Merge remote-tracking branch 'ni/master' into HEAD
This commit is contained in:
commit
32a5fd32c8
|
@ -18,6 +18,15 @@ with import <stockholm/lib>;
|
||||||
default = null;
|
default = null;
|
||||||
type = types.nullOr types.groupname;
|
type = types.nullOr types.groupname;
|
||||||
};
|
};
|
||||||
|
keepGoing = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Whether to keep going when chowning or chmodding fails.
|
||||||
|
If set to false, then errors will cause the service to restart
|
||||||
|
instead.
|
||||||
|
'';
|
||||||
|
};
|
||||||
owner = mkOption {
|
owner = mkOption {
|
||||||
type = types.username;
|
type = types.username;
|
||||||
};
|
};
|
||||||
|
@ -43,7 +52,12 @@ with import <stockholm/lib>;
|
||||||
'';
|
'';
|
||||||
in concatMapStrings mkdir plans;
|
in concatMapStrings mkdir plans;
|
||||||
|
|
||||||
systemd.services = genAttrs' plans (plan: {
|
systemd.services = genAttrs' plans (plan: let
|
||||||
|
continuable = command:
|
||||||
|
if plan.keepGoing
|
||||||
|
then /* sh */ "{ ${command}; } || :"
|
||||||
|
else command;
|
||||||
|
in {
|
||||||
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
|
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
|
||||||
value = {
|
value = {
|
||||||
environment = {
|
environment = {
|
||||||
|
@ -82,9 +96,9 @@ with import <stockholm/lib>;
|
||||||
cleanup
|
cleanup
|
||||||
exec "$0" "$@"
|
exec "$0" "$@"
|
||||||
fi
|
fi
|
||||||
chown -h "$OWNER_GROUP" "$path"
|
${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''}
|
||||||
if test -f "$path"; then
|
if test -f "$path"; then
|
||||||
chmod "$FILE_MODE" "$path"
|
${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''}
|
||||||
fi
|
fi
|
||||||
done < "$paths"
|
done < "$paths"
|
||||||
'';
|
'';
|
||||||
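Review bot: With `keepGoing` enabled, the `continuable` wrapper defined in the `@ -43,7 +52,12` hunk turns a failed chown/chmod into a silent no-op (`{ ${command}; } || :`), so a path whose permissions could not be fixed leaves no trace in the journal. Keeping the service alive is the intent, but the failure should still be visible, e.g. `then /* sh */ ''{ ${command}; } || echo "permown: ignoring failure on $path" >&2''`; `$path` is the loop variable at the two call sites in the `@ -82,9 +96,9` hunk, the only places the wrapper is used. The option description could then add that failures are logged but otherwise ignored. The module body these hunks belong to starts and ends outside the hunks.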
|
|
|
@ -29,6 +29,9 @@ let
|
||||||
Interface = ${netname}
|
Interface = ${netname}
|
||||||
Broadcast = no
|
Broadcast = no
|
||||||
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
||||||
|
${optionalString (tinc.config.privkey_ed25519 != null)
|
||||||
|
"Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
|
||||||
|
}
|
||||||
PrivateKeyFile = ${tinc.config.privkey.path}
|
PrivateKeyFile = ${tinc.config.privkey.path}
|
||||||
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
||||||
${tinc.config.extraConfig}
|
${tinc.config.extraConfig}
|
||||||
|
@ -165,6 +168,17 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
privkey_ed25519 = mkOption {
|
||||||
|
type = types.nullOr types.secret-file;
|
||||||
|
default =
|
||||||
|
if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
|
||||||
|
name = "${tinc.config.netname}.ed25519_key.priv";
|
||||||
|
path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
|
||||||
|
owner = tinc.config.user;
|
||||||
|
source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
connectTo = mkOption {
|
connectTo = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
${if tinc.config.netname == "retiolum" then "default" else null} = [
|
${if tinc.config.netname == "retiolum" then "default" else null} = [
|
||||||
|
@ -198,8 +212,23 @@ let
|
||||||
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
||||||
# avoid conflicts in environment if the packages differ
|
# avoid conflicts in environment if the packages differ
|
||||||
|
|
||||||
krebs.secret.files = mapAttrs' (netname: cfg:
|
krebs.secret.files =
|
||||||
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
|
let
|
||||||
|
ed25519_keys =
|
||||||
|
filterAttrs
|
||||||
|
(_: key: key != null)
|
||||||
|
(mapAttrs'
|
||||||
|
(netname: cfg:
|
||||||
|
nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
|
||||||
|
)
|
||||||
|
config.krebs.tinc);
|
||||||
|
|
||||||
|
rsa_keys =
|
||||||
|
mapAttrs'
|
||||||
|
(netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
|
||||||
|
config.krebs.tinc;
|
||||||
|
in
|
||||||
|
ed25519_keys // rsa_keys;
|
||||||
|
|
||||||
users.users = mapAttrs' (netname: cfg:
|
users.users = mapAttrs' (netname: cfg:
|
||||||
nameValuePair "${netname}" {
|
nameValuePair "${netname}" {
|
||||||
|
@ -221,11 +250,15 @@ let
|
||||||
in {
|
in {
|
||||||
description = "Tinc daemon for ${netname}";
|
description = "Tinc daemon for ${netname}";
|
||||||
after = [
|
after = [
|
||||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
|
||||||
"network.target"
|
"network.target"
|
||||||
|
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||||
|
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||||
|
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||||
];
|
];
|
||||||
partOf = [
|
partOf = [
|
||||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||||
|
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||||
|
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||||
];
|
];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ tinc iproute ];
|
path = [ tinc iproute ];
|
||||||
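Review bot: The new `privkey_ed25519` option in the `@ -165,6 +168,17` hunk has no `description`, so the contract its default encodes is only discoverable by reading the code: when the host's `nets.<netname>.tinc.pubkey_ed25519` is non-null, the private key is expected at `<secrets>/<netname>.ed25519_key.priv` and is installed as `tinc.ed25519_key.priv` in the tinc user's home, owned by that user, and `null` suppresses the `Ed25519PrivateKeyFile` line in the first hunk. A description stating that would save the next reader the trace through `krebs.secret.files` and the service `after`/`partOf` lists in the last hunk. Whether the secret-file type applies a restrictive file mode by default is not visible here; if it does not, the private key should get an explicit one like the RSA key presumably has. The `let` these hunks belong to starts outside the hunks.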
|
|
|
@ -55,6 +55,33 @@ in {
|
||||||
ssh.privkey.path = <secrets/ssh.id_rsa>;
|
ssh.privkey.path = <secrets/ssh.id_rsa>;
|
||||||
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
|
ssh.pubkey = "ssh-rsa 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";
|
||||||
};
|
};
|
||||||
|
au = {
|
||||||
|
ci = true;
|
||||||
|
cores = 4;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.13.39";
|
||||||
|
aliases = [
|
||||||
|
"au.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
|
||||||
|
9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
|
||||||
|
PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
|
||||||
|
PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
|
||||||
|
cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
|
||||||
|
jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 =
|
||||||
|
"Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secure = true;
|
||||||
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
|
||||||
|
};
|
||||||
mu = {
|
mu = {
|
||||||
ci = true;
|
ci = true;
|
||||||
cores = 2;
|
cores = 2;
|
||||||
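Review bot: Setting `tinc.pubkey_ed25519` on the new `au` entry is not just metadata: the tinc module changed in this same commit keys its `privkey_ed25519` default on this value being non-null, so au's deployment now also needs `<secrets>/retiolum.ed25519_key.priv` to exist for the secret-file service the tinc unit is ordered after. That dependency is implicit at this site; a one-line comment next to the key, e.g. `# requires <secrets>/retiolum.ed25519_key.priv on this host`, would make it explicit. The `hosts` attribute set containing `au` starts and ends outside the hunk.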
|
|
|
@ -179,6 +179,10 @@ rec {
|
||||||
pubkey = mkOption {
|
pubkey = mkOption {
|
||||||
type = tinc-pubkey;
|
type = tinc-pubkey;
|
||||||
};
|
};
|
||||||
|
pubkey_ed25519 = mkOption {
|
||||||
|
type = nullOr tinc-pubkey;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
description = "Extra Configuration to be appended to the hosts file";
|
description = "Extra Configuration to be appended to the hosts file";
|
||||||
default = "";
|
default = "";
|
||||||
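Review bot: `pubkey_ed25519` is added without a `description`, and its type reuses `tinc-pubkey`, which on the line above also types the RSA `pubkey` block; whether that type accepts the single `Ed25519PublicKey = …` line form that the `au` host entry in this commit stores in it cannot be seen from this hunk. A description pinning the expected form, e.g. `description = "Ed25519 host key as the full tinc host-file line (Ed25519PublicKey = ...); null if the host has none";`, would settle it for readers and make a stricter type easy to add later. The `rec` attribute set this option belongs to starts and ends outside the hunk.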
|
|
|
@ -17,7 +17,6 @@ with import <stockholm/lib>;
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
chromium
|
|
||||||
firefoxWrapper
|
firefoxWrapper
|
||||||
networkmanagerapplet
|
networkmanagerapplet
|
||||||
(pkgs.pidgin-with-plugins.override {
|
(pkgs.pidgin-with-plugins.override {
|
||||||
|
@ -31,12 +30,12 @@ with import <stockholm/lib>;
|
||||||
};
|
};
|
||||||
"/" = {
|
"/" = {
|
||||||
device = "/dev/mapper/main-root";
|
device = "/dev/mapper/main-root";
|
||||||
fsType = "btrfs";
|
fsType = "ext4";
|
||||||
options = [ "defaults" "noatime" ];
|
options = [ "defaults" "noatime" ];
|
||||||
};
|
};
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = "/dev/mapper/main-home";
|
device = "/dev/mapper/main-home";
|
||||||
fsType = "btrfs";
|
fsType = "ext4";
|
||||||
options = [ "defaults" "noatime" ];
|
options = [ "defaults" "noatime" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -55,9 +54,11 @@ with import <stockholm/lib>;
|
||||||
|
|
||||||
networking.networkmanager.enable = true;
|
networking.networkmanager.enable = true;
|
||||||
|
|
||||||
nixpkgs.config = {
|
services.earlyoom.enable = true;
|
||||||
allowUnfree = true;
|
services.earlyoom.freeMemThreshold = 5;
|
||||||
};
|
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
|
||||||
|
"--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
|
||||||
|
];
|
||||||
|
|
||||||
services.xserver = {
|
services.xserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
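Review bot: The `@ -55,9 +54,11` hunk drops `nixpkgs.config.allowUnfree = true` together with the chromium removal in the first hunk; if anything else in this system or its imports still pulls in an unfree package, evaluation will now fail, which is worth confirming before merging. The earlyoom `--prefer` regex ending in `Privileged Cont` is correct but surprising: process names read from the kernel's comm field are truncated to 15 characters, so a comment such as `# comm names are truncated to 15 chars, hence "Privileged Cont"` would stop someone "fixing" it to `Privileged Content`. The btrfs→ext4 change for `/` and `/home` in the middle hunk implies a reformat of both volumes; presumably deliberate, but it is not mentioned in the commit title. The enclosing module starts and ends outside these hunks.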
|
|
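--- a/tv/1systems/au/config.nix
+++ b/tv/1systems/au/config.nix
@@ -0,0 +1,18 @@
+{ config, ... }: {
+imports = [
+./disks.nix
+<stockholm/tv>
+<stockholm/tv/2configs/hw/x220.nix>
+<stockholm/tv/2configs/retiolum.nix>
+];
+
+krebs.build.host = config.krebs.hosts.au;
+
+networking.wireless.enable = true;
+networking.useDHCP = false;
+networking.interfaces.enp0s25.useDHCP = true;
+networking.interfaces.wlp3s0.useDHCP = true;
+networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+
+system.stateVersion = "20.03";
+}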
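--- a/tv/1systems/au/disks.nix
+++ b/tv/1systems/au/disks.nix
@@ -0,0 +1,19 @@
+{
+boot.initrd.luks.devices.main.device = "/dev/sda2";
+fileSystems."/" = {
+device = "/dev/main/root";
+options = ["defaults" "noatime" "commit=60"];
+};
+fileSystems."/boot" = {
+device = "/dev/sda1";
+options = ["defaults" "noatime"];
+};
+fileSystems."/bku" = {
+device = "/dev/main/bku";
+options = ["defaults" "noatime"];
+};
+fileSystems."/home" = {
+device = "/dev/main/home";
+options = ["defaults" "noatime" "commit=60"];
+};
+}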
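Review bot: `boot.initrd.luks.devices.main.device = "/dev/sda2"` and `fileSystems."/boot".device = "/dev/sda1"` bind the LUKS container and the unencrypted boot partition to kernel enumeration order, which can shift when another disk or a USB stick is present at boot, so the initrd would then try to unlock the wrong device. Stable identifiers are safer: `boot.initrd.luks.devices.main.device = "/dev/disk/by-uuid/<LUKS-PARTITION-UUID>";` and likewise for `/boot` (placeholders; take the real values from the machine). The LVM paths `/dev/main/*` are already stable. No `fsType` is given, so the `commit=60` option relies on the auto-detected filesystem being ext4, presumably matching the ext4 switch elsewhere in this commit.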
|
@ -2,6 +2,18 @@
|
||||||
krebs = {
|
krebs = {
|
||||||
dns.providers.hkw = "hosts";
|
dns.providers.hkw = "hosts";
|
||||||
hosts = {
|
hosts = {
|
||||||
|
au = {
|
||||||
|
nets.hkw = {
|
||||||
|
ip4 = {
|
||||||
|
addr = "10.23.1.39";
|
||||||
|
prefix = "10.23.1.0/24";
|
||||||
|
};
|
||||||
|
aliases = [
|
||||||
|
"au.hkw"
|
||||||
|
];
|
||||||
|
ssh.port = 11423;
|
||||||
|
};
|
||||||
|
};
|
||||||
nomic = {
|
nomic = {
|
||||||
nets.hkw = {
|
nets.hkw = {
|
||||||
ip4 = {
|
ip4 = {
|
||||||
|
@ -55,7 +67,7 @@
|
||||||
zu = {
|
zu = {
|
||||||
nets.hkw = {
|
nets.hkw = {
|
||||||
ip4 = {
|
ip4 = {
|
||||||
addr = "10.23.1.39";
|
addr = "10.23.1.40";
|
||||||
prefix = "10.23.1.0/24";
|
prefix = "10.23.1.0/24";
|
||||||
};
|
};
|
||||||
aliases = [
|
aliases = [
|
||||||
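Review bot: The second hunk moves `zu` from `10.23.1.39` to `10.23.1.40` so that the new `au` entry in the first hunk can take `.39`; if zu is a live host on hkw it keeps the old address until it is redeployed, and au coming up before that would collide with it. Giving au a fresh address rather than reusing zu's would remove the ordering constraint; otherwise the required redeploy order of zu before au is worth recording in the commit description. The `hosts` attribute set both hunks modify starts and ends outside the hunks.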
|
|