390 lines
10 KiB
Nix
390 lines
10 KiB
Nix
## generate keys with:
|
|
# tinc generate-keys
|
|
# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host
|
|
|
|
with import <stockholm/lib>;
|
|
{ config, ... }: let
|
|
|
|
hostDefaults = hostName: host: foldl' recursiveUpdate {} [
|
|
{
|
|
owner = config.krebs.users.makefu;
|
|
}
|
|
# Retiolum defaults
|
|
(let
|
|
pubkey-path = ./retiolum + "/${hostName}.pub";
|
|
in optionalAttrs (pathExists pubkey-path) {
|
|
nets.retiolum = {
|
|
tinc.pubkey = readFile pubkey-path;
|
|
aliases = [
|
|
"${hostName}.r"
|
|
];
|
|
ip6.addr =
|
|
(krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address;
|
|
};
|
|
})
|
|
# Retiolum ed25519 keys
|
|
(let
|
|
pubkey-path = ./retiolum + "/${hostName}_ed25519.pub";
|
|
in optionalAttrs (pathExists pubkey-path) {
|
|
nets.retiolum.tinc.pubkey_ed25519 = readFile pubkey-path;
|
|
})
|
|
# Wiregrill defaults
|
|
(let
|
|
pubkey-path = ./wiregrill + "/${hostName}.pub";
|
|
in optionalAttrs (pathExists pubkey-path) {
|
|
nets.wiregrill = {
|
|
aliases = [
|
|
"${hostName}.w"
|
|
];
|
|
ip6.addr =
|
|
(krebs.genipv6 "wiregrill" "makefu" { inherit hostName; }).address;
|
|
wireguard.pubkey = readFile pubkey-path;
|
|
};
|
|
})
|
|
# SSHD defaults
|
|
(let
|
|
pubkey-path = ./sshd + "/${hostName}.pub";
|
|
in optionalAttrs (pathExists pubkey-path) {
|
|
ssh.pubkey = readFile pubkey-path;
|
|
# We assume that if the sshd pubkey exits then there must be a privkey in
|
|
# the screts store as well
|
|
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
|
|
})
|
|
host
|
|
];
|
|
|
|
pub-for = name: builtins.readFile (./ssh + "/${name}.pub");
|
|
w6 = ip: (krebs.genipv6 "wiregrill" "makefu" ip).address;
|
|
in {
|
|
hosts = mapAttrs hostDefaults {
|
|
cake = rec {
|
|
cores = 4;
|
|
ci = false;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.136.236";
|
|
};
|
|
};
|
|
crapi = rec { # raspi1
|
|
cores = 1;
|
|
ci = false;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.136.237";
|
|
};
|
|
};
|
|
firecracker = {
|
|
cores = 4;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.12.12";
|
|
};
|
|
};
|
|
|
|
studio = rec {
|
|
ci = false;
|
|
cores = 4;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.227.163";
|
|
};
|
|
};
|
|
fileleech = rec {
|
|
ci = false;
|
|
cores = 4;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.113.98";
|
|
};
|
|
};
|
|
tsp = {
|
|
ci = true;
|
|
cores = 1;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.0.212";
|
|
};
|
|
};
|
|
x = {
|
|
ci = true;
|
|
cores = 4;
|
|
syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5";
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.0.91";
|
|
wiregrill = {
|
|
# defaults
|
|
};
|
|
};
|
|
|
|
};
|
|
filepimp = rec {
|
|
ci = false;
|
|
cores = 1;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.153.102";
|
|
};
|
|
};
|
|
|
|
omo = rec {
|
|
ci = true;
|
|
cores = 2;
|
|
syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK";
|
|
nets = {
|
|
retiolum = {
|
|
ip4.addr = "10.243.0.89";
|
|
aliases = [
|
|
"omo.r"
|
|
"dcpp.omo.r"
|
|
"torrent.omo.r"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
wbob = rec {
|
|
ci = true;
|
|
cores = 4;
|
|
nets = {
|
|
retiolum = {
|
|
ip4.addr = "10.243.214.15";
|
|
aliases = [
|
|
"wbob.r"
|
|
"hydra.wbob.r"
|
|
"log.wbob.r"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
latte = rec {
|
|
ci = true;
|
|
extraZones = {
|
|
"krebsco.de" = ''
|
|
latte.euer IN A ${nets.internet.ip4.addr}
|
|
'';
|
|
};
|
|
cores = 4;
|
|
nets = rec {
|
|
internet = {
|
|
ip4.addr = "178.254.30.202";
|
|
ip6.addr = "2a00:6800:3:18c::2";
|
|
aliases = [
|
|
"latte.i"
|
|
];
|
|
};
|
|
#wiregrill = {
|
|
# via = internet;
|
|
# ip4.addr = "10.244.245.1";
|
|
# ip6.addr = w6 "1";
|
|
# wireguard.port = 51821;
|
|
# wireguard.subnets = [
|
|
# (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
|
|
# "10.244.245.0/24" # required for routing directly to gum via rockit
|
|
# ];
|
|
#};
|
|
retiolum = {
|
|
via = internet;
|
|
ip4.addr = "10.243.0.214";
|
|
# never connect via gum (he eats your packets!)
|
|
#tinc.weight = 9001;
|
|
|
|
aliases = [
|
|
"latte.r"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
gum = rec {
|
|
ci = true;
|
|
extraZones = {
|
|
"krebsco.de" = ''
|
|
bookmark.euer IN A ${nets.internet.ip4.addr}
|
|
boot IN A ${nets.internet.ip4.addr}
|
|
boot.euer IN A ${nets.internet.ip4.addr}
|
|
cache.euer IN A ${nets.internet.ip4.addr}
|
|
cache.gum IN A ${nets.internet.ip4.addr}
|
|
cgit.euer IN A ${nets.internet.ip4.addr}
|
|
dl.euer IN A ${nets.internet.ip4.addr}
|
|
dns.euer IN A ${nets.internet.ip4.addr}
|
|
dockerhub IN A ${nets.internet.ip4.addr}
|
|
euer IN A ${nets.internet.ip4.addr}
|
|
euer IN MX 1 aspmx.l.google.com.
|
|
ghook IN A ${nets.internet.ip4.addr}
|
|
git.euer IN A ${nets.internet.ip4.addr}
|
|
gold IN A ${nets.internet.ip4.addr}
|
|
graph IN A ${nets.internet.ip4.addr}
|
|
gum IN A ${nets.internet.ip4.addr}
|
|
io IN NS gum.krebsco.de.
|
|
iso.euer IN A ${nets.internet.ip4.addr}
|
|
feed.euer IN A ${nets.internet.ip4.addr}
|
|
board.euer IN A ${nets.internet.ip4.addr}
|
|
etherpad.euer IN A ${nets.internet.ip4.addr}
|
|
rss.euer IN A ${nets.internet.ip4.addr}
|
|
mediengewitter IN CNAME over.dose.io.
|
|
mon.euer IN A ${nets.internet.ip4.addr}
|
|
netdata.euer IN A ${nets.internet.ip4.addr}
|
|
nixos.unstable IN CNAME krebscode.github.io.
|
|
o.euer IN A ${nets.internet.ip4.addr}
|
|
photostore IN A ${nets.internet.ip4.addr}
|
|
pigstarter IN CNAME makefu.github.io.
|
|
share.euer IN A ${nets.internet.ip4.addr}
|
|
wg.euer IN A ${nets.internet.ip4.addr}
|
|
wiki.euer IN A ${nets.internet.ip4.addr}
|
|
wikisearch IN A ${nets.internet.ip4.addr}
|
|
|
|
meet.euer IN A ${nets.internet.ip4.addr}
|
|
work.euer IN A ${nets.internet.ip4.addr}
|
|
admin.work.euer IN A ${nets.internet.ip4.addr}
|
|
push.work.euer IN A ${nets.internet.ip4.addr}
|
|
api.work.euer IN A ${nets.internet.ip4.addr}
|
|
maps.work.euer IN A ${nets.internet.ip4.addr}
|
|
play.work.euer IN A ${nets.internet.ip4.addr}
|
|
ul.work.euer IN A ${nets.internet.ip4.addr}
|
|
bw.euer IN A ${nets.internet.ip4.addr}
|
|
'';
|
|
};
|
|
cores = 8;
|
|
nets = rec {
|
|
internet = {
|
|
ip4.addr = "144.76.26.247";
|
|
ip6.addr = "2a01:4f8:191:12f6::2";
|
|
aliases = [
|
|
"gum.i"
|
|
];
|
|
};
|
|
wiregrill = {
|
|
via = internet;
|
|
ip4.addr = "10.244.245.1";
|
|
ip6.addr = w6 "1";
|
|
wireguard.port = 51821;
|
|
wireguard.subnets = [
|
|
(krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
|
|
"10.244.245.0/24" # required for routing directly to gum via rockit
|
|
];
|
|
};
|
|
retiolum = {
|
|
via = internet;
|
|
ip4.addr = "10.243.0.213";
|
|
# never connect via gum (he eats your packets!)
|
|
#tinc.weight = 9001;
|
|
|
|
aliases = [
|
|
"gum.r"
|
|
"backup.makefu.r"
|
|
"blog.gum.r"
|
|
"blog.makefu.r"
|
|
"cache.gum.r"
|
|
"cgit.gum.r"
|
|
"dcpp.gum.r"
|
|
"dcpp.nextgum.r"
|
|
"graph.makefu.r"
|
|
"logs.makefu.r"
|
|
"netdata.makefu.r"
|
|
"nextgum.r"
|
|
"o.gum.r"
|
|
"search.makefu.r"
|
|
"stats.makefu.r"
|
|
"torrent.gum.r"
|
|
"tracker.makefu.r"
|
|
"wiki.gum.r"
|
|
"wiki.makefu.r"
|
|
"warrior.gum.r"
|
|
"rss.makefu.r"
|
|
"sick.makefu.r"
|
|
"dl.gum.r"
|
|
"dl.makefu.r"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
sdev = rec {
|
|
ci = true;
|
|
cores = 1;
|
|
nets = {
|
|
retiolum.ip4.addr = "10.243.83.237";
|
|
};
|
|
};
|
|
|
|
|
|
# non-stockholm
|
|
|
|
flap = rec {
|
|
cores = 1;
|
|
extraZones = {
|
|
"krebsco.de" = ''
|
|
flap IN A ${nets.internet.ip4.addr}
|
|
'';
|
|
};
|
|
nets = {
|
|
internet = {
|
|
ip4.addr = "162.248.11.162";
|
|
aliases = [
|
|
"flap.i"
|
|
];
|
|
};
|
|
retiolum = {
|
|
ip4.addr = "10.243.211.172";
|
|
};
|
|
};
|
|
};
|
|
|
|
nukular = rec {
|
|
cores = 1;
|
|
nets = {
|
|
retiolum = {
|
|
ip4.addr = "10.243.231.219";
|
|
};
|
|
};
|
|
};
|
|
|
|
|
|
shackdev = rec { # router@shack
|
|
cores = 1;
|
|
nets.wiregrill.ip4.addr = "10.244.245.2";
|
|
};
|
|
|
|
rockit = rec { # router@home
|
|
cores = 1;
|
|
nets.wiregrill.ip4.addr = "10.244.245.3";
|
|
};
|
|
|
|
senderechner = rec {
|
|
cores = 2;
|
|
nets = {
|
|
retiolum = {
|
|
ip4.addr = "10.243.0.163";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
users = rec {
|
|
makefu = {
|
|
mail = "makefu@x.r";
|
|
pubkey = pub-for "makefu.x";
|
|
pgp.pubkeys.default = builtins.readFile ./pgp/default.asc;
|
|
pgp.pubkeys.brain = builtins.readFile ./pgp/brain.asc;
|
|
};
|
|
makefu-omo = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.omo";
|
|
};
|
|
makefu-tsp = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.tsp";
|
|
};
|
|
makefu-vbob = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.vbob";
|
|
};
|
|
makefu-tempx = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.tempx";
|
|
};
|
|
makefu-android = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.android";
|
|
};
|
|
makefu-remote-builder = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.remote-builder";
|
|
};
|
|
makefu-bob = {
|
|
inherit (makefu) mail pgp;
|
|
pubkey = pub-for "makefu.bob";
|
|
};
|
|
};
|
|
}
|