Merge remote-tracking branch 'lass/master'
commit
54aaf5af8e
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
<stockholm/krebs/2configs/buildbot-stockholm.nix>
|
<stockholm/krebs/2configs/buildbot-stockholm.nix>
|
||||||
<stockholm/krebs/2configs/binary-cache/nixos.nix>
|
<stockholm/krebs/2configs/binary-cache/nixos.nix>
|
||||||
<stockholm/krebs/2configs/ergo.nix>
|
<stockholm/krebs/2configs/ircd.nix>
|
||||||
<stockholm/krebs/2configs/reaktor2.nix>
|
<stockholm/krebs/2configs/reaktor2.nix>
|
||||||
<stockholm/krebs/2configs/wiki.nix>
|
<stockholm/krebs/2configs/wiki.nix>
|
||||||
<stockholm/krebs/2configs/acme.nix>
|
<stockholm/krebs/2configs/acme.nix>
|
||||||
|
@ -4,6 +4,7 @@ with import <stockholm/lib>;
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./backup.nix
|
./backup.nix
|
||||||
|
./security-workarounds.nix
|
||||||
];
|
];
|
||||||
krebs.announce-activation.enable = true;
|
krebs.announce-activation.enable = true;
|
||||||
krebs.enable = true;
|
krebs.enable = true;
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
6667
|
|
||||||
];
|
|
||||||
|
|
||||||
krebs.ergo = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
@ -1,121 +1,44 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
6667 6669
|
6667
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
|
krebs.ergo = {
|
||||||
|
|
||||||
services.solanum = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
motd = ''
|
config = {
|
||||||
hello
|
server.secure-nets = [
|
||||||
'';
|
"42::0/16"
|
||||||
config = ''
|
"10.240.0.0/12"
|
||||||
loadmodule "extensions/m_omode";
|
];
|
||||||
serverinfo {
|
oper-classes.server-admin = {
|
||||||
name = "${config.krebs.build.host.name}.irc.r";
|
title = "admin";
|
||||||
sid = "1as";
|
capabilities = [
|
||||||
description = "irc!";
|
"kill" # disconnect user sessions
|
||||||
network_name = "irc.r";
|
"ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
|
||||||
|
"nofakelag" # remove "fakelag" restrictions on rate of message sending
|
||||||
vhost = "0.0.0.0";
|
"relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
|
||||||
vhost6 = "::";
|
"vhosts" # add and remove vhosts from users
|
||||||
|
"sajoin" # join arbitrary channels, including private channels
|
||||||
#ssl_private_key = "etc/ssl.key";
|
"samode" # modify arbitrary channel and user modes
|
||||||
#ssl_cert = "etc/ssl.cert";
|
"snomasks" # subscribe to arbitrary server notice masks
|
||||||
#ssl_dh_params = "etc/dh.pem";
|
"roleplay" # use the (deprecated) roleplay commands in any channel
|
||||||
#ssld_count = 1;
|
"rehash" # rehash the server, i.e. reload the config at runtime
|
||||||
|
"accreg" # modify arbitrary account registrations
|
||||||
default_max_clients = 2048;
|
"chanreg" # modify arbitrary channel registrations
|
||||||
#nicklen = 30;
|
"history" # modify or delete history messages
|
||||||
|
"defcon" # use the DEFCON command (restrict server capabilities)
|
||||||
|
"massmessage" # message all users on the server
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
opers.aids = {
|
||||||
listen {
|
class = "server-admin";
|
||||||
defer_accept = yes;
|
hidden = false;
|
||||||
|
password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
|
||||||
/* If you want to listen on a specific IP only, specify host.
|
|
||||||
* host definitions apply only to the following port line.
|
|
||||||
*/
|
|
||||||
host = "0.0.0.0";
|
|
||||||
port = 6667;
|
|
||||||
#sslport = 6697;
|
|
||||||
|
|
||||||
/* Listen on IPv6 (if you used host= above). */
|
|
||||||
host = "::";
|
|
||||||
port = 6667;
|
|
||||||
#sslport = 6697;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
class "users" {
|
|
||||||
ping_time = 2 minutes;
|
|
||||||
number_per_ident = 10;
|
|
||||||
number_per_ip = 4096;
|
|
||||||
number_per_ip_global = 4096;
|
|
||||||
cidr_ipv4_bitlen = 24;
|
|
||||||
cidr_ipv6_bitlen = 64;
|
|
||||||
number_per_cidr = 65535;
|
|
||||||
max_number = 65535;
|
|
||||||
sendq = 1000 megabyte;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
privset "op" {
|
|
||||||
privs = oper:admin, oper:general;
|
|
||||||
};
|
|
||||||
|
|
||||||
operator "aids" {
|
|
||||||
user = "*@*";
|
|
||||||
password = "balls";
|
|
||||||
flags = ~encrypted;
|
|
||||||
snomask = "+s";
|
|
||||||
privset = "op";
|
|
||||||
};
|
|
||||||
|
|
||||||
exempt {
|
|
||||||
ip = "127.0.0.1";
|
|
||||||
};
|
|
||||||
|
|
||||||
exempt {
|
|
||||||
ip = "10.243.0.0/16";
|
|
||||||
};
|
|
||||||
|
|
||||||
auth {
|
|
||||||
user = "*@*";
|
|
||||||
class = "users";
|
|
||||||
flags = kline_exempt, exceed_limit, flood_exempt;
|
|
||||||
};
|
|
||||||
|
|
||||||
channel {
|
|
||||||
autochanmodes = "+t";
|
|
||||||
use_invex = yes;
|
|
||||||
use_except = yes;
|
|
||||||
use_forward = yes;
|
|
||||||
use_knock = yes;
|
|
||||||
knock_delay = 5 minutes;
|
|
||||||
knock_delay_channel = 1 minute;
|
|
||||||
max_chans_per_user = 150;
|
|
||||||
max_bans = 100;
|
|
||||||
max_bans_large = 500;
|
|
||||||
default_split_user_count = 0;
|
|
||||||
default_split_server_count = 0;
|
|
||||||
no_create_on_split = no;
|
|
||||||
no_join_on_split = no;
|
|
||||||
burst_topicwho = yes;
|
|
||||||
kick_on_split_riding = no;
|
|
||||||
only_ascii_channels = no;
|
|
||||||
resv_forcepart = yes;
|
|
||||||
channel_target_change = yes;
|
|
||||||
disable_local_channels = no;
|
|
||||||
};
|
|
||||||
|
|
||||||
general {
|
|
||||||
#maybe we want ident someday?
|
|
||||||
default_floodcount = 10000;
|
|
||||||
disable_auth = yes;
|
|
||||||
throttle_duration = 1;
|
|
||||||
throttle_count = 10000;
|
|
||||||
};
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
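Review bot: The new `opers.aids` block embeds the operator password hash in the module (`password = "$2a$04$…"`), so it is published with the repository and most likely ends up in a world-readable rendered config. The `$04$` prefix is bcrypt's minimum cost, so the strength of the password itself is the only thing protecting a `server-admin` class that holds every capability listed above it, and the side this replaces used a short plaintext oper password. Treat the committed value as exposed: rotate it and supply the hash from the secrets mechanism this tree already uses (`config.krebs.secret.file` appears elsewhere in the commit), or bind the oper to a client certificate with ergo's `certfp` key. A one-line comment above `server.secure-nets` saying why `42::0/16` and `10.240.0.0/12` are treated as secure transports would also help, since plaintext port 6667 stays open in the firewall.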
@ -156,7 +156,8 @@ in {
|
|||||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||||
lass.pubkey
|
lass.pubkey
|
||||||
makefu.pubkey
|
makefu.pubkey
|
||||||
kmein.pubkey
|
kmein-kabsa.pubkey
|
||||||
|
kmein-manakish.pubkey
|
||||||
tv.pubkey
|
tv.pubkey
|
||||||
];
|
];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
|
@ -68,7 +68,13 @@
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.brockman.bindsTo = [ "solanum.service" ];
|
krebs.ergo.openFilesLimit = 16384;
|
||||||
|
krebs.ergo.config = {
|
||||||
|
limits.nicklen = 100;
|
||||||
|
limits.identlen = 100;
|
||||||
|
history.enabled = false;
|
||||||
|
};
|
||||||
|
systemd.services.brockman.bindsTo = [ "ergo.service" ];
|
||||||
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
|
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
|
||||||
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
|
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
|
||||||
krebs.brockman = {
|
krebs.brockman = {
|
||||||
|
@ -95,7 +95,7 @@ let
|
|||||||
}
|
}
|
||||||
hooks.sed
|
hooks.sed
|
||||||
(generators.command_hook {
|
(generators.command_hook {
|
||||||
inherit (commands) random-emoji nixos-version;
|
inherit (commands) dance random-emoji nixos-version;
|
||||||
tell = {
|
tell = {
|
||||||
filename =
|
filename =
|
||||||
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
|
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
|
||||||
|
6
krebs/2configs/security-workarounds.nix
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
{
|
||||||
|
# https://github.com/berdav/CVE-2021-4034
|
||||||
|
security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
|
||||||
|
}
|
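Review bot: The only documentation for this workaround is a link to a proof-of-concept repository, which tells a maintainer neither what the override does nor when it can be removed. As written, `security.wrappers.pkexec.source` is forced to an empty text file, so the setuid wrapper presumably still gets installed but has nothing runnable behind it; that disables pkexec for every host importing this module, including legitimate uses. I would replace the comment with something like `# CVE-2021-4034 (polkit pkexec): point the setuid wrapper at an empty file so pkexec cannot run; remove once nixpkgs ships a patched polkit` and reference the upstream advisory instead of the exploit repo. The `with import <stockholm/lib>;` line looks unused here, since `lib.mkForce` is already qualified.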
@ -157,7 +157,8 @@ let
|
|||||||
# of the deepest directory:
|
# of the deepest directory:
|
||||||
# shellcheck disable=SC2174
|
# shellcheck disable=SC2174
|
||||||
${local.rsync} >&2 \
|
${local.rsync} >&2 \
|
||||||
-aAXF --delete \
|
-aAX --delete \
|
||||||
|
--filter='dir-merge /.backup-filter' \
|
||||||
--rsh=${shell.escape ssh} \
|
--rsh=${shell.escape ssh} \
|
||||||
--rsync-path=${shell.escape remote.rsync} \
|
--rsync-path=${shell.escape remote.rsync} \
|
||||||
--link-dest=${shell.escape plan.dst.path}/current \
|
--link-dest=${shell.escape plan.dst.path}/current \
|
||||||
@ -191,7 +192,8 @@ let
|
|||||||
echo >&2 "create snapshot: $ns/$name"
|
echo >&2 "create snapshot: $ns/$name"
|
||||||
mkdir -m 0700 -p "$dst_path/$ns"
|
mkdir -m 0700 -p "$dst_path/$ns"
|
||||||
rsync >&2 \
|
rsync >&2 \
|
||||||
-aAXF --delete \
|
-aAX --delete \
|
||||||
|
--filter='dir-merge /.backup-filter' \
|
||||||
--link-dest="$dst_path/current" \
|
--link-dest="$dst_path/current" \
|
||||||
"$dst_path/current/" \
|
"$dst_path/current/" \
|
||||||
"$dst_path/$ns/.partial.$name"
|
"$dst_path/$ns/.partial.$name"
|
||||||
|
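Review bot: Swapping `-F` for `--filter='dir-merge /.backup-filter'` silently changes which per-directory file controls exclusions, in both rsync invocations of this section. `-F` is shorthand for `dir-merge /.rsync-filter`, so any existing `.rsync-filter` files stop being honoured after this change, and paths they excluded (caches, possibly secrets) will be transferred and retained in snapshots unless a `.backup-filter` is created alongside them. The rules are read from the tree being copied, so whoever can write a `.backup-filter` there decides what is left out of the backup; in the snapshot step the source is `$dst_path/current/`, so filter files stored in the backup itself apply too. A comment above each command such as `# per-directory excludes come from .backup-filter (previously rsync's default .rsync-filter via -F)` plus a migration note for existing plans would make this visible. Both shell functions start and end outside the hunks shown.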
@ -108,6 +108,7 @@ let
|
|||||||
{ krebs = import ./makefu { inherit config; }; }
|
{ krebs = import ./makefu { inherit config; }; }
|
||||||
{ krebs = import ./external/palo.nix { inherit config; }; }
|
{ krebs = import ./external/palo.nix { inherit config; }; }
|
||||||
{ krebs = import ./external/mic92.nix { inherit config; }; }
|
{ krebs = import ./external/mic92.nix { inherit config; }; }
|
||||||
|
{ krebs = import ./external/kmein.nix { inherit config; }; }
|
||||||
{ krebs = import ./tv { inherit config; }; }
|
{ krebs = import ./tv { inherit config; }; }
|
||||||
{
|
{
|
||||||
krebs.dns.providers = {
|
krebs.dns.providers = {
|
||||||
|
@ -2,6 +2,13 @@
|
|||||||
options = {
|
options = {
|
||||||
krebs.ergo = {
|
krebs.ergo = {
|
||||||
enable = lib.mkEnableOption "Ergo IRC daemon";
|
enable = lib.mkEnableOption "Ergo IRC daemon";
|
||||||
|
openFilesLimit = lib.mkOption {
|
||||||
|
type = lib.types.int;
|
||||||
|
default = 1024;
|
||||||
|
description = ''
|
||||||
|
Maximum number of open files. Limits the clients and server connections.
|
||||||
|
'';
|
||||||
|
};
|
||||||
config = lib.mkOption {
|
config = lib.mkOption {
|
||||||
type = (pkgs.formats.json {}).type;
|
type = (pkgs.formats.json {}).type;
|
||||||
description = ''
|
description = ''
|
||||||
@ -54,8 +61,8 @@
|
|||||||
multiclient = {
|
multiclient = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
allowed-by-default = true;
|
allowed-by-default = true;
|
||||||
always-on = "opt-in";
|
always-on = "opt-out";
|
||||||
auto-away = "opt-in";
|
auto-away = "opt-out";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
channels = {
|
channels = {
|
||||||
@ -111,13 +118,15 @@
|
|||||||
systemd.services.ergo = {
|
systemd.services.ergo = {
|
||||||
description = "Ergo IRC daemon";
|
description = "Ergo IRC daemon";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
reloadIfChanged = true;
|
# reload currently not working as expected
|
||||||
|
# reloadIfChanged = true;
|
||||||
restartTriggers = [ configFile ];
|
restartTriggers = [ configFile ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
|
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
|
||||||
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
StateDirectory = "ergo";
|
StateDirectory = "ergo";
|
||||||
|
LimitNOFILE = "${toString cfg.openFilesLimit}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
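Review bot: The new `openFilesLimit` option is declared as `type = lib.types.int;`, which accepts zero and negative values that would be rendered straight into `LimitNOFILE = "${toString cfg.openFilesLimit}"`. A mistyped value would then either fail at unit start or leave the daemon unable to accept connections, rather than being rejected at evaluation time; `type = lib.types.ints.positive;` catches it early. Separately, with `reloadIfChanged` commented out, every config change now restarts the service through `restartTriggers` and drops all client sessions, while `ExecReload` remains defined; the comment could say whether SIGHUP reload is expected to come back, so the leftover `ExecReload` is not mistaken for a working path. The `systemd.services.ergo` block starts and ends outside the hunk.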
160
krebs/3modules/external/default.nix
vendored
@ -16,37 +16,7 @@ with import <stockholm/lib>;
|
|||||||
tinc-for = name: builtins.readFile (./tinc + "/${name}.pub");
|
tinc-for = name: builtins.readFile (./tinc + "/${name}.pub");
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
hosts = mapAttrs hostDefaults {
|
hosts = mapAttrs hostDefaults {
|
||||||
kabsa = {
|
|
||||||
owner = config.krebs.users.kmein;
|
|
||||||
nets = {
|
|
||||||
retiolum = {
|
|
||||||
ip4.addr = "10.243.2.4";
|
|
||||||
aliases = [
|
|
||||||
"kabsa.r"
|
|
||||||
"kabsa.kmein.r"
|
|
||||||
];
|
|
||||||
tinc.pubkey = ''
|
|
||||||
-----BEGIN PUBLIC KEY-----
|
|
||||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
|
|
||||||
g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
|
|
||||||
2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
|
|
||||||
uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
|
|
||||||
a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
|
|
||||||
IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
|
|
||||||
C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
|
|
||||||
sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
|
|
||||||
10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
|
|
||||||
1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
|
|
||||||
lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
|
|
||||||
QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
'';
|
|
||||||
tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
helsinki = {
|
helsinki = {
|
||||||
owner = config.krebs.users.ajs124;
|
owner = config.krebs.users.ajs124;
|
||||||
nets = {
|
nets = {
|
||||||
@ -142,65 +112,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
makanek = {
|
|
||||||
owner = config.krebs.users.kmein;
|
|
||||||
nets = {
|
|
||||||
retiolum = {
|
|
||||||
ip4.addr = "10.243.2.84";
|
|
||||||
aliases = [
|
|
||||||
"makanek.r"
|
|
||||||
"makanek.kmein.r"
|
|
||||||
"grafana.kmein.r"
|
|
||||||
"names.kmein.r"
|
|
||||||
"graph.r"
|
|
||||||
];
|
|
||||||
tinc.pubkey = ''
|
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
|
|
||||||
VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
|
|
||||||
JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
|
|
||||||
hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
|
|
||||||
Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
|
|
||||||
de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
|
|
||||||
Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
|
|
||||||
uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
|
|
||||||
zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
|
|
||||||
Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
|
|
||||||
oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
||||||
'';
|
|
||||||
tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
manakish = {
|
|
||||||
owner = config.krebs.users.kmein;
|
|
||||||
nets = {
|
|
||||||
retiolum = {
|
|
||||||
ip4.addr = "10.243.2.85";
|
|
||||||
aliases = [
|
|
||||||
"manakish.r"
|
|
||||||
"manakish.kmein.r"
|
|
||||||
];
|
|
||||||
tinc.pubkey = ''
|
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
|
|
||||||
Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
|
|
||||||
7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
|
|
||||||
dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
|
|
||||||
1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
|
|
||||||
GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
|
|
||||||
EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
|
|
||||||
U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
|
|
||||||
+FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
|
|
||||||
I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
|
|
||||||
qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
||||||
'';
|
|
||||||
tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
qubasa = {
|
qubasa = {
|
||||||
owner = config.krebs.users.qubasa;
|
owner = config.krebs.users.qubasa;
|
||||||
nets = {
|
nets = {
|
||||||
@ -226,7 +137,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
keller = {
|
keller = {
|
||||||
owner = config.krebs.users.qubasa;
|
owner = config.krebs.users.qubasa;
|
||||||
nets = {
|
nets = {
|
||||||
@ -279,13 +189,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
rilke = {
|
|
||||||
owner = config.krebs.users.kmein;
|
|
||||||
nets.wiregrill = {
|
|
||||||
aliases = [ "rilke.w" ];
|
|
||||||
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
rtjure = {
|
rtjure = {
|
||||||
owner = config.krebs.users.rtjure;
|
owner = config.krebs.users.rtjure;
|
||||||
nets = {
|
nets = {
|
||||||
@ -312,37 +215,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
zaatar = {
|
|
||||||
owner = config.krebs.users.kmein;
|
|
||||||
nets = {
|
|
||||||
retiolum = {
|
|
||||||
ip4.addr = "10.243.2.34";
|
|
||||||
aliases = [
|
|
||||||
"zaatar.r"
|
|
||||||
"zaatar.kmein.r"
|
|
||||||
"grocy.kmein.r"
|
|
||||||
"bvg.kmein.r"
|
|
||||||
"moodle.kmein.r"
|
|
||||||
];
|
|
||||||
tinc.pubkey = ''
|
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
|
|
||||||
pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
|
|
||||||
xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
|
|
||||||
5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
|
|
||||||
T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
|
|
||||||
2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
|
|
||||||
PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
|
|
||||||
zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
|
|
||||||
xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
|
|
||||||
yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
|
|
||||||
uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
||||||
'';
|
|
||||||
tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
sokrateslaptop = {
|
sokrateslaptop = {
|
||||||
owner = config.krebs.users.sokratess;
|
owner = config.krebs.users.sokratess;
|
||||||
nets = {
|
nets = {
|
||||||
@ -691,6 +563,31 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
papawhakaaro = {
|
||||||
|
owner = config.krebs.users.feliks;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.10.243";
|
||||||
|
aliases = [ "papawhakaaro.r" ];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw
|
||||||
|
oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK
|
||||||
|
sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV
|
||||||
|
5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz
|
||||||
|
GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9
|
||||||
|
pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY
|
||||||
|
hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi
|
||||||
|
4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX
|
||||||
|
lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10
|
||||||
|
LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe
|
||||||
|
l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
hydrogen = {
|
hydrogen = {
|
||||||
owner = config.krebs.users.sandro;
|
owner = config.krebs.users.sandro;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
@ -740,10 +637,6 @@ in {
|
|||||||
jonge = {
|
jonge = {
|
||||||
mail = "jacek.galowicz@gmail.com";
|
mail = "jacek.galowicz@gmail.com";
|
||||||
};
|
};
|
||||||
kmein = {
|
|
||||||
mail = "kmein@posteo.de";
|
|
||||||
pubkey = ssh-for "kmein";
|
|
||||||
};
|
|
||||||
mic92 = {
|
mic92 = {
|
||||||
mail = "joerg@thalheim.io";
|
mail = "joerg@thalheim.io";
|
||||||
pubkey = ssh-for "mic92";
|
pubkey = ssh-for "mic92";
|
||||||
@ -799,5 +692,8 @@ in {
|
|||||||
pie_ = {};
|
pie_ = {};
|
||||||
domsen = {
|
domsen = {
|
||||||
};
|
};
|
||||||
|
feliks = {
|
||||||
|
mail = "feliks@flipdot.org";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
146
krebs/3modules/external/kmein.nix
vendored
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
with import <stockholm/lib>;
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else [];
|
||||||
|
hostDefaults = hostName: host: flip recursiveUpdate host ({
|
||||||
|
ci = false;
|
||||||
|
external = true;
|
||||||
|
monitoring = false;
|
||||||
|
owner = config.krebs.users.kmein;
|
||||||
|
} // optionalAttrs (host.nets?retiolum) {
|
||||||
|
nets.retiolum = {
|
||||||
|
ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
|
||||||
|
};
|
||||||
|
} // optionalAttrs (host.nets?wiregrill) {
|
||||||
|
nets.wiregrill = {
|
||||||
|
ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
|
||||||
|
};
|
||||||
|
});
|
||||||
|
ssh-for = name: builtins.readFile (./ssh + "/${name}.pub");
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users = rec {
|
||||||
|
kmein = kmein-kabsa;
|
||||||
|
kmein-kabsa = {
|
||||||
|
mail = "kmein@posteo.de";
|
||||||
|
pubkey = ssh-for "kmein.kabsa";
|
||||||
|
};
|
||||||
|
kmein-manakish = {
|
||||||
|
inherit (kmein-kabsa) mail;
|
||||||
|
pubkey = ssh-for "kmein.manakish";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
hosts = mapAttrs hostDefaults {
|
||||||
|
kabsa = {
|
||||||
|
nets.retiolum = {
|
||||||
|
aliases = [ "kabsa.r" "kabsa.kmein.r" ];
|
||||||
|
ip4.addr = "10.243.2.4";
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
|
||||||
|
g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
|
||||||
|
2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
|
||||||
|
uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
|
||||||
|
a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
|
||||||
|
IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
|
||||||
|
C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
|
||||||
|
sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
|
||||||
|
10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
|
||||||
|
1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
|
||||||
|
lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
|
||||||
|
QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
makanek = {
|
||||||
|
nets.retiolum = {
|
||||||
|
aliases = [
|
||||||
|
"makanek.r"
|
||||||
|
"makanek.kmein.r"
|
||||||
|
"grafana.kmein.r"
|
||||||
|
"names.kmein.r"
|
||||||
|
"graph.r"
|
||||||
|
"rrm.r"
|
||||||
|
];
|
||||||
|
ip4.addr = "10.243.2.84";
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
|
||||||
|
VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
|
||||||
|
JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
|
||||||
|
hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
|
||||||
|
Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
|
||||||
|
de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
|
||||||
|
Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
|
||||||
|
uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
|
||||||
|
zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
|
||||||
|
Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
|
||||||
|
oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
manakish = {
|
||||||
|
nets.retiolum = {
|
||||||
|
aliases = [
|
||||||
|
"manakish.r"
|
||||||
|
"manakish.kmein.r"
|
||||||
|
];
|
||||||
|
ip4.addr = "10.243.2.85";
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
|
||||||
|
Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
|
||||||
|
7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
|
||||||
|
dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
|
||||||
|
1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
|
||||||
|
GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
|
||||||
|
EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
|
||||||
|
U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
|
||||||
|
+FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
|
||||||
|
I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
|
||||||
|
qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
g7power = {
|
||||||
|
nets.wiregrill = {
|
||||||
|
ip4.addr = "10.244.2.97";
|
||||||
|
aliases = [ "phone.kmein.w" ];
|
||||||
|
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
zaatar = {
|
||||||
|
nets.retiolum = {
|
||||||
|
ip4.addr = "10.243.2.34";
|
||||||
|
aliases = [
|
||||||
|
"zaatar.r"
|
||||||
|
"zaatar.kmein.r"
|
||||||
|
"grocy.kmein.r"
|
||||||
|
"moodle.kmein.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
|
||||||
|
pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
|
||||||
|
xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
|
||||||
|
5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
|
||||||
|
T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
|
||||||
|
2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
|
||||||
|
PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
|
||||||
|
zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
|
||||||
|
xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
|
||||||
|
yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
|
||||||
|
uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
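Review bot: The helper `maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else [];` tests for an attribute literally named `key`, not for the attribute named by the argument. As written it returns `[]` for almost every input, and would throw on `attrset.${key}` if the set happened to contain a `key` attribute but not the requested one. The dynamic form is `if attrset ? ${key} then attrset.${key} else []`, or simply `attrset.${key} or []`. The helper is not referenced anywhere in this new file as shown, so dropping it is also reasonable. Since this file now defines the `kmein` user and its SSH keys that other modules consume for `authorizedKeys`, a short header comment naming which key belongs to which machine would help future key rotation.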
28
krebs/3modules/external/mic92.nix
vendored
@ -526,8 +526,10 @@ in {
|
|||||||
};
|
};
|
||||||
turingmachine = {
|
turingmachine = {
|
||||||
owner = config.krebs.users.mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = rec {
|
||||||
|
internet.addrs = [ "turingmachine.thalheim.io" ];
|
||||||
retiolum = {
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
aliases = [
|
aliases = [
|
||||||
"turingmachine.r"
|
"turingmachine.r"
|
||||||
];
|
];
|
||||||
@ -675,10 +677,33 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
jarvis = {
|
||||||
|
owner = config.krebs.users.mic92;
|
||||||
|
nets = rec {
|
||||||
|
internet.addrs = [ "jarvis.thalheim.io" ];
|
||||||
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
|
aliases = [ "jarvis.r" ];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEA7PtJlYBpBr2TK5CAvAukkGvj+esC+sMPKd3mO9iDwdViBrqKdf+D
|
||||||
|
yEy8SI80Y02dpkL97NjvnzepKpyGQWpG1ZQflJLhCTj7oFyVpWd4XsbIuzYp5ES6
|
||||||
|
r8qKWs2xcItc1pbW0ZmrCBzdWsC1B0VAHlYkiz+7vM6pCTvg6hNQugP4c1TRCtJC
|
||||||
|
Sr+n+EjTXN/NTaKl+f7eoHJGnT5liDO3/xZVxm8AuLnron1xPPDghXClVHfDj5mt
|
||||||
|
f66f+CLwZhq3BrZuptwXp7TerMfrNtPyTx96b+EyuLPjrYxKeKL/+Nbr3VmmiDIV
|
||||||
|
tsraNc+0a8OBpVsYh4MQLp55NYwqxAoetQIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "RRkMnGSg+nMkz4L2iqmdFf2fIf4wIfcTM0TlTWLLNCE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
bernie = {
|
bernie = {
|
||||||
owner = config.krebs.users.mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
|
internet.addrs = [ "bernie.thalheim.io" ];
|
||||||
retiolum = {
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
aliases = [ "bernie.r" ];
|
aliases = [ "bernie.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
@ -700,7 +725,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
ryan = {
|
ryan = {
|
||||||
owner = config.krebs.users.mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
|
@ -1,2 +1 @@
|
|||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
|
|
1
krebs/3modules/external/ssh/kmein.manakish.pub
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
|
1
krebs/3modules/external/ssh/qubasa.pub
vendored
@ -1,2 +1 @@
|
|||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos
|
ssh-rsa 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 lhebendanz@nixos
|
||||||
|
|
||||||
|
@ -41,11 +41,17 @@ let
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"POST /")
|
"POST /")
|
||||||
uri=$(head -c "$req_content_length" \
|
uri_candidate=$(head -c "$req_content_length" \
|
||||||
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
|
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
|
||||||
| xargs -0 echo -e \
|
| xargs -0 echo -e \
|
||||||
| tee /tmp/tee.log \
|
)
|
||||||
| ${pkgs.urix}/bin/urix \
|
|
||||||
|
if $(echo "$uri_candidate" | grep -q '^uri=//.*'); then
|
||||||
|
# fix urls with missing https: in front
|
||||||
|
uri_candidate=$(echo "$uri_candidate" | sed 's,//,https://,g')
|
||||||
|
fi
|
||||||
|
|
||||||
|
uri=$(echo "$uri_candidate" | ${pkgs.urix}/bin/urix \
|
||||||
| head -1 \
|
| head -1 \
|
||||||
)
|
)
|
||||||
|
|
||||||
|
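Review bot: The scheme fix-up rewrites every `//` in the request body, not just the leading one, because `sed 's,//,https://,g'` is unanchored and carries the `g` flag; a value such as `uri=//host/a//b` (constructed example) ends up with a second `https:` inside its path. Anchoring it, `sed 's,^uri=//,uri=https://,'`, limits the rewrite to the case the comment describes. The test `if $(echo "$uri_candidate" | grep -q '^uri=//.*'); then` only works because the empty command substitution leaves grep's exit status behind; `if echo "$uri_candidate" | grep -q '^uri=//'; then` says what is meant. The body is client-supplied and has already been through `echo -e`, so, depending on the shell this script runs under, `printf '%s\n' "$uri_candidate"` would avoid a second round of backslash interpretation by `echo`. The `case` arm begins and ends outside the hunk.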
@ -681,7 +681,7 @@ in {
|
|||||||
aliases = [
|
aliases = [
|
||||||
"styx.r"
|
"styx.r"
|
||||||
];
|
];
|
||||||
tinc.port = 0;
|
tinc.port = 654;
|
||||||
tinc = {
|
tinc = {
|
||||||
pubkey = ''
|
pubkey = ''
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
@ -82,6 +82,32 @@ in {
|
|||||||
ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
|
ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
|
||||||
};
|
};
|
||||||
|
bu = {
|
||||||
|
ci = true;
|
||||||
|
cores = 4;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.13.36";
|
||||||
|
aliases = [
|
||||||
|
"bu.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
|
||||||
|
hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
|
||||||
|
jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
|
||||||
|
gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
|
||||||
|
sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
|
||||||
|
st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secure = true;
|
||||||
|
ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
|
||||||
|
ssh.pubkey = "ssh-rsa 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 root@bu";
|
||||||
|
};
|
||||||
hu = {
|
hu = {
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
|
@ -7,12 +7,12 @@
|
|||||||
}:
|
}:
|
||||||
mkDerivation rec {
|
mkDerivation rec {
|
||||||
pname = "brockman";
|
pname = "brockman";
|
||||||
version = "4.0.2";
|
version = "4.0.3";
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "kmein";
|
owner = "kmein";
|
||||||
repo = "brockman";
|
repo = "brockman";
|
||||||
rev = version;
|
rev = version;
|
||||||
sha256 = "sha256-EKXKhGdIJRbRklD5zxJNGhOxqPzog4f9NMXo/c8iBGc=";
|
sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
|
||||||
};
|
};
|
||||||
isLibrary = false;
|
isLibrary = false;
|
||||||
isExecutable = true;
|
isExecutable = true;
|
||||||
|
@ -9,11 +9,11 @@
|
|||||||
}:
|
}:
|
||||||
mkDerivation {
|
mkDerivation {
|
||||||
pname = "much";
|
pname = "much";
|
||||||
version = "1.2.0";
|
version = "1.3.1";
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "https://cgit.krebsco.de/much";
|
url = "https://cgit.krebsco.de/much";
|
||||||
sha256 = "0rf27d7gki5hgivy49xi59ld0j6jw3v7nxi4w1gx6byj1xsarwwl";
|
sha256 = "0gwyhqcvg9ywna8fhb9hnx97qh5inglj3l0pcwkgwcvm27mfpcqa";
|
||||||
rev = "29749366052a8f6c05b314f1ff17201717855ad7";
|
rev = "77357335a3a88a4b93f91a46ab939a1a9b192977";
|
||||||
fetchSubmodules = true;
|
fetchSubmodules = true;
|
||||||
};
|
};
|
||||||
isLibrary = true;
|
isLibrary = true;
|
||||||
|
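--- a/krebs/5pkgs/simple/K_belwagen.nix
+++ b/krebs/5pkgs/simple/K_belwagen.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, stdenv }:
+
+stdenv.mkDerivation {
+pname = "K_belwagen";
+version = "1.0";
+
+src = pkgs.painload;
+sourceRoot = "source/K_belwagen";
+
+buildInputs = [
+pkgs.jack1
+pkgs.pkgconfig
+];
+
+patchPhase = ''
+sed -i '
+s@^cd@# &@
+s@^make@# &@
+s@^jackd@# &@
+s@^trap@# &@
+
+s@^set.*@&\nPATH=${lib.makeBinPath [
+pkgs.bc
+pkgs.coreutils
+]}; export PATH@
+
+s@\./a\.out@'"$out"'/lib/a.out@
+' alarm
+'';
+
+installPhase = ''
+mkdir -p $out/lib
+mkdir -p $out/bin
+
+cp alarm $out/bin
+cp a.out $out/lib
+'';
+}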
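Review bot: `pkgs.pkgconfig` is a build-time tool and belongs in `nativeBuildInputs`, leaving only `pkgs.jack1` in `buildInputs`: `nativeBuildInputs = [ pkgs.pkgconfig ];`. The sed script in `patchPhase` has no comment; one line above it saying that it comments out the `cd`, `make`, `jackd` and `trap` lines of the upstream `alarm` script, pins `PATH`, and points `./a.out` at `$out/lib/a.out` would let a reader check the result without decoding the expressions. Since `installPhase` is replaced wholesale, wrapping its commands in `runHook preInstall` and `runHook postInstall` keeps later overrides working.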
@ -1,14 +1,14 @@
|
|||||||
{ buildGo116Module , fetchFromGitHub, lib }:
|
{ buildGo117Module , fetchFromGitHub, lib }:
|
||||||
|
|
||||||
buildGo116Module rec {
|
buildGo117Module rec {
|
||||||
pname = "ergo";
|
pname = "ergo";
|
||||||
version = "2.8.0";
|
version = "2.9.1";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "ergochat";
|
owner = "ergochat";
|
||||||
repo = "ergo";
|
repo = "ergo";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
sha256 = "sha256-xKcSHNH1ksjH1IikqzDi88fOdHR5CHGs8ya4Fj65MbI=";
|
sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
|
||||||
};
|
};
|
||||||
|
|
||||||
vendorSha256 = null;
|
vendorSha256 = null;
|
||||||
@ -17,7 +17,7 @@ buildGo116Module rec {
|
|||||||
description = "A modern IRC server (daemon/ircd) written in Go";
|
description = "A modern IRC server (daemon/ircd) written in Go";
|
||||||
homepage = "https://github.com/ergochat/ergo";
|
homepage = "https://github.com/ergochat/ergo";
|
||||||
license = lib.licenses.mit;
|
license = lib.licenses.mit;
|
||||||
maintainers = [ lib.maintainers.tv ];
|
maintainers = with lib.maintainers; [ lassulus tv ];
|
||||||
platforms = lib.platforms.linux;
|
platforms = lib.platforms.linux;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -100,6 +100,7 @@ with stockholm.lib;
|
|||||||
add_message "$(
|
add_message "$(
|
||||||
git log \
|
git log \
|
||||||
--format="$(orange %h) %s $(gray '(%ar)')" \
|
--format="$(orange %h) %s $(gray '(%ar)')" \
|
||||||
|
--no-merges \
|
||||||
--reverse \
|
--reverse \
|
||||||
$id2..$id
|
$id2..$id
|
||||||
|
|
||||||
|
@ -1,7 +1,9 @@
|
|||||||
{ fetchgit, ... }:
|
{ pkgs }:
|
||||||
|
|
||||||
fetchgit {
|
pkgs.fetchFromGitHub {
|
||||||
url = https://github.com/krebs/painload;
|
owner = "krebs";
|
||||||
rev = "c113487f73713a03b1a139b22bb34b86234d0495";
|
repo = "painload";
|
||||||
sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
|
rev = "a963b45d5a3921f19189575420cc7f8f946345b5";
|
||||||
|
sha256 = "03q8rxpzy4l9nd4wv0107s0ck3dhfzkfy1rabf8srabkwl0c3vsc";
|
||||||
|
fetchSubmodules = true;
|
||||||
}
|
}
|
||||||
|
@ -21,6 +21,16 @@ rec {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dance = {
|
||||||
|
filename = pkgs.writeDash "dance" ''
|
||||||
|
echo "<(^.^<)"
|
||||||
|
echo "<(^.^)>"
|
||||||
|
echo "(>^.^)>"
|
||||||
|
echo "(7^.^)7"
|
||||||
|
echo "(>^.^<)"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
nixos-version = {
|
nixos-version = {
|
||||||
filename = pkgs.writeDash "nixos-version" ''
|
filename = pkgs.writeDash "nixos-version" ''
|
||||||
. /etc/os-release
|
. /etc/os-release
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
"url": "https://github.com/NixOS/nixpkgs",
|
||||||
"rev": "59bfda72480496f32787cec8c557182738b1bd3f",
|
"rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87",
|
||||||
"date": "2021-12-31T15:09:52+01:00",
|
"date": "2022-01-23T03:10:13+01:00",
|
||||||
"path": "/nix/store/wy2iidg15nwgmn8xir8fbr1lfz1hqphb-nixpkgs",
|
"path": "/nix/store/s6kxwpz8k02mg1wqsf06bsjygwi6xr6j-nixpkgs",
|
||||||
"sha256": "18akd1chfvniq1q774rigfxgmxwi0wyjljpa1j9ls59szpzr316d",
|
"sha256": "08d38db4707jdm3gws82y6bynh6k8qal4s1cms9zqd9cdwcmylyj",
|
||||||
"fetchLFS": false,
|
"fetchLFS": false,
|
||||||
"fetchSubmodules": false,
|
"fetchSubmodules": false,
|
||||||
"deepClone": false,
|
"deepClone": false,
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
"url": "https://github.com/NixOS/nixpkgs",
|
||||||
"rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff",
|
"rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
|
||||||
"date": "2022-01-01T22:20:39+08:00",
|
"date": "2022-01-23T10:04:55-08:00",
|
||||||
"path": "/nix/store/azrxsxpszjwgg75jk1pkzlzjcj0qnw8d-nixpkgs",
|
"path": "/nix/store/r22j0r232a5y02yhd1avaw27zqdbhx1x-nixpkgs",
|
||||||
"sha256": "03ldf1dlxqf3g8qh9x5vp6vd9zvvr481fyjds111imll69y60wpm",
|
"sha256": "0gzhigyn8f7vps4a5vc1c8wbim59724s179a7d0h3gv6ss9avdj4",
|
||||||
"fetchLFS": false,
|
"fetchLFS": false,
|
||||||
"fetchSubmodules": false,
|
"fetchSubmodules": false,
|
||||||
"deepClone": false,
|
"deepClone": false,
|
||||||
|
@ -123,6 +123,7 @@ with import <stockholm/lib>;
|
|||||||
<stockholm/lass/2configs/ciko.nix>
|
<stockholm/lass/2configs/ciko.nix>
|
||||||
<stockholm/lass/2configs/container-networking.nix>
|
<stockholm/lass/2configs/container-networking.nix>
|
||||||
<stockholm/lass/2configs/jitsi.nix>
|
<stockholm/lass/2configs/jitsi.nix>
|
||||||
|
<stockholm/lass/2configs/fysiirc.nix>
|
||||||
{
|
{
|
||||||
services.tor = {
|
services.tor = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -79,9 +79,11 @@
|
|||||||
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
|
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
|
||||||
|
|
||||||
boot.kernelParams = [ "net.ifnames=0" ];
|
boot.kernelParams = [ "net.ifnames=0" ];
|
||||||
|
networking.dhcpcd.enable = false;
|
||||||
networking = {
|
networking = {
|
||||||
hostId = "2283aaae";
|
hostId = "2283aaae";
|
||||||
defaultGateway = "95.216.1.129";
|
defaultGateway = "95.216.1.129";
|
||||||
|
defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
|
||||||
# Use google's public DNS server
|
# Use google's public DNS server
|
||||||
nameservers = [ "8.8.8.8" ];
|
nameservers = [ "8.8.8.8" ];
|
||||||
interfaces.eth0.ipv4.addresses = [
|
interfaces.eth0.ipv4.addresses = [
|
||||||
@ -94,5 +96,11 @@
|
|||||||
prefixLength = 26;
|
prefixLength = 26;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
interfaces.eth0.ipv6.addresses = [
|
||||||
|
{
|
||||||
|
address = "2a01:4f9:2a:1e9::1";
|
||||||
|
prefixLength = 64;
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -65,7 +65,7 @@ in {
|
|||||||
gitAndTools.hub
|
gitAndTools.hub
|
||||||
git-crypt
|
git-crypt
|
||||||
git-preview
|
git-preview
|
||||||
gnome3.dconf
|
dconf
|
||||||
iodine
|
iodine
|
||||||
libarchive
|
libarchive
|
||||||
lm_sensors
|
lm_sensors
|
||||||
|
@ -8,7 +8,7 @@ with import <stockholm/lib>;
|
|||||||
./vim.nix
|
./vim.nix
|
||||||
./zsh.nix
|
./zsh.nix
|
||||||
./htop.nix
|
./htop.nix
|
||||||
./security-workarounds.nix
|
<stockholm/krebs/2configs/security-workarounds.nix>
|
||||||
./wiregrill.nix
|
./wiregrill.nix
|
||||||
{
|
{
|
||||||
users.extraUsers =
|
users.extraUsers =
|
||||||
|
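--- a/lass/2configs/fysiirc.nix
+++ b/lass/2configs/fysiirc.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+{
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-p tcp --dport 44002"; target = "ACCEPT"; }
+];
+krebs.reaktor2.fysiweb-github = {
+hostname = "irc.libera.chat";
+port = "6697";
+useTLS = true;
+nick = "fysiweb-github";
+API.listen = "inet://127.0.0.1:44001";
+plugins = [
+{
+plugin = "register";
+config = {
+channels = [
+"#fysi"
+];
+};
+}
+];
+};
+krebs.htgen.fysiweb-github = {
+port = 44002;
+user = {
+name = "reaktor2-fysiweb-github";
+};
+script = ''. ${pkgs.writeDash "github-irc" ''
+case "$Method $Request_URI" in
+"POST /")
+payload=$(head -c "$req_content_length" \
+| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
+| xargs -0 echo -e \
+)
+${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
+-H content-type:application/json \
+-d "$(echo "$payload" | ${pkgs.jq}/bin/jq \
+'{
+command:"PRIVMSG",
+params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"]
+}'
+)"
+printf 'HTTP/1.1 200 OK\r\n'
+printf 'Connection: close\r\n'
+printf '\r\n'
+exit
+;;
+esac
+''}'';
+};
+}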
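Review bot: Any host that can reach port 44002 can make the bot post to #fysi, because the handler relays every `POST /` body without checking that the delivery came from GitHub, and the iptables rule accepts the port from all sources. GitHub signs deliveries with an HMAC carried in the `X-Hub-Signature-256` header when a webhook secret is configured; the script should verify that over the raw body before calling curl and reject requests that fail. Until that exists, record the gap where the payload is read: `# TODO: verify X-Hub-Signature-256 with a shared secret before relaying`. `.action` and the URL fields are copied into the PRIVMSG text unchanged, so it is worth confirming that the reaktor2 API refuses CR/LF inside `params`.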
@ -14,8 +14,8 @@
|
|||||||
users.users.mainUser = {
|
users.users.mainUser = {
|
||||||
extraGroups = [ "networkmanager" ];
|
extraGroups = [ "networkmanager" ];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
gnome3.gnome_keyring
|
gnome3.gnome-keyring
|
||||||
gnome3.dconf
|
dconf
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
@ -8,67 +8,18 @@
|
|||||||
powerOnBoot = true;
|
powerOnBoot = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# autostart with login
|
|
||||||
systemd.user.services.pipewire-pulse = {
|
|
||||||
wantedBy = [ "graphical-session.target" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
alsaUtils
|
alsaUtils
|
||||||
pulseaudioLight
|
pulseaudioLight
|
||||||
ponymix
|
ponymix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.variables.PULSE_SERVER = "localhost:4713";
|
|
||||||
services.pipewire = {
|
services.pipewire = {
|
||||||
enable = true;
|
enable = true;
|
||||||
socketActivation = false;
|
systemWide = true;
|
||||||
alsa.enable = true;
|
alsa.enable = true;
|
||||||
alsa.support32Bit = true;
|
alsa.support32Bit = true;
|
||||||
pulse.enable = true;
|
pulse.enable = true;
|
||||||
jack.enable = true;
|
jack.enable = true;
|
||||||
|
|
||||||
# https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
|
|
||||||
config.pipewire-pulse = {
|
|
||||||
"context.properties" = {
|
|
||||||
"log.level" = 2;
|
|
||||||
};
|
|
||||||
"context.modules" = [
|
|
||||||
{
|
|
||||||
name = "libpipewire-module-rtkit";
|
|
||||||
# args = {
|
|
||||||
# "nice.level" = -15;
|
|
||||||
# "rt.prio" = 88;
|
|
||||||
# "rt.time.soft" = 200000;
|
|
||||||
# "rt.time.hard" = 200000;
|
|
||||||
# };
|
|
||||||
flags = [ "ifexists" "nofail" ];
|
|
||||||
}
|
|
||||||
{ name = "libpipewire-module-protocol-native"; }
|
|
||||||
{ name = "libpipewire-module-client-node"; }
|
|
||||||
{ name = "libpipewire-module-adapter"; }
|
|
||||||
{ name = "libpipewire-module-metadata"; }
|
|
||||||
{
|
|
||||||
name = "libpipewire-module-protocol-pulse";
|
|
||||||
args = {
|
|
||||||
"vm.overrides" = {
|
|
||||||
# "pulse.min.req" = "32/48000";
|
|
||||||
# "pulse.default.req" = "32/48000";
|
|
||||||
# "pulse.max.req" = "32/48000";
|
|
||||||
"pulse.min.quantum" = "1024/48000";
|
|
||||||
# "pulse.max.quantum" = "32/48000";
|
|
||||||
};
|
|
||||||
"server.address" = [
|
|
||||||
"unix:native"
|
|
||||||
"tcp:4713"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
"stream.properties" = {
|
|
||||||
# "node.latency" = "32/48000";
|
|
||||||
# "resample.quality" = 1;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
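Review bot: `systemWide = true` replaces the per-user setup with one daemon shared by every account in the `pipewire` group, so those accounts can reach each other's playback and capture streams, and nothing in this hunk says why the host needs that or which users are meant to be in the group. Dropping the `tcp:4713` listener and `PULSE_SERVER` removes the network-facing part of the old setup, which is an improvement, but the sharing is now decided by group membership defined elsewhere. A comment on the option would make the trade-off visible: `# system-wide daemon: every member of the "pipewire" group shares audio devices; needed for <reason>`. The attribute set that holds `services.pipewire` starts outside the hunk.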
@ -17,14 +17,17 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
connectTo = [
|
connectTo = [
|
||||||
"prism"
|
"prism"
|
||||||
"gum"
|
|
||||||
"ni"
|
"ni"
|
||||||
|
"eve"
|
||||||
];
|
];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
LocalDiscovery = yes
|
StrictSubnets = yes
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# never connect via gum (he eats our packets!)
|
||||||
|
krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = pkgs: {
|
nixpkgs.config.packageOverrides = pkgs: {
|
||||||
tinc = pkgs.tinc_pre;
|
tinc = pkgs.tinc_pre;
|
||||||
};
|
};
|
||||||
|
@ -1,8 +0,0 @@
|
|||||||
{ config, pkgs, ... }:
|
|
||||||
with import <stockholm/lib>;
|
|
||||||
{
|
|
||||||
# http://seclists.org/oss-sec/2017/q1/471
|
|
||||||
boot.extraModprobeConfig = ''
|
|
||||||
install dccp /run/current-system/sw/bin/false
|
|
||||||
'';
|
|
||||||
}
|
|
@ -6,15 +6,41 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
services.udev.packages = with pkgs; [ yubikey-personalization ];
|
services.udev.packages = with pkgs; [ yubikey-personalization ];
|
||||||
services.pcscd.enable = true;
|
|
||||||
systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
|
systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
|
||||||
|
|
||||||
##restart pcscd if yubikey is plugged in
|
services.pcscd.enable = true;
|
||||||
#services.udev.extraRules = ''
|
systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
|
||||||
# ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" ''
|
set -x
|
||||||
# ${pkgs.systemd}/bin/systemctl restart pcscd.service
|
${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
|
||||||
# ''}"
|
disable-ccid
|
||||||
#'';
|
pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
|
||||||
|
card-timeout 1
|
||||||
|
|
||||||
|
# Always try to use yubikey as the first reader
|
||||||
|
# even when other smart card readers are connected
|
||||||
|
# Name of the reader can be found using the pcsc_scan command
|
||||||
|
# If you have problems with gpg not recognizing the Yubikey
|
||||||
|
# then make sure that the string here matches exacly pcsc_scan
|
||||||
|
# command output. Also check journalctl -f for errors.
|
||||||
|
reader-port Yubico YubiKey
|
||||||
|
''} $HOME/.gnupg/scdaemon.conf
|
||||||
|
'';
|
||||||
|
|
||||||
|
security.polkit.extraConfig = ''
|
||||||
|
polkit.addRule(function(action, subject) {
|
||||||
|
if (
|
||||||
|
(
|
||||||
|
action.id == "org.debian.pcsc-lite.access_pcsc" ||
|
||||||
|
action.id == "org.debian.pcsc-lite.access_card"
|
||||||
|
) && subject.user == "lass"
|
||||||
|
) {
|
||||||
|
return polkit.Result.YES;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
polkit.addRule(function(action, subject) {
|
||||||
|
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
|
||||||
|
});
|
||||||
|
'';
|
||||||
|
|
||||||
environment.shellInit = ''
|
environment.shellInit = ''
|
||||||
if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
|
if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
|
||||||
@ -28,6 +54,9 @@
|
|||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# allow nix to acces remote builders via yubikey
|
||||||
|
systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
ssh.startAgent = false;
|
ssh.startAgent = false;
|
||||||
gnupg.agent = {
|
gnupg.agent = {
|
||||||
|
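Review bot: Pointing `nix-daemon` at `/run/user/1337/gnupg/S.gpg-agent.ssh` (second hunk) lets the root-owned daemon authenticate to remote builders with whatever key uid 1337's gpg-agent holds, so any client able to make the daemon open such a connection uses that identity, and builds break whenever that user has no session. A dedicated builder key readable only by root keeps the personal token out of the daemon's reach; if the coupling is intended, the comment should say so: `# nix-daemon (root) authenticates to remote builders via uid 1337's gpg-agent; only works while that user is logged in`. In the first hunk, the second `polkit.addRule` calls `polkit.log` for every action of every user and looks like a debugging leftover that should be removed or limited to the pcsc-lite action ids.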
@ -41,10 +41,6 @@ with import <stockholm/lib>;
|
|||||||
type = types.path;
|
type = types.path;
|
||||||
default = pkgs.writeScript "echo_lol" "echo lol";
|
default = pkgs.writeScript "echo_lol" "echo lol";
|
||||||
};
|
};
|
||||||
vglrun = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
wm = mkOption {
|
wm = mkOption {
|
||||||
#TODO find type
|
#TODO find type
|
||||||
type = types.str;
|
type = types.str;
|
||||||
@ -122,21 +118,14 @@ with import <stockholm/lib>;
|
|||||||
${pkgs.coreutils}/bin/kill $XEPHYR_PID
|
${pkgs.coreutils}/bin/kill $XEPHYR_PID
|
||||||
'';
|
'';
|
||||||
# TODO fix xephyr which doesn't honor resizes anymore
|
# TODO fix xephyr which doesn't honor resizes anymore
|
||||||
sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
|
sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
|
||||||
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
|
|
||||||
'' else ''
|
|
||||||
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
|
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
|
||||||
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
|
${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
|
||||||
|
|
||||||
'');
|
|
||||||
vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
|
|
||||||
DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
|
|
||||||
'';
|
'';
|
||||||
in nameValuePair name {
|
in nameValuePair name {
|
||||||
existing = newOrExisting;
|
existing = newOrExisting;
|
||||||
xephyr = xephyr_;
|
xephyr = xephyr_;
|
||||||
sudo = sudo_;
|
sudo = sudo_;
|
||||||
vglrun = vglrun_;
|
|
||||||
}
|
}
|
||||||
) config.lass.xjail;
|
) config.lass.xjail;
|
||||||
in {
|
in {
|
||||||
@ -161,10 +150,19 @@ with import <stockholm/lib>;
|
|||||||
}
|
}
|
||||||
) config.lass.xjail;
|
) config.lass.xjail;
|
||||||
|
|
||||||
security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
|
security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
|
||||||
# TODO allow just the right script with sudo
|
polkit.addRule(function(action, subject) {
|
||||||
"${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
|
if (
|
||||||
) config.lass.xjail));
|
subject.user == "${cfg.from}" &&
|
||||||
|
action.id == "org.freedesktop.machine1.host-shell" &&
|
||||||
|
action.lookup("user") == "${cfg.user}" &&
|
||||||
|
action.lookup("program") == "${cfg.script}" &&
|
||||||
|
true
|
||||||
|
) {
|
||||||
|
return polkit.Result.YES;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
'') config.lass.xjail));
|
||||||
|
|
||||||
lass.xjail-bins = mapAttrs' (name: cfg:
|
lass.xjail-bins = mapAttrs' (name: cfg:
|
||||||
nameValuePair name (pkgs.writeScriptBin cfg.name ''
|
nameValuePair name (pkgs.writeScriptBin cfg.name ''
|
||||||
|
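Review bot: The polkit rule in the third hunk compares `action.lookup("user")` with `${cfg.user}`, while the `machinectl shell` call in the second hunk passes `--uid=${cfg.name}`, as the removed sudo line did. Unless the module guarantees that both options hold the same value (most option declarations are outside the visible hunks), the rule will not match and the call falls back to interactive authorisation; using one attribute in both places, `action.lookup("user") == "${cfg.name}" &&`, keeps them in step. The rule pins only the program path, so the arguments forwarded through `"$@"` are unconstrained; that is still far narrower than the old `NOPASSWD: ALL`, and a comment such as `# polkit matches the program only; cfg.script must treat its arguments as untrusted` would record it. The trailing `true` in the condition can be dropped.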
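--- a/tv/1systems/bu/config.nix
+++ b/tv/1systems/bu/config.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }: let
+lib = import ../../../lib;
+in {
+
+imports = [
+./disks.nix
+<stockholm/tv>
+<stockholm/tv/2configs/hw/x220.nix>
+<stockholm/tv/2configs/exim-retiolum.nix>
+<stockholm/tv/2configs/gitconfig.nix>
+<stockholm/tv/2configs/pulse.nix>
+<stockholm/tv/2configs/retiolum.nix>
+];
+
+environment.homeBinInPath = true;
+
+krebs.build.host = config.krebs.hosts.bu;
+
+networking.hostId = lib.mkDefault "00000000";
+
+networking.wireless.enable = true;
+networking.useDHCP = false;
+networking.interfaces.enp0s25.useDHCP = true;
+networking.interfaces.wlp3s0.useDHCP = true;
+networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+networking.wireless.interfaces = [
+"wlp3s0"
+];
+
+programs.gnupg.agent.enable = true;
+programs.gnupg.agent.pinentryFlavor = "gtk2";
+
+services.earlyoom.enable = true;
+services.earlyoom.freeMemThreshold = 5;
+systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
+"--prefer '(^|/)chromium$'"
+];
+
+system.stateVersion = "21.11";
+}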
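--- a/tv/1systems/bu/disks.nix
+++ b/tv/1systems/bu/disks.nix
@@ -0,0 +1,19 @@
+{
+boot.initrd.luks.devices.buda2.device = "/dev/sda2";
+fileSystems."/" = {
+device = "buda2/root";
+fsType = "zfs";
+};
+fileSystems."/bku" = {
+device = "buda2/bku";
+fsType = "zfs";
+};
+fileSystems."/home" = {
+device = "buda2/home";
+fsType = "zfs";
+};
+fileSystems."/boot" = {
+device = "/dev/sda1";
+fsType = "vfat";
+};
+}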
@ -10,6 +10,24 @@ with import <stockholm/lib>;
|
|||||||
yearly = { format = "%Y"; };
|
yearly = { format = "%Y"; };
|
||||||
};
|
};
|
||||||
}) {
|
}) {
|
||||||
|
bu-home-wu = {
|
||||||
|
method = "push";
|
||||||
|
src = { host = config.krebs.hosts.bu; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.wu; path = "/bku/bu-home"; };
|
||||||
|
startAt = "05:15";
|
||||||
|
};
|
||||||
|
bu-home-xu = {
|
||||||
|
method = "push";
|
||||||
|
src = { host = config.krebs.hosts.bu; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
|
||||||
|
startAt = "05:20";
|
||||||
|
};
|
||||||
|
bu-home-zu = {
|
||||||
|
method = "push";
|
||||||
|
src = { host = config.krebs.hosts.bu; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
|
||||||
|
startAt = "05:25";
|
||||||
|
};
|
||||||
nomic-home-xu = {
|
nomic-home-xu = {
|
||||||
method = "push";
|
method = "push";
|
||||||
src = { host = config.krebs.hosts.nomic; path = "/home"; };
|
src = { host = config.krebs.hosts.nomic; path = "/home"; };
|
||||||
@ -40,6 +58,12 @@ with import <stockholm/lib>;
|
|||||||
dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; };
|
dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; };
|
||||||
startAt = "05:20";
|
startAt = "05:20";
|
||||||
};
|
};
|
||||||
|
xu-home-bu = {
|
||||||
|
method = "push";
|
||||||
|
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
|
||||||
|
startAt = "04:50";
|
||||||
|
};
|
||||||
xu-home-nomic = {
|
xu-home-nomic = {
|
||||||
method = "push";
|
method = "push";
|
||||||
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
src = { host = config.krebs.hosts.xu; path = "/home"; };
|
||||||
|