diff --git a/krebs/2configs/binary-cache/prism.nix b/krebs/2configs/binary-cache/prism.nix
index 46b386e14..51b4a1afc 100644
--- a/krebs/2configs/binary-cache/prism.nix
+++ b/krebs/2configs/binary-cache/prism.nix
@@ -3,7 +3,7 @@
 {
 nix = {
 binaryCaches = [
- "http://cache.prism.r"
+ "https://cache.krebsco.de"
 ];
 binaryCachePublicKeys = [
 "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
index 056667d8c..74f345614 100644
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -1,4 +1,4 @@
-{lib, ... }:
+{ pkgs, lib, ... }:
 with lib;
 let
 domain = "cache.nsupdate.info";
@@ -17,9 +17,13 @@ in {
 };
 krebs.cachecache = {
 enable = true;
- enableSSL = false; # disable letsencrypt for testing
+ enableSSL = true; # disable letsencrypt for testing
 cacheDir = "/var/cache/nix-cache-cache";
 maxSize = "10g";
+ indexFile = pkgs.fetchurl { url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html"; sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0"; };
 # assumes that the domain is reachable from the internet
 virtualHost = domain;
diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix
index 88b7e1072..a8c658858 100644
--- a/krebs/2configs/news-spam.nix
+++ b/krebs/2configs/news-spam.nix
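Review bot: The comment on the `enableSSL` line now says the opposite of what the line does — the value was flipped to `true` but `# disable letsencrypt for testing` was kept; replace it with `enableSSL = true; # letsencrypt-backed TLS; the host must be reachable from the internet` or drop it. On the `indexFile` lines the `sha256` pins the content, so a changed upstream page fails the build instead of being served silently, but the `url` points at the mutable `master` branch and the build will therefore break the first time that repository changes; a commit-pinned raw URL keeps the fetch reproducible. The `krebs.cachecache` attrset continues past the end of the hunk.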
@@ -4,161 +4,161 @@ krebs.newsbot-js.news-spam = { urlShortenerHost = "go.lassul.us"; feeds = pkgs.writeText "feeds" '' - [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews - [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews - [SPAM]antirez|http://antirez.com/rss|#snews - [SPAM]archlinux|http://www.archlinux.org/feeds/news/|#snews - [SPAM]ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews - [SPAM]augustl|http://augustl.com/atom.xml|#snews - [SPAM]bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews - [SPAM]bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews - [SPAM]bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews - [SPAM]bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews - [SPAM]bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews - [SPAM]bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews - [SPAM]cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews - [SPAM]carta|http://feeds2.feedburner.com/carta-standard-rss|#snews - [SPAM]catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews - [SPAM]cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews - [SPAM]cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews - [SPAM]cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews - [SPAM]cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews - [SPAM]cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews - [SPAM]ccc|http://www.ccc.de/rss/updates.rdf|#snews - [SPAM]chan_biz|http://boards.4chan.org/biz/index.rss|#snews - [SPAM]chan_g|http://boards.4chan.org/g/index.rss|#snews - [SPAM]chan_int|http://boards.4chan.org/int/index.rss|#snews - [SPAM]chan_sci|http://boards.4chan.org/sci/index.rss|#snews - [SPAM]chan_x|http://boards.4chan.org/x/index.rss|#snews - 
[SPAM]c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews - [SPAM]cryptogon|http://www.cryptogon.com/?feed=rss2|#snews - [SPAM]csm|http://rss.csmonitor.com/feeds/csm|#snews - [SPAM]csm_world|http://rss.csmonitor.com/feeds/world|#snews - [SPAM]danisch|http://www.danisch.de/blog/feed/|#snews - [SPAM]dod|http://www.defense.gov/news/afps2.xml|#snews - [SPAM]dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews - [SPAM]ecat|http://ecat.com/feed|#snews - [SPAM]eia_press|http://www.eia.gov/rss/press_rss.xml|#snews - [SPAM]eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews - [SPAM]embargowatch|https://embargowatch.wordpress.com/feed/|#snews - [SPAM]ethereum-comments|http://blog.ethereum.org/comments/feed|#snews - [SPAM]ethereum|http://blog.ethereum.org/feed|#snews - [SPAM]europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews - [SPAM]eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews - [SPAM]exploitdb|http://www.exploit-db.com/rss.xml|#snews - [SPAM]fars|http://www.farsnews.com/rss.php|#snews #test - [SPAM]faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews - [SPAM]faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews - [SPAM]faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews - [SPAM]fbi|https://www.fbi.gov/news/rss.xml|#snews - [SPAM]fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews - [SPAM]fefe|http://blog.fefe.de/rss.xml|#snews - [SPAM]forbes|http://www.forbes.com/forbes/feed2/|#snews - [SPAM]forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews - [SPAM]fox|http://feeds.foxnews.com/foxnews/latest|#snews - [SPAM]geheimorganisation|http://geheimorganisation.org/feed/|#snews - [SPAM]GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews - [SPAM]gmanet|http://www.gmanetwork.com/news/rss/news|#snews - [SPAM]golem|http://rss.golem.de/rss.php|#snews - [SPAM]google|http://news.google.com/?output=rss|#snews - 
[SPAM]greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews - [SPAM]guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews - [SPAM]gulli|http://ticker.gulli.com/rss/|#snews - [SPAM]hackernews|https://news.ycombinator.com/rss|#snews - [SPAM]handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews - [SPAM]heise|https://www.heise.de/newsticker/heise-atom.xml|#snews - [SPAM]hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews - [SPAM]hindu|http://www.thehindu.com/?service=rss|#snews - [SPAM]ign|http://feeds.ign.com/ign/all|#snews - [SPAM]independent|http://www.independent.com/rss/headlines/|#snews - [SPAM]indymedia|https://de.indymedia.org/rss.xml|#snews - [SPAM]info_libera|http://www.informationliberation.com/rss.xml|#snews - [SPAM]klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews - [SPAM]korea_herald|http://www.koreaherald.com/rss_xml.php|#snews - [SPAM]linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews - [SPAM]lisp|http://planet.lisp.org/rss20.xml|#snews - [SPAM]liveleak|http://www.liveleak.com/rss|#snews - [SPAM]lolmythesis|http://lolmythesis.com/rss|#snews - [SPAM]LtU|http://lambda-the-ultimate.org/rss.xml|#snews - [SPAM]lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews - [SPAM]mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews - [SPAM]mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews - [SPAM]nds|http://www.nachdenkseiten.de/?feed=atom|#snews - [SPAM]netzpolitik|https://netzpolitik.org/feed/|#snews - [SPAM]newsbtc|http://newsbtc.com/feed/|#snews - [SPAM]nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews - [SPAM]npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews - [SPAM]npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews - [SPAM]npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews - [SPAM]npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews - 
[SPAM]nsa|https://www.nsa.gov/rss.xml|#snews #bullerei - [SPAM]nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews - [SPAM]painload|https://github.com/krebs/painload/commits/master.atom|#snews - [SPAM]phys|http://phys.org/rss-feed/|#snews - [SPAM]piraten|https://www.piratenpartei.de/feed/|#snews - [SPAM]polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews - [SPAM]presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews - [SPAM]presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews - [SPAM]prisonplanet|http://prisonplanet.com/feed.rss|#snews - [SPAM]rawstory|http://www.rawstory.com/rs/feed/|#snews - [SPAM]reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews - [SPAM]reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews - [SPAM]reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews - [SPAM]reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews - [SPAM]reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews - [SPAM]reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews - [SPAM]reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews - [SPAM]reddit_sci|http://www.reddit.com/r/science/.rss|#snews - [SPAM]reddit_tech|http://www.reddit.com/r/technology/.rss|#snews - [SPAM]reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews - [SPAM]reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews - [SPAM]r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews - [SPAM]reuters|http://feeds.reuters.com/Reuters/worldNews|#snews - [SPAM]reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews - [SPAM]rt|http://rt.com/rss/news/|#snews - [SPAM]schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews - [SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews - [SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews - [SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews - 
[SPAM]shackspace|http://shackspace.de/atom.xml|#snews - [SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews - [SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews - [SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews - [SPAM]sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews - [SPAM]sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews - [SPAM]sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews - [SPAM]slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews - [SPAM]slate|http://feeds.slate.com/slate|#snews - [SPAM]spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews - [SPAM]spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews - [SPAM]standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews - [SPAM]stern|http://www.stern.de/feed/standard/all/|#snews - [SPAM]stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews - [SPAM]sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews - [SPAM]sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews - [SPAM]sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews - [SPAM]tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews - [SPAM]taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews - [SPAM]telegraph|http://www.telegraph.co.uk/rss.xml|#snews - [SPAM]telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews - [SPAM]the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews - [SPAM]tigsource|http://www.tigsource.com/feed/|#snews - [SPAM]tinc|http://tinc-vpn.org/news/index.rss|#snews - [SPAM]torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews - [SPAM]torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews - [SPAM]torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews - [SPAM]travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews - [SPAM]un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews - 
[SPAM]un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews - [SPAM]un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews - [SPAM]un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews - [SPAM]un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews - [SPAM]un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews - [SPAM]us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews - [SPAM]vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews - [SPAM]weechat|http://dev.weechat.org/feed/atom|#snews - [SPAM]xkcd|https://xkcd.com/rss.xml|#snews - [SPAM]zdnet|http://www.zdnet.com/news/rss.xml|#snews + _aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews + _allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews + _antirez|http://antirez.com/rss|#snews + _archlinux|http://www.archlinux.org/feeds/news/|#snews + _ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews + _augustl|http://augustl.com/atom.xml|#snews + _bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews + _bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews + _bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews + _bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews + _bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews + _bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews + _cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews + _carta|http://feeds2.feedburner.com/carta-standard-rss|#snews + _catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews + _cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews + _cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews + _cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews + _cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews + 
_cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews + _ccc|http://www.ccc.de/rss/updates.rdf|#snews + _chan_biz|http://boards.4chan.org/biz/index.rss|#snews + _chan_g|http://boards.4chan.org/g/index.rss|#snews + _chan_int|http://boards.4chan.org/int/index.rss|#snews + _chan_sci|http://boards.4chan.org/sci/index.rss|#snews + _chan_x|http://boards.4chan.org/x/index.rss|#snews + _c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews + _cryptogon|http://www.cryptogon.com/?feed=rss2|#snews + _csm|http://rss.csmonitor.com/feeds/csm|#snews + _csm_world|http://rss.csmonitor.com/feeds/world|#snews + _danisch|http://www.danisch.de/blog/feed/|#snews + _dod|http://www.defense.gov/news/afps2.xml|#snews + _dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews + _ecat|http://ecat.com/feed|#snews + _eia_press|http://www.eia.gov/rss/press_rss.xml|#snews + _eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews + _embargowatch|https://embargowatch.wordpress.com/feed/|#snews + _ethereum-comments|http://blog.ethereum.org/comments/feed|#snews + _ethereum|http://blog.ethereum.org/feed|#snews + _europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews + _eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews + _exploitdb|http://www.exploit-db.com/rss.xml|#snews + _fars|http://www.farsnews.com/rss.php|#snews #test + _faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews + _faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews + _faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews + _fbi|https://www.fbi.gov/news/rss.xml|#snews + _fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews + _fefe|http://blog.fefe.de/rss.xml|#snews + _forbes|http://www.forbes.com/forbes/feed2/|#snews + _forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews + _fox|http://feeds.foxnews.com/foxnews/latest|#snews + _geheimorganisation|http://geheimorganisation.org/feed/|#snews + 
_GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews + _gmanet|http://www.gmanetwork.com/news/rss/news|#snews + _golem|http://rss.golem.de/rss.php|#snews + _google|http://news.google.com/?output=rss|#snews + _greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews + _guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews + _gulli|http://ticker.gulli.com/rss/|#snews + _hackernews|https://news.ycombinator.com/rss|#snews + _handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews + _heise|https://www.heise.de/newsticker/heise-atom.xml|#snews + _hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews + _hindu|http://www.thehindu.com/?service=rss|#snews + _ign|http://feeds.ign.com/ign/all|#snews + _independent|http://www.independent.com/rss/headlines/|#snews + _indymedia|https://de.indymedia.org/rss.xml|#snews + _info_libera|http://www.informationliberation.com/rss.xml|#snews + _klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews + _korea_herald|http://www.koreaherald.com/rss_xml.php|#snews + _linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews + _lisp|http://planet.lisp.org/rss20.xml|#snews + _liveleak|http://www.liveleak.com/rss|#snews + _lolmythesis|http://lolmythesis.com/rss|#snews + _LtU|http://lambda-the-ultimate.org/rss.xml|#snews + _lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews + _mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews + _mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews + _nds|http://www.nachdenkseiten.de/?feed=atom|#snews + _netzpolitik|https://netzpolitik.org/feed/|#snews + _newsbtc|http://newsbtc.com/feed/|#snews + _nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews + _npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews + _npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews + 
_npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews + _npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews + _nsa|https://www.nsa.gov/rss.xml|#snews #bullerei + _nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews + _painload|https://github.com/krebs/painload/commits/master.atom|#snews + _phys|http://phys.org/rss-feed/|#snews + _piraten|https://www.piratenpartei.de/feed/|#snews + _polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews + _presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews + _presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews + _prisonplanet|http://prisonplanet.com/feed.rss|#snews + _rawstory|http://www.rawstory.com/rs/feed/|#snews + _reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews + _reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews + _reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews + _reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews + _reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews + _reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews + _reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews + _reddit_sci|http://www.reddit.com/r/science/.rss|#snews + _reddit_tech|http://www.reddit.com/r/technology/.rss|#snews + _reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews + _reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews + _r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews + _reuters|http://feeds.reuters.com/Reuters/worldNews|#snews + _reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews + _rt|http://rt.com/rss/news/|#snews + _schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews + _sciencemag|http://news.sciencemag.org/rss/current.xml|#snews + _scmp|http://www.scmp.com/rss/91/feed|#snews + _sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews + _shackspace|http://shackspace.de/atom.xml|#snews + 
_shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews + _sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews + _sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews + _sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews + _sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews + _sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews + _slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews + _slate|http://feeds.slate.com/slate|#snews + _spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews + _spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews + _standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews + _stern|http://www.stern.de/feed/standard/all/|#snews + _stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews + _sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews + _sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews + _sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews + _tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews + _taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews + _telegraph|http://www.telegraph.co.uk/rss.xml|#snews + _telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews + _the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews + _tigsource|http://www.tigsource.com/feed/|#snews + _tinc|http://tinc-vpn.org/news/index.rss|#snews + _torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews + _torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews + _torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews + _travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews + _un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews + _un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews + _un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews + _un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews + 
_un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews
+ _un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews
+ _us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
+ _vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
+ _weechat|http://dev.weechat.org/feed/atom|#snews
+ _xkcd|https://xkcd.com/rss.xml|#snews
+ _zdnet|http://www.zdnet.com/news/rss.xml|#snews
 '';
 };
 }
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index 677b6f7b8..669483f3c 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -8,7 +8,7 @@ let
 out = {
 options.krebs.Reaktor = api;
- config = imp;
+ config = mkIf (cfg != {}) imp;
 };
 api = mkOption {
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index dd29a4e17..e12367b7c 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -143,12 +143,12 @@ let
 ) cfg.servers;
 users.extraUsers.bepasty = {
- uid = genid "bepasty";
+ uid = genid_uint31 "bepasty";
 group = "bepasty";
 home = "/var/lib/bepasty-server";
 };
 users.extraGroups.bepasty = {
- gid = genid "bepasty";
+ gid = genid_uint31 "bepasty";
 };
 };
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
index 989320480..2c2d07ff5 100644
--- a/krebs/3modules/cachecache.nix
+++ b/krebs/3modules/cachecache.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
 # fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
@@ -59,15 +59,6 @@ in
 '';
 };
- # webRoot = mkOption {
- # type = types.str;
- # default = "/";
- # description = ''
- # Directory on virtual host that serves the cache. Must end in
- # /.
- # '';
- # };
 resolver = mkOption {
 type = types.str;
 description = "Address of DNS resolver.";
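Review bot: Switching the `uid` and `gid` of `bepasty` from `genid` to `genid_uint31` changes the numeric ids on every host that already has this user, yet nothing in the hunk migrates ownership of `home = "/var/lib/bepasty-server"`: existing files keep the old numeric owner, the service can lose access to its own data, and the now-unused id can later be handed to an unrelated account. I'd add a preStart step such as `chown -R bepasty:bepasty /var/lib/bepasty-server`, or record the one-off migration in the commit message. `genid_uint31` is defined outside this file, so whether it ever yields the same id as `genid` for this name is inferred from the rename alone. The enclosing attrset starts before the hunk.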
@@ -82,6 +73,13 @@ in
 Where nginx should store cached data.
 '';
 };
+ indexFile = mkOption {
+ type = types.path;
+ default = pkgs.writeText "myindex" "hello world";
+ description = ''
+ Path to index.html file.
+ '';
+ };
 maxSize = mkOption {
 type = types.str;
@@ -98,6 +96,7 @@ in
 systemd.services.nginx.preStart = ''
 mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
 chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
 chown ${nginxCfg.user}:${nginxCfg.group} \
 ${cfg.cacheDir} /srv/www/nix-cache-cache
 '';
@@ -143,6 +142,7 @@ in
 locations."/" = {
 root = "/srv/www/nix-cache-cache";
+ index = "index.html";
 extraConfig = ''
 expires max;
 add_header Cache-Control $nix_cache_cache_header always;
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 24cbd9cc9..2e7c61fb5 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -109,6 +109,7 @@ let
 };
 imp = lib.mkMerge [
+ { krebs = import ./external { inherit config; }; }
 { krebs = import ./jeschli { inherit config; }; }
 { krebs = import ./krebs { inherit config; }; }
 { krebs = import ./lass { inherit config; }; }
@@ -121,6 +122,7 @@ let
 shack = "hosts";
 i = "hosts";
 r = "hosts";
+ w = "hosts";
 };
 krebs.users = {
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
new file mode 100644
index 000000000..02d28ddc8
--- /dev/null
+++ b/krebs/3modules/external/default.nix
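Review bot: `index = "index.html";` is added to a location whose `extraConfig` already sets `expires max;`, so the landing page is delivered with a far-future `Expires` and browsers and intermediate proxies may keep it indefinitely; once `indexFile` changes, returning visitors still see the old page. Give the index a dedicated `locations."= /index.html"` block with the same `root` and a short `expires 1h;`, and keep `expires max` for the content-addressed nar/narinfo paths. The `Cache-Control` header comes from `$nix_cache_cache_header`, which is defined outside this hunk, so I cannot tell whether it already overrides the long expiry for `/`. The `locations."/"` attrset continues past the end of the hunk.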
@@ -0,0 +1,306 @@ +with import ; +{ config, ... }: let + + hostDefaults = hostName: host: flip recursiveUpdate host ({ + ci = false; + external = true; + monitoring = false; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum.ip6.addr = + (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; + }); + +in { + hosts = mapAttrs hostDefaults { + sokrateslaptop = { + owner = config.krebs.users.sokratess; + nets = { + retiolum = { + ip4.addr = "10.243.142.104"; + aliases = [ + "sokrateslaptop.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2 + t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ + rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW + egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5 + aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V + VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + kruck = { + owner = config.krebs.users.palo; + nets = { + retiolum = { + ip4.addr = "10.243.29.201"; + aliases = [ + "kruck.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh + QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA + EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U + uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/ + /RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR + 9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s + qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH + gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj + jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs + fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5 + TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + scardanelli = { + 
owner = config.krebs.users.kmein; + nets = { + retiolum = { + ip4.addr = "10.243.2.2"; + aliases = [ + "scardanelli.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/ + MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge + UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi + kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0 + gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx + we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY + QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm + SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL + 2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f + m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q + FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5 + lM61fOMcVW1KREdWypiDtu8CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; + homeros = { + owner = config.krebs.users.kmein; + nets = { + retiolum = { + ip4.addr = "10.243.2.1"; + aliases = [ + "homeros.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd + ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc + 6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v + RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd + vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3 + +LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc + QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm + fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh + VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7 + k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX + gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N + mJ/hywVtvLxNkNimyztoKKMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; + 
turingmachine = { + owner = config.krebs.users.Mic92; + nets = { + retiolum = { + ip4.addr = "10.243.29.168"; + aliases = [ + "turingmachine.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C + t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9 + 6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8 + ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g + nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06 + 5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT + 1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1 + gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl + DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL + W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW + OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + eddie = { + owner = config.krebs.users.Mic92; + nets = rec { + internet = { + # eddie.thalheim.io + ip4.addr = "129.215.197.11"; + aliases = [ "eddie.i" ]; + }; + retiolum = { + via = internet; + addrs = [ + config.krebs.hosts.eddie.nets.retiolum.ip4.addr + config.krebs.hosts.eddie.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.170"; + aliases = [ "eddie.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d + j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm + 3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF + 2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua + KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq + iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t + 6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD + kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u + 
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay + pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ + lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.subnets = [ + # edinburgh university + "129.215.0.0/16" + ]; + }; + }; + }; + rock = { + owner = config.krebs.users.Mic92; + nets = { + retiolum = { + ip4.addr = "10.243.29.171"; + aliases = [ "rock.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM + DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7 + HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh + mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf + Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M + Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD + 91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4 + fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv + 3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav + ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q + cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + inspector = { + owner = config.krebs.users.Mic92; + nets = rec { + internet = { + ip4.addr = "141.76.44.154"; + aliases = [ "inspector.i" ]; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.29.172"; + aliases = [ "inspector.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG + EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ + 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF + m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw + WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd + eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 + 
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau + ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x + B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG + q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj + 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + dpdkm = { + owner = config.krebs.users.Mic92; + nets = rec { + retiolum = { + ip4.addr = "10.243.29.173"; + aliases = [ "dpdkm.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj + NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp + qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP + X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn + f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa + bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL + Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T + B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w + tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n + dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls + mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + eve = { + owner = config.krebs.users.Mic92; + nets = rec { + internet = { + # eve.thalheim.io + ip4.addr = "188.68.39.17"; + ip6.addr = "2a03:4000:13:31e::1"; + aliases = [ "eve.i" ]; + }; + retiolum = { + via = internet; + addrs = [ + config.krebs.hosts.eve.nets.retiolum.ip4.addr + config.krebs.hosts.eve.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.174"; + aliases = [ "eve.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH + XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82 + 
08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk + 6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI + +xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3 + dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW + pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP + c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi + YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI + 61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13 + Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + users = { + Mic92 = { + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"; + mail = "joerg@higgsboson.tk"; + }; + kmein = { + }; + palo = { + }; + sokratess = { + }; + }; +} + diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 5a5065565..e89b86e32 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -53,7 +53,7 @@ let imp = { users.users.fetchWallpaper = { name = "fetchWallpaper"; - uid = genid "fetchWallpaper"; + uid = genid_uint31 "fetchWallpaper"; description = "fetchWallpaper user"; home = cfg.stateDir; createHome = true; diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index f6b4e3c69..895d9b3b6 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -427,7 +427,7 @@ let system.activationScripts.cgit = '' mkdir -m 0770 -p ${cfg.cgit.settings.cache-root} chmod 0770 ${cfg.cgit.settings.cache-root} - chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} + chown ${toString cfg.cgit.fcgiwrap.user.name}:${toString cfg.cgit.fcgiwrap.group.name} ${cfg.cgit.settings.cache-root} ''; services.nginx.virtualHosts.cgit = { 
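Review bot: The uid this user receives changes with the switch from `genid` to `genid_uint31`, and nothing in the hunk re-owns data created under the previous id; since `createHome = true` presumably only creates and chowns `cfg.stateDir` itself, files inside it would keep the old numeric owner after the next activation and the service could lose access to its own state. Either add a one-off `chown -R` of `cfg.stateDir` to the `fetchWallpaper` user in an activation script, or state in the commit message that existing deployments need re-owning by hand. The same applies to the `users.extraUsers.tinc_graphs` hunk in krebs/3modules/tinc_graphs.nix, whose home is `/var/spool/tinc_graphs`. The enclosing `imp` attribute set starts and ends outside the hunk.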
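Review bot: `chown` now resolves `cfg.cgit.fcgiwrap.user.name` and `.group.name` through the user database instead of using fixed numeric ids, so this activation script depends on the `users` activation script having run first; if `system.activationScripts.cgit` is declared as a plain string without `deps = [ "users" ]` (its declaration starts outside the hunk) the first activation on a fresh host may fail with an unknown user. Declaring it as `{ deps = [ "users" ]; text = ''…''; }` would pin the order. The `toString` wrappers are now no-ops on strings and can be dropped: `chown ${cfg.cgit.fcgiwrap.user.name}:${cfg.cgit.fcgiwrap.group.name} ${cfg.cgit.settings.cache-root}`.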
diff --git a/krebs/3modules/jeschli/default.nix b/krebs/3modules/jeschli/default.nix index 4bae31b31..9f5b1bd6a 100644 --- a/krebs/3modules/jeschli/default.nix +++ b/krebs/3modules/jeschli/default.nix @@ -1,17 +1,20 @@ -{ config, ... }: - with import ; +{ config, ... }: let -{ - hosts = mapAttrs (_: recursiveUpdate { - owner = config.krebs.users.jeschli; + hostDefaults = hostName: host: flip recursiveUpdate host ({ ci = true; - }) { + owner = config.krebs.users.jeschli; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum.ip6.addr = + (krebs.genipv6 "retiolum" "jeschli" { inherit hostName; }).address; + }); + +in { + hosts = mapAttrs hostDefaults { brauerei = { nets = { retiolum = { ip4.addr = "10.243.27.29"; - ip6.addr = "42::29"; aliases = [ "brauerei.r" ]; @@ -55,7 +58,6 @@ with import ; retiolum = { via = internet; ip4.addr = "10.243.27.30"; - ip6.addr = "42::30"; aliases = [ "enklave.r" "cgit.enklave.r" @@ -94,7 +96,6 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.27.31"; - ip6.addr = "42::31"; aliases = [ "bolide.r" ]; diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 889ee2817..72c16711c 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -1,20 +1,24 @@ -{ config, ... }: - with import ; -let +{ config, ... }: let + + hostDefaults = hostName: host: flip recursiveUpdate host ({ + owner = config.krebs.users.krebs; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum.ip6.addr = + (krebs.genipv6 "retiolum" "krebs" { inherit hostName; }).address; + }); + testHosts = genAttrs [ "test-arch" "test-centos6" "test-centos7" "test-all-krebs-modules" ] (name: { - owner = config.krebs.users.krebs; inherit name; cores = 1; nets = { retiolum = { ip4.addr = "10.243.73.57"; - ip6.addr = "42:0:0:0:0:0:0:7357"; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd 
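Review bot: `hostDefaults` is copied nearly verbatim into krebs/3modules/krebs/default.nix (same line), krebs/3modules/makefu/default.nix and krebs/3modules/tv/default.nix, differing only in the owner attribute and the user-name string handed to `krebs.genipv6`; a single lib-level helper taking that name once, e.g. `mkHostDefaults = user: hostName: host: …`, would keep the copies from drifting. The `optionalAttrs (host.nets?retiolum)` guard assigns a generated `ip6.addr` to every host that has a retiolum net, and because `flip recursiveUpdate host` lets host attributes win, an explicit `ip6.addr` still overrides it; a one-line comment on `hostDefaults` saying exactly that would help, since the hand-written addresses removed in the later hunks make the new behaviour easy to miss.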
@@ -29,14 +33,12 @@ let }; }); in { - hosts = { + hosts = mapAttrs hostDefaults ({ hotdog = { ci = true; - owner = config.krebs.users.krebs; nets = { retiolum = { ip4.addr = "10.243.77.3"; - ip6.addr = "42:0:0:0:0:0:77:3"; aliases = [ "hotdog.r" "build.r" @@ -61,11 +63,9 @@ in { }; onebutton = { cores = 1; - owner = config.krebs.users.krebs; nets = { retiolum = { ip4.addr = "10.243.0.101"; - ip6.addr = "42:0:0:0:0:0:0:101"; aliases = [ "onebutton.r" ]; @@ -92,11 +92,9 @@ in { }; puyak = { ci = true; - owner = config.krebs.users.krebs; nets = { retiolum = { ip4.addr = "10.243.77.2"; - ip6.addr = "42:0:0:0:0:0:77:2"; aliases = [ "puyak.r" "build.puyak.r" @@ -120,7 +118,6 @@ in { }; wolf = { ci = true; - owner = config.krebs.users.krebs; nets = { shack = { ip4.addr = "10.42.2.150" ; @@ -135,7 +132,6 @@ in { }; retiolum = { ip4.addr = "10.243.77.1"; - ip6.addr = "42:0:0:0:0:0:77:1"; aliases = [ "wolf.r" "build.wolf.r" @@ -157,7 +153,7 @@ in { ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR"; }; - } // testHosts; + } // testHosts); users = { krebs = { pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 12345a20a..1117dc61c 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,16 +1,20 @@ -{ config, ... }: - with import ; +{ config, ... }: let -{ + hostDefaults = hostName: host: flip recursiveUpdate host { + ci = true; + monitoring = true; + owner = config.krebs.users.lass; + }; + + r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; + w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; + +in { dns.providers = { "lassul.us" = "zones"; }; - hosts = mapAttrs (_: recursiveUpdate { - owner = config.krebs.users.lass; - ci = true; - monitoring = true; - }) { + hosts = mapAttrs hostDefaults { prism = rec { cores = 4; extraZones = { 
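Review bot: lass's `hostDefaults` takes a `hostName` argument it never uses, and unlike the jeschli/krebs/makefu/tv variants it generates no retiolum `ip6.addr`, so a host whose hand-written address is removed without an `r6` replacement is left without one: archprism in the `@@ -103,7 +118,6 @@` hunk loses `42:0:0:0:0:0:0:123` and gets nothing back, unless a default is applied elsewhere. Either give archprism an `ip6.addr = r6 "<suffix>";` like its siblings, or drop the unused parameter (`hostDefaults = _: host: …`) if the difference is intentional.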
@@ -50,7 +54,7 @@ with import ; retiolum = { via = internet; ip4.addr = "10.243.0.103"; - ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab"; + ip6.addr = r6 "1"; aliases = [ "prism.r" "cache.prism.r" @@ -85,11 +89,22 @@ with import ; -----END RSA PUBLIC KEY----- ''; }; + wiregrill = { + via = internet; + ip4.addr = "10.244.1.1"; + ip6.addr = w6 "1"; + aliases = [ + "prism.w" + ]; + wireguard = { + pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk="; + subnets = [ "10.244.1.0/24" "42:1::/32" ]; + }; + }; }; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; }; - archprism = { cores = 1; nets = rec { @@ -103,7 +118,6 @@ with import ; retiolum = { via = internet; ip4.addr = "10.243.0.123"; - ip6.addr = "42:0:0:0:0:0:0:123"; aliases = [ "archprism.r" ]; @@ -129,32 +143,13 @@ with import ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; }; - domsen-nas = { - ci = false; - monitoring = false; - external = true; - nets = rec { - internet = { - aliases = [ - "domsen-nas.internet" - ]; - ip4.addr = "87.138.180.167"; - ssh.port = 2223; - }; - }; - }; uriel = { monitoring = false; cores = 1; nets = { - gg23 = { - ip4.addr = "10.23.1.12"; - aliases = ["uriel.gg23"]; - ssh.port = 45621; - }; retiolum = { ip4.addr = "10.243.81.176"; - ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"; + ip6.addr = r6 "1e1"; aliases = [ "uriel.r" "cgit.uriel.r" @@ -178,14 +173,9 @@ with import ; mors = { cores = 2; nets = { - gg23 = { - ip4.addr = "10.23.1.11"; - aliases = ["mors.gg23"]; - ssh.port = 45621; - }; retiolum = { ip4.addr = "10.243.0.2"; - ip6.addr = "42:0:0:0:0:0:0:dea7"; + ip6.addr = r6 "dea7"; aliases = [ "mors.r" "cgit.mors.r" 
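Review bot: `wireguard.subnets = [ "10.244.1.0/24" "42:1::/32" ]` on prism's new wiregrill net should be checked against what `w6` actually produces: `ip4.addr = "10.244.1.1"` is inside the first range, but the `w6 "1"` address comes from `krebs.genipv6 "wiregrill" "lass"` and nothing visible here shows that it falls inside `42:1::/32`; if the generated prefix differs, the other wiregrill peers added in this change (mors, shodan, icarus, yellow, blue, phone, morpheus) would not be routed via prism. A short comment next to `subnets` naming the prefix genipv6 uses for wiregrill would make the relationship explicit. The prism attribute set starts outside this hunk.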
@@ -201,6 +191,13 @@ with import ; -----END RSA PUBLIC KEY----- ''; }; + wiregrill = { + ip6.addr = w6 "dea7"; + aliases = [ + "mors.w" + ]; + wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ="; + }; }; secure = true; ssh.privkey.path = ; @@ -211,7 +208,7 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.0.4"; - ip6.addr = "42:0:0:0:0:0:0:50d4"; + ip6.addr = r6 "50da"; aliases = [ "shodan.r" "cgit.shodan.r" @@ -227,6 +224,13 @@ with import ; -----END RSA PUBLIC KEY----- ''; }; + wiregrill = { + ip6.addr = w6 "50da"; + aliases = [ + "shodan.w" + ]; + wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30="; + }; }; secure = true; ssh.privkey.path = ; @@ -237,7 +241,7 @@ with import ; nets = rec { retiolum = { ip4.addr = "10.243.133.114"; - ip6.addr = "42:0:0:0:0:0:01ca:1205"; + ip6.addr = r6 "1205"; aliases = [ "icarus.r" "cgit.icarus.r" @@ -253,6 +257,13 @@ with import ; -----END RSA PUBLIC KEY----- ''; }; + wiregrill = { + ip6.addr = w6 "1205"; + aliases = [ + "icarus.w" + ]; + wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ="; + }; }; secure = true; ssh.privkey.path = ; @@ -263,7 +274,7 @@ with import ; nets = rec { retiolum = { ip4.addr = "10.243.133.115"; - ip6.addr = "42:0:0:0:0:0:daed:a105"; + ip6.addr = r6 "dead"; aliases = [ "daedalus.r" "cgit.daedalus.r" @@ -289,7 +300,7 @@ with import ; nets = rec { retiolum = { ip4.addr = "10.243.133.116"; - ip6.addr = "42:0:0:0:0:0:0:1101"; + ip6.addr = r6 "5ce7"; aliases = [ "skynet.r" "cgit.skynet.r" @@ -315,7 +326,7 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.133.77"; - ip6.addr = "42:0:0:0:0:0:717:7137"; + ip6.addr = r6 "771e"; aliases = [ "littleT.r" ]; 
@@ -351,306 +362,13 @@ with import ; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; }; - iso = { - monitoring = false; - ci = false; - cores = 1; - }; - sokrateslaptop = { - monitoring = false; - ci = false; - external = true; - nets = { - retiolum = { - ip4.addr = "10.243.142.104"; - ip6.addr = "42:f8a1:044d:0f75:9d73:56d8:f432:c6cc"; - aliases = [ - "sokrateslaptop.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2 - t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ - rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW - egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5 - aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V - VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - kruck = { - monitoring = false; - ci = false; - external = true; - nets = { - retiolum = { - ip4.addr = "10.243.29.201"; - ip6.addr = "42:4234:6a6d:600::1"; - aliases = [ - "kruck.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh - QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA - EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U - uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/ - /RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR - 9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s - qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH - gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj - jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs - fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5 - TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - turingmachine = { - monitoring = 
false; - ci = false; - external = true; - nets = { - retiolum = { - ip4.addr = "10.243.29.168"; - ip6.addr = "42:4992:6a6d:600::1"; - aliases = [ - "turingmachine.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C - t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9 - 6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8 - ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g - nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06 - 5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT - 1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1 - gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl - DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL - W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW - OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - eddie = { - monitoring = false; - ci = false; - external = true; - nets = rec { - internet = { - # eddie.thalheim.io - ip4.addr = "129.215.197.11"; - aliases = [ "eddie.i" ]; - }; - retiolum = rec { - via = internet; - addrs = [ - ip4.addr - ip6.addr - ]; - ip4.addr = "10.243.29.170"; - ip6.addr = "42:4992:6a6d:700::1"; - aliases = [ "eddie.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d - j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm - 3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF - 2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua - KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq - iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t - 6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD - kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u - 
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay - pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ - lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.subnets = [ - # edinburgh university - "129.215.0.0/16" - ]; - }; - }; - }; - rock = { - monitoring = false; - ci = false; - external = true; - nets = { - retiolum = { - ip4.addr = "10.243.29.171"; - ip6.addr = "42:4992:6a6d:700::2"; - aliases = [ "rock.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM - DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7 - HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh - mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf - Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M - Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD - 91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4 - fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv - 3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav - ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q - cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - inspector = { - monitoring = false; - ci = false; - external = true; - nets = rec { - internet = { - ip4.addr = "141.76.44.154"; - aliases = [ "inspector.i" ]; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.29.172"; - ip6.addr = "42:4992:6a6d:800::1"; - aliases = [ "inspector.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG - EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ - 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF - m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw - 
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd - eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 - OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau - ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x - B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG - q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj - 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - dpdkm = { - monitoring = false; - ci = false; - external = true; - nets = rec { - retiolum = { - ip4.addr = "10.243.29.173"; - ip6.addr = "42:4992:6a6d:900::1"; - aliases = [ "dpdkm.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj - NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp - qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP - X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn - f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa - bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL - Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T - B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w - tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n - dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls - mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - eve = { - monitoring = false; - ci = false; - external = true; - nets = rec { - internet = { - # eve.thalheim.io - ip4.addr = "188.68.39.17"; - ip6.addr = "2a03:4000:13:31e::1"; - aliases = [ "eve.i" ]; - }; - retiolum = rec { - via = internet; - addrs = [ - ip4.addr - ip6.addr - ]; - ip4.addr = "10.243.29.174"; - ip6.addr = "42:4992:6a6d:a00::1"; - aliases = [ "eve.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - 
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH - XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82 - 08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk - 6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI - +xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3 - dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW - pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP - c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi - YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI - 61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13 - Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - xerxes = { - cores = 2; - nets = rec { - retiolum = { - ip4.addr = "10.243.1.3"; - ip6.addr = "42::1:3"; - aliases = [ - "xerxes.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U - MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk - gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W - /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb - mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO - X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj - +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim - hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9 - 3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4 - H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5 - JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4 - hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe - SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo - 4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe - vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3 - 
Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO - scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv - jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ - Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u - /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0 - bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ - sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; - }; red = { monitoring = false; cores = 1; nets = { retiolum = { ip4.addr = "10.243.0.13"; - ip6.addr = "42:0:0:0:0:0:0:12ed"; + ip6.addr = r6 "12ed"; aliases = [ "red.r" ]; @@ -680,7 +398,7 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.0.14"; - ip6.addr = "42:0:0:0:0:0:0:14"; + ip6.addr = r6 "3110"; aliases = [ "yellow.r" ]; @@ -701,6 +419,13 @@ with import ; -----END PUBLIC KEY----- ''; }; + wiregrill = { + ip6.addr = w6 "3110"; + aliases = [ + "yellow.w" + ]; + wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU="; + }; }; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje "; @@ -710,7 +435,7 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.0.77"; - ip6.addr = "42:0:0:0:0:0:0:77"; + ip6.addr = r6 "b1ce"; aliases = [ "blue.r" ]; 
@@ -731,10 +456,67 @@ with import ; -----END PUBLIC KEY----- ''; }; + wiregrill = { + ip6.addr = w6 "b1ce"; + aliases = [ + "blue.w" + ]; + wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U="; + }; }; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; }; + phone = { + nets = { + wiregrill = { + ip4.addr = "10.244.1.2"; + ip6.addr = w6 "a"; + aliases = [ + "phone.w" + ]; + wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; + }; + }; + external = true; + ci = false; + }; + morpheus = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.19"; + ip6.addr = r6 "012f"; + aliases = [ + "morpheus.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY + T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN + /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh + S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz + Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR + bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI + Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz + sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+ + VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j + 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA + U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + wiregrill = { + ip6.addr = w6 "012f"; + aliases = [ + "morpheus.w" + ]; + wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY="; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f "; + }; }; users = rec { lass = lass-blue; 
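Review bot: The new `ssh.pubkey` for morpheus ends in a trailing space inside the string (`…KG/f "`), which is carried into whatever the key is rendered into; trim it to `…KG/f"` (the existing yellow entry shows the same pattern). `phone` sets only `external = true; ci = false;`, so it still inherits `monitoring = true` from `hostDefaults`; if a phone is not meant to be monitored, add `monitoring = false;` alongside `ci`. The enclosing `hosts` set starts outside the hunk.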
@@ -786,14 +568,8 @@ with import ; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h"; mail = "lass@mors.r"; }; - sokratess = { - }; wine-mors = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842"; }; - Mic92 = { - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"; - mail = "joerg@higgsboson.tk"; - }; }; } diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 188fbc461..befec2156 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -1,20 +1,27 @@ -{ config, ... }: - -with import ; ## generate keys with: # tinc generate-keys # ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host -let + +with import ; +{ config, ... }: let + + hostDefaults = hostName: host: flip recursiveUpdate host ({ + owner = config.krebs.users.makefu; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum.ip6.addr = + (krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address; + }); + pub-for = name: builtins.readFile (./ssh + "/${name}.pub"); + in { - hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) { + hosts = mapAttrs hostDefaults { cake = rec { cores = 4; ci = false; nets = { retiolum = { ip4.addr = "10.243.136.236"; - ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee1"; aliases = [ "cake.r" ]; @@ -39,7 +46,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.136.237"; - ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee2"; aliases = [ "crapi.r" ]; @@ -65,7 +71,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.177.9"; - ip6.addr = "42:f63:ddf8:7520:cfec:9b61:d807:1dce"; aliases = [ "drop.r" ]; @@ -90,7 +95,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.227.163"; - ip6.addr = "42:e23f:ae0e:ea25:72ff:4ab8:9bd9:38a6"; aliases = [ "studio.r" ]; 
@@ -116,7 +120,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.113.98"; - # ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; aliases = [ "fileleech.r" ]; @@ -147,7 +150,6 @@ in { }; retiolum = { ip4.addr = "10.243.80.249"; - ip6.addr = "42:ecb0:376:b37d:cf47:1ecf:f32b:a3b9"; aliases = [ "latte.r" ]; @@ -171,7 +173,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.0.210"; - ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001"; aliases = [ "pnp.r" "cgit.pnp.r" @@ -195,7 +196,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.0.84"; - ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"; aliases = [ "darth.r" ]; @@ -267,7 +267,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.0.212"; - ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002"; aliases = [ "tsp.r" ]; @@ -295,7 +294,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.0.91"; - ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"; aliases = [ "x.r" ]; @@ -329,7 +327,6 @@ in { ''; }; #wiregrill = { - # ip6.addr = "42:4200:0000:0000:0000:0000:0000:a4db"; # aliases = [ # "x.w" # ]; @@ -347,7 +344,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.1.91"; - ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400"; aliases = [ "vbob.r" ]; @@ -386,7 +382,6 @@ in { }; retiolum = { ip4.addr = "10.243.0.153"; - ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110"; aliases = [ "pigstarter.r" ]; @@ -422,7 +417,6 @@ in { retiolum = { via = internet; ip4.addr = "10.243.29.169"; - ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; aliases = [ "wry.r" "graph.wry.r" @@ -460,7 +454,6 @@ in { }; retiolum = { ip4.addr = "10.243.153.102"; - ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; aliases = [ "filepimp.r" ]; @@ -491,7 +484,6 @@ in { }; retiolum = { ip4.addr = "10.243.0.89"; - ip6.addr = "42:f9f0::10"; aliases = [ "omo.r" "dcpp.omo.r" @@ -536,7 +528,6 @@ in { }; retiolum = { ip4.addr = "10.243.214.15"; - # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"; aliases = [ "wbob.r" "hydra.wbob.r" 
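Review bot: Removing the commented-out `ip6.addr` lines for fileleech (`@@ -116,7 +120,6 @@`) and wbob (`@@ -536,7 +528,6 @@`) is not a no-op: both hosts still have a `retiolum` net, so `hostDefaults` (`optionalAttrs (host.nets?retiolum)`) now assigns them a generated address where they previously had none. If keeping those hosts IPv6-less was deliberate, a comment on the host should record the exception; otherwise a sentence in the commit message noting that they now gain a retiolum IPv6 address would help reviewers of peer configs.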
@@ -560,27 +551,28 @@ in { ci = true; extraZones = { "krebsco.de" = '' + boot.euer IN A ${nets.internet.ip4.addr} cache.euer IN A ${nets.internet.ip4.addr} cache.gum IN A ${nets.internet.ip4.addr} - graph IN A ${nets.internet.ip4.addr} - gold IN A ${nets.internet.ip4.addr} - iso.euer IN A ${nets.internet.ip4.addr} - wg.euer IN A ${nets.internet.ip4.addr} - photostore IN A ${nets.internet.ip4.addr} - o.euer IN A ${nets.internet.ip4.addr} - mon.euer IN A ${nets.internet.ip4.addr} - boot.euer IN A ${nets.internet.ip4.addr} - wiki.euer IN A ${nets.internet.ip4.addr} - pigstarter IN A ${nets.internet.ip4.addr} cgit.euer IN A ${nets.internet.ip4.addr} - git.euer IN A ${nets.internet.ip4.addr} - euer IN A ${nets.internet.ip4.addr} - share.euer IN A ${nets.internet.ip4.addr} - gum IN A ${nets.internet.ip4.addr} - wikisearch IN A ${nets.internet.ip4.addr} dl.euer IN A ${nets.internet.ip4.addr} - ghook IN A ${nets.internet.ip4.addr} dockerhub IN A ${nets.internet.ip4.addr} + euer IN A ${nets.internet.ip4.addr} + ghook IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + gold IN A ${nets.internet.ip4.addr} + graph IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + iso.euer IN A ${nets.internet.ip4.addr} + mon.euer IN A ${nets.internet.ip4.addr} + netdata.euer IN A ${nets.internet.ip4.addr} + o.euer IN A ${nets.internet.ip4.addr} + photostore IN A ${nets.internet.ip4.addr} + pigstarter IN A ${nets.internet.ip4.addr} + share.euer IN A ${nets.internet.ip4.addr} + wg.euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + wikisearch IN A ${nets.internet.ip4.addr} io IN NS gum.krebsco.de. ''; }; @@ -596,7 +588,6 @@ in { }; #wiregrill = { # via = internet; - # ip6.addr = "42:4200:0000:0000:0000:0000:0000:70d3"; # aliases = [ # "gum.w" # ]; 
@@ -605,26 +596,26 @@ in { retiolum = { via = internet; ip4.addr = "10.243.0.213"; - ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3"; aliases = [ - "nextgum.r" - "graph.r" - "cache.gum.r" - "logs.makefu.r" - "stats.makefu.r" "backup.makefu.r" - "dcpp.nextgum.r" - "gum.r" - "cgit.gum.r" - "o.gum.r" - "tracker.makefu.r" - "search.makefu.r" - "wiki.makefu.r" - "wiki.gum.r" - "blog.makefu.r" "blog.gum.r" + "blog.makefu.r" + "cache.gum.r" + "cgit.gum.r" "dcpp.gum.r" + "dcpp.nextgum.r" + "graph.r" + "gum.r" + "logs.makefu.r" + "netdata.makefu.r" + "nextgum.r" + "o.gum.r" + "search.makefu.r" + "stats.makefu.r" "torrent.gum.r" + "tracker.makefu.r" + "wiki.gum.r" + "wiki.makefu.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -673,7 +664,6 @@ in { }; retiolum = { ip4.addr = "10.243.205.131"; - ip6.addr = "42:490d:cd82:d2bb:56d5:abd1:b88b:e8b4"; aliases = [ "shoney.r" ]; @@ -698,7 +688,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.83.237"; - ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101"; aliases = [ "sdev.r" ]; @@ -736,7 +725,6 @@ in { }; retiolum = { ip4.addr = "10.243.211.172"; - ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d"; aliases = [ "flap.r" ]; @@ -759,7 +747,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.231.219"; - ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"; aliases = [ "nukular.r" ]; @@ -782,7 +769,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.124.21"; - ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e"; aliases = [ "heidi.r" ]; @@ -872,7 +858,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.189.130"; - ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d"; aliases = [ "filebitch.r" ]; @@ -895,7 +880,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.26.29"; - ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e"; aliases = [ "excobridge.r" ]; @@ -918,7 +902,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.226.213"; - ip6.addr = "42:432e:2379:0cd2:8486:f3b5:335a:5d83"; aliases = [ "horisa.r" ]; 
@@ -947,7 +930,6 @@ in { }; retiolum = { ip4.addr = "10.243.57.85"; - ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"; aliases = [ "wooki.r" ]; @@ -970,7 +952,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.0.163"; - ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda"; aliases = [ "senderechner.r" ]; @@ -995,7 +976,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.144.142"; - ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278"; aliases = [ "tcac-0-1.r" ]; @@ -1025,7 +1005,6 @@ in { }; retiolum = { ip4.addr = "10.243.139.184"; - ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb"; aliases = [ "muhbaasu.r" ]; @@ -1048,7 +1027,6 @@ in { nets = { retiolum = { ip4.addr = "10.243.183.236"; - ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c"; aliases = [ "tpsw.r" ]; diff --git a/krebs/3modules/makefu/ssh/ulrich.pub b/krebs/3modules/makefu/ssh/ulrich.pub index 88313ee7c..8ac69004c 100644 --- a/krebs/3modules/makefu/ssh/ulrich.pub +++ b/krebs/3modules/makefu/ssh/ulrich.pub @@ -1 +1 @@ -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 shackspace.de@myvdr.de +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 8390eccbb..486a0c9cc 100644 --- a/krebs/3modules/tinc_graphs.nix 
+++ b/krebs/3modules/tinc_graphs.nix @@ -124,7 +124,7 @@ let }; users.extraUsers.tinc_graphs = { - uid = genid "tinc_graphs"; + uid = genid_uint31 "tinc_graphs"; home = "/var/spool/tinc_graphs"; }; services.nginx = mkIf cfg.nginx.enable { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 71670d336..0683492bc 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -1,19 +1,24 @@ -{ config, ... }: - with import ; +{ config, ... }: let -{ + hostDefaults = hostName: host: flip recursiveUpdate host ({ + owner = config.krebs.users.tv; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum.ip6.addr = + (krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address; + }); + +in { dns.providers = { "viljetic.de" = "regfish"; }; - hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { + hosts = mapAttrs hostDefaults { alnus = { ci = true; cores = 2; nets = { retiolum = { ip4.addr = "10.243.21.1"; - ip6.addr = "42::2101"; aliases = [ "alnus.r" ]; @@ -38,7 +43,6 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.20.1"; - ip6.addr = "42::2001"; aliases = [ "mu.r" ]; @@ -79,7 +83,6 @@ with import ; retiolum = { via = config.krebs.hosts.ni.nets.internet; ip4.addr = "10.243.113.223"; - ip6.addr = "42:4522:25f8:36bb:8ccb:150:231a:2af4"; aliases = [ "ni.r" "cgit.ni.r" @@ -114,7 +117,6 @@ with import ; }; retiolum = { ip4.addr = "10.243.0.110"; - ip6.addr = "42:2d5:733f:d6da:c0f5:2bb7:2b18:9ec"; aliases = [ "nomic.r" "cgit.nomic.r" @@ -158,7 +160,6 @@ with import ; }; retiolum = { ip4.addr = "10.243.13.37"; - ip6.addr = "42::1337"; aliases = [ "wu.r" "cgit.wu.r" @@ -185,7 +186,6 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.22.22"; - ip6.addr = "42::2222"; aliases = [ "querel.r" ]; @@ -226,7 +226,6 @@ with import ; }; retiolum = { ip4.addr = "10.243.13.38"; - ip6.addr = "42::1338"; aliases = [ "xu.r" "cgit.xu.r" 
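Review bot: `hostDefaults` silently changes every tv host's retiolum IPv6 address from the hand-picked values being removed (`42::1337`, `42::2222`, …) to one derived by `krebs.genipv6`, and the function carries no comment saying so, nor that an explicit `nets.retiolum.ip6.addr` in a host entry still wins because `recursiveUpdate` is applied with the host on the right. Peers that pinned the old addresses (tinc host files, firewall rules) will need the new ones; that is outside this hunk. I would add above the definition: `# Per-host defaults for tv's hosts: set owner and, for retiolum hosts, derive ip6.addr from the hostname via genipv6; values given in the host entry take precedence.` Note also that `host.nets?retiolum` evaluates `host.nets` unconditionally, so a host entry without a `nets` attribute would throw rather than just skip the address — fine if every host has one, worth a comment otherwise.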
@@ -261,7 +260,6 @@ with import ; }; retiolum = { ip4.addr = "10.243.13.40"; - ip6.addr = "42::1340"; aliases = [ "zu.r" ]; diff --git a/krebs/5pkgs/simple/cabal-read.nix b/krebs/5pkgs/simple/cabal-read.nix new file mode 100644 index 000000000..f8fc71e05 --- /dev/null +++ b/krebs/5pkgs/simple/cabal-read.nix @@ -0,0 +1,35 @@ +{ writeHaskellPackage }: + +# Because `sed -n 's/.*\ + putStrLn . intercalate " " . fromMaybe [] . lookup GHC + . options . buildInfo . condTreeData $ exe + + Nothing -> + error ("executable " <> name <> " not found in " <> path) + ''; + }; +} diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix index bed8961b8..0a2ab1611 100644 --- a/lass/1systems/archprism/config.nix +++ b/lass/1systems/archprism/config.nix @@ -6,26 +6,10 @@ with import ; - { - services.nginx.enable = true; - imports = [ - - - ]; - # needed by domsen.nix ^^ - lass.usershadow = { - enable = true; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - { predicate = "-p tcp --dport https"; target = "ACCEPT"; } - ]; - } { # TODO make new hfos.nix out of this vv boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { - uid = genid "riot"; + uid = genid_uint31 "riot"; isNormalUser = true; extraGroups = [ "libvirtd" ]; openssh.authorizedKeys.keys = [ 
@@ -42,153 +26,7 @@ with import ; { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; } ]; } - { - users.users.tv = { - uid = genid "tv"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.tv.pubkey - ]; - }; - users.users.makefu = { - uid = genid "makefu"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.makefu.pubkey - ]; - }; - users.extraUsers.dritter = { - uid = genid "dritter"; - isNormalUser = true; - extraGroups = [ - "download" - ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway" - ]; - }; - users.extraUsers.juhulian = { - uid = 1339; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian" - ]; - }; - users.users.hellrazor = { - uid = genid "hellrazor"; - isNormalUser = true; - extraGroups = [ - "download" - ]; - openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; - }; - } - { - #hotdog - systemd.services."container@hotdog".reloadIfChanged = mkForce false; - containers.hotdog = { - config = { ... 
}: { - imports = [ ]; - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.1"; - localAddress = "10.233.2.2"; - }; - } - - - - - - - - - - - { # quasi bepasty.nix - imports = [ - - ]; - krebs.bepasty.servers."paste.r".nginx.extraConfig = '' - if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { - return 403; - } - ''; - } - { - services.tor = { - enable = true; - }; - } - { - lass.ejabberd = { - enable = true; - hosts = [ "lassul.us" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } - { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } - ]; - } - { - imports = [ - - ]; - services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper.png; - ''; - } - { - users.users.jeschli = { - uid = genid "jeschli"; - isNormalUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - jeschli.pubkey - jeschli-bln.pubkey - jeschli-bolide.pubkey - jeschli-brauerei.pubkey - ]; - }; - krebs.git.rules = [ - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.xmonad-stockholm ]; - perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.stockholm ]; - perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - ]; - } - { - krebs.repo-sync.repos.stockholm.timerConfig = { - OnBootSec = "5min"; - OnUnitInactiveSec = "2min"; - RandomizedDelaySec = "2min"; - }; - } - - { 
services.taskserver = { enable = true; 
@@ -201,123 +39,11 @@ with import ; { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } ]; } - # - { - environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."container@red".reloadIfChanged = mkForce false; - containers.red = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - services.nginx.virtualHosts."rote-allez-fraktion.de" = { - enableACME = true; - forceSSL = true; - locations."/" = { - extraConfig = '' - proxy_set_header Host rote-allez-fraktion.de; - proxy_pass http://10.233.2.4; - ''; - }; - }; - } - #{ - # imports = [ ]; - # lass.restic = genAttrs [ - # "daedalus" - # "icarus" - # "littleT" - # "mors" - # "shodan" - # "skynet" - # ] (dest: { - # dirs = [ - # "/home/chat/.weechat" - # "/bku/sql_dumps" - # ]; - # passwordFile = (toString ) + "/restic/${dest}"; - # repo = "sftp:backup@${dest}.r:/backups/prism"; - # extraArguments = [ - # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" - # ]; - # timerConfig = { - # OnCalendar = "00:05"; - # RandomizedDelaySec = "5h"; - # }; - # }); - #} - { - users.users.download.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 lhebendanz@nixos" - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe" - "ssh-rsa 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 palo@workhorse" - ]; - } - { - } - { - lass.nichtparasoup.enable = true; - services.nginx = { - enable = true; - virtualHosts."lol.lassul.us" = { - forceSSL = true; - enableACME = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:5001; - ''; - }; - }; - } - { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s 10.244.1.0/24 ! 
-d 10.244.1.0/24"; target = "MASQUERADE"; } - ]; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.1.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString ) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # lass-android - allowedIPs = [ "10.244.1.2/32" ]; - publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; - } - ]; - }; - } { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} ]; } - { - services.murmur.enable = true; - services.murmur.registerName = "lassul.us"; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} - ]; - - } ]; krebs.build.host = config.krebs.hosts.archprism; diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index 44617d3e7..7fe143c3c 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix 
@@ -6,52 +6,11 @@ with import ; - - - { - users.users.blacky = { - uid = genid "blacky"; - home = "/home/blacky"; - group = "users"; - createHome = true; - extraGroups = [ - "audio" - "networkmanager" - "video" - ]; - useDefaultShell = true; - }; - networking.networkmanager.enable = true; - networking.wireless.enable = mkForce false; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - environment.systemPackages = with pkgs; [ - pavucontrol - chromium - hexchat - networkmanagerapplet - vlc - ]; - services.xserver.enable = true; - services.xserver.displayManager.lightdm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - services.xserver.layout = "de"; - users.mutableUsers = mkForce true; - services.xserver.synaptics.enable = true; - } - { - #remote control - environment.systemPackages = with pkgs; [ - x11vnc - ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; } - ]; - } + ]; + networking.networkmanager.enable = true; + networking.wireless.enable = mkForce false; time.timeZone = "Europe/Berlin"; hardware.trackpoint = { diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix index 9776211ae..550f058a8 100644 --- a/lass/1systems/littleT/physical.nix +++ b/lass/1systems/littleT/physical.nix @@ -1,7 +1,25 @@ { imports = [ ./config.nix - - + ]; + fileSystems."/" = + { device = "rpool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5B2E-3734"; + fsType = "vfat"; + }; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = true; + boot.loader.grub.device = "nodev"; + networking.hostId = "584248c6"; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.kernelModules = [ "kvm-intel" ]; + } 
diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix new file mode 100644 index 000000000..0d82ba611 --- /dev/null +++ b/lass/1systems/morpheus/config.nix @@ -0,0 +1,33 @@ +{ config, pkgs, ... }: +with import ; +{ + imports = [ + + + + + + + + ]; + + krebs.build.host = config.krebs.hosts.morpheus; + + networking.wireless.enable = false; + networking.networkmanager.enable = true; + + services.logind.extraConfig = '' + HandleLidSwitch=ignore + ''; + + nixpkgs.config.packageOverrides = super: { + steam = super.steam.override { + withPrimus = true; + extraPkgs = p: with p; [ + glxinfo + nettools + bumblebee + ]; + }; + }; +} diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix new file mode 100644 index 000000000..0f08acb2d --- /dev/null +++ b/lass/1systems/morpheus/physical.nix @@ -0,0 +1,32 @@ +{ lib, ... }: +{ + imports = [ + + ./config.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostId = "60ce7e88"; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ]; + + hardware.bumblebee.enable = true; + hardware.bumblebee.group = "video"; + + fileSystems."/" = + { device = "rpool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/DF3B-4528"; + fsType = "vfat"; + }; + + nix.maxJobs = lib.mkDefault 8; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 207c7c640..46cdbbb66 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -34,6 +34,7 @@ with import ; + { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 0ca39447d..6c454b4ac 100644 
--- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -25,7 +25,7 @@ with import ; { # TODO make new hfos.nix out of this vv boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { - uid = genid "riot"; + uid = genid_uint31 "riot"; isNormalUser = true; extraGroups = [ "libvirtd" ]; openssh.authorizedKeys.keys = [ @@ -44,21 +44,21 @@ with import ; } { users.users.tv = { - uid = genid "tv"; + uid = genid_uint31 "tv"; isNormalUser = true; openssh.authorizedKeys.keys = [ config.krebs.users.tv.pubkey ]; }; users.users.makefu = { - uid = genid "makefu"; + uid = genid_uint31 "makefu"; isNormalUser = true; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; users.extraUsers.dritter = { - uid = genid "dritter"; + uid = genid_uint31 "dritter"; isNormalUser = true; extraGroups = [ "download" @@ -75,7 +75,7 @@ with import ; ]; }; users.users.hellrazor = { - uid = genid "hellrazor"; + uid = genid_uint31 "hellrazor"; isNormalUser = true; extraGroups = [ "download" @@ -168,7 +168,7 @@ with import ; } { users.users.jeschli = { - uid = genid "jeschli"; + uid = genid_uint31 "jeschli"; isNormalUser = true; openssh.authorizedKeys.keys = with config.krebs.users; [ jeschli.pubkey 
@@ -297,31 +297,30 @@ with import ; }; } { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + imports = [ + ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; } { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.1.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString ) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # lass-android - allowedIPs = [ "10.244.1.2/32" ]; - publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; - } - ]; + services.dnsmasq = { + enable = true; + resolveLocalQueries = false; + + extraConfig= '' + listen-address=42:1:ce16::1 + except-interface=lo + interface=wg0 + ''; }; } { diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 87a733d62..39c0791fc 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -8,11 +8,9 @@ with import ; - - diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 13a8b3e41..4b806af7b 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -5,7 +5,6 @@ with import ; - { 
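Review bot: The IPv6 MASQUERADE rule's exclusion is `! -d 42:1:ce16::48`, which is a single host address (the `/` before 48 is missing), so wiregrill-to-wiregrill traffic forwarded by this router would still be NATed instead of excluded the way the v4 rule next to it does with `! -d 10.244.1.0/24`; it should read `{ v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::/48"; target = "MASQUERADE"; }`. The dnsmasq block also says `interface=wg0`, but this same hunk deletes `networking.wireguard.interfaces.wg0` and the imported wiregrill module names its interface `wiregrill`, so dnsmasq is likely to fail to bind until that becomes `interface=wiregrill`. Finally the new FORWARD rules accept everything in both directions between `retiolum` and `wiregrill` with no state or port restriction, which makes every wiregrill peer a full member of the mesh — perhaps intended, but worth a comment saying so.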
diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix deleted file mode 100644 index 1bd6cf2c5..000000000 --- a/lass/1systems/xerxes/config.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - - - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.xerxes; -} diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix deleted file mode 100644 index 17caccfe6..000000000 --- a/lass/1systems/xerxes/physical.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - imports = [ - ./config.nix - - - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" - ''; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/16C8-D053"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; - fsType = "btrfs"; - }; - - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; - - networking.wireless.enable = true; -} diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 48d405111..58fa564a1 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -19,7 +19,11 @@ with import ; users.groups.download.members = [ "transmission" ]; users.users.transmission.group = mkForce "download"; - systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.postStart = '' + chmod 775 /var/download/finished + ''; services.transmission = { enable = true; settings = { 
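Review bot: `bindsTo`/`after` only couple transmission's lifecycle to `openvpn-nordvpn.service`; they do not stop traffic from leaving over the default route if the tunnel drops while the OpenVPN unit stays up and reconnecting, so a firewall-level kill switch is still needed for this to be a VPN-only client — e.g. an OUTPUT rule dropping packets from the transmission user that are not headed out the tun interface, `{ predicate = "-m owner --uid-owner transmission ! -o tun0"; target = "DROP"; }`, with the interface name confirmed against the openvpn config, which is outside this hunk. The `chmod 775` in `postStart` makes the download directory group-writable; together with the WebDAV methods enabled on the same directory in the nginx config below, make sure that is the intended write path rather than an accidental one. Moving `bindsTo` out of `serviceConfig` is right — it is a `[Unit]` option and was being ignored there.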
@@ -34,10 +38,40 @@ with import ; services.nginx = { enable = true; - virtualHosts."yellow.r".locations."/dl".extraConfig = '' - autoindex on; - alias /var/download/finished; - ''; + package = pkgs.nginx.override { + modules = with pkgs.nginxModules; [ + fancyindex + ]; + }; + virtualHosts."dl" = { + default = true; + locations."/Nginx-Fancyindex-Theme-dark" = { + extraConfig = '' + alias ${pkgs.fetchFromGitHub { + owner = "Naereen"; + repo = "Nginx-Fancyindex-Theme"; + rev = "e84f7d6a32085c2b6238f85f5fdebe9ceb710fc4"; + sha256 = "0wzl4ws2w8f0749vxfd1c8c21p3jw463wishgfcmaljbh4dwplg6"; + }}/Nginx-Fancyindex-Theme-dark; + autoindex on; + ''; + }; + locations."/dl".extraConfig = '' + return 301 /; + ''; + locations."/" = { + root = "/var/download/finished"; + extraConfig = '' + fancyindex on; + fancyindex_header "/Nginx-Fancyindex-Theme-dark/header.html"; + fancyindex_footer "/Nginx-Fancyindex-Theme-dark/footer.html"; + dav_methods PUT DELETE MKCOL COPY MOVE; + + create_full_put_path on; + dav_access all:r; + ''; + }; + }; }; krebs.iptables = { diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index d781f8c71..1b6a1d593 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,6 @@ in { ./power-action.nix ./copyq.nix ./urxvt.nix - ./network-manager.nix { hardware.pulseaudio = { enable = true; @@ -65,6 +64,7 @@ in { dic dmenu font-size + fzfmenu gitAndTools.qgit git-preview gnome3.dconf @@ -97,9 +97,9 @@ in { enable = true; layout = "us"; display = mkForce 0; - xkbModel = "evdev"; xkbVariant = "altgr-intl"; - xkbOptions = "caps:backspace"; + xkbOptions = "caps:escape"; + libinput.enable = true; displayManager.lightdm.enable = true; windowManager.default = "xmonad"; windowManager.session = [{ diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 9cf294afd..718a92e9c 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix 
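Review bot: `dav_methods PUT DELETE MKCOL COPY MOVE` on `locations."/"` is enabled with no `auth_basic`, `allow`/`deny` or `limit_except`, and the vhost is `default = true`, so any client that can reach nginx on this host can upload, overwrite, delete or move files under `/var/download/finished` (with `create_full_put_path on` also creating directories); `dav_access all:r` only sets the mode bits of files nginx creates, it does not restrict who may call those methods. Gate the write verbs to the mesh, e.g. `limit_except GET HEAD { allow 10.243.0.0/16; deny all; }` inside the same `extraConfig`, or put `auth_basic` on the location; which ranges can reach the port is decided by the `krebs.iptables` block that starts at the end of this hunk. The theme location aliases a store path with `autoindex on`, which is harmless, and `fancyindex` on the root makes the listing public by design.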
@@ -7,6 +7,7 @@ let "daedalus" "skynet" "prism" + "littleT" ]; remote_hosts = filter (h: h != config.networking.hostName) all_hosts; diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 4d4a92eb9..cdd77e847 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -22,7 +22,9 @@ with (import ); krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";} ]; systemd.services.chat = let diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 425e0ee13..d214e224d 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -45,7 +45,7 @@ let createFirefoxUser = name: groups: precedence: createUser (pkgs.writeDash name '' - ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@" + ${pkgs.firefox}/bin/firefox "$@" '') name groups precedence 80; createQuteUser = name: groups: precedence: @@ -89,8 +89,8 @@ in { })); }; } - ( createQuteUser "qb" [ "audio" ] 20 ) - ( createFirefoxUser "ff" [ "audio" ] 10 ) + ( createFirefoxUser "ff" [ "audio" ] 11 ) + ( createQuteUser "qb" [ "audio" ] 10 ) ( createChromiumUser "cr" [ "audio" "video" ] 9 ) ( createChromiumUser "gm" [ "video" "audio" ] 8 ) ( createChromiumUser "wk" [ "audio" ] 0 ) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index a43113177..62a42baf9 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -10,6 +10,7 @@ with import ; ./zsh.nix ./htop.nix ./security-workarounds.nix + ./wiregrill.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 1ee45bb41..1acfe5056 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
@@ -94,6 +94,7 @@ with import ; { from = "osmocom@lassul.us"; to = lass.mail; } { from = "lesswrong@lassul.us"; to = lass.mail; } { from = "nordvpn@lassul.us"; to = lass.mail; } + { from = "csv-direct@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 49602898e..62e3f6d52 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -57,6 +57,7 @@ let in { environment.systemPackages = with pkgs; [ + dolphinEmu doom1 doom2 vdoom1 diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 62173e33f..7650f4294 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -154,7 +154,7 @@ let public = true; }; - make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: { + make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... }: { inherit admins collaborators name; public = false; hooks = { diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 36e797a96..21b9d7b49 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -82,7 +82,7 @@ let source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc set pgp_use_gpg_agent = yes set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D - set crypt_autosign = yes + set crypt_autosign = no set crypt_replyencrypt = yes set crypt_verify_sig = yes set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" diff --git a/lass/2configs/mouse.nix b/lass/2configs/mouse.nix index 098809d62..f5f9319ed 100644 --- a/lass/2configs/mouse.nix +++ b/lass/2configs/mouse.nix @@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: { hardware.trackpoint = { enable = true; @@ -7,6 +7,7 @@ emulateWheel = true; }; + services.xserver.libinput.enable = lib.mkForce false; services.xserver.synaptics = { enable = true; horizEdgeScroll = false; 
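Review bot: Changing the `announce` default to `true` in `make-restricted-repo` means every repository created through it that does not opt out now has its pushes announced, and these are the `public = false` repos; if the announce hook posts branch and commit summaries to a shared channel (the hook body is outside this hunk, so I am inferring from the name), that leaks activity from repositories that were deliberately restricted. Either keep `announce ? false` here and enable it per repo, or document the intent with `# restricted repos are announced too; callers that must stay quiet pass announce = false` above the function.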
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index 85faded14..987632cd1 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix @@ -5,7 +5,6 @@ with import ; let name = "radio"; mainUser = config.users.extraUsers.mainUser; - inherit (import ) genid; admin-password = import ; source-password = import ; @@ -31,7 +30,7 @@ in { "${name}" = rec { inherit name; group = name; - uid = genid name; + uid = genid_uint31 name; description = "radio manager"; home = "/home/${name}"; useDefaultShell = true; diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 4935268a4..ce7df4bfb 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -126,6 +126,7 @@ in { { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "bui@freemonkey.art"; to ="bui"; } + { from = "kontakt@alewis.de"; to ="klabusterbeere"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -204,5 +205,12 @@ in { createHome = true; }; + users.users.klabusterbeere = { + uid = genid_uint31 "klabusterbeere"; + home = "/home/klabusterbeere"; + useDefaultShell = true; + createHome = true; + }; + } diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 6470d86f7..17af0d00d 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -3,7 +3,7 @@ with lib; let inherit (import ) - genid + genid_uint31 ; in { @@ -22,7 +22,7 @@ in { krebs.tinc_graphs.enable = true; users.users.lass-stuff = { - uid = genid "lass-stuff"; + uid = genid_uint31 "lass-stuff"; description = "lassul.us blog cgi stuff"; home = "/var/empty"; }; @@ -124,7 +124,7 @@ in { }; users.users.blog = { - uid = genid "blog"; + uid = genid_uint31 "blog"; description = "lassul.us blog deployment"; home = "/srv/http/lassul.us"; useDefaultShell = true; 
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix new file mode 100644 index 000000000..b2ee35df3 --- /dev/null +++ b/lass/2configs/wiregrill.nix @@ -0,0 +1,44 @@ +with import ; +{ config, pkgs, ... }: let + + self = config.krebs.build.host.nets.wiregrill; + isRouter = !isNull self.via; + +in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { + #hack for modprobe inside containers + systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [ + (pkgs.writeDashBin "modprobe" ":") + ]); + + boot.kernel.sysctl = mkIf isRouter { + "net.ipv6.conf.all.forwarding" = 1; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ + { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } + ]; + + networking.wireguard.interfaces.wiregrill = { + ips = + (optional (!isNull self.ip4) self.ip4.addr) ++ + (optional (!isNull self.ip6) self.ip6.addr); + listenPort = 51820; + privateKeyFile = (toString ) + "/wiregrill.key"; + allowedIPsAsRoutes = true; + peers = mapAttrsToList + (_: host: { + allowedIPs = if isRouter then + (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++ + (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr) + else + host.nets.wiregrill.wireguard.subnets + ; + endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); + persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61; + publicKey = host.nets.wiregrill.wireguard.pubkey; + }) + (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts); + }; +} diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix index 974e11c6e..f6ce7ccc9 100644 --- a/lass/3modules/xjail.nix +++ b/lass/3modules/xjail.nix 
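Review bot: `listenPort = 51820` is hard-coded while the INPUT rule a few lines above opens `self.wireguard.port`; a host whose `wireguard.port` is anything else ends up with the wrong port open and the tunnel unreachable, so it should be `listenPort = self.wireguard.port;`. The INPUT rule is not bound to an interface, so every host with a `wiregrill` net accepts UDP on that port from anywhere — acceptable for WireGuard, but worth a one-line comment. Two smaller things: non-router peers are given `allowedIPs = host.nets.wiregrill.wireguard.subnets` for every router, so two routers advertising overlapping subnets would conflict in the kernel's allowed-IPs table, and the `privateKeyFile` path is built from a value this rendering has lost (`(toString ) + "/wiregrill.key"`), so I cannot confirm it points at the secrets directory.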
@@ -142,7 +142,7 @@ with import ; users.users = mapAttrs' (_: cfg: nameValuePair cfg.name { - uid = genid cfg.name; + uid = genid_uint31 cfg.name; home = "/home/${cfg.name}"; useDefaultShell = true; createHome = true; diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix index f86a4a69b..79e6416e1 100644 --- a/lass/5pkgs/custom/xmonad-lass/default.nix +++ b/lass/5pkgs/custom/xmonad-lass/default.nix @@ -78,7 +78,7 @@ main = getArgs >>= \case main' :: IO () main' = do handleShutdownEvent <- newShutdownEventHandler - xmonad $ ewmh + launch $ ewmh $ withUrgencyHook LibNotifyUrgencyHook $ def { terminal = myTerm diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index b6cb2ec7e..85b050644 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" '' ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub cat < $TMPDIR/hashedPasswords.nix { root = "$HASHED_PASSWORD"; @@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" '' $(cat $TMPDIR/retiolum.rsa_key.pub) ${"''"}; }; + wiregrill = { + ip6.addr = (wip6 "changeme").address; + aliases = [ + "$HOSTNAME.w" + ]; + wireguard.pubkey = ${"''"} + $(cat $TMPDIR/wiregrill.pub) + ${"''"}; + }; }; ssh.privkey.path = ; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; diff --git a/lib/default.nix b/lib/default.nix index 348d47e85..347830e8c 100644 --- a/lib/default.nix +++ b/lib/default.nix 
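Review bot: `${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key` creates the private key with whatever umask the shell has, unlike the `ssh-keygen` and `openssl genrsa` lines above it, which create their private-key files with restrictive modes themselves; unless the script sets `umask 077` earlier (outside the hunk), the WireGuard key can be world-readable in $TMPDIR until it is moved. Add `umask 077` before the `wg genkey` line, or create the file first with `install -m 0600 /dev/null $TMPDIR/wiregrill.key`. The `cat … | wg pubkey` pipe can simply be `${pkgs.wireguard}/bin/wg pubkey < $TMPDIR/wiregrill.key > $TMPDIR/wiregrill.pub`. In the second hunk `ip6.addr = (wip6 "changeme").address;` bakes a placeholder into the generated host definition; a comment such as `# replace "changeme" with the subnet name before committing` would keep it from landing as-is. Both hunks are inside the `writeDashBin` string, whose start and end are outside the hunks.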
@@ -5,6 +5,7 @@ let evalSource = import ./eval-source.nix; git = import ./git.nix { inherit lib; }; + krebs = import ./krebs lib; krops = import ../submodules/krops/lib; shell = import ./shell.nix { inherit lib; }; types = nixpkgs-lib.types // import ./types.nix { inherit lib; }; @@ -28,8 +29,6 @@ let listToAttrs (map (name: nameValuePair name set.${name}) (filter (flip hasAttr set) names)); - setAttr = name: value: set: set // { ${name} = value; }; - test = re: x: isString x && testString re x; testString = re: x: match re x != null; @@ -94,7 +93,13 @@ let in if max.pos == 0 then a - else "${concatStringsSep ":" lhs}::${concatStringsSep ":" rhs}"; + else let + sep = + if 8 - (length lhs + length rhs) == 1 + then ":0:" + else "::"; + in + "${concatStringsSep ":" lhs}${sep}${concatStringsSep ":" rhs}"; drop-leading-zeros = let @@ -108,7 +113,38 @@ let in a: concatStringsSep ":" (map f (splitString ":" a)); in - a: toLower (group-zeros (drop-leading-zeros a)); + a: + toLower + (if test ".*::.*" a + then a + else group-zeros (drop-leading-zeros a)); + + hashToLength = n: s: substring 0 n (hashString "sha256" s); + + dropLast = n: xs: reverseList (drop n (reverseList xs)); + takeLast = n: xs: reverseList (take n (reverseList xs)); + + # Split string into list of chunks where each chunk is at most n chars long. + # The leftmost chunk might shorter. + # Example: stringToGroupsOf "123456" -> ["12" "3456"] + stringToGroupsOf = n: s: let + acc = + foldl' + (acc: c: if stringLength acc.chunk < n then { + chunk = acc.chunk + c; + chunks = acc.chunks; + } else { + chunk = c; + chunks = acc.chunks ++ [acc.chunk]; + }) + { + chunk = ""; + chunks = []; + } + (stringToCharacters s); + in + filter (x: x != []) ([acc.chunk] ++ acc.chunks); + }; in diff --git a/lib/krebs/default.nix b/lib/krebs/default.nix new file mode 100644 index 000000000..c9d9bef63 --- /dev/null +++ b/lib/krebs/default.nix @@ -0,0 +1,3 @@ +lib: +with lib; +mapNixDir (flip import lib) ./. 
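Review bot: `stringToGroupsOf` does not do what its comment says: the fold chunks from the left and the final chunk stays in `acc.chunk`, which `[acc.chunk] ++ acc.chunks` then puts first, so `stringToGroupsOf 4 "123456"` evaluates to `["56" "1234"]` rather than the documented `["12" "3456"]` (neither the boundaries nor the order match). The trailing `filter (x: x != [])` compares strings against an empty list, which is never equal, so an empty input still yields `[""]`; if the intent is "chunks in order, short one at the end", then `filter (x: x != "") (acc.chunks ++ [acc.chunk])` gives that, and if the short chunk really must be leftmost the string has to be consumed from the right. Note that lib/krebs/genipv6.nix in this commit feeds it 20-character hashes, which today come back rotated but deterministic, so fixing the order changes every generated suffix. The comment also reads `might shorter`; `might be shorter`.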
diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix new file mode 100644 index 000000000..22a23fcef --- /dev/null +++ b/lib/krebs/genipv6.nix 
@@ -0,0 +1,109 @@ +lib: +with lib; +let { + body = netname: subnetname: suffixSpec: rec { + address = let + suffix' = prependZeros suffixLength suffix; + in + normalize-ip6-addr + (checkAddress addressLength (joinAddress subnetPrefix suffix')); + addressCIDR = "${address}/${toString addressLength}"; + addressLength = 128; + + inherit netname; + netCIDR = "${netAddress}/${toString netPrefixLength}"; + netAddress = + normalize-ip6-addr (appendZeros addressLength netPrefix); + netHash = toString { + retiolum = 0; + wiregrill = 1; + }.${netname}; + netPrefix = "42:${netHash}"; + netPrefixLength = { + retiolum = 32; + wiregrill = 32; + }.${netname}; + + inherit subnetname; + subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}"; + subnetAddress = + normalize-ip6-addr (appendZeros addressLength subnetPrefix); + subnetHash = hashToLength 4 subnetname; + subnetPrefix = joinAddress netPrefix subnetHash; + subnetPrefixLength = netPrefixLength + 16; + + suffix = getAttr (typeOf suffixSpec) { + set = + concatStringsSep + ":" + (stringToGroupsOf + 4 + (hashToLength (suffixLength / 4) suffixSpec.hostName)); + string = suffixSpec; + }; + suffixLength = addressLength - subnetPrefixLength; + }; + + appendZeros = n: s: let + n' = n / 16; + zeroCount = n' - length parsedaddr; + parsedaddr = parseAddress s; + in + formatAddress (parsedaddr ++ map (const "0") (range 1 zeroCount)); + + prependZeros = n: s: let + n' = n / 16; + zeroCount = n' - length parsedaddr; + parsedaddr = parseAddress s; + in + formatAddress (map (const "0") (range 1 zeroCount) ++ parsedaddr); + + hasEmptyPrefix = xs: take 2 xs == ["" ""]; + hasEmptySuffix = xs: takeLast 2 xs == ["" ""]; + hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs); + + hasEmptyGroup = xs: + any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix]; + + ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs; + rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs; + trimEmpty = n: xs: rtrimEmpty n 
(ltrimEmpty n xs); + + parseAddress = splitString ":"; + formatAddress = concatStringsSep ":"; + + check = s: c: if !c then throw "${s}" else true; + + checkAddress = maxaddrlen: addr: let + parsedaddr = parseAddress addr; + normalizedaddr = trimEmpty 1 parsedaddr; + in + assert (check "address malformed; lone leading colon: ${addr}" ( + head parsedaddr == "" -> tail (take 2 parsedaddr) == "" + )); + assert (check "address malformed; lone trailing colon ${addr}" ( + last parsedaddr == "" -> head (takeLast 2 parsedaddr) == "" + )); + assert (check "address malformed; too many successive colons: ${addr}" ( + length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""] + )); + assert (check "address malformed: ${addr}" ( + all (test "[0-9a-f]{0,4}") parsedaddr + )); + assert (check "address is too long: ${addr}" ( + length normalizedaddr * 16 <= maxaddrlen + )); + addr; + + joinAddress = prefix: suffix: let + parsedPrefix = parseAddress prefix; + parsedSuffix = parseAddress suffix; + normalizePrefix = rtrimEmpty 2 parsedPrefix; + normalizeSuffix = ltrimEmpty 2 parsedSuffix; + delimiter = + optional (length (normalizePrefix ++ normalizeSuffix) < 8 && + (hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix)) + ""; + in + formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix); +} diff --git a/lib/types.nix b/lib/types.nix index 016853300..17c1688fa 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -19,7 +19,7 @@ rec { default = config._module.args.name; }; cores = mkOption { - type = positive; + type = uint; }; nets = mkOption { type = attrsOf net; 
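Review bot: In `checkAddress` the guard `length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]` compares the string `addr` with a list, which is never true, so the consequent can never hold and the assertion silently reduces to "at most one empty group after trimming"; if a bare `::` was meant to be allowed, compare the parsed form instead (e.g. `parsedaddr == ["" "" ""]`), otherwise drop the `-> …` part. `all (test "[0-9a-f]{0,4}") parsedaddr` rejects upper-case hex, but `toLower` is only applied by `normalize-ip6-addr` after the check, so a string `suffixSpec` like `"ABCD"` throws `address malformed` although it is valid; lower the input before checking or match `[0-9a-fA-F]{0,4}`. `subnetHash = hashToLength 4 subnetname` (16 bits) and the 80-bit host suffix are derived from names alone and nothing here checks uniqueness, so colliding truncated hashes give two hosts the same address without any error; a comment on `body` saying that uniqueness must be checked by the caller would tell the reader where that belongs.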
@@ -192,6 +192,28 @@ rec { })); default = null; }; + wireguard = mkOption { + type = nullOr (submodule ({ config, ... }: { + options = { + port = mkOption { + type = int; + description = "tinc port to use to connect to host"; + default = 51820; + }; + pubkey = mkOption { + type = wireguard-pubkey; + }; + subnets = mkOption { + type = listOf cidr; + description = '' + wireguard subnets, + this defines how routing behaves for hosts that can't reach each other. + ''; + default = []; + }; + }; + })); + }; }; }); @@ -548,4 +570,6 @@ rec { check = filename.check; merge = mergeOneOption; }; + + wireguard-pubkey = str; } diff --git a/makefu/0tests/data/secrets/netdata-stream.conf b/makefu/0tests/data/secrets/netdata-stream.conf new file mode 100644 index 000000000..e69de29bb diff --git a/makefu/0tests/data/secrets/nsupdate-cache.nix b/makefu/0tests/data/secrets/nsupdate-cache.nix new file mode 100644 index 000000000..f5e704702 --- /dev/null +++ b/makefu/0tests/data/secrets/nsupdate-cache.nix @@ -0,0 +1 @@ +"derp" diff --git a/makefu/1systems/full/source.nix b/makefu/1systems/full/source.nix deleted file mode 100644 index 1e36c6e87..000000000 --- a/makefu/1systems/full/source.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - name="gum"; - torrent = true; - clever_kexec = true; -} diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 3d2cbac6f..dcfa3d0e5 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -4,13 +4,14 @@ with import ; let external-ip = config.krebs.build.host.nets.internet.ip4.addr; ext-if = config.makefu.server.primary-itf; + allDisks = [ "/dev/sda" "/dev/sdb" ]; in { imports = [ ./hardware-config.nix { users.users.lass = { - uid = 9002; + uid = 19002; isNormalUser = true; createHome = true; useDefaultShell = true; @@ -20,8 +21,12 @@ in { ]; }; } + # + + - # + + { services.smartd.devices = builtins.map (x: { device = x; }) allDisks; } # Security @@ -30,6 +35,8 @@ in { + + # 
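Review bot: The `port` option's `description = "tinc port to use to connect to host";` was carried over from the tinc submodule and is wrong for this one; `description = "wireguard port to use to connect to host";`. `wireguard-pubkey = str;` accepts any string, so a truncated key or one pasted with a trailing newline is only noticed when the interface fails to come up; a WireGuard public key is 32 bytes of base64, i.e. 44 characters ending in `=`, so `wireguard-pubkey = addCheck str (test "[A-Za-z0-9+/]{43}=");` would reject malformed values at evaluation time (this assumes `addCheck` and the `test` helper from lib/default.nix are in scope the same way `mkOption` is here; please confirm). The `subnets` description could also say that these prefixes are routed via the host by its peers, which is how lass/2configs/wiregrill.nix consumes them.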
@@ -41,17 +48,47 @@ in { # + { # bonus retiolum config for connecting more hosts + krebs.tinc.retiolum = { + extraConfig = '' + ListenAddress = ${external-ip} 53 + ListenAddress = ${external-ip} 655 + ListenAddress = ${external-ip} 21031 + ''; + connectTo = [ + "prism" "ni" "enklave" "eve" "archprism" + ]; + }; + networking.firewall = { + allowedTCPPorts = + [ + 53 + 655 + 21031 + ]; + allowedUDPPorts = + [ + 53 + 655 + 21031 + ]; + }; + } # ci # + # services - + # + { + krebs.exim.enable = mkForce false; + } # sharing @@ -59,13 +96,6 @@ in { # ## # - { # ncdc - environment.systemPackages = [ pkgs.ncdc ]; - networking.firewall = { - allowedUDPPorts = [ 51411 ]; - allowedTCPPorts = [ 51411 ]; - }; - } # ## network @@ -91,17 +121,17 @@ in { # # - + # - + - + + - # # sharing @@ -115,7 +145,8 @@ in { # krebs infrastructure services - ]; + ]; + makefu.dl-dir = "/var/download"; services.openssh.hostKeys = [ 
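Review bot: The new `networking.firewall` block only opens 53, 655 and 21031, while the firewall list removed further down in this file also opened 25, 80/443 and the other service ports; NixOS merges `allowedTCPPorts` across modules, so unless one of the imported configs (their `<…>` paths are stripped in this rendering) opens 80 and 443, ACME for the gum.krebsco.de and netdata vhosts added in this commit and the mail server lose reachability. Please confirm where those ports are now opened, or add them here. Binding tinc on `ListenAddress = ${external-ip} 53` and opening 53/udp on the public interface deserves a one-line comment (`# tinc also listens on 53 to get through restrictive networks`), since a reader will otherwise look for a DNS server.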
@@ -125,70 +156,14 @@ in { services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; - krebs.tinc.retiolum = { - extraConfig = '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - ''; - connectTo = [ - "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" - ]; - }; - - - # access - users.users = { - root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ]; - makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; - }; - - # Chat - environment.systemPackages = with pkgs;[ - weechat - bepasty-client-cli - tmux - ]; - - # Hardware - # Network networking = { firewall = { allowPing = true; logRefusedConnections = false; - allowedTCPPorts = [ - # smtp - 25 - # http - 80 443 - # httptunnel - 8080 8443 - # tinc - 655 - # tinc-shack - 21032 - # tinc-retiolum - 21031 - # taskserver - 53589 - # temp vnc - 18001 - # temp reverseshell - 31337 - ]; - allowedUDPPorts = [ - # tinc - 655 53 - # tinc-retiolum - 21031 - # tinc-shack - 21032 - ]; }; nameservers = [ "8.8.8.8" ]; }; users.users.makefu.extraGroups = [ "download" "nginx" ]; - boot.tmpOnTmpfs = true; state = [ "/home/makefu/.weechat" ]; } diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix index bfe29b46c..e9670a5a4 100644 --- a/makefu/1systems/gum/hardware-config.nix +++ b/makefu/1systems/gum/hardware-config.nix @@ -46,7 +46,7 @@ in { "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" "xhci_pci" "ehci_pci" "ahci" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ]; hardware.enableRedistributableFirmware = true; fileSystems."/" = { device = "/dev/mapper/nixos-root"; 
@@ -56,10 +56,19 @@ in { device = "/dev/mapper/nixos-lib"; fsType = "ext4"; }; + fileSystems."/var/log" = { + device = "/dev/mapper/nixos-log"; + fsType = "ext4"; + }; fileSystems."/var/download" = { device = "/dev/mapper/nixos-download"; fsType = "ext4"; }; + fileSystems."/var/www/binaergewitter" = { + device = "/dev/mapper/nixos-binaergewitter"; + fsType = "ext4"; + options = [ "nofail" ]; + }; fileSystems."/var/lib/borgbackup" = { device = "/dev/mapper/nixos-backup"; fsType = "ext4"; diff --git a/makefu/1systems/gum/rescue.txt b/makefu/1systems/gum/rescue.txt index 30276b7db..0a3ed96ee 100644 --- a/makefu/1systems/gum/rescue.txt +++ b/makefu/1systems/gum/rescue.txt @@ -1,10 +1,14 @@ +ssh gum.i -o StrictHostKeyChecking=no + mount /dev/mapper/nixos-root /mnt mount /dev/sda2 /mnt/boot chroot-prepare /mnt chroot /mnt /bin/sh + journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub) +# ... activating ... export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin /nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix index 6940498f1..1e36c6e87 100644 --- a/makefu/1systems/gum/source.nix +++ b/makefu/1systems/gum/source.nix @@ -1,5 +1,5 @@ { - name="nextgum"; + name="gum"; torrent = true; clever_kexec = true; } diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix index 34a75dbd3..fdf203d5b 100644 --- a/makefu/1systems/iso/config.nix +++ b/makefu/1systems/iso/config.nix 
@@ -10,7 +10,7 @@ with import ; ]; # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos - krebs.build.host = config.krebs.hosts.iso; + krebs.build.host = { cores = 0; }; isoImage.isoBaseName = lib.mkForce "stockholm"; krebs.hidden-ssh.enable = true; environment.systemPackages = with pkgs; [ diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 260f96081..81b1e0ea1 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -44,7 +44,8 @@ in { # - + # statistics + # Logging #influx + grafana @@ -74,7 +75,8 @@ in { "homeassistant-0.77.2" ]; } - + + { makefu.ps3netsrv = { enable = true; diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix index 1b618a486..31db335bb 100644 --- a/makefu/1systems/omo/hw/omo.nix +++ b/makefu/1systems/omo/hw/omo.nix @@ -48,9 +48,8 @@ in { makefu.snapraid = { enable = true; - # TODO: 3 is not protected - disks = map toMapper [ 0 1 ]; - parity = toMapper 2; + disks = map toMapper [ 0 2 3 ]; + parity = toMapper 1; }; fileSystems = let cryptMount = name: diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index f2311fb55..3930406b1 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -20,9 +20,6 @@ in { - - - # # # @@ -35,6 +32,8 @@ in { # Sensors + + @@ -51,9 +50,9 @@ in { "homeassistant-0.77.2" ]; } - - - + + + (let collectd-port = 25826; influx-port = 8086; diff --git a/makefu/2configs/bgt/auphonic.pub b/makefu/2configs/bgt/auphonic.pub new file mode 100644 index 000000000..37b8e0599 --- /dev/null +++ b/makefu/2configs/bgt/auphonic.pub 
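Review bot: In makefu/1systems/omo/hw/omo.nix, `parity = toMapper 1;` moves parity from mapper 2 to mapper 1 and turns 2 and 3 into data disks; the old TODO `3 is not protected` is dropped without noting that the array is unprotected until a full sync has rebuilt parity on the new device. A comment such as `# parity moved from mapper 2 to 1; run a full snapraid sync after deploying` on the `parity` line would make the required manual step visible.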
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx diff --git a/makefu/2configs/nginx/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix similarity index 51% rename from makefu/2configs/nginx/download.binaergewitter.de.nix rename to makefu/2configs/bgt/download.binaergewitter.de.nix index 6b5687e72..6d64848f5 100644 --- a/makefu/2configs/nginx/download.binaergewitter.de.nix +++ b/makefu/2configs/bgt/download.binaergewitter.de.nix @@ -1,12 +1,25 @@ { config, lib, pkgs, ... }: +with import ; let - ident = (toString ) + "/mirrorsync.gum.id_ed25519"; + ident = (builtins.readFile ./auphonic.pub); in { - systemd.services.mirrorsync = { - startAt = "08:00:00"; - path = with pkgs; [ rsync openssh ]; - script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter''; + services.openssh = { + allowSFTP = true; + sftpFlags = [ "-l VERBOSE" ]; + extraConfig = '' + Match User auphonic + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + PasswordAuthentication no + ''; + }; + users.users.auphonic = { + uid = genid "auphonic"; + group = "nginx"; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ]; }; services.nginx = { enable = lib.mkDefault true; diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/bgt/hidden_service.nix similarity index 100% rename from makefu/2configs/deployment/bgt/hidden_service.nix rename to makefu/2configs/bgt/hidden_service.nix 
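Review bot: The `Match User auphonic` block forces `internal-sftp` but sets no `ChrootDirectory`, and the account is put in `group = "nginx"`, so the holder of the key in `auphonic.pub` (an external service, judging by the name) can browse every path readable by the nginx group instead of only the upload directory; adding `ChrootDirectory /var/www` (root-owned and not group-writable, as sshd requires) to the Match block confines it. `uid = genid "auphonic"` uses the old generator while the rest of this commit migrates users to `genid_uint31`; `uid = genid_uint31 "auphonic";` keeps it consistent. `useDefaultShell = true;` is unnecessary for an account whose only use is the forced sftp command. The `ident` binding now holds the uploader's public key rather than the old private-key path, which is fine, but a comment like `# public key of the uploading party, not a private key` on that line would avoid confusion since the name is unchanged; the `services.nginx` block continues outside the hunk.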
diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix index 46b386e14..51b4a1afc 100644 --- a/makefu/2configs/binary-cache/lass.nix +++ b/makefu/2configs/binary-cache/lass.nix @@ -3,7 +3,7 @@ { nix = { binaryCaches = [ - "http://cache.prism.r" + "https://cache.krebsco.de" ]; binaryCachePublicKeys = [ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" diff --git a/makefu/2configs/bitlbee.nix b/makefu/2configs/bitlbee.nix index 17efa7113..e955384d6 100644 --- a/makefu/2configs/bitlbee.nix +++ b/makefu/2configs/bitlbee.nix @@ -3,6 +3,6 @@ { services.bitlbee = { enable = true; - libpurple_plugins = [ pkgs.telegram-purple ]; + libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb]; }; } diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix similarity index 100% rename from makefu/2configs/deployment/bureautomation/default.nix rename to makefu/2configs/bureautomation/default.nix diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/bureautomation/hass.nix similarity index 87% rename from makefu/2configs/deployment/bureautomation/hass.nix rename to makefu/2configs/bureautomation/hass.nix index 443484a34..a89a4813f 100644 --- a/makefu/2configs/deployment/bureautomation/hass.nix +++ b/makefu/2configs/bureautomation/hass.nix @@ -112,7 +112,6 @@ in { "temperature" # "temperature_high" "temperature_low" "apparent_temperature" "hourly_summary" # next 24 hours text - "minutely_summary" "humidity" "pressure" "uv_index" ]; 
@@ -212,27 +211,44 @@ in { to = "on"; }; action = { - service= "homeassistant.turn_on"; - entity_id= "switch.fernseher"; + service = "homeassistant.turn_on"; + entity_id = [ "switch.fernseher" "switch.blitzdings" ]; }; } { alias = "Turn off Fernseher 10 minutes after last movement"; - trigger = { + trigger = [ + { # trigger when movement was detected at the time platform = "state"; entity_id = "binary_sensor.motion"; to = "off"; for.minutes = 10; - }; + } + { # trigger at 20:00 no matter what + # to avoid 'everybody left before 18:00:00' + platform = "time"; + at = "18:00:00"; + } + ]; action = { - service= "homeassistant.turn_off"; - entity_id= "switch.fernseher"; + service = "homeassistant.turn_off"; + entity_id = [ "switch.fernseher" "switch.blitzdings" ]; + }; + condition = + { condition = "and"; + conditions = [ + { + condition = "time"; + before = "06:30:00"; #only turn off between 6:30 and 18:00 + after = "18:00:00"; + # weekday = [ "mon" "tue" "wed" "thu" "fri" ]; + } + { + condition = "state"; + entity_id = "binary_sensor.motion"; + state = "off"; + } + ]; }; - condition = [{ - condition = "time"; - before = "06:30:00"; #only turn off between 6:30 and 18:00 - after = "18:00:00"; - weekday = [ "mon" "tue" "wed" "thu" "fri" ]; - }]; } ]; }; diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/bureautomation/mpd.nix similarity index 100% rename from makefu/2configs/deployment/bureautomation/mpd.nix rename to makefu/2configs/bureautomation/mpd.nix diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix index 521bfc80a..e7b91e6a8 100644 --- a/makefu/2configs/elchos/search.nix +++ b/makefu/2configs/elchos/search.nix @@ -32,7 +32,7 @@ let ${user} protocol=dyndns2 - usev5=if, if=${primary-itf} + usev6=if, if=${primary-itf} ssl=yes server=ipv6.nsupdate.info login=${user} 
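Review bot: The comment `# trigger at 20:00 no matter what` contradicts the value under it, `at = "18:00:00";`; given the condition's `after = "18:00:00"`, the comment should presumably read `# trigger at 18:00 no matter what`. The next comment, `# to avoid 'everybody left before 18:00:00'`, is hard to parse; if the reason is that a motion timeout firing before 18:00 is rejected by the time condition and would otherwise never be retried, `# handles the case where the last movement ended before 18:00, so the 10-minute trigger fired while the time condition was still false` states it. The automation list continues outside the hunk.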
diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/homeautomation/default.nix similarity index 99% rename from makefu/2configs/deployment/homeautomation/default.nix rename to makefu/2configs/homeautomation/default.nix index 94799b11d..596d0002a 100644 --- a/makefu/2configs/deployment/homeautomation/default.nix +++ b/makefu/2configs/homeautomation/default.nix @@ -31,7 +31,7 @@ let brightness_scale = 100; # color rgb_state_topic = "/ham/${topic}/stat/Color"; - rgb_command_topic = "/ham/${topic}/cmnd/Color2"; + rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule rgb_command_mode = "hex"; rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}"; # effects diff --git a/makefu/2configs/deployment/google-muell.nix b/makefu/2configs/homeautomation/google-muell.nix similarity index 100% rename from makefu/2configs/deployment/google-muell.nix rename to makefu/2configs/homeautomation/google-muell.nix diff --git a/makefu/2configs/deployment/homeautomation/mqtt.nix b/makefu/2configs/homeautomation/mqtt.nix similarity index 100% rename from makefu/2configs/deployment/homeautomation/mqtt.nix rename to makefu/2configs/homeautomation/mqtt.nix diff --git a/makefu/2configs/mail/mail.euer.nix b/makefu/2configs/mail/mail.euer.nix index f079d7f41..f8f82e76b 100644 --- a/makefu/2configs/mail/mail.euer.nix +++ b/makefu/2configs/mail/mail.euer.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { imports = [ - (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz") + (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz") ]; mailserver = { diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix index d764e5624..cb2ef09e3 100644 --- a/makefu/2configs/minimal.nix +++ b/makefu/2configs/minimal.nix 
@@ -7,8 +7,8 @@ # the only true timezone (even after the the removal of DST) time.timeZone = "Europe/Berlin"; - networking.hostName = config.krebs.build.host.name; - nix.buildCores = config.krebs.build.host.cores; + networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name; + nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable # we use gpg if necessary (or nothing at all) programs.ssh.startAgent = false; @@ -85,4 +85,6 @@ "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; }; + + services.nscd.enable = false; } diff --git a/makefu/2configs/nginx/gum.krebsco.de.nix b/makefu/2configs/nginx/gum.krebsco.de.nix new file mode 100644 index 000000000..3e96e6826 --- /dev/null +++ b/makefu/2configs/nginx/gum.krebsco.de.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +with import ; +let +in { + services.nginx = { + enable = mkDefault true; + virtualHosts."gum.krebsco.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + # proxyPass = "http://localhost:8000/"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # ''; + }; + }; + }; +} diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix index 531d2525e..964e5ccbb 100644 --- a/makefu/2configs/shack/events-publisher/default.nix +++ b/makefu/2configs/shack/events-publisher/default.nix 
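Review bot: `services.nscd.enable = false;` is added without a comment on the motivation; on NixOS nscd is also the path through which NSS modules outside glibc (systemd's myhostname/mymachines/resolve, nss-mdns and similar) are reached, so disabling it can silently break hostname and user lookups that rely on them. A comment naming the reason and the lookups that were verified to still work, e.g. `# nscd disabled for …; host/user lookups via NSS modules are not needed on minimal hosts`, would help the next reader. `networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) …` references `lib`, but the hunk does not show the module's argument set, so please confirm `lib` is bound there.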
@@ -2,8 +2,8 @@ with import ; let shack-announce = pkgs.callPackage (builtins.fetchTarball { - url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz"; - sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd"; + url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz"; + sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0"; }) {} ; home = "/var/lib/shackannounce"; user = "shackannounce"; diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix index e4fef7c3c..ed5066787 100644 --- a/makefu/2configs/share/omo.nix +++ b/makefu/2configs/share/omo.nix @@ -30,6 +30,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + audiobook = { + path = "/media/crypt1/audiobooks"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; crypt0 = { path = "/media/crypt0"; "read only" = "yes"; diff --git a/makefu/2configs/share/wbob.nix b/makefu/2configs/share/wbob.nix index 7d3fc38fe..9695751ff 100644 --- a/makefu/2configs/share/wbob.nix +++ b/makefu/2configs/share/wbob.nix @@ -8,6 +8,7 @@ home = "/home/share"; createHome = true; }; + users.groups.mpd.members = [ "makefu" ]; services.samba = { enable = true; enableNmbd = true; @@ -24,6 +25,12 @@ browseable = "yes"; "guest ok" = "yes"; }; + music-rw = { + path = "/data/music"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "no"; + }; }; extraConfig = '' guest account = smbguest diff --git a/makefu/2configs/stats/client.nix b/makefu/2configs/stats/client.nix index cfb5e3fd2..b88515a35 100644 --- a/makefu/2configs/stats/client.nix +++ b/makefu/2configs/stats/client.nix 
@@ -1,61 +1,7 @@ -{pkgs, config, ...}: { - services.collectd = { + makefu.netdata = { enable = true; - autoLoadPlugin = true; - extraConfig = '' - Hostname ${config.krebs.build.host.name} - LoadPlugin load - LoadPlugin disk - LoadPlugin memory - LoadPlugin df - Interval 30.0 - - LoadPlugin interface - - Interface "*Link" - Interface "lo" - Interface "vboxnet*" - Interface "virbr*" - IgnoreSelected true - - - LoadPlugin df - - MountPoint "/nix/store" - # MountPoint "/run*" - # MountPoint "/sys*" - # MountPoint "/dev" - # MountPoint "/dev/shm" - # MountPoint "/tmp" - FSType "tmpfs" - FSType "binfmt_misc" - FSType "debugfs" - FSType "tracefs" - FSType "mqueue" - FSType "hugetlbfs" - FSType "systemd-1" - FSType "cgroup" - FSType "securityfs" - FSType "ramfs" - FSType "proc" - FSType "devpts" - FSType "devtmpfs" - MountPoint "/var/lib/docker/devicemapper" - IgnoreSelected true - - - LoadPlugin cpu - - ReportByCpu true - ReportByState true - ValuesPercentage true - - - LoadPlugin network - - Server "${config.makefu.stats-server}" "25826" - - ''; + stream.role = "slave"; + # stream.destination = "netdata.makefu.r"; }; } diff --git a/makefu/2configs/stats/collectd-client.nix b/makefu/2configs/stats/collectd-client.nix new file mode 100644 index 000000000..cfb5e3fd2 --- /dev/null +++ b/makefu/2configs/stats/collectd-client.nix 
@@ -0,0 +1,61 @@ +{pkgs, config, ...}: +{ + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + LoadPlugin df + Interval 30.0 + + LoadPlugin interface + + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + + + LoadPlugin df + + MountPoint "/nix/store" + # MountPoint "/run*" + # MountPoint "/sys*" + # MountPoint "/dev" + # MountPoint "/dev/shm" + # MountPoint "/tmp" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "tracefs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + + + LoadPlugin cpu + + ReportByCpu true + ReportByState true + ValuesPercentage true + + + LoadPlugin network + + Server "${config.makefu.stats-server}" "25826" + + ''; + }; +} diff --git a/makefu/2configs/stats/netdata-server.nix b/makefu/2configs/stats/netdata-server.nix new file mode 100644 index 000000000..5fec3583c --- /dev/null +++ b/makefu/2configs/stats/netdata-server.nix @@ -0,0 +1,17 @@ +{ + makefu.netdata = { + enable = true; + stream.role = "master"; + }; + + services.nginx = { + virtualHosts."netdata.euer.krebsco.de" = { + addSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:19999"; + }; + virtualHosts."netdata.makefu.r" = { + locations."/".proxyPass = "http://localhost:19999"; + }; + }; +} diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix index c8e768c99..bb8fd1750 100644 --- a/makefu/2configs/stats/server.nix +++ b/makefu/2configs/stats/server.nix 
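Review bot: `virtualHosts."netdata.euer.krebsco.de"` proxies `http://localhost:19999` to the internet with ACME TLS but no authentication, and the netdata dashboard and API reveal process lists, mounts, users and network details for this host and for every slave that streams to the master; add `basicAuthFile = <path to an htpasswd file kept outside the nix store>;` (or an `extraConfig` allow-list) on that virtual host. `virtualHosts."netdata.makefu.r"` has neither TLS nor auth, which is only acceptable if that overlay name resolves nowhere else. Whether the backend also binds on non-loopback interfaces is decided by the `makefu.netdata` module, which is outside this hunk.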
@@ -21,6 +21,13 @@ in { services.influxdb.extraConfig = { meta.hostname = config.krebs.build.host.name; # meta.logging-enabled = true; + logging.level = "info"; + http.log-enabled = true; + http.write-tracing = false; + http.suppress-write-log = true; + data.trace-logging-enabled = false; + data.query-log-enabled = false; + http.bind-address = ":${toString influx-port}"; admin.bind-address = ":8083"; monitoring = { diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix index 98abb2406..0d2774209 100644 --- a/makefu/2configs/tinc/retiolum.nix +++ b/makefu/2configs/tinc/retiolum.nix @@ -1,8 +1,10 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { imports = [ ../binary-cache/lass.nix ]; krebs.tinc.retiolum.enable = true; environment.systemPackages = [ pkgs.tinc ]; + networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; + networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; } diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 7146174fb..65b5a6afd 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -5,6 +5,7 @@ _: ./awesome-extra.nix ./deluge.nix ./forward-journal.nix + ./netdata.nix ./opentracker.nix ./ps3netsrv.nix ./logging-config.nix diff --git a/makefu/3modules/netdata.nix b/makefu/3modules/netdata.nix new file mode 100644 index 000000000..3ed33643c --- /dev/null +++ b/makefu/3modules/netdata.nix 
@@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: + +# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix +with lib; +let + cfg = config.makefu.netdata; +in +{ + options.makefu.netdata = { + enable = mkEnableOption "netdata"; + + # TODO only apikey from file, set remote host manually + stream.file = mkOption { + type = types.str; + default = toString ; + description = "path to stream data file"; + }; + stream.role = mkOption { + type = types.enum [ "master" "slave" ]; + default = "slave"; + description = "Wether to stream data"; + }; + + httpcheck.checks = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + url = mkOption { + type = types.str; + example = "https://thalheim.io"; + description = "Url to check"; + }; + regex = mkOption { + type = types.nullOr types.str; + default = null; + example = "My homepage"; + description = "Regex that is matched against the returned content"; + }; + statusAccepted = mkOption { + type = types.listOf types.int; + default = [ 200 ]; + example = [ 401 ]; + description = "Expected http status code"; + }; + }; + })); + default = {}; + description = '' + httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf + ''; + }; + + portcheck.checks = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Dns name/IP to check"; + }; + port = mkOption { + type = types.int; + description = "Tcp port number"; + }; + }; + })); + default = {}; + description = '' + portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck + ''; + }; + }; + config = mkIf cfg.enable { + systemd.services.netdata = { + requires = [ "secret.service" ]; + after = [ "secret.service" ]; + }; + krebs.secret.files.netdata-stream = { + path = "/run/secret/netdata-stream.conf"; + owner.name = "netdata"; + source-path = 
cfg.stream.file; + }; + environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf"; + + services.netdata = { + enable = true; + config = { + global = { + "bind to" = "0.0.0.0:19999 [::]:19999"; + "error log" = "stderr"; + "update every" = "5"; + }; + health.enable = if cfg.stream.role == "master" then "yes" else "no"; + }; + }; + services.netdata.python.extraPackages = ps: [ + ps.psycopg2 ps.docker ps.dnspython + ]; + + makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports); + + networking.firewall.allowedTCPPorts = [ 19999 ]; + + environment.etc."netdata/python.d/httpcheck.conf".text = '' + update_every: 30 + ${lib.concatStringsSep "\n" (mapAttrsToList (site: options: + '' + ${site}: + url: '${options.url}' + ${optionalString (options.regex != null) "regex: '${options.regex}'"} + status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ] + '') cfg.httpcheck.checks) + } + ''; + + environment.etc."netdata/python.d/portcheck.conf".text = '' + ${lib.concatStringsSep "\n" (mapAttrsToList (service: options: + '' + ${service}: + host: '${options.host}' + port: ${toString options.port} + '') cfg.portcheck.checks) + } + ''; + systemd.services.netdata.restartTriggers = [ + config.environment.etc."netdata/python.d/httpcheck.conf".source + config.environment.etc."netdata/python.d/portcheck.conf".source + config.environment.etc."netdata/stream.conf".source + ]; + + environment.etc."netdata/health.d/httpcheck.conf".text = '' + # taken from the original but warn only if a request is at least 300ms slow + template: web_service_slow + families: * + on: httpcheck.responsetime + lookup: average -3m unaligned of time + units: ms + every: 10s + warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000) + crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000) + info: average response time over the last 3 minutes, compared to the average over the last hour + delay: down 5m 
multiplier 1.5 max 1h + options: no-clear-notification + to: webmaster + ''; + + }; + # TODO: notification + # environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf"; + +} diff --git a/makefu/5pkgs/libopencm3/default.nix b/makefu/5pkgs/libopencm3/default.nix deleted file mode 100644 index ed35fc639..000000000 --- a/makefu/5pkgs/libopencm3/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }: -stdenv.mkDerivation rec { - name = "libopencm-${version}"; - version = "2017-04-01"; - - src = fetchFromGitHub { - owner = "libopencm3"; - repo = "libopencm3"; - rev = "383fafc862c0d47f30965f00409d03a328049278"; - sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9"; - }; - - buildInputs = [ gcc-arm-embedded python ]; - buildPhase = '' - sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h - make - ''; - installPhase = '' - mkdir -p $out - cp -r lib $out/ - ''; - - meta = { - description = "Open Source ARM cortex m microcontroller library"; - homepage = https://github.com/libopencm3/libopencm3; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; - maintainers = with stdenv.lib.maintainers; [ makefu ]; - }; -} diff --git a/makefu/krops.nix b/makefu/krops.nix index 6c510eba3..2a2f70a05 100644 --- a/makefu/krops.nix +++ b/makefu/krops.nix @@ -7,7 +7,6 @@ host-src = { secure = false; - full = false; torrent = false; hw = false; musnix = false; @@ -23,7 +22,11 @@ { # nixos-18.09 @ 2018-09-18 # + uhub/sqlite: 5dd7610401747 - nixpkgs = if test then { + # + hovercraft: 7134801b17d72 + nixpkgs = if host-src.arm6 then { + # TODO: we want to track the unstable channel + symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; + } else { file = { path = toString (pkgs.fetchFromGitHub { owner = "makefu"; 
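Review bot: `"bind to" = "0.0.0.0:19999 [::]:19999"` together with `networking.firewall.allowedTCPPorts = [ 19999 ];` exposes the unauthenticated netdata API and dashboard on every interface of every host that enables this module, which bypasses any nginx proxy put in front of it and is unnecessary for slaves, since streaming slaves connect out to the master rather than the other way round. Bind to loopback by default and open the port only on the master, e.g. `"bind to" = if cfg.stream.role == "master" then "0.0.0.0:19999 [::]:19999" else "127.0.0.1:19999";` and `networking.firewall.allowedTCPPorts = lib.optional (cfg.stream.role == "master") 19999;`, ideally via `networking.firewall.interfaces.<mesh-if>.allowedTCPPorts` so only the mesh can reach it. The `stream.file` default reads `toString ;` on this page, so the path literal appears to have been lost to the rendering and should be checked against the real file. The generated `httpcheck.conf` also wraps `options.url` and `options.regex` in single quotes without escaping, so a regex containing `'` yields invalid YAML, although only the admin sets those values.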
@@ -33,14 +36,6 @@ }); useChecksum = true; }; - } else if host-src.full then { - git.ref = nixpkgs-src.rev; - git.url = nixpkgs-src.url; - } else if host-src.arm6 then { - # TODO: we want to track the unstable channel - symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/"; - } else { - file = "/home/makefu/store/${nixpkgs-src.rev}"; }; nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix"; diff --git a/makefu/update-channel.sh b/makefu/update-channel.sh index 59d3c434f..0899581ec 100755 --- a/makefu/update-channel.sh +++ b/makefu/update-channel.sh @@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --rev refs/heads/master' \ > $dir/nixpkgs.json newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') -echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref" +echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'" diff --git a/submodules/krops b/submodules/krops index eb68146cc..61b5ef3b8 160000 --- a/submodules/krops +++ b/submodules/krops @@ -1 +1 @@ -Subproject commit eb68146cc4848cfc0c0339c72a44a96fdeb4a1de +Subproject commit 61b5ef3b8e7e4d601db67a20f14a5022e9de8398 diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix index 8d4b13fad..f68e8e681 100644 --- a/tv/2configs/xserver/default.nix +++ b/tv/2configs/xserver/default.nix 
@@ -48,31 +48,35 @@ in { systemd.services.xmonad = let xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad"; + xmonad-prepare = pkgs.writeDash "xmonad-prepare" '' + ${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR" + ${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR" + ${pkgs.coreutils}/bin/mkdir -p "$XMONAD_DATA_DIR" + ''; + xmonad-ready = pkgs.writeDash "xmonad-ready" '' + { + ${pkgs.xorg.xhost}/bin/xhost +SI:localuser:${cfg.user.name} + ${pkgs.xorg.xhost}/bin/xhost -LOCAL: + } & + ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & + ${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} & + ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & + wait + ''; in { wantedBy = [ "graphical.target" ]; requires = [ "xserver.service" ]; environment = { DISPLAY = ":${toString config.services.xserver.display}"; - FZMENU_FZF_DEFAULT_OPTS = toString [ "--color=dark,border:126,bg+:090" "--inline-info" ]; - XMONAD_CACHE_DIR = cfg.cacheDir; XMONAD_CONFIG_DIR = cfg.configDir; XMONAD_DATA_DIR = cfg.dataDir; - - XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' - ${pkgs.xorg.xhost}/bin/xhost +LOCAL: & - ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & - ${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} & - ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & - wait - ''; - - # XXX JSON is close enough :) - XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ + XMONAD_STARTUP_HOOK = xmonad-ready; + XMONAD_WORKSPACES0_FILE = pkgs.writeJSON "xmonad-workspaces0.json" [ "Dashboard" # we start here "23" "cr" @@ -82,7 +86,7 @@ in { "mail" "stockholm" "za" "zh" "zj" "zs" - ]); + ]; }; path = [ config.tv.slock.package 
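Review bot: The `xhost` pair in `xmonad-ready` replaces the old blanket `xhost +LOCAL:` with a grant to `cfg.user.name` only and then revokes the local family; that is a genuine tightening of who may connect to the display, and the order of the two commands is what makes it safe, so it deserves a comment before a later cleanup "simplifies" it: `# grant the display to the xmonad user only, then drop the blanket LOCAL: grant`. Both commands still run concurrently with `xmodmap`/`xrdb` as they did before, so the user must already have display access by some other means for those to succeed; if that is the intent, the comment should say the grant is for clients started later. The enclosing `systemd.services.xmonad` attrset starts before the hunk.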
@@ -93,14 +97,10 @@ in { "/run/wrappers" # for su ]; serviceConfig = { - SyslogIdentifier = "xmonad"; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${toString [ - "\${XMONAD_CACHE_DIR}" - "\${XMONAD_CONFIG_DIR}" - "\${XMONAD_DATA_DIR}" - ]}"; - ExecStart = "@${xmonad} xmonad-${currentSystem} "; + ExecStartPre = "@${xmonad-prepare} xmonad-prepare"; + ExecStart = "@${xmonad} xmonad-${currentSystem}"; ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown"; + SyslogIdentifier = "xmonad"; User = cfg.user.name; WorkingDirectory = cfg.user.home; }; diff --git a/tv/5pkgs/haskell/xmonad-tv/shell.nix b/tv/5pkgs/haskell/xmonad-tv/shell.nix index 936e69627..6ca00bc05 100644 --- a/tv/5pkgs/haskell/xmonad-tv/shell.nix +++ b/tv/5pkgs/haskell/xmonad-tv/shell.nix @@ -46,7 +46,7 @@ in xmonad_restart() {( set -efu cd "$WORKDIR" - if systemctl is-active xmonad; then + if systemctl --quiet is-active xmonad; then sudo systemctl stop xmonad cp -b "$config_XMONAD_CACHE_DIR"/xmonad.state "$CACHEDIR"/ echo "xmonad.state: $(cat "$CACHEDIR"/xmonad.state)" @@ -59,9 +59,14 @@ in xmonad_yield() {( set -efu - "$xmonad" --shutdown - cp -b "$CACHEDIR"/xmonad.state "$config_XMONAD_CACHE_DIR"/ - sudo systemctl start xmonad + if ! systemctl --quiet is-active xmonad; then + "$xmonad" --shutdown + cp -b "$CACHEDIR"/xmonad.state "$config_XMONAD_CACHE_DIR"/ + sudo systemctl start xmonad + else + echo "xmonad.service is already running" >&2 + exit -1 + fi )} export PATH=${config.systemd.services.xmonad.path}:$PATH
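Review bot: `exit -1` in the new `else` branch of `xmonad_yield` is not a valid exit status: POSIX `exit` takes 0–255, bash silently turns -1 into 255 and dash rejects it with "Illegal number" and exits 2, so the caller sees a different code depending on which shell runs this nix-shell hook. Use `exit 1`. The guard itself, `if ! systemctl --quiet is-active xmonad; then`, is the right fix for starting the service twice, and the matching `--quiet` in the `xmonad_restart` hunk keeps the status text out of the output. Since `xmonad_yield` runs inside a `{( … )}` subshell with `set -efu`, the `exit` only leaves that subshell, which is presumably intended.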