Merge remote-tracking branch 'lass/master'
This commit is contained in:
commit
c64fb07027
0
krebs/0tests/data/secrets/gollum.id_ed25519
Normal file
0
krebs/0tests/data/secrets/gollum.id_ed25519
Normal file
0
krebs/0tests/data/secrets/shack/telegram_bot.env
Normal file
0
krebs/0tests/data/secrets/shack/telegram_bot.env
Normal file
@ -85,7 +85,7 @@
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
users.users.joerg = {
|
users.users.joerg = {
|
||||||
openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
|
openssh.authorizedKeys.keys = [ config.krebs.users.mic92.pubkey ];
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
shell = "/run/current-system/sw/bin/zsh";
|
shell = "/run/current-system/sw/bin/zsh";
|
||||||
};
|
};
|
||||||
|
@ -13,7 +13,7 @@ with import <stockholm/lib>;
|
|||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts.go = {
|
virtualHosts.go = {
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_set_header Host go;
|
proxy_set_header Host go.r;
|
||||||
proxy_pass http://localhost:1337;
|
proxy_pass http://localhost:1337;
|
||||||
'';
|
'';
|
||||||
serverAliases = [
|
serverAliases = [
|
||||||
|
@ -76,7 +76,7 @@ let
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
pattern = ''^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
|
pattern = ''^([\H-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
|
||||||
activate = "match";
|
activate = "match";
|
||||||
arguments = [1 2 3];
|
arguments = [1 2 3];
|
||||||
command = {
|
command = {
|
||||||
|
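Review bot: Widening the first capture class from `[\w-]*` to `[\H-]*` on the pattern line lets any non-horizontal-whitespace character — quotes, `;`, `$(`, `/`, `..` — into capture 1, which `arguments = [1 2 3]` then hands to `command`, so this is an injection surface if that command interpolates the captures into a shell string or a path. The command body is outside the hunk; confirm it passes the captures as separate argv elements (or escapes them) before merging. `\H` is an Onigmo/PCRE extension that Python's `re` and POSIX engines do not know, so the pattern is tied to the engine the matcher uses; a comment such as `# \H: any non-horizontal-whitespace, so nicks with punctuation match; captures go to argv, never a shell string` would record both constraints. The enclosing attribute set starts and ends outside the hunk.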
@ -1,9 +1,41 @@
|
|||||||
{ config, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
let
|
||||||
|
|
||||||
|
setupGit = ''
|
||||||
|
export PATH=${makeBinPath [ pkgs.git ]}
|
||||||
|
export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
|
||||||
|
repo='git@localhost:wiki'
|
||||||
|
cd ${config.krebs.gollum.stateDir}
|
||||||
|
if ! url=$(git config remote.origin.url); then
|
||||||
|
git remote add origin "$repo"
|
||||||
|
elif test "$url" != "$repo"; then
|
||||||
|
git remote set-url origin "$repo"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
|
pushGollum = pkgs.writeDash "push_gollum" ''
|
||||||
|
${setupGit}
|
||||||
|
git fetch origin
|
||||||
|
git merge --ff-only origin/master
|
||||||
|
'';
|
||||||
|
|
||||||
|
pushCgit = pkgs.writeDash "push_cgit" ''
|
||||||
|
${setupGit}
|
||||||
|
git push origin master
|
||||||
|
'';
|
||||||
|
|
||||||
|
in
|
||||||
{
|
{
|
||||||
services.gollum = {
|
krebs.gollum = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
extraConfig = ''
|
||||||
|
Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
|
||||||
|
system('${pushCgit}')
|
||||||
|
end
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -16,4 +48,51 @@
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
krebs.git = {
|
||||||
|
enable = true;
|
||||||
|
cgit.settings = {
|
||||||
|
root-title = "krebs repos";
|
||||||
|
};
|
||||||
|
rules = with git; [
|
||||||
|
{
|
||||||
|
user = [
|
||||||
|
{
|
||||||
|
name = "gollum";
|
||||||
|
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
|
||||||
|
}
|
||||||
|
] ++ (attrValues config.krebs.users);
|
||||||
|
repo = [ config.krebs.git.repos.wiki ];
|
||||||
|
perm = push ''refs/heads/master'' [ create merge ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
repos.wiki = {
|
||||||
|
public = true;
|
||||||
|
name = "wiki";
|
||||||
|
hooks = {
|
||||||
|
post-receive = ''
|
||||||
|
${pkgs.git-hooks.irc-announce {
|
||||||
|
channel = "#xxx";
|
||||||
|
refs = [
|
||||||
|
"refs/heads/master"
|
||||||
|
];
|
||||||
|
nick = config.networking.hostName;
|
||||||
|
server = "irc.r";
|
||||||
|
verbose = true;
|
||||||
|
}}
|
||||||
|
/run/wrappers/bin/sudo -S -u gollum ${pushGollum}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
krebs.secret.files.gollum = {
|
||||||
|
path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
|
||||||
|
owner = { name = "gollum"; };
|
||||||
|
source-path = "${<secrets/gollum.id_ed25519>}";
|
||||||
|
};
|
||||||
|
|
||||||
|
security.sudo.extraConfig = ''
|
||||||
|
git ALL=(gollum) NOPASSWD: ${pushGollum}
|
||||||
|
'';
|
||||||
}
|
}
|
||||||
|
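Review bot: The deploy key is placed at `${config.krebs.gollum.stateDir}/.ssh/id_ed25519` (krebs.secret.files.gollum), but stateDir is also the working tree that the service `git init`s and that gollum serves, so the private key lives inside the wiki repository where a `git add -A`, a backup of the tree, or any feature that walks the working tree can pick it up. Keep it outside the repository — `path = "/var/lib/gollum-ssh/id_ed25519";` with the matching `-i /var/lib/gollum-ssh/id_ed25519` in GIT_SSH_COMMAND — and add a tmpfiles rule for that directory if krebs.secret does not create parent directories. `setupGit` also never pins the host key for `git@localhost`, so a non-interactive ssh fails host-key verification unless the gollum user's known_hosts already contains it; pin it (`programs.ssh.knownHosts` or `-o UserKnownHostsFile=`) rather than turning StrictHostKeyChecking off. In the post-receive hook the `-S` on `sudo -S -u gollum` is unnecessary with NOPASSWD and, if the rule ever failed to match, would read the ref list git feeds the hook on stdin as a password; drop it.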
@ -27,6 +27,7 @@ let
|
|||||||
./github-known-hosts.nix
|
./github-known-hosts.nix
|
||||||
./git.nix
|
./git.nix
|
||||||
./go.nix
|
./go.nix
|
||||||
|
./gollum.nix
|
||||||
./hidden-ssh.nix
|
./hidden-ssh.nix
|
||||||
./hosts.nix
|
./hosts.nix
|
||||||
./htgen.nix
|
./htgen.nix
|
||||||
@ -108,7 +109,6 @@ let
|
|||||||
{
|
{
|
||||||
krebs.dns.providers = {
|
krebs.dns.providers = {
|
||||||
"krebsco.de" = "zones";
|
"krebsco.de" = "zones";
|
||||||
gg23 = "hosts";
|
|
||||||
shack = "hosts";
|
shack = "hosts";
|
||||||
i = "hosts";
|
i = "hosts";
|
||||||
r = "hosts";
|
r = "hosts";
|
||||||
@ -152,9 +152,11 @@ let
|
|||||||
let
|
let
|
||||||
longs = net.aliases;
|
longs = net.aliases;
|
||||||
shorts =
|
shorts =
|
||||||
map (removeSuffix ".${cfg.dns.search-domain}")
|
optionals
|
||||||
(filter (hasSuffix ".${cfg.dns.search-domain}")
|
(cfg.dns.search-domain != null)
|
||||||
longs);
|
(map (removeSuffix ".${cfg.dns.search-domain}")
|
||||||
|
(filter (hasSuffix ".${cfg.dns.search-domain}")
|
||||||
|
longs));
|
||||||
add-port = a:
|
add-port = a:
|
||||||
if net.ssh.port != 22
|
if net.ssh.port != 22
|
||||||
then "[${a}]:${toString net.ssh.port}"
|
then "[${a}]:${toString net.ssh.port}"
|
||||||
@ -177,7 +179,8 @@ let
|
|||||||
(concatMap (host: attrValues host.nets)
|
(concatMap (host: attrValues host.nets)
|
||||||
(mapAttrsToList
|
(mapAttrsToList
|
||||||
(_: host: recursiveUpdate host
|
(_: host: recursiveUpdate host
|
||||||
(optionalAttrs (hasAttr cfg.dns.search-domain host.nets) {
|
(optionalAttrs (cfg.dns.search-domain != null &&
|
||||||
|
hasAttr cfg.dns.search-domain host.nets) {
|
||||||
nets."" = host.nets.${cfg.dns.search-domain} // {
|
nets."" = host.nets.${cfg.dns.search-domain} // {
|
||||||
aliases = [host.name];
|
aliases = [host.name];
|
||||||
addrs = [];
|
addrs = [];
|
||||||
|
@ -6,7 +6,7 @@ with import <stockholm/lib>;
|
|||||||
};
|
};
|
||||||
|
|
||||||
krebs.dns.search-domain = mkOption {
|
krebs.dns.search-domain = mkOption {
|
||||||
type = types.hostname;
|
type = types.nullOr types.hostname;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
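Review bot: `krebs.dns.search-domain` becomes `types.nullOr types.hostname` but the option still has no `default`, so the `!= null` guards added to the alias code elsewhere in this commit only help configurations that set it to `null` explicitly; a host that leaves it unset still fails evaluation with "option used but not defined". Add `default = null;` (and a `description` stating that no short aliases are generated when it is unset) so the null case is actually reachable. This assumes no other module supplies a default for the option — verify before relying on it.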
4
krebs/3modules/external/default.nix
4
krebs/3modules/external/default.nix
@ -465,9 +465,9 @@ in {
|
|||||||
mail = "kieran.meinhardt@gmail.com";
|
mail = "kieran.meinhardt@gmail.com";
|
||||||
pubkey = ssh-for "kmein";
|
pubkey = ssh-for "kmein";
|
||||||
};
|
};
|
||||||
Mic92 = {
|
mic92 = {
|
||||||
mail = "joerg@thalheim.io";
|
mail = "joerg@thalheim.io";
|
||||||
pubkey = ssh-for "Mic92";
|
pubkey = ssh-for "mic92";
|
||||||
};
|
};
|
||||||
qubasa = {
|
qubasa = {
|
||||||
mail = "luis.nixos@gmail.com";
|
mail = "luis.nixos@gmail.com";
|
||||||
|
99
krebs/3modules/external/mic92.nix
99
krebs/3modules/external/mic92.nix
@ -11,7 +11,7 @@ with import <stockholm/lib>;
|
|||||||
in {
|
in {
|
||||||
hosts = mapAttrs hostDefaults {
|
hosts = mapAttrs hostDefaults {
|
||||||
amy = {
|
amy = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "129.215.165.57";
|
ip4.addr = "129.215.165.57";
|
||||||
@ -44,7 +44,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
clara = {
|
clara = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "129.215.165.58";
|
ip4.addr = "129.215.165.58";
|
||||||
@ -77,7 +77,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
dimitrios = {
|
dimitrios = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.183";
|
ip4.addr = "10.243.29.183";
|
||||||
@ -98,7 +98,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
donna = {
|
donna = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "129.215.165.54";
|
ip4.addr = "129.215.165.54";
|
||||||
@ -132,7 +132,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
dpdkm = {
|
dpdkm = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.173";
|
ip4.addr = "10.243.29.173";
|
||||||
@ -156,7 +156,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
herbert = {
|
herbert = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
addrs = [
|
addrs = [
|
||||||
@ -179,7 +179,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
inspector = {
|
inspector = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "141.76.44.154";
|
ip4.addr = "141.76.44.154";
|
||||||
@ -208,7 +208,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
eddie = {
|
eddie = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
# eddie.thalheim.io
|
# eddie.thalheim.io
|
||||||
@ -242,7 +242,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
eve = {
|
eve = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
# eve.thalheim.io
|
# eve.thalheim.io
|
||||||
@ -273,13 +273,17 @@ in {
|
|||||||
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
|
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
|
||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
# ohorn lan
|
tinc.subnets = [
|
||||||
tinc.subnets = [ "fd42:4492:6a6d:500:8526:2adf:7451:8bbb" ];
|
# ohorn lan
|
||||||
|
"fd42:4492:6a6d:500:8526:2adf:7451:8bbb"
|
||||||
|
# docker network
|
||||||
|
"42:0000:002b:1605:3::/80"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
martha = {
|
martha = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "129.215.165.53";
|
ip4.addr = "129.215.165.53";
|
||||||
@ -313,7 +317,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
matchbox = {
|
matchbox = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.176";
|
ip4.addr = "10.243.29.176";
|
||||||
@ -339,31 +343,32 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
rock = {
|
rock = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.171";
|
ip4.addr = "10.243.29.171";
|
||||||
aliases = [ "rock.r" ];
|
aliases = [ "rock.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0uhNk3XXVxQcIVhD1Ime
|
||||||
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
|
9PY3QBIcXvwDlOrd3oUwyWTvZpUeO7yzIXdouAe4s0ohPIVq7Cmruj4ZrOGUCKyB
|
||||||
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
|
oJpOziYSbL/IiCpXyOzWMLEwu0AoeFfbxig+5oZfwQ9epM2j902CgsUipJBLIg48
|
||||||
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
|
BC9oOD+/iYEwsFPqQ/S0kETyQK5Ad+qv0lbU6/Kmify8Qplvpv/8DRdjsdLki1fU
|
||||||
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
|
a6MAEw12OtHe6IWtlitPjFMBykTP6kkSp/eg0G2KZFVuEulwHGf9QT/eT4fZTMCC
|
||||||
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
|
2V5Vp4rIr/hawmj+h4NIxniBSQcPAAIGNwZVC4uYYV1nd4iaI/T04rDJwte5WKHf
|
||||||
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
|
EVxtlYt9RU1I/XdNRSj9gYyneVcVlDVos8Z93oUv1hIGZYFtNmGVna6lggOBPf/t
|
||||||
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
|
BZ1MT6FKA4QX9JI8bQoNs18s8ffzyb07psNbH6YhpCygnhf9C7NR/CeI8BtpzJza
|
||||||
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
|
1Qk731Z6bk6xRFKMuY2tRKlNCqPHULj44oTHB3Ki2B/bMlkguqSChfFzKIRASYO1
|
||||||
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
|
SASSgddexjkjKLslxcLWhIqYrZhuhYlFyoeoMI3qQsey/4X5PUmQDxxhTT80+qvE
|
||||||
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
|
thBNPg46joyLTq9E9ddf7t/0C6oD2DXY88N9bkztuK5dtYHmjajUbePuaTJtrKhI
|
||||||
-----END RSA PUBLIC KEY-----
|
7MnLboZCEiSyvkVTTx0Yjf0CAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
rose = {
|
rose = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
internet = {
|
internet = {
|
||||||
ip4.addr = "129.215.165.52";
|
ip4.addr = "129.215.165.52";
|
||||||
@ -397,7 +402,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
turingmachine = {
|
turingmachine = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.168";
|
ip4.addr = "10.243.29.168";
|
||||||
@ -425,7 +430,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
harsha = {
|
harsha = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.184";
|
ip4.addr = "10.243.29.184";
|
||||||
@ -446,22 +451,36 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
eva = {
|
eva = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.mic92;
|
||||||
nets = {
|
nets = rec {
|
||||||
|
internet = {
|
||||||
|
# eva.thalheim.io
|
||||||
|
ip4.addr = "52.59.172.193";
|
||||||
|
ip6.addr = "2a05:d014:301:a601:ef0e:5434:d814:b8ed";
|
||||||
|
aliases = [ "eva.i" ];
|
||||||
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
ip4.addr = "10.243.29.185";
|
ip4.addr = "10.243.29.185";
|
||||||
aliases = [
|
aliases = [
|
||||||
"eva.r"
|
"eva.r"
|
||||||
|
"prometheus.r"
|
||||||
];
|
];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHptaExEcSUjEJ+RH33h
|
||||||
3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
|
uRK0Ttq8mJLDosWFYcoQkcL9S54aO9kF1gRJAKPBHoOt/IGeOxg2LNYWK6UjWfUy
|
||||||
pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
|
LB9c42EQ1wWZ2jSJ0LJgYzjR9cp3dlo9aHSa//O6p6eLpXRo9QLf8+aIWhNW5+BG
|
||||||
NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
|
sLIMR5b6Ngc2l8xQS+wvMmvTWJt3LyfQ6AKiKwCjeyrUFiuw0VWSn1I6n7H+CZBZ
|
||||||
9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
|
f/UvSxLucy1e0rvbHoTITOflIAfA84iCHsHsZjVqrx1iyOMdPtY2sBPmWhtVemDo
|
||||||
WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
|
duwzUpIuaJnWS7JOB4jsYWm672/KfzK7yAivqxD19OwqfZ3nNQ7sEDb3p4udw2Lf
|
||||||
-----END RSA PUBLIC KEY-----
|
0dqHwZ5Hoj21vs3XiXX/SHcSf5QLzpj1MWBkV3r1D8I8v3P5qUbLunCofp3d9GxE
|
||||||
|
N0gK06gqbLNonJvC/WD7lxeY32Rh1wYXbzbD/X6aWe/oD8WMIl312hH4cHQHOnVT
|
||||||
|
t76NISlYTPxwX5mfFsBm8t0GjnnWY2jLwaefk7N/CwoDaKhkhmw1oeAZMuRcDRvE
|
||||||
|
0ecpO4CZ6CcYERLxoYHgEAj3cMkSrQ8dT6XS4b9EO4hW4zCQ3RK9xDz71+uaihuB
|
||||||
|
6uuTTsn7s0PYBJDNdccOf1Qt8fqPPgzqUKqeUciHojYDDPTC5KQh5m2PBv4I4iIR
|
||||||
|
LnKOqNUX7UCqbdaE/tfFRG0CAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
112
krebs/3modules/gollum.nix
Normal file
112
krebs/3modules/gollum.nix
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.krebs.gollum;
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options.krebs.gollum = {
|
||||||
|
enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Enable the Gollum service.";
|
||||||
|
};
|
||||||
|
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "0.0.0.0";
|
||||||
|
description = "IP address on which the web server will listen.";
|
||||||
|
};
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 4567;
|
||||||
|
description = "Port on which the web server will run.";
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = mkOption {
|
||||||
|
type = types.lines;
|
||||||
|
default = "";
|
||||||
|
description = "Content of the configuration file";
|
||||||
|
};
|
||||||
|
|
||||||
|
mathjax = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Enable support for math rendering using MathJax";
|
||||||
|
};
|
||||||
|
|
||||||
|
allowUploads = mkOption {
|
||||||
|
type = types.nullOr (types.enum [ "dir" "page" ]);
|
||||||
|
default = null;
|
||||||
|
description = "Enable uploads of external files";
|
||||||
|
};
|
||||||
|
|
||||||
|
emoji = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Parse and interpret emoji tags";
|
||||||
|
};
|
||||||
|
|
||||||
|
branch = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "master";
|
||||||
|
example = "develop";
|
||||||
|
description = "Git branch to serve";
|
||||||
|
};
|
||||||
|
|
||||||
|
stateDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/var/lib/gollum";
|
||||||
|
description = "Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
users.users.gollum = {
|
||||||
|
group = config.users.users.gollum.name;
|
||||||
|
description = "Gollum user";
|
||||||
|
home = cfg.stateDir;
|
||||||
|
createHome = false;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups.gollum = { };
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services.gollum = {
|
||||||
|
description = "Gollum wiki";
|
||||||
|
after = [ "network.target" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
path = [ pkgs.git ];
|
||||||
|
|
||||||
|
preStart = ''
|
||||||
|
# This is safe to be run on an existing repo
|
||||||
|
git init ${cfg.stateDir}
|
||||||
|
'';
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
User = config.users.users.gollum.name;
|
||||||
|
Group = config.users.groups.gollum.name;
|
||||||
|
ExecStart = ''
|
||||||
|
${pkgs.gollum}/bin/gollum \
|
||||||
|
--port ${toString cfg.port} \
|
||||||
|
--host ${cfg.address} \
|
||||||
|
--config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
|
||||||
|
--ref ${cfg.branch} \
|
||||||
|
${optionalString cfg.mathjax "--mathjax"} \
|
||||||
|
${optionalString cfg.emoji "--emoji"} \
|
||||||
|
${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
|
||||||
|
${cfg.stateDir}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
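Review bot: The `address` default of `"0.0.0.0"` exposes gollum — which ships with no authentication of its own, so any visitor can edit and commit — on every interface, while the only consumer in this commit reaches it through nginx on the same host. Default to `"127.0.0.1"` and state why in the option: `description = "Address to listen on. Gollum has no authentication; keep it on loopback behind an authenticating reverse proxy.";`. `ExecStart` splices `cfg.stateDir`, `cfg.address` and `cfg.branch` unquoted into the command line; wrapping each in `escapeShellArg` (in scope via `with lib;`) keeps a path with spaces or a stray metacharacter from being split by systemd's argument parser. The `extraConfig` description could say that it is Ruby appended to the file passed via `--config`, which "Content of the configuration file" does not convey.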
@ -24,7 +24,11 @@ in {
|
|||||||
aliases = longs ++ shorts;
|
aliases = longs ++ shorts;
|
||||||
longs = filter check net.aliases;
|
longs = filter check net.aliases;
|
||||||
shorts = let s = ".${config.krebs.dns.search-domain}"; in
|
shorts = let s = ".${config.krebs.dns.search-domain}"; in
|
||||||
map (removeSuffix s) (filter (hasSuffix s) longs);
|
optionals
|
||||||
|
(config.krebs.dns.search-domain != null)
|
||||||
|
(map (removeSuffix s)
|
||||||
|
(filter (hasSuffix s)
|
||||||
|
longs));
|
||||||
in
|
in
|
||||||
map (addr: { ${addr} = aliases; }) net.addrs)
|
map (addr: { ${addr} = aliases; }) net.addrs)
|
||||||
(attrValues host.nets))
|
(attrValues host.nets))
|
||||||
@ -44,7 +48,9 @@ in {
|
|||||||
hostNetAliases = host:
|
hostNetAliases = host:
|
||||||
mapAttrs (_: net: filter (x: x.name != null && x.value != []) [
|
mapAttrs (_: net: filter (x: x.name != null && x.value != []) [
|
||||||
{ name = net.ip4.addr or null; value = net.aliases; }
|
{ name = net.ip4.addr or null; value = net.aliases; }
|
||||||
|
{ name = net.ip4.addr or null; value = (map (alias: "4.${alias}") net.aliases); }
|
||||||
{ name = net.ip6.addr or null; value = net.aliases; }
|
{ name = net.ip6.addr or null; value = net.aliases; }
|
||||||
|
{ name = net.ip6.addr or null; value = (map (alias: "6.${alias}") net.aliases); }
|
||||||
]) host.nets;
|
]) host.nets;
|
||||||
|
|
||||||
# netAliases : { ${netname} : [addrAliases] }
|
# netAliases : { ${netname} : [addrAliases] }
|
||||||
|
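Review bot: `s` is bound to `".${config.krebs.dns.search-domain}"` before the null check on the following line, which only works because `optionals` never forces its list argument when the condition is false; a reader has to know Nix is lazy to see that interpolating `null` cannot throw here. Make the guard visible instead: `shorts = if config.krebs.dns.search-domain == null then [] else let s = ".${config.krebs.dns.search-domain}"; in map (removeSuffix s) (filter (hasSuffix s) longs);`. The `let` that defines `longs`/`shorts` starts before the hunk.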
@ -18,6 +18,15 @@ with import <stockholm/lib>;
|
|||||||
default = null;
|
default = null;
|
||||||
type = types.nullOr types.groupname;
|
type = types.nullOr types.groupname;
|
||||||
};
|
};
|
||||||
|
keepGoing = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Whether to keep going when chowning or chmodding fails.
|
||||||
|
If set to false, then errors will cause the service to restart
|
||||||
|
instead.
|
||||||
|
'';
|
||||||
|
};
|
||||||
owner = mkOption {
|
owner = mkOption {
|
||||||
type = types.username;
|
type = types.username;
|
||||||
};
|
};
|
||||||
@ -43,7 +52,12 @@ with import <stockholm/lib>;
|
|||||||
'';
|
'';
|
||||||
in concatMapStrings mkdir plans;
|
in concatMapStrings mkdir plans;
|
||||||
|
|
||||||
systemd.services = genAttrs' plans (plan: {
|
systemd.services = genAttrs' plans (plan: let
|
||||||
|
continuable = command:
|
||||||
|
if plan.keepGoing
|
||||||
|
then /* sh */ "{ ${command}; } || :"
|
||||||
|
else command;
|
||||||
|
in {
|
||||||
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
|
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
|
||||||
value = {
|
value = {
|
||||||
environment = {
|
environment = {
|
||||||
@ -82,9 +96,9 @@ with import <stockholm/lib>;
|
|||||||
cleanup
|
cleanup
|
||||||
exec "$0" "$@"
|
exec "$0" "$@"
|
||||||
fi
|
fi
|
||||||
chown -h "$OWNER_GROUP" "$path"
|
${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''}
|
||||||
if test -f "$path"; then
|
if test -f "$path"; then
|
||||||
chmod "$FILE_MODE" "$path"
|
${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''}
|
||||||
fi
|
fi
|
||||||
done < "$paths"
|
done < "$paths"
|
||||||
'';
|
'';
|
||||||
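Review bot: With `keepGoing` the `continuable` wrapper turns a failed `chown`/`chmod` into `|| :`, so a path the service could not fix is silently skipped and nothing in the journal records it; since permown exists to enforce ownership and mode on a tree, a quiet skip hides exactly the files that matter. Log before continuing, e.g. `then /* sh */ ''{ ${command}; } || echo "permown: ignoring failure on $path" >&2''`, which still lets the loop proceed. The option description should then add that failures are reported but not fatal when keepGoing is true. The `while` loop the wrapped commands live in starts before the hunk.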
|
@ -22,7 +22,7 @@ in {
|
|||||||
wantedBy = ["multi-user.target"];
|
wantedBy = ["multi-user.target"];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}";
|
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}";
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
cfg.files
|
cfg.files
|
||||||
|
@ -29,6 +29,9 @@ let
|
|||||||
Interface = ${netname}
|
Interface = ${netname}
|
||||||
Broadcast = no
|
Broadcast = no
|
||||||
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
||||||
|
${optionalString (tinc.config.privkey_ed25519 != null)
|
||||||
|
"Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
|
||||||
|
}
|
||||||
PrivateKeyFile = ${tinc.config.privkey.path}
|
PrivateKeyFile = ${tinc.config.privkey.path}
|
||||||
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
||||||
${tinc.config.extraConfig}
|
${tinc.config.extraConfig}
|
||||||
@ -165,6 +168,17 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
privkey_ed25519 = mkOption {
|
||||||
|
type = types.nullOr types.secret-file;
|
||||||
|
default =
|
||||||
|
if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
|
||||||
|
name = "${tinc.config.netname}.ed25519_key.priv";
|
||||||
|
path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
|
||||||
|
owner = tinc.config.user;
|
||||||
|
source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
connectTo = mkOption {
|
connectTo = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
${if tinc.config.netname == "retiolum" then "default" else null} = [
|
${if tinc.config.netname == "retiolum" then "default" else null} = [
|
||||||
@ -198,8 +212,23 @@ let
|
|||||||
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
||||||
# avoid conflicts in environment if the packages differ
|
# avoid conflicts in environment if the packages differ
|
||||||
|
|
||||||
krebs.secret.files = mapAttrs' (netname: cfg:
|
krebs.secret.files =
|
||||||
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
|
let
|
||||||
|
ed25519_keys =
|
||||||
|
filterAttrs
|
||||||
|
(_: key: key != null)
|
||||||
|
(mapAttrs'
|
||||||
|
(netname: cfg:
|
||||||
|
nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
|
||||||
|
)
|
||||||
|
config.krebs.tinc);
|
||||||
|
|
||||||
|
rsa_keys =
|
||||||
|
mapAttrs'
|
||||||
|
(netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
|
||||||
|
config.krebs.tinc;
|
||||||
|
in
|
||||||
|
ed25519_keys // rsa_keys;
|
||||||
|
|
||||||
users.users = mapAttrs' (netname: cfg:
|
users.users = mapAttrs' (netname: cfg:
|
||||||
nameValuePair "${netname}" {
|
nameValuePair "${netname}" {
|
||||||
@ -221,11 +250,15 @@ let
|
|||||||
in {
|
in {
|
||||||
description = "Tinc daemon for ${netname}";
|
description = "Tinc daemon for ${netname}";
|
||||||
after = [
|
after = [
|
||||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
|
||||||
"network.target"
|
"network.target"
|
||||||
|
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||||
|
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||||
|
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||||
];
|
];
|
||||||
partOf = [
|
partOf = [
|
||||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||||
|
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||||
|
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||||
];
|
];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ tinc iproute ];
|
path = [ tinc iproute ];
|
||||||
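Review bot: `privkey_ed25519` is defaulted from `config.krebs.hosts.<host>.nets.<net>.tinc.pubkey_ed25519`, and the service ordering and the `Ed25519PrivateKeyFile` line key off `privkey_ed25519 != null`, but nothing ties either to the tinc package: `Ed25519PrivateKeyFile` is a tinc 1.1 option, so a net that stays on a 1.0 `tincPackage` while its host publishes an Ed25519 key gets a config line that daemon does not understand. An assertion in the module along the lines of "hosts with tinc.pubkey_ed25519 require a tinc 1.1 package" (or a check on `tincPackage.version`) would fail at eval time instead of at runtime. The new secret inherits whatever mode `types.secret-file` defaults to; if that is not 0400, set it here as the RSA entry presumably does — that entry is outside the hunk, so confirm.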
|
@ -55,6 +55,33 @@ in {
|
|||||||
ssh.privkey.path = <secrets/ssh.id_rsa>;
|
ssh.privkey.path = <secrets/ssh.id_rsa>;
|
||||||
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
|
ssh.pubkey = "ssh-rsa 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";
|
||||||
};
|
};
|
||||||
|
au = {
|
||||||
|
ci = true;
|
||||||
|
cores = 4;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.13.39";
|
||||||
|
aliases = [
|
||||||
|
"au.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
|
||||||
|
9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
|
||||||
|
PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
|
||||||
|
PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
|
||||||
|
cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
|
||||||
|
jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
tinc.pubkey_ed25519 =
|
||||||
|
"Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secure = true;
|
||||||
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
|
||||||
|
};
|
||||||
mu = {
|
mu = {
|
||||||
ci = true;
|
ci = true;
|
||||||
cores = 2;
|
cores = 2;
|
||||||
@ -131,11 +158,6 @@ in {
|
|||||||
ci = true;
|
ci = true;
|
||||||
cores = 2;
|
cores = 2;
|
||||||
nets = {
|
nets = {
|
||||||
gg23 = {
|
|
||||||
ip4.addr = "10.23.1.110";
|
|
||||||
aliases = ["nomic.gg23"];
|
|
||||||
ssh.port = 11423;
|
|
||||||
};
|
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.0.110";
|
ip4.addr = "10.243.0.110";
|
||||||
aliases = [
|
aliases = [
|
||||||
@ -158,27 +180,10 @@ in {
|
|||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
|
||||||
};
|
};
|
||||||
ok = {
|
|
||||||
external = true;
|
|
||||||
nets = {
|
|
||||||
gg23 = {
|
|
||||||
ip4.addr = "10.23.1.1";
|
|
||||||
aliases = ["ok.gg23"];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
wu = {
|
wu = {
|
||||||
ci = true;
|
ci = true;
|
||||||
cores = 4;
|
cores = 4;
|
||||||
nets = {
|
nets = {
|
||||||
gg23 = {
|
|
||||||
ip4.addr = "10.23.1.37";
|
|
||||||
aliases = [
|
|
||||||
"wu.gg23"
|
|
||||||
"cache.wu.gg23"
|
|
||||||
];
|
|
||||||
ssh.port = 11423;
|
|
||||||
};
|
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.13.37";
|
ip4.addr = "10.243.13.37";
|
||||||
aliases = [
|
aliases = [
|
||||||
@ -237,14 +242,6 @@ in {
|
|||||||
ci = true;
|
ci = true;
|
||||||
cores = 4;
|
cores = 4;
|
||||||
nets = {
|
nets = {
|
||||||
gg23 = {
|
|
||||||
ip4.addr = "10.23.1.38";
|
|
||||||
aliases = [
|
|
||||||
"xu.gg23"
|
|
||||||
"cache.xu.gg23"
|
|
||||||
];
|
|
||||||
ssh.port = 11423;
|
|
||||||
};
|
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.13.38";
|
ip4.addr = "10.243.13.38";
|
||||||
aliases = [
|
aliases = [
|
||||||
@ -272,13 +269,6 @@ in {
|
|||||||
ci = true;
|
ci = true;
|
||||||
cores = 4;
|
cores = 4;
|
||||||
nets = {
|
nets = {
|
||||||
gg23 = {
|
|
||||||
ip4.addr = "10.23.1.39";
|
|
||||||
aliases = [
|
|
||||||
"zu.gg23"
|
|
||||||
];
|
|
||||||
ssh.port = 11423;
|
|
||||||
};
|
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.13.40";
|
ip4.addr = "10.243.13.40";
|
||||||
aliases = [
|
aliases = [
|
||||||
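Review bot: `tinc.pubkey_ed25519 = "Ed25519PublicKey = bfDt…"` stores the tinc.conf keyword together with the key, so the option value is a config line rather than a key; whichever module consumes it has to either emit it verbatim or parse the prefix back out, and a value without the prefix would silently produce a broken host file. If the option is meant to carry the key, store `"bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"` and let the tinc module write `Ed25519PublicKey = ${...}`; if it is meant to be a whole line, the option's type or description should say so — the consumer is outside this commit's view, so confirm which it is. The `hosts` attribute set this entry belongs to starts and ends outside the hunk.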
|
@ -2,7 +2,7 @@ with import <stockholm/lib>;
|
|||||||
{ attr, coreutils, exiv2, findutils, gnugrep, jq, nix, utillinux, stdenv }:
|
{ attr, coreutils, exiv2, findutils, gnugrep, jq, nix, utillinux, stdenv }:
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "htgen-imgur";
|
pname = "htgen-imgur";
|
||||||
version = "1.0.0";
|
version = "1.1.0";
|
||||||
|
|
||||||
src = ./src;
|
src = ./src;
|
||||||
|
|
||||||
|
@ -27,13 +27,15 @@ basic_response() {(
|
|||||||
}
|
}
|
||||||
')
|
')
|
||||||
|
|
||||||
printf "HTTP/1.1 $status_code $status_reason\r\n"
|
if test "$HTGEN_VERBOSE" = true; then
|
||||||
printf 'Connection: close\r\n'
|
printf "HTTP/1.1 $status_code $status_reason\r\n"
|
||||||
printf 'Content-Length: %d\r\n' $(expr ${#response_body} + 1)
|
printf 'Connection: close\r\n'
|
||||||
printf 'Content-Type: application/json; charset=UTF-8\r\n'
|
printf 'Content-Length: %d\r\n' $(expr ${#response_body} + 1)
|
||||||
printf 'Server: %s\r\n' "$Server"
|
printf 'Content-Type: application/json; charset=UTF-8\r\n'
|
||||||
printf '\r\n'
|
printf 'Server: %s\r\n' "$Server"
|
||||||
printf '%s\n' "$response_body"
|
printf '\r\n'
|
||||||
|
printf '%s\n' "$response_body"
|
||||||
|
fi
|
||||||
|
|
||||||
)}
|
)}
|
||||||
|
|
||||||
@ -78,7 +80,9 @@ case "$Method $path" in
|
|||||||
trap "rm $content >&2" EXIT
|
trap "rm $content >&2" EXIT
|
||||||
|
|
||||||
case ${req_expect-} in 100-continue)
|
case ${req_expect-} in 100-continue)
|
||||||
printf 'HTTP/1.1 100 Continue\r\n\r\n'
|
if test "$HTGEN_VERBOSE" = true; then
|
||||||
|
printf 'HTTP/1.1 100 Continue\r\n\r\n'
|
||||||
|
fi
|
||||||
esac
|
esac
|
||||||
|
|
||||||
head -c $req_content_length > $content
|
head -c $req_content_length > $content
|
||||||
|
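Review bot: With `HTGEN_VERBOSE` unset, the guarded `basic_response` now writes nothing at all — no status line, no headers, no body — and the `100 Continue` before `head -c` is suppressed the same way, so unless htgen 1.2.8 now emits the HTTP framing itself the client gets an empty reply. If that split is intended, a comment at the top of the guard should say so, e.g. `# htgen >= 1.2.8 writes the response; only echo it when HTGEN_VERBOSE=true`. If this script runs under `set -u` (not visible here), `test "$HTGEN_VERBOSE" = true` aborts on an unset variable; `test "${HTGEN_VERBOSE-}" = true` is safe either way. The enclosing `basic_response` function starts before the hunk.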
@ -1,14 +1,14 @@
|
|||||||
{ coreutils, dash, fetchgit, gnused, stdenv, ucspi-tcp }:
|
{ coreutils, dash, fetchgit, gnused, stdenv, ucspi-tcp }:
|
||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
let
|
let
|
||||||
version = "1.2.3";
|
version = "1.2.8";
|
||||||
in stdenv.mkDerivation {
|
in stdenv.mkDerivation {
|
||||||
name = "htgen-${version}";
|
name = "htgen-${version}";
|
||||||
|
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "http://cgit.krebsco.de/htgen";
|
url = "http://cgit.krebsco.de/htgen";
|
||||||
rev = "refs/tags/v${version}";
|
rev = "refs/tags/v${version}";
|
||||||
sha256 = "0lml336w31ckgspp633ym2jnppzln3f8mvmy3y2vz9yanf59j0hb";
|
sha256 = "046c05jswar2agagqixad3idqxca494aaf199h6bdn02cyzygnpq";
|
||||||
};
|
};
|
||||||
|
|
||||||
installPhase = ''
|
installPhase = ''
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||||
"rev": "8e2b14aceb1d40c7e8b84c03a7c78955359872bb",
|
"rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
|
||||||
"date": "2020-08-05T09:17:35+01:00",
|
"date": "2020-08-20T19:08:02+02:00",
|
||||||
"sha256": "0zzjpd9smr7rxzrdf6raw9kbj42fbvafxb5bz36lcxgv290pgsm8",
|
"sha256": "1ak7jqx94fjhc68xh1lh35kh3w3ndbadprrb762qgvcfb8351x8v",
|
||||||
"fetchSubmodules": false
|
"fetchSubmodules": false
|
||||||
}
|
}
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||||
"rev": "e23e05452c67ce406debffa831290fb3abaabf0e",
|
"rev": "42674051d12540d4a996504990c6ea3619505953",
|
||||||
"date": "2020-08-06T15:33:30+02:00",
|
"date": "2020-09-06T21:21:08-04:00",
|
||||||
"sha256": "10wlcm20bvak8cxjhfvmn0vm4n9da3zl19026h66zc1wfmcqgrkp",
|
"sha256": "1hz1n1hghilgzk4zlya498xm5lvhsf0r5b49yii7q86h3616fhwy",
|
||||||
"fetchSubmodules": false
|
"fetchSubmodules": false
|
||||||
}
|
}
|
||||||
|
@ -15,14 +15,6 @@ with import <stockholm/lib>;
|
|||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.blue;
|
krebs.build.host = config.krebs.hosts.blue;
|
||||||
|
|
||||||
environment.shellAliases = {
|
|
||||||
deploy = pkgs.writeDash "deploy" ''
|
|
||||||
set -eu
|
|
||||||
export SYSTEM="$1"
|
|
||||||
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.nameservers = [ "1.1.1.1" ];
|
networking.nameservers = [ "1.1.1.1" ];
|
||||||
|
|
||||||
services.restic.backups = genAttrs [
|
services.restic.backups = genAttrs [
|
||||||
|
@ -396,12 +396,12 @@ with import <stockholm/lib>;
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
nix.trustedUsers = [ "Mic92" ];
|
nix.trustedUsers = [ "mic92" ];
|
||||||
users.users.Mic92 = {
|
users.users.mic92 = {
|
||||||
uid = genid_uint31 "Mic92";
|
uid = genid_uint31 "mic92";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.Mic92.pubkey
|
config.krebs.users.mic92.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -251,6 +251,27 @@ with import <stockholm/lib>;
|
|||||||
3f8a56ddb2e64eb67adfc9b337157ff4
|
3f8a56ddb2e64eb67adfc9b337157ff4
|
||||||
-----END OpenVPN Static key V1-----
|
-----END OpenVPN Static key V1-----
|
||||||
</tls-auth>
|
</tls-auth>
|
||||||
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
systemd.services.flix-index = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
path = [
|
||||||
|
pkgs.coreutils
|
||||||
|
pkgs.findutils
|
||||||
|
pkgs.inotifyTools
|
||||||
|
];
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "always";
|
||||||
|
ExecStart = pkgs.writers.writeDash "flix-index" ''
|
||||||
|
set -efu
|
||||||
|
|
||||||
|
DIR=/var/download/finished
|
||||||
|
cd "$DIR"
|
||||||
|
while inotifywait -rq -e create -e move -e delete "$DIR"; do
|
||||||
|
find . -type f > "$DIR"/index.tmp
|
||||||
|
mv "$DIR"/index.tmp "$DIR"/index
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
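Review bot: `flix-index` sets no `User=` or `DynamicUser=`, so `find . -type f > "$DIR"/index.tmp` and the following `mv` run as root inside `/var/download/finished`, a directory the download client presumably writes to; a symlink planted there under the name `index.tmp` is followed by the `>` redirection and lets root overwrite an arbitrary file. Running the unit as the owner of that directory (`serviceConfig.User = …` plus `ProtectSystem = "strict"; ReadWritePaths = [ "/var/download/finished" ];`) removes that exposure without changing the output. Separately, `-e create` fires when a file appears, not when it is fully written, so the index can list half-downloaded files; adding `-e close_write` is cheaper than another full `find`. Under `set -efu` any non-zero `inotifywait` exit ends the script, which `Restart = "always"` then loops on without delay unless `RestartSec` is set.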
@ -93,6 +93,7 @@ with import <stockholm/lib>;
|
|||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
#stockholm
|
#stockholm
|
||||||
|
deploy
|
||||||
git
|
git
|
||||||
gnumake
|
gnumake
|
||||||
jq
|
jq
|
||||||
|
@ -66,14 +66,16 @@ in {
|
|||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
# minecraft
|
# minecraft
|
||||||
steam-run
|
# ftb
|
||||||
scummvm
|
# steam-run
|
||||||
dolphinEmu
|
# scummvm
|
||||||
doom1
|
# dolphinEmu
|
||||||
doom2
|
# doom1
|
||||||
vdoom1
|
# doom2
|
||||||
vdoom2
|
# protontricks
|
||||||
vdoomserver
|
# vdoom1
|
||||||
|
# vdoom2
|
||||||
|
# vdoomserver
|
||||||
retroarchBare
|
retroarchBare
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
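--- a/lass/5pkgs/deploy/default.nix
+++ b/lass/5pkgs/deploy/default.nix
@@ -0,0 +1,6 @@
+{ writers }:
+writers.writeDashBin "deploy" ''
+set -eu
+export SYSTEM="$1"
+$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
+''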
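Review bot: The script validates nothing about its argument; under `set -eu` a bare `deploy` dies with dash's `$1: parameter not set`, which is less helpful than a usage line such as `test $# -eq 1 || { echo 'usage: deploy SYSTEM' >&2; exit 1; }` placed before the `export`. `$HOME/sync/stockholm/lass/krops.nix` is also unquoted and hard-wired to one user's checkout, so as a system package this only works for that account; a comment like `# expects the stockholm checkout at ~/sync/stockholm` would make the assumption explicit to anyone else who finds `deploy` on their PATH.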
@ -179,6 +179,10 @@ rec {
|
|||||||
pubkey = mkOption {
|
pubkey = mkOption {
|
||||||
type = tinc-pubkey;
|
type = tinc-pubkey;
|
||||||
};
|
};
|
||||||
|
pubkey_ed25519 = mkOption {
|
||||||
|
type = nullOr tinc-pubkey;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
description = "Extra Configuration to be appended to the hosts file";
|
description = "Extra Configuration to be appended to the hosts file";
|
||||||
default = "";
|
default = "";
|
||||||
|
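Review bot: The new `pubkey_ed25519` option carries no `description`, unlike `extraConfig` right below it, and it reuses `tinc-pubkey` as its type; if `tinc-pubkey` checks the RSA PEM block format that `pubkey` holds, an Ed25519 key (the `Ed25519PublicKey = …` form tinc uses) may not pass that check, so the type is worth confirming or a dedicated one added. Suggest `description = "Ed25519 public key for tinc, if the host has one (null disables it)";`. The enclosing option set starts before the hunk.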
@ -17,7 +17,6 @@ with import <stockholm/lib>;
|
|||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
chromium
|
|
||||||
firefoxWrapper
|
firefoxWrapper
|
||||||
networkmanagerapplet
|
networkmanagerapplet
|
||||||
(pkgs.pidgin-with-plugins.override {
|
(pkgs.pidgin-with-plugins.override {
|
||||||
@ -31,12 +30,12 @@ with import <stockholm/lib>;
|
|||||||
};
|
};
|
||||||
"/" = {
|
"/" = {
|
||||||
device = "/dev/mapper/main-root";
|
device = "/dev/mapper/main-root";
|
||||||
fsType = "btrfs";
|
fsType = "ext4";
|
||||||
options = [ "defaults" "noatime" ];
|
options = [ "defaults" "noatime" ];
|
||||||
};
|
};
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = "/dev/mapper/main-home";
|
device = "/dev/mapper/main-home";
|
||||||
fsType = "btrfs";
|
fsType = "ext4";
|
||||||
options = [ "defaults" "noatime" ];
|
options = [ "defaults" "noatime" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -55,9 +54,11 @@ with import <stockholm/lib>;
|
|||||||
|
|
||||||
networking.networkmanager.enable = true;
|
networking.networkmanager.enable = true;
|
||||||
|
|
||||||
nixpkgs.config = {
|
services.earlyoom.enable = true;
|
||||||
allowUnfree = true;
|
services.earlyoom.freeMemThreshold = 5;
|
||||||
};
|
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
|
||||||
|
"--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
|
||||||
|
];
|
||||||
|
|
||||||
services.xserver = {
|
services.xserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
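Review bot: `EARLYOOM_ARGS` is handed to the unit as one environment string with embedded single quotes; if the unit's `ExecStart` expands it as an unquoted `$EARLYOOM_ARGS`, systemd splits on whitespace without shell quote handling, so `--prefer` would receive the literal `'^(Web`, followed by `Content|Privileged` and `Cont)$'`, rather than the intended regex. A pattern without whitespace sidesteps the question however the variable is expanded: `"--prefer ^(Web.Content|Privileged.Cont)$"`. It is also worth confirming that the earlyoom unit's `ExecStart` references `EARLYOOM_ARGS` at all; otherwise the environment entry is silently ignored while `freeMemThreshold` on the line above still applies.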
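--- a/tv/1systems/au/config.nix
+++ b/tv/1systems/au/config.nix
@@ -0,0 +1,18 @@
+{ config, ... }: {
+imports = [
+./disks.nix
+<stockholm/tv>
+<stockholm/tv/2configs/hw/x220.nix>
+<stockholm/tv/2configs/retiolum.nix>
+];
+
+krebs.build.host = config.krebs.hosts.au;
+
+networking.wireless.enable = true;
+networking.useDHCP = false;
+networking.interfaces.enp0s25.useDHCP = true;
+networking.interfaces.wlp3s0.useDHCP = true;
+networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+
+system.stateVersion = "20.03";
+}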
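--- a/tv/1systems/au/disks.nix
+++ b/tv/1systems/au/disks.nix
@@ -0,0 +1,19 @@
+{
+boot.initrd.luks.devices.main.device = "/dev/sda2";
+fileSystems."/" = {
+device = "/dev/main/root";
+options = ["defaults" "noatime" "commit=60"];
+};
+fileSystems."/boot" = {
+device = "/dev/sda1";
+options = ["defaults" "noatime"];
+};
+fileSystems."/bku" = {
+device = "/dev/main/bku";
+options = ["defaults" "noatime"];
+};
+fileSystems."/home" = {
+device = "/dev/main/home";
+options = ["defaults" "noatime" "commit=60"];
+};
+}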
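Review bot: `boot.initrd.luks.devices.main.device = "/dev/sda2"` and `fileSystems."/boot".device = "/dev/sda1"` identify the disk by enumeration order; on a laptop where a USB stick or SD card can enumerate first, the initrd either fails to find the LUKS header or mounts the wrong `/boot`. A `/dev/disk/by-uuid/<uuid>` (or `by-id`) path is stable across boots, which the LVM names `/dev/main/*` already are. The entries also omit `fsType`; stating it documents the layout and makes it obvious which filesystem `commit=60` is meant for.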
@ -27,7 +27,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts.nix-serve = {
|
virtualHosts.nix-serve = {
|
||||||
serverAliases = [
|
serverAliases = [
|
||||||
"cache.${config.krebs.build.host.name}.gg23"
|
"cache.${config.krebs.build.host.name}.hkw"
|
||||||
];
|
];
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||||
|
@ -16,6 +16,7 @@ with import <stockholm/lib>;
|
|||||||
./backup.nix
|
./backup.nix
|
||||||
./bash
|
./bash
|
||||||
./htop.nix
|
./htop.nix
|
||||||
|
./nets/hkw.nix
|
||||||
./nginx
|
./nginx
|
||||||
./pki
|
./pki
|
||||||
./ssh.nix
|
./ssh.nix
|
||||||
|
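--- a/tv/2configs/nets/hkw.nix
+++ b/tv/2configs/nets/hkw.nix
@@ -0,0 +1,81 @@
+{
+krebs = {
+dns.providers.hkw = "hosts";
+hosts = {
+au = {
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.39";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"au.hkw"
+];
+ssh.port = 11423;
+};
+};
+nomic = {
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.110";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"nomic.hkw"
+];
+ssh.port = 11423;
+};
+};
+ok = {
+external = true;
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.1";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"ok.hkw"
+];
+};
+};
+wu = {
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.37";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"wu.hkw"
+"cache.wu.hkw"
+];
+ssh.port = 11423;
+};
+};
+xu = {
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.38";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"xu.hkw"
+"cache.xu.hkw"
+];
+ssh.port = 11423;
+};
+};
+zu = {
+nets.hkw = {
+ip4 = {
+addr = "10.23.1.40";
+prefix = "10.23.1.0/24";
+};
+aliases = [
+"zu.hkw"
+];
+ssh.port = 11423;
+};
+};
+};
+};
+}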
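Review bot: `zu`'s address moves from `10.23.1.39` (in the gg23 block removed earlier in this commit) to `10.23.1.40`, while the new host `au` takes `10.23.1.39`; since `dns.providers.hkw = "hosts"` turns these entries into `/etc/hosts` on every machine, this only resolves correctly if zu was actually renumbered, otherwise two hosts answer to .39. A one-line comment on zu, `# renumbered from .39 when au joined`, would record the intent. Style: `prefix = "10.23.1.0/24";` is repeated six times; a `let prefix = "10.23.1.0/24"; in` at the top (or a small `mkHost` helper) keeps the subnet in one place.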
@ -9,7 +9,7 @@ with import <stockholm/lib>;
|
|||||||
serverAliases = [
|
serverAliases = [
|
||||||
"localhost"
|
"localhost"
|
||||||
"${config.krebs.build.host.name}"
|
"${config.krebs.build.host.name}"
|
||||||
"${config.krebs.build.host.name}.gg23"
|
"${config.krebs.build.host.name}.hkw"
|
||||||
"${config.krebs.build.host.name}.r"
|
"${config.krebs.build.host.name}.r"
|
||||||
];
|
];
|
||||||
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
||||||
|