Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'lass/master' into HEAD

Browse Source
This commit is contained in:
makefu 2018-12-12 17:53:38 +01:00
commit 97aaf34c33
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
26 changed files with 797 additions and 489 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
krebs/3modules/default.nix
View File

@ -109,6 +109,7 @@ let
}; };
imp = lib.mkMerge [ imp = lib.mkMerge [
{ krebs = import ./external { inherit config; }; }
{ krebs = import ./jeschli { inherit config; }; } { krebs = import ./jeschli { inherit config; }; }
{ krebs = import ./krebs { inherit config; }; } { krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; } { krebs = import ./lass { inherit config; }; }
@ -121,6 +122,7 @@ let
shack = "hosts"; shack = "hosts";
i = "hosts"; i = "hosts";
r = "hosts"; r = "hosts";
w = "hosts";
}; };
krebs.users = { krebs.users = {

306
krebs/3modules/external/default.nix vendored Normal file
View File

@ -0,0 +1,306 @@
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
ci = false;
external = true;
monitoring = false;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
});
in {
hosts = mapAttrs hostDefaults {
sokrateslaptop = {
owner = config.krebs.users.sokratess;
nets = {
retiolum = {
ip4.addr = "10.243.142.104";
aliases = [
"sokrateslaptop.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2
t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ
rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW
egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5
aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V
VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
kruck = {
owner = config.krebs.users.palo;
nets = {
retiolum = {
ip4.addr = "10.243.29.201";
aliases = [
"kruck.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
/RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
scardanelli = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.2";
aliases = [
"scardanelli.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/
MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge
UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi
kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0
gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx
we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY
QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm
SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL
2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f
m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q
FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5
lM61fOMcVW1KREdWypiDtu8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
homeros = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.1";
aliases = [
"homeros.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd
ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc
6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v
RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd
vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3
+LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc
QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm
fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh
VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7
k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX
gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N
mJ/hywVtvLxNkNimyztoKKMCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
turingmachine = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.168";
aliases = [
"turingmachine.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C
t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9
6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8
ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g
nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06
5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT
1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1
gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl
DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL
W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW
OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eddie = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
# eddie.thalheim.io
ip4.addr = "129.215.197.11";
aliases = [ "eddie.i" ];
};
retiolum = {
via = internet;
addrs = [
config.krebs.hosts.eddie.nets.retiolum.ip4.addr
config.krebs.hosts.eddie.nets.retiolum.ip6.addr
];
ip4.addr = "10.243.29.170";
aliases = [ "eddie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d
j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm
3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF
2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua
KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq
iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t
6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD
kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay
pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ
lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.subnets = [
# edinburgh university
"129.215.0.0/16"
];
};
};
};
rock = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
aliases = [ "rock.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
inspector = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
aliases = [ "inspector.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
dpdkm = {
owner = config.krebs.users.Mic92;
nets = rec {
retiolum = {
ip4.addr = "10.243.29.173";
aliases = [ "dpdkm.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eve = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
# eve.thalheim.io
ip4.addr = "188.68.39.17";
ip6.addr = "2a03:4000:13:31e::1";
aliases = [ "eve.i" ];
};
retiolum = {
via = internet;
addrs = [
config.krebs.hosts.eve.nets.retiolum.ip4.addr
config.krebs.hosts.eve.nets.retiolum.ip6.addr
];
ip4.addr = "10.243.29.174";
aliases = [ "eve.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82
08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk
6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI
+xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3
dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW
pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP
c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi
YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI
61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
};
users = {
Mic92 = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
mail = "joerg@higgsboson.tk";
};
kmein = {
};
palo = {
};
sokratess = {
};
};
}

2
krebs/3modules/git.nix
View File

@ -427,7 +427,7 @@ let
system.activationScripts.cgit = '' system.activationScripts.cgit = ''
mkdir -m 0770 -p ${cfg.cgit.settings.cache-root} mkdir -m 0770 -p ${cfg.cgit.settings.cache-root}
chmod 0770 ${cfg.cgit.settings.cache-root} chmod 0770 ${cfg.cgit.settings.cache-root}
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root} chown ${toString cfg.cgit.fcgiwrap.user.name}:${toString cfg.cgit.fcgiwrap.group.name} ${cfg.cgit.settings.cache-root}
''; '';
services.nginx.virtualHosts.cgit = { services.nginx.virtualHosts.cgit = {

20
krebs/3modules/jeschli/default.nix
View File

@ -1,17 +1,20 @@
{ config, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
{ config, ... }: let
{ hostDefaults = hostName: host: flip recursiveUpdate host ({
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.jeschli;
ci = true; ci = true;
}) { owner = config.krebs.users.jeschli;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "jeschli" { inherit hostName; }).address;
});
in {
hosts = mapAttrs hostDefaults {
brauerei = { brauerei = {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.27.29"; ip4.addr = "10.243.27.29";
ip6.addr = "42::29";
aliases = [ aliases = [
"brauerei.r" "brauerei.r"
]; ];
@ -48,7 +51,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.27.27"; ip4.addr = "10.243.27.27";
ip6.addr = "42::27";
aliases = [ aliases = [
"reagenzglas.r" "reagenzglas.r"
]; ];
@ -92,7 +94,6 @@ with import <stockholm/lib>;
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.27.30"; ip4.addr = "10.243.27.30";
ip6.addr = "42::30";
aliases = [ aliases = [
"enklave.r" "enklave.r"
"cgit.enklave.r" "cgit.enklave.r"
@ -131,7 +132,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.27.31"; ip4.addr = "10.243.27.31";
ip6.addr = "42::31";
aliases = [ aliases = [
"bolide.r" "bolide.r"
]; ];

26
krebs/3modules/krebs/default.nix
View File

@ -1,20 +1,24 @@
{ config, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
let { config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.krebs;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "krebs" { inherit hostName; }).address;
});
testHosts = genAttrs [ testHosts = genAttrs [
"test-arch" "test-arch"
"test-centos6" "test-centos6"
"test-centos7" "test-centos7"
"test-all-krebs-modules" "test-all-krebs-modules"
] (name: { ] (name: {
owner = config.krebs.users.krebs;
inherit name; inherit name;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.73.57"; ip4.addr = "10.243.73.57";
ip6.addr = "42:0:0:0:0:0:0:7357";
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
@ -29,14 +33,12 @@ let
}; };
}); });
in { in {
hosts = { hosts = mapAttrs hostDefaults ({
hotdog = { hotdog = {
ci = true; ci = true;
owner = config.krebs.users.krebs;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.77.3"; ip4.addr = "10.243.77.3";
ip6.addr = "42:0:0:0:0:0:77:3";
aliases = [ aliases = [
"hotdog.r" "hotdog.r"
"build.r" "build.r"
@ -61,11 +63,9 @@ in {
}; };
onebutton = { onebutton = {
cores = 1; cores = 1;
owner = config.krebs.users.krebs;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.101"; ip4.addr = "10.243.0.101";
ip6.addr = "42:0:0:0:0:0:0:101";
aliases = [ aliases = [
"onebutton.r" "onebutton.r"
]; ];
@ -92,11 +92,9 @@ in {
}; };
puyak = { puyak = {
ci = true; ci = true;
owner = config.krebs.users.krebs;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.77.2"; ip4.addr = "10.243.77.2";
ip6.addr = "42:0:0:0:0:0:77:2";
aliases = [ aliases = [
"puyak.r" "puyak.r"
"build.puyak.r" "build.puyak.r"
@ -120,7 +118,6 @@ in {
}; };
wolf = { wolf = {
ci = true; ci = true;
owner = config.krebs.users.krebs;
nets = { nets = {
shack = { shack = {
ip4.addr = "10.42.2.150" ; ip4.addr = "10.42.2.150" ;
@ -135,7 +132,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.77.1"; ip4.addr = "10.243.77.1";
ip6.addr = "42:0:0:0:0:0:77:1";
aliases = [ aliases = [
"wolf.r" "wolf.r"
"build.wolf.r" "build.wolf.r"
@ -157,7 +153,7 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR";
}; };
} // testHosts; } // testHosts);
users = { users = {
krebs = { krebs = {
pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary

460
krebs/3modules/lass/default.nix
View File

@ -1,16 +1,22 @@
{ config, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
{ config, ... }: let
{ hostDefaults = hostName: host: flip recursiveUpdate host ({
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "lass" { inherit hostName; }).address;
});
wip6 = krebs.genipv6 "wirelum" "lass";
in {
dns.providers = { dns.providers = {
"lassul.us" = "zones"; "lassul.us" = "zones";
}; };
hosts = mapAttrs (_: recursiveUpdate { hosts = mapAttrs hostDefaults {
owner = config.krebs.users.lass;
ci = true;
monitoring = true;
}) {
prism = rec { prism = rec {
cores = 4; cores = 4;
extraZones = { extraZones = {
@ -50,7 +56,6 @@ with import <stockholm/lib>;
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.103"; ip4.addr = "10.243.0.103";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab";
aliases = [ aliases = [
"prism.r" "prism.r"
"cache.prism.r" "cache.prism.r"
@ -85,11 +90,22 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
wirelum = {
via = internet;
ip4.addr = "10.244.1.1";
ip6.addr = (wip6 "1").address;
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
};
};
}; };
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
}; };
archprism = { archprism = {
cores = 1; cores = 1;
nets = rec { nets = rec {
@ -103,7 +119,6 @@ with import <stockholm/lib>;
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.123"; ip4.addr = "10.243.0.123";
ip6.addr = "42:0:0:0:0:0:0:123";
aliases = [ aliases = [
"archprism.r" "archprism.r"
]; ];
@ -129,32 +144,12 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
}; };
domsen-nas = {
ci = false;
monitoring = false;
external = true;
nets = rec {
internet = {
aliases = [
"domsen-nas.internet"
];
ip4.addr = "87.138.180.167";
ssh.port = 2223;
};
};
};
uriel = { uriel = {
monitoring = false; monitoring = false;
cores = 1; cores = 1;
nets = { nets = {
gg23 = {
ip4.addr = "10.23.1.12";
aliases = ["uriel.gg23"];
ssh.port = 45621;
};
retiolum = { retiolum = {
ip4.addr = "10.243.81.176"; ip4.addr = "10.243.81.176";
ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56";
aliases = [ aliases = [
"uriel.r" "uriel.r"
"cgit.uriel.r" "cgit.uriel.r"
@ -178,14 +173,8 @@ with import <stockholm/lib>;
mors = { mors = {
cores = 2; cores = 2;
nets = { nets = {
gg23 = {
ip4.addr = "10.23.1.11";
aliases = ["mors.gg23"];
ssh.port = 45621;
};
retiolum = { retiolum = {
ip4.addr = "10.243.0.2"; ip4.addr = "10.243.0.2";
ip6.addr = "42:0:0:0:0:0:0:dea7";
aliases = [ aliases = [
"mors.r" "mors.r"
"cgit.mors.r" "cgit.mors.r"
@ -201,6 +190,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
wirelum = {
ip6.addr = (wip6 "dea7").address;
aliases = [
"mors.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
};
}; };
secure = true; secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -211,7 +207,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.4"; ip4.addr = "10.243.0.4";
ip6.addr = "42:0:0:0:0:0:0:50d4";
aliases = [ aliases = [
"shodan.r" "shodan.r"
"cgit.shodan.r" "cgit.shodan.r"
@ -227,6 +222,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
wirelum = {
ip6.addr = (wip6 "50da").address;
aliases = [
"shodan.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
};
}; };
secure = true; secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -237,7 +239,6 @@ with import <stockholm/lib>;
nets = rec { nets = rec {
retiolum = { retiolum = {
ip4.addr = "10.243.133.114"; ip4.addr = "10.243.133.114";
ip6.addr = "42:0:0:0:0:0:01ca:1205";
aliases = [ aliases = [
"icarus.r" "icarus.r"
"cgit.icarus.r" "cgit.icarus.r"
@ -253,6 +254,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
wirelum = {
ip6.addr = (wip6 "1205").address;
aliases = [
"icarus.w"
];
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
};
}; };
secure = true; secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -263,7 +271,6 @@ with import <stockholm/lib>;
nets = rec { nets = rec {
retiolum = { retiolum = {
ip4.addr = "10.243.133.115"; ip4.addr = "10.243.133.115";
ip6.addr = "42:0:0:0:0:0:daed:a105";
aliases = [ aliases = [
"daedalus.r" "daedalus.r"
"cgit.daedalus.r" "cgit.daedalus.r"
@ -289,7 +296,6 @@ with import <stockholm/lib>;
nets = rec { nets = rec {
retiolum = { retiolum = {
ip4.addr = "10.243.133.116"; ip4.addr = "10.243.133.116";
ip6.addr = "42:0:0:0:0:0:0:1101";
aliases = [ aliases = [
"skynet.r" "skynet.r"
"cgit.skynet.r" "cgit.skynet.r"
@ -315,7 +321,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.133.77"; ip4.addr = "10.243.133.77";
ip6.addr = "42:0:0:0:0:0:717:7137";
aliases = [ aliases = [
"littleT.r" "littleT.r"
]; ];
@ -351,324 +356,11 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
}; };
iso = {
monitoring = false;
ci = false;
cores = 1;
};
sokrateslaptop = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.142.104";
ip6.addr = "42:f8a1:044d:0f75:9d73:56d8:f432:c6cc";
aliases = [
"sokrateslaptop.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2
t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ
rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW
egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5
aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V
VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
kruck = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.201";
ip6.addr = "42:4234:6a6d:600::1";
aliases = [
"kruck.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
/RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
scardanelli = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.2.2";
ip6.addr = "42:2:5ca:da:3111::1";
aliases = [
"scardanelli.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/
MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge
UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi
kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0
gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx
we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY
QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm
SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL
2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f
m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q
FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5
lM61fOMcVW1KREdWypiDtu8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
homeros = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.2.1";
ip6.addr = "42:2::0:3:05::1";
aliases = [
"homeros.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd
ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc
6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v
RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd
vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3
+LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc
QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm
fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh
VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7
k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX
gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N
mJ/hywVtvLxNkNimyztoKKMCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
turingmachine = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.168";
ip6.addr = "42:4992:6a6d:600::1";
aliases = [
"turingmachine.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C
t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9
6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8
ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g
nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06
5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT
1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1
gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl
DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL
W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW
OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eddie = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
# eddie.thalheim.io
ip4.addr = "129.215.197.11";
aliases = [ "eddie.i" ];
};
retiolum = rec {
via = internet;
addrs = [
ip4.addr
ip6.addr
];
ip4.addr = "10.243.29.170";
ip6.addr = "42:4992:6a6d:700::1";
aliases = [ "eddie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d
j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm
3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF
2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua
KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq
iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t
6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD
kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay
pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ
lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.subnets = [
# edinburgh university
"129.215.0.0/16"
];
};
};
};
rock = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
ip6.addr = "42:4992:6a6d:700::2";
aliases = [ "rock.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
inspector = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
ip6.addr = "42:4992:6a6d:800::1";
aliases = [ "inspector.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
dpdkm = {
monitoring = false;
ci = false;
external = true;
nets = rec {
retiolum = {
ip4.addr = "10.243.29.173";
ip6.addr = "42:4992:6a6d:900::1";
aliases = [ "dpdkm.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eve = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
# eve.thalheim.io
ip4.addr = "188.68.39.17";
ip6.addr = "2a03:4000:13:31e::1";
aliases = [ "eve.i" ];
};
retiolum = rec {
via = internet;
addrs = [
ip4.addr
ip6.addr
];
ip4.addr = "10.243.29.174";
ip6.addr = "42:4992:6a6d:a00::1";
aliases = [ "eve.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82
08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk
6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI
+xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3
dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW
pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP
c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi
YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI
61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
xerxes = { xerxes = {
cores = 2; cores = 2;
nets = rec { nets = rec {
retiolum = { retiolum = {
ip4.addr = "10.243.1.3"; ip4.addr = "10.243.1.3";
ip6.addr = "42::1:3";
aliases = [ aliases = [
"xerxes.r" "xerxes.r"
]; ];
@ -710,7 +402,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.13"; ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
aliases = [ aliases = [
"red.r" "red.r"
]; ];
@ -740,7 +431,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.14"; ip4.addr = "10.243.0.14";
ip6.addr = "42:0:0:0:0:0:0:14";
aliases = [ aliases = [
"yellow.r" "yellow.r"
]; ];
@ -761,6 +451,13 @@ with import <stockholm/lib>;
-----END PUBLIC KEY----- -----END PUBLIC KEY-----
''; '';
}; };
wirelum = {
ip6.addr = (wip6 "e110").address;
aliases = [
"yellow.w"
];
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
};
}; };
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje "; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
@ -770,7 +467,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.77"; ip4.addr = "10.243.0.77";
ip6.addr = "42:0:0:0:0:0:0:77";
aliases = [ aliases = [
"blue.r" "blue.r"
]; ];
@ -795,6 +491,48 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
}; };
phone = {
nets = {
wirelum = {
ip6.addr = (wip6 "a").address;
ip4.addr = "10.244.1.2";
aliases = [
"phone.w"
];
wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
};
};
external = true;
ci = false;
};
morpheus = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.19";
aliases = [
"morpheus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
/Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
};
}; };
users = rec { users = rec {
lass = lass-blue; lass = lass-blue;
@ -846,14 +584,8 @@ with import <stockholm/lib>;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
mail = "lass@mors.r"; mail = "lass@mors.r";
}; };
sokratess = {
};
wine-mors = { wine-mors = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
}; };
Mic92 = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
mail = "joerg@higgsboson.tk";
};
}; };
} }

50
krebs/3modules/makefu/default.nix
View File

@ -1,20 +1,27 @@
{ config, ... }:
with import <stockholm/lib>;
## generate keys with: ## generate keys with:
# tinc generate-keys # tinc generate-keys
# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host # ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host
let
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.makefu;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address;
});
pub-for = name: builtins.readFile (./ssh + "/${name}.pub"); pub-for = name: builtins.readFile (./ssh + "/${name}.pub");
in { in {
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) { hosts = mapAttrs hostDefaults {
cake = rec { cake = rec {
cores = 4; cores = 4;
ci = false; ci = false;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.136.236"; ip4.addr = "10.243.136.236";
ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee1";
aliases = [ aliases = [
"cake.r" "cake.r"
]; ];
@ -39,7 +46,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.136.237"; ip4.addr = "10.243.136.237";
ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee2";
aliases = [ aliases = [
"crapi.r" "crapi.r"
]; ];
@ -65,7 +71,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.177.9"; ip4.addr = "10.243.177.9";
ip6.addr = "42:f63:ddf8:7520:cfec:9b61:d807:1dce";
aliases = [ aliases = [
"drop.r" "drop.r"
]; ];
@ -90,7 +95,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.227.163"; ip4.addr = "10.243.227.163";
ip6.addr = "42:e23f:ae0e:ea25:72ff:4ab8:9bd9:38a6";
aliases = [ aliases = [
"studio.r" "studio.r"
]; ];
@ -116,7 +120,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.113.98"; ip4.addr = "10.243.113.98";
# ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
aliases = [ aliases = [
"fileleech.r" "fileleech.r"
]; ];
@ -147,7 +150,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.80.249"; ip4.addr = "10.243.80.249";
ip6.addr = "42:ecb0:376:b37d:cf47:1ecf:f32b:a3b9";
aliases = [ aliases = [
"latte.r" "latte.r"
]; ];
@ -171,7 +173,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.210"; ip4.addr = "10.243.0.210";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001";
aliases = [ aliases = [
"pnp.r" "pnp.r"
"cgit.pnp.r" "cgit.pnp.r"
@ -195,7 +196,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.84"; ip4.addr = "10.243.0.84";
ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566";
aliases = [ aliases = [
"darth.r" "darth.r"
]; ];
@ -267,7 +267,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.212"; ip4.addr = "10.243.0.212";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002";
aliases = [ aliases = [
"tsp.r" "tsp.r"
]; ];
@ -295,7 +294,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.91"; ip4.addr = "10.243.0.91";
ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db";
aliases = [ aliases = [
"x.r" "x.r"
]; ];
@ -329,7 +327,6 @@ in {
''; '';
}; };
#wiregrill = { #wiregrill = {
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:a4db";
# aliases = [ # aliases = [
# "x.w" # "x.w"
# ]; # ];
@ -347,7 +344,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.1.91"; ip4.addr = "10.243.1.91";
ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400";
aliases = [ aliases = [
"vbob.r" "vbob.r"
]; ];
@ -386,7 +382,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.0.153"; ip4.addr = "10.243.0.153";
ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110";
aliases = [ aliases = [
"pigstarter.r" "pigstarter.r"
]; ];
@ -422,7 +417,6 @@ in {
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.29.169"; ip4.addr = "10.243.29.169";
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [ aliases = [
"wry.r" "wry.r"
"graph.wry.r" "graph.wry.r"
@ -460,7 +454,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.153.102"; ip4.addr = "10.243.153.102";
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [ aliases = [
"filepimp.r" "filepimp.r"
]; ];
@ -491,7 +484,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.0.89"; ip4.addr = "10.243.0.89";
ip6.addr = "42:f9f0::10";
aliases = [ aliases = [
"omo.r" "omo.r"
"dcpp.omo.r" "dcpp.omo.r"
@ -536,7 +528,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.214.15"; ip4.addr = "10.243.214.15";
# ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
aliases = [ aliases = [
"wbob.r" "wbob.r"
"hydra.wbob.r" "hydra.wbob.r"
@ -597,7 +588,6 @@ in {
}; };
#wiregrill = { #wiregrill = {
# via = internet; # via = internet;
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:70d3";
# aliases = [ # aliases = [
# "gum.w" # "gum.w"
# ]; # ];
@ -606,7 +596,6 @@ in {
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.213"; ip4.addr = "10.243.0.213";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3";
aliases = [ aliases = [
"backup.makefu.r" "backup.makefu.r"
"blog.gum.r" "blog.gum.r"
@ -675,7 +664,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.205.131"; ip4.addr = "10.243.205.131";
ip6.addr = "42:490d:cd82:d2bb:56d5:abd1:b88b:e8b4";
aliases = [ aliases = [
"shoney.r" "shoney.r"
]; ];
@ -700,7 +688,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.83.237"; ip4.addr = "10.243.83.237";
ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101";
aliases = [ aliases = [
"sdev.r" "sdev.r"
]; ];
@ -738,7 +725,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.211.172"; ip4.addr = "10.243.211.172";
ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d";
aliases = [ aliases = [
"flap.r" "flap.r"
]; ];
@ -761,7 +747,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.231.219"; ip4.addr = "10.243.231.219";
ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72";
aliases = [ aliases = [
"nukular.r" "nukular.r"
]; ];
@ -784,7 +769,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.124.21"; ip4.addr = "10.243.124.21";
ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [ aliases = [
"heidi.r" "heidi.r"
]; ];
@ -874,7 +858,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.189.130"; ip4.addr = "10.243.189.130";
ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d";
aliases = [ aliases = [
"filebitch.r" "filebitch.r"
]; ];
@ -897,7 +880,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.26.29"; ip4.addr = "10.243.26.29";
ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e";
aliases = [ aliases = [
"excobridge.r" "excobridge.r"
]; ];
@ -920,7 +902,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.226.213"; ip4.addr = "10.243.226.213";
ip6.addr = "42:432e:2379:0cd2:8486:f3b5:335a:5d83";
aliases = [ aliases = [
"horisa.r" "horisa.r"
]; ];
@ -949,7 +930,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.57.85"; ip4.addr = "10.243.57.85";
ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731";
aliases = [ aliases = [
"wooki.r" "wooki.r"
]; ];
@ -972,7 +952,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.163"; ip4.addr = "10.243.0.163";
ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda";
aliases = [ aliases = [
"senderechner.r" "senderechner.r"
]; ];
@ -997,7 +976,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.144.142"; ip4.addr = "10.243.144.142";
ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278";
aliases = [ aliases = [
"tcac-0-1.r" "tcac-0-1.r"
]; ];
@ -1027,7 +1005,6 @@ in {
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.139.184"; ip4.addr = "10.243.139.184";
ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb";
aliases = [ aliases = [
"muhbaasu.r" "muhbaasu.r"
]; ];
@ -1050,7 +1027,6 @@ in {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.183.236"; ip4.addr = "10.243.183.236";
ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c";
aliases = [ aliases = [
"tpsw.r" "tpsw.r"
]; ];

22
krebs/3modules/tv/default.nix
View File

@ -1,19 +1,24 @@
{ config, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
{ config, ... }: let
{ hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.tv;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
});
in {
dns.providers = { dns.providers = {
"viljetic.de" = "regfish"; "viljetic.de" = "regfish";
}; };
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { hosts = mapAttrs hostDefaults {
alnus = { alnus = {
ci = true; ci = true;
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.21.1"; ip4.addr = "10.243.21.1";
ip6.addr = "42::2101";
aliases = [ aliases = [
"alnus.r" "alnus.r"
]; ];
@ -38,7 +43,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.20.1"; ip4.addr = "10.243.20.1";
ip6.addr = "42::2001";
aliases = [ aliases = [
"mu.r" "mu.r"
]; ];
@ -79,7 +83,6 @@ with import <stockholm/lib>;
retiolum = { retiolum = {
via = config.krebs.hosts.ni.nets.internet; via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.243.113.223"; ip4.addr = "10.243.113.223";
ip6.addr = "42:4522:25f8:36bb:8ccb:150:231a:2af4";
aliases = [ aliases = [
"ni.r" "ni.r"
"cgit.ni.r" "cgit.ni.r"
@ -114,7 +117,6 @@ with import <stockholm/lib>;
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.0.110"; ip4.addr = "10.243.0.110";
ip6.addr = "42:2d5:733f:d6da:c0f5:2bb7:2b18:9ec";
aliases = [ aliases = [
"nomic.r" "nomic.r"
"cgit.nomic.r" "cgit.nomic.r"
@ -158,7 +160,6 @@ with import <stockholm/lib>;
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.13.37"; ip4.addr = "10.243.13.37";
ip6.addr = "42::1337";
aliases = [ aliases = [
"wu.r" "wu.r"
"cgit.wu.r" "cgit.wu.r"
@ -185,7 +186,6 @@ with import <stockholm/lib>;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.22.22"; ip4.addr = "10.243.22.22";
ip6.addr = "42::2222";
aliases = [ aliases = [
"querel.r" "querel.r"
]; ];
@ -226,7 +226,6 @@ with import <stockholm/lib>;
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.13.38"; ip4.addr = "10.243.13.38";
ip6.addr = "42::1338";
aliases = [ aliases = [
"xu.r" "xu.r"
"cgit.xu.r" "cgit.xu.r"
@ -261,7 +260,6 @@ with import <stockholm/lib>;
}; };
retiolum = { retiolum = {
ip4.addr = "10.243.13.40"; ip4.addr = "10.243.13.40";
ip6.addr = "42::1340";
aliases = [ aliases = [
"zu.r" "zu.r"
]; ];

33
lass/1systems/morpheus/config.nix Normal file
View File

@ -0,0 +1,33 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
];
krebs.build.host = config.krebs.hosts.morpheus;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
nixpkgs.config.packageOverrides = super: {
steam = super.steam.override {
withPrimus = true;
extraPkgs = p: with p; [
glxinfo
nettools
bumblebee
];
};
};
}

32
lass/1systems/morpheus/physical.nix Normal file
View File

@ -0,0 +1,32 @@
{ lib, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./config.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostId = "60ce7e88";
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video";
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DF3B-4528";
fsType = "vfat";
};
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

1
lass/1systems/mors/config.nix
View File

@ -34,6 +34,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix> <stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/network-manager.nix>
{ {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain #risk of rain

33
lass/1systems/prism/config.nix
View File

@ -297,31 +297,28 @@ with import <stockholm/lib>;
}; };
} }
{ {
krebs.iptables.tables.filter.INPUT.rules = [ imports = [
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; } <stockholm/lass/2configs/wirelum.nix>
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
]; ];
#krebs.iptables.tables.nat.PREROUTING.rules = [
# { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
#];
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
]; ];
networking.wireguard.interfaces.wg0 = { services.dnsmasq = {
ips = [ "10.244.1.1/24" ]; enable = true;
listenPort = 51820; resolveLocalQueries = false;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true; extraConfig= ''
peers = [ listen-address=10.244.1.1
{ except-interface=lo
# lass-android interface=wg0
allowedIPs = [ "10.244.1.2/32" ]; '';
publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
}
];
}; };
} }
{ {

9
lass/1systems/yellow/config.nix
View File

@ -19,7 +19,11 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ]; users.groups.download.members = [ "transmission" ];
users.users.transmission.group = mkForce "download"; users.users.transmission.group = mkForce "download";
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.postStart = ''
chmod 775 /var/download/finished
'';
services.transmission = { services.transmission = {
enable = true; enable = true;
settings = { settings = {
@ -52,6 +56,9 @@ with import <stockholm/lib>;
autoindex on; autoindex on;
''; '';
}; };
locations."/dl".extraConfig = ''
return 301 /;
'';
locations."/" = { locations."/" = {
root = "/var/download/finished"; root = "/var/download/finished";
extraConfig = '' extraConfig = ''

5
lass/2configs/baseX.nix
View File

@ -9,7 +9,6 @@ in {
./power-action.nix ./power-action.nix
./copyq.nix ./copyq.nix
./urxvt.nix ./urxvt.nix
./network-manager.nix
{ {
hardware.pulseaudio = { hardware.pulseaudio = {
enable = true; enable = true;
@ -97,9 +96,9 @@ in {
enable = true; enable = true;
layout = "us"; layout = "us";
display = mkForce 0; display = mkForce 0;
xkbModel = "evdev";
xkbVariant = "altgr-intl"; xkbVariant = "altgr-intl";
xkbOptions = "caps:backspace"; xkbOptions = "caps:escape";
libinput.enable = true;
displayManager.lightdm.enable = true; displayManager.lightdm.enable = true;
windowManager.default = "xmonad"; windowManager.default = "xmonad";
windowManager.session = [{ windowManager.session = [{

1
lass/2configs/default.nix
View File

@ -10,6 +10,7 @@ with import <stockholm/lib>;
./zsh.nix ./zsh.nix
./htop.nix ./htop.nix
./security-workarounds.nix ./security-workarounds.nix
./wirelum.nix
{ {
users.extraUsers = users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; }) mapAttrs (_: h: { hashedPassword = h; })

1
lass/2configs/exim-smarthost.nix
View File

@ -94,6 +94,7 @@ with import <stockholm/lib>;
{ from = "osmocom@lassul.us"; to = lass.mail; } { from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; } { from = "lesswrong@lassul.us"; to = lass.mail; }
{ from = "nordvpn@lassul.us"; to = lass.mail; } { from = "nordvpn@lassul.us"; to = lass.mail; }
{ from = "csv-direct@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }

1
lass/2configs/games.nix
View File

@ -57,6 +57,7 @@ let
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
dolphinEmu
doom1 doom1
doom2 doom2
vdoom1 vdoom1

3
lass/2configs/mouse.nix
View File

@ -1,4 +1,4 @@
{ ... }: { lib, ... }:
{ {
hardware.trackpoint = { hardware.trackpoint = {
enable = true; enable = true;
@ -7,6 +7,7 @@
emulateWheel = true; emulateWheel = true;
}; };
services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics = { services.xserver.synaptics = {
enable = true; enable = true;
horizEdgeScroll = false; horizEdgeScroll = false;

44
lass/2configs/wirelum.nix Normal file
View File

@ -0,0 +1,44 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
self = config.krebs.build.host.nets.wirelum;
isRouter = !isNull self.via;
in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
#hack for modprobe inside containers
systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
(pkgs.writeDashBin "modprobe" ":")
]);
boot.kernel.sysctl = mkIf isRouter {
"net.ipv6.conf.all.forwarding" = 1;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
{ precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
];
networking.wireguard.interfaces.wirelum = {
ips =
(optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr);
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wirelum.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = if isRouter then
(optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
(optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
else
host.nets.wirelum.wireguard.subnets
;
endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
publicKey = host.nets.wirelum.wireguard.pubkey;
})
(filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
};
}

11
lass/5pkgs/l-gen-secrets/default.nix
View File

@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" ''
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wirelum.key
${pkgs.coreutils}/bin/cat $TMPDIR/wirelum.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wirelum.pub
cat <<EOF > $TMPDIR/hashedPasswords.nix cat <<EOF > $TMPDIR/hashedPasswords.nix
{ {
root = "$HASHED_PASSWORD"; root = "$HASHED_PASSWORD";
@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" ''
$(cat $TMPDIR/retiolum.rsa_key.pub) $(cat $TMPDIR/retiolum.rsa_key.pub)
${"''"}; ${"''"};
}; };
wirelum = {
ip6.addr = (wip6 "changeme").address;
aliases = [
"$HOSTNAME.w"
];
wireguard.pubkey = ${"''"}
$(cat $TMPDIR/wirelum.pub)
${"''"};
};
}; };
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";

44
lib/default.nix
View File

@ -5,6 +5,7 @@ let
evalSource = import ./eval-source.nix; evalSource = import ./eval-source.nix;
git = import ./git.nix { inherit lib; }; git = import ./git.nix { inherit lib; };
krebs = import ./krebs lib;
krops = import ../submodules/krops/lib; krops = import ../submodules/krops/lib;
shell = import ./shell.nix { inherit lib; }; shell = import ./shell.nix { inherit lib; };
types = nixpkgs-lib.types // import ./types.nix { inherit lib; }; types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
@ -28,8 +29,6 @@ let
listToAttrs (map (name: nameValuePair name set.${name}) listToAttrs (map (name: nameValuePair name set.${name})
(filter (flip hasAttr set) names)); (filter (flip hasAttr set) names));
setAttr = name: value: set: set // { ${name} = value; };
test = re: x: isString x && testString re x; test = re: x: isString x && testString re x;
testString = re: x: match re x != null; testString = re: x: match re x != null;
@ -94,7 +93,13 @@ let
in in
if max.pos == 0 if max.pos == 0
then a then a
else "${concatStringsSep ":" lhs}::${concatStringsSep ":" rhs}"; else let
sep =
if 8 - (length lhs + length rhs) == 1
then ":0:"
else "::";
in
"${concatStringsSep ":" lhs}${sep}${concatStringsSep ":" rhs}";
drop-leading-zeros = drop-leading-zeros =
let let
@ -108,7 +113,38 @@ let
in in
a: concatStringsSep ":" (map f (splitString ":" a)); a: concatStringsSep ":" (map f (splitString ":" a));
in in
a: toLower (group-zeros (drop-leading-zeros a)); a:
toLower
(if test ".*::.*" a
then a
else group-zeros (drop-leading-zeros a));
hashToLength = n: s: substring 0 n (hashString "sha256" s);
dropLast = n: xs: reverseList (drop n (reverseList xs));
takeLast = n: xs: reverseList (take n (reverseList xs));
# Split string into list of chunks where each chunk is at most n chars long.
# The leftmost chunk might shorter.
# Example: stringToGroupsOf "123456" -> ["12" "3456"]
stringToGroupsOf = n: s: let
acc =
foldl'
(acc: c: if stringLength acc.chunk < n then {
chunk = acc.chunk + c;
chunks = acc.chunks;
} else {
chunk = c;
chunks = acc.chunks ++ [acc.chunk];
})
{
chunk = "";
chunks = [];
}
(stringToCharacters s);
in
filter (x: x != []) ([acc.chunk] ++ acc.chunks);
}; };
in in

3
lib/krebs/default.nix Normal file
View File

@ -0,0 +1,3 @@
lib:
with lib;
mapNixDir (flip import lib) ./.

107
lib/krebs/genipv6.nix Normal file
View File

@ -0,0 +1,107 @@
lib:
with lib;
let {
body = netname: subnetname: suffixSpec: rec {
address = let
suffix' = prependZeros suffixLength suffix;
in
normalize-ip6-addr
(checkAddress addressLength (joinAddress subnetPrefix suffix'));
addressCIDR = "${address}/${toString addressLength}";
addressLength = 128;
inherit netname;
netCIDR = "${netAddress}/${toString netPrefixLength}";
netAddress = appendZeros netPrefixLength netPrefix;
netHash = toString {
retiolum = 0;
wirelum = 1;
}.${netname};
netPrefix = "42:${netHash}";
netPrefixLength = {
retiolum = 32;
wirelum = 32;
}.${netname};
inherit subnetname;
subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}";
subnetAddress = appendZeros subnetPrefixLength subnetPrefix;
subnetHash = hashToLength 4 subnetname;
subnetPrefix = joinAddress netPrefix subnetHash;
subnetPrefixLength = netPrefixLength + 16;
suffix = getAttr (typeOf suffixSpec) {
set =
concatStringsSep
":"
(stringToGroupsOf
4
(hashToLength (suffixLength / 4) suffixSpec.hostName));
string = suffixSpec;
};
suffixLength = addressLength - subnetPrefixLength;
};
appendZeros = n: s: let
n' = n / 16;
zeroCount = n' - length parsedaddr;
parsedaddr = parseAddress s;
in
formatAddress (parsedaddr ++ map (const "0") (range 1 zeroCount));
prependZeros = n: s: let
n' = n / 16;
zeroCount = n' - length parsedaddr;
parsedaddr = parseAddress s;
in
formatAddress (map (const "0") (range 1 zeroCount) ++ parsedaddr);
hasEmptyPrefix = xs: take 2 xs == ["" ""];
hasEmptySuffix = xs: takeLast 2 xs == ["" ""];
hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs);
hasEmptyGroup = xs:
any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix];
ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs;
rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs;
trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs);
parseAddress = splitString ":";
formatAddress = concatStringsSep ":";
check = s: c: if !c then throw "${s}" else true;
checkAddress = maxaddrlen: addr: let
parsedaddr = parseAddress addr;
normalizedaddr = trimEmpty 1 parsedaddr;
in
assert (check "address malformed; lone leading colon: ${addr}" (
head parsedaddr == "" -> tail (take 2 parsedaddr) == ""
));
assert (check "address malformed; lone trailing colon ${addr}" (
last parsedaddr == "" -> head (takeLast 2 parsedaddr) == ""
));
assert (check "address malformed; too many successive colons: ${addr}" (
length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]
));
assert (check "address malformed: ${addr}" (
all (test "[0-9a-f]{0,4}") parsedaddr
));
assert (check "address is too long: ${addr}" (
length normalizedaddr * 16 <= maxaddrlen
));
addr;
joinAddress = prefix: suffix: let
parsedPrefix = parseAddress prefix;
parsedSuffix = parseAddress suffix;
normalizePrefix = rtrimEmpty 2 parsedPrefix;
normalizeSuffix = ltrimEmpty 2 parsedSuffix;
delimiter =
optional (length (normalizePrefix ++ normalizeSuffix) < 8 &&
(hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix))
"";
in
formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix);
}

26
lib/types.nix
View File

@ -19,7 +19,7 @@ rec {
default = config._module.args.name; default = config._module.args.name;
}; };
cores = mkOption { cores = mkOption {
type = positive; type = uint;
}; };
nets = mkOption { nets = mkOption {
type = attrsOf net; type = attrsOf net;
@ -192,6 +192,28 @@ rec {
})); }));
default = null; default = null;
}; };
wireguard = mkOption {
type = nullOr (submodule ({ config, ... }: {
options = {
port = mkOption {
type = int;
description = "tinc port to use to connect to host";
default = 51820;
};
pubkey = mkOption {
type = wireguard-pubkey;
};
subnets = mkOption {
type = listOf cidr;
description = ''
wireguard subnets,
this defines how routing behaves for hosts that can't reach each other.
'';
default = [];
};
};
}));
};
}; };
}); });
@ -548,4 +570,6 @@ rec {
check = filename.check; check = filename.check;
merge = mergeOneOption; merge = mergeOneOption;
}; };
wireguard-pubkey = str;
} }

2
makefu/1systems/iso/config.nix
View File

@ -10,7 +10,7 @@ with import <stockholm/lib>;
]; ];
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
krebs.build.host = config.krebs.hosts.iso; krebs.build.host = { cores = 0; };
isoImage.isoBaseName = lib.mkForce "stockholm"; isoImage.isoBaseName = lib.mkForce "stockholm";
krebs.hidden-ssh.enable = true; krebs.hidden-ssh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

42
tv/2configs/xserver/default.nix
View File

@ -48,31 +48,35 @@ in {
systemd.services.xmonad = let systemd.services.xmonad = let
xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad"; xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad";
xmonad-prepare = pkgs.writeDash "xmonad-prepare" ''
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_DATA_DIR"
'';
xmonad-ready = pkgs.writeDash "xmonad-ready" ''
{
${pkgs.xorg.xhost}/bin/xhost +SI:localuser:${cfg.user.name}
${pkgs.xorg.xhost}/bin/xhost -LOCAL:
} &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
in { in {
wantedBy = [ "graphical.target" ]; wantedBy = [ "graphical.target" ];
requires = [ "xserver.service" ]; requires = [ "xserver.service" ];
environment = { environment = {
DISPLAY = ":${toString config.services.xserver.display}"; DISPLAY = ":${toString config.services.xserver.display}";
FZMENU_FZF_DEFAULT_OPTS = toString [ FZMENU_FZF_DEFAULT_OPTS = toString [
"--color=dark,border:126,bg+:090" "--color=dark,border:126,bg+:090"
"--inline-info" "--inline-info"
]; ];
XMONAD_CACHE_DIR = cfg.cacheDir; XMONAD_CACHE_DIR = cfg.cacheDir;
XMONAD_CONFIG_DIR = cfg.configDir; XMONAD_CONFIG_DIR = cfg.configDir;
XMONAD_DATA_DIR = cfg.dataDir; XMONAD_DATA_DIR = cfg.dataDir;
XMONAD_STARTUP_HOOK = xmonad-ready;
XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' XMONAD_WORKSPACES0_FILE = pkgs.writeJSON "xmonad-workspaces0.json" [
${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
# XXX JSON is close enough :)
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
"Dashboard" # we start here "Dashboard" # we start here
"23" "23"
"cr" "cr"
@ -82,7 +86,7 @@ in {
"mail" "mail"
"stockholm" "stockholm"
"za" "zh" "zj" "zs" "za" "zh" "zj" "zs"
]); ];
}; };
path = [ path = [
config.tv.slock.package config.tv.slock.package
@ -93,14 +97,10 @@ in {
"/run/wrappers" # for su "/run/wrappers" # for su
]; ];
serviceConfig = { serviceConfig = {
SyslogIdentifier = "xmonad"; ExecStartPre = "@${xmonad-prepare} xmonad-prepare";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${toString [ ExecStart = "@${xmonad} xmonad-${currentSystem}";
"\${XMONAD_CACHE_DIR}"
"\${XMONAD_CONFIG_DIR}"
"\${XMONAD_DATA_DIR}"
]}";
ExecStart = "@${xmonad} xmonad-${currentSystem} ";
ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown"; ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown";
SyslogIdentifier = "xmonad";
User = cfg.user.name; User = cfg.user.name;
WorkingDirectory = cfg.user.home; WorkingDirectory = cfg.user.home;
}; };