Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2023-01-10 13:20:04 +01:00
commit c691e94c45
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
101 changed files with 2469 additions and 1716 deletions

3
.gitmodules vendored
View File

@ -7,3 +7,6 @@
[submodule "lass/5pkgs/autowifi"] [submodule "lass/5pkgs/autowifi"]
path = lass/5pkgs/autowifi path = lass/5pkgs/autowifi
url = https://github.com/Lassulus/autowifi url = https://github.com/Lassulus/autowifi
[submodule "submodules/disko"]
path = submodules/disko
url = https://github.com/nix-community/disko

View File

@ -21,11 +21,11 @@ rather fuzzy and may mean different things, just choose what would fit best.
Here are a numbers of samples for defining the component: Here are a numbers of samples for defining the component:
* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum.r: change ip` * Change `gum` in `krebs/3modules/makefu/default.nix`: `gum: change ip`
* Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO` * Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO`
* Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>` * Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>`
* Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type` * Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type`
* Change host `gum` in `makefu/1systems/gum`: `ma gum.r: add taskserver` * Change host `gum` in `makefu/1systems/gum`: `ma gum: add taskserver`
* Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy` * Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy`
## `<rationale>` ## `<rationale>`

View File

@ -15,7 +15,6 @@ with import ../../lib;
"test-all-krebs-modules" "test-all-krebs-modules"
] (name: { ] (name: {
inherit name; inherit name;
cores = 1;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.73.57"; ip4.addr = "10.243.73.57";
@ -36,7 +35,6 @@ in {
hosts = mapAttrs hostDefaults ({ hosts = mapAttrs hostDefaults ({
filebitch = { filebitch = {
ci = true; ci = true;
cores = 4;
nets = { nets = {
shack = { shack = {
ip4 = { ip4 = {
@ -134,7 +132,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo "; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo ";
}; };
onebutton = { onebutton = {
cores = 1;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.101"; ip4.addr = "10.243.0.101";
@ -163,7 +160,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe "; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe ";
}; };
ponte = { ponte = {
cores = 1;
owner = config.krebs.users.krebs; owner = config.krebs.users.krebs;
extraZones = { extraZones = {
"krebsco.de" = /* bindzone */ '' "krebsco.de" = /* bindzone */ ''
@ -212,7 +208,6 @@ in {
}; };
puyak = { puyak = {
ci = true; ci = true;
cores = 4;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.77.2"; ip4.addr = "10.243.77.2";

40
kartei/lass/blue.nix Normal file
View File

@ -0,0 +1,40 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
ip6.addr = r6 "b1ce";
aliases = [
"blue.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc
sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM
wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu
PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ
RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/
HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm
khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP
49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N
w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6
ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J
Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "vf3JzuLpEkjcwZtuJ/0M9Zjfp5ChKXvkORMXsZ4nJKL";
};
};
wiregrill = {
ip6.addr = w6 "b1ce";
aliases = [
"blue.w"
];
wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U=";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
syncthing.id = "J2LMIPD-PBEPVKL-A3MN6NQ-KL6DZ4N-K4GGWZB-E2EPLFN-PDLVAOC-DCSZHAD";
}

42
kartei/lass/coaxmetal.nix Normal file
View File

@ -0,0 +1,42 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.17";
ip6.addr = r6 "17";
aliases = [
"coaxmetal.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA
xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK
gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU
WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek
ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32
G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F
G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO
IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX
K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE
7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly
bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo
l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "bEGgA5Wupw+Dgh6Ub7V21Y3wOmyspW1rKGrZsVhi3cO";
};
};
wiregrill = {
ip6.addr = w6 "17";
aliases = [
"coaxmetal.w"
];
wireguard.pubkey = ''
lkjR14oOVKl03/0sUzOmddf28ps+v5qRxrbRY03Pg38=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9vAYuTv07c9bOjDJId3ShXJ1qIEuyrjkVYkJn9yMET ";
syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ";
}

33
kartei/lass/daedalus.nix Normal file
View File

@ -0,0 +1,33 @@
{ r6, w6, ... }:
{
nets = rec {
retiolum = {
ip4.addr = "10.243.133.115";
ip6.addr = r6 "daed";
aliases = [
"daedalus.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8
5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+
qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8
ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR
arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w
3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "ybmNcRLtZ0NxlxIRE3bdc2G4lLXtTGXu+iRaXMTKCNG";
};
};
wiregrill = {
ip6.addr = w6 "daed";
aliases = [
"daedalus.w"
];
wireguard.pubkey = "ZVTTWbJfe8Oq6E6QW1qgXU91FnkuKDGJO3MF3I3gDFI=";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5Ovdcsljr5dOl7+2sQNKpGpdX0SlOIuCZKEiWEp8g";
}

View File

@ -3,6 +3,12 @@ with import ../../lib;
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
hostFiles =
builtins.map (lib.removeSuffix ".nix") (
builtins.filter
(x: lib.hasSuffix ".nix" x && x != "default.nix")
(lib.attrNames (builtins.readDir ./.))
);
in { in {
dns.providers = { dns.providers = {
@ -13,895 +19,10 @@ in {
consul = true; consul = true;
ci = true; ci = true;
monitoring = true; monitoring = true;
}) {
dishfire = {
cores = 4;
nets = rec {
internet = {
ip4 = rec {
addr = "157.90.232.92";
prefix = "${addr}/32";
};
aliases = [
"dishfire.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.133.99";
ip6.addr = r6 "d15f:1233";
aliases = [
"dishfire.r"
"grafana.lass.r"
"prometheus.lass.r"
"alert.lass.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs
Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7
uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK
R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd
vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U
HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO";
};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; }) (
}; lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") { inherit config krebs lib r6 w6; })
prism = rec { );
cores = 4;
extraZones = {
"krebsco.de" = ''
cache 60 IN A ${nets.internet.ip4.addr}
p 60 IN A ${nets.internet.ip4.addr}
c 60 IN A ${nets.internet.ip4.addr}
paste 60 IN A ${nets.internet.ip4.addr}
prism 60 IN A ${nets.internet.ip4.addr}
social 60 IN A ${nets.internet.ip4.addr}
'';
"lassul.us" = ''
$TTL 3600
@ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr}
IN MX 5 mail.lassul.us.
60 IN TXT "v=spf1 mx -all"
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
confusion 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
ip4 = {
addr = "95.216.1.150";
prefix = "0.0.0.0/0";
};
ip6 = {
addr = "2a01:4f9:2a:1e9::1";
prefix = "2a01:4f9:2a:1e9::/64";
};
aliases = [
"prism.i"
"paste.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.0.103";
ip6.addr = r6 "1";
aliases = [
"prism.r"
"cache.prism.r"
"cgit.prism.r"
"bota.r"
"flix.r"
"jelly.r"
"paste.r"
"c.r"
"p.r"
"search.r"
"radio-news.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo
rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z
ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB
wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio
/jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA
BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C
9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5
Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu
3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH
TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb
g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ
kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg
7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo
7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz
cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451
k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0
dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu
ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i
jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/
AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE
T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "XbBBPg+dtZM1LRN46VAujVKIC6VSo6nFoHo/1unbggO";
};
};
wiregrill = {
via = internet;
ip4.addr = "10.244.1.103";
ip6.addr = w6 "1";
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
subnets = [
(krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
(krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR
"10.244.1.0/24"
];
};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU";
};
mors = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.0.2";
ip6.addr = r6 "dea7";
aliases = [
"mors.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R
+P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+
1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa
9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU
O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "kuh0cP/HjGOQ+NafR3zjmqp+RAnA59F4CgtzENj9/MM";
};
};
wiregrill = {
ip6.addr = w6 "dea7";
aliases = [
"mors.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD";
syncthing.id = "ZPRS57K-YK32ROQ-7A6MRAV-VOYXQ3I-CQCXISZ-C5PCV2A-GSFLG3I-K7UGGAH";
};
shodan = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.0.4";
ip6.addr = r6 "50da";
aliases = [
"shodan.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7
ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF
7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4
xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ
V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "Ptc5VuYkRd5+zHibZwNe3DEgGHHvAk0Ul00dW1YXsrC";
};
};
wiregrill = {
ip6.addr = w6 "50da";
ip4.addr = "10.244.1.4";
aliases = [
"shodan.w"
];
wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
};
icarus = {
cores = 2;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.114";
ip6.addr = r6 "1205";
aliases = [
"icarus.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK
7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t
k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7
zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt
gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "vUc/ynOlNqB7a+sr0BmfdRv0dATtGZTjsU2qL2yGInK";
};
};
wiregrill = {
ip6.addr = w6 "1205";
aliases = [
"icarus.w"
];
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
syncthing.id = "7V75LMM-MIFCAIZ-TAWR3AI-OXONVZR-TEW4GBK-URKPPN4-PQFG653-LGHPDQ4";
};
daedalus = {
cores = 2;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.115";
ip6.addr = r6 "daed";
aliases = [
"daedalus.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8
5hz7go+l3Z7IhTc/HbpGFJ5QJJNFSuSpLfZVyi+cKAUVheTivIniHFIRw37JbJ4+
qWTlVe3uvOiZ0cA9S6LrbzqAUTLbH0JlWj36mvGIPICDr9YSEkIUKbenxjJlIpX8
ECEBm8RU1aq3PUo/cVjmpqircynVJBbRCXZiHoxyLXNmh23d0fCPCabEYWhJhgaR
arkYRls5A14HGMI52F3ehnhED3k0mU8/lb4OzYgk34FjuZGmyRWIfrEKnqL4Uu2w
3pmEvswG1WYG/3+YE80C5OpCE4BUKAzYSwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "ybmNcRLtZ0NxlxIRE3bdc2G4lLXtTGXu+iRaXMTKCNG";
};
};
wiregrill = {
ip6.addr = w6 "daed";
aliases = [
"daedalus.w"
];
wireguard.pubkey = "ZVTTWbJfe8Oq6E6QW1qgXU91FnkuKDGJO3MF3I3gDFI=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5Ovdcsljr5dOl7+2sQNKpGpdX0SlOIuCZKEiWEp8g";
};
skynet = {
cores = 2;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.116";
ip6.addr = r6 "5ce7";
aliases = [
"skynet.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX
Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B
p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0
yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da
NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb
mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "9s7eB16k7eAtHyneffTCmYR7s3mRpJqpVVjSPGaVKKN";
};
};
wiregrill = {
ip6.addr = w6 "5ce7";
aliases = [
"skynet.w"
];
wireguard.pubkey = "pt9a6nP+YPqxnSskcM9NqRmAmFzbO5bE7wzViFFonnU=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t";
syncthing.id = "KWGPAHH-H53Y2WL-SDAUVQE-7PMYRVP-6Q2INYB-FL535EO-HIE7425-ZCNP7A3";
};
littleT = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.133.77";
ip6.addr = r6 "771e";
aliases = [
"littleT.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF
/m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY
1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO
ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G
sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR
M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/
Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT
+cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY
xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c
aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm
7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v
k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B
idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ
y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D
SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i
mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH
PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB
ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5
Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS
8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt
NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW
5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "rDnc4Ha+M6fyN5JU4lkV9NKfMBtIHOcG4/AUB9KodiP";
};
};
wiregrill = {
ip6.addr = w6 "771e";
aliases = [
"littleT.w"
];
wireguard.pubkey = "VfSTPO1XGqLqujAGCov1yA0WxyRXJndZCW5XYkScNXg=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
syncthing.id = "PCDXICO-GMGWKSB-V6CYF3I-LQMZSGV-B7YBJXA-DVO7KXN-TFCSQXW-XY6WNQD";
};
xerxes = {
cores = 2;
consul = false;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.3";
ip6.addr = r6 "3";
aliases = [
"xerxes.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
/EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
+2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
/Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK";
};
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"xerxes.w"
];
wireguard.pubkey = "UTm8B8YUVvBGqwwxAUMVFsVQFQGQ6jbcXAavZ8LxYT8=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM";
};
yellow = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
ip6.addr = r6 "3110";
aliases = [
"yellow.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY
b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU
Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd
OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP
vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6
C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp
Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU
52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg
zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p
DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ
Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "qZBhDSW6ir1/w6lOngg2feCZj9W9AfifEMlKXcOb5QE";
};
};
wiregrill = {
ip6.addr = w6 "3110";
aliases = [
"yellow.w"
];
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
};
blue = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
ip6.addr = r6 "b1ce";
aliases = [
"blue.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc
sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM
wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu
PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ
RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/
HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm
khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP
49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N
w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6
ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J
Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "vf3JzuLpEkjcwZtuJ/0M9Zjfp5ChKXvkORMXsZ4nJKL";
};
};
wiregrill = {
ip6.addr = w6 "b1ce";
aliases = [
"blue.w"
];
wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
syncthing.id = "J2LMIPD-PBEPVKL-A3MN6NQ-KL6DZ4N-K4GGWZB-E2EPLFN-PDLVAOC-DCSZHAD";
};
green = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.66";
ip6.addr = r6 "12ee";
aliases = [
"green.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk
uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx
ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477
n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI
hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6
m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6
BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1
pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy
2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk
UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA
udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT
3MVh92sFyMVYkJcL7SISk80CAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "WfH8ULtWklOFK6htphdSSL46vHn6TkJIhsvK9fK+4+C";
};
};
wiregrill = {
ip6.addr = w6 "12ee";
aliases = [
"green.w"
];
wireguard.pubkey = "lOORkStNJ6iP5ffqjHa/kWOxilJIMW4E6BEtNvNhLGk=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0wqzo7rMkyw6gqTGuUp8aUA0vtwj0HuuaTIkkOnA30 ";
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
};
massulus = {
cores = 1;
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.0.113";
ip6.addr = r6 "113";
aliases = [
"massulus.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt
ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN
ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K
zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3
F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e
v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd
kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF
LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW
EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb
KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl
oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00
yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
port = 1655;
};
};
wiregrill = {
ip6.addr = w6 "113";
aliases = [
"massulus.w"
];
wireguard.pubkey = ''
4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
};
phone = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.13";
ip6.addr = w6 "a";
aliases = [
"phone.w"
];
wireguard.pubkey = "FY4PB8E/RC2JvtLgq/IDyMmZ9Ln6pz6eGyoytmUFMgk=";
};
};
external = true;
ci = false;
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
};
tablet = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.14";
ip6.addr = w6 "b";
aliases = [
"tablet.w"
];
wireguard.pubkey = "eIafsxYEFCqmWNFon6ZsYXeDrK4X1UJ9KD0zmNZjgEI=";
};
};
external = true;
ci = false;
};
hilum = {
consul = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.20.123";
ip6.addr = r6 "005b";
aliases = [
"hilum.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi
V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c
SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh
4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE
saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz
vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY
8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ
wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3
RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh
Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl
87b8jfJNXlKFW+EBxBxN2uECAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "9D50r3DmftSe2L++jPktQRbcCrE4sEazMewgbQbodRH";
};
};
wiregrill = {
ip6.addr = w6 "005b";
aliases = [
"hilum.w"
];
wireguard.pubkey = ''
0DRcCDR0O+UqV07DsGfS4On+6YaZ3LPfvni9u1NZNhw=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPARXXe0HaP1r0pLqtInhnbYSZsP0g4VC6aaWP7qi5+w";
syncthing.id = "J6PHKTS-2JG5NOL-H5ZWOF6-6L6ENA7-L4RO6DV-BQHU7YL-CHOLDCC-S5YX3AC";
};
styx = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.11.1";
ip6.addr = r6 "111";
aliases = [
"styx.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn
ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU
aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE
3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi
6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq
m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn
Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt
EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/
7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao
Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2
6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF
wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "yVT5nQstw+o5P0ZoBK81G7sL6nQEBwg42wyBn6ogZgK";
};
};
wiregrill = {
ip6.addr = w6 "111";
aliases = [
"styx.w"
];
wireguard.pubkey = ''
0BZfd8f0pZMRfyoHrdYZY0cR5zfFvJcS8gQLn6xGuFs=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU ";
syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN";
};
coaxmetal = {
cores = 16;
nets = {
retiolum = {
ip4.addr = "10.243.0.17";
ip6.addr = r6 "17";
aliases = [
"coaxmetal.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA
xCc8CkqpUTYldPdB9KJmcH6OpbQqCcPxGOvRe42NdOfCyy11WjAjUMRGnzMyi4MK
gMEjcrl5CnQd9nF9f8Mom8cuSOVm1j46qY7Trl/MsEKsKHiYAHtLFpHz2+UI+HBU
WbSeDLLA8g79SZq/pqWHfp3YKzqP4p+dmi8j+aOZJWkGu9l+Q40qQrTJQCxYgEek
ODeBFCY3DGfJRn79IFGuhF1/jGiAwF3/1j2Rxlesazl6/Lyvmtioplsqn8J94z32
G5wyGpqn/BcXkJTlWtwb3Rrg6OOALJAqy2H5EoIVT26gwmvkEStMtvgLfAeYjL8F
G2bAtaeQGzwQZNuVJAMI9Qtb+PHw322Wz+P8U669C/HCdGCumMf+M7UDHP79kXOO
IFs1NvkU3z/iO/5bj41v8u0W8+b9NWe++dI8N8q0hWLPgnz5PI998xW06Dul7pAX
K1OMIMfTTGgAZHAF1Kdn1BSXezgwkutwzy5h8XkYclyHB2nPXkXIYmahi1XgWeAE
7B4NmefbS6H8dLOU7yMEWuxmYl41UOybtyrsp1za5wtERpQgzl6EWfIXISEdx1Ly
bmb3SGtB85RyqqCe2O9DzVZCw7mXgN69R5efyEuq3HIIN9udLNrybPNNyD/OlAqo
l/xwDxiSCEsO6yY5lGc0MCMCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "bEGgA5Wupw+Dgh6Ub7V21Y3wOmyspW1rKGrZsVhi3cO";
};
};
wiregrill = {
ip6.addr = w6 "17";
aliases = [
"coaxmetal.w"
];
wireguard.pubkey = ''
lkjR14oOVKl03/0sUzOmddf28ps+v5qRxrbRY03Pg38=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9vAYuTv07c9bOjDJId3ShXJ1qIEuyrjkVYkJn9yMET ";
syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ";
};
echelon = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.3";
ip6.addr = r6 "4";
aliases = [
"echelon.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp
1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A
MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe
UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V
rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez
gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO
c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna
dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze
ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D
KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq
GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr
43jjLL40ONdFxX7qW/DhT9MCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB";
};
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"echelon.w"
];
wireguard.pubkey = ''
SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ";
};
lasspi = {
consul = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.1.89";
ip6.addr = r6 "189";
aliases = [
"lasspi.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1
JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F
CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl
oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P
Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS
BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC
VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8
+Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs
QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP
zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP
6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc
287nChBcbY+HlshTe0lZdrkCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "vSCHU+/BkoCo6lL5OmikALKBWgkRY8JRo4q8ZZRd5EG";
};
};
wiregrill = {
ip6.addr = w6 "189";
aliases = [
"lasspi.w"
];
wireguard.pubkey = ''
IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB";
};
domsen-pixel = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.17";
ip6.addr = w6 "d0";
aliases = [
"domsen-pixel.w"
];
wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY=";
};
};
external = true;
ci = false;
};
};
users = rec { users = rec {
lass = lass-yubikey; lass = lass-yubikey;
lass-yubikey = { lass-yubikey = {
@ -917,6 +38,10 @@ in {
mail = "lass@green.r"; mail = "lass@green.r";
pubkey = builtins.readFile ./ssh/green.ed25519; pubkey = builtins.readFile ./ssh/green.ed25519;
}; };
lass-red = {
mail = "lass@red.r";
pubkey = builtins.readFile ./ssh/red.ed25519;
};
lass-mors = { lass-mors = {
mail = "lass@mors.r"; mail = "lass@mors.r";
pubkey = builtins.readFile ./ssh/mors.rsa; pubkey = builtins.readFile ./ssh/mors.rsa;

40
kartei/lass/dishfire.nix Normal file
View File

@ -0,0 +1,40 @@
{ r6, w6, ... }:
{
nets = rec {
internet = {
ip4 = rec {
addr = "157.90.232.92";
prefix = "${addr}/32";
};
aliases = [
"dishfire.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.133.99";
ip6.addr = r6 "d15f:1233";
aliases = [
"dishfire.r"
"grafana.lass.r"
"prometheus.lass.r"
"alert.lass.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs
Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7
uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK
R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd
vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U
HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO";
};
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
}

View File

@ -0,0 +1,16 @@
{ r6, w6, ... }:
{
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.17";
ip6.addr = w6 "d0";
aliases = [
"domsen-pixel.w"
];
wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY=";
};
};
external = true;
ci = false;
}

42
kartei/lass/echelon.nix Normal file
View File

@ -0,0 +1,42 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.3";
ip6.addr = r6 "4";
aliases = [
"echelon.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp
1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A
MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe
UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V
rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez
gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO
c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna
dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze
ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D
KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq
GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr
43jjLL40ONdFxX7qW/DhT9MCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "LgJ7+/sq7t+Ym/DjJrWesIpUw1Lw7bxPi0XFHtsVWLB";
};
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"echelon.w"
];
wireguard.pubkey = ''
SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ";
}

40
kartei/lass/green.nix Normal file
View File

@ -0,0 +1,40 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.66";
ip6.addr = r6 "12ee";
aliases = [
"green.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk
uoDBjWqhM9Pgq6PJSpJjyNAgMkKJcQnWi0WpELaHISAVqjdPGUQSLiar++JN3YBx
ZQGFiucG0ijVJKAUbQQDYbc+RGK8MGO2v3Bv/6E56UKjxtT1zjjvkyXpSC7FN477
n9IfsvIzH/RLcAP5VnHBYqZ467UR4rqi7T7yWjrEgr+VirY9Opp9LM9YozlbRrlI
hYshk5RET/EvOSwYlw/KJEMMmYHro74neZKIVKoXD3CSE66rncNmdFwD3ZXVxYn6
m3Eob8ojWPW+CpAL2AurUyq4Igem9JVigZiyKGgaYsdkOWgkYLW2M0DXX+vCRcM6
BvJgJn7s0PHkLvybEVveTolRWO+I/IG1LN8m0SvrVPXf5JYHB32nKYwVMLwi+BQ1
pwo0USGByVRv2lWZfy3doKxow0ppilq4DwoT+iqVO4sK5YhPipBHSmCcaxlquHjy
2k1eb0gYisp0LBjHlhTErXtt4RlrUqs/84RfgtIZYUowJfXbtEbyDmLIlESbY7qk
UlXIMXtY0sWpDivWwpdMj9kJdKlS09QTMeLYz4fFGXMksFmLijx8RKDOYfNWL7oA
udmEOHPzYzu/Ex8RfKJjD4GhWLDvDTcyXDG9vmuDNZGcPHANeg23sGhr5Hz37FRT
3MVh92sFyMVYkJcL7SISk80CAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "WfH8ULtWklOFK6htphdSSL46vHn6TkJIhsvK9fK+4+C";
};
};
wiregrill = {
ip6.addr = w6 "12ee";
aliases = [
"green.w"
];
wireguard.pubkey = "lOORkStNJ6iP5ffqjHa/kWOxilJIMW4E6BEtNvNhLGk=";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0wqzo7rMkyw6gqTGuUp8aUA0vtwj0HuuaTIkkOnA30 ";
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
}

43
kartei/lass/hilum.nix Normal file
View File

@ -0,0 +1,43 @@
{ r6, w6, ... }:
{
consul = false;
nets = {
retiolum = {
ip4.addr = "10.243.20.123";
ip6.addr = r6 "005b";
aliases = [
"hilum.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi
V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c
SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh
4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE
saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz
vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY
8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ
wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3
RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh
Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl
87b8jfJNXlKFW+EBxBxN2uECAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "9D50r3DmftSe2L++jPktQRbcCrE4sEazMewgbQbodRH";
};
};
wiregrill = {
ip6.addr = w6 "005b";
aliases = [
"hilum.w"
];
wireguard.pubkey = ''
0DRcCDR0O+UqV07DsGfS4On+6YaZ3LPfvni9u1NZNhw=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPARXXe0HaP1r0pLqtInhnbYSZsP0g4VC6aaWP7qi5+w";
syncthing.id = "J6PHKTS-2JG5NOL-H5ZWOF6-6L6ENA7-L4RO6DV-BQHU7YL-CHOLDCC-S5YX3AC";
}

35
kartei/lass/icarus.nix Normal file
View File

@ -0,0 +1,35 @@
{ r6, w6, ... }:
{
nets = rec {
retiolum = {
ip4.addr = "10.243.133.114";
ip6.addr = r6 "1205";
aliases = [
"icarus.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK
7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t
k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7
zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt
gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "vUc/ynOlNqB7a+sr0BmfdRv0dATtGZTjsU2qL2yGInK";
};
};
wiregrill = {
ip6.addr = w6 "1205";
aliases = [
"icarus.w"
];
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
syncthing.id = "7V75LMM-MIFCAIZ-TAWR3AI-OXONVZR-TEW4GBK-URKPPN4-PQFG653-LGHPDQ4";
}

42
kartei/lass/lasspi.nix Normal file
View File

@ -0,0 +1,42 @@
{ r6, w6, ... }:
{
consul = false;
nets = {
retiolum = {
ip4.addr = "10.243.1.89";
ip6.addr = r6 "189";
aliases = [
"lasspi.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1
JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F
CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl
oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P
Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS
BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC
VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8
+Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs
QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP
zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP
6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc
287nChBcbY+HlshTe0lZdrkCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "vSCHU+/BkoCo6lL5OmikALKBWgkRY8JRo4q8ZZRd5EG";
};
};
wiregrill = {
ip6.addr = w6 "189";
aliases = [
"lasspi.w"
];
wireguard.pubkey = ''
IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB";
}

51
kartei/lass/littleT.nix Normal file
View File

@ -0,0 +1,51 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.133.77";
ip6.addr = r6 "771e";
aliases = [
"littleT.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF
/m2ZWpKDZyKx17GXQwm8n0NgyvcemvoCVGqSHIsbxvLB6aBF6ZLkeKyx1mZioEDY
1MWR+yr42dFn+6uVTxJhLPmOxgX0D3pWe31UycoAMSWf4eAhmFIEFUvQCAW43arO
ni1TFSsaHOCxOaLVd/r7tSO0aT72WbOat84zWccwBZXvpqt/V6/o1MGB28JwZ92G
sBMjsCsoiciSg9aAzMCdjOYdM+RSwHEHI9xMineJgZFAbQqwTvK9axyvleJvgaWR
M9906r/17tlqJ/hZ0IwA6X+OT4w/JNGruy/5phxHvZmDgvXmYD9hf2a6JmjOMPp/
Zn6zYCDYgSYugwJ7GI39GG7f+3Xpmre87O6g6WSaMWCfdOaAeYnj+glP5+YvTLpT
+cdN9HweV27wShRozJAqTGZbD0Nfs+EXd0J/q6kP43lwv6wyZdmXCShPF2NzBlEY
xdtWKhRYKC1cs0Z2nK+XGEyznNzp1f8NC5qvTguj4kDMhoOd6WXwk460HF49Tf/c
aGQTGzgEVMAI7phTJubEmxdBooedvPFamS5wpHTmOt9dZ3qbpCgThaMblVvUu/lm
7pkPgc60Y2RAk/Rvyy5A8AaxBXPRBNwVkM5TY/5TW+S1zY09600ZCC2GE27qGT9v
k4GHabO42n3wTHk+APodzKDBbEazhOp5Oclg4nNKqgg+IrmheB91oEqBXlfyDj8B
idVoUvbH9WPwBqdh7hoqzrHDur5wCFBphrkjEe98o5iFFFi2C8W04H7iqe+nFqvJ
y/vzKk5kbfpjov71EEje+hNUCLTWF7sjgT4Z2z8LuqjpIq+d2i5dASfTqj4VBs6D
SeiHyyAfCHG/03I9E5eizCCd98Tr30yhu3IKsdFFXsVwxHVFenq2Y1ca7uypCk+i
mDC5q5WQFEK/8SSO25i1teWBawfNVVVI/A1b676VJyafS9ebJs8TmXYRbE6rcBzH
PssdHNwbtEwhbGdQhgQ2pqQg1SIZM3zvjcpgzL9QP29tulubJ05keaw/4p/Yg/mB
ivF8EAIefXYYVxYkRQsHox7UQpSCzjOtj7gvc0KdJxshSLuryM0LxP+gk+x6JPX5
Ht8x+oE7iL0cqBsIenc/e0XdTZ+4zrBY5hWbGH8a8VJqEYs54WRJhzQf1jzNaCbS
8328MpRF5lXujv61aveg0i4pvczznlSV7wXmmwNAdhvSUTh34tCpRqabpCJdlRBt
NvVuij6guPKt4XV1TxXNsPCfib1vYjvwX8gUE4UhL69VmM8OBaC3XdroMfNvz9YW
5ObxDGIEiP53Jp8hiWId0AI/XF5Ct3Gh2wIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "rDnc4Ha+M6fyN5JU4lkV9NKfMBtIHOcG4/AUB9KodiP";
};
};
wiregrill = {
ip6.addr = w6 "771e";
aliases = [
"littleT.w"
];
wireguard.pubkey = "VfSTPO1XGqLqujAGCov1yA0WxyRXJndZCW5XYkScNXg=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
syncthing.id = "PCDXICO-GMGWKSB-V6CYF3I-LQMZSGV-B7YBJXA-DVO7KXN-TFCSQXW-XY6WNQD";
}

44
kartei/lass/massulus.nix Normal file
View File

@ -0,0 +1,44 @@
{ r6, w6, ... }:
{
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.0.113";
ip6.addr = r6 "113";
aliases = [
"massulus.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt
ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN
ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K
zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3
F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e
v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd
kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF
LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW
EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb
KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl
oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00
yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
port = 1655;
};
};
wiregrill = {
ip6.addr = w6 "113";
aliases = [
"massulus.w"
];
wireguard.pubkey = ''
4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
syncthing.id = "R2EGJ5S-PQMETUP-C2UGXQG-A6VP7TB-NGSN3MV-C7OGSWT-SZ34L3X-H6IF6AQ";
}

35
kartei/lass/mors.nix Normal file
View File

@ -0,0 +1,35 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.2";
ip6.addr = r6 "dea7";
aliases = [
"mors.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R
+P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+
1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa
9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU
O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "kuh0cP/HjGOQ+NafR3zjmqp+RAnA59F4CgtzENj9/MM";
};
};
wiregrill = {
ip6.addr = w6 "dea7";
aliases = [
"mors.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD";
syncthing.id = "ZPRS57K-YK32ROQ-7A6MRAV-VOYXQ3I-CQCXISZ-C5PCV2A-GSFLG3I-K7UGGAH";
}

38
kartei/lass/neoprism.nix Normal file
View File

@ -0,0 +1,38 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.99";
ip6.addr = r6 "99";
aliases = [
"neoprism.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwQiPQT9XQkeAIMohNhIVH1Er73LS36JQu/bokNSAlgRjiHfmWVQw
hpmI0hO5ewI/HSxVH8MqITTjj8fp5+TOY5rxb3qj9SKGmoDpENw7g7BJsrpydu8+
hdvC4btCibAeTeaNqubPMoJLnwuh7NJ9ucYAcRU24FI6qR/Q973a3rzWYBfPd4w9
+Lq3ltFE4m6eLiL4ruQGR9Fc4HOJshJlUDUovGIC/98Fu468OuCaka4fR/IXD13O
khc5LfAzm2PLuD25YZRjw27Pv3txYOWzb9ZfI8BS+7WUg1nKPDVZErvj97OouqVH
binDgKLdLsamJgi+BrZs9uoxmXK9b459B3J6z4/d8dXTAW/cczqsODzsJnvw8IEE
u45Pm3sY49vmnNsVhDEIPad3ZDitgeWW6UVBR+EJHp+r1TZ8eLaeUTdV6x3zIrHv
dkobgI/0ynujSeMVzXA8cRDuLLVz0CwvNQ9FWzciZw4prOPjUDeSaOlIISOD4q8O
u/jRfaIzPuQNyQN/0B9gUacHOGkQ3sZ33gFt1j6YdfjWnHn2Ddxm99nXfYUo82oC
tEMui/7Vtj5G9dqDCzEacECvKqNVY2MRq5gpX+X5IwSbNc/vmykqhuDB5fzZWXRD
AmRfNCsuFCw3EehPWkdH9JJxysBa52sAB387CL44bJ2rfRglTAKZYNUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "/k2/hpq3XdSKfPPSAolfIx/AUgtKNF6kgv+WRTKtMqG";
};
wiregrill = {
ip6.addr = w6 "99";
aliases = [
"neoprism.w"
];
wireguard.pubkey = ''
lhMJvEZOREjCSS3BbBxel0dJ3Mxjj0m82sUXqyYlUx0=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEljpF/rqA2o9CcZny8Kdg1Ij9JmHsmuS/ii+HS5T7rW ";
}

17
kartei/lass/phone.nix Normal file
View File

@ -0,0 +1,17 @@
{ r6, w6, ... }:
{
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.13";
ip6.addr = w6 "a";
aliases = [
"phone.w"
];
wireguard.pubkey = "FY4PB8E/RC2JvtLgq/IDyMmZ9Ln6pz6eGyoytmUFMgk=";
};
};
external = true;
ci = false;
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
}

123
kartei/lass/prism.nix Normal file
View File

@ -0,0 +1,123 @@
{ config, krebs, r6, w6, ... }:
rec {
extraZones = {
"krebsco.de" = ''
cache 60 IN A ${nets.internet.ip4.addr}
p 60 IN A ${nets.internet.ip4.addr}
c 60 IN A ${nets.internet.ip4.addr}
paste 60 IN A ${nets.internet.ip4.addr}
prism 60 IN A ${nets.internet.ip4.addr}
social 60 IN A ${nets.internet.ip4.addr}
'';
"lassul.us" = ''
$TTL 3600
@ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr}
IN MX 5 mail.lassul.us.
60 IN TXT "v=spf1 mx -all"
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit CNAME ${config.krebs.hosts.prism.nets.internet.ip4.addr}
pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mail 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr}
flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
ip4 = {
addr = "95.216.1.150";
prefix = "0.0.0.0/0";
};
ip6 = {
addr = "2a01:4f9:2a:1e9::1";
prefix = "2a01:4f9:2a:1e9::/64";
};
aliases = [
"prism.i"
"paste.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.0.103";
ip6.addr = r6 "1";
aliases = [
"prism.r"
"cache.prism.r"
"cgit.prism.r"
"bota.r"
"flix.r"
"paste.r"
"c.r"
"p.r"
"search.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo
rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z
ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB
wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio
/jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA
BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C
9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5
Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu
3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH
TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb
g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ
kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg
7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo
7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz
cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451
k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0
dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu
ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i
jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/
AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE
T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "XbBBPg+dtZM1LRN46VAujVKIC6VSo6nFoHo/1unbggO";
};
};
wiregrill = {
via = internet;
ip4.addr = "10.244.1.103";
ip6.addr = w6 "1";
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
subnets = [
(krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
(krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR
"10.244.1.0/24"
];
};
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU";
}

40
kartei/lass/radio.nix Normal file
View File

@ -0,0 +1,40 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.11";
ip6.addr = r6 "4d10";
aliases = [
"radio.r"
"radio-news.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAx08urv4sl22+pLchD6W6kprJ1JZBiG9/MVA50PqYAJmvTpYyDUCR
Dwgt7pR8n/zbbof98QS5D67J5rZPcrLI6PY2bBzlXFFKHZEj2AVwUjUbyvEvQqtf
yJM+AxFy1/CaXmDvYM9UF/Wh6rb/ZeUxFtbaIVfMPox0Zln0THEsOmCWvNzxMvjZ
rjouZGzrH+er3yxJVovxD/JT32COmK0R20DLDoofBdtBkFlB/VkrbxYfX/cWXX1K
WQVJuQ/H1xP9m4c4S8g/nM63rLUBOIkn06TcXyI/mEgRecEUDgC02PNXc5BDgB4A
seXx+BiLC/f6+64KOWODHEEm/iHjCyrOSZtdA2EbPCATfOHrj0EG5Y4V6d1Iw4WP
kiOIQByHMbOzRwm91yd/gM1DTxdy3j5nqaMhCzrM/QeOhSf5FXkWpARawUsChwh+
eCuSZDg218u/NkzCrTvCPTdY1q+MZ5d5qgID4VQrenjBJq4AZxsw74Zd2G2uRWlF
paZ2pSCyAey19A/or2iG10tqNpXJzZy0HNhh7q/gKhQKKTh+ggzgOrRe2ZaxlbEy
P45JQKcR9/WJAohnYQ8uZJ6oin5EsEdVkapdYu60aReRGeyTmq3RLnu3Zn5MR5RH
1r+W03KQcQzmmpE5YrxKSZL6OriXQYEPTa9/mSZT6TEUIvRT8W5jGQ0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "DmiyfmRsWd8Qg6M/ZsAd5lFM+vnkwRTfnMH/jCFwWFF";
};
wiregrill = {
ip6.addr = w6 "4d10";
aliases = [
"radio.w"
];
wireguard.pubkey = ''
iCe1O9qeziw18AlGuFt5tIxm6SIBtNpwO/6OZm9Bn30=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsvyWrMN2lupBmjI8nW+NUSJIDPkr8c90Z4BcuZ7Myi";
syncthing.id = "KMDPLE5-7FBYYXH-PF5LEET-G2AWR33-7XAPZJU-5S3VOB7-ZX5Q74V-PZKI6QN";
}

36
kartei/lass/shodan.nix Normal file
View File

@ -0,0 +1,36 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.4";
ip6.addr = r6 "50da";
aliases = [
"shodan.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
YYZgM2lBkYcDN3/LdGaFFKrQQSGiF90oXA2wFqPuIfycx+1+TENGCzF8pExwbTd7
ROSVnISbghXYDgr3TqkjpPmnM+piFKymMDBGhxWuy1bw1AUfvRzhQwPAvtjB4VvF
7AVN/Z9dAZ/LLmYfYq7fL8V7PzQNvR+f5DP6+Eubx0xCuyuo63bWuGgp3pqKupx4
xsixtMQPuqMBvOUo0SBCCPa9a+6I8dSwqAmKWM5BhmNlNCRDi37mH/m96av7SIiZ
V29hwypVnmLoJEFiDzPMCdiH9wJNpHuHuQIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "Ptc5VuYkRd5+zHibZwNe3DEgGHHvAk0Ul00dW1YXsrC";
};
};
wiregrill = {
ip6.addr = w6 "50da";
ip4.addr = "10.244.1.4";
aliases = [
"shodan.w"
];
wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
}

35
kartei/lass/skynet.nix Normal file
View File

@ -0,0 +1,35 @@
{ r6, w6, ... }:
{
nets = rec {
retiolum = {
ip4.addr = "10.243.133.116";
ip6.addr = r6 "5ce7";
aliases = [
"skynet.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX
Ic457utOSGxTE+90yXXez2DD9llJMMyd+O06lHJ7CxtbJGBNr3jwoUZVCdBuuo5B
p9XfhXU9l9fUsbc1+a/cDjPBhQv8Uqmc6tOX+52H1aqZsa4W50c9Dv5vjsHgxCB0
yiUd2MrKptCQTdmMM9Mf0XWKPPOuwpHpxaomlrpUz07LisFVGGHCflOvj5PAy8Da
NC+AfNgR/76yfuYWcv4NPo9acjD9AIftS2c0tD3szyHBCGaYK/atKzIoBbFbOtMb
mwG3B0X3UdphkqGDGsvT+66Kcv2jnKwL0wIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "9s7eB16k7eAtHyneffTCmYR7s3mRpJqpVVjSPGaVKKN";
};
};
wiregrill = {
ip6.addr = w6 "5ce7";
aliases = [
"skynet.w"
];
wireguard.pubkey = "pt9a6nP+YPqxnSskcM9NqRmAmFzbO5bE7wzViFFonnU=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t";
syncthing.id = "KWGPAHH-H53Y2WL-SDAUVQE-7PMYRVP-6Q2INYB-FL535EO-HIE7425-ZCNP7A3";
}

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp

43
kartei/lass/styx.nix Normal file
View File

@ -0,0 +1,43 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.11.1";
ip6.addr = r6 "111";
aliases = [
"styx.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn
ETYrLu/TJjq5iSQx/JbbonJriMS3X/0+m8JREzeol67svQDuZEXTEg5EfEldxrrU
aZpNmTSmFbj2NLLCIfNBL/oLOvg9ElzhN+f+4jvakfEKi7Y7LekV25VVGrHbOEVE
3G6XWfHx5qO5Vd6kqNWQKD3LG38aZ/Lx9XYDMbujYxPGCtOsabtAz8BKo/RgOZzi
6A/54RFhdecJm0VoQk3iKpp2YqyCN6dLfJVLil4cREs4sW6nDyF4Y4l3dtZdfskq
m/MoZt6fwOjNIKuI9DGdU4/X1hQelnemstzxY5x1XwG52cz+ww0h7pMF2aggsHqn
Vmaq3b0fXrbn066Ybkbhz3UEIU9zKQGYaANGCnXxbvkd5lWbIN60GEXGE3zYJSAt
EH3FLDTGa27fTNgAnbdnSV40KWKN4FM0iY/xrt3aOXfneTP9S2fqzTVEL9vd04C/
7RWvRjvZ7mlAi+kVKSHkOibFVjeo+Z4Pvw5YxCAavrjXCiWj8zP8o3MNWcq/bMao
Uk9zBMXymm8zX43w5LNnhf59oitBjiY/mzZ3NDI9N3szMvJsaUEnhO4Kq1CWtMs2
6/TpEyRSmen1UmNwgKKFx3rELuctwMmNbOLL8cGLotEBhIk7vnZKD7NvLVX7xtOF
wzhy2N6a3ypB4XqM7dBzzAUCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "yVT5nQstw+o5P0ZoBK81G7sL6nQEBwg42wyBn6ogZgK";
weight = null;
};
};
wiregrill = {
ip6.addr = w6 "111";
aliases = [
"styx.w"
];
wireguard.pubkey = ''
0BZfd8f0pZMRfyoHrdYZY0cR5zfFvJcS8gQLn6xGuFs=
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU ";
syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN";
}

16
kartei/lass/tablet.nix Normal file
View File

@ -0,0 +1,16 @@
{ r6, w6, ... }:
{
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.14";
ip6.addr = w6 "b";
aliases = [
"tablet.w"
];
wireguard.pubkey = "eIafsxYEFCqmWNFon6ZsYXeDrK4X1UJ9KD0zmNZjgEI=";
};
};
external = true;
ci = false;
}

52
kartei/lass/xerxes.nix Normal file
View File

@ -0,0 +1,52 @@
{ r6, w6, ... }:
{
consul = false;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.3";
ip6.addr = r6 "3";
aliases = [
"xerxes.r"
];
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
/EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
+2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
/Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK";
};
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"xerxes.w"
];
wireguard.pubkey = "UTm8B8YUVvBGqwwxAUMVFsVQFQGQ6jbcXAavZ8LxYT8=";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM";
}

42
kartei/lass/yellow.nix Normal file
View File

@ -0,0 +1,42 @@
{ r6, w6, ... }:
{
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
ip6.addr = r6 "3110";
aliases = [
"yellow.r"
"jelly.r"
"radar.r"
"sonar.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY
b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU
Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd
OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP
vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6
C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp
Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU
52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg
zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p
DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ
Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "qZBhDSW6ir1/w6lOngg2feCZj9W9AfifEMlKXcOb5QE";
};
};
wiregrill = {
ip6.addr = w6 "3110";
aliases = [
"yellow.w"
];
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
}

View File

@ -58,21 +58,18 @@ with import ../../lib;
in { in {
hosts = mapAttrs hostDefaults { hosts = mapAttrs hostDefaults {
cake = rec { cake = rec {
cores = 4;
ci = false; ci = false;
nets = { nets = {
retiolum.ip4.addr = "10.243.136.236"; retiolum.ip4.addr = "10.243.136.236";
}; };
}; };
crapi = rec { # raspi1 crapi = rec { # raspi1
cores = 1;
ci = false; ci = false;
nets = { nets = {
retiolum.ip4.addr = "10.243.136.237"; retiolum.ip4.addr = "10.243.136.237";
}; };
}; };
firecracker = { firecracker = {
cores = 4;
nets = { nets = {
retiolum.ip4.addr = "10.243.12.12"; retiolum.ip4.addr = "10.243.12.12";
}; };
@ -80,28 +77,24 @@ in {
studio = rec { studio = rec {
ci = false; ci = false;
cores = 4;
nets = { nets = {
retiolum.ip4.addr = "10.243.227.163"; retiolum.ip4.addr = "10.243.227.163";
}; };
}; };
fileleech = rec { fileleech = rec {
ci = false; ci = false;
cores = 4;
nets = { nets = {
retiolum.ip4.addr = "10.243.113.98"; retiolum.ip4.addr = "10.243.113.98";
}; };
}; };
tsp = { tsp = {
ci = true; ci = true;
cores = 1;
nets = { nets = {
retiolum.ip4.addr = "10.243.0.212"; retiolum.ip4.addr = "10.243.0.212";
}; };
}; };
x = { x = {
ci = true; ci = true;
cores = 4;
syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5";
nets = { nets = {
retiolum.ip4.addr = "10.243.0.91"; retiolum.ip4.addr = "10.243.0.91";
@ -113,7 +106,6 @@ in {
}; };
filepimp = rec { filepimp = rec {
ci = false; ci = false;
cores = 1;
nets = { nets = {
retiolum.ip4.addr = "10.243.153.102"; retiolum.ip4.addr = "10.243.153.102";
}; };
@ -121,7 +113,6 @@ in {
omo = rec { omo = rec {
ci = true; ci = true;
cores = 2;
syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK";
nets = { nets = {
retiolum = { retiolum = {
@ -139,7 +130,6 @@ in {
}; };
wbob = rec { wbob = rec {
ci = true; ci = true;
cores = 4;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.214.15"; ip4.addr = "10.243.214.15";
@ -165,7 +155,6 @@ in {
latte.euer IN A ${nets.internet.ip4.addr} latte.euer IN A ${nets.internet.ip4.addr}
''; '';
}; };
cores = 4;
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "178.254.30.202"; ip4.addr = "178.254.30.202";
@ -247,7 +236,6 @@ in {
music.euer IN A ${nets.internet.ip4.addr} music.euer IN A ${nets.internet.ip4.addr}
''; '';
}; };
cores = 8;
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "142.132.189.140"; ip4.addr = "142.132.189.140";
@ -303,7 +291,6 @@ in {
sdev = rec { sdev = rec {
ci = true; ci = true;
cores = 1;
nets = { nets = {
retiolum.ip4.addr = "10.243.83.237"; retiolum.ip4.addr = "10.243.83.237";
}; };
@ -313,7 +300,6 @@ in {
# non-stockholm # non-stockholm
flap = rec { flap = rec {
cores = 1;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
flap IN A ${nets.internet.ip4.addr} flap IN A ${nets.internet.ip4.addr}
@ -333,7 +319,6 @@ in {
}; };
nukular = rec { nukular = rec {
cores = 1;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.231.219"; ip4.addr = "10.243.231.219";
@ -343,17 +328,14 @@ in {
shackdev = rec { # router@shack shackdev = rec { # router@shack
cores = 1;
nets.wiregrill.ip4.addr = "10.244.245.2"; nets.wiregrill.ip4.addr = "10.244.245.2";
}; };
rockit = rec { # router@home rockit = rec { # router@home
cores = 1;
nets.wiregrill.ip4.addr = "10.244.245.3"; nets.wiregrill.ip4.addr = "10.244.245.3";
}; };
senderechner = rec { senderechner = rec {
cores = 2;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.163"; ip4.addr = "10.243.0.163";

View File

@ -507,8 +507,8 @@ in {
nets = rec { nets = rec {
internet = { internet = {
# eva.thalheim.io # eva.thalheim.io
ip4.addr = "131.159.102.4"; ip4.addr = "89.58.27.144";
ip6.addr = "2a09:80c0:102::4"; ip6.addr = "2a03:4000:62:fdb::";
aliases = [ "eva.i" ]; aliases = [ "eva.i" ];
}; };
retiolum = { retiolum = {

View File

@ -43,7 +43,6 @@ in {
}; };
}; };
horisa = { horisa = {
cores = 2;
owner = config.krebs.users.ulrich; # main laptop owner = config.krebs.users.ulrich; # main laptop
nets = { nets = {
retiolum = { retiolum = {
@ -57,7 +56,6 @@ in {
}; };
}; };
hasegateway = { hasegateway = {
cores = 1;
owner = config.krebs.users.hase; owner = config.krebs.users.hase;
nets = { nets = {
#internet = { #internet = {
@ -343,7 +341,6 @@ in {
}; };
}; };
tpsw = { tpsw = {
cores = 2;
owner = config.krebs.users.ciko; # main laptop owner = config.krebs.users.ciko; # main laptop
nets = { nets = {
retiolum = { retiolum = {

View File

@ -1,7 +1,17 @@
with import ../../lib; with import ../../lib;
{ config, ... }: let { config, ... }: {
dns.providers = {
evalHost = hostName: hostConfig: evalSubmodule types.host [ "viljetic.de" = "regfish";
};
hosts =
mapAttrs
(hostName: hostFile: let
hostSource = import hostFile;
hostConfig = getAttr (typeOf hostSource) {
lambda = hostSource { inherit config lib; };
set = hostSource;
};
in evalSubmodule types.host [
hostConfig hostConfig
{ {
name = hostName; name = hostName;
@ -31,340 +41,13 @@ with import ../../lib;
type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey)); type = head (toList (match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
}; };
}) })
]; ])
(mapAttrs'
in { (name: type: {
dns.providers = { name = removeSuffix ".nix" name;
"viljetic.de" = "regfish"; value = ./hosts + "/${name}";
}; })
hosts = mapAttrs evalHost { (readDir ./hosts));
alnus = {
ci = true;
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";
aliases = [
"alnus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP
/4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs
gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+
q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ
rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU
cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K";
};
};
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
};
au = {
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.39";
aliases = [
"au.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
};
bu = {
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";
aliases = [
"bu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
};
};
secure = true;
ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu";
};
hu = {
nets = {
retiolum = {
ip4.addr = "10.243.13.41";
aliases = [
"hu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5
8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO
+D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU
C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe
YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s
Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu";
};
mu = {
ci = true;
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";
aliases = [
"mu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA
g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE
XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4
o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1
QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs
FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
};
ni = {
extraZones = {
"krebsco.de" = ''
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
krebsco.de. 60 IN MX 5 ni
krebsco.de. 60 IN TXT "v=spf1 mx -all"
tv 300 IN NS ni
'';
};
nets = {
internet = {
ip4 = rec {
addr = "188.68.36.196";
prefix = "${addr}/32";
};
ip6 = rec {
addr = "2a03:4000:13:4c::1";
prefix = "${addr}/64";
};
aliases = [
"ni.i"
"cgit.ni.i"
];
ssh.port = 11423;
};
retiolum = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.243.113.223";
aliases = [
"ni.r"
"cgit.ni.r"
"krebs.ni.r"
"search.ni.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12
bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6
Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59
OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im
W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2
NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY
nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv
lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ
9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9
q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF
Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE";
};
wiregrill = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.244.3.1";
wireguard.subnets = [
(krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
];
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
};
nomic = {
ci = true;
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.0.110";
aliases = [
"nomic.r"
"cgit.nomic.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+
qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw
Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu
5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a
OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA
Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
};
wu = {
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.37";
aliases = [
"wu.r"
"cgit.wu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn
M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT
KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4
4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik
AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
querel = {
ci = true;
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";
aliases = [
"querel.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz
2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn
bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x
ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh
iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W
xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk
4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf
aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs
UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E
vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA
J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r";
};
xu = {
binary-cache = {
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
};
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.38";
aliases = [
"xu.r"
"cgit.xu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ
uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX
8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw
mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj
4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63
4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
};
zu = {
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.40";
aliases = [
"zu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
/NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
};
umz = {
nets.wiregrill.ip4.addr = "10.244.3.101";
};
};
sitemap = { sitemap = {
"http://cgit.krebsco.de" = { "http://cgit.krebsco.de" = {
desc = "Git repositories"; desc = "Git repositories";

23
kartei/tv/hosts/alnus.nix Normal file
View File

@ -0,0 +1,23 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";
aliases = [
"alnus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP
/4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs
gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+
q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ
rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU
cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "Td6pRkmSzSGVJll26rULdr6W4U87xsHZ/87NEaglW3K";
};
};
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
}

24
kartei/tv/hosts/au.nix Normal file
View File

@ -0,0 +1,24 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.39";
aliases = [
"au.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
}

24
kartei/tv/hosts/bu.nix Normal file
View File

@ -0,0 +1,24 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";
aliases = [
"bu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
};
};
secure = true;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu";
}

23
kartei/tv/hosts/hu.nix Normal file
View File

@ -0,0 +1,23 @@
{
nets = {
retiolum = {
ip4.addr = "10.243.13.41";
aliases = [
"hu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwj5T9Rejp8zGVrHjqA+OeMvcVpax4VazssnRPSUznUEOdVEeSJL5
8gDBJPtIfxF8iunXr5K7CW036tKvYaGMDwYMOPJZXhFCmU2yUF2g4BcqEhuDdIfO
+D2Pfr4lc9xO90SKOgwJ53qhf5yqeU/WQ3dpCF/n8k4SUmdafTsvh00UrxYpHuTU
C22BRXIKR4r/sCJUitWQSWNdSQUxh3lu7sUPr+6sZyJov+eu8oBVlPgYOv6u9nZe
YhrbCPDKMGPfnQTAtWfHIxNt70Ec5AG6ddQzLeVcM2gP5qi957Fert+C2RNtbz5s
Brbw1bqZ3P+CGzvxVJZtirvR2f3HkidGPQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "PV8Dz9ni2cPXyJGiG5oU0XWdJkUPgrMzDuzHj7kpMzO";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rrf9tvuusYlnSZwUiHS4O+AhrpVZ/6n7peSRKojTc root@hu";
}

23
kartei/tv/hosts/mu.nix Normal file
View File

@ -0,0 +1,23 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";
aliases = [
"mu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApXErmPSn2CO4V25lqxanCGCFgxEAjdzFUiTCCu0IvELEuCc3PqVA
g4ecf8gGwPCbzMW/1txjlgbsQcm87U5enaCwzSv/pa7P9/memV74OhqEVOypFlDE
XeZczqQfNbjoLYl4cKZpTsSZmOgASXaMDrH2N37f50q35C0MQw0HRzaQM5VLrzb4
o87MClS+yPqpvp34QjW+1lqnOKvMkr6mDrmtcAjCOs9Ma16txyfjGVFi8KmYqIs1
QEJmyC9Uocz5zuoSLUghgVRn9yl4+MEw6++akFDwKt/eMkcSq0GPB+3Rz/WLDiBs
FK6BsssQWdwiEWpv6xIl1Fi+s7F0riq2cwIDAQAB
-----END RSA PUBLIC KEY-----
'';
#tinc.pubkey_ed25519 = "cEf/Kq/2Fo70yoIcVmhIp4it9eA7L3GdkgrVE9AWU6C";
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
}

68
kartei/tv/hosts/ni.nix Normal file
View File

@ -0,0 +1,68 @@
{ config, lib, ... }: {
extraZones = {
"krebsco.de" = ''
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
search.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
search.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
krebsco.de. 60 IN MX 5 ni
krebsco.de. 60 IN TXT "v=spf1 mx -all"
tv 300 IN NS ni
'';
};
nets = {
internet = {
ip4 = rec {
addr = "188.68.36.196";
prefix = "${addr}/32";
};
ip6 = rec {
addr = "2a03:4000:13:4c::1";
prefix = "${addr}/64";
};
aliases = [
"ni.i"
"cgit.ni.i"
];
ssh.port = 11423;
};
retiolum = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.243.113.223";
aliases = [
"ni.r"
"cgit.ni.r"
"krebs.ni.r"
"search.ni.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12
bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6
Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59
OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im
W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2
NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY
nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv
lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ
9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9
q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF
Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE";
};
wiregrill = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.244.3.1";
wireguard.subnets = [
(lib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
];
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
}

25
kartei/tv/hosts/nomic.nix Normal file
View File

@ -0,0 +1,25 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.0.110";
aliases = [
"nomic.r"
"cgit.nomic.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+
qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw
Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu
5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a
OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA
Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "sBevGkYkcNKd39yf/Mp0whnsWIJfTGxSU1lbqN305nP";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
}

View File

@ -0,0 +1,27 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";
aliases = [
"querel.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEArv9eB8acpUhJwRaLY9kGeM7DEPvInVvoduEbec10p4Y2PFx2MjSz
2OhyxFRkONC4EMV9oVTKD+NRtpbRGZGLYD8ZPB622SvccgB0XnL6ZZfie1feSgrn
bPyVnX8EnEgtx9IQckHyaxWgtyrluJnY2CbLkCYgD+50KFT12rdHyAa3+QoYU65x
ACQo28i9xIpsl6dm7iWBb+ecHc7fST35OqWywtVxSpHPe1nvwaYm1p3rqqtkCGVh
iXE5ruAscri7Dskc5dGR1p7LquhBaebuylH6sfRKA6kre05+/IkXi+JLeAmAtJ+W
xezYlecEvxhguql9ZmSYAYkR4KknZb56KtvCnm29o0evvEpsaYcbtgq1D0JhoGyk
4DixS5e+5dg470icVKxPfz1AzejxrTUTtMlI28qjAIx1FcmCBGM+T6yHs/MhNGbf
aqUmN+FwtsJ2QWFYqu9zjxxyAfrAw+gqHm0LnsKK1ttwF/2fYCTRLowY+ItB3axs
UVq7DQxyunyYalKGX2RSJ5BHczREHrfgX43HCSlcAuMuow9jHLOjzul0A49rSZ9E
vOPqbjrki0KEEQj0HN3Ax4UVqZ6mPWaTQzuup+bPQ/2Sjkx6COzMSAPmKo4l6DkA
J++ZonpnOCUkwCeCU6qJgMuHeXn0uh117Ypj/3J9eKYMO/RTSs3x8l0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFM2GdL9yOjSBmYBE07ClywNOADc/zxqXwZuWd7Mael root@querel.r";
}

3
kartei/tv/hosts/umz.nix Normal file
View File

@ -0,0 +1,3 @@
{
nets.wiregrill.ip4.addr = "10.244.3.101";
}

25
kartei/tv/hosts/wu.nix Normal file
View File

@ -0,0 +1,25 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.37";
aliases = [
"wu.r"
"cgit.wu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn
M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT
KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4
4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik
AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "urVOEGxTkBedkpszPH0XRCRMk+Fc2U9IneYMFDqGoIB";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
}

28
kartei/tv/hosts/xu.nix Normal file
View File

@ -0,0 +1,28 @@
{
binary-cache = {
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
};
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.38";
aliases = [
"xu.r"
"cgit.xu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAl3l7IWbfbkVgaJFM3s9g2UCh2rmqoTba16Of7NNWMj05L/hIkUsQ
uc43/QzidWh/4gEaq5MQ7JpLyzVBQYRJkNlPRF/Z07KdLBskAZCjDYdYue9BrziX
8s2Irs2+FNbCK2LqtrPhbcXQJvixsk6vjl2OBpWTDUcDEsk+D1YQilxdtyUzCUkw
mmRo/mzNsLZsYlSgZ6El/ZLkRdtexAzGxJ0DrukpDR0uqXXkp7jUaxRCZ+Cwanvj
4I1Hu5aHzWB7KJ1SIvpX3a4f+mun1gh3TPqWP5PUqJok1PSuScz6P2UGaLZZyH63
4o+9nGJPuzb9bpMVRaVGtKXd39jwY7mbqwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "xYgYM9rXS73RFKUHF3ekQWhcWzuBLOPYG2bimhpH2pM";
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
}

23
kartei/tv/hosts/zu.nix Normal file
View File

@ -0,0 +1,23 @@
{
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.13.40";
aliases = [
"zu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAti6y+Qkz80oay6H2+ANROWdH4aJS54ST8VhFxRB3WdnlDFG/9t6d
idU87uxW5Xmfm6nvpO0OPhG4E3+UI7KtWP71nnducpLV6gfob4f2xNGVG435CJ6u
BgorbneUbJEfr4Bb0xd46X2BtLqi5/vUY3M5KMGE2sMdyL2/7oujEI8zQJCse95a
OhDZdF2bCDEixCHahNprkQrD8t1lNYoLR2qtDZ5psIh5vgdp0WOOMGvUkCDkNjWj
/NKaRXPhUVRDLRFEzMZhtFtSHzaofzrhGFoU1rGZwc/XopqpiFi0D7L++TiNqKAk
b9cXwDAI50f8dJagPYtIupjN5bmo+QhXcQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNjHxyUC7afNGSwfwBfQizmDnHTNLWDRHE8SY9W4oiw2lPhCFGTN8Jz84CKtnABbZhbNY1E8T58emF2h45WzDg/OGi8DPAk4VsXSkIhyvAto+nkTy2L4atjqfvXDvqxTDC9sui+t8p5OqOK+sghe4kiy+Vx1jhnjSnkQsx9Kocu24BYTkNqYxG7uwOz6t262XYNwMn13Y2K/yygDR3Uw3wTnEjpaYnObRxxJS3iTECDzgixiQ6ewXwYNggpzO/+EfW1BTz5vmuEVf4GbQ9iEc7IsVXHhR+N0boCscvSgae9KW9MBun0A2veRFXNkkfBEMfzelz+S63oeVfelkBq6N5aLsHYYGC4VQjimScelHYVwxR7O4fV+NttJaFF7H06FJeFzPt3NYZeoPKealD5y2Muh1UnewpmkMgza9hQ9EmI4/G1fMowqeMq0U6Hu0QMDUAagyalizN97AfsllY2cs0qLNg7+zHMPwc5RgLzs73oPUsF3umz0O42I5p5733vveUlWi5IZeI8CA1ZKdpwyMXXNhIOHs8u+yGsOLfSy3RgjVKp2GjN4lfnFd0LI+p7iEsEWDRkIAvGCOFepsebyVpBjGP+Kqs10bPGpk5dMcyn9iBJejoz9ka+H9+JAG04LnXwt6Rf1CRV3VRCRX1ayZEjRv9czV7U9ZpuFQcIlVRJQ== root@zu";
}

View File

@ -8,7 +8,6 @@
]; ];
krebs.hosts.minimal = { krebs.hosts.minimal = {
cores = 1;
secure = false; secure = false;
}; };

View File

@ -53,6 +53,7 @@ with import <stockholm/lib>;
config.krebs.users.lass-mors.pubkey config.krebs.users.lass-mors.pubkey
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey config.krebs.users.tv.pubkey
config.krebs.users.kmein.pubkey
]; ];
# The NixOS release to be compatible with for stateful data such as databases. # The NixOS release to be compatible with for stateful data such as databases.

View File

@ -8,6 +8,7 @@
services.ergochat = { services.ergochat = {
enable = true; enable = true;
settings = { settings = {
server.name = "irc.r";
server.secure-nets = [ server.secure-nets = [
"42::0/16" "42::0/16"
"10.240.0.0/12" "10.240.0.0/12"

View File

@ -146,7 +146,7 @@ let
command = 1; command = 1;
arguments = [2]; arguments = [2];
env.TASKDATA = "${stateDir}/${name}"; env.TASKDATA = "${stateDir}/${name}";
commands = { commands = rec {
add.filename = pkgs.writeDash "${name}-task-add" '' add.filename = pkgs.writeDash "${name}-task-add" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1"
''; '';
@ -159,6 +159,7 @@ let
delete.filename = pkgs.writeDash "${name}-task-delete" '' delete.filename = pkgs.writeDash "${name}-task-delete" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1"
''; '';
del = delete;
done.filename = pkgs.writeDash "${name}-task-done" '' done.filename = pkgs.writeDash "${name}-task-done" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1"
''; '';

View File

@ -7,6 +7,7 @@ let
out = { out = {
imports = [ imports = [
../../kartei ../../kartei
../../submodules/disko/module.nix
./acl.nix ./acl.nix
./airdcpp.nix ./airdcpp.nix
./announce-activation.nix ./announce-activation.nix

View File

@ -108,7 +108,7 @@ let
}; };
imp = { imp = {
krebs.systemd.services.exim = {}; krebs.systemd.services.exim.restartIfCredentialsChange = true;
systemd.services.exim.serviceConfig.LoadCredential = systemd.services.exim.serviceConfig.LoadCredential =
map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
krebs.exim = { krebs.exim = {

View File

@ -43,10 +43,6 @@ let
target = mkOption { target = mkOption {
type = str; type = str;
}; };
precedence = mkOption {
type = int;
default = 0;
};
v4 = mkOption { v4 = mkOption {
type = bool; type = bool;
default = true; default = true;
@ -145,13 +141,11 @@ let
buildChain = tn: cn: buildChain = tn: cn:
let let
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in in
#TODO: double check should be unneccessary, refactor! #TODO: double check should be unneccessary, refactor!
if ts.${tn}.${cn}.rules or null != null then if ts.${tn}.${cn}.rules or null != null then
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map (buildRule tn cn) sortedRules ++ map (buildRule tn cn) filteredRules
) )
else else
"" ""

View File

@ -159,7 +159,9 @@ let
) cfg.repos; ) cfg.repos;
krebs.systemd.services = mapAttrs' (name: _: krebs.systemd.services = mapAttrs' (name: _:
nameValuePair "repo-sync-${name}" {} nameValuePair "repo-sync-${name}" {
restartIfCredentialsChange = true;
}
) cfg.repos; ) cfg.repos;
systemd.services = mapAttrs' (name: repo: systemd.services = mapAttrs' (name: repo:

View File

@ -3,14 +3,28 @@
body.options.krebs.systemd.services = lib.mkOption { body.options.krebs.systemd.services = lib.mkOption {
default = {}; default = {};
type = lib.types.attrsOf (lib.types.submodule { type = lib.types.attrsOf (lib.types.submodule (cfg_: let
serviceName = cfg_.config._module.args.name;
cfg = config.systemd.services.${serviceName} // cfg_.config;
in {
options = { options = {
credentialPaths = lib.mkOption {
default =
lib.sort
lib.lessThan
(lib.filter
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(lib.toList cfg.serviceConfig.LoadCredential)));
readOnly = true;
};
credentialUnitName = lib.mkOption {
default = "trigger-${lib.systemd.encodeName serviceName}";
readOnly = true;
};
restartIfCredentialsChange = lib.mkOption { restartIfCredentialsChange = lib.mkOption {
# Enabling this by default only makes sense here as the user already default = false;
# bothered to write down krebs.systemd.services.* = {}. If this
# functionality gets upstreamed to systemd.services, restarting
# should be disabled by default.
default = true;
description = '' description = ''
Whether to restart the service whenever any of its credentials Whether to restart the service whenever any of its credentials
change. Only credentials with an absolute path in LoadCredential= change. Only credentials with an absolute path in LoadCredential=
@ -19,30 +33,40 @@
type = lib.types.bool; type = lib.types.bool;
}; };
}; };
}); }));
}; };
body.config = { body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
systemd.paths = lib.mapAttrs' (serviceName: _: paths.${cfg.credentialUnitName} = {
lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged = pathConfig.PathChanged = cfg.credentialPaths;
lib.filter };
lib.types.absolute-pathname.check services.${cfg.credentialUnitName} = {
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(lib.toList
config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
}
) config.krebs.systemd.services;
systemd.services = lib.mapAttrs' (serviceName: cfg:
lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}"; StateDirectory = "credentials";
ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
set -efu
PATH=${lib.makeBinPath [
pkgs.coreutils
pkgs.diffutils
pkgs.systemd
]}
cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
trap 'rm -f "$tmpfile"' EXIT
sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
exit
fi
mv "$tmpfile" "$cache"
systemctl restart ${lib.shell.escape serviceName}
'';
}; };
}
) config.krebs.systemd.services;
}; };
}) config.krebs.systemd.services);
} }

View File

@ -232,6 +232,7 @@ with import <stockholm/lib>;
) config.krebs.tinc; ) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: { krebs.systemd.services = mapAttrs (netname: cfg: {
restartIfCredentialsChange = true;
}) config.krebs.tinc; }) config.krebs.tinc;
systemd.services = mapAttrs (netname: cfg: { systemd.services = mapAttrs (netname: cfg: {

View File

@ -23,7 +23,6 @@ pkgs.writers.writeDashBin "generate-secrets" ''
cat <<EOF cat <<EOF
$HOSTNAME = { $HOSTNAME = {
cores = 1;
owner = config.krebs.users.krebs; owner = config.krebs.users.krebs;
nets = { nets = {
retiolum = { retiolum = {

View File

@ -0,0 +1,24 @@
{ pkgs, stdenv }:
stdenv.mkDerivation rec {
pname = "git-assembler";
version = "1.3";
src = pkgs.fetchFromGitLab {
owner = "wavexx";
repo = "git-assembler";
rev = "v${version}";
hash = "sha256-A+ygt6Fxiu6EkVoQU5L1rhxu2e1HU0nbqJFzLzXzHBo=";
};
buildInputs = [
pkgs.python3
];
buildPhase = ":";
installPhase = ''
mkdir -p $out/bin
cp git-assembler $out/bin
'';
}

View File

@ -16,7 +16,7 @@
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/prism-mounts/samba.nix> <stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>

View File

@ -57,7 +57,7 @@ with import <stockholm/lib>;
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
]; ];
# workaround for ssh access from yubikey via android # workaround for ssh access from yubikey via android

View File

@ -41,6 +41,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ppp/umts-stick.nix> <stockholm/lass/2configs/ppp/umts-stick.nix>
# <stockholm/lass/2configs/remote-builder/morpheus.nix> # <stockholm/lass/2configs/remote-builder/morpheus.nix>
# <stockholm/lass/2configs/remote-builder/prism.nix> # <stockholm/lass/2configs/remote-builder/prism.nix>
<stockholm/lass/2configs/autotether.nix>
{ {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain #risk of rain

View File

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
# sync-containers
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/yellow-host.nix>
<stockholm/lass/2configs/radio/container-host.nix>
# other containers
<stockholm/lass/2configs/riot.nix>
];
krebs.build.host = config.krebs.hosts.neoprism;
}

View File

@ -0,0 +1,116 @@
{ lib, ... }:
{
disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: {
type = "disk";
device = disk;
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
type = "partition";
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
}
{
type = "partition";
name = "ESP";
start = "1M";
end = "1GiB";
fs-type = "fat32";
bootable = true;
content = {
type = "mdraid";
name = "boot";
};
}
{
type = "partition";
name = "zfs";
start = "1GiB";
end = "100%";
content = {
type = "zfs";
pool = "zroot";
};
}
];
};
})) // {
hdd1 = {
type = "disk";
device = "/dev/sda";
content = {
type = "zfs";
pool = "tank";
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
};
zpool = {
zroot = {
type = "zpool";
mode = "mirror";
mountpoint = "/";
rootFsOptions = {
};
datasets.reserved = {
zfs_type = "filesystem";
options.refreservation = "1G";
};
};
tank = {
type = "zpool";
datasets = {
reserved = {
zfs_type = "filesystem";
options.refreservation = "1G";
};
containers = {
zfs_type = "filesystem";
mountpoint = "/var/lib/containers";
};
home = {
zfs_type = "filesystem";
mountpoint = "/home";
};
srv = {
zfs_type = "filesystem";
mountpoint = "/srv";
};
libvirt = {
zfs_type = "filesystem";
mountpoint = "/var/lib/libvirt";
};
# encrypted = {
# zfs_type = "filesystem";
# options = {
# mountpoint = "none";
# encryption = "aes-256-gcm";
# keyformat = "passphrase";
# keylocation = "prompt";
# };
# };
# "encrypted/download" = {
# zfs_type = "filesystem";
# mountpoint = "/var/download";
# };
};
};
};
}

View File

@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
disko.devices = import ./disk.nix;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# networking config
boot.kernelParams = [ "net.ifnames=0" ];
networking.bridges."ext-br".interfaces = [ "eth0" ];
networking = {
hostId = "2283aaae";
defaultGateway = "95.217.192.1";
defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.ext-br.ipv4.addresses = [
{
address = "95.217.192.59";
prefixLength = 26;
}
];
interfaces.ext-br.ipv6.addresses = [
{
address = "2a01:4f9:4a:4f1a::1";
prefixLength = 64;
}
];
};
}

View File

@ -33,9 +33,9 @@ with import <stockholm/lib>;
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
]; ];
}; };
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
]; ];
} }
{ {
@ -97,9 +97,35 @@ with import <stockholm/lib>;
localAddress = "10.233.2.2"; localAddress = "10.233.2.2";
}; };
} }
{
services.nginx.virtualHosts."radio.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/" = {
# recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://radio.r";
extraConfig = ''
proxy_set_header Host radio.r;
# get source ip for weather reports
proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
'';
};
};
krebs.htgen.radio-redirect = {
port = 8000;
scriptFile = pkgs.writers.writeDash "redir" ''
printf 'HTTP/1.1 301 Moved Permanently\r\n'
printf "Location: http://radio.lassul.us''${Request_URI}\r\n"
printf '\r\n'
'';
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/exim-smarthost.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix> <stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/radio>
<stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/paste.nix>
@ -227,13 +253,13 @@ with import <stockholm/lib>;
imports = [ imports = [
<stockholm/lass/2configs/wiregrill.nix> <stockholm/lass/2configs/wiregrill.nix>
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
@ -252,7 +278,7 @@ with import <stockholm/lib>;
} }
{ {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
]; ];
} }
<stockholm/lass/2configs/murmur.nix> <stockholm/lass/2configs/murmur.nix>

View File

@ -0,0 +1,24 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/radio>
];
krebs.build.host = config.krebs.hosts.radio;
security.acme = {
acceptTerms = true;
defaults.email = "acme@lassul.us";
};
lass.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt";
};
}

View File

@ -0,0 +1,7 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = true;
}

View File

@ -16,7 +16,7 @@
<stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/green-host.nix>
<stockholm/krebs/2configs/news-host.nix> <stockholm/krebs/2configs/news-host.nix>
<stockholm/lass/2configs/prism-mounts/samba.nix> <stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/red-host.nix> <stockholm/lass/2configs/red-host.nix>

View File

@ -9,20 +9,23 @@ in {
krebs.build.host = config.krebs.hosts.yellow; krebs.build.host = config.krebs.hosts.yellow;
lass.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
};
users.groups.download.members = [ "transmission" ]; users.groups.download.members = [ "transmission" ];
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
networking.useNetworkd = true; networking.useNetworkd = true;
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
services.transmission = { services.transmission = {
enable = true; enable = true;
home = "/var/state/transmission";
group = "download"; group = "download";
downloadDirPermissions = "775"; downloadDirPermissions = "775";
settings = { settings = {
download-dir = "/var/download/finished"; download-dir = "/var/download/transmission";
incomplete-dir = "/var/download/incoming"; incomplete-dir-enabled = false;
incomplete-dir-enable = true;
rpc-bind-address = "::"; rpc-bind-address = "::";
message-level = 1; message-level = 1;
umask = 18; umask = 18;
@ -31,6 +34,12 @@ in {
}; };
}; };
security.acme.defaults.email = "spam@krebsco.de";
security.acme.acceptTerms = true;
security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.nginx.override { package = pkgs.nginx.override {
@ -38,13 +47,12 @@ in {
fancyindex fancyindex
]; ];
}; };
virtualHosts.default = { virtualHosts."yellow.r" = {
default = true; default = true;
locations."/dl".extraConfig = '' enableACME = true;
return 301 /; addSSL = true;
'';
locations."/" = { locations."/" = {
root = "/var/download/finished"; root = "/var/download";
extraConfig = '' extraConfig = ''
fancyindex on; fancyindex on;
fancyindex_footer "/fancy.html"; fancyindex_footer "/fancy.html";
@ -136,9 +144,87 @@ in {
''}; ''};
''; '';
}; };
virtualHosts."jelly.r" = {
enableACME = true;
addSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:8096/;
proxy_set_header Accept-Encoding "";
'';
};
virtualHosts."radar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:7878";
};
};
virtualHosts."sonar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:8989";
};
};
}; };
systemd.services.bruellwuerfel = { services.samba = {
enable = true;
enableNmbd = false;
extraConfig = ''
workgroup = WORKGROUP
server string = ${config.networking.hostName}
# only allow retiolum addresses
hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
# No NetBIOS is needed
disable netbios = true
# Only mangle non-valid NTFS names, don't care about DOS support
mangled names = illegal
# Performance optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
# Disable all printing
load printers = false
disable spoolss = true
printcap name = /dev/null
map to guest = Bad User
max log size = 50
dns proxy = no
security = user
[global]
syslog only = yes
'';
shares.public = {
comment = "Warez";
path = "/var/download";
public = "yes";
"only guest" = "yes";
"create mask" = "0644";
"directory mask" = "2777";
writable = "no";
printable = "no";
};
};
systemd.services.bruellwuerfel =
let
bruellwuerfelSrc = pkgs.fetchFromGitHub {
owner = "krebs";
repo = "bruellwuerfel";
rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015";
sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd";
};
in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = { environment = {
IRC_CHANNEL = "#flix"; IRC_CHANNEL = "#flix";
@ -147,7 +233,7 @@ in {
IRC_HISTORY_FILE = "/tmp/bruelli.history"; IRC_HISTORY_FILE = "/tmp/bruelli.history";
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.bruellwuerfel}/bin/bruellwuerfel"; ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts";
}; };
}; };
@ -155,15 +241,36 @@ in {
enable = true; enable = true;
tables.filter.INPUT.rules = [ tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr
{ predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr
{ predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr
{ predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
]; ];
tables.filter.OUTPUT = { tables.filter.OUTPUT = {
policy = "DROP"; policy = "DROP";
rules = [ rules = [
{ predicate = "-o lo"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
{ predicate = "-o tun0"; target = "ACCEPT"; } { predicate = "-o tun0"; target = "ACCEPT"; }
{ predicate = "-o retiolum"; target = "ACCEPT"; } { predicate = "-o retiolum"; target = "ACCEPT"; }
@ -271,7 +378,7 @@ in {
ExecStart = pkgs.writers.writeDash "flix-index" '' ExecStart = pkgs.writers.writeDash "flix-index" ''
set -efu set -efu
DIR=/var/download/finished DIR=/var/download
cd "$DIR" cd "$DIR"
while inotifywait -rq -e create -e move -e delete "$DIR"; do while inotifywait -rq -e create -e move -e delete "$DIR"; do
find . -type f > "$DIR"/index.tmp find . -type f > "$DIR"/index.tmp
@ -286,9 +393,22 @@ in {
group = "download"; group = "download";
}; };
services.magnetico = { services.radarr = {
enable = true; enable = true;
web.address = "0.0.0.0"; group = "download";
web.port = 9092; };
services.sonarr = {
enable = true;
group = "download";
};
services.prowlarr = {
enable = true;
};
services.bazarr = {
enable = true;
group = "download";
}; };
} }

View File

@ -68,8 +68,8 @@ in {
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about? #TODO find out what this is about?

View File

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
systemd.services.usb_tether = {
script = ''
${pkgs.android-tools}/bin/adb -s QV770FAMEK wait-for-device
${pkgs.android-tools}/bin/adb -s QV770FAMEK shell svc usb setFunctions rndis
'';
};
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="fce/320d/510", TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
'';
systemd.network.networks.android = {
matchConfig.Name = "enp0s20u1";
DHCP = "yes";
};
}

View File

@ -1,97 +1,115 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import <stockholm/lib>) genid;
in { in {
users.extraUsers = {
cbasevpn = rec {
name = "cbasevpn";
uid = genid "cbasevpn";
description = "user for running c-base openvpn";
home = "/home/${name}";
};
};
users.extraGroups.cbasevpn.gid = genid "cbasevpn";
environment.systemPackages = [ environment.systemPackages = [
pkgs.cifs-utils pkgs.cifs-utils
]; ];
services.openvpn.servers = { systemd.network.networks.c-base = {
c-base = { matchConfig.Name = "c-base";
networkConfig = {
IgnoreCarrierLoss = "3s";
KeepConfiguration = "static";
DNS = "10.0.1.254";
Domains = "cbrp3.c-base.org";
};
routes = [
{ routeConfig = {
Destination = "10.0.1.0/24";
Gateway = "172.31.77.1";
};}
{ routeConfig = {
Destination = "91.102.9.99/32"; # vorstand.c-base.org
Gateway = "172.31.77.1";
};}
];
};
services.openvpn.servers.c-base = {
config = '' config = ''
client
dev tap
proto tcp
remote vpn.ext.c-base.org 1194 remote vpn.ext.c-base.org 1194
verify-x509-name vpn.ext.c-base.org name
client
proto udp
dev-type tun
dev c-base
resolv-retry infinite resolv-retry infinite
nobind nobind
user cbasevpn # user openvpn
group cbasevpn # group openvpn
persist-key persist-key
persist-tun persist-tun
auth-nocache
#auth-user-pass
auth-user-pass ${toString <secrets/cbase.txt>}
comp-lzo comp-lzo
verb 3 # register-dns
# block-outside-dns
#script-security 2 script-security 2
#up /etc/openvpn/update-resolv-conf auth-user-pass ${toString <secrets/cbase.txt>}
#down /etc/openvpn/update-resolv-conf #auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDUjCCArugAwIBAgIJAOOk8EXgjsf5MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
BAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZj
LWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJ
ARYQYWRtYXhAYy1iYXNlLm9yZzAeFw0wOTAyMTMwOTE1MzdaFw0xOTAyMTEwOTE1
MzdaMHoxCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGlu
MQ8wDQYDVQQKEwZjLWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEf
MB0GCSqGSIb3DQEJARYQYWRtYXhAYy1iYXNlLm9yZzCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAt3wEgXbqFKxs8z/E4rv13hkRi6J+QdshNzntm7rTOmUsXKE7
IEwoJSglrmsDPv4UqE86A7bjW7YYSFjhzxFRkTEHJanyOCF48ZPItVl7Eq7T81co
uR+6lAhxnLDrwnPJCC83NzAa6lw8U1DsQRDkayKlrQrtZq6++pFFEvZvt1cCAwEA
AaOB3zCB3DAdBgNVHQ4EFgQUqkSbdXS90+HtqXDeAI+PcyTSSHEwgawGA1UdIwSB
pDCBoYAUqkSbdXS90+HtqXDeAI+PcyTSSHGhfqR8MHoxCzAJBgNVBAYTAkRFMQsw
CQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZjLWJhc2UxGzAZ
BgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhA
Yy1iYXNlLm9yZ4IJAOOk8EXgjsf5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAOBANG1H4uEEWk3sbeQoSMeA3LFG1+6MgFGk2WAdeHYuV9GKYBq6/PLP5
ffw+FNkiDjLSeSQO88vHYJr2V1v8n/ZoCIT+1VBcDWXTpGz0YxDI1iBauO3tUPzK
wGs46RA/S0YwiZw64MaUHd88ZVadjKy9kNoO3w6/vpAS6s/Mh+o=
-----END CERTIFICATE-----
</ca>
key-direction 1 key-direction 1
<tls-auth> <tls-auth>
# #
# 2048 bit OpenVPN static key # 2048 bit OpenVPN static key
# #
-----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
5d49aa8c9cec18de7ab6e0b5cd09a368 54a66ed1048bed7508703347e89d68d6
d3f1b8b77e055e448804fa0e14f487cb 5586e6a5d1218cf8675941031d540be6
491681742f96b54a23fb8639aa9ed14e 993e07200a16ad3b770b659932ee71e5
c40b86a5546b888c4f3873f23c956e87 f8080b5c9fa2acb3893abd40fad2552c
169076ec869127ffc85353fd5928871c fdaf17565e617ae450efcccf5652dca5
da19776b79f723abb366fae6cdfe4ad6 a16419509024b075941098731eb25ac0
7ef667b7d05a7b78dfd5ea1d2da276dc a64f963ece3dca1d2a64a9c5e17839d7
5f6c82313fe9c1178c7256b8d1d081b0 5b5080165a9b2dc90ef111879d7d3173
4c80bc8f21add61fbc52c158579edc1d 2d1027ae42d869394aca08da4472a9d0
bbde230afb9d0e531624ce289a17098a 6b724b4ed43a957feef7d6dfc86da241
3261f9144a9a2a6f0da4250c9eed4086 74828fa0e1240941586f0d937cac32fc
187ec6fa757a454de743a349e32af193 13cc81e7bed58817353d6afaff7e6a26
e9f8b49b010014bdfb3240d992f2f234 4f9cc086af79c1cdca660d86e18cff96
581d0ce05d4e07a2b588ad9b0555b704 69dd3d392caf09a468894a8504f4cc7c
9d5edc28efde59226ec8942feed690a1 7ae0072e6d9ad90b166ad13a39c57b3c
2acd0c8bc9424d6074d0d495391023b6 3a869e27a1d89deb161c255227551713
-----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
</tls-auth> </tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIGsDCCBJigAwIBAgIJAPkM1l2zA306MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
VQQGEwJERTEPMA0GA1UEBxMGQmVybGluMRswGQYDVQQLExJ2cG4uZXh0LmMtYmFz
ZS5vcmcxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEbMBkGA1UEKRMSdnBu
LmV4dC5jLWJhc2Uub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1heEBjLWJhc2Uub3Jn
MB4XDTE2MDcwOTE4MjkyMFoXDTI2MDcxMDE4MjkyMFowgZYxCzAJBgNVBAYTAkRF
MQ8wDQYDVQQHEwZCZXJsaW4xGzAZBgNVBAsTEnZwbi5leHQuYy1iYXNlLm9yZzEb
MBkGA1UEAxMSdnBuLmV4dC5jLWJhc2Uub3JnMRswGQYDVQQpExJ2cG4uZXh0LmMt
YmFzZS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWF4QGMtYmFzZS5vcmcwggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXEs+uWCXLNmm+lgP9x7u3FqWa4pPI
h64c6EWIULMATrhEw+Ej4fpCXwU9otFaO04fAeJmZGkDcnAYdBDiCeI0luOSdj44
Bg9KecSei/TskqjhDVnEBp65hiz0rZE6c1baPdLYmD5xrXWb3i0zrlBYFawuL6C2
lwVCEm3cadvkDJ2DleMuu3NblV8ViIDN0HZqzJNP72g1I0MgohkpetACXlf7MzQV
PFHfzvb04Rj2lJ8BDhceQ0WmjtVV/Ag6nka5oi954OeHMujRuH+rZYiQZDZpJLHK
Kh1KWTVlWPRy+AvCi9lweDWSmLccq7Ug4xMtDF4I5qW3tjCd0xqpZ21Xmo2JyKtY
4h8wEDPqiJvgwvkXsH17GLn5ZxiMcQuRJQYZqJephkzR9uccJeWSS76kwm/vLqG3
+eORlYnyjiNXtiMIhmAEFjpWUrGH8v4CijpUNP6E63ynGrRVXK684YQXkqL+xPAt
t6dsMBUwf94a2S1o2kgvuRCim1wlHvf1QsHrO/Hwgpzc8no/daWL+Z9Rq9okTHNK
nc1G5dv8TkmxIDYnLm07QMzzBoOT36BcGtkEBA+0xhQlX5PyQdM5/jnZVhdSBmoP
MbZXPoU/gJAIuuBuwdTlgCzYf44/9/YU/AnW8eLrbhm9KtMtoMpatrWorKqk/GPv
/lGNRQuNffrbiQIDAQABo4H+MIH7MB0GA1UdDgQWBBTf5cYbK+KCF9u9aobFlLbu
ilwX4jCBywYDVR0jBIHDMIHAgBTf5cYbK+KCF9u9aobFlLbuilwX4qGBnKSBmTCB
ljELMAkGA1UEBhMCREUxDzANBgNVBAcTBkJlcmxpbjEbMBkGA1UECxMSdnBuLmV4
dC5jLWJhc2Uub3JnMRswGQYDVQQDExJ2cG4uZXh0LmMtYmFzZS5vcmcxGzAZBgNV
BCkTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhAYy1i
YXNlLm9yZ4IJAPkM1l2zA306MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
ggIBAMs1moiS7UZ4neOivQjqwKrBbm1j3tgmPLhDfNMmXYarGhnBGAlLxLAQWtG+
Fnbx8KcsJnrsWcGfZcst1z45S4a5oBdVNKOfgkMOG0glZorIDO8Odrb51rpyzU0v
0wcNumMNWhkFuo2OTBHPnnJIWEAFwwCCSCL0I0hQxxoaV36kphjuIwzrMJhd+XAT
24En58cNp6sPRDd+FzOH08uFINevyzKWYxkMgVj+e3fbuiyOB8RqvndKvtfBBcpB
cCO86lGnj/ETMDciTczUShxaMn9wV1zr1KH1xvT3ohUeOcQZGbGTcjG4mxlns8ZO
U5J3Yrcd1eMfJq9Bwd3zPsTLnT8LwIS8vfYRav9b34XdqcBG73dhrjsicMK0Qy0z
Qz7vKJzcvrEnKuaMyB3mCxz/UvbNc2Bupwm4FmzN5eFjDs+7paYFdfOzqMjoRP+8
bcXSqDN5P2eUd7cdsZXaFNcsf1FkWlE3GudVBOmNJqz9zBab/T5J+l4Z90Pd6OUX
GNozEvLhcJkvPKA526TegHTGC8hMquxKc9tpOzNRqZJMFa+UG1mgMrMepRmM/B3s
QrKI1C11iCVYfb9J0tQUkfENHMx4J7mG2DZAhnKWQDU2awM41qU4A7aBYaJvDPnQ
RRcbaT0D794lKUQwH/mZuyKzF22oZNk1o1TV2SaFXqgX5tDt
-----END CERTIFICATE-----
</ca>
''; '';
}; };
};
} }

View File

@ -8,8 +8,8 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }

View File

@ -69,7 +69,6 @@ with import <stockholm/lib>;
]; ];
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;
nix.maxJobs = config.krebs.build.host.cores;
krebs = { krebs = {
enable = true; enable = true;
@ -190,28 +189,34 @@ with import <stockholm/lib>;
enable = true; enable = true;
tables = { tables = {
nat.PREROUTING.rules = [ nat.PREROUTING.rules = [
{ predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
]; ];
nat.OUTPUT.rules = [ nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
]; ];
filter.INPUT.policy = "DROP"; filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP"; filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [ filter.INPUT.rules = mkMerge [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} (mkBefore [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } { predicate = "-p icmp"; target = "ACCEPT"; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } { predicate = "-i lo"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } ])
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } (mkOrder 1000 [
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
])
(mkAfter [
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; }
])
]; ];
}; };
}; };

View File

@ -2,37 +2,56 @@
with import <stockholm/lib>; with import <stockholm/lib>;
{ {
systemd.network.networks."50-et0" = {
matchConfig.Name = "et0";
DHCP = "yes";
# dhcpV4Config.UseDNS = false;
# dhcpV6Config.UseDNS = false;
linkConfig = {
RequiredForOnline = "routable";
};
# networkConfig = {
# LinkLocalAddressing = "no";
# };
# dhcpV6Config = {
# PrefixDelegationHint = "::/60";
# };
# networkConfig = {
# IPv6AcceptRA = true;
# };
# ipv6PrefixDelegationConfig = {
# Managed = true;
# };
};
systemd.network.networks."50-int0" = {
name = "int0";
address = [
"10.42.0.1/24"
];
networkConfig = {
IPForward = "yes";
IPMasquerade = "both";
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
# IPv6SendRA = "yes";
# DHCPPrefixDelegation = "yes";
};
};
networking.networkmanager.unmanaged = [ "int0" ]; networking.networkmanager.unmanaged = [ "int0" ];
networking.interfaces.int0.ipv4.addresses = [{ krebs.iptables.tables.filter.INPUT.rules = [
address = "10.42.0.1"; { predicate = "-i int0"; target = "ACCEPT"; }
prefixLength = 24; ];
}]; krebs.iptables.tables.filter.FORWARD.rules = [
{ predicate = "-i int0"; target = "ACCEPT"; }
{ predicate = "-o int0"; target = "ACCEPT"; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
];
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
];
networking.domain = "gg23"; networking.domain = "gg23";
services.dhcpd4 = {
enable = true;
interfaces = [ "int0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.42.0.1;
option domain-name-servers 10.42.0.1;
subnet 10.42.0.0 netmask 255.255.255.0 {
range 10.42.0.100 10.42.0.200;
}
'';
machines = [
{ ethernetAddress = "a8:a6:48:65:ce:4c"; hostName = "tv"; ipAddress = "10.42.0.3"; }
{ ethernetAddress = "3c:2a:f4:22:28:37"; hostName = "drucker"; ipAddress = "10.42.0.4"; }
{ ethernetAddress = "80:7d:3a:67:b7:01"; hostName = "s20-tv"; ipAddress = "10.42.0.10"; }
{ ethernetAddress = "80:7d:3a:68:04:f0"; hostName = "s20-drucker"; ipAddress = "10.42.0.11"; }
{ ethernetAddress = "80:7d:3a:68:11:a5"; hostName = "s20-wasch"; ipAddress = "10.42.0.12"; }
{ ethernetAddress = "80:7d:3a:67:bb:69"; hostName = "s20-stereo"; ipAddress = "10.42.0.13"; }
{ ethernetAddress = "ec:b5:fa:07:78:16"; hostName = "hue-bridge"; ipAddress = "10.42.0.21"; }
{ ethernetAddress = "80:8d:b7:c5:80:dc"; hostName = "arubaAP"; ipAddress = "10.42.0.99"; }
];
};
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
resolveLocalQueries = false; resolveLocalQueries = false;
@ -45,22 +64,4 @@ with import <stockholm/lib>;
interface=int0 interface=int0
''; '';
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i int0 -p udp --dport 53"; target = "ACCEPT"; } # dns
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.42.0.0/24 -o int0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.42.0.0/24 -i int0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }
];
} }

View File

@ -18,22 +18,22 @@ with import <stockholm/lib>;
} }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.OUTPUT.rules = [ krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
]; ];
# TODO use bridge interfaces instead of this crap # TODO use bridge interfaces instead of this crap

View File

@ -20,8 +20,8 @@
krebs.iptables.tables.filter.OUTPUT.rules = [ krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
{ v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }

View File

@ -0,0 +1,23 @@
{ config, pkgs, ... }:
{
lass.sync-containers3.containers.radio = {
sshKey = "${toString <secrets>}/radio.sync.key";
};
containers.radio = {
bindMounts."/var/music" = {
hostPath = "/var/music";
isReadOnly = false;
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
];
krebs.htgen.radio-redirect = {
port = 8000;
scriptFile = pkgs.writers.writeDash "redir" ''
printf 'HTTP/1.1 301 Moved Permanently\r\n'
printf "Location: http://radio.lassul.us''${Request_URI}\r\n"
printf '\r\n'
'';
};
}

View File

@ -3,7 +3,7 @@
let let
name = "radio"; name = "radio";
music_dir = "/home/radio/music"; music_dir = "/var/music";
skip_track = pkgs.writers.writeBashBin "skip_track" '' skip_track = pkgs.writers.writeBashBin "skip_track" ''
set -eu set -eu
@ -113,7 +113,7 @@ in {
LIMIT=1000 #how many tracks to keep in the history LIMIT=1000 #how many tracks to keep in the history
HISTORY_FILE=/var/lib/radio/recent HISTORY_FILE=/var/lib/radio/recent
listeners=$(${pkgs.curl}/bin/curl -fSs lassul.us:8000/status-json.xsl | listeners=$(${pkgs.curl}/bin/curl -fSs http://localhost:8000/status-json.xsl |
${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0) ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0)
echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a "$HISTORY_FILE" echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a "$HISTORY_FILE"
echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE" echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"
@ -128,6 +128,18 @@ in {
serviceConfig.User = lib.mkForce "radio"; serviceConfig.User = lib.mkForce "radio";
}; };
nixpkgs.config.packageOverrides = opkgs: {
icecast = opkgs.icecast.overrideAttrs (old: rec {
version = "2.5-beta3";
src = pkgs.fetchurl {
url = "http://downloads.xiph.org/releases/icecast/icecast-${version}.tar.gz";
sha256 = "sha256-4FDokoA9zBDYj8RAO/kuTHaZ6jZYBLSJZiX/IYFaCW8=";
};
buildInputs = old.buildInputs ++ [ pkgs.pkg-config ];
});
};
services.icecast = { services.icecast = {
enable = true; enable = true;
hostname = "radio.lassul.us"; hostname = "radio.lassul.us";
@ -135,7 +147,14 @@ in {
extraConf = '' extraConf = ''
<authentication> <authentication>
<source-password>hackme</source-password> <source-password>hackme</source-password>
<admin-user>admin</admin-user>
<admin-password>hackme</admin-password>
</authentication> </authentication>
<logging>
<accesslog>-</accesslog>
<errorlog>-</errorlog>
<loglevel>3</loglevel>
</logging>
''; '';
}; };
@ -234,18 +253,38 @@ in {
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."radio.lassul.us" = { virtualHosts."radio.r" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_set_header Host $host; # https://github.com/aswild/icecast-notes#core-nginx-config
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8000; proxy_pass http://localhost:8000;
# Disable request size limit, very important for uploading large files
client_max_body_size 0;
# Enable support `Transfer-Encoding: chunked`
chunked_transfer_encoding on;
# Disable request and response buffering, minimize latency to/from Icecast
proxy_buffering off;
proxy_request_buffering off;
# Icecast needs HTTP/1.1, not 1.0 or 2
proxy_http_version 1.1;
# Forward all original request headers
proxy_pass_request_headers on;
# Set some standard reverse proxy headers. Icecast server currently ignores these,
# but may support them in a future version so that access logs are more useful.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# get source ip for weather reports
proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
''; '';
locations."= /recent".extraConfig = '' locations."= /recent".extraConfig = ''
default_type "text/plain"; default_type "text/plain";
@ -266,7 +305,7 @@ in {
while sleep 1; do while sleep 1; do
mpv \ mpv \
--cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \ --cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \
'http://lassul.us:8000/radio.ogg' 'http://radio.lassul.us/radio.ogg'
done done
''; '';
locations."= /controls".extraConfig = '' locations."= /controls".extraConfig = ''
@ -278,35 +317,12 @@ in {
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
''; '';
}; };
virtualHosts."lassul.us".locations."= /the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>lassulus playlist</title>
</head>
<body>
<div style="display:inline-block;margin:0px;padding:0px;overflow:hidden">
<iframe src="https://kiwiirc.com/client/irc.hackint.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe>
</div>
<div style="position:absolute;bottom:1px;display:inline-block;background-color:red;">
<audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio>
</div>
<!-- page content -->
</body>
</html>
'';
in ''
default_type "text/html";
alias ${html};
'';
}; };
services.syncthing.declarative.folders."the_playlist" = { services.syncthing.declarative.folders."the_playlist" = {
path = "/home/radio/music/the_playlist"; path = "/var/music/the_playlist";
devices = [ "mors" "phone" "prism" "omo" ]; devices = [ "mors" "phone" "prism" "omo" "radio" ];
}; };
krebs.acl."/home/radio/music/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true;
krebs.acl."/home/radio/music/the_playlist"."u:syncthing:rwX" = {}; krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {};
krebs.acl."/home/radio/music/the_playlist"."u:radio:rwX" = {}; krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {};
} }

View File

@ -10,7 +10,7 @@ def stringify_attrs(attrs) =
out out
end end
def filter_graveyard(req) = def filter_music(req) =
filename = request.filename(req) filename = request.filename(req)
if string.match(pattern = '.*/\\.graveyard/.*', filename) then if string.match(pattern = '.*/\\.graveyard/.*', filename) then
false false
@ -27,7 +27,7 @@ end
env = environment() env = environment()
port = string.to_int(env["RADIO_PORT"], default = 8000) port = string.to_int(env["RADIO_PORT"], default = 8000)
all_music = playlist(env["MUSIC"], check_next = filter_graveyard) all_music = playlist(env["MUSIC"], check_next = filter_music)
wishlist = request.queue() wishlist = request.queue()
tracks = fallback(track_sensitive = true, [wishlist, all_music]) tracks = fallback(track_sensitive = true, [wishlist, all_music])
tracks = blank.eat(tracks) tracks = blank.eat(tracks)
@ -36,7 +36,7 @@ last_metadata = ref([])
def on_metadata(m) = def on_metadata(m) =
last_metadata := m last_metadata := m
print("changing tracks") print("changing tracks")
out = process.read(env["HOOK_TRACK_CHANGE"], env = m) out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0)
print(out) print(out)
end end
tracks.on_metadata(on_metadata) tracks.on_metadata(on_metadata)

View File

@ -10,19 +10,24 @@ let
export PATH="${lib.makeBinPath [ export PATH="${lib.makeBinPath [
pkgs.coreutils pkgs.coreutils
pkgs.curl pkgs.curl
pkgs.iproute2
pkgs.jc
pkgs.jq pkgs.jq
]}" ]}"
curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
ss -no 'sport = :8000' | (
jc --ss | jq -r '.[] | curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.ogg'
select( curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.mp3'
.local_address != "[::ffff:127.0.0.1]" curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.opus'
and .local_address != "[::1]" ) | jq -rs '
) | .peer_address | gsub("[\\[\\]]"; "") [
.[][].source|values|to_entries[].value |
(.listener//[]) [] |
(.useragent | capture("client-ip=(?<ip>[a-f0-9.:]+)")).ip // .ip
] |
unique[] |
select(. != "127.0.0.1") |
select(. != "::1")
' | ' |
${weather_for_ips}/bin/weather_for_ips ${weather_for_ips}/bin/weather_for_ips
''; '';

View File

@ -3,12 +3,24 @@ import fileinput
import json import json
import requests import requests
import os import os
import random
geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB']) geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB'])
seen = {} seen = {}
output = [] output = []
for ip in fileinput.input(): for ip in fileinput.input():
if "80.147.140.51" in ip:
output.append(
'Weather report for c-base, space.'
'It is empty space outside '
'with a temperature of -270 degrees, '
'a lightspeed of 299792 kilometers per second '
'and a humidity of Not a Number percent. '
f'The probability of reincarnation is {random.randrange(0, 100)} percent.'
)
else:
try:
location = geoip.city(ip.strip()) location = geoip.city(ip.strip())
if location.city.geoname_id not in seen: if location.city.geoname_id not in seen:
seen[location.city.geoname_id] = True seen[location.city.geoname_id] = True
@ -30,5 +42,7 @@ for ip in fileinput.input():
f'and a humidity of {weather["current"]["humidity"]} percent. ' f'and a humidity of {weather["current"]["humidity"]} percent. '
f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. '
) )
except: # noqa E722
pass
print('\n'.join(output)) print('\n'.join(output))

View File

@ -27,6 +27,15 @@
LocalDiscovery = no LocalDiscovery = no
''} ''}
''; '';
tincUp = lib.mkIf config.systemd.network.enable "";
};
systemd.network.networks.retiolum = {
matchConfig.Name = "retiolum";
address = [
"${config.krebs.build.host.nets.retiolum.ip4.addr}/16"
"${config.krebs.build.host.nets.retiolum.ip6.addr}/16"
];
}; };
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {

59
lass/2configs/riot.nix Normal file
View File

@ -0,0 +1,59 @@
{ config, lib, pkgs, ... }:
{
containers.riot = {
config = {
environment.systemPackages = [
pkgs.dhcpcd
pkgs.git
pkgs.jq
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
];
networking.defaultGateway = "10.233.1.1";
systemd.services.autoswitch = {
environment = {
NIX_REMOTE = "daemon";
};
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
set -efu
if test -e /var/src/nixos-config; then
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
fi
'';
unitConfig.X-StopOnRemoval = false;
};
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.1.1";
localAddress = "10.233.1.2";
forwardPorts = [
{ hostPort = 45622; containerPort = 22; }
];
};
systemd.network.networks."50-ve-riot" = {
matchConfig.Name = "ve-riot";
networkConfig = {
IPForward = "yes";
# weirdly we have to use POSTROUTING MASQUERADE here
# IPMasquerade = "both";
LinkLocalAddressing = "no";
KeepConfiguration = "static";
};
};
# networking.nat can be used instead of this
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ predicate = "-i ve-riot"; target = "ACCEPT"; }
{ predicate = "-o ve-riot"; target = "ACCEPT"; }
];
}

View File

@ -1,7 +1,7 @@
{ {
services.syncthing.folders.the_playlist = { services.syncthing.folders.the_playlist = {
path = "/home/lass/tmp/the_playlist"; path = "/home/lass/tmp/the_playlist";
devices = [ "mors" "phone" "prism" "omo" ]; devices = [ "mors" "phone" "prism" "omo" "radio" ];
}; };
krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};

View File

@ -16,13 +16,20 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
]; ]);
systemd.network.networks.wiregrill = {
matchConfig.Name = "wiregrill";
address =
(optional (!isNull self.ip4) "${self.ip4.addr}/16") ++
(optional (!isNull self.ip6) "${self.ip6.addr}/48")
;
};
networking.wireguard.interfaces.wiregrill = { networking.wireguard.interfaces.wiregrill = {
ips = ips =

View File

@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
lass.sync-containers3.containers.yellow = {
sshKey = "${toString <secrets>}/yellow.sync.key";
};
containers.yellow.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/yellow/state";
isReadOnly = false;
};
containers.yellow.bindMounts."/var/download" = {
hostPath = "/var/download";
isReadOnly = false;
};
}

View File

@ -1,6 +1,6 @@
{ {
fileSystems."/mnt/prism" = { fileSystems."/mnt/yellow" = {
device = "//prism.r/public"; device = "//yellow.r/public";
fsType = "cifs"; fsType = "cifs";
options = [ options = [
"guest" "guest"

View File

@ -28,6 +28,10 @@ in {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
}; };
runContainer = lib.mkOption {
type = lib.types.bool;
default = true;
};
}; };
})); }));
}; };
@ -50,7 +54,8 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
set -efu set -efu
ln -frs /var/state/var_src /var/src mkdir -p /var/state/var_src
ln -Tfrs /var/state/var_src /var/src
if test -e /var/src/nixos-config; then if test -e /var/src/nixos-config; then
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
fi fi
@ -64,7 +69,6 @@ in {
privateNetwork = true; privateNetwork = true;
hostBridge = "ctr0"; hostBridge = "ctr0";
bindMounts = { bindMounts = {
"/etc/resolv.conf".hostPath = "/etc/resolv.conf";
"/var/lib/self/disk" = { "/var/lib/self/disk" = {
hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
isReadOnly = false; isReadOnly = false;
@ -74,7 +78,7 @@ in {
isReadOnly = false; isReadOnly = false;
}; };
}; };
}) cfg.containers; }) (lib.filterAttrs (_: ctr: ctr.runContainer) cfg.containers);
systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
{ "${ctr.name}_syncer" = { { "${ctr.name}_syncer" = {
@ -101,14 +105,14 @@ in {
set -efux set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
touch "$HOME"/incomplete touch "$HOME"/incomplete
rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
rm "$HOME"/incomplete rm "$HOME"/incomplete
fi fi
''} ''}
''; '';
}; };
}; } }; }
{ "${ctr.name}_watcher" = { { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer {
path = with pkgs; [ path = with pkgs; [
coreutils coreutils
consul consul
@ -136,7 +140,8 @@ in {
;; ;;
200) 200)
# echo 'got 200 from kv, will check payload' # echo 'got 200 from kv, will check payload'
export payload=$(consul kv get containers/${ctr.name}) payload=$(consul kv get containers/${ctr.name}) || continue
export payload
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
# echo 'we are the host, trying to reach container' # echo 'we are the host, trying to reach container'
if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
@ -163,7 +168,7 @@ in {
''; '';
}; };
}; } }; }
{ "${ctr.name}_scheduler" = { { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ path = with pkgs; [
coreutils coreutils
@ -246,7 +251,7 @@ in {
users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" {
}) cfg.containers; }) cfg.containers;
users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({
group = "container_${ctr.name}"; group = "${ctr.name}_container";
isNormalUser = true; isNormalUser = true;
uid = slib.genid_uint31 "container_${ctr.name}"; uid = slib.genid_uint31 "container_${ctr.name}";
home = "/var/lib/sync-containers3/${ctr.name}"; home = "/var/lib/sync-containers3/${ctr.name}";
@ -254,47 +259,51 @@ in {
homeMode = "705"; homeMode = "705";
})) cfg.containers; })) cfg.containers;
environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" ''
set -efux
export PATH=${lib.makeBinPath [
pkgs.coreutils
pkgs.cryptsetup
pkgs.libxfs.bin
]}:$PATH
truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk
cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey}
cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
mkfs.xfs /dev/mapper/${ctr.name}
mkdir -p /var/lib/sync-containers3/${ctr.name}/state
mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
/run/current-system/sw/bin/nixos-container start ${ctr.name}
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" ''
mkdir -p /var/state
''}
'')) cfg.containers;
}) })
(lib.mkIf (cfg.containers != {}) { (lib.mkIf (cfg.containers != {}) {
# networking # networking
networking.networkmanager.unmanaged = [ "ctr0" ]; systemd.network.networks.ctr0 = {
networking.interfaces.dummy0.virtual = true; name = "ctr0";
networking.bridges.ctr0.interfaces = [ "dummy0" ]; address = [
networking.interfaces.ctr0.ipv4.addresses = [{ "10.233.0.1/24"
address = "10.233.0.1";
prefixLength = 24;
}];
systemd.services."dhcpd-ctr0" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
DynamicUser = true;
StateDirectory = "dhcpd-ctr0";
User = "dhcpd-ctr0";
Group = "dhcpd-ctr0";
AmbientCapabilities = [
"CAP_NET_RAW" # to send ICMP messages
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
]; ];
ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; networkConfig = {
ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' IPForward = "yes";
default-lease-time 600; IPMasquerade = "both";
max-lease-time 7200; ConfigureWithoutCarrier = true;
authoritative; DHCPServer = "yes";
ddns-update-style interim;
log-facility local1; # see dhcpd.nix
option subnet-mask 255.255.255.0;
option routers 10.233.0.1;
# option domain-name-servers 8.8.8.8; # TODO configure dns server
subnet 10.233.0.0 netmask 255.255.255.0 {
range 10.233.0.10 10.233.0.250;
}
''} ctr0";
}; };
}; };
systemd.network.netdevs.ctr0.netdevConfig = {
Kind = "bridge";
Name = "ctr0";
};
networking.networkmanager.unmanaged = [ "ctr0" ];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i ctr0"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ predicate = "-i ctr0"; target = "ACCEPT"; }
{ predicate = "-o ctr0"; target = "ACCEPT"; }
];
}) })
(lib.mkIf cfg.inContainer.enable { (lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {}; users.groups.container_sync = {};
@ -308,6 +317,17 @@ in {
cfg.inContainer.pubkey cfg.inContainer.pubkey
]; ];
}; };
networking.useHostResolvConf = false;
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks.eth0 = {
matchConfig.Name = "eth0";
DHCP = "yes";
dhcpV4Config.UseDNS = true;
};
};
}) })
]; ];
} }

View File

@ -1,26 +0,0 @@
{ yarn2nix-moretea, fetchFromGitHub, nodePackages, nodejs }: let
#src = ~/src/bruellwuerfel;
src = fetchFromGitHub {
owner = "krebs";
repo = "bruellwuerfel";
rev = "57e20e630f732ce4e15b495ec5f9bf72a121b959";
sha256 = "08zwwl24sq21r497a03lqpy2x10az8frrsh6d38xm92snd1yf85b";
};
in yarn2nix-moretea.mkYarnModules rec {
pname = "bruellwuerfel";
version = "1.0";
name = "${pname}-${version}";
packageJSON = "${src}/package.json";
yarnLock = "${src}/yarn.lock";
postBuild = ''
cp -r ${src}/{src,tsconfig.json} $out/
cd $out
${nodePackages.typescript}/bin/tsc || :
mkdir -p $out/bin
echo '#!/bin/sh' > $out/bin/bruellwuerfel
echo "export NODE_PATH=$out/dist" >> $out/bin/bruellwuerfel
echo "${nodejs}/bin/node $out/dist/index.js" >> $out/bin/bruellwuerfel
chmod +x $out/bin/bruellwuerfel
'';
}

View File

@ -0,0 +1,26 @@
{ pkgs }:
pkgs.writers.writeDashBin "install-system" ''
set -efux
SYSTEM=$1
TARGET=$2
# format
if ! (sshn "$TARGET" -- mountpoint /mnt); then
nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '<nixpkgs/nixos>' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET"
fi
# install dependencies
sshn "$TARGET" << SSH
nix-channel --update
nix-env -iA nixos.git
SSH
# populate
$(nix-build --no-out-link "$HOME"/sync/stockholm/lass/krops.nix -A populate --argstr name "$SYSTEM" --argstr target "$TARGET"/mnt/var/src --arg force true)
# install
sshn "$TARGET" << SSH
ln -s /mnt/var/src /var/src
NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /var/src
zpool export -fa
SSH
''

View File

@ -1,31 +1,59 @@
{ pkgs }: { pkgs }:
pkgs.writeDashBin "l-gen-secrets" '' pkgs.writers.writeDashBin "l-gen-secrets" ''
HOSTNAME="$1" set -efu
HOSTNAME=$1
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
if [ "''${DRYRUN-n}" = "n" ]; then
trap 'rm -rf $TMPDIR' EXIT
else
echo "$TMPDIR"
set -x
fi
mkdir -p $TMPDIR/out
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
# ssh
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key # tor
${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 >/dev/null || :
cat <<EOF > $TMPDIR/hashedPasswords.nix ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv
# tinc
${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc
${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null
${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv
${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv
# wireguard
${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key
${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
# system passwords
cat <<EOF > $TMPDIR/out/hashedPasswords.nix
{ {
root = "$HASHED_PASSWORD"; root = "$HASHED_PASSWORD";
mainUser = "$HASHED_PASSWORD"; mainUser = "$HASHED_PASSWORD";
} }
EOF EOF
cd $TMPDIR set +f
if [ "''${DRYRUN-n}" = "n" ]; then
cd $TMPDIR/out
for x in *; do for x in *; do
${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
done done
echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null
fi
set -f
cat <<EOF cat <<EOF
$HOSTNAME = { { r6, w6, ... }:
cores = 1; {
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.0.changeme"; ip4.addr = "10.243.0.changeme";
@ -34,8 +62,9 @@ pkgs.writeDashBin "l-gen-secrets" ''
"$HOSTNAME.r" "$HOSTNAME.r"
]; ];
tinc.pubkey = ${"''"} tinc.pubkey = ${"''"}
$(cat $TMPDIR/retiolum.rsa_key.pub) $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /')
${"''"}; ${"''"};
tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')";
}; };
wiregrill = { wiregrill = {
ip6.addr = w6 "changeme"; ip6.addr = w6 "changeme";
@ -47,11 +76,7 @@ pkgs.writeDashBin "l-gen-secrets" ''
${"''"}; ${"''"};
}; };
}; };
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
}; }
EOF EOF
rm -rf $TMPDIR
'' ''

View File

@ -39,6 +39,8 @@ let
ne = x: y: x != y; ne = x: y: x != y;
mod = x: y: x - y * (x / y); mod = x: y: x - y * (x / y);
on = b: u: x: y: b (u x) (u y);
genid = lib.genid_uint32; # TODO remove genid = lib.genid_uint32; # TODO remove
genid_uint31 = x: ((lib.genid_uint32 x) + 16777216) / 2; genid_uint31 = x: ((lib.genid_uint32 x) + 16777216) / 2;
genid_uint32 = import ./genid.nix { inherit lib; }; genid_uint32 = import ./genid.nix { inherit lib; };
@ -185,6 +187,30 @@ let
in in
filter (x: x != []) ([acc.chunk] ++ acc.chunks); filter (x: x != []) ([acc.chunk] ++ acc.chunks);
# Filter adjacent duplicate elements.
uniq = uniqBy eq;
# Filter adjacent duplicate elements determined via the given function.
uniqBy = cmp: let
f = a: s:
if length s == 0 then
[]
else let
b = head s;
in
if cmp a b then
f b (tail s)
else
[b] ++ f b (tail s);
in
s:
if length s == 0 then
[]
else let
b = head s;
in
[b] ++ f b (tail s);
warnOldVersion = oldName: newName: warnOldVersion = oldName: newName:
if compareVersions oldName newName != -1 then if compareVersions oldName newName != -1 then
trace "Upstream `${oldName}' gets overridden by `${newName}'." newName trace "Upstream `${oldName}' gets overridden by `${newName}'." newName

View File

@ -39,7 +39,12 @@ rec {
in in
if parse == null then if parse == null then
(pkgs.writeText name s).overrideAttrs (old: { (pkgs.writeText name s).overrideAttrs (old: {
dependencies = old.dependencies or [] ++ dependencies; dependencies =
lib.uniq
(lib.sort (lib.on lib.lessThan (lib.getAttr "name"))
(filter
(lib.ne null)
(old.dependencies or [] ++ dependencies)));
}) })
else else

View File

@ -18,9 +18,6 @@ rec {
type = label; type = label;
default = config._module.args.name; default = config._module.args.name;
}; };
cores = mkOption {
type = uint;
};
nets = mkOption { nets = mkOption {
type = attrsOf net; type = attrsOf net;
default = {}; default = {};
@ -149,6 +146,14 @@ rec {
}.${config._module.args.name} or { }.${config._module.args.name} or {
default = "${ip4.config.addr}/32"; default = "${ip4.config.addr}/32";
}); });
prefixLength = mkOption ({
type = uint;
} // {
retiolum.default = 16;
wiregrill.default = 16;
}.${config._module.args.name} or {
default = 32;
});
}; };
})); }));
default = null; default = null;
@ -168,6 +173,14 @@ rec {
}.${config._module.args.name} or { }.${config._module.args.name} or {
default = "${ip6.config.addr}/128"; default = "${ip6.config.addr}/128";
}); });
prefixLength = mkOption ({
type = uint;
} // {
retiolum.default = 32;
wiregrill.default = 32;
}.${config._module.args.name} or {
default = 128;
});
}; };
})); }));
default = null; default = null;

View File

@ -23,7 +23,6 @@ pkgs.writeDashBin "generate-secrets" ''
cat <<EOF cat <<EOF
$HOSTNAME = { $HOSTNAME = {
cores = 1;
owner = config.krebs.users.makefu; owner = config.krebs.users.makefu;
nets = { nets = {
retiolum = { retiolum = {

1
submodules/disko Submodule

@ -0,0 +1 @@
Subproject commit df3a607ad7ee431f4831a51af2c464aa8a8813f4

View File

@ -4,6 +4,7 @@ with import ./lib;
imports = [ imports = [
<stockholm/tv> <stockholm/tv>
../../2configs/autotether.nix
<stockholm/tv/2configs/hw/x220.nix> <stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix> <stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix> <stockholm/tv/2configs/gitconfig.nix>

View File

@ -0,0 +1,19 @@
{ config, pkgs, ... }: let
cfg.serial = "17e064850405";
in {
systemd.services.usb_tether.serviceConfig = {
SyslogIdentifier = "usb_tether";
ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
};
services.udev.extraRules = /* sh */ ''
ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
'';
systemd.network.networks.android = {
matchConfig.Name = "android";
DHCP = "yes";
};
}

View File

@ -11,6 +11,16 @@ with import ./lib;
LocalDiscovery = yes LocalDiscovery = yes
''; '';
tincPackage = pkgs.tinc_pre; tincPackage = pkgs.tinc_pre;
tincUp = lib.mkIf config.systemd.network.enable "";
};
systemd.network.networks.retiolum = {
matchConfig.Name = "retiolum";
address = let
inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
in [
"${ip4.addr}/${toString ip4.prefixLength}"
"${ip6.addr}/${toString ip6.prefixLength}"
];
}; };
tv.iptables.input-internet-accept-tcp = singleton "tinc"; tv.iptables.input-internet-accept-tcp = singleton "tinc";
tv.iptables.input-internet-accept-udp = singleton "tinc"; tv.iptables.input-internet-accept-udp = singleton "tinc";

View File

@ -127,7 +127,7 @@ in {
}) })
]; ];
krebs.systemd.services.ejabberd = {}; krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;
systemd.services.ejabberd = { systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];

View File

@ -26,7 +26,7 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
krebs.systemd.services.x0vncserver = {}; krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true;
systemd.services.x0vncserver = { systemd.services.x0vncserver = {
after = [ "graphical.target" ]; after = [ "graphical.target" ];
requires = [ "graphical.target" ]; requires = [ "graphical.target" ];

Some files were not shown because too many files have changed in this diff Show More