authorlassulus <lassulus@lassul.us>2020-09-08 22:04:21 +0200
committerlassulus <lassulus@lassul.us>2020-09-08 22:04:21 +0200
commit32a5fd32c8a06084ee06d57cb2feeac0b14b380d (patch)
treec33c4e9d8da1ba419541950f110f4b4dfbf8155b
parent549598bfd9cf6e94f8bb83ebbcc17400069f1198 (diff)
parent6fbbf7e6170f6a1ba42c5dcecd11ca67c6bc5afd (diff)
Merge remote-tracking branch 'ni/master' into HEAD
-rw-r--r--krebs/3modules/permown.nix20
-rw-r--r--krebs/3modules/tinc.nix39
-rw-r--r--krebs/3modules/tv/default.nix27
-rw-r--r--lib/types.nix4
-rw-r--r--tv/1systems/alnus/config.nix13
-rw-r--r--tv/1systems/au/config.nix18
-rw-r--r--tv/1systems/au/disks.nix19
-rw-r--r--tv/2configs/nets/hkw.nix14
8 files changed, 141 insertions, 13 deletions
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
index fe293810c..ca81e2ea5 100644
--- a/krebs/3modules/permown.nix
+++ b/krebs/3modules/permown.nix
@@ -18,6 +18,15 @@ with import <stockholm/lib>;
default = null;
type = types.nullOr types.groupname;
};
+ keepGoing = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to keep going when chowning or chmodding fails.
+ If set to false, then errors will cause the service to restart
+ instead.
+ '';
+ };
owner = mkOption {
type = types.username;
};
@@ -43,7 +52,12 @@ with import <stockholm/lib>;
'';
in concatMapStrings mkdir plans;
- systemd.services = genAttrs' plans (plan: {
+ systemd.services = genAttrs' plans (plan: let
+ continuable = command:
+ if plan.keepGoing
+ then /* sh */ "{ ${command}; } || :"
+ else command;
+ in {
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
value = {
environment = {
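Review bot: With `keepGoing` enabled, `{ ${command}; } || :` throws away the exit status, so a chown or chmod that fails leaves the path at its previous owner and mode and nothing reaches the journal to say which path it was; the third hunk of this file, where the wrapper is applied to the chown and chmod lines, is where that silence bites. Logging the failing path to stderr keeps the keep-going semantics while leaving evidence: `then /* sh */ "{ ${command}; } || echo \"permown: failed on $path\" >&2"`. The generated script that defines `$path` starts and ends outside this hunk, so please confirm the variable name at the call site.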
@@ -82,9 +96,9 @@ with import <stockholm/lib>;
cleanup
exec "$0" "$@"
fi
- chown -h "$OWNER_GROUP" "$path"
+ ${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''}
if test -f "$path"; then
- chmod "$FILE_MODE" "$path"
+ ${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''}
fi
done < "$paths"
'';
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 1fca7de5c..0f5e1aa83 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -29,6 +29,9 @@ let
Interface = ${netname}
Broadcast = no
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
+ ${optionalString (tinc.config.privkey_ed25519 != null)
+ "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
+ }
PrivateKeyFile = ${tinc.config.privkey.path}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
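Review bot: `Ed25519PrivateKeyFile` is a tinc 1.1 configuration variable; if `cfg.tincPackage` (mentioned in the TODO further down this file) resolves to a 1.0 build, the line is still emitted but, as far as I know, not honoured, which silently leaves the node on RSA-only even though a key was provisioned. It would be safer to either gate the line on the package version or state the tinc 1.1 requirement in the `privkey_ed25519` option description so the operator knows what to check. The `hostsConfig` string this lives in begins outside the hunk.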
@@ -165,6 +168,17 @@ let
};
};
+ privkey_ed25519 = mkOption {
+ type = types.nullOr types.secret-file;
+ default =
+ if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
+ name = "${tinc.config.netname}.ed25519_key.priv";
+ path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
+ owner = tinc.config.user;
+ source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ };
+ };
+
connectTo = mkOption {
type = types.listOf types.str;
${if tinc.config.netname == "retiolum" then "default" else null} = [
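Review bot: The new `privkey_ed25519` option has no `description`, and its default walks `config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519` although the earlier hunk in this file reaches the same data through `tinc.config.host.nets.${netname}.tinc.port`; the shorter form is consistent with existing code and avoids a second lookup by host name. Suggest `if tinc.config.host.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {` plus `description = "Ed25519 private key file for tinc 1.1; defaults to a secret file when the host declares tinc.pubkey_ed25519, otherwise null.";`. The enclosing option set starts and ends outside the hunk.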
@@ -198,8 +212,23 @@ let
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
# avoid conflicts in environment if the packages differ
- krebs.secret.files = mapAttrs' (netname: cfg:
- nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+ krebs.secret.files =
+ let
+ ed25519_keys =
+ filterAttrs
+ (_: key: key != null)
+ (mapAttrs'
+ (netname: cfg:
+ nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
+ )
+ config.krebs.tinc);
+
+ rsa_keys =
+ mapAttrs'
+ (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
+ config.krebs.tinc;
+ in
+ ed25519_keys // rsa_keys;
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
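Review bot: The secret-file name `"${netname}.ed25519_key.priv"` is now spelled out independently in three places, the option default in the previous hunk, this `mapAttrs'` key, and the `after`/`partOf` lookups in the next hunk, and the rsa name has the same duplication; if any one of them drifts, the `config.krebs.secret.files."…".service` lookup fails at evaluation time with a missing-attribute error that does not name the cause. A single binding per name in the enclosing `let` (which starts outside the hunk), e.g. `ed25519SecretName = netname: "${netname}.ed25519_key.priv";`, used by all three sites would remove that risk. The `ed25519_keys // rsa_keys` merge itself is safe because the two key sets use different suffixes.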
@@ -221,11 +250,15 @@ let
in {
description = "Tinc daemon for ${netname}";
after = [
- config.krebs.secret.files."${netname}.rsa_key.priv".service
"network.target"
+ config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
];
partOf = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
];
wantedBy = [ "multi-user.target" ];
path = [ tinc iproute ];
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index c2bf406f1..c86fda05d 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -55,6 +55,33 @@ in {
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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";
};
+ au = {
+ ci = true;
+ cores = 4;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.39";
+ aliases = [
+ "au.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z
+ 9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm
+ PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb
+ PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG
+ cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83
+ jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 =
+ "Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO";
+ };
+ };
+ secure = true;
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
+ };
mu = {
ci = true;
cores = 2;
diff --git a/lib/types.nix b/lib/types.nix
index 1eb4d947c..3eda2262f 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -179,6 +179,10 @@ rec {
pubkey = mkOption {
type = tinc-pubkey;
};
+ pubkey_ed25519 = mkOption {
+ type = nullOr tinc-pubkey;
+ default = null;
+ };
extraConfig = mkOption {
description = "Extra Configuration to be appended to the hosts file";
default = "";
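Review bot: The new `pubkey_ed25519` option carries no `description`, and the value it receives in krebs/3modules/tv/default.nix is the complete `Ed25519PublicKey = …` host-file line rather than a bare key, which a reader cannot infer from the `nullOr tinc-pubkey` type alone. Suggest `description = "tinc 1.1 Ed25519 public key, given as the complete 'Ed25519PublicKey = ...' line to place in the host file; null if the host has none.";`. The surrounding `rec` attribute set begins and ends outside the hunk.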
diff --git a/tv/1systems/alnus/config.nix b/tv/1systems/alnus/config.nix
index 66bd52ab2..ed5fb671c 100644
--- a/tv/1systems/alnus/config.nix
+++ b/tv/1systems/alnus/config.nix
@@ -17,7 +17,6 @@ with import <stockholm/lib>;
};
environment.systemPackages = with pkgs; [
- chromium
firefoxWrapper
networkmanagerapplet
(pkgs.pidgin-with-plugins.override {
@@ -31,12 +30,12 @@ with import <stockholm/lib>;
};
"/" = {
device = "/dev/mapper/main-root";
- fsType = "btrfs";
+ fsType = "ext4";
options = [ "defaults" "noatime" ];
};
"/home" = {
device = "/dev/mapper/main-home";
- fsType = "btrfs";
+ fsType = "ext4";
options = [ "defaults" "noatime" ];
};
};
@@ -55,9 +54,11 @@ with import <stockholm/lib>;
networking.networkmanager.enable = true;
- nixpkgs.config = {
- allowUnfree = true;
- };
+ services.earlyoom.enable = true;
+ services.earlyoom.freeMemThreshold = 5;
+ systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
+ "--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs
+ ];
services.xserver = {
enable = true;
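Review bot: The single quotes in `--prefer '^(Web Content|Privileged Cont)$'` are shell syntax, but the value is handed to the unit as the environment variable `EARLYOOM_ARGS`; whether they are stripped depends on how the unit's `ExecStart` consumes `$EARLYOOM_ARGS`, which is outside this hunk. If systemd does the word splitting itself rather than a shell, the quotes survive into the regex and the pattern quietly matches nothing, so earlyoom would kill by its default ranking instead of preferring Firefox tabs. Worth confirming with `systemctl show earlyoom -p ExecStart` after deployment, or passing the pattern through the module's own option if one exists. The removal of `nixpkgs.config.allowUnfree` in the same hunk is unrelated to earlyoom and might deserve its own commit.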
diff --git a/tv/1systems/au/config.nix b/tv/1systems/au/config.nix
new file mode 100644
index 000000000..fc4b216f5
--- /dev/null
+++ b/tv/1systems/au/config.nix
@@ -0,0 +1,18 @@
+{ config, ... }: {
+ imports = [
+ ./disks.nix
+ <stockholm/tv>
+ <stockholm/tv/2configs/hw/x220.nix>
+ <stockholm/tv/2configs/retiolum.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.au;
+
+ networking.wireless.enable = true;
+ networking.useDHCP = false;
+ networking.interfaces.enp0s25.useDHCP = true;
+ networking.interfaces.wlp3s0.useDHCP = true;
+ networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+
+ system.stateVersion = "20.03";
+}
diff --git a/tv/1systems/au/disks.nix b/tv/1systems/au/disks.nix
new file mode 100644
index 000000000..434de1740
--- /dev/null
+++ b/tv/1systems/au/disks.nix
@@ -0,0 +1,19 @@
+{
+ boot.initrd.luks.devices.main.device = "/dev/sda2";
+ fileSystems."/" = {
+ device = "/dev/main/root";
+ options = ["defaults" "noatime" "commit=60"];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ options = ["defaults" "noatime"];
+ };
+ fileSystems."/bku" = {
+ device = "/dev/main/bku";
+ options = ["defaults" "noatime"];
+ };
+ fileSystems."/home" = {
+ device = "/dev/main/home";
+ options = ["defaults" "noatime" "commit=60"];
+ };
+}
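Review bot: `boot.initrd.luks.devices.main.device = "/dev/sda2"` and the `/boot` device `/dev/sda1` are kernel enumeration names, which can change when another disk is attached at boot; the `/dev/main/*` LVM paths are stable, but if `sda` is renamed the initrd cannot find the LUKS container and the machine stops at the unlock prompt. Prefer stable identifiers, e.g. `boot.initrd.luks.devices.main.device = "/dev/disk/by-uuid/<UUID-OF-SDA2>";` and `device = "/dev/disk/by-uuid/<UUID-OF-SDA1>";` (placeholders). None of the four mounts state an `fsType`, so they rely on autodetection; spelling it out is cheap insurance against a mount falling back to the wrong driver.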
diff --git a/tv/2configs/nets/hkw.nix b/tv/2configs/nets/hkw.nix
index 725e63b13..c3acde1fb 100644
--- a/tv/2configs/nets/hkw.nix
+++ b/tv/2configs/nets/hkw.nix
@@ -2,6 +2,18 @@
krebs = {
dns.providers.hkw = "hosts";
hosts = {
+ au = {
+ nets.hkw = {
+ ip4 = {
+ addr = "10.23.1.39";
+ prefix = "10.23.1.0/24";
+ };
+ aliases = [
+ "au.hkw"
+ ];
+ ssh.port = 11423;
+ };
+ };
nomic = {
nets.hkw = {
ip4 = {
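Review bot: `au` takes `10.23.1.39`, which is exactly the address the second hunk in this file moves `zu` off to `10.23.1.40`; with `dns.providers.hkw = "hosts"` both names resolve from this file, so the renumbering is internally consistent, but anything that remembered zu by address (ssh known_hosts entries keyed on IP, allow-lists elsewhere in the tree) will now reach au and be presented with a different host key. A line in the commit message noting the swap would save the next person a confusing host-key warning, and the new `ssh.port = 11423` should be cross-checked against the ports of the other hkw hosts, which sit outside this hunk.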
@@ -55,7 +67,7 @@
zu = {
nets.hkw = {
ip4 = {
- addr = "10.23.1.39";
+ addr = "10.23.1.40";
prefix = "10.23.1.0/24";
};
aliases = [