merge cd/master

This commit is contained in:
makefu 2016-05-24 22:12:38 +02:00
commit 9cba0ffefa
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
43 changed files with 511 additions and 426 deletions


@ -9,6 +9,7 @@ export STOCKHOLM_VERSION ?= $(shell \
printf '%s' "$$date.$$version"; \ printf '%s' "$$date.$$version"; \
) )
system ?= $(HOSTNAME)
$(if $(system),,$(error unbound variable: system)) $(if $(system),,$(error unbound variable: system))
nixos-config ?= $(stockholm)/$(LOGNAME)/1systems/$(system).nix nixos-config ?= $(stockholm)/$(LOGNAME)/1systems/$(system).nix
@ -54,15 +55,17 @@ evaluate = \
--show-trace \ --show-trace \
-I nixos-config=$(nixos-config) \ -I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \ -I stockholm=$(stockholm) \
-E '{ eval, f }: f eval' \ -E "let eval = import <stockholm>; in with eval; $(1)"
--arg eval 'import ./.' \
--arg f "eval@{ config, ... }: $(1)"
execute = \ execute = \
result=$$($(call evaluate,config.krebs.build.$(1))) && \ result=$$($(call evaluate,config.krebs.build.$(1))) && \
script=$$(echo "$$result" | jq -r .) && \ script=$$(echo "$$result" | jq -r .) && \
echo "$$script" | PS5=% sh echo "$$script" | PS5=% sh
ifeq ($(MAKECMDGOALS),)
$(error No goals specified)
endif
# usage: make deploy system=foo [target_host=bar] # usage: make deploy system=foo [target_host=bar]
deploy: ssh ?= ssh deploy: ssh ?= ssh
deploy: deploy:
@ -73,7 +76,7 @@ deploy:
# usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name # usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name
eval eval.:;@$(call evaluate,$${expr-eval}) eval eval.:;@$(call evaluate,$${expr-eval})
eval.%:;@$(call evaluate,$*) eval.%:;@$(call evaluate,$@)
# usage: make install system=foo [target_host=bar] # usage: make install system=foo [target_host=bar]
install: ssh ?= ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null install: ssh ?= ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
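Review bot: `system ?= $(HOSTNAME)` on the line before the unbound-variable check relies on HOSTNAME being present in make's environment, but bash keeps HOSTNAME as a non-exported shell variable, so from a typical interactive shell the default is still empty and `$(error unbound variable: system)` fires without hinting at the fallback. If a hostname default is the intent, `system ?= $(or $(HOSTNAME),$(shell hostname))` works regardless of the caller's shell, and the error text could point at it, e.g. `$(error unbound variable: system (pass system=... or export HOSTNAME))`. Separately, `$(1)` in the rewritten `evaluate` is spliced into a double-quoted shell string, so a goal name containing `"` or `$` passed through `eval.%` reaches the shell unescaped; this predates the change and applied equally to the old `--arg f` form, but a comment on `evaluate` stating that the expression is trusted input would make the assumption explicit.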


@ -103,103 +103,91 @@ let
plan.method == method && plan.method == method &&
config.krebs.build.host.name == plan.${side}.host.name; config.krebs.build.host.name == plan.${side}.host.name;
start = plan: pkgs.writeDash "backup.${plan.name}" '' start = plan: let
login-name = "root";
identity = local.host.ssh.privkey.path;
ssh = "ssh -i ${shell.escape identity}";
local = getAttr plan.method {
push = plan.src // { rsync = src-rsync; };
pull = plan.dst // { rsync = dst-rsync; };
};
remote = getAttr plan.method {
push = plan.dst // { rsync = dst-rsync; };
pull = plan.src // { rsync = src-rsync; };
};
src-rsync = "rsync";
dst-rsync = concatStringsSep " && " [
"stat ${shell.escape plan.dst.path} >/dev/null"
"mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
"flock -n ${shell.escape plan.dst.path} rsync"
];
in pkgs.writeScript "backup.${plan.name}" ''
#! ${pkgs.bash}/bin/bash
set -efu set -efu
start_date=$(date +%s)
ssh_target=${shell.escape login-name}@$(${fastest-address remote.host})
${getAttr plan.method { ${getAttr plan.method {
push = '' push = ''
identity=${shell.escape plan.src.host.ssh.privkey.path} rsync_src=${shell.escape plan.src.path}
src_path=${shell.escape plan.src.path} rsync_dst=$ssh_target:${shell.escape plan.dst.path}
src=$src_path echo >&2 "update snapshot current; $rsync_src -> $rsync_dst"
dst_user=root
dst_host=$(${fastest-address plan.dst.host})
dst_port=$(${network-ssh-port plan.dst.host "$dst_host"})
dst_path=${shell.escape plan.dst.path}
dst=$dst_user@$dst_host:$dst_path
echo "update snapshot: current; $src -> $dst" >&2
dst_shell() {
exec ssh -F /dev/null \
-i "$identity" \
''${dst_port:+-p $dst_port} \
"$dst_user@$dst_host" \
-T "$with_dst_path_lock_script"
}
rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}"
local_rsync() {
rsync "$@"
}
remote_rsync=${shell.escape (concatStringsSep " && " [
"mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
"exec flock -n ${shell.escape plan.dst.path} rsync"
])}
''; '';
pull = '' pull = ''
identity=${shell.escape plan.dst.host.ssh.privkey.path} rsync_src=$ssh_target:${shell.escape plan.src.path}
src_user=root rsync_dst=${shell.escape plan.dst.path}
src_host=$(${fastest-address plan.src.host}) echo >&2 "update snapshot current; $rsync_dst <- $rsync_src"
src_port=$(${network-ssh-port plan.src.host "$src_host"})
src_path=${shell.escape plan.src.path}
src=$src_user@$src_host:$src_path
dst_path=${shell.escape plan.dst.path}
dst=$dst_path
echo "update snapshot: current; $dst <- $src" >&2
dst_shell() {
eval "$with_dst_path_lock_script"
}
rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}"
local_rsync() {
mkdir -m 0700 -p ${shell.escape plan.dst.path}/current
flock -n ${shell.escape plan.dst.path} rsync "$@"
}
remote_rsync=rsync
''; '';
}} }}
# Note that this only works because we trust date +%s to produce output ${local.rsync} >&2 \
# that doesn't need quoting when used to generate a command string.
# TODO relax this requirement by selectively allowing to inject variables
# e.g.: ''${shell.quote "exec env NOW=''${shell.unquote "$NOW"} ..."}
with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape
"flock -n ${shell.escape plan.dst.path} /bin/sh"
}
local_rsync >&2 \
-aAXF --delete \ -aAXF --delete \
--rsh="$rsh" \ --rsh=${shell.escape ssh} \
--rsync-path="$remote_rsync" \ --rsync-path=${shell.escape remote.rsync} \
--link-dest="$dst_path/current" \ --link-dest=${shell.escape plan.dst.path}/current \
"$src/" \ "$rsync_src/" \
"$dst/.partial" "$rsync_dst/.partial"
dst_shell < ${toFile "backup.${plan.name}.take-snapshots" ''
dst_exec() {
${getAttr plan.method {
push = ''exec ${ssh} "$ssh_target" -T "exec$(printf ' %q' "$@")"'';
pull = ''exec "$@"'';
}}
}
dst_exec env \
start_date="$start_date" \
flock -n ${shell.escape plan.dst.path} \
/bin/sh < ${toFile "backup.${plan.name}.take-snapshots" ''
set -efu set -efu
: $start_date : $start_date
dst=${shell.escape plan.dst.path} dst_path=${shell.escape plan.dst.path}
mv "$dst/current" "$dst/.previous" mv "$dst_path/current" "$dst_path/.previous"
mv "$dst/.partial" "$dst/current" mv "$dst_path/.partial" "$dst_path/current"
rm -fR "$dst/.previous" rm -fR "$dst_path/.previous"
echo >&2 echo >&2
snapshot() {( snapshot() {(
: $ns $format $retain : $ns $format $retain
name=$(date --date="@$start_date" +"$format") name=$(date --date="@$start_date" +"$format")
if ! test -e "$dst/$ns/$name"; then if ! test -e "$dst_path/$ns/$name"; then
echo >&2 "create snapshot: $ns/$name" echo >&2 "create snapshot: $ns/$name"
mkdir -m 0700 -p "$dst/$ns" mkdir -m 0700 -p "$dst_path/$ns"
rsync >&2 \ rsync >&2 \
-aAXF --delete \ -aAXF --delete \
--link-dest="$dst/current" \ --link-dest="$dst_path/current" \
"$dst/current/" \ "$dst_path/current/" \
"$dst/$ns/.partial.$name" "$dst_path/$ns/.partial.$name"
mv "$dst/$ns/.partial.$name" "$dst/$ns/$name" mv "$dst_path/$ns/.partial.$name" "$dst_path/$ns/$name"
echo >&2 echo >&2
fi fi
case $retain in case $retain in
([0-9]*) ([0-9]*)
delete_from=$(($retain + 1)) delete_from=$(($retain + 1))
ls -r "$dst/$ns" \ ls -r "$dst_path/$ns" \
| sed -n "$delete_from,\$p" \ | sed -n "$delete_from,\$p" \
| while read old_name; do | while read old_name; do
echo >&2 "delete snapshot: $ns/$old_name" echo >&2 "delete snapshot: $ns/$old_name"
rm -fR "$dst/$ns/$old_name" rm -fR "$dst_path/$ns/$old_name"
done done
;; ;;
(ALL) (ALL)
@ -227,24 +215,12 @@ let
| ${pkgs.coreutils}/bin/head -1; } | ${pkgs.coreutils}/bin/head -1; }
''; '';
# Note that we don't escape word on purpose, so we can deref shell vars.
# TODO type word
network-ssh-port = host: word: ''
case ${word} in
${concatStringsSep ";;\n" (mapAttrsToList
(_: net: "(${head net.aliases}) echo ${toString net.ssh.port}")
host.nets)};;
esac
'';
in out in out
# TODO ionice # TODO ionice
# TODO mail on failed push, pull
# TODO mail on missing push # TODO mail on missing push
# TODO don't cancel plans on activation # TODO don't cancel plans on activation
# also, don't hang while deploying at: # also, don't hang while deploying at:
# starting the following units: backup.wu-home-xu.push.service, backup.wu-home-xu.push.timer # starting the following units: backup.wu-home-xu.push.service, backup.wu-home-xu.push.timer
# TODO make sure /bku is properly mounted
# TODO make sure that secure hosts cannot backup to insecure ones # TODO make sure that secure hosts cannot backup to insecure ones
# TODO optionally only backup when src and dst are near enough :) # TODO optionally only backup when src and dst are near enough :)
# TODO try using btrfs for snapshots (configurable) # TODO try using btrfs for snapshots (configurable)
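Review bot: The new `dst-rsync` guard `stat ${shell.escape plan.dst.path} >/dev/null` only proves that the destination directory exists, not that a backup volume is mounted on it; if the `# TODO make sure /bku is properly mounted` line removed further down was dropped because of this guard, an unmounted destination will silently receive the whole rsync into the empty mountpoint directory on the root filesystem. Where destinations are expected to be mountpoints, `mountpoint -q ${shell.escape plan.dst.path}` (or a per-plan flag selecting that check) fails closed; otherwise keeping the TODO is preferable to implying it is solved. A smaller point on `push = ''exec ${ssh} "$ssh_target" -T "exec$(printf ' %q' "$@")"''`: bash's `%q` emits `$'…'` ANSI-C quoting for arguments with non-printable characters, which the remote login shell only understands if it is bash, so a `plan.dst.path` containing such characters would be mangled on a remote whose root shell is a POSIX `sh`; a comment stating the bash-on-both-ends assumption would help. The `start` script continues past the end of the hunk and depends on `fastest-address`, which is defined outside it.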


@ -88,6 +88,8 @@ let
#! /bin/sh #! /bin/sh
set -efu set -efu
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
verbose() { verbose() {
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@" "$@"
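Review bot: The added `export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` hard-codes a path without saying which tool needs it or on which host the script runs; if the bundle is absent at that path, clients that honour the variable fail verification outright instead of falling back to their built-in store, which is the safe direction but will surface as an unrelated-looking network error. A one-line comment such as `# force the system CA bundle: <tool placeholder> does not locate it on its own in this environment` preserves the reason; if the script runs on NixOS hosts, it is worth confirming and stating that the PKI module is what populates that file. The `verbose` helper and the surrounding script continue outside the hunk.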


@ -13,6 +13,7 @@ let
./buildbot/slave.nix ./buildbot/slave.nix
./build.nix ./build.nix
./current.nix ./current.nix
./exim.nix
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix ./exim-smarthost.nix
./fetchWallpaper.nix ./fetchWallpaper.nix
@ -157,7 +158,11 @@ let
makefu makefu
tv tv
]; ];
ciko.mail = "wieczorek.stefan@gmail.com";
Mic92.mail = "joerg@higgsboson.tk";
in { in {
"*@eloop.org" = [{ mail = "eloop2016@krebsco.de"; }];
"eloop2016@krebsco.de" = spam-ml ++ [ ciko Mic92 ];
"postmaster@krebsco.de" = spam-ml; # RFC 822 "postmaster@krebsco.de" = spam-ml; # RFC 822
"lass@krebsco.de" = lass; "lass@krebsco.de" = lass;
"makefu@krebsco.de" = makefu; "makefu@krebsco.de" = makefu;
@ -218,7 +223,7 @@ let
(filter (hasSuffix ".${cfg.search-domain}") (filter (hasSuffix ".${cfg.search-domain}")
longs); longs);
add-port = a: add-port = a:
if net.ssh.port != null if net.ssh.port != 22
then "[${a}]:${toString net.ssh.port}" then "[${a}]:${toString net.ssh.port}"
else a; else a;
in in
@ -228,8 +233,25 @@ let
publicKey = host.ssh.pubkey; publicKey = host.ssh.pubkey;
}) })
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
programs.ssh.extraConfig = concatMapStrings
(net: ''
Host ${toString (net.aliases ++ net.addrs)}
Port ${toString net.ssh.port}
'')
(filter
(net: net.ssh.port != 22)
(concatMap (host: attrValues host.nets)
(mapAttrsToList
(_: host: recursiveUpdate host
(optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
nets."" = host.nets.${config.krebs.search-domain} // {
aliases = [host.name];
addrs = [];
};
}))
config.krebs.hosts)));
} }
]; ];
in in out
out
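Review bot: `if net.ssh.port != 22` replaces a null check in `add-port`, and the new `programs.ssh.extraConfig` block filters on the same `net.ssh.port != 22`; unless the net type now guarantees a non-null port (its definition is not visible here), a host with `ssh.port = null` passes both filters and yields `[addr]:` in known_hosts and an empty `Port` line in ssh_config, and the latter breaks every ssh invocation on the host. Guarding both sites with `net.ssh.port != null && net.ssh.port != 22`, or asserting the default in the type, keeps the change safe either way. The `"*@eloop.org"` catch-all alias in the earlier hunk also deserves a comment: it makes the host accept any local part for that domain and forward it to `eloop2016@krebsco.de`, so dictionary-style spam to the domain reaches the listed recipients unfiltered.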


@ -32,7 +32,7 @@ let
}; };
imp = { imp = {
services.exim = { krebs.exim = {
enable = true; enable = true;
config = config =
# This configuration makes only sense for retiolum-enabled hosts. # This configuration makes only sense for retiolum-enabled hosts.
@ -57,6 +57,8 @@ let
syslog_timestamp = false syslog_timestamp = false
syslog_duplication = false syslog_duplication = false
tls_advertise_hosts =
begin acl begin acl
acl_check_rcpt: acl_check_rcpt:
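Review bot: The added `tls_advertise_hosts =` with an empty value explicitly turns off STARTTLS advertising, and the same line is added in the exim-smarthost section below. For the retiolum-only configuration that may be acceptable because peers are reached over the tinc tunnel, but the smarthost accepts mail from the public internet, where an empty list means every inbound SMTP session is plaintext. If the line was added because no `tls_certificate`/`tls_privatekey` is configured yet, a comment saying so (`# no STARTTLS yet: no certificate configured, see <tracking placeholder>`) plus a follow-up for the smarthost keeps the regression visible; if it is deliberate, the reason belongs next to the line.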


@ -105,7 +105,7 @@ let
requires = [ "secret.service" ]; requires = [ "secret.service" ];
}; };
}; };
services.exim = { krebs.exim = {
enable = true; enable = true;
config = '' config = ''
keep_environment = keep_environment =
@ -136,6 +136,8 @@ let
syslog_timestamp = false syslog_timestamp = false
syslog_duplication = false syslog_duplication = false
tls_advertise_hosts =
begin acl begin acl
acl_check_rcpt: acl_check_rcpt:
@ -162,7 +164,7 @@ let
control = dkim_disable_verify control = dkim_disable_verify
accept message = relay not permitted 2 accept message = relay not permitted 2
recipients = lsearch;${lsearch.internet-aliases} recipients = lsearch*@;${lsearch.internet-aliases}
require message = relay not permitted require message = relay not permitted
domains = +local_domains : +relay_to_domains domains = +local_domains : +relay_to_domains
@ -196,7 +198,7 @@ let
internet_aliases: internet_aliases:
debug_print = "R: internet_aliases for $local_part@$domain" debug_print = "R: internet_aliases for $local_part@$domain"
driver = redirect driver = redirect
data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} data = ''${lookup{$local_part@$domain}lsearch*@{${lsearch.internet-aliases}}}
dnslookup: dnslookup:
debug_print = "R: dnslookup for $local_part@$domain" debug_print = "R: dnslookup for $local_part@$domain"

krebs/3modules/exim.nix Normal file

@ -0,0 +1,80 @@
{ config, lib, pkgs, ... }: with config.krebs.lib; let
cfg = config.krebs.exim;
in {
options.krebs.exim = {
enable = mkEnableOption "krebs.exim";
config = mkOption {
type = types.str;
default = "";
description = ''
Verbatim Exim configuration. This should not contain exim_user,
exim_group, exim_path, or spool_directory.
'';
};
user = mkOption {
type = types.user;
default = {
name = "exim";
home = "/var/spool/exim";
};
description = ''
User to use when no root privileges are required.
In particular, this applies when receiving messages and when doing
remote deliveries. (Local deliveries run as various non-root users,
typically as the owner of a local mailbox.) Specifying this value
as root is not supported.
'';
};
group = mkOption {
type = types.group;
default = {
name = "exim";
};
description = ''
Group to use when no root privileges are required.
'';
};
};
config = lib.mkIf cfg.enable {
environment = {
etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" ''
exim_user = ${cfg.user.name}
exim_group = ${cfg.group.name}
exim_path = /var/setuid-wrappers/exim
spool_directory = ${cfg.user.home}
${cfg.config}
'';
systemPackages = [ pkgs.exim ];
};
krebs.setuid = {
exim = {
filename = "${pkgs.exim}/bin/exim";
mode = "4111";
};
sendmail = {
filename = "${pkgs.exim}/bin/exim";
mode = "4111";
};
};
systemd.services.exim = {
restartTriggers = [
config.environment.etc."exim.conf".source
];
serviceConfig = {
ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
wantedBy = [ "multi-user.target" ];
};
users = {
groups.${cfg.group.name} = {
inherit (cfg.group) name gid;
};
users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.group.name;
};
};
};
}
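Review bot: The `user` option's description says running as root is not supported, but nothing in the module enforces it, and `exim_user = ${cfg.user.name}` would silently emit a configuration in which the unprivileged receive and remote-delivery paths run as root; a module-level `assertions = [ { assertion = cfg.user.name != "root"; message = "krebs.exim.user must not be root"; } ];` inside the `mkIf` block turns the documented constraint into a build failure. Two further items are worth a comment: `exim_path = /var/setuid-wrappers/exim` must stay in sync with the `krebs.setuid.exim` wrapper defined a few lines below, since exim re-executes itself through that path, and the `4111` mode means the wrappers are setuid root, which is the expected mode for exim but should be stated so it is not "fixed" later.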


@ -8,15 +8,15 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["144.76.172.188"]; ip4.addr = "144.76.172.188";
aliases = [ aliases = [
"dishfire.internet" "dishfire.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.133.99"]; ip4.addr = "10.243.133.99";
addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"]; ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233";
aliases = [ aliases = [
"dishfire.retiolum" "dishfire.retiolum"
"dishfire.r" "dishfire.r"
@ -40,15 +40,15 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["162.252.241.33"]; ip4.addr = "162.252.241.33";
aliases = [ aliases = [
"echelon.internet" "echelon.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.206.103"]; ip4.addr = "10.243.206.103";
addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f763"]; ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [ aliases = [
"echelon.retiolum" "echelon.retiolum"
"echelon.r" "echelon.r"
@ -75,15 +75,15 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["213.239.205.240"]; ip4.addr = "213.239.205.240";
aliases = [ aliases = [
"prism.internet" "prism.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.0.103"]; ip4.addr = "10.243.0.103";
addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab";
aliases = [ aliases = [
"prism.retiolum" "prism.retiolum"
"prism.r" "prism.r"
@ -107,15 +107,15 @@ with config.krebs.lib;
fastpoke = { fastpoke = {
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["193.22.164.36"]; ip4.addr = "193.22.164.36";
aliases = [ aliases = [
"fastpoke.internet" "fastpoke.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.253.152"]; ip4.addr = "10.243.253.152";
addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00";
aliases = [ aliases = [
"fastpoke.retiolum" "fastpoke.retiolum"
"fastpoke.r" "fastpoke.r"
@ -139,15 +139,15 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["104.167.113.104"]; ip4.addr = "104.167.113.104";
aliases = [ aliases = [
"cloudkrebs.internet" "cloudkrebs.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.206.102"]; ip4.addr = "10.243.206.102";
addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f762";
aliases = [ aliases = [
"cloudkrebs.retiolum" "cloudkrebs.retiolum"
"cloudkrebs.r" "cloudkrebs.r"
@ -172,12 +172,12 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.12"]; ip4.addr = "10.23.1.12";
aliases = ["uriel.gg23"]; aliases = ["uriel.gg23"];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.81.176"]; ip4.addr = "10.243.81.176";
addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56";
aliases = [ aliases = [
"uriel.retiolum" "uriel.retiolum"
"uriel.r" "uriel.r"
@ -203,12 +203,12 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.11"]; ip4.addr = "10.23.1.11";
aliases = ["mors.gg23"]; aliases = ["mors.gg23"];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.0.2"]; ip4.addr = "10.243.0.2";
addrs6 = ["42:0:0:0:0:0:0:dea7"]; ip6.addr = "42:0:0:0:0:0:0:dea7";
aliases = [ aliases = [
"mors.retiolum" "mors.retiolum"
"mors.r" "mors.r"
@ -234,8 +234,8 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.3"]; ip4.addr = "10.243.0.3";
addrs6 = ["42:0:0:0:0:0:0:7105"]; ip6.addr = "42:0:0:0:0:0:0:7105";
aliases = [ aliases = [
"helios.retiolum" "helios.retiolum"
"helios.r" "helios.r"


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.210"]; ip4.addr = "10.243.0.210";
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001";
aliases = [ aliases = [
"pnp.retiolum" "pnp.retiolum"
"cgit.pnp.retiolum" "cgit.pnp.retiolum"
@ -31,8 +31,8 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.84"]; ip4.addr = "10.243.0.84";
addrs6 = ["42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"]; ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566";
aliases = [ aliases = [
"darth.retiolum" "darth.retiolum"
"darth.r" "darth.r"
@ -54,8 +54,8 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.212"]; ip4.addr = "10.243.0.212";
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"]; ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002";
aliases = [ aliases = [
"tsp.retiolum" "tsp.retiolum"
]; ];
@ -81,8 +81,8 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.91"]; ip4.addr = "10.243.0.91";
addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"]; ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db";
aliases = [ aliases = [
"pornocauster.retiolum" "pornocauster.retiolum"
"pornocauster.r" "pornocauster.r"
@ -108,8 +108,8 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.1.91"]; ip4.addr = "10.243.1.91";
addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"]; ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400";
aliases = [ aliases = [
"vbob.retiolum" "vbob.retiolum"
]; ];
@ -135,22 +135,22 @@ with config.krebs.lib;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
euer IN MX 1 aspmx.l.google.com. euer IN MX 1 aspmx.l.google.com.
pigstarter IN A ${head nets.internet.addrs4} pigstarter IN A ${nets.internet.ip4.addr}
gold IN A ${head nets.internet.addrs4} gold IN A ${nets.internet.ip4.addr}
boot IN A ${head nets.internet.addrs4} boot IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = { nets = {
internet = { internet = {
addrs4 = ["192.40.56.122"]; ip4.addr = "192.40.56.122";
addrs6 = ["2604:2880::841f:72c"]; ip6.addr = "2604:2880::841f:72c";
aliases = [ aliases = [
"pigstarter.internet" "pigstarter.internet"
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.0.153"]; ip4.addr = "10.243.0.153";
addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110";
aliases = [ aliases = [
"pigstarter.retiolum" "pigstarter.retiolum"
]; ];
@ -171,18 +171,18 @@ with config.krebs.lib;
cores = 1; cores = 1;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
euer IN A ${head nets.internet.addrs4} euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${head nets.internet.addrs4} wiki.euer IN A ${nets.internet.ip4.addr}
wry IN A ${head nets.internet.addrs4} wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de. io IN NS wry.krebsco.de.
graphs IN A ${head nets.internet.addrs4} graphs IN A ${nets.internet.ip4.addr}
paste 60 IN A ${head nets.internet.addrs4} paste 60 IN A ${nets.internet.ip4.addr}
tinc IN A ${head nets.internet.addrs4} tinc IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["104.233.87.86"]; ip4.addr = "104.233.87.86";
aliases = [ aliases = [
"wry.internet" "wry.internet"
"paste.internet" "paste.internet"
@ -190,8 +190,8 @@ with config.krebs.lib;
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.29.169"]; ip4.addr = "10.243.29.169";
addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [ aliases = [
"graphs.wry.retiolum" "graphs.wry.retiolum"
"graphs.retiolum" "graphs.retiolum"
@ -228,8 +228,8 @@ with config.krebs.lib;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.153.102"]; ip4.addr = "10.243.153.102";
addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"]; ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [ aliases = [
"filepimp.retiolum" "filepimp.retiolum"
]; ];
@ -252,8 +252,8 @@ with config.krebs.lib;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.89"]; ip4.addr = "10.243.0.89";
addrs6 = ["42:f9f0::10"]; ip6.addr = "42:f9f0::10";
aliases = [ aliases = [
"omo.retiolum" "omo.retiolum"
"omo.r" "omo.r"
@ -277,8 +277,8 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.214.15"]; ip4.addr = "10.243.214.15";
addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
aliases = [ aliases = [
"wbob.retiolum" "wbob.retiolum"
]; ];
@ -301,24 +301,24 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
share.euer IN A ${head nets.internet.addrs4} share.euer IN A ${nets.internet.ip4.addr}
mattermost.euer IN A ${head nets.internet.addrs4} mattermost.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${head nets.internet.addrs4} git.euer IN A ${nets.internet.ip4.addr}
gum IN A ${head nets.internet.addrs4} gum IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${head nets.internet.addrs4} cgit.euer IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["195.154.108.70"]; ip4.addr = "195.154.108.70";
aliases = [ aliases = [
"gum.internet" "gum.internet"
]; ];
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.0.211"]; ip4.addr = "10.243.0.211";
addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"]; ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2";
aliases = [ aliases = [
"gum.r" "gum.r"
"gum.retiolum" "gum.retiolum"
@ -346,20 +346,20 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
mediengewitter IN A ${head nets.internet.addrs4} mediengewitter IN A ${nets.internet.ip4.addr}
flap IN A ${head nets.internet.addrs4} flap IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = { nets = {
internet = { internet = {
addrs4 = ["162.248.11.162"]; ip4.addr = "162.248.11.162";
aliases = [ aliases = [
"flap.internet" "flap.internet"
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.211.172"]; ip4.addr = "10.243.211.172";
addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"]; ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d";
aliases = [ aliases = [
"flap.retiolum" "flap.retiolum"
"flap.r" "flap.r"
@ -382,8 +382,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.231.219"]; ip4.addr = "10.243.231.219";
addrs6 = ["42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"]; ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72";
aliases = [ aliases = [
"nukular.r" "nukular.r"
]; ];
@ -405,9 +405,12 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.124.21"]; ip4.addr = "10.243.124.21";
addrs6 = ["42:9898:a8be:ce56:0ee3:b99c:42c5:109e"]; ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [ "heidi.r" "heidi.retiolum" ]; aliases = [
"heidi.r"
"heidi.retiolum"
];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqRLnAJNZ1OoO1bTS58DQgxi1VKgITHIuTW0fVGDvbXnsjPUB3cgx MIIBCgKCAQEAqRLnAJNZ1OoO1bTS58DQgxi1VKgITHIuTW0fVGDvbXnsjPUB3cgx
@ -427,7 +430,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.69.184"]; ip4.addr = "10.243.69.184";
aliases = [ aliases = [
"soundflower.r" "soundflower.r"
]; ];
@ -449,7 +452,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.120.19"]; ip4.addr = "10.243.120.19";
aliases = [ aliases = [
"falk.r" "falk.r"
]; ];
@ -471,8 +474,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 4; cores = 4;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.189.130"]; ip4.addr = "10.243.189.130";
addrs6 = ["42:c64e:011f:9755:31e1:c3e6:73c0:af2d"]; ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d";
aliases = [ aliases = [
"filebitch.r" "filebitch.r"
]; ];
@ -494,8 +497,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.26.29"]; ip4.addr = "10.243.26.29";
addrs6 = ["42:927a:3d59:1cb3:29d6:1a08:78d3:812e"]; ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e";
aliases = [ aliases = [
"excobridge.r" "excobridge.r"
]; ];
@ -517,14 +520,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
internet = { internet = {
addrs4 = ["148.251.47.69"]; ip4.addr = "148.251.47.69";
aliases = [ aliases = [
"wooki.internet" "wooki.internet"
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.57.85"]; ip4.addr = "10.243.57.85";
addrs6 = ["42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"]; ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731";
aliases = [ aliases = [
"wooki.r" "wooki.r"
]; ];
@ -546,8 +549,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.0.163"]; ip4.addr = "10.243.0.163";
addrs6 = ["42:b67b:5752:a730:5f28:d80d:6b37:5bda/128"]; ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda";
aliases = [ aliases = [
"senderechner.r" "senderechner.r"
]; ];
@ -569,14 +572,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1; cores = 1;
nets = { nets = {
internet = { internet = {
addrs4 = ["217.160.206.154"]; ip4.addr = "217.160.206.154";
aliases = [ aliases = [
"muhbaasu.internet" "muhbaasu.internet"
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.139.184"]; ip4.addr = "10.243.139.184";
addrs6 = ["42:d568:6106:ba30:753b:0f2a:8225:b1fb"]; ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb";
aliases = [ aliases = [
"muhbaasu.r" "muhbaasu.r"
]; ];


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.111.112"]; ip4.addr = "10.243.111.112";
addrs6 = ["42:0:0:0:0:0:111:112"]; ip6.addr = "42:0:0:0:0:0:111:112";
aliases = [ aliases = [
"bobby.retiolum" "bobby.retiolum"
"cgit.bobby.retiolum" "cgit.bobby.retiolum"


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.111.111"]; ip4.addr = "10.243.111.111";
addrs6 = ["42:0:0:0:0:0:111:111"]; ip6.addr = "42:0:0:0:0:0:111:111";
aliases = [ aliases = [
"stro.retiolum" "stro.retiolum"
"cgit.stro.retiolum" "cgit.stro.retiolum"


@ -117,28 +117,24 @@ let
} }
''; '';
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
let server {
_extraConfig = if ssl.enable then server_name ${toString server-names};
extraConfig + '' ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
ssl_certificate ${ssl.certificate}; ${optionalString ssl.enable (indent ''
ssl_certificate_key ${ssl.certificate_key}; listen 443 ssl;
${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} ssl_certificate ${ssl.certificate};
ssl_ciphers ${ssl.ciphers}; ssl_certificate_key ${ssl.certificate_key};
ssl_protocols ${toString ssl.protocols}; ${optionalString ssl.prefer_server_ciphers ''
'' ssl_prefer_server_ciphers On;
else ''}
extraConfig ssl_ciphers ${ssl.ciphers};
; ssl_protocols ${toString ssl.protocols};
'')}
in '' ${indent extraConfig}
server { ${indent (concatMapStrings to-location locations)}
${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} }
server_name ${toString server-names}; '';
${indent _extraConfig}
${indent (concatMapStrings to-location locations)}
}
'';
in in
out out
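Review bot: `ssl_certificate_key ${ssl.certificate_key};` in the rewritten `to-server` interpolates the key location into the generated config; if the `ssl.certificate_key` option is a `types.path` (its definition is outside this hunk), a user passing a path literal gets the private key copied into the world-readable Nix store, the same hazard the retiolum module's old comment warns about for its key file. Documenting on the option that the value must be a string naming an on-disk file outside the store (or declaring it `types.str`) avoids that. Also, `listen 443 ssl;` is now a fixed literal inside the `ssl.enable` branch, so a TLS vhost can no longer bind a different port or address; if that is intended, a short comment on the line saves the next reader from re-adding the old `listen ++ optional ssl.enable "443 ssl"` form.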


@ -84,6 +84,14 @@
${pkgs.systemd}/bin/journalctl \ ${pkgs.systemd}/bin/journalctl \
--lines=${toString plan.journalctl.lines} \ --lines=${toString plan.journalctl.lines} \
--output=${plan.journalctl.output} \ --output=${plan.journalctl.output} \
--since="$(
${pkgs.coreutils}/bin/date +'%F %T UTC' -ud "$(
${pkgs.systemd}/bin/systemctl show \
-p ExecMainStartTimestamp \
${shell.escape plan.name} \
| ${pkgs.coreutils}/bin/cut -d= -f2-
)"
)" \
--unit=${shell.escape plan.name}.service --unit=${shell.escape plan.name}.service
} | ${shell.escape cfg.sendmail} -t } | ${shell.escape cfg.sendmail} -t
''; '';
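Review bot: The new `--since="$( … date … -ud "$( systemctl show -p ExecMainStartTimestamp … | cut -d= -f2- )" )"` runs entirely inside nested command substitutions, where a failing `systemctl show` or a value `date` cannot parse (an unset timestamp typically prints empty or `n/a`) is not caught by any `set -e` the surrounding script may have; the argument then collapses to `--since=`, journalctl rejects it, and the failure mail this pipeline exists to send is the one that carries no log. Capturing the timestamp first, e.g. `start=$(systemctl show -p ExecMainStartTimestamp … | cut -d= -f2-)`, and adding `--since` only when it is non-empty and parses keeps the mail useful in exactly the failure case. The enclosing script and its error handling are outside the hunk.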


@ -11,26 +11,13 @@ let
api = { api = {
enable = mkEnableOption "krebs.retiolum"; enable = mkEnableOption "krebs.retiolum";
name = mkOption { host = mkOption {
type = types.str; type = types.host;
default = config.networking.hostName; default = config.krebs.build.host;
# Description stolen from tinc.conf(5).
description = ''
This is the name which identifies this tinc daemon. It must
be unique for the virtual private network this daemon will
connect to. The Name may only consist of alphanumeric and
underscore characters. If Name starts with a $, then the
contents of the environment variable that follows will be
used. In that case, invalid characters will be converted to
underscores. If Name is $HOST, but no such environment
variable exist, the hostname will be read using the
gethostnname() system call This is the name which identifies
the this tinc daemon.
'';
}; };
netname = mkOption { netname = mkOption {
type = types.str; type = types.enum (attrNames cfg.host.nets);
default = "retiolum"; default = "retiolum";
description = '' description = ''
The tinc network name. The tinc network name.
@ -99,17 +86,13 @@ let
description = "Iproute2 package to use."; description = "Iproute2 package to use.";
}; };
privkey = mkOption {
privateKeyFile = mkOption { type = types.secret-file;
# TODO if it's types.path then it gets copied to /nix/store with default = {
# bad unsafe permissions... path = "${cfg.user.home}/tinc.rsa_key.priv";
type = types.str; owner = cfg.user;
default = toString <secrets/retiolum.rsa_key.priv>; source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv";
description = '' };
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to
<secrets/retiolum.rsa_key.priv>.
'';
}; };
connectTo = mkOption { connectTo = mkOption {
@ -126,81 +109,67 @@ let
''; '';
}; };
user = mkOption {
type = types.user;
default = {
name = cfg.netname;
home = "/var/lib/${cfg.user.name}";
};
};
}; };
imp = { imp = {
krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey;
environment.systemPackages = [ tinc iproute ]; environment.systemPackages = [ tinc iproute ];
systemd.services.retiolum = { systemd.services.${cfg.netname} = {
description = "Tinc daemon for Retiolum"; description = "Tinc daemon for Retiolum";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
path = [ tinc iproute ]; path = [ tinc iproute ];
serviceConfig = rec { serviceConfig = rec {
PermissionsStartOnly = "true";
PrivateTmp = "true";
Restart = "always"; Restart = "always";
# TODO we cannot chroot (-R) b/c we use symlinks to hosts ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
# and the private key. SyslogIdentifier = cfg.netname;
ExecStartPre = pkgs.writeScript "retiolum-init" ''
#! /bin/sh
install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv
'';
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
SyslogIdentifier = "retiolum";
}; };
}; };
users.extraUsers = singleton { users.users.${cfg.user.name} = {
inherit (user) name uid; inherit (cfg.user) home name uid;
createHome = true;
}; };
}; };
user = rec { net = cfg.host.nets.${cfg.netname};
name = "retiolum";
uid = genid name;
};
tinc = cfg.tincPackage; tinc = cfg.tincPackage;
iproute = cfg.iproutePackage; iproute = cfg.iproutePackage;
confDir = pkgs.runCommand "retiolum" { confDir = let
# TODO text namePathPair = name: path: { inherit name path; };
executable = true; in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
preferLocalBuild = true; "hosts" = cfg.hostsPackage;
} '' "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
set -euf Name = ${cfg.host.name}
Interface = ${cfg.netname}
mkdir -p $out ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
PrivateKeyFile = ${cfg.privkey.path}
ln -s ${cfg.hostsPackage} $out/hosts ${cfg.extraConfig}
'';
cat > $out/tinc.conf <<EOF "tinc-up" = pkgs.writeScript "${cfg.netname}-tinc-up" ''
Name = ${cfg.name} ${iproute}/sbin/ip link set ${cfg.netname} up
Device = /dev/net/tun ${optionalString (net.ip4 != null) ''
Interface = ${cfg.netname} ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)} ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
PrivateKeyFile = /tmp/retiolum-rsa_key.priv ''}
${cfg.extraConfig} ${optionalString (net.ip6 != null) ''
EOF ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
# source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up ''}
cat > $out/tinc-up <<EOF '';
host=$out/hosts/${cfg.name} });
${iproute}/sbin/ip link set \$INTERFACE up
addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
if [ -n "\$addr4" ];then
${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
fi
addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
EOF
chmod +x $out/tinc-up
'';
in out in out
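Review bot: `requires = [ "secret.service" ]` is added to the `${cfg.netname}` unit but `after` still lists only `network.target`, so systemd may start tincd concurrently with secret.service and `PrivateKeyFile = ${cfg.privkey.path}` can be read before the key has been installed; add the ordering as well, `after = [ "network.target" "secret.service" ];`. The new `privkey` option also lost the description the old `privateKeyFile` carried; a one-sentence description such as `Private key for this tinc network, installed by krebs.secret into the tinc user's home directory.` would keep the option documented. The old recipe installed the key with `-m 0400`; whether `krebs.secret.files` applies an equally restrictive mode is not visible here and should be confirmed, since tinc.conf now points at a path under `${cfg.user.home}`. The `imp` attrset and the surrounding module continue outside this hunk.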


@ -12,8 +12,8 @@ let
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.111.111"]; ip4.addr = "10.243.111.111";
addrs6 = ["42:0:0:0:0:0:0:7357"]; ip6.addr = "42:0:0:0:0:0:0:7357";
aliases = [ aliases = [
"test.r" "test.r"
"test.retiolum" "test.retiolum"
@ -36,7 +36,7 @@ in {
wolf = { wolf = {
nets = { nets = {
shack = { shack = {
addrs4 = [ "10.42.2.150" ]; ip4.addr = "10.42.2.150" ;
aliases = [ aliases = [
"wolf.shack" "wolf.shack"
"graphite.shack" "graphite.shack"
@ -45,8 +45,8 @@ in {
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.77.1"]; ip4.addr = "10.243.77.1";
addrs6 = ["42:0:0:0:0:0:77:1"]; ip6.addr = "42:0:0:0:0:0:77:1";
aliases = [ aliases = [
"wolf.retiolum" "wolf.retiolum"
"cgit.wolf.retiolum" "cgit.wolf.retiolum"


@ -13,15 +13,15 @@ with config.krebs.lib;
# TODO generate krebsco.de zone from nets and don't use extraZones at all # TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = '' "krebsco.de" = ''
krebsco.de. 60 IN MX 5 mx23 krebsco.de. 60 IN MX 5 mx23
mx23 60 IN A ${elemAt nets.internet.addrs4 0} mx23 60 IN A ${nets.internet.ip4.addr}
cd 60 IN A ${elemAt nets.internet.addrs4 0} cd 60 IN A ${nets.internet.ip4.addr}
cgit 60 IN A ${elemAt nets.internet.addrs4 0} cgit 60 IN A ${nets.internet.ip4.addr}
cgit.cd 60 IN A ${elemAt nets.internet.addrs4 0} cgit.cd 60 IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["162.219.7.216"]; ip4.addr = "45.62.237.203";
aliases = [ aliases = [
"cd.i" "cd.i"
"cd.internet" "cd.internet"
@ -34,8 +34,8 @@ with config.krebs.lib;
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.113.222"]; ip4.addr = "10.243.113.222";
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af3";
aliases = [ aliases = [
"cd.r" "cd.r"
"cd.retiolum" "cd.retiolum"
@ -66,7 +66,7 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["104.167.114.142"]; ip4.addr = "104.167.114.142";
aliases = [ aliases = [
"mkdir.i" "mkdir.i"
"mkdir.internet" "mkdir.internet"
@ -74,8 +74,8 @@ with config.krebs.lib;
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.113.223"]; ip4.addr = "10.243.113.223";
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af4";
aliases = [ aliases = [
"mkdir.r" "mkdir.r"
"mkdir.retiolum" "mkdir.retiolum"
@ -101,12 +101,12 @@ with config.krebs.lib;
extraZones = { extraZones = {
# TODO generate krebsco.de zone from nets and don't use extraZones at all # TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = '' "krebsco.de" = ''
ire 60 IN A ${elemAt nets.internet.addrs4 0} ire 60 IN A ${nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["198.147.22.115"]; ip4.addr = "198.147.22.115";
aliases = [ aliases = [
"ire.i" "ire.i"
"ire.internet" "ire.internet"
@ -116,8 +116,8 @@ with config.krebs.lib;
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.231.66"]; ip4.addr = "10.243.231.66";
addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"]; ip6.addr = "42:b912:0f42:a82d:0d27:8610:e89b:490c";
aliases = [ aliases = [
"ire.r" "ire.r"
"ire.retiolum" "ire.retiolum"
@ -140,7 +140,7 @@ with config.krebs.lib;
kaepsele = { kaepsele = {
nets = { nets = {
internet = { internet = {
addrs4 = ["92.222.10.169"]; ip4.addr = "92.222.10.169";
aliases = [ aliases = [
"kaepsele.i" "kaepsele.i"
"kaepsele.internet" "kaepsele.internet"
@ -148,8 +148,8 @@ with config.krebs.lib;
]; ];
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.166.2"]; ip4.addr = "10.243.166.2";
addrs6 = ["42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d"]; ip6.addr = "42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d";
aliases = [ aliases = [
"kaepsele.r" "kaepsele.r"
"kaepsele.retiolum" "kaepsele.retiolum"
@ -172,8 +172,8 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
retiolum = { retiolum = {
addrs4 = ["10.243.20.1"]; ip4.addr = "10.243.20.1";
addrs6 = ["42:0:0:0:0:0:0:2001"]; ip6.addr = "42:0:0:0:0:0:0:2001";
aliases = [ aliases = [
"mu.r" "mu.r"
"mu.retiolum" "mu.retiolum"
@ -197,13 +197,13 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = rec { nets = rec {
gg23 = { gg23 = {
addrs4 = ["10.23.1.110"]; ip4.addr = "10.23.1.110";
aliases = ["nomic.gg23"]; aliases = ["nomic.gg23"];
ssh.port = 11423; ssh.port = 11423;
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.0.110"]; ip4.addr = "10.243.0.110";
addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; ip6.addr = "42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec";
aliases = [ aliases = [
"nomic.r" "nomic.r"
"nomic.retiolum" "nomic.retiolum"
@ -229,7 +229,7 @@ with config.krebs.lib;
ok = { ok = {
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.1"]; ip4.addr = "10.23.1.1";
aliases = ["ok.gg23"]; aliases = ["ok.gg23"];
}; };
}; };
@ -238,7 +238,7 @@ with config.krebs.lib;
cores = 1; cores = 1;
nets = rec { nets = rec {
internet = { internet = {
addrs4 = ["167.88.34.182"]; ip4.addr = "167.88.34.182";
aliases = [ aliases = [
"rmdir.i" "rmdir.i"
"rmdir.internet" "rmdir.internet"
@ -246,8 +246,8 @@ with config.krebs.lib;
}; };
retiolum = { retiolum = {
via = internet; via = internet;
addrs4 = ["10.243.113.224"]; ip4.addr = "10.243.113.224";
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";
aliases = [ aliases = [
"rmdir.r" "rmdir.r"
"rmdir.retiolum" "rmdir.retiolum"
@ -272,7 +272,7 @@ with config.krebs.lib;
schnabeldrucker = { schnabeldrucker = {
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.21"]; ip4.addr = "10.23.1.21";
aliases = ["schnabeldrucker.gg23"]; aliases = ["schnabeldrucker.gg23"];
}; };
}; };
@ -280,7 +280,7 @@ with config.krebs.lib;
schnabelscanner = { schnabelscanner = {
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.22"]; ip4.addr = "10.23.1.22";
aliases = ["schnabelscanner.gg23"]; aliases = ["schnabelscanner.gg23"];
}; };
}; };
@ -289,7 +289,7 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.37"]; ip4.addr = "10.23.1.37";
aliases = [ aliases = [
"wu.gg23" "wu.gg23"
"cache.wu.gg23" "cache.wu.gg23"
@ -297,8 +297,8 @@ with config.krebs.lib;
ssh.port = 11423; ssh.port = 11423;
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.13.37"]; ip4.addr = "10.243.13.37";
addrs6 = ["42:0:0:0:0:0:0:1337"]; ip6.addr = "42:0:0:0:0:0:0:1337";
aliases = [ aliases = [
"wu.r" "wu.r"
"wu.retiolum" "wu.retiolum"
@ -325,13 +325,13 @@ with config.krebs.lib;
cores = 4; cores = 4;
nets = { nets = {
gg23 = { gg23 = {
addrs4 = ["10.23.1.38"]; ip4.addr = "10.23.1.38";
aliases = ["xu.gg23"]; aliases = ["xu.gg23"];
ssh.port = 11423; ssh.port = 11423;
}; };
retiolum = { retiolum = {
addrs4 = ["10.243.13.38"]; ip4.addr = "10.243.13.38";
addrs6 = ["42:0:0:0:0:0:0:1338"]; ip6.addr = "42:0:0:0:0:0:0:1338";
aliases = [ aliases = [
"xu.r" "xu.r"
"xu.retiolum" "xu.retiolum"
@ -355,13 +355,14 @@ with config.krebs.lib;
}; };
users = rec { users = rec {
mv = { mv = {
mail = "mv@cd.retiolum"; mail = "mv@cd.r";
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";
}; };
tv = { tv = {
mail = "tv@nomic.retiolum"; mail = "tv@nomic.r";
pgp.pubkeys.default = '' pgp.pubkeys.default = ''
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFbJ/B0BEADZx8l5gRurzhEHcc3PbBepdZqDJQZ2cGHixi8VEk9iN25qJO5y mQINBFbJ/B0BEADZx8l5gRurzhEHcc3PbBepdZqDJQZ2cGHixi8VEk9iN25qJO5y
HB0q5sQRsh7oNCbzKp6qRhaG9kXmEda+Uu+qbHWxE32QcT76+W8npH73qthaFwC/ HB0q5sQRsh7oNCbzKp6qRhaG9kXmEda+Uu+qbHWxE32QcT76+W8npH73qthaFwC/
5RA8KcSE8/XFxVBnVb14PNVHyAVxPHawawbhsOeaiZcHrq5IF6sVzcsc2KN87sIE 5RA8KcSE8/XFxVBnVb14PNVHyAVxPHawawbhsOeaiZcHrq5IF6sVzcsc2KN87sIE


@ -63,34 +63,62 @@ types // rec {
net = submodule ({ config, ... }: { net = submodule ({ config, ... }: {
options = { options = {
name = mkOption {
type = label;
default = config._module.args.name;
};
via = mkOption { via = mkOption {
type = nullOr net; type = nullOr net;
default = null; default = null;
}; };
addrs = mkOption { addrs = mkOption {
type = listOf addr; type = listOf addr;
default = config.addrs4 ++ config.addrs6; default =
# TODO only default addrs make sense optional (config.ip4 != null) config.ip4.addr ++
}; optional (config.ip6 != null) config.ip6.addr;
addrs4 = mkOption { readOnly = true;
type = listOf addr4;
default = [];
};
addrs6 = mkOption {
type = listOf addr6;
default = [];
}; };
aliases = mkOption { aliases = mkOption {
# TODO nonEmptyListOf hostname # TODO nonEmptyListOf hostname
type = listOf hostname; type = listOf hostname;
default = []; default = [];
}; };
ip4 = mkOption {
type = nullOr (submodule {
options = {
addr = mkOption {
type = addr4;
};
prefix = mkOption ({
type = str; # TODO routing prefix (CIDR)
} // optionalAttrs (config.name == "retiolum") {
default = "10.243.0.0/16";
});
};
});
default = null;
};
ip6 = mkOption {
type = nullOr (submodule {
options = {
addr = mkOption {
type = addr6;
};
prefix = mkOption ({
type = str; # TODO routing prefix (CIDR)
} // optionalAttrs (config.name == "retiolum") {
default = "42::/16";
});
};
});
default = null;
};
ssh = mkOption { ssh = mkOption {
type = submodule { type = submodule {
options = { options = {
port = mkOption { port = mkOption {
type = nullOr int; type = int;
default = null; default = 22;
}; };
}; };
}; };
@ -185,6 +213,18 @@ types // rec {
}; };
}; };
}); });
group = submodule ({ config, ... }: {
options = {
name = mkOption {
type = username;
default = config._module.args.name;
};
gid = mkOption {
type = int;
default = genid config.name;
};
};
});
addr = either addr4 addr6; addr = either addr4 addr6;
addr4 = mkOptionType { addr4 = mkOptionType {
@ -192,10 +232,17 @@ types // rec {
check = let check = let
IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in
concatMapStringsSep "." (const d) (range 1 4); concatMapStringsSep "." (const d) (range 1 4);
in x: match IPv4address != null; in x: match IPv4address x != null;
merge = mergeOneOption;
};
addr6 = mkOptionType {
name = "IPv6 address";
check = let
# TODO check IPv6 address harder
IPv6address = "[0-9a-f.:]+";
in x: match IPv6address x != null;
merge = mergeOneOption; merge = mergeOneOption;
}; };
addr6 = str; # TODO
pgp-pubkey = str; pgp-pubkey = str;
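Review bot: The new `addr6` check `IPv6address = "[0-9a-f.:]+";` rejects uppercase hex digits, so an address written with `A`–`F` fails the type check although it is a valid IPv6 literal; `IPv6address = "[0-9a-fA-F.:]+";` avoids that without changing anything else. As the TODO already notes, the pattern also accepts strings without any hex digit (`::::`), and since the value is interpolated into `ip -6 addr add` in tinc-up and into charybdis' `vhost6`, a malformed entry only surfaces at service start rather than at evaluation time. The addr4 fix (`match IPv4address x`) is correct and needs no change.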


@ -56,6 +56,14 @@ rec {
''; '';
}; };
writeEximConfig = name: text: pkgs.runCommand name {
inherit text;
passAsFile = [ "text" ];
} ''
${pkgs.exim}/bin/exim -C "$textPath" -bV >/dev/null
mv "$textPath" $out
'';
writeNixFromCabal = name: path: pkgs.runCommand name {} '' writeNixFromCabal = name: path: pkgs.runCommand name {} ''
${pkgs.cabal2nix}/bin/cabal2nix ${path} > $out ${pkgs.cabal2nix}/bin/cabal2nix ${path} > $out
''; '';
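Review bot: `writeEximConfig` validates the generated configuration with `exim -C "$textPath" -bV` before moving it to `$out`, which is a good build-time guard, but nothing in the builder says so and the `>/dev/null` looks accidental; a comment such as `# -bV parses and syntax-checks the configuration, so a broken config fails the build instead of the running daemon` would make the intent clear. Note that `-bV` is a static check only: problems with files the configuration references at runtime still appear only when the service starts.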


@ -14,7 +14,12 @@ with config.krebs.lib;
then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
else override; else override;
in { in {}
// import ./builders.nix args
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir.has-default-nix)
(subdirsOf ./.))
// {
haskellPackages = pkgs.haskellPackages.override { haskellPackages = pkgs.haskellPackages.override {
overrides = self: super: overrides = self: super:
mapAttrs (name: path: self.callPackage path {}) mapAttrs (name: path: self.callPackage path {})
@ -29,18 +34,10 @@ with config.krebs.lib;
(builtins.readDir ./haskell-overrides)); (builtins.readDir ./haskell-overrides));
}; };
push = callPackage ./push {
inherit (subdirs) get;
};
ReaktorPlugins = callPackage ./Reaktor/plugins.nix {}; ReaktorPlugins = callPackage ./Reaktor/plugins.nix {};
test = { test = {
infest-cac-centos7 = callPackage ./test/infest-cac-centos7 {}; infest-cac-centos7 = callPackage ./test/infest-cac-centos7 {};
}; };
} };
// import ./builders.nix args
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir.has-default-nix)
(subdirsOf ./.));
} }
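Review bot: Reordering the `//` chain changes precedence: `//` keeps the right-hand operand on key clashes, so the explicitly listed attributes (`haskellPackages`, `ReaktorPlugins`, `test`) now override same-named results from `builders.nix` and `subdirsOf ./.`, whereas before the auto-discovered set won. If that is intended a comment makes it explicit, e.g. `# explicit definitions below take precedence over auto-discovered subdirectories`. The leading `in {}` is redundant; the chain can start with `import ./builders.nix args`. The `let` bindings this relies on (`dir`, `subdirsOf`, `callPackage`) are outside the hunk.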


@ -2,9 +2,8 @@
let let
inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway;
inherit (lib) head;
ip = (head config.krebs.build.host.nets.internet.addrs4); ip = config.krebs.build.host.nets.internet.ip4.addr;
in { in {
imports = [ imports = [
../. ../.


@ -2,9 +2,8 @@
let let
inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway;
inherit (lib) head;
ip = (head config.krebs.build.host.nets.internet.addrs4); ip = config.krebs.build.host.nets.internet.ip4.addr;
in { in {
imports = [ imports = [
../. ../.


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib) head; ip = config.krebs.build.host.nets.internet.ip4.addr;
ip = (head config.krebs.build.host.nets.internet.addrs4);
in { in {
imports = [ imports = [
../. ../.


@ -1,8 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
let let
r_ip = (head config.krebs.build.host.nets.retiolum.addrs4); r_ip = config.krebs.build.host.nets.retiolum.ip4.addr;
inherit (lib) head;
in { in {
imports = [ imports = [


@ -54,7 +54,7 @@ let
user = config.services.nginx.user; user = config.services.nginx.user;
group = config.services.nginx.group; group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
imp = { imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: { krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {


@ -2,8 +2,8 @@
with config.krebs.lib; with config.krebs.lib;
let let
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in { in {
imports = [ imports = [
../. ../.


@ -3,8 +3,8 @@
with config.krebs.lib; with config.krebs.lib;
let let
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in { in {
imports = [ imports = [
../. ../.


@ -3,7 +3,7 @@
with config.krebs.lib; with config.krebs.lib;
let let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock"; wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock";
in { in {
services.redis.enable = true; services.redis.enable = true;


@ -10,7 +10,7 @@ in {
enable = true; enable = true;
domain = domain; domain = domain;
ip = "172.16.10.1/24"; ip = "172.16.10.1/24";
extraConfig = "-P ${pw} -l ${pkgs.lib.head config.krebs.build.host.nets.internet.addrs4}"; extraConfig = "-P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
}; };
} }


@ -8,8 +8,8 @@ let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
user = config.services.nginx.user; user = config.services.nginx.user;
group = config.services.nginx.group; group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
base-dir = "/var/www/blog.euer"; base-dir = "/var/www/blog.euer";
in { in {
# Prepare Blog directory # Prepare Blog directory


@ -5,8 +5,8 @@ let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
user = config.services.nginx.user; user = config.services.nginx.user;
group = config.services.nginx.group; group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in { in {
krebs.nginx = { krebs.nginx = {
enable = mkDefault true; enable = mkDefault true;


@ -18,8 +18,8 @@ let
# user1 = pass1 # user1 = pass1
# userN = passN # userN = passN
tw-pass-file = "${sec}/tw-pass.ini"; tw-pass-file = "${sec}/tw-pass.ini";
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in { in {
services.phpfpm = { services.phpfpm = {
# phpfpm does not have an enable option # phpfpm does not have an enable option


@ -3,7 +3,7 @@
with config.krebs.lib; with config.krebs.lib;
let let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
external-ip = head config.krebs.build.host.nets.internet.addrs4; external-ip = config.krebs.build.host.nets.internet.ip4.addr;
in { in {
krebs.nginx = { krebs.nginx = {
enable = mkDefault true; enable = mkDefault true;


@ -5,7 +5,7 @@ let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
# TODO local-ip from the nets config # TODO local-ip from the nets config
local-ip = "192.168.1.11"; local-ip = "192.168.1.11";
# local-ip = head config.krebs.build.host.nets.retiolum.addrs4; # local-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in { in {
krebs.nginx = { krebs.nginx = {
enable = mkDefault true; enable = mkDefault true;


@ -19,10 +19,11 @@ in {
username = "lol"; username = "lol";
password = "wut"; password = "wut";
}; };
exim-retiolum = { # XXX exim-retiolum and exim-smarthost are mutually exclusive
enable = true; #exim-retiolum = {
primary_hostname = "test.r"; # enable = true;
}; # primary_hostname = "test.r";
#};
exim-smarthost = { exim-smarthost = {
enable = true; enable = true;
primary_hostname = "test.r"; primary_hostname = "test.r";
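Review bot: The new `# XXX exim-retiolum and exim-smarthost are mutually exclusive` comment records a constraint nothing enforces; presumably enabling both still evaluates and only fails at activation. If the two modules really cannot coexist, an `assertions` entry in the exim modules, for instance `assertion = !(config.krebs.exim-retiolum.enable && config.krebs.exim-smarthost.enable);`, turns the comment into an evaluation-time check; those modules are not part of this diff.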


@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
shack-ip = lib.head config.krebs.build.host.nets.shack.addrs4; shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
internal-ip = lib.head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in in
{ {
imports = [ imports = [


@ -61,16 +61,16 @@ with config.krebs.lib;
} }
]; ];
networking.interfaces.enp2s1.ip4 = [ networking = {
{ interfaces.enp2s1.ip4 = singleton {
address = "162.219.7.216"; address = let
addr = "45.62.237.203";
in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr;
prefixLength = 24; prefixLength = 24;
} };
]; defaultGateway = "45.62.237.1";
networking.defaultGateway = "162.219.7.1"; nameservers = ["8.8.8.8"];
networking.nameservers = [ };
"8.8.8.8"
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
htop htop
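Review bot: `address = let addr = "45.62.237.203"; in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr;` repeats the address from the host database and asserts the two agree; that is a deliberate cross-check but reads like an oversight without a comment, e.g. `# pinned on purpose: fail evaluation if the host database and this machine config disagree`. `defaultGateway = "45.62.237.1"` has no such check and will silently go stale when the address changes again. The `networking` attrset is fully visible; the rest of the module is not.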


@ -7,12 +7,7 @@ let
getDefaultGateway = ip: getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr;
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in in
{ {
@ -55,10 +50,6 @@ in
address = primary-addr4; address = primary-addr4;
prefixLength = 24; prefixLength = 24;
} }
#{
# address = secondary-addr4;
# prefixLength = 24;
#}
]; ];
# TODO define gateway in krebs/3modules/default.nix # TODO define gateway in krebs/3modules/default.nix


@ -7,12 +7,7 @@ let
getDefaultGateway = ip: getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr;
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in in
{ {


@ -183,7 +183,5 @@ with config.krebs.lib;
KERNEL=="hpet", GROUP="audio" KERNEL=="hpet", GROUP="audio"
''; '';
services.tor.client.enable = true;
services.tor.enable = true;
services.virtualboxHost.enable = true; services.virtualboxHost.enable = true;
} }


@ -4,9 +4,5 @@ with config.krebs.lib;
{ {
krebs.exim-retiolum.enable = true; krebs.exim-retiolum.enable = true;
krebs.setuid.sendmail = {
filename = "${pkgs.exim}/bin/exim";
mode = "4111";
};
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
} }


@ -13,7 +13,7 @@ with config.krebs.lib;
"shackspace.de" "shackspace.de"
"viljetic.de" "viljetic.de"
]; ];
relay_from_hosts = concatMap (host: host.nets.retiolum.addrs4) [ relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
config.krebs.hosts.nomic config.krebs.hosts.nomic
config.krebs.hosts.wu config.krebs.hosts.wu
config.krebs.hosts.xu config.krebs.hosts.xu
@ -43,9 +43,5 @@ with config.krebs.lib;
{ from = "mirko"; to = "mv"; } { from = "mirko"; to = "mv"; }
]; ];
}; };
krebs.setuid.sendmail = {
filename = "${pkgs.exim}/bin/exim";
mode = "4111";
};
tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
} }


@ -71,13 +71,13 @@ let
make-public-repo = name: { desc ? null, section ? null, ... }: { make-public-repo = name: { desc ? null, section ? null, ... }: {
inherit name desc section; inherit name desc section;
public = true; public = true;
hooks = { hooks = optionalAttrs (config.krebs.build.host.name == "cd") {
post-receive = pkgs.git-hooks.irc-announce { post-receive = pkgs.git-hooks.irc-announce {
# TODO make nick = config.krebs.build.host.name the default # TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name; nick = config.krebs.build.host.name;
channel = "#retiolum"; channel = "#retiolum";
server = "cd.retiolum"; server = "cd.retiolum";
verbose = config.krebs.build.host.name == "cd"; verbose = true;
}; };
}; };
}; };


@ -56,9 +56,9 @@ in toFile "charybdis.conf" ''
/* On multi-homed hosts you may need the following. These define /* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */ * the addresses we connect from to other servers. */
/* for IPv4 */ /* for IPv4 */
vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
/* for IPv6 */ /* for IPv6 */
vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */ /* ssl_private_key: our ssl private key */
ssl_private_key = ${toJSON cfg.ssl_private_key.path}; ssl_private_key = ${toJSON cfg.ssl_private_key.path};
@ -160,10 +160,7 @@ in toFile "charybdis.conf" ''
/* If you want to listen on a specific IP only, specify host. /* If you want to listen on a specific IP only, specify host.
* host definitions apply only to the following port line. * host definitions apply only to the following port line.
*/ */
# XXX This is stupid because only one host is allowed[?] #host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
#host = ''${concatMapStringsSep ", " toJSON (
# config.krebs.build.host.nets.retiolum.addrs
#)};
port = ${toString cfg.port}; port = ${toString cfg.port};
sslport = ${toString cfg.sslport}; sslport = ${toString cfg.sslport};
}; };
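Review bot: `vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};` dereferences `ip6.addr` unconditionally, but `ip6` is declared `nullOr` with `default = null` in the net type elsewhere in this commit, so a host without an IPv6 retiolum address now fails evaluation where the old `addrs6` default of `[]` produced an empty `vhost6`; `vhost` and `ip4` have the same issue. Wrap each line in `optionalString (config.krebs.build.host.nets.retiolum.ip6 != null) ''...''` (or guard the `ip4` line likewise) so the config still evaluates for single-stack hosts. The commented `#host =` line in the second hunk carries the same dereference but is inert. The `charybdis.conf` string continues outside the hunk.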