Merge remote-tracking branch 'ni/master'

lassulus 2022-12-29 17:46:12 +01:00
commit 59a0ed177a
19 changed files with 420 additions and 384 deletions


@ -1,361 +1,53 @@
with import ../../lib;
{ config, ... }: let
evalHost = hostName: hostConfig: evalSubmodule types.host [
hostConfig
{
name = hostName;
owner = config.krebs.users.tv;
}
(optionalAttrs (hasAttrByPath ["nets" "retiolum"] hostConfig) {
nets.retiolum = {
ip6.addr =
(krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
};
})
(let
pubkey-path = ./wiregrill + "/${hostName}.pub";
in optionalAttrs (pathExists pubkey-path) {
nets.wiregrill = {
aliases = [
"${hostName}.w"
];
ip6.addr =
(krebs.genipv6 "wiregrill" "tv" { inherit hostName; }).address;
wireguard.pubkey = readFile pubkey-path;
};
})
(host: mkIf (host.config.ssh.pubkey != null) {
ssh.privkey = mapAttrs (const mkDefault) {
path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}";
type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
};
})
];
in {
{ config, ... }: {
dns.providers = {
"viljetic.de" = "regfish";
};
hosts = mapAttrs evalHost {
alnus = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";
aliases = [
"alnus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP
/4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs
gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+
q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ
rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU
cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K";
hosts =
mapAttrs
(hostName: hostFile: let
hostSource = import hostFile;
hostConfig = getAttr (typeOf hostSource) {
lambda = hostSource { inherit config lib; };
set = hostSource;
};
};
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
};
au = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.39";
aliases = [
"au.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
};
bu = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";
aliases = [
"bu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
};
};
secure = true;
ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu";
};
hu = {
nets = {
retiolum = {
ip4.addr = "10.243.13.41";
aliases = [
"hu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5
8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO
+D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU
C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe
YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s
Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu";
};
mu = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";
aliases = [
"mu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA
g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE
XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4
o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1
QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs
FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
};
ni = {
extraZones = {
"krebsco.de" = ''
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
krebsco.de. 60 IN MX 5 ni
krebsco.de. 60 IN TXT "v=spf1 mx -all"
tv 300 IN NS ni
'';
};
nets = {
internet = {
ip4 = rec {
addr = "188.68.36.196";
prefix = "${addr}/32";
in evalSubmodule types.host [
hostConfig
{
name = hostName;
owner = config.krebs.users.tv;
}
(optionalAttrs (hasAttrByPath ["nets" "retiolum"] hostConfig) {
nets.retiolum = {
ip6.addr =
(krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
};
ip6 = rec {
addr = "2a03:4000:13:4c::1";
prefix = "${addr}/64";
})
(let
pubkey-path = ./wiregrill + "/${hostName}.pub";
in optionalAttrs (pathExists pubkey-path) {
nets.wiregrill = {
aliases = [
"${hostName}.w"
];
ip6.addr =
(krebs.genipv6 "wiregrill" "tv" { inherit hostName; }).address;
wireguard.pubkey = readFile pubkey-path;
};
aliases = [
"ni.i"
"cgit.ni.i"
];
ssh.port = 11423;
};
retiolum = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.243.113.223";
aliases = [
"ni.r"
"cgit.ni.r"
"krebs.ni.r"
"search.ni.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12
bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6
Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59
OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im
W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2
NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY
nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv
lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ
9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9
q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF
Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE";
};
wiregrill = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.244.3.1";
wireguard.subnets = [
(krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
];
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
};
nomic = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.0.110";
aliases = [
"nomic.r"
"cgit.nomic.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+
qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw
Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu
5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a
OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA
Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
};
wu = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.37";
aliases = [
"wu.r"
"cgit.wu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn
M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT
KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4
4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik
AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
querel = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";
aliases = [
"querel.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz
2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn
bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x
ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh
iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W
xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk
4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf
aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs
UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E
vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA
J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r";
};
xu = {
binary-cache = {
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
};
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.38";
aliases = [
"xu.r"
"cgit.xu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ
uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX
8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw
mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj
4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63
4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
};
zu = {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.40";
aliases = [
"zu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
/NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
};
umz = {
nets.wiregrill.ip4.addr = "10.244.3.101";
};
};
})
(host: mkIf (host.config.ssh.pubkey != null) {
ssh.privkey = mapAttrs (const mkDefault) {
path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}";
type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
};
})
])
(mapAttrs'
(name: type: {
name = removeSuffix ".nix" name;
value = ./hosts + "/${name}";
})
(readDir ./hosts));
sitemap = {
"http://cgit.krebsco.de" = {
desc = "Git repositories";
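Review bot: The new `hosts` expression imports every entry that `readDir ./hosts` returns, because the `type` argument of the `mapAttrs'` lambda is never used and `removeSuffix ".nix"` leaves other names unchanged; a stray non-host file or a subdirectory in that directory would be evaluated as a host owned by `config.krebs.users.tv`. Since this registry is where the hosts' tinc and SSH public keys are declared, it is worth restricting the input, for example `(filterAttrs (name: type: type == "regular" && hasSuffix ".nix" name) (readDir ./hosts))`, assuming `filterAttrs` and `hasSuffix` are in scope through `with import ../../lib;` like the other library functions used here. A host file that evaluates to neither a function nor an attribute set also fails inside `getAttr` with a missing-attribute error, so a short comment above `hostConfig` naming the two accepted forms would help.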

23
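--- a/kartei/tv/hosts/alnus.nix
+++ b/kartei/tv/hosts/alnus.nix
@@ -0,0 +1,23 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.21.1";
+aliases = [
+"alnus.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP
+/4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs
+gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+
+q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ
+rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU
+cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K";
+};
+};
+ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
+}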

24
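--- a/kartei/tv/hosts/au.nix
+++ b/kartei/tv/hosts/au.nix
@@ -0,0 +1,24 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.39";
+aliases = [
+"au.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
+9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
+PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
+PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
+cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
+jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
+}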

24
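--- a/kartei/tv/hosts/bu.nix
+++ b/kartei/tv/hosts/bu.nix
@@ -0,0 +1,24 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.36";
+aliases = [
+"bu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
+hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
+jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
+gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
+sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
+st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu";
+}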

24
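--- a/kartei/tv/hosts/hu.nix
+++ b/kartei/tv/hosts/hu.nix
@@ -0,0 +1,24 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.41";
+aliases = [
+"hu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5
+8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO
++D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU
+C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe
+YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s
+Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu";
+}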

23
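--- a/kartei/tv/hosts/mu.nix
+++ b/kartei/tv/hosts/mu.nix
@@ -0,0 +1,23 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.20.1";
+aliases = [
+"mu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA
+g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE
+XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4
+o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1
+QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs
+FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+#tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C";
+};
+};
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
+}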
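Review bot: `tinc.pubkey_ed25519` is commented out in this file, while the inline `mu` definition shown in the first section of this commit still sets the same value and the other moved hosts that had an Ed25519 key keep theirs. If the key was retired on purpose, the line should say so, e.g. `# tinc.pubkey_ed25519 disabled: <reason>`; otherwise the leading `#` should be dropped so that the move into `hosts/mu.nix` does not change which keys peers are given for this host. How consumers of the host registry treat a missing Ed25519 key is not visible on this page, so the effect on the tinc handshake should be confirmed before merging.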

68
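--- a/kartei/tv/hosts/ni.nix
+++ b/kartei/tv/hosts/ni.nix
@@ -0,0 +1,68 @@
+{ config, lib, ... }: {
+extraZones = {
+"krebsco.de" = ''
+ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
+cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
+cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
+search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
+krebsco.de. 60 IN MX 5 ni
+krebsco.de. 60 IN TXT "v=spf1 mx -all"
+tv 300 IN NS ni
+'';
+};
+nets = {
+internet = {
+ip4 = rec {
+addr = "188.68.36.196";
+prefix = "${addr}/32";
+};
+ip6 = rec {
+addr = "2a03:4000:13:4c::1";
+prefix = "${addr}/64";
+};
+aliases = [
+"ni.i"
+"cgit.ni.i"
+];
+ssh.port = 11423;
+};
+retiolum = {
+via = config.krebs.hosts.ni.nets.internet;
+ip4.addr = "10.243.113.223";
+aliases = [
+"ni.r"
+"cgit.ni.r"
+"krebs.ni.r"
+"search.ni.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12
+bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6
+Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59
+OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im
+W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2
+NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY
+nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv
+lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ
+9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9
+q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF
+Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ==
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE";
+};
+wiregrill = {
+via = config.krebs.hosts.ni.nets.internet;
+ip4.addr = "10.244.3.1";
+wireguard.subnets = [
+(lib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
+];
+};
+};
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
+}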

25
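--- a/kartei/tv/hosts/nomic.nix
+++ b/kartei/tv/hosts/nomic.nix
@@ -0,0 +1,25 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.0.110";
+aliases = [
+"nomic.r"
+"cgit.nomic.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+
+qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw
+Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu
+5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a
+OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA
+Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
+}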


@ -0,0 +1,27 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";
aliases = [
"querel.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz
2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn
bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x
ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh
iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W
xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk
4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf
aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs
UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E
vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA
J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r";
}

3
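--- a/kartei/tv/hosts/umz.nix
+++ b/kartei/tv/hosts/umz.nix
@@ -0,0 +1,3 @@
+{
+nets.wiregrill.ip4.addr = "10.244.3.101";
+}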

25
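--- a/kartei/tv/hosts/wu.nix
+++ b/kartei/tv/hosts/wu.nix
@@ -0,0 +1,25 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.37";
+aliases = [
+"wu.r"
+"cgit.wu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn
+M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg
+GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT
+KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4
+4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik
+AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
+}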

28
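--- a/kartei/tv/hosts/xu.nix
+++ b/kartei/tv/hosts/xu.nix
@@ -0,0 +1,28 @@
+{
+binary-cache = {
+pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
+};
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.38";
+aliases = [
+"xu.r"
+"cgit.xu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ
+uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX
+8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw
+mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj
+4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63
+4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
+}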

23
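--- a/kartei/tv/hosts/zu.nix
+++ b/kartei/tv/hosts/zu.nix
@@ -0,0 +1,23 @@
+{
+ci = true;
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.40";
+aliases = [
+"zu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
+idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
+BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
+OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
+/NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
+b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+};
+};
+secure = true;
+ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
+}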


@ -108,7 +108,7 @@ let
};
imp = {
krebs.systemd.services.exim = {};
krebs.systemd.services.exim.restartIfCredentialsChange = true;
systemd.services.exim.serviceConfig.LoadCredential =
map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
krebs.exim = {


@ -159,7 +159,9 @@ let
) cfg.repos;
krebs.systemd.services = mapAttrs' (name: _:
nameValuePair "repo-sync-${name}" {}
nameValuePair "repo-sync-${name}" {
restartIfCredentialsChange = true;
}
) cfg.repos;
systemd.services = mapAttrs' (name: repo:


@ -3,14 +3,28 @@
body.options.krebs.systemd.services = lib.mkOption {
default = {};
type = lib.types.attrsOf (lib.types.submodule {
type = lib.types.attrsOf (lib.types.submodule (cfg_: let
serviceName = cfg_.config._module.args.name;
cfg = config.systemd.services.${serviceName} // cfg_.config;
in {
options = {
credentialPaths = lib.mkOption {
default =
lib.sort
lib.lessThan
(lib.filter
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(lib.toList cfg.serviceConfig.LoadCredential)));
readOnly = true;
};
credentialUnitName = lib.mkOption {
default = "trigger-${lib.systemd.encodeName serviceName}";
readOnly = true;
};
restartIfCredentialsChange = lib.mkOption {
# Enabling this by default only makes sense here as the user already
# bothered to write down krebs.systemd.services.* = {}. If this
# functionality gets upstreamed to systemd.services, restarting
# should be disabled by default.
default = true;
default = false;
description = ''
Whether to restart the service whenever any of its credentials
change. Only credentials with an absolute path in LoadCredential=
@ -19,30 +33,40 @@
type = lib.types.bool;
};
};
});
}));
};
body.config = {
systemd.paths = lib.mapAttrs' (serviceName: _:
lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged =
lib.filter
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(lib.toList
config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
}
) config.krebs.systemd.services;
body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
paths.${cfg.credentialUnitName} = {
wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged = cfg.credentialPaths;
};
services.${cfg.credentialUnitName} = {
serviceConfig = {
Type = "oneshot";
StateDirectory = "credentials";
ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
set -efu
systemd.services = lib.mapAttrs' (serviceName: cfg:
lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
};
}
) config.krebs.systemd.services;
};
PATH=${lib.makeBinPath [
pkgs.coreutils
pkgs.diffutils
pkgs.systemd
]}
cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
trap 'rm -f "$tmpfile"' EXIT
sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
exit
fi
mv "$tmpfile" "$cache"
systemctl restart ${lib.shell.escape serviceName}
'';
};
};
}) config.krebs.systemd.services);
}
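Review bot: `restartIfCredentialsChange` now defaults to `false` and the callers in this commit set it to `true`, but nothing visible in either hunk reads it: `body.config.systemd` creates the path unit and the trigger service for every entry of `config.krebs.systemd.services`. Unless the option is consumed outside these hunks, an entry left at the default is still restarted when its credentials change; wrapping the generated attribute set in `lib.mkIf cfg.restartIfCredentialsChange { … }` would make the option effective. In the trigger script, `sha1sum ${toString cfg.credentialPaths}` puts the paths into the shell unquoted, so a credential path containing whitespace is split into several arguments; `${toString (map lib.shell.escape cfg.credentialPaths)}` would match the escaping already applied to `serviceName`.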


@ -232,6 +232,7 @@ with import <stockholm/lib>;
) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: {
restartIfCredentialsChange = true;
}) config.krebs.tinc;
systemd.services = mapAttrs (netname: cfg: {


@ -127,7 +127,7 @@ in {
})
];
krebs.systemd.services.ejabberd = {};
krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];


@ -26,7 +26,7 @@ in {
};
};
config = mkIf cfg.enable {
krebs.systemd.services.x0vncserver = {};
krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true;
systemd.services.x0vncserver = {
after = [ "graphical.target" ];
requires = [ "graphical.target" ];