.r";
-      pubkey = builtins.readFile ./ssh/red.ed25519;
-    };
-    lass-mors = {
-      mail = "lass@mors.r";
-      pubkey = builtins.readFile ./ssh/mors.rsa;
-      pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
-    };
-    lass-android = {
-      mail = "lassulus@gmail.com";
-      pubkey = builtins.readFile ./ssh/android.ed25519;
-    };
-    lass-tablet = {
-      pubkey = builtins.readFile ./ssh/tablet.ed25519;
-    };
   };
 }

kartei/lass/ignavia.nix

@@ -0,0 +1,19 @@
+{ r6, w6, ... }:
+{
+  ci = false;
+  nets = {
+    retiolum = {
+      ip4.addr = "10.243.0.25";
+      ip6.addr = r6 "16a2";
+      aliases = [
+        "ignavia.r"
+      ];
+      tinc = {
+        pubkey = builtins.readFile ./ignavia/retiolum.rsa_key.pub;
+        pubkey_ed25519 = builtins.replaceStrings [ "Ed25519PublicKey = " ] [ "" ] (builtins.readFile ./ignavia/retiolum.ed25519_key.pub);
+      };
+    };
+  };
+  ssh.pubkey = builtins.readFile ./ignavia/ssh.id_ed25519.pub;
+  syncthing.id = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./ignavia/syncthing.pub);
+}

kartei/lass/ignavia/retiolum.ed25519_key.pub

@@ -0,0 +1 @@
+Ed25519PublicKey = iuu6UcJpUu+72IywGkeGh/PpJJZ9UidbsdTR00JbFQL

kartei/lass/ignavia/retiolum.rsa_key.pub

@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAx362jbzjyKsPG4zAeZW1mgDWzaBoTz6JpJlN6ycsTLkrAAQrHiCs
+Dz6sbE0zkQUcdFFuagqwROrQU81kx663azBAlHHsMs/vkVmbQk/ilXHHOYYbkRUS
+zCfBe1JwXNPUyZ+v46IgOuvLLBfO00prcDj69sIqWdRMGAvKqYssSHuelBO3UdMl
+7r5nQ+Kc5hOqfHjf1xW7eSL3BsAA1GP/nuHkhUJN4TOKXqlywTxpcJQKI35k1gR/
+zCH53qZQ6/GHe6lHEWIjrKdzg51h7cu6UbyfpVN0zoFSY3gcFemRNKk/LI8DxVZs
+DjBQCpNVzRkrbmRIS0jTpzwSIvA7O204Z4Z7Q7ocrlFP5gKKT7M+Hk18CU0DIHwp
+e5shYBGLPAswmWJQJUyXRyMjS580+ymxw5DRIym2Ogu8w3ztSOxbcWunvLAn9I84
+U6/njQxdKHeuCYBqlO1YHOJ+qKvU4HsV3EYjwGvVzxL4XVg24KvQJ4M6QZvjLYfS
+oysx64tLBW4hYv4dTA0vLSa9/0zreNKucJRAaHYGw9rC6FZDK3b8AZiNOCSz2tWC
+I/C/sw/UgZMev66MHVuO/K6xR5hpi1tW6ONZ3ecFp4N+MS8lUOQrCQ/L6UU58Qgr
+AmAP6hM3FM1TCHEOC2jpLcUIHAdLf+xdzdp2ExPZJiMAUeV310i/dlECAwEAAQ==
+-----END RSA PUBLIC KEY-----

kartei/lass/ignavia/ssh.id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjhIyEbkirWJcsuJHwnZx4QcFhIDNGGsMzJOp4lVnQY lass@aergia

kartei/lass/ignavia/syncthing.pub

@@ -0,0 +1 @@
+NWYGIWH-M2HDGLM-32HL27Z-DGO3ALT-QVCWEET-P436GDZ-4ELEB67-7OE6XQ2

kartei/lass/neoprism.nix

@@ -7,7 +7,7 @@
         prefix = "${addr}/32";
       };
       ip6 = rec {
-        addr = "2a01:4f9:4a:4f1a::1";
+        addr = "2a01:4f9:4a:4f1a::2";
         prefix = "${addr}/64";
       };
       aliases = [

kartei/mic92/default.nix

@@ -80,8 +80,8 @@ in {
       nets = rec {
         internet = {
           # eve.thalheim.io
-          ip4.addr = "88.99.244.96";
+          ip4.addr = "95.217.199.121";
-          ip6.addr = "2a01:4f8:10b:49f::1";
+          ip6.addr = "2a01:4f9:4a:42e8::1";
           aliases = [ "eve.i" ];
         };
         retiolum = {
@@ -844,9 +844,9 @@ in {
       owner = config.krebs.users.mic92;
       nets = rec {
         internet = {
-          # of4.dse.cit.tum.de.
+          # ruby.dse.cit.tum.de.
-          ip4.addr = "131.159.38.101";
+          ip4.addr = "131.159.38.70";
-          ip6.addr = "2a09:80c0:38::101";
+          ip6.addr = "2a09:80c0:38::70";
           aliases = [ "ruby.i" ];
         };
         retiolum = {
@@ -978,6 +978,33 @@ in {
         };
       };
     };
+
+    vislor = {
+      owner = config.krebs.users.mic92;
+      nets = rec {
+        internet = {
+          # vislor.dos.cit.tum.de
+          ip4.addr = "131.159.102.25";
+          ip6.addr = "2a09:80c0:102::25";
+          aliases = [ "vislor.i" ];
+        };
+        retiolum = {
+          via = internet;
+          aliases = [ "vislor.r" ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy
+            buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC
+            wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm
+            wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo
+            vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P
+            AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+          tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E";
+        };
+      };
+    };
   };
   users = {
     mic92 = {

kartei/tv/hosts/zoppo.nix

@@ -0,0 +1,24 @@
+{
+  nets = {
+    retiolum = {
+      ip4.addr = "10.243.13.43";
+      aliases = [
+        "zoppo.r"
+      ];
+      tinc.pubkey = ''
+        -----BEGIN RSA PUBLIC KEY-----
+        MIIBCgKCAQEAtMzW+RL4mik0JHLL2p21bWy81bVv84mi/NKHyewXxx9EahD3cyOP
+        D/2gLipJnzyjxvM7HzR0FQpBCD5VLmRk2MrRENUGYzrNFhSu36gVg5bGngr0pZld
+        Fosd5wemGx6SUoXMzuBT/st0sg1Azg5mtA1joQTr47NlcwfFrUe7YT8i67szxJSO
+        Qo6BP+Zl6uVr9m8zSVwrj7TAoC7DQLhCTb3QJdpyYibHwpo0bMyyJjeuL/NpnOpH
+        Bv1pZ0oXr/nzCo+8jyQY4L2NonJnHtlzYOQf1cHJ+v+P1jOgGgBGqjo0LOE29Tvx
+        cfQYGLLZc4mRjVQJF3NYW6kHFqKmuu/y5QIDAQAB
+        -----END RSA PUBLIC KEY-----
+      '';
+      tinc.pubkey_ed25519 = "nVIMNp7r21MYneV24x6qVesCjQYM/pvF6nzaihH7GfD";
+    };
+  };
+  secure = true;
+  ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo";
+  syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ";
+}

kartei/tv/wiregrill/zoppo.pub

@@ -0,0 +1 @@
+5YFGAb9Tg/5HH+XHSKanh4P6jE7KTrViwqVuEkmQeSg=

krebs/1systems/news/config.nix

@@ -14,6 +14,7 @@
   ];
 
   krebs.build.host = config.krebs.hosts.news;
+  krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
 
   boot.isContainer = true;
   networking.useDHCP = lib.mkForce true;

krebs/2configs/default.nix

@@ -48,9 +48,7 @@ with import ../../lib/pure.nix { inherit lib; };
 
   users.mutableUsers = false;
   users.extraUsers.root.openssh.authorizedKeys.keys = [
-    config.krebs.users.jeschli-brauerei.pubkey
     config.krebs.users.lass.pubkey
-    config.krebs.users.lass-mors.pubkey
     config.krebs.users.makefu.pubkey
     config.krebs.users.tv.pubkey
     config.krebs.users.kmein.pubkey

krebs/2configs/tor/initrd.nix

@@ -7,9 +7,7 @@
     enable = true;
     port = 22;
     authorizedKeys = [
-      config.krebs.users.jeschli-brauerei.pubkey
       config.krebs.users.lass.pubkey
-      config.krebs.users.lass-mors.pubkey
       config.krebs.users.makefu.pubkey
       config.krebs.users.tv.pubkey
     ];

krebs/3modules/default.nix

@@ -17,7 +17,6 @@
     ./exim-retiolum.nix
     ./exim-smarthost.nix
     ./exim.nix
-    ./fetchWallpaper.nix
     ./git.nix
     ./github
     ./go.nix

krebs/3modules/exim.nix

@@ -50,14 +50,18 @@ in {
       '';
       systemPackages = [ pkgs.exim ];
     };
-    krebs.setuid = {
+    security.wrappers = {
       exim = {
-        filename = "${pkgs.exim}/bin/exim";
+        source = "${pkgs.exim}/bin/exim";
-        mode = "4111";
+        owner = "root";
+        group = "root";
+        setuid = true;
       };
       sendmail = {
-        filename = "${pkgs.exim}/bin/exim";
+        source = "${pkgs.exim}/bin/exim";
-        mode = "4111";
+        owner = "root";
+        group = "root";
+        setuid = true;
       };
     };
     systemd.services.exim = {

krebs/3modules/fetchWallpaper.nix

@@ -1,95 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ../../lib/pure.nix { inherit lib; };
-
-let
-  cfg = config.krebs.fetchWallpaper;
-
-  out = {
-    options.krebs.fetchWallpaper = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "fetch wallpaper";
-    url = mkOption {
-      type = types.str;
-    };
-    timerConfig = mkOption {
-      type = types.unspecified;
-      default = {
-        OnCalendar = "*:00,10,20,30,40,50";
-      };
-    };
-    stateDir = mkOption {
-      type = types.str;
-      default = "/var/lib/wallpaper";
-    };
-    display = mkOption {
-      type = types.str;
-      default = ":${toString config.services.xserver.display}";
-    };
-    unitConfig = mkOption {
-      type = types.attrsOf types.str;
-      description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit";
-      example = literalExample ''
-        # do not start when running on umts
-        { ConditionPathExists = "!/var/run/ppp0.pid"; }
-      '';
-      default = {};
-    };
-  };
-
-  fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
-    set -euf
-
-    mkdir -p ${cfg.stateDir}
-    chmod o+rx ${cfg.stateDir}
-    cd ${cfg.stateDir}
-    (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
-    feh --no-fehbg --bg-scale wallpaper
-  '';
-
-  imp = {
-    users.users.fetchWallpaper = {
-      name = "fetchWallpaper";
-      uid = genid_uint31 "fetchWallpaper";
-      description = "fetchWallpaper user";
-      group = "fetchWallpaper";
-      home = cfg.stateDir;
-      createHome = true;
-      isSystemUser = true;
-    };
-    users.groups.fetchWallpaper = {};
-
-    systemd.timers.fetchWallpaper = {
-      description = "fetch wallpaper timer";
-      wantedBy = [ "timers.target" ];
-
-      timerConfig = cfg.timerConfig;
-    };
-    systemd.services.fetchWallpaper = {
-      description = "fetch wallpaper";
-      after = [ "network.target" ];
-
-      path = with pkgs; [
-        curl
-        feh
-      ];
-
-      environment = {
-        URL = cfg.url;
-        DISPLAY = cfg.display;
-      };
-      restartIfChanged = true;
-
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = fetchWallpaperScript;
-        User = "fetchWallpaper";
-      };
-
-      unitConfig = cfg.unitConfig;
-    };
-  };
-in out

krebs/3modules/git.nix

@@ -376,6 +376,7 @@ let
                      (filter (user: isString user.pubkey)
                              (concatMap (getAttr "user") cfg.rules))));
     };
+    users.groups.${cfg.cgit.fcgiwrap.group.name} = {};
   };
 
   cgit-imp = {

krebs/3modules/setuid.nix

@@ -80,7 +80,7 @@ let
   };
 
   imp = {
-    system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
+    system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
       (concatMapStringsSep "\n"
         (cfg: /* sh */ ''
           ${cfg.activate}

krebs/3modules/sync-containers3.nix

@@ -32,6 +32,17 @@ in {
             type = lib.types.bool;
             default = true;
           };
+          startCommand = lib.mkOption {
+            type = lib.types.str;
+            default = ''
+              set -efu
+              mkdir -p /var/state/var_src
+              ln -Tfrs /var/state/var_src /var/src
+              if test -e /var/src/nixos-config; then
+                /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+              fi
+            '';
+          };
         };
       }));
     };
@@ -52,14 +63,7 @@ in {
               NIX_REMOTE = "daemon";
             };
             wantedBy = [ "multi-user.target" ];
-            serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+            serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ctr.startCommand;
-              set -efu
-              mkdir -p /var/state/var_src
-              ln -Tfrs /var/state/var_src /var/src
-              if test -e /var/src/nixos-config; then
-                /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
-              fi
-            '';
             unitConfig.X-StopOnRemoval = false;
           };
         };
@@ -84,6 +88,7 @@ in {
         { "${ctr.name}_syncer" = {
           path = with pkgs; [
             coreutils
+            inetutils
             consul
             rsync
             openssh
@@ -103,7 +108,7 @@ in {
               set -efux
               consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
                 set -efux
-                if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
+                if ping -c 1 ${ctr.name}.r; then
                   nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync
                   touch "$HOME"/incomplete
                   nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk
@@ -116,6 +121,7 @@ in {
         { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer {
           path = with pkgs; [
             coreutils
+            inetutils
             consul
             cryptsetup
             curl
@@ -145,7 +151,7 @@ in {
                     export payload
                     if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
                       # echo 'we are the host, trying to reach container'
-                      if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
+                      if $(retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null); then
                         # echo 'container is reachable, continueing'
                         continue
                       else
@@ -173,6 +179,7 @@ in {
           wantedBy = [ "multi-user.target" ];
           path = with pkgs; [
             coreutils
+            inetutils
             consul
             cryptsetup
             mount
@@ -228,8 +235,8 @@ in {
                 /run/current-system/sw/bin/nixos-container start ${ctr.name}
                 # wait for system to become reachable for the first time
                 systemctl start ${ctr.name}_watcher.service
-                retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
+                retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null
-                while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
+                while systemctl is-active container@${ctr.name}.service >/devnull && ping -q -c 3 ${ctr.name}.r >/dev/null; do
                   consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
                   sleep 10
                 done
@@ -239,9 +246,11 @@ in {
         }; }
         { "container@${ctr.name}" = lib.mkIf ctr.runContainer {
           serviceConfig = {
-            ExecStop = pkgs.writers.writeDash "remove_interface" ''
+            ExecStartPost = [
-              ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
+              (pkgs.writers.writeDash "bind-to-bridge" ''
-            '';
+                ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
+              '')
+            ];
           };
         }; }
       ]) (lib.attrValues cfg.containers)));

krebs/3modules/tinc.nix

@@ -208,10 +208,9 @@ with import ../../lib/pure.nix { inherit lib; }; {
       description = "Tinc daemon for ${netname}";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      # Restart the service in a single step in order to prevent potential
+      reloadIfChanged = true;
-      # connection timeouts and subsequent issues while deploying via tinc.
-      stopIfChanged = false;
       serviceConfig = {
+        ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
         Restart = "always";
         LoadCredential = filter (x: x != "") [
           (optionalString (cfg.privkey_ed25519 != null)

krebs/3modules/zones.nix

@@ -17,6 +17,8 @@ with lib; {
         @ 3600 IN NS ns3.he.net.
         @ 3600 IN NS ns2.hosting.de.
 
+        _acme-challenge IN NS ns1
+
         panda NS panda
         panda A 130.61.237.100
       '';

submodules/disko

@@ -1 +0,0 @@
-Subproject commit 7b186e0f812a7c54a1fa86b8f7c0f01afecc69c2