From 24330950fe2bd31056e3ae1d58c1965c8a736f1f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:11:02 +0100 Subject: [PATCH 01/13] wirelum -> wiregrill --- krebs/3modules/lass/default.nix | 18 ++++++------ lass/1systems/prism/config.nix | 6 ++-- lass/2configs/blue.nix | 4 +-- lass/2configs/default.nix | 2 +- lass/2configs/wiregrill.nix | 44 ++++++++++++++++++++++++++++ lass/2configs/wirelum.nix | 44 ---------------------------- lass/5pkgs/l-gen-secrets/default.nix | 8 ++--- lib/krebs/genipv6.nix | 4 +-- 8 files changed, 65 insertions(+), 65 deletions(-) create mode 100644 lass/2configs/wiregrill.nix delete mode 100644 lass/2configs/wirelum.nix diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 1eac198fa..1117dc61c 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -8,7 +8,7 @@ with import ; }; r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; - w6 = ip: (krebs.genipv6 "wirelum" "lass" ip).address; + w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; in { dns.providers = { @@ -89,7 +89,7 @@ in { -----END RSA PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { via = internet; ip4.addr = "10.244.1.1"; ip6.addr = w6 "1"; @@ -191,7 +191,7 @@ in { -----END RSA PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "dea7"; aliases = [ "mors.w" @@ -224,7 +224,7 @@ in { -----END RSA PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "50da"; aliases = [ "shodan.w" @@ -257,7 +257,7 @@ in { -----END RSA PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "1205"; aliases = [ "icarus.w" @@ -419,7 +419,7 @@ in { -----END PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "3110"; aliases = [ "yellow.w" @@ -456,7 +456,7 @@ in { -----END PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "b1ce"; aliases = [ "blue.w" 
@@ -469,7 +469,7 @@ in { }; phone = { nets = { - wirelum = { + wiregrill = { ip4.addr = "10.244.1.2"; ip6.addr = w6 "a"; aliases = [ @@ -506,7 +506,7 @@ in { -----END RSA PUBLIC KEY----- ''; }; - wirelum = { + wiregrill = { ip6.addr = w6 "012f"; aliases = [ "morpheus.w" diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 962a77cc2..6c454b4ac 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -298,15 +298,15 @@ with import ; } { imports = [ - + ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = [ - { precedence = 1000; predicate = "-i wirelum -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wirelum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; } diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 6dc2b1213..cdd77e847 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -22,9 +22,9 @@ with (import ); krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-i wirelum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} - { predicate = "-i wirelum -p tcp --dport 9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";} ]; systemd.services.chat = let 
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index dea32d4d4..62a42baf9 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -10,7 +10,7 @@ with import ; ./zsh.nix ./htop.nix ./security-workarounds.nix - ./wirelum.nix + ./wiregrill.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix new file mode 100644 index 000000000..b2ee35df3 --- /dev/null +++ b/lass/2configs/wiregrill.nix 
@@ -0,0 +1,44 @@
+with import ;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wiregrill;
+ isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+ { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+ ];
+
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = 51820;
+ privateKeyFile = (toString ) + "/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
+ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
+ else
+ host.nets.wiregrill.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+ publicKey = host.nets.wiregrill.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+}
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
deleted file mode 100644
index cd8a20c6b..000000000
--- a/lass/2configs/wirelum.nix
+++ /dev/null
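Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule a few lines above opens `self.wireguard.port` and every peer dials `host.nets.wiregrill.wireguard.port`, so a host whose declared port ever differs from 51820 ends up with a firewall hole and peer endpoints pointing at a port WireGuard is not bound to; tying them together with `listenPort = self.wireguard.port;` removes the mismatch. The INPUT rule is also unconditional, whereas the FORWARD rule is gated on `isRouter`; if the base krebs.iptables policy already admits established UDP replies, the inbound port only needs opening on routers and could use the same `mkIf isRouter` gate. Finally, the router branch enables only `net.ipv6.conf.all.forwarding` although the net also carries IPv4 addresses (10.244.1.x); if IPv4 forwarding is meant to come from the router's own config, a comment such as `# IPv4 forwarding is expected from the router host's config` would spare the next reader the search.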
@@ -1,44 +0,0 @@ -with import ; -{ config, pkgs, ... }: let - - self = config.krebs.build.host.nets.wirelum; - isRouter = !isNull self.via; - -in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) { - #hack for modprobe inside containers - systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [ - (pkgs.writeDashBin "modprobe" ":") - ]); - - boot.kernel.sysctl = mkIf isRouter { - "net.ipv6.conf.all.forwarding" = 1; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ - { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; } - ]; - - networking.wireguard.interfaces.wirelum = { - ips = - (optional (!isNull self.ip4) self.ip4.addr) ++ - (optional (!isNull self.ip6) self.ip6.addr); - listenPort = 51820; - privateKeyFile = (toString ) + "/wirelum.key"; - allowedIPsAsRoutes = true; - peers = mapAttrsToList - (_: host: { - allowedIPs = if isRouter then - (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++ - (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr) - else - host.nets.wirelum.wireguard.subnets - ; - endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}"); - persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61; - publicKey = host.nets.wirelum.wireguard.pubkey; - }) - (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts); - }; -} diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 5997dca09..85b050644 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix 
@@ -8,8 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" '' ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null - ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wirelum.key - ${pkgs.coreutils}/bin/cat $TMPDIR/wirelum.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wirelum.pub + ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub cat < $TMPDIR/hashedPasswords.nix { root = "$HASHED_PASSWORD"; @@ -37,13 +37,13 @@ pkgs.writeDashBin "l-gen-secrets" '' $(cat $TMPDIR/retiolum.rsa_key.pub) ${"''"}; }; - wirelum = { + wiregrill = { ip6.addr = (wip6 "changeme").address; aliases = [ "$HOSTNAME.w" ]; wireguard.pubkey = ${"''"} - $(cat $TMPDIR/wirelum.pub) + $(cat $TMPDIR/wiregrill.pub) ${"''"}; }; }; diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix index 1d3f398ec..22a23fcef 100644 --- a/lib/krebs/genipv6.nix +++ b/lib/krebs/genipv6.nix @@ -16,12 +16,12 @@ let { normalize-ip6-addr (appendZeros addressLength netPrefix); netHash = toString { retiolum = 0; - wirelum = 1; + wiregrill = 1; }.${netname}; netPrefix = "42:${netHash}"; netPrefixLength = { retiolum = 32; - wirelum = 32; + wiregrill = 32; }.${netname}; inherit subnetname; From bb22dc7475a01b262f4102c9a7b9df96c1ed5708 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:31:57 +0100 Subject: [PATCH 02/13] l littleT: make into blue-host --- lass/1systems/littleT/config.nix | 1 + lass/2configs/blue-host.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index 2f28cc0d6..7fe143c3c 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix 
@@ -6,6 +6,7 @@ with import ; + ]; networking.networkmanager.enable = true; diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 9cf294afd..718a92e9c 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix @@ -7,6 +7,7 @@ let "daedalus" "skynet" "prism" + "littleT" ]; remote_hosts = filter (h: h != config.networking.hostName) all_hosts; From c8943a2c89d2bcefc910f3c2bc588bcf6c1673f2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:33:37 +0100 Subject: [PATCH 03/13] l skynet.r don't fetch wallpaper --- lass/1systems/skynet/config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 13a8b3e41..4b806af7b 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -5,7 +5,6 @@ with import ; - { From e9907ee8a8433904026bf1c54edd7f79ab0c49a3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:34:45 +0100 Subject: [PATCH 04/13] l baseX: add fzfmenu to pkgs --- lass/2configs/baseX.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 859a2a1b9..1b6a1d593 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -64,6 +64,7 @@ in { dic dmenu font-size + fzfmenu gitAndTools.qgit git-preview gnome3.dconf From 8705b4dbc8e8cf0c4e09c114daad3f96026520ab Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:36:13 +0100 Subject: [PATCH 05/13] l domsen: add klabusterbeere --- lass/2configs/websites/domsen.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 4935268a4..ce7df4bfb 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -126,6 +126,7 @@ in { { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "bui@freemonkey.art"; to ="bui"; } + { from = "kontakt@alewis.de"; to ="klabusterbeere"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -204,5 +205,12 @@ in { createHome = true; }; + users.users.klabusterbeere = { + uid = genid_uint31 "klabusterbeere"; + home = "/home/klabusterbeere"; + useDefaultShell = true; + createHome = true; + }; + } From 23562e36190e07f338211541ac3d2cc77ebdbafa Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 17 Dec 2018 09:33:45 +0100 Subject: [PATCH 06/13] l domsen: add alewis.de to sender_domains --- lass/2configs/websites/domsen.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index ce7df4bfb..25dac0ac4 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -135,6 +135,7 @@ in { "jla-trading.com" "ubikmedia.eu" "ubikmedia.de" + "alewis.de" ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; From 6179076fe236f3de9062c6d65d2a286834049e4d Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Dec 2018 17:10:24 +0100 Subject: [PATCH 07/13] tv mu: use /dev/sda for devices, not UUIDs^_^ --- tv/1systems/mu/config.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix index a653ce40d..7820b1a77 100644 --- a/tv/1systems/mu/config.nix +++ b/tv/1systems/mu/config.nix 
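Review bot: the new `klabusterbeere` account is created with `useDefaultShell = true`, yet the only visible use of it is as the delivery target of the `kontakt@alewis.de` alias, i.e. local mailbox delivery; an account that exists to receive mail does not need an interactive shell, so unless a login is intended a nologin shell (e.g. `shell = "${pkgs.shadow}/bin/nologin";`, if `pkgs` is in scope here) is the least-privilege default. The neighbouring accounts follow the same pattern, so if interactive access is deliberate a one-line `# interactive login intended` on the block would make that explicit. The enclosing attribute set starts and ends outside the hunk.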
@@ -13,10 +13,7 @@ with import ; tv.x0vncserver.enable = true; - # hardware configuration - boot.initrd.luks.devices.muca = { - device = "/dev/disk/by-uuid/7b24a931-40b6-44a6-ba22-c805cf164e91"; - }; + boot.initrd.luks.devices.muca.device = "/dev/sda2"; boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ]; boot.initrd.availableKernelModules = [ "ahci" ]; boot.kernelModules = [ "fbcon" "kvm-intel" ]; @@ -34,7 +31,7 @@ with import ; options = [ "defaults" "discard" ]; }; "/boot" = { - device = "/dev/disk/by-uuid/CEB1-9743"; + device = "/dev/sda1"; fsType = "vfat"; }; }; From 8b4428816d1385e1dd5ec9bf0ce44ae0e284130a Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Dec 2018 17:11:31 +0100 Subject: [PATCH 08/13] tv mu: import x220 config --- tv/1systems/mu/config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix index 7820b1a77..be8d90940 100644 --- a/tv/1systems/mu/config.nix +++ b/tv/1systems/mu/config.nix @@ -5,6 +5,11 @@ with import ; + + { + # Override x220.nix as we're using networkmanager here. + networking.wireless.enable = mkForce false; + } ]; From f89f99011d77e53cc0729d2cf735ea2adb45ef22 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 18 Dec 2018 20:39:36 +0100 Subject: [PATCH 09/13] tv: enable networking.wireless in systems --- tv/1systems/alnus/config.nix | 4 ---- tv/1systems/mu/config.nix | 4 ---- tv/1systems/nomic/config.nix | 2 ++ tv/1systems/wu/config.nix | 2 ++ tv/1systems/xu/config.nix | 2 ++ tv/1systems/zu/config.nix | 2 ++ tv/2configs/hw/AO753.nix | 2 -- tv/2configs/hw/x220.nix | 2 -- 8 files changed, 8 insertions(+), 12 deletions(-) diff --git a/tv/1systems/alnus/config.nix b/tv/1systems/alnus/config.nix index 001ad0bc4..949a98b2a 100644 --- a/tv/1systems/alnus/config.nix +++ b/tv/1systems/alnus/config.nix 
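Review bot: `/dev/sda2` and `/dev/sda1` depend on kernel enumeration order, so a USB stick or second disk present at boot can shift the names; for the LUKS device that only means the unlock prompt targets the wrong block device, but for `/boot` it means a bootloader install can write into whichever disk happened to enumerate first. If the goal is to avoid UUIDs that change on reformat, `/dev/disk/by-id/…-part2` (or a `/dev/disk/by-partlabel/…` name) is stable across enumeration while still independent of the filesystem, e.g. `boot.initrd.luks.devices.muca.device = "/dev/disk/by-id/…-part2";`. Both hunks sit inside a larger attribute set that continues outside the diff.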
@@ -8,10 +8,6 @@ with import ; ]; - # TODO remove non-hardware stuff from ../2configs/hw/x220.nix - # networking.wireless.enable collides with networkmanager - networking.wireless.enable = mkForce false; - boot = { initrd = { availableKernelModules = [ "ahci" ]; diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix index be8d90940..f1cd7d673 100644 --- a/tv/1systems/mu/config.nix +++ b/tv/1systems/mu/config.nix @@ -6,10 +6,6 @@ with import ; - { - # Override x220.nix as we're using networkmanager here. - networking.wireless.enable = mkForce false; - } ]; diff --git a/tv/1systems/nomic/config.nix b/tv/1systems/nomic/config.nix index 996a5e7ec..a89f07e8a 100644 --- a/tv/1systems/nomic/config.nix +++ b/tv/1systems/nomic/config.nix @@ -64,4 +64,6 @@ with import ; gnupg tmux ]; + + networking.wireless.enable = true; } diff --git a/tv/1systems/wu/config.nix b/tv/1systems/wu/config.nix index 17eeff5da..4c491d65b 100644 --- a/tv/1systems/wu/config.nix +++ b/tv/1systems/wu/config.nix @@ -41,6 +41,8 @@ with import ; }; }; + networking.wireless.enable = true; + services.printing.enable = true; services.udev.extraRules = '' diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix index 5421cab92..b9c76cf49 100644 --- a/tv/1systems/xu/config.nix +++ b/tv/1systems/xu/config.nix @@ -147,6 +147,8 @@ with import ; gptfdisk ]; + networking.wireless.enable = true; + #services.bitlbee.enable = true; #services.tor.client.enable = true; #services.tor.enable = true; diff --git a/tv/1systems/zu/config.nix b/tv/1systems/zu/config.nix index 414d2f226..bbfcfafc1 100644 --- a/tv/1systems/zu/config.nix +++ b/tv/1systems/zu/config.nix @@ -44,6 +44,8 @@ with import ; }; }; + networking.wireless.enable = true; + services.printing.enable = true; #services.bitlbee.enable = true; diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index 8625078da..4df5e097a 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix 
@@ -25,8 +25,6 @@ with import ; config.boot.kernelPackages.broadcom_sta ]; - networking.wireless.enable = true; - nix = { buildCores = 2; maxJobs = 2; diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index 38a89cfc3..35e7d8941 100644 --- a/tv/2configs/hw/x220.nix +++ b/tv/2configs/hw/x220.nix @@ -26,8 +26,6 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.wireless.enable = true; - # Required for Centrino. hardware.enableRedistributableFirmware = true; From f7e0cdbc142ad38e435c9d24a7098714b5d2c473 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 18 Dec 2018 21:17:29 +0100 Subject: [PATCH 10/13] lass prism: set wiregrill subnets explicitly --- krebs/3modules/lass/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 1117dc61c..9d1d56ad3 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -98,7 +98,11 @@ in { ]; wireguard = { pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk="; - subnets = [ "10.244.1.0/24" "42:1::/32" ]; + subnets = [ + "10.244.1.0/24" + (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR + (krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR + ]; }; }; }; From 0b57526d4fabfd40cd1f0bd5ba7bca301c7288d3 Mon Sep 17 00:00:00 2001 
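Review bot: `wireguard.subnets` on prism is what every non-router wiregrill peer installs as `allowedIPs` for prism (wiregrill.nix takes `host.nets.wiregrill.wireguard.subnets` in the non-router branch with `allowedIPsAsRoutes = true`), so each entry both authorises prism to source traffic from that range and adds a route towards it on every client; that dual effect deserves a comment on the list, e.g. `# advertised to non-router peers as AllowedIPs (and routes) for prism`. Replacing the blanket `42:1::/32` with the `external` and `lass` subnets is a welcome tightening of the cryptokey routing. Note that tv's subnet is not listed, which appears consistent with the tv router declaring its own subnet in the following patch, but it presumably means lass clients will not reach tv's wiregrill hosts through prism unless a route comes from elsewhere.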
From: tv Date: Tue, 18 Dec 2018 21:05:51 +0100 Subject: [PATCH 11/13] tv: configure the wiregrill --- krebs/3modules/tv/default.nix | 33 +++++++++++++++++++++----- krebs/3modules/tv/wiregrill/alnus.pub | 1 + krebs/3modules/tv/wiregrill/mu.pub | 1 + krebs/3modules/tv/wiregrill/ni.pub | 1 + krebs/3modules/tv/wiregrill/nomic.pub | 1 + krebs/3modules/tv/wiregrill/querel.pub | 1 + krebs/3modules/tv/wiregrill/wu.pub | 1 + krebs/3modules/tv/wiregrill/xu.pub | 1 + krebs/3modules/tv/wiregrill/zu.pub | 1 + 9 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 krebs/3modules/tv/wiregrill/alnus.pub create mode 100644 krebs/3modules/tv/wiregrill/mu.pub create mode 100644 krebs/3modules/tv/wiregrill/ni.pub create mode 100644 krebs/3modules/tv/wiregrill/nomic.pub create mode 100644 krebs/3modules/tv/wiregrill/querel.pub create mode 100644 krebs/3modules/tv/wiregrill/wu.pub create mode 100644 krebs/3modules/tv/wiregrill/xu.pub create mode 100644 krebs/3modules/tv/wiregrill/zu.pub diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 0683492bc..a20801b12 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix 
@@ -1,12 +1,30 @@
 with import ;
 { config, ... }: let
- hostDefaults = hostName: host: flip recursiveUpdate host ({
- owner = config.krebs.users.tv;
- } // optionalAttrs (host.nets?retiolum) {
- nets.retiolum.ip6.addr =
- (krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
- });
+ hostDefaults = hostName: host: foldl' recursiveUpdate {} [
+ {
+ owner = config.krebs.users.tv;
+ }
+ (optionalAttrs (host.nets?retiolum) {
+ nets.retiolum = {
+ ip6.addr =
+ (krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
+ };
+ })
+ (let
+ pubkey-path = ./wiregrill + "/${hostName}.pub";
+ in optionalAttrs (pathExists pubkey-path) {
+ nets.wiregrill = {
+ aliases = [
+ "${hostName}.w"
+ ];
+ ip6.addr =
+ (krebs.genipv6 "wiregrill" "tv" { inherit hostName; }).address;
+ wireguard.pubkey = readFile pubkey-path;
+ };
+ })
+ host
+ ];
 in {
 dns.providers = {
@@ -103,6 +121,9 @@ in {
 -----END RSA PUBLIC KEY-----
 '';
 };
+ wiregrill.wireguard.subnets = [
+ (krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
+ ];
 };
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
 };
diff --git a/krebs/3modules/tv/wiregrill/alnus.pub b/krebs/3modules/tv/wiregrill/alnus.pub
new file mode 100644
index 000000000..de85e54da
--- /dev/null
+++ b/krebs/3modules/tv/wiregrill/alnus.pub
@@ -0,0 +1 @@
+w7+6kMf1P3Ka0kXXY4CCbr80TrWPYpe/zd13yuvz9SE=
diff --git a/krebs/3modules/tv/wiregrill/mu.pub b/krebs/3modules/tv/wiregrill/mu.pub
new file mode 100644
index 000000000..18edc8986
--- /dev/null
+++ b/krebs/3modules/tv/wiregrill/mu.pub
@@ -0,0 +1 @@
+4bboT+cZM1BYvNho9oKbO0MFnPFTvmASR+1IdV4/fwQ=
diff --git a/krebs/3modules/tv/wiregrill/ni.pub b/krebs/3modules/tv/wiregrill/ni.pub
new file mode 100644
index 000000000..257b29833
--- /dev/null
+++ b/krebs/3modules/tv/wiregrill/ni.pub
@@ -0,0 +1 @@
+KiIiwkuin+E4FXqFajJjnoGKkHW3H3FzIx5EQrF1+lw=
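Review bot: `wireguard.pubkey = readFile pubkey-path;` carries the trailing newline of the `.pub` files into the host record, which is exactly what the last patch of this series then has to strip on the lass consumer side; normalising at the source, `wireguard.pubkey = fileContents pubkey-path;` (or `removeSuffix "\n" (readFile pubkey-path)` if this lib does not provide `fileContents`), protects every consumer of the record rather than one. Placing `host` last in the `foldl' recursiveUpdate` list is the right order, since an explicit per-host value then wins over the generated defaults, but the precedence is easy to misread and merits a comment such as `# explicit host attributes override the generated defaults`. The `pathExists` gate also means a misnamed or missing `.pub` file silently leaves that host off the wiregrill net instead of failing evaluation, which is acceptable but worth stating in a comment next to it. The `let` this hunk edits continues outside the hunk.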
diff --git a/krebs/3modules/tv/wiregrill/nomic.pub b/krebs/3modules/tv/wiregrill/nomic.pub new file mode 100644 index 000000000..be9c94be6 --- /dev/null +++ b/krebs/3modules/tv/wiregrill/nomic.pub @@ -0,0 +1 @@ +UgvgarDtuSvbciNx5SU2NDbctb9/OTQ9Kr8H/O3931A= diff --git a/krebs/3modules/tv/wiregrill/querel.pub b/krebs/3modules/tv/wiregrill/querel.pub new file mode 100644 index 000000000..2273cf99d --- /dev/null +++ b/krebs/3modules/tv/wiregrill/querel.pub @@ -0,0 +1 @@ +sxaqrsqcDgdM3+QH6mxzqDs3SLWgm7J8AytpIbRZ2n0= diff --git a/krebs/3modules/tv/wiregrill/wu.pub b/krebs/3modules/tv/wiregrill/wu.pub new file mode 100644 index 000000000..0d25d9de9 --- /dev/null +++ b/krebs/3modules/tv/wiregrill/wu.pub @@ -0,0 +1 @@ +68bL6l3/sjbirva80tm0Dw6/PJu1S95nJC58gWCh42E= diff --git a/krebs/3modules/tv/wiregrill/xu.pub b/krebs/3modules/tv/wiregrill/xu.pub new file mode 100644 index 000000000..ba0c7dd04 --- /dev/null +++ b/krebs/3modules/tv/wiregrill/xu.pub @@ -0,0 +1 @@ +XU76RFN0jG/YjffAPg3e3VuHF/iKMvVoRhHmixvLL1s= diff --git a/krebs/3modules/tv/wiregrill/zu.pub b/krebs/3modules/tv/wiregrill/zu.pub new file mode 100644 index 000000000..0238dd653 --- /dev/null +++ b/krebs/3modules/tv/wiregrill/zu.pub @@ -0,0 +1 @@ +WrILdnsketejrJuYM/sLEh89GdSVbddv8BG/D3sW7kw= From b199a386d331ab7ff16cae6e0393379ce18a17af Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Dec 2018 21:57:08 +0100 Subject: [PATCH 12/13] external: add qubasa --- krebs/3modules/external/default.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 02d28ddc8..39922e2ee 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix 
@@ -289,6 +289,31 @@ in { }; }; }; + qubasa = { + owner = config.krebs.users.qubasa; + nets = { + retiolum = { + ip4.addr = "10.243.29.175"; + aliases = [ "qubasa.r" ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6ioASTOx6Vndp316u89Z + f+9WgfyVGw9deP2pQjoHnsPjBqRrsDCQGFO/U1ILQn0AWskQpHWHRir7Q6cI90jm + 8MqqGVymVFbeYbrOLHLjp+2fle9iU9DfST4O76TQwF/3elLf3tpGFS8EB+qF3Ig7 + aVOf5TuHPWWj6VtGTuWW9I8MsPnNykyRstlWXEztIs2zQrc0cO1IGd1QVarDGqTs + KR4Zm7PvF7U193NzPLaH6jcdjF37FETLrNxAu88M+YnvXBp4oRHeJmvBloazpH0v + aSb3+vNRlViMSlf9ImpAHlFRyvYYDAWlIY0nyeNUJna1ImGloSStLtBAhFAwc65j + kmrXeK3TVAoGZQOvSbjFmI/nBgfHEOnz/9aRVHGUNoQ/nAM6UhALFEZV6sdjX6W4 + 3p670DEO5fiI3fqqErkscbv8zSEjfmxV4YGMXVMw8Ub87fGwQEF17uDLeqD0k9AB + 7umwrWP53YffauAqinma0I6RcLRVRfJ2vhyBH1mKwAAW55WU6DpBTydy46kxy/Oz + k9Cnxw7oMydUAAdnf5Axgs+dcx43lnXvGsoHi4lZycYhqtPe2YI152HAbGfmrixV + Slzh8aiinBkLYW2VzJNTRmHvB3njjeua4/guXwe00G7MIs3UDMIieJNcVxb+E07v + vF2rqhqU9b+1MQRhIPsBf4cCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; }; users = { Mic92 = { @@ -301,6 +326,9 @@ in { }; sokratess = { }; + qubasa = { + mail = "luis.nixos@gmail.com"; + }; }; } From dc79107558105a3b6afb558f194965fcb3867542 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Dec 2018 22:29:56 +0100 Subject: [PATCH 13/13] l wiregrill: remove newlines from pubkeys --- lass/2configs/wiregrill.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index b2ee35df3..0183bd4e5 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix 
@@ -37,7 +37,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
 ;
 endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
 persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
- publicKey = host.nets.wiregrill.wireguard.pubkey;
+ publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
 })
 (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
 };
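Review bot: the parentheses around the `replaceStrings` call are redundant in attribute-value position; `publicKey = replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;` reads the same. Stripping every newline rather than only a trailing one is fine for a single-line base64 key and covers both key sources visible in this series (`readFile` of a `.pub` file in the tv module and the indented `''` literal that l-gen-secrets emits), but the reason is not obvious from the line itself, so a comment like `# pubkeys come from readFile or '' literals and may carry a trailing newline` would help. The enclosing `peers = mapAttrsToList (_: host: { … })` begins before the hunk.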